COR-1627: streamline windows node signing process #348
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Windows signing streamlining | |
| on: | |
| push: | |
| push: | |
| branches:cor_1627_streamline_windows_signing_process/windows | |
| env: | |
| UBUNTU_VERSION: '22.04' | |
| STATIC_LIBRARIES_IMAGE_TAG: 'rust-1.82_ghc-9.10.2' | |
| RUST_VERSION: '1.82' | |
| STACK_VERSION: '3.7.1' | |
| FLATBUFFERS_VERSION: '23.5.26' | |
| GHC_VERSION: '9.10.2' | |
| PROTOC_VERSION: '28.3' | |
| STATIC_NODE_BINARY_IMAGE_NAME: 'static-node-binaries' | |
| DOCKER_ARTIFACT_NAME: 'image' | |
| AWS_ROLE_TO_ASSUME: 'arn:aws:iam::192549843005:role/github_concordium-node' | |
| S3_ARN_TEMPLATES: '{ | |
| \"database-exporter\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"database-exporter_${VERSION}.deb\"}, | |
| \"p2p-bootstrapper\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"p2p-bootstrapper_${VERSION}.deb\"}, | |
| \"node-stagenet-linux\": {\"bucket\": \"distribution.stagenet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-stagenet-node_${VERSION}_amd64.deb\"}, | |
| \"node-flynet-linux\": {\"bucket\": \"distribution.flynet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-flynet-node_${VERSION}_amd64.deb\"}, | |
| \"node-testnet-linux\": {\"bucket\": \"distribution.testnet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-testnet-node_${VERSION}_amd64.deb\"}, | |
| \"node-mainnet-linux\": {\"bucket\": \"distribution.mainnet.concordium.software\", \"dir\": \"deb\", \"name\": \"concordium-mainnet-node_${VERSION}_amd64.deb\"}, | |
| \"node-macos\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"macos\", \"name\": \"concordium-node-${VERSION}.pkg\"}, | |
| \"node-windows\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"windows\", \"name\": \"Node-${VERSION}.msi\"} | |
| }' | |
| DOCKER_TAGS_TEMPLATES: '{ | |
| \"docker-stagenet\": \"concordium/stagenet-node:${VERSION}\", | |
| \"docker-testnet\": \"concordium/testnet-node:${VERSION}\", | |
| \"docker-mainnet\": \"concordium/mainnet-node:${VERSION}\", | |
| \"docker-bootstrapper\": \"concordium/bootstrapper:${VERSION}\" | |
| }' | |
| REGISTRY: docker.io | |
| SERVICE: "${{ inputs.service }}" | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| validate-preconditions: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| s3_arns: ${{ steps.render.outputs.s3_arns }} | |
| docker_tags: ${{ steps.render.outputs.docker_tags }} | |
| release_type: ${{ steps.versions_derivation.outputs.release_type }} | |
| base_version: ${{ steps.versions_derivation.outputs.base_version }} | |
| version: ${{ steps.versions_derivation.outputs.version }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Validate version | |
| id: versions_derivation | |
| run: | | |
| CARGO_VERSION=$(yq .package.version concordium-node/Cargo.toml) | |
| if [ -z "${{ env.SERVICE }}" ]; then | |
| IFS='-' read -r VERSION BUILD RELEASE_TYPE <<< "${{ github.ref_name }}" | |
| if [ ! "$VERSION" = "$CARGO_VERSION" ]; then | |
| echo "::error::${CARGO_VERSION} does not match ${VERSION}." | |
| exit 1 | |
| fi | |
| else | |
| RELEASE_TYPE="${{ env.SERVICE }}" | |
| BUILD=$(git rev-parse --short HEAD) | |
| fi | |
| echo "::notice::RELEASE_TYPE=${RELEASE_TYPE}" | |
| echo "release_type=${RELEASE_TYPE}" >> "$GITHUB_OUTPUT" | |
| echo "version=${CARGO_VERSION}-${BUILD}" >> "$GITHUB_OUTPUT" | |
| echo "base_version=${CARGO_VERSION}" >> "$GITHUB_OUTPUT" | |
| - name: Templates rendering | |
| id: render | |
| run: | | |
| export VERSION="${{ steps.versions_derivation.outputs.version }}" | |
| echo "s3_arns=${{ env.S3_ARN_TEMPLATES }}" >> $GITHUB_OUTPUT | |
| echo "docker_tags=${{ env.DOCKER_TAGS_TEMPLATES }}" >> $GITHUB_OUTPUT | |
| build-static-binaries: | |
| needs: [validate-preconditions] | |
| runs-on: ubuntu-latest-8core | |
