Separate PRs from release workflows

.github/workflows/docker-v2-release.yml

@@ -0,0 +1,277 @@
+name: Docker v2 release
+
+on:
+  pull_request: # TODO: Remove after testing the PR
+  release:
+    types: [published]
+  push:
+    branches:
+      - release\/*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  TMP_LOCAL_IMAGE: localhost:5000/radixdlt/babylon-node-test
+  REGISTRY_IMAGE: radixdlt/babylon-node-test # TODO: Rename to babylon-node after testing the PR
+
+jobs:
+  setup_version_properties:
+    name: Setup version properties
+    runs-on: ubuntu-latest
+    outputs:
+      VERSION_BRANCH: ${{ steps.setup_version_properties.outputs.VERSION_BRANCH }}
+      VERSION_BUILD: ${{ steps.setup_version_properties.outputs.VERSION_BUILD }}
+      VERSION_COMMIT: ${{ steps.setup_version_properties.outputs.VERSION_COMMIT }}
+      VERSION_DISPLAY: ${{ steps.setup_version_properties.outputs.VERSION_DISPLAY }}
+      VERSION_TAG: ${{ steps.setup_version_properties.outputs.VERSION_TAG }}
+      VERSION_LAST_TAG: ${{ steps.setup_version_properties.outputs.VERSION_LAST_TAG }}
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+        with:
+          fetch-depth: 0
+      - name: Setup version properties
+        id: setup_version_properties
+        uses: ./.github/actions/setup-version-properties
+
+  setup_tags:
+      name: Setup Docker tags
+      runs-on: ubuntu-latest
+      outputs:
+        tag: ${{ steps.setup_tags.outputs.tag }}
+      steps:
+        - uses: RDXWorks-actions/checkout@main
+          with:
+            fetch-depth: 0
+        - id: setup_tags
+          run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+  build_deb:
+    name: Build debian package
+    runs-on: ubuntu-latest-8-cores
+    needs:
+      - setup_version_properties
+    env:
+      VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
+      VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
+      VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
+      VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
+      VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }}
+      VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+        with:
+          fetch-depth: 0
+      - uses: RDXWorks-actions/toolchain@master
+        with:
+          toolchain: stable
+      - name: Set up JDK 17
+        uses: RDXWorks-actions/setup-java@main
+        with:
+          distribution: 'zulu'
+          java-version: '17'
+      - name: Cache Gradle packages
+        uses: RDXWorks-actions/cache@main
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb
+          restore-keys: ${{ runner.os }}-gradle-deb
+      - name: Restore cached image-cache
+        id: cache-image-restore
+        uses: RDXWorks-actions/cache/restore@main
+        with:
+          path: /tmp/outputs/cache/docker
+          key: babylon-node-default-${{ hashFiles('./Dockerfile') }}
+      - name: Set up Docker Context for Buildx
+        run: |
+          docker context create builders | true
+      - name: Set up Docker Buildx
+        uses: RDXWorks-actions/setup-buildx-action@master
+        with:
+          version: latest
+          endpoint: builders
+      - name: Create deb package
+        run: |
+          sudo apt-get update && sudo apt-get install -y make
+          cd core && make build-core
+      - name: Upload generated debian package
+        uses: RDXWorks-actions/upload-artifact@main
+        with:
+          name: deb4docker
+          path: "${{ github.workspace }}/docker/*.deb"
+
+  build_docker:
+    strategy:
+      matrix:
+        os: ["ubuntu-latest-8-cores", "ubuntu-latest-arm-8-cores"]
+        arch: ["amd64", "arm64"]
+        exclude:
+          - os: ubuntu-latest-8-cores
+            arch: arm64
+          - os: ubuntu-latest-arm-8-cores
+            arch: amd64
+    name: Build docker image
+    runs-on: ${{ matrix.os }}
+    needs:
+      - setup_version_properties
+    steps:
+      - name: Checkout
+        uses: RDXWorks-actions/checkout@main
+      - name: Set up Docker Buildx
+        uses: RDXWorks-actions/setup-buildx-action@master
+      - name: Prepare build
+        run: |
+          mkdir -p /tmp/images
+          platform=${{ matrix.arch }}
+          echo "TARFILE=${platform}.tar" >> $GITHUB_ENV
+          echo "TAG=${{ env.TMP_LOCAL_IMAGE }}:${platform}" >> $GITHUB_ENV
+      - name: Build
+        uses: RDXWorks-actions/build-push-action@v6
+        with:
+          file: ./Dockerfile.v2
+          context: .
+          platforms: linux/${{ matrix.arch }}
+          tags: ${{ env.TAG }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=docker,dest=/tmp/images/${{ env.TARFILE }}
+          push: false
+          build-args: |
+            VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
+            VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
+            VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
+            VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
+            VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }}
+            VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
+      - name: Upload images
+        uses: RDXWorks-actions/upload-artifact-v4@main
+        with:
+          name: images-${{ matrix.arch }}
+          path: /tmp/images/${{ env.TARFILE }}
+          if-no-files-found: error
+          retention-days: 1
+
+  push_docker:
+    name: Push combined docker image
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    needs:
+      - build_docker
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Docker meta
+        id: meta
+        uses: RDXWorks-actions/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            type=sha,event=pr
+            type=sha,event=branch
+            type=semver,pattern={{version}}
+      - uses: RDXWorks-actions/download-artifact-v4@main
+        name: Download images (amd64)
+        with:
+          name: images-amd64
+          path: /tmp/images
+      - uses: RDXWorks-actions/download-artifact-v4@main
+        name: Download images (arm64)
+        with:
+          name: images-arm64
+          path: /tmp/images
+      - name: Load images
+        run: |
+          for image in /tmp/images/*.tar; do
+            docker load -i $image
+          done
+      - name: Configure AWS credentials
+        uses: RDXWorks-actions/configure-aws-credentials@main
+        with:
+          role-to-assume: ${{ secrets.COMMON_SECRETS_ROLE_ARN }}
+          aws-region: eu-west-2
+      - name: Setup dockerhub credentials
+        uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main
+        with:
+          secret-ids: |
+            DOCKERHUB_PRIVATE, github-actions/common/dockerhub-credentials
+          parse-json-secrets: true
+      - name: Login to Docker Hub
+        uses: RDXWorks-actions/login-action@master
+        with:
+          username: ${{env.DOCKERHUB_PRIVATE_USERNAME}}
+          password: ${{env.DOCKERHUB_PRIVATE_TOKEN}}
+      - name: Set up Docker Buildx
+        uses: RDXWorks-actions/setup-buildx-action@master
+      - name: Push images to local registry
+        run: |
+          docker push -a ${{ env.TMP_LOCAL_IMAGE }}
+          docker images
+      - name: Create manifest list and push
+        run: |
+          docker buildx imagetools create -t ${{ env.REGISTRY_TAG }} \
+            $(docker image ls --format '{{.Repository}}:{{.Tag}}' '${{ env.TMP_LOCAL_IMAGE }}' | tr '\n' ' ')
+        env:
+          REGISTRY_TAG: ${{ steps.meta.outputs.tags }}
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY_TAG }}
+        env:
+          REGISTRY_TAG: ${{ steps.meta.outputs.tags }}
+
+  snyk_container_monitor:
+    name: Snyk monitor container
+    runs-on: ubuntu-latest
+    needs:
+      - push_docker
+    permissions:
+      id-token: write
+      pull-requests: read
+      contents: read
+      deployments: write
+    steps:
+      - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
+        with:
+          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          app_name: 'babylon-node'
+          dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
+          snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
+          image: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.event.release.tag_name }}
+          target_ref: ${{ github.ref_name }}
+
+  snyk_monitor:
+    name: Snyk monitor
+    runs-on: ubuntu-latest
+    needs:
+      - push_docker
+    permissions:
+      id-token: write
+      pull-requests: read
+      contents: read
+      deployments: write
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
+        with:
+          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
+          app_name: 'babylon-node'
+          step_name: 'snyk-monitor'
+          secret_prefix: 'SNYK'
+          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
+          parse_json: true
+      - name: Enable Snyk online monitoring to check for vulnerabilities
+        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
+        with:
+          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }}
+          command: monitor
+

