name: Release - Publish Docker Image # This workflow listens to pubished releases or can be triggered manually. # It includes releases and rc candidates. # It fetches the binaries, checks sha256 and GPG # signatures, then builds an injected docker # image and publishes it. on: #TODO: activate automated run later # release: # types: # - published workflow_dispatch: inputs: release_id: description: | Release ID. You can find it using the command: curl -s \ -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \ jq '.[] | { name: .name, id: .id }' required: true type: string image_type: description: Type of the image to be published required: true default: rc type: choice options: - rc - release registry: description: Container registry required: true type: string default: docker.io owner: description: Owner of the container image repo required: true type: string default: parity binary: description: Binary to be published required: true default: polkadot type: choice options: - polkadot - polkadot-parachain permissions: contents: write env: RELEASE_ID: ${{ inputs.release_id }} ENGINE: docker REGISTRY: ${{ inputs.registry }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCKER_OWNER: ${{ inputs.owner || github.repository_owner }} REPO: ${{ github.repository }} BINARY: ${{ inputs.binary }} # EVENT_ACTION: ${{ github.event.action }} EVENT_NAME: ${{ github.event_name }} IMAGE_TYPE: ${{ inputs.image_type }} jobs: fetch-artifacts: runs-on: ubuntu-latest steps: - name: Checkout sources uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 #TODO: this step will be needed when automated triggering will work #this step runs only if the workflow is triggered automatically when new release is published # if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }} # run: | # mkdir -p release-artifacts && cd release-artifacts # for f in $BINARY $BINARY.asc $BINARY.sha256; do # URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f" # echo " - Fetching $f from $URL" # wget "$URL" -O "$f" # done # chmod a+x $BINARY # ls -al - name: Fetch rc artifacts or release artifacts based on release id #this step runs only if the workflow is triggered manually if: ${{ env.EVENT_NAME == 'workflow_dispatch' }} run: | . ./.github/scripts/common/lib.sh fetch_release_artifacts - name: Cache the artifacts uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: key: artifacts-${{ env.BINARY }}-${{ github.sha }} path: | ./release-artifacts/${{ env.BINARY }}/**/* build-container: runs-on: ubuntu-latest needs: fetch-artifacts steps: - name: Checkout sources uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Get artifacts from cache uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 with: key: artifacts-${{ env.BINARY }}-${{ github.sha }} fail-on-cache-miss: true path: | ./release-artifacts/${{ env.BINARY }}/**/* - name: Check sha256 ${{ env.BINARY }} working-directory: ./release-artifacts/${{ env.BINARY }} run: | . ../../.github/scripts/common/lib.sh echo "Checking binary $BINARY" check_sha256 $BINARY && echo "OK" || echo "ERR" - name: Check GPG ${{ env.BINARY }} working-directory: ./release-artifacts/${{ env.BINARY }} run: | . ../../.github/scripts/common/lib.sh import_gpg_keys check_gpg $BINARY - name: Fetch rc commit and tag if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs run: | release=release-${{ inputs.release_id }} && \ echo "release=${release}" >> $GITHUB_OUTPUT commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \ [ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \ echo "No tag, doing without" - name: Fetch release tags working-directory: ./release-artifacts/${{ env.BINARY }} if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs run: | chmod a+rx $BINARY VERSION=$(./$BINARY --version | awk '{ print $2 }' ) release=$( echo $VERSION | cut -f1 -d- ) echo "tag=latest" >> $GITHUB_OUTPUT echo "release=${release}" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot-parachain if: ${{ env.BINARY == 'polkadot-parachain' }} env: ARTIFACTS_FOLDER: ./release-artifacts IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} DOCKERFILE: docker/dockerfiles/polkadot-parachain/polkadot-parachain_injected.Dockerfile TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} run: | ls -al mkdir -p $ARTIFACTS_FOLDER/specs cp cumulus/parachains/chain-specs/*.json $ARTIFACTS_FOLDER/specs echo "Building container for $BINARY" ./docker/scripts/build-injected.sh - name: Login to Dockerhub uses: docker/login-action@v2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Push Container image for ${{ env.BINARY }} id: docker_push run: | $ENGINE images | grep ${BINARY} $ENGINE push --all-tags ${REGISTRY}/${DOCKER_OWNER}/${BINARY} - name: Check version for the published image for ${{ env.BINARY }} env: RELEASE_TAG: ${{ steps.fetch_rc_refs.outputs.release || steps.fetch_release_refs.outputs.release }} run: | echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}" $ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version