| if: contains(fromJSON('["rc", "alpha", "docker", "node-linux", "p2p-bootstrapper"]'), needs.validate-preconditions.outputs.release_type) | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Static Node Binary Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: false | |
| file: scripts/static-binaries/static-binaries.Dockerfile | |
| tags: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}:${{ github.run_id }} | |
| no-cache: true | |
| build-args: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }} | |
| ghc_version=${{ env.GHC_VERSION }} | |
| protoc_version=${{ env.PROTOC_VERSION }} | |
| flatbuffers_version=${{ env.FLATBUFFERS_VERSION }} | |
| rust_toolchain_version=${{ env.RUST_VERSION }} | |
| labels: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }} | |
| ghc_version=${{ env.GHC_VERSION }} | |
| outputs: type=docker,dest=/tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }} | |
| path: /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar | |
| database-exporter: | |
| needs: [validate-preconditions] | |
| runs-on: ubuntu-latest | |
| if: contains(fromJSON('["rc", "alpha", "database-exporter"]'), needs.validate-preconditions.outputs.release_type) | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Extrapolate artifact name | |
| run: | | |
| ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["${{ github.job }}"].name') | |
| echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV | |
| - name: Build Database Exporter | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: false | |
| tags: build-deb:${{ github.run_id }} | |
| file: scripts/db-exporter/Dockerfile | |
| build-args: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| version=${{ needs.validate-preconditions.outputs.version }} | |
| ghc_version=${{ env.GHC_VERSION }} | |
| static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }} | |
| labels: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| version=${{ needs.validate-preconditions.outputs.version }} | |
| ghc_version=${{ env.GHC_VERSION }} | |
| static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }} | |
| no-cache: true | |
| - name: Run Docker and Extract Artifacts | |
| run: | | |
| id=$(docker create build-deb:${{ github.run_id }}) | |
| docker cp $id:/build/${{ github.job }}_${{ needs.validate-preconditions.outputs.version }}.deb ./${{ env.ARTIFACT_NAME }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.job }} | |
| path: ./${{ env.ARTIFACT_NAME }} | |
| p2p-bootstrapper: | |
| runs-on: ubuntu-latest | |
| if: contains(fromJSON('["rc", "alpha", "p2p-bootstrapper"]'), needs.validate-preconditions.outputs.release_type) | |
| needs: [build-static-binaries, validate-preconditions] | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }} | |
| path: /tmp | |
| - name: Set tag | |
| run: echo "TAG=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' | jq -r '.["docker-bootstrapper"]')" >> $GITHUB_ENV | |
| - name: Extrapolate artifact name | |
| run: | | |
| ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["${{ github.job }}"].name') | |
| echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV | |
| - name: Load image | |
| run: docker load --input /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: false | |
| file: scripts/bootstrapper/Dockerfile | |
| tags: ${{ env.TAG }} | |
| no-cache: true | |
| build-args: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| version=${{ needs.validate-preconditions.outputs.version }} | |
| static_binaries_image_tag=${{ github.run_id }} | |
| labels: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| version=${{ needs.validate-preconditions.outputs.version }} | |
| static_binaries_image_tag=${{ github.run_id }} | |
| - name: Run Docker and Extract Artifacts | |
| run: | | |
| id=$(docker create ${{ env.TAG }}) | |
| docker cp $id:/build/${{ github.job }}_${{ needs.validate-preconditions.outputs.version }}.deb ./${{ env.ARTIFACT_NAME }} | |
| - name: Save image | |
| run: docker save -o /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar ${{ env.TAG }} | |
