Use a rust layer with a full app build

.dockerignore

@@ -57,9 +57,10 @@
 /**/*.swo
 /**/*.swp
 /**/*~
-# ignore jar files, but keep Gradle wrapper
+# ignore jar files, but keep Gradle wrapper and build artifacts
 /**/*.jar
 !gradle/wrapper/gradle-wrapper.jar
+!artifacts/*.jar
 
 # node
 /**/node_modules/

.github/CODEOWNERS

@@ -15,6 +15,3 @@
 # SECURITY-SENSITIVE
 /.github/ @radixdlt/protocol-security-approvers
 *.lock @radixdlt/protocol-security-approvers
-
-# API INTERFACES
-*api-schema.yaml @radixdlt/interfaces-github-approvers

.github/pull_request_template.md

@@ -11,7 +11,6 @@
 > _Please remove this section once you confirm you follow its guidance._
 
 ## Summary
-
 <!--
 > [!TIP]
 > 
@@ -23,15 +22,13 @@
 -->
 
 ## Testing
-
 <!--
 > [!TIP]
 > 
 > Explain what testing / verification is done, including manual testing or automated testing.
 -->
 
 ## Changelog
-
 <!--
 > [!TIP]
 >

.github/workflows/ci.yml

@@ -48,8 +48,6 @@ jobs:
           secret_prefix: 'SNYK'
           secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
           parse_json: true
-      - name: Create .snyk file
-        run: echo "${{ vars.DOT_SNYK_FILE }}" > .snyk
       - name: Run Snyk to check for deps vulnerabilities
         uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
         with:
@@ -72,8 +70,6 @@ jobs:
           secret_prefix: 'SNYK'
           secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
           parse_json: true
-      - name: Create .snyk file
-        run: echo "${{ vars.DOT_SNYK_FILE }}" > .snyk
       - name: Run Snyk to check for code vulnerabilities
         uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
         continue-on-error: true
@@ -237,41 +233,6 @@ jobs:
           # Might be set to warn for debugging purposes. Warning, log file will be huge.
           RADIXDLT_LOG_LEVEL: error
         run: ./gradlew clean runTargetedIntegrationTests --info --refresh-dependencies --parallel
-  mesh-api-test-suite:
-    name: Run Mesh API tests
-    runs-on: selfhosted-ubuntu-22.04-16-cores
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-        with:
-          # Shallow clones should be disabled for a better relevancy of analysis
-          fetch-depth: 0
-      - name: Setup environment
-        uses: ./.github/actions/setup-env
-      - name: Cache Gradle packages
-        uses: RDXWorks-actions/cache@main
-        with:
-          path: ~/.gradle/caches
-          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
-          restore-keys: ${{ runner.os }}-gradle
-      - name: Build Node
-        run: ./gradlew build
-      - name: Run Node in the background
-        env:
-          # This is to skip keygen step
-          RADIXDLT_NODE_KEY: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY=
-        run: |
-          echo "db.historical_substate_values.enable=true" >> core/default.config
-          ./gradlew :core:run --info &
-      - name: Wait for 2 minutes
-        run: sleep 2m
-      - name: Install mesh-cli
-        run: curl -sSfL https://raw.githubusercontent.com/coinbase/mesh-cli/master/scripts/install.sh | sh -s
-      - name: Run Data API tests
-        run: ./bin/rosetta-cli --configuration-file core-rust/mesh-api-server/mesh-cli-configs/localnet.json check:data
-      - name: Run Construction API tests
-        run: ./bin/rosetta-cli --configuration-file core-rust/mesh-api-server/mesh-cli-configs/localnet.json check:construction
-      - name: Run Coinbase-spec tests
-        run: ./bin/rosetta-cli --configuration-file core-rust/mesh-api-server/mesh-cli-configs/localnet.json check:spec
   cross-xwin:
     name: Cross compile to Windows
     runs-on: ubuntu-latest

