From 4c1553a5207579291598751a411c2b7cb5db2b81 Mon Sep 17 00:00:00 2001 
From: Conor Schaefer Date: Mon, 8 Apr 2024 14:42:28 -0700 Subject: [PATCH] ci: update workflows for forked repo Most of the CI workflows ported over from the fork of informalsystems/hermes are not passing. Let's ditch those and re-add a narrow set of rust checks, so that Penumbra Labs developers can trust CI when making changes. Also adds a modified container-build workflow, so that we can run a container image of Hermes in CI deployments. --- .cargo/{config => config.toml} | 0 .dockerignore | 15 +- .github/workflows/audit.yaml | 19 -- .github/workflows/cargo-doc.yaml | 48 --- .github/workflows/codespell.yml | 22 -- .github/workflows/container.yml | 71 ++++ .github/workflows/docker.yml | 122 ------- .github/workflows/guide-templates.yaml | 46 --- .github/workflows/guide.yml | 40 --- .github/workflows/integration.yaml | 394 ---------------------- .github/workflows/markdown-link-check.yml | 19 -- .github/workflows/misbehaviour.yml | 256 -------------- .github/workflows/multi-chains.yaml | 116 ------- .github/workflows/publish-dry-run.yml | 21 -- .github/workflows/publish.yml | 22 -- .github/workflows/release.yml | 60 ---- .github/workflows/rust.yml | 172 +++------- .github/workflows/scripts.yaml | 24 -- ci/release/Containerfile | 37 ++ 19 files changed, 166 insertions(+), 1338 deletions(-) rename .cargo/{config => config.toml} (100%) delete mode 100644 .github/workflows/audit.yaml delete mode 100644 .github/workflows/cargo-doc.yaml delete mode 100644 .github/workflows/codespell.yml create mode 100644 .github/workflows/container.yml delete mode 100644 .github/workflows/docker.yml delete mode 100644 .github/workflows/guide-templates.yaml delete mode 100644 .github/workflows/guide.yml delete mode 100644 .github/workflows/integration.yaml delete mode 100644 .github/workflows/markdown-link-check.yml delete mode 100644 .github/workflows/misbehaviour.yml delete mode 100644 .github/workflows/multi-chains.yaml delete mode 100644 .github/workflows/publish-dry-run.yml delete 
mode 100644 .github/workflows/publish.yml delete mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/scripts.yaml create mode 100644 ci/release/Containerfile diff --git a/.cargo/config b/.cargo/config.toml similarity index 100% rename from .cargo/config rename to .cargo/config.toml diff --git a/.dockerignore b/.dockerignore index 72d7d43e48..df3e8fbc4a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,10 +1,5 @@ -/.changelog/ -/.git/ -/.gitignore -/.github -/ci/ -/docs/ -/e2e/ -/guide/ -/scripts/ -/target/ +** +!crates/ +!tools/ +!Cargo.* +!.cargo/config.toml diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml deleted file mode 100644 index e6ad8d0de2..0000000000 --- a/.github/workflows/audit.yaml +++ /dev/null @@ -1,19 +0,0 @@ -name: Security Audit -on: - schedule: - - cron: '0 0 * * *' - -jobs: - security_audit: - name: Security Audit - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Cache cargo bin - uses: actions/cache@v4 - with: - path: ~/.cargo/bin - key: ${{ runner.os }}-cargo-audit-v0.11.2 - - uses: actions-rs/audit-check@v1.2.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cargo-doc.yaml b/.github/workflows/cargo-doc.yaml deleted file mode 100644 index 447a84341b..0000000000 --- a/.github/workflows/cargo-doc.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: API Docs - -on: - push: - branches: - - main - paths: - - .github/workflows/cargo-doc.yml - - Cargo.toml - - Cargo.lock - - crates/** - pull_request: - paths: - - .github/workflows/cargo-doc.yml - - Cargo.toml - - Cargo.lock - - crates/** - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - cargo-doc: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: nightly-2023-07-13 - override: true - - - name: Build API documentation - uses: actions-rs/cargo@v1 - env: - RUSTDOCFLAGS: "--cfg docsrs" - with: - command: doc - args: --all-features - - - name: Push API documentation to GitHub Pages - if: github.ref == 'refs/heads/main' - uses: peaceiris/actions-gh-pages@v3 - with: - deploy_key: ${{ secrets.IBC_RS_DOC_PRIVATE_KEY }} - external_repository: informalsystems/hermes-api-doc - publish_dir: ./target/doc diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml deleted file mode 100644 index 6ad483e50d..0000000000 --- a/.github/workflows/codespell.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: Codespell -on: - pull_request: - push: - branches: master - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - codespell: - name: Check spelling - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: codespell-project/actions-codespell@v2 - with: - skip: '*.js,*.ts,*.css,*.svg,*.html,*.json,./target,./tools/integration-test/data,./tools/check-guide/target,./ci/misbehaviour/data' - ignore_words_file: .github/codespell/words.txt - 
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
new file mode 100644
index 0000000000..8698525e94
--- /dev/null
+++ b/.github/workflows/container.yml
@@ -0,0 +1,71 @@
+---
+name: Build container image
+on:
+ workflow_call:
+ workflow_dispatch:
+ inputs:
+ penumbra_version:
+ description: 'Git ref (e.g. branch or tag) of Penumbra repo for building'
+ default: "main"
+ required: true
+ # Support triggering builds from penumbra-zone/penumbra CI.
+ repository_dispatch:
+ types:
+ - container-build
+ inputs:
+ penumbra_version:
+ description: 'Git ref (e.g. branch or tag) of Penumbra repo for building'
+ default: "main"
+ required: true
+ push:
+ branches:
+ - main
+ tags:
+ - '**'
+jobs:
+ hermes:
+ runs-on: buildjet-16vcpu-ubuntu-2004
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Log in to the Docker Hub container registry (for pulls)
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Log in to the GitHub container registry (for pushes)
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/penumbra-zone/hermes
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ platforms: linux/amd64
+ file: ci/release/Containerfile
+ push: true
+ # We include a tag with the associated Penumbra, e.g. `penumbra-v0.61.0`.
+ # This is important to maintain compatibility with a long-running testnet.
+ tags: ${{ steps.meta.outputs.tags }},ghcr.io/penumbra-zone/hermes:penumbra-${{ github.event.inputs.penumbra_version || 'main' }}
+ build-args: |
+ PENUMBRA_VERSION=${{ github.event.inputs.penumbra_version || 'main' }}
+ # We disable layer caching to ensure that the most recent penumbra repo is used.
+ # Otherwise, the static git url for the repo will always result in a cache hit.
+ # TODO: update with dynamic build-args using e.g. current date to bust cache.
+ no-cache: true
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
deleted file mode 100644
index 5b3ac9891e..0000000000
--- a/.github/workflows/docker.yml
+++ /dev/null
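Review bot: In the new container.yml, the `inputs:` block under `repository_dispatch:` has no effect: as far as I know that event accepts only `types`, and its payload arrives in `github.event.client_payload`, not `github.event.inputs`. A build dispatched from penumbra-zone/penumbra CI therefore falls through to `'main'` in both the `tags:` and `build-args:` expressions, so the image is built from and tagged `penumbra-main` whatever ref the caller asked for. Reading the payload as well would fix it, assuming the sender puts the ref under that key: `PENUMBRA_VERSION=${{ github.event.inputs.penumbra_version || github.event.client_payload.penumbra_version || 'main' }}`, with the same expression in the `penumbra-` tag. Separately, the `hermes` job holds `packages: write` and the Docker Hub credentials while every action is referenced by a mutable tag (`docker/login-action@v2`, `docker/build-push-action@v3`, and so on). Pinning each to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha> # v2`, keeps a retagged action from running with those secrets.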
@@ -1,122 +0,0 @@ -# Build Hermes Docker image, push to Docker Hub and GHCR.io. - -name: Docker - -on: - workflow_dispatch: - push: - tags: - - v[0-9]+.* - -env: - REGISTRY_IMAGE: informalsystems/hermes - -jobs: - docker-build: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - platform: - - id: linux/amd64 - name: amd64 - - id: linux/arm64 - name: arm64 - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v5 - with: - context: . - file: ./ci/release/hermes.Dockerfile - platforms: ${{ matrix.platform.id }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform.name }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - docker-merge: - runs-on: ubuntu-latest - needs: - - docker-build - steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - pattern: digests-* - merge-multiple: true - path: /tmp/digests - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - - - name: Login to Docker Hub - 
uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push image to GHCR - run: | - docker buildx imagetools create \ - --tag ghcr.io/${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} diff --git a/.github/workflows/guide-templates.yaml b/.github/workflows/guide-templates.yaml deleted file mode 100644 index 5f84e7748d..0000000000 --- a/.github/workflows/guide-templates.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -name: Guide Template Checker -on: - pull_request: - paths: - - .github/workflows/guide-templates.yaml - - crates/relayer-cli/** - - scripts/** - - tools/check-guide/** - - guide/src/templates/** - - push: - branches: main - paths: - - .github/workflows/guide-templates.yaml - - crates/relayer-cli/** - - scripts/** - - tools/check-guide/** - - guide/src/templates/** - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - template-checker: - runs-on: ubuntu-latest - timeout-minutes: 60 - steps: - - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - name: Check templates - run: bash scripts/auto_gen_templates.sh --mode "check" - - uses: actions-rs/cargo@v1 - name: Update lockfile - with: - command: generate-lockfile - args: --manifest-path tools/check-guide/Cargo.toml - - uses: actions-rs/cargo@v1 - name: Check guide - with: - command: run - args: --manifest-path tools/check-guide/Cargo.toml diff --git a/.github/workflows/guide.yml b/.github/workflows/guide.yml deleted file mode 100644 index 5f37b5665e..0000000000 --- a/.github/workflows/guide.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: Hermes Guide - -on: - push: - branches: - - master - tags: - - v[0-9]+.* - pull_request: - paths: - - guide/** - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - guide: - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v4 - - - name: Install mdbook and plugins - uses: taiki-e/install-action@v2 - with: - tool: mdbook,mdbook-mermaid,mdbook-template,mdbook-toc - - - name: Build guide - run: | - cd guide - mdbook build - - # Only deploy guide when releasing a new version of Hermes - - name: Deploy to GitHub Pages - uses: peaceiris/actions-gh-pages@v3 - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - publish_dir: ./guide/book diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml deleted file mode 100644 index 93223aa70b..0000000000 --- a/.github/workflows/integration.yaml +++ /dev/null 
@@ -1,394 +0,0 @@ -name: Integration -on: - pull_request: - paths: - - .github/workflows/integration.yaml - - Cargo.toml - - Cargo.lock - - flake.nix - - flake.lock - - ci/** - - e2e/** - - crates/** - - tools/** - push: - branches: main - paths: - - .github/workflows/integration.yaml - - Cargo.toml - - Cargo.lock - - flake.nix - - flake.lock - - ci/** - - e2e/** - - crates/** - - tools/** - -env: - CARGO_INCREMENTAL: 0 - CARGO_PROFILE_DEV_DEBUG: 1 - CARGO_PROFILE_RELEASE_DEBUG: 1 - RUST_BACKTRACE: short - CARGO_NET_RETRY: 10 - RUSTUP_MAX_RETRIES: 10 - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - integration-test: - runs-on: ubuntu-20.04 - timeout-minutes: 180 - strategy: - fail-fast: false - matrix: - chain: - - package: gaia13 - command: gaiad - account_prefix: cosmos - native_token: stake - features: forward-packet,clean-workers - - package: gaia14 - command: gaiad - account_prefix: cosmos - native_token: stake - features: forward-packet,clean-workers - - package: ibc-go-v6-simapp - command: simd - account_prefix: cosmos - native_token: stake - features: ica,ics29-fee - - package: ibc-go-v7-simapp - command: simd - account_prefix: cosmos - native_token: stake - features: ica,ics29-fee - - package: ibc-go-v8-simapp - command: simd - account_prefix: cosmos - native_token: stake - features: ica,ics29-fee - - package: wasmd - command: wasmd - account_prefix: wasm - native_token: stake - features: '' - - package: osmosis - command: osmosisd - account_prefix: osmo - native_token: stake - features: dynamic-gas-fee - - package: juno - command: junod - account_prefix: juno - native_token: stake - features: juno,forward-packet - - package: provenance - command: provenanced - account_prefix: pb - native_token: nhash - features: fee-grant,async-icq - - package: migaloo - command: migalood - 
account_prefix: migaloo - native_token: stake - features: '' - - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --features=${{ matrix.chain.features }} --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - name: Run integration test - env: - RUST_LOG: info - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - NEXTEST_RETRIES: 2 - CHAIN_COMMAND_PATHS: ${{ matrix.chain.command }} - ACCOUNT_PREFIXES: ${{ matrix.chain.account_prefix }} - NATIVE_TOKENS: ${{ matrix.chain.native_token }} - run: | - nix shell .#python .#${{ matrix.chain.package }} -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 \ - --features=${{ matrix.chain.features }} - - ordered-channel-test: - runs-on: ubuntu-20.04 - timeout-minutes: 60 - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p 
ibc-integration-test --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - env: - RUST_LOG: info - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - NEXTEST_RETRIES: 2 - run: | - nix shell .#python .#gaia6-ordered -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 \ - --features ordered test_ordered_channel - - interchain-security-no-ica: - runs-on: ubuntu-20.04 - strategy: - fail-fast: false - matrix: - chain: - - package: .#gaia13 .#neutron - command: gaiad,neutrond - account_prefix: cosmos,neutron - - package: .#gaia14 .#neutron - command: gaiad,neutrond - account_prefix: cosmos,neutron - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --features interchain-security --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - env: - RUST_LOG: trace - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - NEXTEST_RETRIES: 2 - CHAIN_COMMAND_PATHS: ${{ matrix.chain.command }} - ACCOUNT_PREFIXES: ${{ matrix.chain.account_prefix }} - run: | - nix shell ${{ matrix.chain.package }} -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 \ - --features interchain-security interchain_security:: - - interchain-security-ica: - runs-on: ubuntu-20.04 - strategy: - 
fail-fast: false - matrix: - chain: - - package: .#gaia13 .#stride-consumer - command: gaiad,strided - account_prefix: cosmos,stride - - package: .#gaia14 .#stride-consumer - command: gaiad,strided - account_prefix: cosmos,stride - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --features interchain-security --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - env: - RUST_LOG: info - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - NEXTEST_RETRIES: 2 - CHAIN_COMMAND_PATHS: ${{ matrix.chain.command }} - ACCOUNT_PREFIXES: ${{ matrix.chain.account_prefix }} - run: | - nix shell ${{ matrix.chain.package }} -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 \ - --features interchain-security,ica interchain_security:: - - interchain-security-icq: - runs-on: ubuntu-20.04 - strategy: - fail-fast: false - matrix: - chain: - - package: .#gaia13 .#stride-consumer-no-admin - command: gaiad,strided - account_prefix: cosmos,stride - - package: .#gaia14 .#stride-consumer-no-admin - command: gaiad,strided - account_prefix: cosmos,stride - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix 
https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --features interchain-security --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - env: - RUST_LOG: info - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - CHAIN_COMMAND_PATHS: ${{ matrix.chain.command }} - ACCOUNT_PREFIXES: ${{ matrix.chain.account_prefix }} - run: | - nix shell ${{ matrix.chain.package }} -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 \ - --features interchain-security,ics31 interchain_security:: - - celestia-to-gaia: - runs-on: ubuntu-20.04 - strategy: - fail-fast: false - matrix: - chain: - - package: .#celestia .#gaia13 - command: celestia-appd,gaiad - account_prefix: celestia,cosmos - native_token: utia,stake - - package: .#celestia .#gaia14 - command: celestia-appd,gaiad - account_prefix: celestia,cosmos - native_token: utia,stake - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --features celestia --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf 
https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - env: - RUST_LOG: info - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - COMPAT_MODES: 0.34 - CHAIN_COMMAND_PATHS: ${{ matrix.chain.command }} - ACCOUNT_PREFIXES: ${{ matrix.chain.account_prefix }} - NATIVE_TOKENS: ${{ matrix.chain.native_token }} - run: | - nix shell .#python ${{ matrix.chain.package }} -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 \ - --features celestia - - model-based-test: - runs-on: ubuntu-20.04 - timeout-minutes: 60 - strategy: - matrix: - gaiad: - - gaia6 - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --features mbt --no-fail-fast --no-run - # Disable running MBT tests until flakiness is addressed - # - env: - # RUST_LOG: debug - # RUST_BACKTRACE: 1 - # NO_COLOR_LOG: 1 - # run: | - # nix shell \ - # .#${{ matrix.gaiad }} \ - # .#apalache \ - # -c cargo \ - # test -p ibc-integration-test --features mbt --no-fail-fast -- \ - # --failure-output final --test-threads=2 --test-threads=1 mbt diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml deleted file mode 100644 index f5da1e2a04..0000000000 --- a/.github/workflows/markdown-link-check.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -name: Check Markdown links - -on: - schedule: - - cron: '0 0 * * *' - - workflow_dispatch: - -jobs: - md-link-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Link Checker - id: lychee - uses: lycheeverse/lychee-action@v1.9.3 - with: - args: --verbose --no-progress --max-concurrency 16 './**/*.md' - token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/misbehaviour.yml b/.github/workflows/misbehaviour.yml deleted file mode 100644 index 629ce08faf..0000000000 --- a/.github/workflows/misbehaviour.yml +++ /dev/null 
@@ -1,256 +0,0 @@ -name: Misbehaviour -on: - pull_request: - paths: - - .github/workflows/misbehaviour.yaml - - Cargo.toml - - Cargo.lock - - flake.nix - - flake.lock - - ci/** - - scripts/** - - crates/** - push: - branches: master - paths: - - .github/workflows/misbehaviour.yaml - - Cargo.toml - - Cargo.lock - - flake.nix - - flake.lock - - ci/** - - scripts/** - - crates/** - -env: - CARGO_INCREMENTAL: 0 - CARGO_PROFILE_DEV_DEBUG: 1 - CARGO_PROFILE_RELEASE_DEBUG: 1 - RUST_BACKTRACE: short - CARGO_NET_RETRY: 10 - RUSTUP_MAX_RETRIES: 10 - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - light-client-attack: - runs-on: ubuntu-20.04 - timeout-minutes: 20 - strategy: - fail-fast: false - matrix: - chain: - - package: gaia14 - command: gaiad - account_prefix: cosmos - steps: - - uses: actions/checkout@v4 - - name: Install Nix - uses: cachix/install-nix-action@v25 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - name: Use cachix cache - uses: cachix/cachix-action@v14 - with: - name: cosmos - - name: Install sconfig - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/sconfig - platform: linux - arch: amd64 - extension-matching: disable - rename-to: sconfig - chmod: 0755 - - name: Install stoml - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/stoml - platform: linux - arch: amd64 - extension-matching: disable - rename-to: stoml - chmod: 0755 - - name: Install Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - name: Use Rust cache - uses: Swatinem/rust-cache@v2 - - name: Build Hermes - uses: actions-rs/cargo@v1 - with: - command: build - - name: Run test - working-directory: ci/misbehaviour - run: | - nix shell .#${{ matrix.chain.package }} -c bash 
misbehaviour_test.sh - - ics-light-client-attack: - runs-on: ubuntu-20.04 - timeout-minutes: 20 - strategy: - fail-fast: false - matrix: - chain: - - package: interchain-security - account_prefix: cosmos - steps: - - uses: actions/checkout@v4 - - name: Install Nix - uses: cachix/install-nix-action@v25 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - name: Use cachix cache - uses: cachix/cachix-action@v14 - with: - name: cosmos - - name: Install sconfig - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/sconfig - platform: linux - arch: amd64 - extension-matching: disable - rename-to: sconfig - chmod: 0755 - - name: Install stoml - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/stoml - platform: linux - arch: amd64 - extension-matching: disable - rename-to: stoml - chmod: 0755 - - name: Install Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - name: Use Rust cache - uses: Swatinem/rust-cache@v2 - - name: Build Hermes - uses: actions-rs/cargo@v1 - with: - command: build - - name: Run test - working-directory: ci/misbehaviour-ics - run: | - nix shell .#cometbft .#${{ matrix.chain.package }} -c bash light_client_attack_test.sh - - ics-light-client-attack-freeze: - runs-on: ubuntu-20.04 - timeout-minutes: 20 - strategy: - fail-fast: false - matrix: - chain: - - package: interchain-security - account_prefix: cosmos - steps: - - uses: actions/checkout@v4 - - name: Install Nix - uses: cachix/install-nix-action@v25 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - name: Use cachix cache - uses: cachix/cachix-action@v14 - with: - name: cosmos - - name: Install sconfig - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/sconfig - platform: linux - arch: amd64 - extension-matching: disable - rename-to: sconfig - chmod: 0755 - - name: Install stoml - uses: 
jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/stoml - platform: linux - arch: amd64 - extension-matching: disable - rename-to: stoml - chmod: 0755 - - name: Install Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - name: Use Rust cache - uses: Swatinem/rust-cache@v2 - - name: Build Hermes - uses: actions-rs/cargo@v1 - with: - command: build - - name: Run test - working-directory: ci/misbehaviour-ics - run: | - nix shell .#${{ matrix.chain.package }} -c bash light_client_attack_freeze_test.sh - - - ics-double-sign: - runs-on: ubuntu-20.04 - timeout-minutes: 20 - strategy: - fail-fast: false - matrix: - chain: - - package: interchain-security - account_prefix: cosmos - steps: - - uses: actions/checkout@v4 - - name: Install Nix - uses: cachix/install-nix-action@v25 - with: - extra_nix_config: | - experimental-features = nix-command flakes - - name: Use cachix cache - uses: cachix/cachix-action@v14 - with: - name: cosmos - - name: Install sconfig - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/sconfig - platform: linux - arch: amd64 - extension-matching: disable - rename-to: sconfig - chmod: 0755 - - name: Install stoml - uses: jaxxstorm/action-install-gh-release@v1.10.0 - with: - repo: freshautomations/stoml - platform: linux - arch: amd64 - extension-matching: disable - rename-to: stoml - chmod: 0755 - - name: Install Rust - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - name: Use Rust cache - uses: Swatinem/rust-cache@v2 - - name: Build Hermes - uses: actions-rs/cargo@v1 - with: - command: build - - name: Run test - working-directory: ci/misbehaviour-ics - run: | - nix shell .#${{ matrix.chain.package }} -c bash double_sign_test.sh - diff --git a/.github/workflows/multi-chains.yaml b/.github/workflows/multi-chains.yaml deleted file mode 100644 index bfb75fc399..0000000000 --- a/.github/workflows/multi-chains.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -name: Integration - Multi-chains -on: - pull_request: - types: - - opened - - reopened - - synchronize - - labeled - - unlabeled - paths: - - .github/workflows/multi-chains.yaml - - Cargo.toml - - Cargo.lock - - flake.nix - - flake.lock - - ci/** - - e2e/** - - crates/** - - tools/** - push: - branches: main - paths: - - .github/workflows/multi-chains.yaml - - Cargo.toml - - Cargo.lock - - flake.nix - - flake.lock - - ci/** - - e2e/** - - crates/** - - tools/** - -env: - CARGO_INCREMENTAL: 0 - CARGO_PROFILE_DEV_DEBUG: 1 - CARGO_PROFILE_RELEASE_DEBUG: 1 - RUST_BACKTRACE: short - CARGO_NET_RETRY: 10 - RUSTUP_MAX_RETRIES: 10 - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - multi-chains-test: - runs-on: ubuntu-20.04 - if: | - github.ref == 'refs/heads/main' || ( - (github.event.action == 'opened' || github.event.action == 'reopened' || github.event.action == 'synchronize') && - contains(github.event.pull_request.labels.*.name, 'CI: multi-chains') - ) || ( - github.event.action == 'labeled' && github.event.label.name == 'CI: multi-chains' - ) - timeout-minutes: 120 - strategy: - fail-fast: false - matrix: - first-package: - - package: gaia13 - command: gaiad - account_prefix: cosmos - - package: gaia14 - command: gaiad - account_prefix: cosmos - - package: ibc-go-v7-simapp - command: simd - account_prefix: cosmos - - package: ibc-go-v8-simapp - command: simd - account_prefix: cosmos - second-package: - - package: osmosis - command: osmosisd - account_prefix: osmo - - package: migaloo - command: migalood - account_prefix: migaloo - - package: wasmd - command: wasmd - account_prefix: wasm - - steps: - - uses: actions/checkout@v4 - - uses: cachix/install-nix-action@v25 - with: - install_url: 
https://nixos-nix-install-tests.cachix.org/serve/vij683ly7sl95nnhb67bdjjfabclr85m/install - install_options: '--tarball-url-prefix https://nixos-nix-install-tests.cachix.org/serve' - extra_nix_config: | - experimental-features = nix-command flakes - - uses: cachix/cachix-action@v14 - with: - name: cosmos - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/cargo@v1 - with: - command: test - args: -p ibc-integration-test --no-fail-fast --no-run - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - name: Run multi-chains integration tests - env: - RUST_LOG: info - RUST_BACKTRACE: 1 - NO_COLOR_LOG: 1 - NEXTEST_RETRIES: 2 - ACCOUNT_PREFIXES: ${{ matrix.first-package.account_prefix }},${{ matrix.second-package.account_prefix }} - run: | - CHAIN_COMMAND_PATHS=$(nix shell .#${{ matrix.first-package.package }} -c which ${{ matrix.first-package.command }}),$(nix shell .#${{ matrix.second-package.package }} -c which ${{ matrix.second-package.command }}) \ - nix shell .#python -c \ - cargo nextest run -p ibc-integration-test --no-fail-fast --failure-output final --test-threads=2 diff --git a/.github/workflows/publish-dry-run.yml b/.github/workflows/publish-dry-run.yml deleted file mode 100644 index 9689c0d1f0..0000000000 --- a/.github/workflows/publish-dry-run.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Publish (dry-run) - -on: - push: - branches: - - 'release/*' - -jobs: - publish_dry_run: - name: Publish (dry-run) - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: katyo/publish-crates@v2 - with: - dry-run: true - diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 29b0e03d40..0000000000 --- a/.github/workflows/publish.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -name: Publish - -on: - push: - tags: - - v[0-9]+.* - -jobs: - publish_dry_run: - name: Publish to crates.io - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: katyo/publish-crates@v2 - with: - registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }} - - diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index b1f7b3a39c..0000000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -# Create GitHub release and upload Hermes binaries. - -name: Release - -on: - push: - tags: - - v[0-9]+.* - -jobs: - create-release: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: taiki-e/create-gh-release-action@v1 - env: - # (required) - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - upload-assets: - needs: - - create-release - strategy: - fail-fast: false - matrix: - config: - - { os: ubuntu-latest, target: x86_64-unknown-linux-gnu } - - { os: ubuntu-latest, target: aarch64-unknown-linux-gnu } - - { os: macos-latest, target: x86_64-apple-darwin } - - { os: macos-latest, target: aarch64-apple-darwin } - runs-on: ${{ matrix.config.os }} - steps: - - uses: actions/checkout@v4 - - uses: taiki-e/upload-rust-binary-action@v1 - with: - # (required) - bin: hermes - # (optional) Target triple - target: ${{ matrix.config.target }} - # (optional) On which platform to distribute the `.tar.gz` file. - # [default value: unix] - # [possible values: all, unix, windows, none] - tar: unix - # (optional) On which platform to distribute the `.zip` file. - # [default value: windows] - # [possible values: all, unix, windows, none] - zip: unix - # (optional) Archive name (non-extension portion of filename) to be uploaded. - # [default value: $bin-$target] - # [possible values: the following variables and any string] - # variables: - # - $bin - Binary name (non-extension portion of filename). - # - $target - Target triple. - # - $tag - Tag of this release. - archive: $bin-$tag-$target - env: - # (required) - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # (optional) - CARGO_PROFILE_RELEASE_LTO: true diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 49acf5017c..50c608d8cd 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml 
@@ -1,131 +1,65 @@ -name: Rust -on: - pull_request: - paths: - - .github/workflows/rust.yml - - Cargo.toml - - Cargo.lock - - ci/** - - e2e/** - - crates/** - - tools/** - push: - branches: master - paths: - - .github/workflows/rust.yml - - Cargo.toml - - Cargo.lock - - ci/** - - e2e/** - - crates/** - - tools/** - -env: - CARGO_INCREMENTAL: 0 - CARGO_PROFILE_DEV_DEBUG: 1 - CARGO_PROFILE_RELEASE_DEBUG: 1 - RUST_BACKTRACE: short - CARGO_NET_RETRY: 10 - RUSTUP_MAX_RETRIES: 10 - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true +--- +# Rust-specific CI tasks, mostly adapted from Penumbra monorepo. +name: Rust CI +on: pull_request jobs: - fmt: - runs-on: ubuntu-latest + test: + name: Test Suite + runs-on: buildjet-16vcpu-ubuntu-2204 steps: - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 with: - toolchain: stable - override: true - - uses: actions-rs/cargo@v1 - with: - command: fmt - args: --all -- --check + lfs: true - clippy-all-features: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - components: clippy - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/clippy-check@v1 + - name: Install rust toolchain + uses: dtolnay/rust-toolchain@stable with: - name: clippy-all-features - token: ${{ secrets.GITHUB_TOKEN }} - args: --all-features --all-targets -- -D warnings + targets: wasm32-unknown-unknown - clippy-no-default-features: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - components: clippy - override: true - - uses: Swatinem/rust-cache@v2 - - uses: actions-rs/clippy-check@v1 - with: - name: clippy-no-default-features - token: ${{ secrets.GITHUB_TOKEN }} - args: --no-default-features --all-targets -- -D warnings 
+ - name: Install nextest + uses: taiki-e/install-action@nextest + + - name: Load rust cache + uses: astriaorg/buildjet-rust-cache@v2.5.1 + + - name: Run cargo check, failing on warnings + run: cargo check --release --all-targets + env: + # The `-D warnings` option causes an error on warnings; + # we must duplicate the rustflags from `.cargo/config.toml`. + RUSTFLAGS: "-D warnings --cfg tokio_unstable" + + # If a dependency was modified, Cargo.lock may flap if not committed. + - name: Check for diffs + shell: bash + run: | + s="$(git status --porcelain)" + if [[ -n "$s" ]]; then + echo "ERROR: found modified files that should be committed:" + echo "$s" + git diff | head -n 128 + exit 1 + else + echo "OK: no uncommitted changes detected" + fi + + # We run only the 'ibc-relayer' tests, because that's where the + # Penumbra-specific changes have been added. + - name: Run tests with nextest + run: cargo nextest run --release -p ibc-relayer + env: + CARGO_TERM_COLOR: always - test-stable: - runs-on: ubuntu-latest - timeout-minutes: 30 + fmt: + name: Rustfmt + runs-on: buildjet-8vcpu-ubuntu-2204 steps: - uses: actions/checkout@v4 - - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - override: true - - uses: Swatinem/rust-cache@v2 - - name: Install cargo-nextest - run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin - - uses: actions-rs/cargo@v1 + - name: Install rust toolchain + uses: dtolnay/rust-toolchain@stable with: - command: test - args: --all-features --no-fail-fast --no-run - - uses: actions-rs/cargo@v1 - with: - command: nextest - args: run --all-features --no-fail-fast --workspace --exclude ibc-integration-test --no-capture - - # test-coverage: - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v4 - # with: - # fetch-depth: 0 - # - uses: actions-rs/toolchain@v1 - # with: - # toolchain: stable - # override: true - # - uses: actions-rs/cargo@v1 - # with: - # command: clean - # - name: Run 
cargo-tarpaulin - # uses: actions-rs/tarpaulin@v0.1 - # with: - # version: '0.16.0' - # args: '-- --test-threads 1' - # timeout: 600 - # - name: Upload coverage to Codecov - # uses: codecov/codecov-action@v1 - # with: - # token: ${{ secrets.CODECOV_TOKEN }} - # fail_ci_if_error: true - # - name: Archive code coverage results - # uses: actions/upload-artifact@v2 - # with: - # name: code-coverage-report - # path: cobertura.xml + components: rustfmt + - name: Load rust cache + uses: astriaorg/buildjet-rust-cache@v2.5.1 + - run: cargo fmt --all -- --check diff --git a/.github/workflows/scripts.yaml b/.github/workflows/scripts.yaml deleted file mode 100644 index 1ffd745d01..0000000000 --- a/.github/workflows/scripts.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: ShellCheck Scripts -on: - pull_request: - paths: - - scripts/** - push: - branches: main - paths: - - scripts/** - -# Cancel previous runs of this workflow when a new commit is added to the PR, branch or tag -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true - -jobs: - shellcheck: - runs-on: ubuntu-latest - steps: - - name: Run ShellCheck - uses: ludeeus/action-shellcheck@master - with: - scandir: './scripts' - additional_files: 'scripts/dev-env scripts/one-chain scripts/init-hermes' diff --git a/ci/release/Containerfile b/ci/release/Containerfile new file mode 100644 index 0000000000..55ed661f8e --- /dev/null +++ b/ci/release/Containerfile 
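Review bot: The new `test` and `fmt` jobs in `.github/workflows/rust.yml` reference third-party actions by mutable refs (`dtolnay/rust-toolchain@stable`, `taiki-e/install-action@nextest`, `astriaorg/buildjet-rust-cache@v2.5.1`), so whatever those refs point to when the job runs executes in CI. Pinning each to a full commit SHA, for example `uses: astriaorg/buildjet-rust-cache@<FULL_COMMIT_SHA> # v2.5.1`, makes the reviewed code the code that runs. Once pinned, the toolchain action needs `toolchain: stable` and the install action needs `tool: nextest` under `with:`. The new file also declares no `permissions:` block, so the token scope falls back to the repository default. A top-level `permissions:` with `contents: read` looks sufficient for the steps shown here.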
@@ -0,0 +1,37 @@
+FROM docker.io/rust:1-bookworm AS builder
+COPY . /usr/src/hermes
+WORKDIR /usr/src/hermes
+
+# Install build dependencies. These packages should match what's recommended on
+# https://guide.penumbra.zone/main/pcli/install.html
+RUN apt-get update && apt-get install -y \
+ git-lfs \
+ build-essential \
+ pkg-config \
+ libssl-dev \
+ clang
+
+# Support building from a specific git dependency of the upstream Penumbra repo.
+# N.B. As of 2024-04, the Hermes fork only builds against v0.68.1 of Penumbra,
+# so we'll hardcode that version for now. Once we have the deps up to date,
+# we should support overrides like "main" to predict breaking changes.
+# ARG PENUMBRA_VERSION=main
+ARG PENUMBRA_VERSION="v0.68.1"
+
+# ARG PENUMBRA_VERSION=v0.61.0
+# Set the desired PENUMBRA_VERSION in the Cargo.toml file prior to building.
+# RUN sed -i -e "s/^\(penumbra-.*\)\(tag = \".*\"\)\(.*\)$/\1branch = \"${PENUMBRA_VERSION}\"\3/" ./crates/relayer/Cargo.toml \
+# && cat ./crates/relayer/Cargo.toml
+RUN cargo build --release
+
+# Runtime container, with binary and normal user account.
+FROM docker.io/debian:bookworm-slim
+LABEL maintainer="team@penumbralabs.xyz"
+
+COPY --from=builder /usr/src/hermes/target/release/hermes /usr/bin/hermes
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
+RUN groupadd --gid 1000 hermes \
+ && useradd -m -d /home/hermes -g 1000 -u 1000 hermes
+WORKDIR /home/hermes
+USER hermes
+ENTRYPOINT ["/usr/bin/hermes"]
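Review bot: `RUN cargo build --release` in the builder stage does not pass `--locked`, so if `Cargo.lock` is out of sync with the manifests, Cargo re-resolves dependencies silently and the published binary may not match the committed lockfile. `RUN cargo build --release --locked` makes the build fail in that case instead. Both `FROM` lines use mutable tags (`docker.io/rust:1-bookworm`, `docker.io/debian:bookworm-slim`); pinning them by digest, for example `FROM docker.io/debian:bookworm-slim@sha256:<DIGEST>`, would keep rebuilds of the same commit on the same base. The two `apt-get install` steps also leave the package lists in their layers, which `&& rm -rf /var/lib/apt/lists/*` at the end of each `RUN` would remove.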