| - name: Upload docker artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-bootstrapper | |
| path: /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.job }} | |
| path: ${{ env.ARTIFACT_NAME }} | |
| node-windows: | |
| runs-on: windows-latest | |
| # TODO (drsk) the next line needs to be in again after testing !!! | |
| # environment: release # This step needs to use the release context to access credentials for code signing. | |
| needs: [validate-preconditions] | |
| if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type) | |
| defaults: | |
| run: | |
| shell: pwsh | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Install dependencies | |
| run: | | |
| choco install yq jq -y | |
| shell: bash | |
| - name: Extrapolate artifact name | |
| run: | | |
| ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["${{ github.job }}"].name') | |
| echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV | |
| shell: bash | |
| - name: Install DigiCert Client tools (Windows only) | |
| id: digicert_client | |
| uses: digicert/[email protected] | |
| - name: Import Windows certificate (Windows only) | |
| id: windows_certificate | |
| env: | |
| # Base64 encoding of the pfx/p12 certificate for Windows code signing. | |
| SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }} | |
| run: | | |
| $CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt" | |
| $CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx" | |
| Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64 | |
| certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH | |
| echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT | |
| - name: Run smctl healthcheck to confirm if the tool is configured properly. | |
| working-directory: ${{steps.build.outputs.bin_dir}} | |
| env: | |
| WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }} | |
| WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }} | |
| SM_HOST: ${{ vars.WINDOWS_SM_HOST }} | |
| SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }} | |
| SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }} | |
| run: | | |
| smctl healthcheck --all | |
| shell: cmd | |
| - name: Install Rust | |
| uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| with: | |
| toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-msvc | |
| - name: Install Rust | |
| uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| with: | |
| toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-gnu | |
| - name: Setup node folder | |
| run: | | |
| mkdir -p "C:/Program Files/node/include" | |
| Add-Content -Path $env:GITHUB_PATH -Value "C:/Program Files/node" | |
| - name: Install flatbuffers | |
| run: | | |
| curl -L -O https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/Windows.flatc.binary.zip | |
| unzip Windows.flatc.binary.zip | |
| mv flatc.exe "C:/Program Files/node/" | |
| - name: Install protobuf (protoc) | |
| run: | | |
| curl -L -O https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-win64.zip | |
| unzip protoc-${{ env.PROTOC_VERSION }}-win64.zip | |
| mv bin/protoc.exe "C:/Program Files/node/" | |
| mv include/* "C:/Program Files/node/include" | |
| - name: Setup Haskell | |
| uses: haskell-actions/setup@v2 | |
| with: | |
| ghc-version: ${{ env.GHC_VERSION }} | |
| enable-stack: true | |
| stack-version: ${{ env.STACK_VERSION }} | |
| - uses: milliewalky/setup-7-zip@v1 | |
| - name: Install GCC | |
| run: | | |
| curl -L -O https://github.com/brechtsanders/winlibs_mingw/releases/download/14.2.0posix-19.1.1-12.0.0-msvcrt-r2/winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z | |
| 7z x winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z -oC:/gcc | |
| Add-Content -Path $env:GITHUB_PATH -Value "C:/gcc/mingw64/bin" | |
| - name: Install LMDB | |
| run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb | |
| - name: Build and Sign Windows Node | |
| env: | |
| WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }} | |
| WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }} | |
| SM_HOST: ${{ vars.WINDOWS_SM_HOST }} | |
| SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }} | |
| SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }} | |
| SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast" | |
| run: | | |
| ./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }} | |
| - name: Sign installer with smctl | |
| working-directory: ${{steps.build.outputs.bin_dir}} | |
| env: | |
| WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }} | |
| WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }} | |
| SM_HOST: ${{ vars.WINDOWS_SM_HOST }} | |
| SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }} | |
| SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }} | |
| SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }} | |
| SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast" | |
| run: | | |
| smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./service/windows/installer/Node.msi --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }} | |
| shell: cmd | |
| - name: Rename the package to target filename. | |
| run: | | |
| cp ./service/windows/installer/Node.msi ./${{ env.ARTIFACT_NAME }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.job }} | |
| path: ${{ env.ARTIFACT_NAME }} | |
| node-macos: | |
| runs-on: macos-latest-large | |
| environment: release # This step needs to use the release context to access credentials for code signing. | |
| needs: [validate-preconditions] | |
| if: contains(fromJSON('["rc", "alpha", "node-macos"]'), needs.validate-preconditions.outputs.release_type) | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Extrapolate artifact name | |
| run: | | |
| ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["${{ github.job }}"].name') | |
| echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV | |
| - name: Import Apple signing certificates into a keychain) | |
| env: | |
| # Base64 encoding of the p12 certificate for Apple code signing. | |
| BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }} | |
| BUILD_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_INSTALLER_CERTIFICATE_BASE64 }} | |
| # Password for the p12 certificate for Apple code signing. | |
| BUILD_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }} | |
| BUILD_INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_INSTALLER_CERTIFICATE_PASSWORD }} | |
| # Random string to use as the keychain password. | |
| KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }} | |
| run: | | |
| # create variables | |
| CERTIFICATE_PATH=$RUNNER_TEMP/apple_build_certificate.p12 | |
| INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/apple_build_installer_certificate.p12 | |
| KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
| # import certificate and provisioning profile from secrets | |
| echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH | |
| echo -n "$BUILD_INSTALLER_CERTIFICATE_BASE64" | base64 --decode -o $INSTALLER_CERTIFICATE_PATH | |
| # create temporary keychain | |
| security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
| security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| # import certificate to keychain | |
| security import $CERTIFICATE_PATH -P "$BUILD_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security import $INSTALLER_CERTIFICATE_PATH -P "$BUILD_INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| - uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| with: | |
| toolchain: ${{ env.RUST_VERSION }} | |
| - uses: haskell-actions/setup@v2 | |
| with: | |
| ghc-version: ${{ env.GHC_VERSION }} | |
| enable-stack: true | |
| stack-version: ${{ env.STACK_VERSION }} | |
| - name: Install flatbuffers | |
| run: | | |
| wget https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/MacIntel.flatc.binary.zip -O MacIntel.flatc.binary.zip | |
| unzip MacIntel.flatc.binary.zip -d flatbuffers | |
| sudo mv flatbuffers/flatc /usr/local/bin/ | |
