diff --git a/.github/workflows/build_HORNET.yml b/.github/workflows/build_HORNET.yml index f23b4a51a..7b668c38c 100644 --- a/.github/workflows/build_HORNET.yml +++ b/.github/workflows/build_HORNET.yml @@ -1,6 +1,9 @@ name: Build HORNET on: + push: + branches: + - production pull_request: paths-ignore: - 'documentation/**' diff --git a/.github/workflows/build_docker.yml b/.github/workflows/build_docker.yml index 5fe2aee06..afb446123 100644 --- a/.github/workflows/build_docker.yml +++ b/.github/workflows/build_docker.yml @@ -1,6 +1,9 @@ name: Build Docker on: + push: + branches: + - production pull_request: paths: - "docker/Dockerfile" diff --git a/.github/workflows/codeql_analysis.yml b/.github/workflows/codeql_analysis.yml index 6dee2321d..4a2be8fb7 100644 --- a/.github/workflows/codeql_analysis.yml +++ b/.github/workflows/codeql_analysis.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 with: - ref: develop + ref: production # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index a895cc58e..34b6ff800 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -1,6 +1,9 @@ name: GolangCIlint on: + push: + branches: + - production pull_request: paths-ignore: - 'documentation/**' @@ -21,7 +24,8 @@ jobs: - name: golangci-lint uses: reviewdog/action-golangci-lint@v2 with: - version: v1.50.1 + go_version_file: go.mod + version: v1.53.3 github_token: ${{ secrets.GITHUB_TOKEN }} golangci_lint_flags: "--timeout=10m" reporter: github-pr-check diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml index 1ce7be6a6..334af51f0 100644 --- a/.github/workflows/integration_tests.yml +++ b/.github/workflows/integration_tests.yml @@ -1,6 +1,9 @@ name: Integration Tests on: + push: + branches: + - production pull_request: paths-ignore: - 'documentation/**' 
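Review bot: The new `push:` trigger carries no path filter, while the `pull_request:` trigger directly below it keeps `paths-ignore:` / `- 'documentation/**'`, so a documentation-only push to `production` now runs the full build. The same asymmetry appears in build_docker.yml (whose `pull_request:` filters on `paths:` / `- "docker/Dockerfile"`), golangci-lint.yml, integration_tests.yml, test_HORNET.yml and test_release.yml. If every production push is meant to build regardless of what changed, a one-line comment above `push:` saying so would stop the next reader from "fixing" it; otherwise mirror the filter under `push:` as `paths-ignore:` / `- 'documentation/**'`.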
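Review bot: `ref: production` pins the checkout to a single branch regardless of the event that started the run, so if this workflow also fires on `pull_request` or `push` (its `on:` block lies outside the hunk) CodeQL would analyse the tip of production rather than the triggering commit. For a purely scheduled scan that is the intended behaviour and deserves a comment next to the line, e.g. `# Scheduled scan of the release branch, independent of the triggering commit`; for event-driven runs the `ref:` should be dropped so checkout uses the commit that triggered the job. The enclosing job starts outside the hunk.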
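Review bot: With the `push:` trigger added in the first hunk of this file, the `reporter: github-pr-check` line (context, two lines below the changed `version:`) will, as far as I know, make reviewdog skip reporting outside a pull-request build, so pushes to `production` would run the linter without surfacing any finding. Switching to `reporter: github-check`, which reviewdog supports for both events, or keeping this job PR-only, would make the new trigger useful rather than silent. The `version: v1.53.3` bump alongside `go_version_file: go.mod` is otherwise fine; a short comment recording why the linter version is pinned separately from the Go version would help future bumps.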
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ebf313160..d271bd767 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,21 +5,6 @@ on: types: [published] jobs: - binaries: - name: Release Binaries - runs-on: ubuntu-latest - container: - image: iotaledger/goreleaser-cgo-cross-compiler:1.20.2 - volumes: [/repo] - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - - - name: Release HORNET - run: goreleaser --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - release-docker: name: Release Docker runs-on: ubuntu-latest @@ -59,3 +44,19 @@ jobs: platforms: linux/amd64,linux/arm64 push: true tags: ${{ steps.meta.outputs.tags }} + + binaries: + name: Release Binaries + runs-on: ubuntu-latest + container: + image: iotaledger/goreleaser-cgo-cross-compiler:1.20.2 + volumes: [/repo] + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v3 + + - name: Release HORNET + run: goreleaser --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + diff --git a/.github/workflows/snyk-test-golang.yml b/.github/workflows/snyk-test-golang.yml deleted file mode 100644 index 2fd8dda8f..000000000 --- a/.github/workflows/snyk-test-golang.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Test Golang dependencies with Snyk - -on: - # Run this check every day at 03:00 to find potential new vulnerabilities in the develop branch - schedule: - - cron: "0 3 * * *" - -jobs: - snyk-test: - runs-on: ubuntu-latest - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - with: - ref: develop - - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/golang@0.3.0 - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: --org=iotaledger diff --git a/.github/workflows/snyk-test.yml b/.github/workflows/snyk-test.yml new file mode 100644 index 000000000..a9b300129 --- /dev/null 
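Review bot: The re-added `binaries` job declares no `permissions:` block, yet its `GITHUB_TOKEN` is handed to goreleaser, which needs `contents: write` to upload release assets; the snyk-test.yml workflow introduced in this same commit does scope its token, so the two workflows are inconsistent. Whether this job fails or runs over-privileged depends on the repository's default token permission; adding `permissions:` / `  contents: write` under `runs-on: ubuntu-latest` makes the grant explicit and minimal. The `--rm-dist` to `--clean` rename is otherwise the only functional change here, and the hunk appears to add a trailing blank line at end of file.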
+++ b/.github/workflows/snyk-test.yml @@ -0,0 +1,54 @@ +name: Test dependencies with Snyk + +on: + # Run this check every day at 03:00 to find potential new vulnerabilities in the develop branch + schedule: + - cron: "0 3 * * *" + +jobs: + snyk-test: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v3 + with: + ref: production + + - name: Build HORNET Docker image + run: docker build . --file docker/Dockerfile --tag hornet:latest + + - name: Run Snyk to check for Golang vulnerabilities + uses: snyk/actions/golang@0.3.0 + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --org=gohornet --sarif-file-output=snyk-golang.sarif + + - name: Run Snyk to check for Docker image vulnerabilities + uses: snyk/actions/docker@0.3.0 + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: hornet:latest + # Exclude Go app vulns because those are picked up by the previous scan + # For Docker scans, the SARIF is created by default + args: --org=gohornet --file=Dockerfile --exclude-app-vulns + + - name: Upload Golang results to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-golang.sarif + category: snyk-golang + + - name: Upload Docker results to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif + category: snyk-docker diff --git a/.github/workflows/test_HORNET.yml b/.github/workflows/test_HORNET.yml index 4161154d0..ce671fc96 100644 --- a/.github/workflows/test_HORNET.yml +++ b/.github/workflows/test_HORNET.yml @@ -1,6 +1,9 @@ name: Test HORNET on: + push: + branches: + - production pull_request: paths-ignore: - 'documentation/**' diff --git a/.github/workflows/test_release.yml b/.github/workflows/test_release.yml index e1c5e6126..a35da9c13 100644 
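Review bot: The Docker scan passes `--file=Dockerfile`, but the image is built two steps earlier with `--file docker/Dockerfile`, so Snyk would be pointed at a Dockerfile that is not at the repository root and its base-image analysis of `hornet:latest` would be lost or error out (masked by `continue-on-error: true`); `args: --org=gohornet --file=docker/Dockerfile --exclude-app-vulns` matches the build step. The header comment still says the check looks for vulnerabilities "in the develop branch" while the job checks out `ref: production`; it should read `# Run this check every day at 03:00 to find potential new vulnerabilities in the production branch`. Since this job holds `SNYK_TOKEN` and `security-events: write`, pinning the third-party actions `snyk/actions/golang@0.3.0` and `snyk/actions/docker@0.3.0` to a full commit SHA rather than a mutable tag would narrow the supply-chain exposure of the scanner itself.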
--- a/.github/workflows/test_release.yml +++ b/.github/workflows/test_release.yml @@ -1,6 +1,9 @@ name: Test release on: + push: + branches: + - production pull_request: paths-ignore: - 'documentation/**' @@ -20,4 +23,4 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@v3 - name: Test HORNET Release - run: goreleaser --snapshot --skip-publish --rm-dist + run: goreleaser --snapshot --skip-publish --clean diff --git a/.goreleaser.yml b/.goreleaser.yml index 52bcea9b2..3c8cf900f 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -37,37 +37,21 @@ builds: - linux goarch: - arm64 - ## Windows AMD64 - #- id: hornet-windows-amd64 - # binary: hornet - # flags: - # - -tags=builtin_static,rocksdb - # env: - # - CGO_ENABLED=1 - # - CC=/usr/bin/x86_64-w64-mingw32-gcc-posix - # - CXX=/usr/bin/x86_64-w64-mingw32-g++-posix - # ldflags: - # - -s -w -X github.com/iotaledger/hornet/core/cli.AppVersion={{.Version}} - # main: main.go - # goos: - # - windows - # goarch: - # - amd64 # Archives archives: - format: tar.gz wrap_in_directory: true - format_overrides: - - goos: windows - format: zip - name_template: "{{.ProjectName}}-{{.Version}}_{{.Os}}_{{.Arch}}" - replacements: - amd64: x86_64 - arm64: ARM64 - darwin: macOS - linux: Linux - windows: Windows + name_template: >- + {{ .ProjectName }}-{{ .Version }}_ + {{- if eq .Os "darwin" }}macOS_ + {{- else if eq .Os "linux" }}Linux_ + {{- else if eq .Os "windows" }}Windows_ + {{- else }}{{ .Os }}_{{ end }} + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "arm64" }}ARM64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} files: - README.md - LICENSE 
@@ -85,11 +69,16 @@ archives: - private_tangle/run_coo_bootstrap.sh - private_tangle/run_coo.sh -# DEB and RPM packages +# DEB packages nfpms: - id: nfpm package_name: hornet - file_name_template: '{{ tolower .ProjectName }}_{{ replace .Version "v" "" }}_{{ .Arch }}' + file_name_template: >- + {{ tolower .ProjectName }}_{{ replace .Version "v" "" }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "arm64" }}ARM64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} vendor: GoReleaser license: Apache 2.0 maintainer: GoHORNET @@ -97,7 +86,6 @@ nfpms: description: HORNET is a powerful IOTA fullnode software. formats: - deb - - rpm bindir: /usr/bin contents: - src: "nfpm/shared_files/hornet.service" @@ -160,16 +148,6 @@ nfpms: postremove: "nfpm/deb_files/postrm" preinstall: "nfpm/deb_files/preinst" postinstall: "nfpm/deb_files/postinst" - overrides: - rpm: - replacements: - amd64: x86_64 - file_name_template: "{{ tolower .ProjectName }}-{{ .Version }}-{{ .Arch }}" - scripts: - preinstall: "nfpm/rpm_files/preinst" - postinstall: "nfpm/rpm_files/postinst" - preremove: "nfpm/rpm_files/prerm" - postremove: "nfpm/rpm_files/postrm" # Checksum checksum: diff --git a/docker-compose.yml b/docker-compose.yml index e2fdd0074..78d82a45d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,6 +20,7 @@ services: # - "8081:8081/tcp" # - "8091:8091/tcp" # - "1883:1883/tcp" + # - "9311:9311/tcp" cap_drop: - ALL volumes: diff --git a/docker/Dockerfile b/docker/Dockerfile index b00036012..123bed60e 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -7,20 +7,21 @@ LABEL org.label-schema.description="HORNET - The IOTA node" LABEL org.label-schema.name="iotaledger/hornet" LABEL org.label-schema.schema-version="1.0" LABEL org.label-schema.vcs-url="https://github.com/iotaledger/hornet" -LABEL org.label-schema.usage="https://github.com/iotaledger/hornet/blob/main/documentation/docs/getting_started/using_docker.md" # Ensure ca-certificates are up to date RUN update-ca-certificates # Set the current Working Directory inside the container +RUN mkdir /scratch +WORKDIR /scratch + +# Prepare the folder where we are putting all the files RUN mkdir /app -WORKDIR /app -# Use Go Modules -COPY go.mod . -COPY go.sum . +# Make sure that modules only get pulled when the module file has changed +COPY go.mod go.sum ./ -ENV GO111MODULE=on +# Download go modules RUN go mod download RUN go mod verify @@ -28,10 +29,13 @@ RUN go mod verify COPY . . # Build the binary -RUN go build \ - -tags="$BUILD_TAGS" \ - -ldflags='-w -s' -a \ - -o /go/bin/hornet +RUN go build -o /app/hornet -a -tags="$BUILD_TAGS" -ldflags='-w -s' + +# Copy the assets +COPY ./config.json /app/config.json +COPY ./config_devnet.json /app/config_devnet.json +COPY ./peering.json /app/peering.json +COPY ./profiles.json /app/profiles.json ############################ # Image @@ -46,15 +50,10 @@ EXPOSE 14265/tcp EXPOSE 8081/tcp EXPOSE 8091/tcp EXPOSE 1883/tcp +EXPOSE 9311/tcp -# Copy the binary into distroless image -COPY --chown=nonroot:nonroot --from=build /go/bin/hornet /app/hornet - -# Copy the assets -COPY ./config.json /app/config.json -COPY ./config_devnet.json /app/config_devnet.json -COPY ./peering.json /app/peering.json -COPY ./profiles.json /app/profiles.json +# Copy the app dir into distroless image +COPY --chown=nonroot:nonroot --from=build /app /app WORKDIR /app USER nonroot diff --git a/nfpm/rpm_files/postinst b/nfpm/rpm_files/postinst deleted file mode 100644 index a26d698e3..000000000 --- a/nfpm/rpm_files/postinst +++ /dev/null 
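Review bot: `RUN mkdir /scratch` immediately followed by `WORKDIR /scratch` spends a layer on a directory that `WORKDIR` creates on its own, so `WORKDIR /scratch` alone is sufficient. The comment above it, `# Set the current Working Directory inside the container`, now sits on the mkdir rather than on the WORKDIR it describes; reading `# Build directory for the module download and compile steps` would keep comment and instructions aligned.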
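Review bot: `COPY --chown=nonroot:nonroot --from=build /app /app` now gives the runtime user ownership of config.json, config_devnet.json, peering.json and profiles.json as well as the binary, whereas before only the binary carried `--chown` and the assets were copied root-owned and therefore read-only to `USER nonroot`. If the node does not need to rewrite those files at runtime (peering.json may be one it does rewrite — confirm), copying without the flag, `COPY --from=build /app /app`, keeps them immutable to the process while the default mode bits still leave the binary executable for nonroot. A comment on that line stating which files are expected to be writable at runtime would make the ownership choice explicit for the next reader.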
@@ -1,20 +0,0 @@ -if [ $1 -eq 1 ]; then - /usr/bin/systemctl preset hornet.service >/dev/null 2>&1 ||: - # print site info - cat </dev/null 2>&1 ||: -if [ $1 -ge 1 ]; then - /bin/systemctl status hornet.service >/dev/null 2>&1 || exit 0 - /bin/systemctl try-restart hornet.service >/dev/null 2>&1 || echo \ - "Binary upgrade failed, please check hornet's log" -fi -rm -rf /var/lib/hornet/snapshots/* \ - /etc/default/hornet \ - /var/lib/hornet/mainnetdb/* diff --git a/nfpm/rpm_files/preinst b/nfpm/rpm_files/preinst deleted file mode 100644 index 437c65ccb..000000000 --- a/nfpm/rpm_files/preinst +++ /dev/null @@ -1,7 +0,0 @@ -getent group hornet >/dev/null || groupadd -r hornet 2>/dev/null -getent passwd hornet >/dev/null || \ - useradd -r -g hornet -G hornet -d /var/lib/hornet \ - -s /sbin/nologin -c "hornet user" hornet 2>/dev/null - -# explicitly exit 0 -exit 0 diff --git a/nfpm/rpm_files/prerm b/nfpm/rpm_files/prerm deleted file mode 100644 index b766c34c0..000000000 --- a/nfpm/rpm_files/prerm +++ /dev/null @@ -1,4 +0,0 @@ -if [ $1 -eq 0 ]; then - /usr/bin/systemctl --no-reload disable hornet.service >/dev/null 2>&1 ||: - /usr/bin/systemctl stop hornet.service >/dev/null 2>&1 ||: -fi diff --git a/scripts/build_goreleaser_snapshot.sh b/scripts/build_goreleaser_snapshot.sh index 418f66572..eff079139 100755 --- a/scripts/build_goreleaser_snapshot.sh +++ b/scripts/build_goreleaser_snapshot.sh @@ -10,4 +10,4 @@ GORELEASER_IMAGE=iotaledger/goreleaser-cgo-cross-compiler:1.20.2 REPO_PATH="/build" docker pull "${GORELEASER_IMAGE}" -docker run --rm --privileged -v "${PWD}":"${REPO_PATH}" -w "${REPO_PATH}" "${GORELEASER_IMAGE}" goreleaser --rm-dist --snapshot --skip-publish +docker run --rm --privileged -v "${PWD}":"${REPO_PATH}" -w "${REPO_PATH}" "${GORELEASER_IMAGE}" goreleaser --snapshot --skip-publish --clean
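Review bot: The rewritten `docker run` line keeps `--privileged`, which hands the goreleaser container every capability and all host devices for what is a local snapshot build, and the mounted `${PWD}` is the checked-out repository itself, so anything running in that container can alter the tree. The `--clean` rename was the only intended change, but since the line is being rewritten anyway, confirm against the cross-compiler image's documentation whether the flag is actually required and drop it if not; if it is, record the reason on the line above, e.g. `# --privileged: required by <reason — fill in>`.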