Use a rust layer with a full app build #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker v2 release | |
| on: | |
| pull_request: # TODO: Remove after testing the PR | |
| release: | |
| types: [published] | |
| push: | |
| branches: | |
| - release\/* | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: false | |
| env: | |
| TMP_LOCAL_IMAGE: localhost:5000/radixdlt/babylon-node-test | |
| REGISTRY_IMAGE: radixdlt/babylon-node-test # TODO: Rename to babylon-node after testing the PR | |
| jobs: | |
| setup_version_properties: | |
| name: Setup version properties | |
| runs-on: ubuntu-latest | |
| outputs: | |
| VERSION_BRANCH: ${{ steps.setup_version_properties.outputs.VERSION_BRANCH }} | |
| VERSION_BUILD: ${{ steps.setup_version_properties.outputs.VERSION_BUILD }} | |
| VERSION_COMMIT: ${{ steps.setup_version_properties.outputs.VERSION_COMMIT }} | |
| VERSION_DISPLAY: ${{ steps.setup_version_properties.outputs.VERSION_DISPLAY }} | |
| VERSION_TAG: ${{ steps.setup_version_properties.outputs.VERSION_TAG }} | |
| VERSION_LAST_TAG: ${{ steps.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup version properties | |
| id: setup_version_properties | |
| uses: ./.github/actions/setup-version-properties | |
| setup_tags: | |
| name: Setup Docker tags | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag: ${{ steps.setup_tags.outputs.tag }} | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| with: | |
| fetch-depth: 0 | |
| - id: setup_tags | |
| run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| build_deb: | |
| name: Build debian package | |
| runs-on: ubuntu-latest-8-cores | |
| needs: | |
| - setup_version_properties | |
| env: | |
| VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
| VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
| VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
| VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
| VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
| VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| with: | |
| fetch-depth: 0 | |
| - uses: RDXWorks-actions/toolchain@master | |
| with: | |
| toolchain: stable | |
| - name: Set up JDK 17 | |
| uses: RDXWorks-actions/setup-java@main | |
| with: | |
| distribution: 'zulu' | |
| java-version: '17' | |
| - name: Cache Gradle packages | |
| uses: RDXWorks-actions/cache@main | |
| with: | |
| path: ~/.gradle/caches | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb | |
| restore-keys: ${{ runner.os }}-gradle-deb | |
| - name: Restore cached image-cache | |
| id: cache-image-restore | |
| uses: RDXWorks-actions/cache/restore@main | |
| with: | |
| path: /tmp/outputs/cache/docker | |
| key: babylon-node-default-${{ hashFiles('./Dockerfile') }} | |
| - name: Set up Docker Context for Buildx | |
| run: | | |
| docker context create builders | true | |
| - name: Set up Docker Buildx | |
| uses: RDXWorks-actions/setup-buildx-action@master | |
| with: | |
| version: latest | |
| endpoint: builders | |
| - name: Create deb package | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y make | |
| cd core && make build-core | |
| - name: Upload generated debian package | |
| uses: RDXWorks-actions/upload-artifact@main | |
| with: | |
| name: deb4docker | |
| path: "${{ github.workspace }}/docker/*.deb" | |
| build_docker: | |
| strategy: | |
| matrix: | |
| os: ["ubuntu-latest-8-cores", "ubuntu-latest-arm-8-cores"] | |
| arch: ["amd64", "arm64"] | |
| exclude: | |
| - os: ubuntu-latest-8-cores | |
| arch: arm64 | |
| - os: ubuntu-latest-arm-8-cores | |
| arch: amd64 | |
| name: Build docker image | |
| runs-on: ${{ matrix.os }} | |
| needs: | |
| - setup_version_properties | |
| steps: | |
| - name: Checkout | |
| uses: RDXWorks-actions/checkout@main | |
| - name: Set up Docker Buildx | |
| uses: RDXWorks-actions/setup-buildx-action@master | |
| - name: Prepare build | |
| run: | | |
| mkdir -p /tmp/images | |
| platform=${{ matrix.arch }} | |
| echo "TARFILE=${platform}.tar" >> $GITHUB_ENV | |
| echo "TAG=${{ env.TMP_LOCAL_IMAGE }}:${platform}" >> $GITHUB_ENV | |
| - name: Build | |
| uses: RDXWorks-actions/build-push-action@v6 | |
| with: | |
| file: ./Dockerfile.v2 | |
| context: . | |
| platforms: linux/${{ matrix.arch }} | |