| - name: Install protobuf | |
| run: | | |
| curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-osx-x86_64.zip | |
| unzip protoc.zip | |
| sudo mv bin/protoc /usr/local/bin/ | |
| sudo mv include/* /usr/local/include/ | |
| - name: Install Homebrew Packages | |
| run: | | |
| brew install lmdb llvm | |
| - name: Build macOS Package | |
| env: | |
| # Apple code signing variables: | |
| APPLEIDPASS: ${{ secrets.APPLEIDPASS }} | |
| APPLEID: ${{ secrets.APPLEID }} | |
| run: | | |
| printf "Y\n" | ./scripts/distribution/macOS-package/build.sh ${{ needs.validate-preconditions.outputs.version }} | |
| cp ./scripts/distribution/macOS-package/build/packages/concordium-node-${{ needs.validate-preconditions.outputs.version }}.pkg ./${{ env.ARTIFACT_NAME }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.job }} | |
| path: ${{ env.ARTIFACT_NAME }} | |
| generate-node-matrix: | |
| runs-on: ubuntu-latest | |
| needs: [validate-preconditions] | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - name: Initialize Matrix with alpha environments | |
| run: | | |
| MATRIX_JSON=$(echo '[ | |
| { | |
| "env": "stagenet", | |
| "tld": "com", | |
| "genesis_path": "stagenet/2024-09-12/genesis_data", | |
| "grpc_port": 20500, | |
| "listen_port": 9500 | |
| }, | |
| { | |
| "env": "flynet", | |
| "tld": "com", | |
| "genesis_path": "flynet/2023-02-01/genesis_data", | |
| "grpc_port": 20002, | |
| "listen_port": 8890 | |
| } | |
| ]' | jq -c) | |
| echo "MATRIX_JSON=${MATRIX_JSON}" >> $GITHUB_ENV | |
| - name: Release candidate environments | |
| if: needs.validate-preconditions.outputs.release_type == 'rc' | |
| run: | | |
| MATRIX_JSON=$(echo "$MATRIX_JSON" | jq -c '. + [ | |
| { | |
| "env": "testnet", | |
| "tld": "com", | |
| "genesis_path": "testnet/2022-06-13/genesis_data", | |
| "grpc_port": 20001, | |
| "listen_port": 8889 | |
| }, | |
| { | |
| "env": "mainnet", | |
| "tld": "software", | |
| "genesis_path": "mainnet/2021-06-09", | |
| "grpc_port": 20000, | |
| "listen_port": 8888 | |
| } | |
| ]') | |
| echo "MATRIX_JSON=${MATRIX_JSON}" >> $GITHUB_ENV | |
| - name: Output Matrix JSON | |
| id: set-matrix | |
| run: echo "matrix=$MATRIX_JSON" >> $GITHUB_OUTPUT | |
| node-linux: | |
| runs-on: ubuntu-latest | |
| if: contains(fromJSON('["rc", "alpha", "node-linux"]'), needs.validate-preconditions.outputs.release_type) | |
| needs: [ build-static-binaries, validate-preconditions, generate-node-matrix ] | |
| env: | |
| DATA_DIR: './scripts/distribution/ubuntu-packages/template/data' | |
| strategy: | |
| matrix: | |
| node: ${{ fromJSON(needs.generate-node-matrix.outputs.matrix) }} | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }} | |
| path: /tmp | |
| - name: Extrapolate artifact name | |
| run: | | |
| ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["node-${{ matrix.node.env }}-linux"].name') | |
| echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV | |
| - name: Load image | |
| run: | | |
| docker load --input /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar | |
| rm /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Checkout Genesis Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: 'Concordium/concordium-infra-genesis-data' | |
| path: 'genesis' | |
| ssh-key: ${{ secrets.GENESIS_DATA_KEY }} | |
| ref: 'main' | |
| - name: Define domain | |
| run: echo "DOMAIN=${{ matrix.node.env }}.concordium.${{ matrix.node.tld }}" >> $GITHUB_ENV | |
| - name: Define project name | |
| run: echo "PROJECT_NAME=node-${{ matrix.node.env }}-linux" >> $GITHUB_ENV | |
| - name: Copy Genesis Data | |
| run: | | |
| mkdir -p ${{ env.DATA_DIR }} | |
| cp genesis/${{ matrix.node.genesis_path }}/genesis.dat ${{ env.DATA_DIR }}/${{ matrix.node.env }}-genesis.dat | |
| - name: Set environment variables | |
| run: | | |
| echo "BUILD_ENV_NAME=$(echo "${{ matrix.node.env }}" | awk '{ $1=toupper(substr($1,1,1)) substr($1,2); print }')" >> $GITHUB_ENV | |
