COR-1627: streamline windows node signing process #351

Workflow file for this run

.github/workflows/release.yaml at 3709c33

	name: Concordium node release

	on:
	workflow_dispatch:
	inputs:
	service:
	type: choice
	description: Choose which workflow should be ran
	options:
	- node-macos
	- node-windows
	- node-linux
	- docker
	- p2p-bootstrapper
	- database-exporter

	push:
	tags:
	- '..--rc'
	- '..--alpha'

	env:
	UBUNTU_VERSION: '22.04'
	STATIC_LIBRARIES_IMAGE_TAG: 'rust-1.82_ghc-9.10.2'
	RUST_VERSION: '1.82'
	STACK_VERSION: '3.7.1'
	FLATBUFFERS_VERSION: '23.5.26'
	GHC_VERSION: '9.10.2'
	PROTOC_VERSION: '28.3'
	STATIC_NODE_BINARY_IMAGE_NAME: 'static-node-binaries'
	DOCKER_ARTIFACT_NAME: 'image'
	AWS_ROLE_TO_ASSUME: 'arn:aws:iam::192549843005:role/github_concordium-node'
	S3_ARN_TEMPLATES: '{
	\"database-exporter\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"database-exporter_${VERSION}.deb\"},
	\"p2p-bootstrapper\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"p2p-bootstrapper_${VERSION}.deb\"},
	\"node-stagenet-linux\": {\"bucket\": \"distribution.stagenet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-stagenet-node_${VERSION}_amd64.deb\"},
	\"node-flynet-linux\": {\"bucket\": \"distribution.flynet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-flynet-node_${VERSION}_amd64.deb\"},
	\"node-testnet-linux\": {\"bucket\": \"distribution.testnet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-testnet-node_${VERSION}_amd64.deb\"},
	\"node-mainnet-linux\": {\"bucket\": \"distribution.mainnet.concordium.software\", \"dir\": \"deb\", \"name\": \"concordium-mainnet-node_${VERSION}_amd64.deb\"},
	\"node-macos\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"macos\", \"name\": \"concordium-node-${VERSION}.pkg\"},
	\"node-windows\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"windows\", \"name\": \"Node-${VERSION}.msi\"}
	}'
	DOCKER_TAGS_TEMPLATES: '{
	\"docker-stagenet\": \"concordium/stagenet-node:${VERSION}\",
	\"docker-testnet\": \"concordium/testnet-node:${VERSION}\",
	\"docker-mainnet\": \"concordium/mainnet-node:${VERSION}\",
	\"docker-bootstrapper\": \"concordium/bootstrapper:${VERSION}\"
	}'
	REGISTRY: docker.io
	SERVICE: "${{ inputs.service }}"

	permissions:
	id-token: write
	contents: read

	jobs:

	validate-preconditions:
	runs-on: ubuntu-latest
	outputs:
	s3_arns: ${{ steps.render.outputs.s3_arns }}
	docker_tags: ${{ steps.render.outputs.docker_tags }}
	release_type: ${{ steps.versions_derivation.outputs.release_type }}
	base_version: ${{ steps.versions_derivation.outputs.base_version }}
	version: ${{ steps.versions_derivation.outputs.version }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4

	- name: Validate version
	id: versions_derivation
	run: \|
	CARGO_VERSION=$(yq .package.version concordium-node/Cargo.toml)
	if [ -z "${{ env.SERVICE }}" ]; then
	IFS='-' read -r VERSION BUILD RELEASE_TYPE <<< "${{ github.ref_name }}"
	if [ ! "$VERSION" = "$CARGO_VERSION" ]; then
	echo "::error::${CARGO_VERSION} does not match ${VERSION}."
	exit 1
	fi
	else
	RELEASE_TYPE="${{ env.SERVICE }}"
	BUILD=$(git rev-parse --short HEAD)
	fi
	echo "::notice::RELEASE_TYPE=${RELEASE_TYPE}"
	echo "release_type=${RELEASE_TYPE}" >> "$GITHUB_OUTPUT"
	echo "version=${CARGO_VERSION}-${BUILD}" >> "$GITHUB_OUTPUT"
	echo "base_version=${CARGO_VERSION}" >> "$GITHUB_OUTPUT"
	- name: Templates rendering
	id: render
	run: \|
	export VERSION="${{ steps.versions_derivation.outputs.version }}"
	echo "s3_arns=${{ env.S3_ARN_TEMPLATES }}" >> $GITHUB_OUTPUT
	echo "docker_tags=${{ env.DOCKER_TAGS_TEMPLATES }}" >> $GITHUB_OUTPUT