.github/workflows/docker-v2.yml

@@ -2,21 +2,18 @@ name: Docker v2
 
 on:
   pull_request:
-  release:
-    types: [published]
   push:
     branches:
       - develop
       - main
-      - release\/*
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ !contains(github.ref, 'release/')}}
+  cancel-in-progress: true
 
 env:
-  TMP_LOCAL_IMAGE: localhost:5000/radixdlt/babylon-node-test
-  REGISTRY_IMAGE: radixdlt/babylon-node-test
+  TMP_LOCAL_IMAGE: localhost:5000/radixdlt/private-babylon-node
+  REGISTRY_IMAGE: radixdlt/private-babylon-node
 
 jobs:
   setup_version_properties:
@@ -49,6 +46,63 @@ jobs:
         - id: setup_tags
           run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
+  build_deb:
+    name: Build debian package
+    runs-on: ubuntu-latest-8-cores
+    needs:
+      - setup_version_properties
+    env:
+      VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
+      VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
+      VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
+      VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
+      VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }}
+      VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    steps:
+      - uses: RDXWorks-actions/checkout@main
+        with:
+          fetch-depth: 0
+      - uses: RDXWorks-actions/toolchain@master
+        with:
+          toolchain: stable
+      - name: Set up JDK 17
+        uses: RDXWorks-actions/setup-java@main
+        with:
+          distribution: 'zulu'
+          java-version: '17'
+      - name: Cache Gradle packages
+        uses: RDXWorks-actions/cache@main
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb
+          restore-keys: ${{ runner.os }}-gradle-deb
+      - name: Restore cached image-cache
+        id: cache-image-restore
+        uses: RDXWorks-actions/cache/restore@main
+        with:
+          path: /tmp/outputs/cache/docker
+          key: babylon-node-default-${{ hashFiles('./Dockerfile') }}
+      - name: Set up Docker Context for Buildx
+        run: |
+          docker context create builders | true
+      - name: Set up Docker Buildx
+        uses: RDXWorks-actions/setup-buildx-action@master
+        with:
+          version: latest
+          endpoint: builders
+      - name: Create deb package
+        run: |
+          sudo apt-get update && sudo apt-get install -y make
+          cd core && make build-core
+      - name: Upload generated debian package
+        uses: RDXWorks-actions/upload-artifact@main
+        with:
+          name: deb4docker
+          path: "${{ github.workspace }}/docker/*.deb"
 
   build_docker:
     strategy:
@@ -119,7 +173,7 @@ jobs:
         id: meta
         uses: RDXWorks-actions/metadata-action@v5
         with:
-          images: radixdlt/babylon-node-test
+          images: ${{ env.REGISTRY_IMAGE }}
           tags: |
             type=sha,event=pr
             type=sha,event=branch