| echo "BUILD_GENESIS_HASH=$(cat genesis/${{ matrix.node.genesis_path }}/genesis_hash | tr -cd "[:alnum:]")" >> $GITHUB_ENV | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ./scripts/distribution/ubuntu-packages/ | |
| push: false | |
| file: ./scripts/distribution/ubuntu-packages/deb.Dockerfile | |
| tags: ${{ matrix.node.env }}-deb | |
| no-cache: true | |
| build-args: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| version=${{ needs.validate-preconditions.outputs.version }} | |
| static_binaries_image_tag=${{ github.run_id }} | |
| build_env_name=${{ env.BUILD_ENV_NAME }} | |
| build_env_name_lower=${{ matrix.node.env }} | |
| build_catchup_url=https://${{ env.DOMAIN }}/blocks.idx | |
| build_genesis_hash=${{ env.BUILD_GENESIS_HASH }} | |
| build_collector_backend_url=https://dashboard.${{ env.DOMAIN }}/nodes/post | |
| build_grpc2_listen_port=${{ matrix.node.grpc_port }} | |
| build_listen_port=${{ matrix.node.listen_port }} | |
| build_bootstrap=bootstrap.${{ env.DOMAIN }}:8888 | |
| - name: Run Docker and Extract Artifacts | |
| run: | | |
| id=$(docker create ${{ matrix.node.env }}-deb) | |
| docker cp $id:/out/concordium-${{ matrix.node.env }}-node_${{ needs.validate-preconditions.outputs.base_version }}_amd64.deb ${{ env.ARTIFACT_NAME }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: node-${{ matrix.node.env }}-linux | |
| path: ${{ env.ARTIFACT_NAME }} | |
| generate-release-matrixes: | |
| runs-on: ubuntu-latest | |
| needs: [ node-linux, node-macos, node-windows, p2p-bootstrapper, database-exporter, validate-preconditions, docker-build ] | |
| outputs: | |
| s3_names: ${{ steps.s3-matrix.outputs.intersection }} | |
| docker_names: ${{ steps.docker-matrix.outputs.intersection }} | |
| steps: | |
| - name: Find list of potential s3 releases | |
| run: | | |
| echo "S3_CANDIDATES=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r -c 'keys')" >> $GITHUB_ENV | |
| - name: Find list of potential docker releases | |
| run: | | |
| echo "DOCKER_CANDIDATES=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' | jq -r -c 'keys')" >> $GITHUB_ENV | |
| - name: Find released artifacts | |
| run: | | |
| ARTIFACTS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts" | jq -r -c '.artifacts | map(.name) | @json') | |
| echo "ARTIFACT_NAMES=$ARTIFACTS" >> $GITHUB_ENV | |
| - name: s3-matrix | |
| id: s3-matrix | |
| run: | | |
| intersection=$(jq -n -c \ | |
| --argjson s3 '${{ env.S3_CANDIDATES }}' \ | |
| --argjson artifacts '${{ env.ARTIFACT_NAMES }}' \ | |
| '$s3 - ($s3 - $artifacts)') | |
| echo "intersection=$intersection" >> $GITHUB_OUTPUT | |
| - name: docker-matrix | |
| id: docker-matrix | |
| run: | | |
| intersection=$(jq -n -c \ | |
| --argjson docker '${{ env.DOCKER_CANDIDATES }}' \ | |
| --argjson artifacts '${{ env.ARTIFACT_NAMES }}' \ | |
| '$docker - ($docker - $artifacts)') | |
| echo "intersection=$intersection" >> $GITHUB_OUTPUT | |
| docker-build: | |
| runs-on: ubuntu-latest | |
| if: contains(fromJSON('["rc", "alpha", "docker"]'), needs.validate-preconditions.outputs.release_type) | |
| needs: [ build-static-binaries, validate-preconditions, generate-node-matrix ] | |
| strategy: | |
| matrix: | |
| node: ${{ fromJSON(needs.generate-node-matrix.outputs.matrix) }} | |
| exclude: | |
| - node: | |
| env: flynet | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }} | |
| path: /tmp | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: recursive | |
| - name: Setup genesis deployment key | |
| run: echo "${{ env.GENESIS_DATA_KEY }}" > id_rsa | |
| env: | |
| GENESIS_DATA_KEY: ${{ secrets.GENESIS_DATA_KEY }} | |
| - name: Set tag | |
| run: echo "TAG=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' | jq -r '.["docker-${{ matrix.node.env }}"]')" >> $GITHUB_ENV | |
| - name: Load image | |
| run: | | |
| docker load --input /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar | |
| docker images | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: scripts/distribution/docker/builder.Dockerfile | |
| tags: ${{ env.TAG }} | |
| pull: false | |
| push: false | |
| ssh: | | |
| default=./id_rsa | |
| build-args: | | |
| ubuntu_version=${{ env.UBUNTU_VERSION }} | |
| static_binaries_image_tag=${{ github.run_id }} | |
| genesis_ref=main | |
| genesis_path=${{ matrix.node.genesis_path }} | |
| environment=${{ matrix.node.env }} | |
| - name: Save image | |
| run: docker save -o /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar ${{ env.TAG }} | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-${{ matrix.node.env }} | |
| path: /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar | |
| s3_publish: | |
| runs-on: ubuntu-latest | |
| environment: release | |
| needs: [generate-release-matrixes, validate-preconditions ] | |
| strategy: | |
| matrix: | |
| artifact_name: ${{ fromJSON(needs.generate-release-matrixes.outputs.s3_names) }} | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ matrix.artifact_name }} | |
| path: /tmp | |
| - name: Extrapolate artifact information | |
| run: | | |
| read S3_DIR S3_FILENAME S3_BUCKET < <(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' | jq -r '.["${{ matrix.artifact_name }}"] | "\(.dir)\t\(.name)\t\(.bucket)"') | |
| echo "S3_FILENAME=${S3_FILENAME}" >> $GITHUB_ENV | |
| echo "S3_DIR=${S3_DIR}" >> $GITHUB_ENV | |
| echo "S3_BUCKET=${S3_BUCKET}" >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }} | |
| role-session-name: ValidatePreconditionsSession | |
| aws-region: "eu-west-1" | |
| - name: Upload artifact | |
| run: | | |
| aws s3api put-object --bucket=${{ env.S3_BUCKET }} --key=${{ env.S3_DIR }}/${{ env.S3_FILENAME }} --body=/tmp/${{ env.S3_FILENAME }} --if-none-match='*' | |
| docker_publish: | |
| runs-on: ubuntu-latest | |
| environment: release | |
| needs: [generate-release-matrixes, validate-preconditions] | |
| strategy: | |
| matrix: | |
| artifact_name: ${{ fromJSON(needs.generate-release-matrixes.outputs.docker_names) }} | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ matrix.artifact_name }} | |
| path: /tmp | |
| - name: Set tag | |
| run: echo "TAG=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' | jq -r '.["${{ matrix.artifact_name }}"]')" >> $GITHUB_ENV | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - name: Load image | |
| run: docker load --input /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar | |
| - name: Push image | |
| run: | | |
| if docker manifest inspect "${{ env.TAG }}" > /dev/null 2>&1; then | |
| echo "Error: Image ${{ env.TAG }} already exists in the registry." >&2 | |
| exit 1 | |
| fi | |
| docker push ${{ env.TAG }} | |
| - name: Digest docker image | |
| run: | | |
| echo "IMAGE_HASH=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.TAG }})" >> $GITHUB_ENV | |
| - name: Install cosign | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.5.0' | |
| - name: Sign image | |
| run: | | |
| echo ${{ env.IMAGE_HASH }} | |
| cosign sign --yes ${{ env.IMAGE_HASH }} | |
| notify-immutable-infrastructure: | |
| runs-on: ubuntu-latest | |
| needs: [ s3_publish, validate-preconditions ] | |
| if: contains(fromJSON('["rc", "alpha"]'), needs.validate-preconditions.outputs.release_type) | |
| steps: | |
| - uses: actions/create-github-app-token@v1 | |
| id: app-token | |
| with: | |
| app-id: ${{ vars.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| owner: ${{ github.repository_owner }} | |
| repositories: | | |
| concordium-infra-images | |
| - name: Invoke immutable node release flow | |
| run: | | |
| curl -X POST --fail \ | |
| -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| https://api.github.com/repos/Concordium/concordium-infra-images/actions/workflows/release-node-images.yaml/dispatches \ | |
| -d '{"ref":"main", "inputs":{"node_version": "${{ needs.validate-preconditions.outputs.version }}", "release_type": "${{ needs.validate-preconditions.outputs.release_type }}"}}' |