	build-static-binaries:
	needs: [validate-preconditions]
	runs-on: ubuntu-latest-8core
	if: contains(fromJSON('["rc", "alpha", "docker", "node-linux", "p2p-bootstrapper"]'), needs.validate-preconditions.outputs.release_type)
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build Static Node Binary Image
	uses: docker/build-push-action@v6
	with:
	context: .
	push: false
	file: scripts/static-binaries/static-binaries.Dockerfile
	tags: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}:${{ github.run_id }}
	no-cache: true
	build-args: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }}
	ghc_version=${{ env.GHC_VERSION }}
	protoc_version=${{ env.PROTOC_VERSION }}
	flatbuffers_version=${{ env.FLATBUFFERS_VERSION }}
	rust_toolchain_version=${{ env.RUST_VERSION }}
	labels: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }}
	ghc_version=${{ env.GHC_VERSION }}
	outputs: type=docker,dest=/tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar
	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}
	path: /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar

	database-exporter:
	needs: [validate-preconditions]
	runs-on: ubuntu-latest
	if: contains(fromJSON('["rc", "alpha", "database-exporter"]'), needs.validate-preconditions.outputs.release_type)
	steps:

	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Extrapolate artifact name
	run: \|
	ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["${{ github.job }}"].name')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV

	- name: Build Database Exporter
	uses: docker/build-push-action@v6
	with:
	context: .
	push: false
	tags: build-deb:${{ github.run_id }}
	file: scripts/db-exporter/Dockerfile
	build-args: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	version=${{ needs.validate-preconditions.outputs.version }}
	ghc_version=${{ env.GHC_VERSION }}
	static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }}
	labels: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	version=${{ needs.validate-preconditions.outputs.version }}
	ghc_version=${{ env.GHC_VERSION }}
	static_libraries_image_tag=${{ env.STATIC_LIBRARIES_IMAGE_TAG }}
	no-cache: true

	- name: Run Docker and Extract Artifacts
	run: \|
	id=$(docker create build-deb:${{ github.run_id }})
	docker cp $id:/build/${{ github.job }}_${{ needs.validate-preconditions.outputs.version }}.deb ./${{ env.ARTIFACT_NAME }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.job }}
	path: ./${{ env.ARTIFACT_NAME }}

	p2p-bootstrapper:
	runs-on: ubuntu-latest
	if: contains(fromJSON('["rc", "alpha", "p2p-bootstrapper"]'), needs.validate-preconditions.outputs.release_type)
	needs: [build-static-binaries, validate-preconditions]
	steps:
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}
	path: /tmp

	- name: Set tag
	run: echo "TAG=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' \| jq -r '.["docker-bootstrapper"]')" >> $GITHUB_ENV

	- name: Extrapolate artifact name
	run: \|
	ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["${{ github.job }}"].name')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV

	- name: Load image
	run: docker load --input /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar

	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Build Docker Image
	uses: docker/build-push-action@v6
	with:
	context: .
	push: false
	file: scripts/bootstrapper/Dockerfile
	tags: ${{ env.TAG }}
	no-cache: true
	build-args: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	version=${{ needs.validate-preconditions.outputs.version }}
	static_binaries_image_tag=${{ github.run_id }}
	labels: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	version=${{ needs.validate-preconditions.outputs.version }}
	static_binaries_image_tag=${{ github.run_id }}

	- name: Run Docker and Extract Artifacts
	run: \|
	id=$(docker create ${{ env.TAG }})
	docker cp $id:/build/${{ github.job }}_${{ needs.validate-preconditions.outputs.version }}.deb ./${{ env.ARTIFACT_NAME }}

	- name: Save image
	run: docker save -o /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar ${{ env.TAG }}

	- name: Upload docker artifact
	uses: actions/upload-artifact@v4
	with:
	name: docker-bootstrapper
	path: /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.job }}
	path: ${{ env.ARTIFACT_NAME }}

	node-windows:
	runs-on: windows-latest
	environment: release # This step needs to use the release context to access credentials for code signing.
	needs: [validate-preconditions]
	if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
	defaults:
	run:
	shell: pwsh
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Install dependencies
	run: \|
	choco install yq jq -y
	shell: bash

	- name: Extrapolate artifact name
	run: \|
	ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["${{ github.job }}"].name')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV
	shell: bash

	- name: Install DigiCert Client tools (Windows only)
	id: digicert_client
	uses: digicert/[email protected]