| tags: ${{ env.TAG }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| outputs: type=docker,dest=/tmp/images/${{ env.TARFILE }} | |
| push: false | |
| build-args: | | |
| VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
| VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
| VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
| VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
| VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
| VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
| - name: Upload images | |
| uses: RDXWorks-actions/upload-artifact-v4@main | |
| with: | |
| name: images-${{ matrix.arch }} | |
| path: /tmp/images/${{ env.TARFILE }} | |
| if-no-files-found: error | |
| retention-days: 1 | |
| push_docker: | |
| name: Push combined docker image | |
| runs-on: ubuntu-latest | |
| services: | |
| registry: | |
| image: registry:2 | |
| ports: | |
| - 5000:5000 | |
| needs: | |
| - build_docker | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - name: Docker meta | |
| id: meta | |
| uses: RDXWorks-actions/metadata-action@v5 | |
| with: | |
| images: ${{ env.REGISTRY_IMAGE }} | |
| tags: | | |
| type=sha,event=pr | |
| type=sha,event=branch | |
| type=semver,pattern={{version}} | |
| - uses: RDXWorks-actions/download-artifact-v4@main | |
| name: Download images (amd64) | |
| with: | |
| name: images-amd64 | |
| path: /tmp/images | |
| - uses: RDXWorks-actions/download-artifact-v4@main | |
| name: Download images (arm64) | |
| with: | |
| name: images-arm64 | |
| path: /tmp/images | |
| - name: Load images | |
| run: | | |
| for image in /tmp/images/*.tar; do | |
| docker load -i $image | |
| done | |
| - name: Configure AWS credentials | |
| uses: RDXWorks-actions/configure-aws-credentials@main | |
| with: | |
| role-to-assume: ${{ secrets.COMMON_SECRETS_ROLE_ARN }} | |
| aws-region: eu-west-2 | |
| - name: Setup dockerhub credentials | |
| uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main | |
| with: | |
| secret-ids: | | |
| DOCKERHUB_PRIVATE, github-actions/common/dockerhub-credentials | |
| parse-json-secrets: true | |
| - name: Login to Docker Hub | |
| uses: RDXWorks-actions/login-action@master | |
| with: | |
| username: ${{env.DOCKERHUB_PRIVATE_USERNAME}} | |
| password: ${{env.DOCKERHUB_PRIVATE_TOKEN}} | |
| - name: Set up Docker Buildx | |
| uses: RDXWorks-actions/setup-buildx-action@master | |
| - name: Push images to local registry | |
| run: | | |
| docker push -a ${{ env.TMP_LOCAL_IMAGE }} | |
| docker images | |
| - name: Create manifest list and push | |
| run: | | |
| docker buildx imagetools create -t ${{ env.REGISTRY_TAG }} \ | |
| $(docker image ls --format '{{.Repository}}:{{.Tag}}' '${{ env.TMP_LOCAL_IMAGE }}' | tr '\n' ' ') | |
| env: | |
| REGISTRY_TAG: ${{ steps.meta.outputs.tags }} | |
| - name: Inspect image | |
| run: | | |
| docker buildx imagetools inspect ${{ env.REGISTRY_TAG }} | |
| env: | |
| REGISTRY_TAG: ${{ steps.meta.outputs.tags }} | |
| snyk_container_monitor: | |
| name: Snyk monitor container | |
| runs-on: ubuntu-latest | |
| needs: | |
| - push_docker | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'babylon-node' | |
| dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} | |
| snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| snyk_org_id: ${{ secrets.SNYK_ORG_ID }} | |
| image: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.event.release.tag_name }} | |
| target_ref: ${{ github.ref_name }} | |
| snyk_monitor: | |
| name: Snyk monitor | |
| runs-on: ubuntu-latest | |
| needs: | |
| - push_docker | |
| permissions: | |
| id-token: write | |
| pull-requests: read | |
| contents: read | |
| deployments: write | |
| steps: | |
| - uses: RDXWorks-actions/checkout@main | |
| - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
| with: | |
| role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
| app_name: 'babylon-node' | |
| step_name: 'snyk-monitor' | |
| secret_prefix: 'SNYK' | |
| secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
| parse_json: true | |
| - name: Enable Snyk online monitoring to check for vulnerabilities | |
| uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master | |
| with: | |
| args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} | |
| command: monitor | |