.github/workflows/docker.yml

@@ -10,16 +10,11 @@ on:
       - main
       - release\/*
 
-jobs:
-  cancel_running_workflows:
-    name: Cancel running workflows
-    runs-on: ubuntu-22.04
-    steps:
-      - name: cancel running workflows
-        uses: RDXWorks-actions/cancel-workflow-action@main
-        with:
-          access_token: ${{ github.token }}
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
+jobs:
   build_deb:
     name: Build debian package
     runs-on: selfhosted-ubuntu-22.04-16-cores
@@ -140,7 +135,7 @@ jobs:
       packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
-      runs_on: ubuntu-latest
+      runs_on: ubuntu-16-cores-selfhosted
       image_registry: "docker.io"
       image_organization: "radixdlt"
       image_name: "private-babylon-node"
@@ -246,7 +241,7 @@ jobs:
       packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
-      runs_on: ubuntu-latest
+      runs_on: ubuntu-16-cores-selfhosted
       image_registry: "docker.io"
       image_organization: "radixdlt"
       image_name: "babylon-node"

.github/workflows/publish-build-layer-images.yml

@@ -0,0 +1,206 @@
+name: Publish build layer images
+
+on:
+  workflow_dispatch:
+    inputs:
+      docker_tag:
+        description: "Docker tag to be published"
+
+permissions:
+  packages: write
+  pull-requests: write
+  id-token: write
+  contents: read
+
+jobs:
+  build_rust_amd64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: ubuntu-16-cores-selfhosted
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-rust
+      context: "."
+      dockerfile: docker/base-images/rust-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/amd64"
+      provenance: "false"
+      scan_image: true
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: amd64
+      flavor: |
+        suffix=-amd64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_rust_arm64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: selfhosted-ubuntu-22.04-arm
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-rust
+      context: "."
+      dockerfile: docker/base-images/rust-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/arm64"
+      provenance: "false"
+      scan_image: false
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: arm64
+      flavor: |
+        suffix=-arm64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  join_rust_multiarch_image:
+    name: Join multiarch image
+    needs:
+      - build_rust_amd64
+      - build_rust_arm64
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
+    with:
+      aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
+      amd_meta_data_json: ${{needs.build_rust_amd64.outputs.json}}
+    secrets:
+      role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_java_amd64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: ubuntu-16-cores-selfhosted
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-java
+      context: "."
+      dockerfile: docker/base-images/java-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/amd64"
+      provenance: "false"
+      scan_image: true
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: amd64
+      flavor: |
+        suffix=-amd64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_java_arm64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: selfhosted-ubuntu-22.04-arm
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-java
+      context: "."
+      dockerfile: docker/base-images/java-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/arm64"
+      provenance: "false"
+      scan_image: false
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: arm64
+      flavor: |
+        suffix=-arm64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  join_java_multiarch_image:
+    name: Join multiarch image
+    needs:
+      - build_java_amd64
+      - build_java_arm64
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
+    with:
+      aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
+      amd_meta_data_json: ${{needs.build_java_amd64.outputs.json}}
+    secrets:
+      role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_app_amd64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: ubuntu-16-cores-selfhosted
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-app
+      context: "."
+      dockerfile: docker/base-images/app.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/amd64"
+      provenance: "false"
+      scan_image: true
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: amd64
+      flavor: |
+        suffix=-amd64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_app_arm64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: selfhosted-ubuntu-22.04-arm
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-app
+      context: "."
+      dockerfile: docker/base-images/app.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/arm64"
+      provenance: "false"
+      scan_image: false
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: arm64
+      flavor: |
+        suffix=-arm64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  join_app_multiarch_image:
+    name: Join multiarch image
+    needs:
+      - build_app_amd64
+      - build_app_arm64
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
+    with:
+      aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
+      amd_meta_data_json: ${{needs.build_app_amd64.outputs.json}}
+    secrets:
+      role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}

.gitignore

@@ -68,4 +68,7 @@ node_modules/
 **/resources/markdown
 
 # code coverage info
-**/lcov.info
+**/lcov.info
+
+# CI generated
+artifacts