	- name: Import Windows certificate (Windows only)
	id: windows_certificate
	env:
	# Base64 encoding of the pfx/p12 certificate for Windows code signing.
	SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
	run: \|
	$CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
	$CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"

	Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
	certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
	echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT

	- name: Run smctl healthcheck to confirm if the tool is configured properly.
	working-directory: ${{steps.build.outputs.bin_dir}}
	env:
	WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
	WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
	SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
	SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
	SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
	run: \|
	smctl healthcheck --all
	shell: cmd

	- name: Install Rust
	uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-msvc

	- name: Install Rust
	uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-gnu

	- name: Setup node folder
	run: \|
	mkdir -p "C:/Program Files/node/include"
	Add-Content -Path $env:GITHUB_PATH -Value "C:/Program Files/node"

	- name: Install flatbuffers
	run: \|
	curl -L -O https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/Windows.flatc.binary.zip
	unzip Windows.flatc.binary.zip
	mv flatc.exe "C:/Program Files/node/"

	- name: Install protobuf (protoc)
	run: \|
	curl -L -O https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-win64.zip
	unzip protoc-${{ env.PROTOC_VERSION }}-win64.zip
	mv bin/protoc.exe "C:/Program Files/node/"
	mv include/* "C:/Program Files/node/include"

	- name: Setup Haskell
	uses: haskell-actions/setup@v2
	with:
	ghc-version: ${{ env.GHC_VERSION }}
	enable-stack: true
	stack-version: ${{ env.STACK_VERSION }}

	- uses: milliewalky/setup-7-zip@v1

	- name: Install GCC
	run: \|
	curl -L -O https://github.com/brechtsanders/winlibs_mingw/releases/download/14.2.0posix-19.1.1-12.0.0-msvcrt-r2/winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z
	7z x winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z -oC:/gcc
	Add-Content -Path $env:GITHUB_PATH -Value "C:/gcc/mingw64/bin"

	- name: Install LMDB
	run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb

	- name: Build Windows Node
	run: \|
	./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}

	- name: Extract files to prepare for signing
	run: \|
	dir service\windows\installer
	"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer/Node.msi -x Node.cab
	mkdir Node
	dir
	expand -d Node.cab
	expand -F:* Node.cab ./Node
	dir Node
	shell: cmd

	- name: Rename files to prepare for signing (smctl can only sign files of certain types supported by signtool)
	# See: https://docs.digicert.com/it/digicert-keylocker/client-tools/signing-tools/files-supported-for-signing.html
	run: \|
	mv ./Node/ConcordiumConsensusDLL ./Node/ConcordiumConsensusDLL.dll
	mv ./Node/ConcordiumBaseDLL ./Node/ConcordiumBaseDLL.dll
	mv ./Node/ConcordiumSmartContractEngineDLL ./Node/ConcordiumSmartContractEngineDLL.dll
	mv ./Node/Sha2DLL ./Node/Sha2DLL.dll
	mv ./Node/NodeRunnerService ./Node/NodeRunnerService.exe
	mv ./Node/NodeCollector ./Node/NodeCollector.exe
	mv ./Node/ConcordiumNode ./Node/ConcordiumNode.exe

	- name: Sign files with smctl
	working-directory: ${{steps.build.outputs.bin_dir}}
	env:
	WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
	WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
	SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
	SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
	SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
	SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
	run: \|
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumConsensusDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumBaseDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumSmartContractEngineDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/Sha2DLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeRunnerService.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeCollector.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumNode.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	shell: cmd

	- name: Rename files back to their original form without extension.
	run: \|
	mv ./Node/ConcordiumConsensusDLL.dll ./Node/ConcordiumConsensusDLL
	mv ./Node/ConcordiumBaseDLL.dll ./Node/ConcordiumBaseDLL
	mv ./Node/ConcordiumSmartContractEngineDLL.dll ./Node/ConcordiumSmartContractEngineDLL
	mv ./Node/Sha2DLL.dll ./Node/Sha2DLL
	mv ./Node/NodeRunnerService.exe ./Node/NodeRunnerService
	mv ./Node/NodeCollector.exe ./Node/NodeCollector
	mv ./Node/ConcordiumNode.exe ./Node/ConcordiumNode

	- name: Recreate the cabinet file.
	run: \|
	dir Node /b /a-d > cabfiles.txt
	makecab.exe /D MaxDiskSize=0 /D Cabinet=ON /D Compress=ON /D CabinetName1=Node.cab /D SourceDir=Node /f cabfiles.txt
	shell: cmd

