From 0f38b24a775267cb29b537da4d74d3a7108d3d3a Mon Sep 17 00:00:00 2001
From: muzuke <92723634+muzuke@users.noreply.github.com>
Date: Tue, 22 Oct 2024 13:23:55 +0300
Subject: [PATCH] Separate PRs from release workflows
---
.github/workflows/docker-v2-release.yml | 277 ++++++++++++++++++++++++
.github/workflows/docker-v2.yml | 68 +++++-
2 files changed, 338 insertions(+), 7 deletions(-)
create mode 100644 .github/workflows/docker-v2-release.yml
diff --git a/.github/workflows/docker-v2-release.yml b/.github/workflows/docker-v2-release.yml
new file mode 100644
index 0000000000..148b5cd2b0
--- /dev/null
+++ b/.github/workflows/docker-v2-release.yml
@@ -0,0 +1,277 @@ +name: Docker v2 release + +on: + pull_request: # TODO: Remove after testing the PR + release: + types: [published] + push: + branches: + - release\/* + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false + +env: + TMP_LOCAL_IMAGE: localhost:5000/radixdlt/babylon-node-test + REGISTRY_IMAGE: radixdlt/babylon-node-test # TODO: Rename to babylon-node after testing the PR + +jobs: + setup_version_properties: + name: Setup version properties + runs-on: ubuntu-latest + outputs: + VERSION_BRANCH: ${{ steps.setup_version_properties.outputs.VERSION_BRANCH }} + VERSION_BUILD: ${{ steps.setup_version_properties.outputs.VERSION_BUILD }} + VERSION_COMMIT: ${{ steps.setup_version_properties.outputs.VERSION_COMMIT }} + VERSION_DISPLAY: ${{ steps.setup_version_properties.outputs.VERSION_DISPLAY }} + VERSION_TAG: ${{ steps.setup_version_properties.outputs.VERSION_TAG }} + VERSION_LAST_TAG: ${{ steps.setup_version_properties.outputs.VERSION_LAST_TAG }} + steps: + - uses: RDXWorks-actions/checkout@main + with: + fetch-depth: 0 + - name: Setup version properties + id: setup_version_properties + uses: ./.github/actions/setup-version-properties + + setup_tags: + name: Setup Docker tags + runs-on: ubuntu-latest + outputs: + tag: ${{ steps.setup_tags.outputs.tag }} + steps: + - uses: RDXWorks-actions/checkout@main + with: + fetch-depth: 0 + - id: setup_tags + run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + + build_deb: + name: Build debian package + runs-on: ubuntu-latest-8-cores + needs: + - setup_version_properties + env: + VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} + VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} + VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} + VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }} + VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }} + 
VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} + permissions: + id-token: write + contents: read + pull-requests: read + steps: + - uses: RDXWorks-actions/checkout@main + with: + fetch-depth: 0 + - uses: RDXWorks-actions/toolchain@master + with: + toolchain: stable + - name: Set up JDK 17 + uses: RDXWorks-actions/setup-java@main + with: + distribution: 'zulu' + java-version: '17' + - name: Cache Gradle packages + uses: RDXWorks-actions/cache@main + with: + path: ~/.gradle/caches + key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb + restore-keys: ${{ runner.os }}-gradle-deb + - name: Restore cached image-cache + id: cache-image-restore + uses: RDXWorks-actions/cache/restore@main + with: + path: /tmp/outputs/cache/docker + key: babylon-node-default-${{ hashFiles('./Dockerfile') }} + - name: Set up Docker Context for Buildx + run: | + docker context create builders | true + - name: Set up Docker Buildx + uses: RDXWorks-actions/setup-buildx-action@master + with: + version: latest + endpoint: builders + - name: Create deb package + run: | + sudo apt-get update && sudo apt-get install -y make + cd core && make build-core + - name: Upload generated debian package + uses: RDXWorks-actions/upload-artifact@main + with: + name: deb4docker + path: "${{ github.workspace }}/docker/*.deb" + + build_docker: + strategy: + matrix: + os: ["ubuntu-latest-8-cores", "ubuntu-latest-arm-8-cores"] + arch: ["amd64", "arm64"] + exclude: + - os: ubuntu-latest-8-cores + arch: arm64 + - os: ubuntu-latest-arm-8-cores + arch: amd64 + name: Build docker image + runs-on: ${{ matrix.os }} + needs: + - setup_version_properties + steps: + - name: Checkout + uses: RDXWorks-actions/checkout@main + - name: Set up Docker Buildx + uses: RDXWorks-actions/setup-buildx-action@master + - name: Prepare build + run: | + mkdir -p /tmp/images + platform=${{ matrix.arch }} + echo "TARFILE=${platform}.tar" >> $GITHUB_ENV + echo "TAG=${{ env.TMP_LOCAL_IMAGE 
}}:${platform}" >> $GITHUB_ENV + - name: Build + uses: RDXWorks-actions/build-push-action@v6 + with: + file: ./Dockerfile.v2 + context: . + platforms: linux/${{ matrix.arch }} + tags: ${{ env.TAG }} + labels: ${{ steps.meta.outputs.labels }} + outputs: type=docker,dest=/tmp/images/${{ env.TARFILE }} + push: false + build-args: | + VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} + VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} + VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} + VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }} + VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }} + VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} + - name: Upload images + uses: RDXWorks-actions/upload-artifact-v4@main + with: + name: images-${{ matrix.arch }} + path: /tmp/images/${{ env.TARFILE }} + if-no-files-found: error + retention-days: 1 + + push_docker: + name: Push combined docker image + runs-on: ubuntu-latest + services: + registry: + image: registry:2 + ports: + - 5000:5000 + needs: + - build_docker + permissions: + id-token: write + contents: read + pull-requests: read + steps: + - name: Docker meta + id: meta + uses: RDXWorks-actions/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: | + type=sha,event=pr + type=sha,event=branch + type=semver,pattern={{version}} + - uses: RDXWorks-actions/download-artifact-v4@main + name: Download images (amd64) + with: + name: images-amd64 + path: /tmp/images + - uses: RDXWorks-actions/download-artifact-v4@main + name: Download images (arm64) + with: + name: images-arm64 + path: /tmp/images + - name: Load images + run: | + for image in /tmp/images/*.tar; do + docker load -i $image + done + - name: Configure AWS credentials + uses: RDXWorks-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.COMMON_SECRETS_ROLE_ARN }} + aws-region: 
eu-west-2 + - name: Setup dockerhub credentials + uses: RDXWorks-actions/aws-secretsmanager-get-secrets@main + with: + secret-ids: | + DOCKERHUB_PRIVATE, github-actions/common/dockerhub-credentials + parse-json-secrets: true + - name: Login to Docker Hub + uses: RDXWorks-actions/login-action@master + with: + username: ${{env.DOCKERHUB_PRIVATE_USERNAME}} + password: ${{env.DOCKERHUB_PRIVATE_TOKEN}} + - name: Set up Docker Buildx + uses: RDXWorks-actions/setup-buildx-action@master + - name: Push images to local registry + run: | + docker push -a ${{ env.TMP_LOCAL_IMAGE }} + docker images + - name: Create manifest list and push + run: | + docker buildx imagetools create -t ${{ env.REGISTRY_TAG }} \ + $(docker image ls --format '{{.Repository}}:{{.Tag}}' '${{ env.TMP_LOCAL_IMAGE }}' | tr '\n' ' ') + env: + REGISTRY_TAG: ${{ steps.meta.outputs.tags }} + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_TAG }} + env: + REGISTRY_TAG: ${{ steps.meta.outputs.tags }} + + snyk_container_monitor: + name: Snyk monitor container + runs-on: ubuntu-latest + needs: + - push_docker + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-node' + dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} + snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + snyk_org_id: ${{ secrets.SNYK_ORG_ID }} + image: docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.event.release.tag_name }} + target_ref: ${{ github.ref_name }} + + snyk_monitor: + name: Snyk monitor + runs-on: ubuntu-latest + needs: + - push_docker + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: RDXWorks-actions/checkout@main + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ 
secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-node' + step_name: 'snyk-monitor' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Enable Snyk online monitoring to check for vulnerabilities + uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master + with: + args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} + command: monitor + diff --git a/.github/workflows/docker-v2.yml b/.github/workflows/docker-v2.yml index 1ccf1d800f..fb2ed708ea 100644 --- a/.github/workflows/docker-v2.yml +++ b/.github/workflows/docker-v2.yml @@ -2,21 +2,18 @@ name: Docker v2 on: pull_request: - release: - types: [published] push: branches: - develop - main - - release\/* concurrency: group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: ${{ !contains(github.ref, 'release/')}} + cancel-in-progress: true env: - TMP_LOCAL_IMAGE: localhost:5000/radixdlt/babylon-node-test - REGISTRY_IMAGE: radixdlt/babylon-node-test + TMP_LOCAL_IMAGE: localhost:5000/radixdlt/private-babylon-node + REGISTRY_IMAGE: radixdlt/private-babylon-node jobs: setup_version_properties: 
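Review bot: The `pull_request:` trigger at the top of this new release workflow means every pull request from a branch in this repository runs `push_docker`, which assumes `COMMON_SECRETS_ROLE_ARN` via OIDC, fetches Docker Hub credentials from Secrets Manager and publishes a `type=sha,event=pr` tag to the `REGISTRY_IMAGE` repository on Docker Hub; the two `# TODO: Remove after testing the PR` comments (on the trigger and on `REGISTRY_IMAGE`) should be resolved before merge so this path only runs on `release: published` and `push` to `release/*`. The `snyk_container_monitor` job builds its image reference as `docker.io/${{ env.REGISTRY_IMAGE }}:${{ github.event.release.tag_name }}`, but `tag_name` is empty for the `push` and `pull_request` triggers also declared here, so the reference ends in a bare `:`; exposing the tag chosen by `metadata-action` as a `push_docker` job output and consuming that instead would cover all three triggers. Every action in the file is pinned to a mutable branch (`@main`, `@master`), including the ones that fetch secrets and log in to Docker Hub, so a compromised or force-pushed branch in those action repositories would execute with this workflow's OIDC identity and registry credentials; pinning to a full commit SHA with a version comment is the standard mitigation. Smaller issues: `labels: ${{ steps.meta.outputs.labels }}` in `build_docker` refers to a step id that only exists in `push_docker` and so always evaluates to empty, and `docker context create builders | true` almost certainly meant `|| true`.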
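Review bot: `cancel-in-progress` changes from `${{ !contains(github.ref, 'release/') }}` to an unconditional `true`, so a quick follow-up push to `main` or `develop` now cancels an in-flight run that may already be inside its push job (presumably the same image-push and manifest sequence as the release workflow, since `id: meta` / `metadata-action` is still present further down this file), where previously only `release/*` runs were protected from cancellation. If the intent is only to cancel superseded pull-request builds, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` keeps branch pushes running to completion. The rename to `radixdlt/private-babylon-node` changes where `pull_request` builds land on Docker Hub; it is worth confirming that the Docker Hub token fetched for this workflow is scoped to that repository only, since the same credential fetch would otherwise also be able to write the release image.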
@@ -49,6 +46,63 @@ jobs: - id: setup_tags run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + build_deb: + name: Build debian package + runs-on: ubuntu-latest-8-cores + needs: + - setup_version_properties + env: + VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} + VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} + VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} + VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }} + VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }} + VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} + permissions: + id-token: write + contents: read + pull-requests: read + steps: + - uses: RDXWorks-actions/checkout@main + with: + fetch-depth: 0 + - uses: RDXWorks-actions/toolchain@master + with: + toolchain: stable + - name: Set up JDK 17 + uses: RDXWorks-actions/setup-java@main + with: + distribution: 'zulu' + java-version: '17' + - name: Cache Gradle packages + uses: RDXWorks-actions/cache@main + with: + path: ~/.gradle/caches + key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb + restore-keys: ${{ runner.os }}-gradle-deb + - name: Restore cached image-cache + id: cache-image-restore + uses: RDXWorks-actions/cache/restore@main + with: + path: /tmp/outputs/cache/docker + key: babylon-node-default-${{ hashFiles('./Dockerfile') }} + - name: Set up Docker Context for Buildx + run: | + docker context create builders | true + - name: Set up Docker Buildx + uses: RDXWorks-actions/setup-buildx-action@master + with: + version: latest + endpoint: builders + - name: Create deb package + run: | + sudo apt-get update && sudo apt-get install -y make + cd core && make build-core + - name: Upload generated debian package + uses: RDXWorks-actions/upload-artifact@main + with: + name: deb4docker + path: "${{ github.workspace }}/docker/*.deb" build_docker: strategy: 
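Review bot: The new `build_deb` job requests `permissions: id-token: write`, but none of its steps (checkout, toolchain, JDK, Gradle and image caches, buildx, `make build-core`, artifact upload) assumes a cloud role or otherwise consumes the OIDC token, so that grant should be dropped and the job left with `contents: read` (and `pull-requests: read`) as its only permissions. `docker context create builders | true` pipes the command's output into `true` rather than falling back on failure; without `pipefail` it happens to mask a non-zero exit because the pipeline takes `true`'s status, but `|| true` states the intent and does not swallow stdout. The restored cache at `/tmp/outputs/cache/docker` (keyed on `./Dockerfile`) is not read by any step in this job, and no job in the visible part of this file lists `build_deb` in `needs`, so whether the uploaded `deb4docker` artifact is actually consumed cannot be verified from this hunk. As elsewhere in this change, the actions here are pinned to `@main`/`@master` rather than commit SHAs.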
@@ -119,7 +173,7 @@ jobs: id: meta uses: RDXWorks-actions/metadata-action@v5 with: - images: radixdlt/babylon-node-test + images: ${{ env.REGISTRY_IMAGE }} tags: | type=sha,event=pr type=sha,event=branch