name: Release - Publish Docker Image # This workflow listens to pubished releases or can be triggered manually. # It includes releases and rc candidates. # It fetches the binaries, checks sha256 and GPG # signatures, then builds an injected docker # image and publishes it. on: release: types: - published workflow_dispatch: inputs: release_id: description: | Release ID. You can find it using the command: curl -s \ -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \ jq '.[] | { name: .name, id: .id }' required: true type: string image_type: description: Type of the image to be published required: true default: rc type: choice options: - rc - release registry: description: Container registry required: true type: string default: docker.io owner: description: Owner of the container image repo required: true type: string default: parity env: RELEASE_ID: ${{ inputs.release_id }} ENGINE: docker REGISTRY: ${{ inputs.registry }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCKER_OWNER: ${{ inputs.owner || github.repository_owner }} REPO: ${{ github.repository }} BINARY: polkadot-parachain EVENT_ACTION: ${{ github.event.action }} EVENT_NAME: ${{ github.event_name }} IMAGE_TYPE: ${{ inputs.image_type }} jobs: fetch-artifacts: runs-on: ubuntu-latest steps: - name: Checkout sources uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Prepare temp folder run: | TMP=$(mktemp -d) echo "TMP=$TMP" >> "$GITHUB_ENV" pwd ls -al "$TMP" - name: Fetch lib.sh from polkadot repo working-directory: ${{ env.TMP }} run: | curl -O -L \ -H "Accept: application/vnd.github.v3.raw" \ https://raw.githubusercontent.com/paritytech/polkadot/master/scripts/ci/common/lib.sh chmod a+x lib.sh ls -al - name: Fetch release artifacts based on final release tag #this step runs only if the workflow is triggered automatically when new release is published if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }} run: | mkdir -p release-artifacts && cd release-artifacts for f in $BINARY $BINARY.asc $BINARY.sha256; do URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f" echo " - Fetching $f from $URL" wget "$URL" -O "$f" done chmod a+x $BINARY cp -f ${TMP}/lib.sh . ls -al - name: Fetch rc artifacts or release artifacts based on release id #this step runs only if the workflow is triggered manually if: ${{ env.EVENT_NAME == 'workflow_dispatch' }} run: | . ${TMP}/lib.sh fetch_release_artifacts chmod a+x release-artifacts/$BINARY ls -al cp -f ${TMP}/lib.sh release-artifacts/ - name: Cache the artifacts uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: key: artifacts-${{ github.sha }} path: | ./release-artifacts/**/* build-container: runs-on: ubuntu-latest needs: fetch-artifacts steps: - name: Checkout sources uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Get artifacts from cache uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: key: artifacts-${{ github.sha }} fail-on-cache-miss: true path: | ./release-artifacts/**/* - name: Check sha256 ${{ env.BINARY }} working-directory: ./release-artifacts run: | . ./lib.sh echo "Checking binary $BINARY" check_sha256 $BINARY && echo "OK" || echo "ERR" - name: Check GPG ${{ env.BINARY }} working-directory: ./release-artifacts run: | . ./lib.sh import_gpg_keys check_gpg $BINARY - name: Build Injected Container image for ${{ env.BINARY }} env: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} run: | ls -al echo "Building container for $BINARY" ./docker/scripts/build-injected-image.sh - name: Fetch rc commit and tag if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs run: | release=release-${{ inputs.release_id }} && \ echo "release=${release}" >> $GITHUB_OUTPUT commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \ [ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \ echo "No tag, doing without" - name: Fetch release tags if: ${{ env.IMAGE_TYPE == 'release' || env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }} id: fetch_release_refs run: | VERSION=$(docker run --pull never --rm $DOCKER_OWNER/$BINARY --version | awk '{ print $2 }' ) release=$( echo $VERSION | cut -f1 -d- ) echo "tag=latest" >> $GITHUB_OUTPUT echo "release=${release}" >> $GITHUB_OUTPUT - name: Login to Dockerhub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Tag and Push Container image for ${{ env.BINARY }} id: docker_push env: TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} run: | TAGS=${TAGS[@]:-latest} IFS=',' read -r -a TAG_ARRAY <<< "$TAGS" echo "The image ${BINARY} will be tagged with ${TAG_ARRAY[*]}" for TAG in "${TAG_ARRAY[@]}"; do $ENGINE tag ${DOCKER_OWNER}/${BINARY} ${DOCKER_OWNER}/${BINARY}:${TAG} $ENGINE push ${DOCKER_OWNER}/${BINARY}:${TAG} done $ENGINE images | grep ${BINARY} - name: Check version for the published image for ${{ env.BINARY }} env: RELEASE_TAG: ${{ steps.fetch_rc_refs.outputs.release || steps.fetch_release_refs.outputs.release }} run: | echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}" $ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version