	- name: Repackage the cabinet file.
	run: \|
	del Node.cab
	move disk1\Node.cab .
	expand -d Node.cab
	"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer\Node.msi -k Node.cab
	"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\MsiDb.exe" -d service\windows\installer\Node.msi -a Node.cab
	shell: cmd

	- name: Sign files with smctl
	working-directory: ${{steps.build.outputs.bin_dir}}
	env:
	WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
	WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
	SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
	SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
	SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
	SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
	run: \|
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./service/windows/installer/Node.msi --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	shell: cmd

	- name: Rename the package to target filename.
	run: \|
	cp ./service/windows/installer/Node.msi ./${{ env.ARTIFACT_NAME }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.job }}
	path: ${{ env.ARTIFACT_NAME }}

	node-macos:
	runs-on: macos-latest-large
	environment: release # This step needs to use the release context to access credentials for code signing.
	needs: [validate-preconditions]
	if: contains(fromJSON('["rc", "alpha", "node-macos"]'), needs.validate-preconditions.outputs.release_type)
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Extrapolate artifact name
	run: \|
	ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["${{ github.job }}"].name')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV

	- name: Import Apple signing certificates into a keychain)
	env:
	# Base64 encoding of the p12 certificate for Apple code signing.
	BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_CERTIFICATE_BASE64 }}
	BUILD_INSTALLER_CERTIFICATE_BASE64: ${{ secrets.APPLE_BUILD_INSTALLER_CERTIFICATE_BASE64 }}
	# Password for the p12 certificate for Apple code signing.
	BUILD_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_CERTIFICATE_PASSWORD }}
	BUILD_INSTALLER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_BUILD_INSTALLER_CERTIFICATE_PASSWORD }}
	# Random string to use as the keychain password.
	KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
	run: \|
	# create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/apple_build_certificate.p12
	INSTALLER_CERTIFICATE_PATH=$RUNNER_TEMP/apple_build_installer_certificate.p12
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# import certificate and provisioning profile from secrets
	echo -n "$BUILD_CERTIFICATE_BASE64" \| base64 --decode -o $CERTIFICATE_PATH
	echo -n "$BUILD_INSTALLER_CERTIFICATE_BASE64" \| base64 --decode -o $INSTALLER_CERTIFICATE_PATH

	# create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# import certificate to keychain
	security import $CERTIFICATE_PATH -P "$BUILD_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security import $INSTALLER_CERTIFICATE_PATH -P "$BUILD_INSTALLER_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH

	- uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	toolchain: ${{ env.RUST_VERSION }}

	- uses: haskell-actions/setup@v2
	with:
	ghc-version: ${{ env.GHC_VERSION }}
	enable-stack: true
	stack-version: ${{ env.STACK_VERSION }}

	- name: Install flatbuffers
	run: \|
	wget https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/MacIntel.flatc.binary.zip -O MacIntel.flatc.binary.zip
	unzip MacIntel.flatc.binary.zip -d flatbuffers
	sudo mv flatbuffers/flatc /usr/local/bin/

	- name: Install protobuf
	run: \|
	curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-osx-x86_64.zip
	unzip protoc.zip
	sudo mv bin/protoc /usr/local/bin/
	sudo mv include/* /usr/local/include/

	- name: Install Homebrew Packages
	run: \|
	brew install lmdb llvm

	- name: Build macOS Package
	env:
	# Apple code signing variables:
	APPLEIDPASS: ${{ secrets.APPLEIDPASS }}
	APPLEID: ${{ secrets.APPLEID }}
	run: \|
	printf "Y\n" \| ./scripts/distribution/macOS-package/build.sh ${{ needs.validate-preconditions.outputs.version }}
	cp ./scripts/distribution/macOS-package/build/packages/concordium-node-${{ needs.validate-preconditions.outputs.version }}.pkg ./${{ env.ARTIFACT_NAME }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.job }}
	path: ${{ env.ARTIFACT_NAME }}

	generate-node-matrix:
	runs-on: ubuntu-latest
	needs: [validate-preconditions]
	outputs:
	matrix: ${{ steps.set-matrix.outputs.matrix }}
	steps:

	- name: Initialize Matrix with alpha environments
	run: \|
	MATRIX_JSON=$(echo '[
	{
	"env": "stagenet",
	"tld": "com",
	"genesis_path": "stagenet/2024-09-12/genesis_data",
	"grpc_port": 20500,
	"listen_port": 9500
	},
	{
	"env": "flynet",
	"tld": "com",
	"genesis_path": "flynet/2023-02-01/genesis_data",
	"grpc_port": 20002,
	"listen_port": 8890
	}
	]' \| jq -c)
	echo "MATRIX_JSON=${MATRIX_JSON}" >> $GITHUB_ENV

