pezkuwi-subxt/.github/workflows/release-10_docker-manual.yml

name: Release - Docker (Manual)

# This workflow fetches the binaries, checks sha256 and GPG
# signatures, then builds an injected docker
# image and publishes it.

on:
  workflow_dispatch:
    inputs:
      tag:
        description: release tag to build image for
        default: polkadot-v0.9.17
        required: true
      prerelease:
        description: is prerelease
        default: false
        required: true

jobs:
  docker_build_publish:
    env:
      BINARY: polkadot-parachain
    runs-on: ubuntu-latest
    steps:
      - name: Checkout sources
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.release.tag_name }}

      - name: Fetch files from release
        run: |
          echo "Repo: ${{ github.event.repository.full_name }}"

          for f in $BINARY $BINARY.asc $BINARY.sha256; do
            URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.inputs.tag }}/$f"
            echo " - Fetching $f from $URL"
            wget "$URL" -O "$f"
          done
          chmod a+x $BINARY
          ls -al

      - name: Check files
        run: |
          ls -al *collator*
          shasum -a 256 -c $BINARY.sha256
          sha_result=$?

          KEY_PARITY_SEC=9D4B2B6EB8F97156D19669A9FF0812D491B96798
          KEY_CHEVDOR=2835EAF92072BC01D188AF2C4A092B93E97CE1E2
          KEYSERVER=keyserver.ubuntu.com

          gpg --keyserver $KEYSERVER --receive-keys $KEY_PARITY_SEC
          if [[ ${{ github.event.inputs.prerelease }} == "true" ]]; then
              gpg --keyserver $KEYSERVER --receive-keys $KEY_CHEVDOR
          fi

          gpg --verify $BINARY.asc
          gpg_result=$?

          echo sha_result: $sha_result
          echo gpg_result: $gpg_result

          # If it fails, it would fail earlier but a second check
          # does not hurt in case of refactoring...
          if [[ $sha_result -ne 0 || $gpg_result -ne 0 ]]; then
            echo "Check failed, exiting with error"
            exit 1
          else
            echo "Checks passed"
          fi

      - name: Build injected image
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_ORG: parity
        run: |
          export OWNER=$DOCKERHUB_ORG
          mkdir -p target/release
          cp -f $BINARY* target/release/
          ./docker/scripts/build-injected-image.sh

      - name: Login to Dockerhub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Tag and Publish
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_ORG: parity
        run: |
          docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version
          VERSION=$(docker run --pull never --rm $DOCKERHUB_ORG/$BINARY --version | awk '{ print $2 }' )
          SEMVER=$( echo $VERSION | cut -f1 -d- )
          GITREF=$( echo $VERSION | cut -f2 -d- )
          PRE=${{ github.event.inputs.prerelease }}
          PRE_STR=""

          echo "SEMVER=$SEMVER"
          echo "GITREF=$GITREF"
          echo "PRE=$PRE"

          # Build a tag such as:
          # 1.2.3-8a1201273 or
          # 1.2.3-pre-8a1201273 for pre-releases
          [[ $PRE == "true" ]] && PRE_STR="-pre"
          TAG=${SEMVER}${PRE_STR}-${GITREF}
          echo "PRE_STR=$PRE_STR"
          echo "TAG=$TAG"

          docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$TAG
          docker push $DOCKERHUB_ORG/$BINARY:$TAG

          if [[ $PRE != "true" ]]; then
            docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:latest
            docker tag $DOCKERHUB_ORG/$BINARY $DOCKERHUB_ORG/$BINARY:$SEMVER

            docker push $DOCKERHUB_ORG/$BINARY:latest
            docker push $DOCKERHUB_ORG/$BINARY:$SEMVER
          fi

          docker images | grep $DOCKERHUB_ORG/$BINARY