	- name: Release candidate environments
	if: needs.validate-preconditions.outputs.release_type == 'rc'
	run: \|
	MATRIX_JSON=$(echo "$MATRIX_JSON" \| jq -c '. + [
	{
	"env": "testnet",
	"tld": "com",
	"genesis_path": "testnet/2022-06-13/genesis_data",
	"grpc_port": 20001,
	"listen_port": 8889
	},
	{
	"env": "mainnet",
	"tld": "software",
	"genesis_path": "mainnet/2021-06-09",
	"grpc_port": 20000,
	"listen_port": 8888
	}
	]')
	echo "MATRIX_JSON=${MATRIX_JSON}" >> $GITHUB_ENV

	- name: Output Matrix JSON
	id: set-matrix
	run: echo "matrix=$MATRIX_JSON" >> $GITHUB_OUTPUT

	node-linux:
	runs-on: ubuntu-latest
	if: contains(fromJSON('["rc", "alpha", "node-linux"]'), needs.validate-preconditions.outputs.release_type)
	needs: [ build-static-binaries, validate-preconditions, generate-node-matrix ]
	env:
	DATA_DIR: './scripts/distribution/ubuntu-packages/template/data'
	strategy:
	matrix:
	node: ${{ fromJSON(needs.generate-node-matrix.outputs.matrix) }}
	steps:
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}
	path: /tmp

	- name: Extrapolate artifact name
	run: \|
	ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["node-${{ matrix.node.env }}-linux"].name')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV

	- name: Load image
	run: \|
	docker load --input /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar
	rm /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar

	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Checkout Genesis Repository
	uses: actions/checkout@v4
	with:
	repository: 'Concordium/concordium-infra-genesis-data'
	path: 'genesis'
	ssh-key: ${{ secrets.GENESIS_DATA_KEY }}
	ref: 'main'

	- name: Define domain
	run: echo "DOMAIN=${{ matrix.node.env }}.concordium.${{ matrix.node.tld }}" >> $GITHUB_ENV

	- name: Define project name
	run: echo "PROJECT_NAME=node-${{ matrix.node.env }}-linux" >> $GITHUB_ENV

	- name: Copy Genesis Data
	run: \|
	mkdir -p ${{ env.DATA_DIR }}
	cp genesis/${{ matrix.node.genesis_path }}/genesis.dat ${{ env.DATA_DIR }}/${{ matrix.node.env }}-genesis.dat

	- name: Set environment variables
	run: \|
	echo "BUILD_ENV_NAME=$(echo "${{ matrix.node.env }}" \| awk '{ $1=toupper(substr($1,1,1)) substr($1,2); print }')" >> $GITHUB_ENV
	echo "BUILD_GENESIS_HASH=$(cat genesis/${{ matrix.node.genesis_path }}/genesis_hash \| tr -cd "[:alnum:]")" >> $GITHUB_ENV

	- name: Build Docker Image
	uses: docker/build-push-action@v6
	with:
	context: ./scripts/distribution/ubuntu-packages/
	push: false
	file: ./scripts/distribution/ubuntu-packages/deb.Dockerfile
	tags: ${{ matrix.node.env }}-deb
	no-cache: true
	build-args: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	version=${{ needs.validate-preconditions.outputs.version }}
	static_binaries_image_tag=${{ github.run_id }}
	build_env_name=${{ env.BUILD_ENV_NAME }}
	build_env_name_lower=${{ matrix.node.env }}
	build_catchup_url=https://${{ env.DOMAIN }}/blocks.idx
	build_genesis_hash=${{ env.BUILD_GENESIS_HASH }}
	build_collector_backend_url=https://dashboard.${{ env.DOMAIN }}/nodes/post
	build_grpc2_listen_port=${{ matrix.node.grpc_port }}
	build_listen_port=${{ matrix.node.listen_port }}
	build_bootstrap=bootstrap.${{ env.DOMAIN }}:8888

	- name: Run Docker and Extract Artifacts
	run: \|
	id=$(docker create ${{ matrix.node.env }}-deb)
	docker cp $id:/out/concordium-${{ matrix.node.env }}-node_${{ needs.validate-preconditions.outputs.base_version }}_amd64.deb ${{ env.ARTIFACT_NAME }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: node-${{ matrix.node.env }}-linux
	path: ${{ env.ARTIFACT_NAME }}

	generate-release-matrixes:
	runs-on: ubuntu-latest
	needs: [ node-linux, node-macos, node-windows, p2p-bootstrapper, database-exporter, validate-preconditions, docker-build ]
	outputs:
	s3_names: ${{ steps.s3-matrix.outputs.intersection }}
	docker_names: ${{ steps.docker-matrix.outputs.intersection }}
	steps:
	- name: Find list of potential s3 releases
	run: \|
	echo "S3_CANDIDATES=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r -c 'keys')" >> $GITHUB_ENV
	- name: Find list of potential docker releases
	run: \|
	echo "DOCKER_CANDIDATES=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' \| jq -r -c 'keys')" >> $GITHUB_ENV
	- name: Find released artifacts
	run: \|
	ARTIFACTS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	"https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts" \| jq -r -c '.artifacts \| map(.name) \| @json')
	echo "ARTIFACT_NAMES=$ARTIFACTS" >> $GITHUB_ENV
	- name: s3-matrix
	id: s3-matrix
	run: \|
	intersection=$(jq -n -c \
	--argjson s3 '${{ env.S3_CANDIDATES }}' \
	--argjson artifacts '${{ env.ARTIFACT_NAMES }}' \
	'$s3 - ($s3 - $artifacts)')
	echo "intersection=$intersection" >> $GITHUB_OUTPUT
	- name: docker-matrix
	id: docker-matrix
	run: \|
	intersection=$(jq -n -c \
	--argjson docker '${{ env.DOCKER_CANDIDATES }}' \
	--argjson artifacts '${{ env.ARTIFACT_NAMES }}' \
	'$docker - ($docker - $artifacts)')
	echo "intersection=$intersection" >> $GITHUB_OUTPUT

	docker-build:
	runs-on: ubuntu-latest
	if: contains(fromJSON('["rc", "alpha", "docker"]'), needs.validate-preconditions.outputs.release_type)
	needs: [ build-static-binaries, validate-preconditions, generate-node-matrix ]
	strategy:
	matrix:
	node: ${{ fromJSON(needs.generate-node-matrix.outputs.matrix) }}
	exclude:
	- node:
	env: flynet
	steps:
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}
	path: /tmp

	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Setup genesis deployment key
	run: echo "${{ env.GENESIS_DATA_KEY }}" > id_rsa
	env:
	GENESIS_DATA_KEY: ${{ secrets.GENESIS_DATA_KEY }}

	- name: Set tag
	run: echo "TAG=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' \| jq -r '.["docker-${{ matrix.node.env }}"]')" >> $GITHUB_ENV

	- name: Load image
	run: \|
	docker load --input /tmp/${{ env.STATIC_NODE_BINARY_IMAGE_NAME }}.tar
	docker images

	- name: Build Docker Image
	uses: docker/build-push-action@v6
	with:
	context: .
	file: scripts/distribution/docker/builder.Dockerfile
	tags: ${{ env.TAG }}
	pull: false
	push: false
	ssh: \|
	default=./id_rsa
	build-args: \|
	ubuntu_version=${{ env.UBUNTU_VERSION }}
	static_binaries_image_tag=${{ github.run_id }}
	genesis_ref=main
	genesis_path=${{ matrix.node.genesis_path }}
	environment=${{ matrix.node.env }}

	- name: Save image
	run: docker save -o /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar ${{ env.TAG }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: docker-${{ matrix.node.env }}
	path: /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar

	s3_publish:
	runs-on: ubuntu-latest
	environment: release
	needs: [generate-release-matrixes, validate-preconditions ]
	strategy:
	matrix:
	artifact_name: ${{ fromJSON(needs.generate-release-matrixes.outputs.s3_names) }}
	steps:
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ${{ matrix.artifact_name }}
	path: /tmp

	- name: Extrapolate artifact information
	run: \|
	read S3_DIR S3_FILENAME S3_BUCKET < <(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["${{ matrix.artifact_name }}"] \| "\(.dir)\t\(.name)\t\(.bucket)"')
	echo "S3_FILENAME=${S3_FILENAME}" >> $GITHUB_ENV
	echo "S3_DIR=${S3_DIR}" >> $GITHUB_ENV
	echo "S3_BUCKET=${S3_BUCKET}" >> $GITHUB_ENV

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }}
	role-session-name: ValidatePreconditionsSession
	aws-region: "eu-west-1"

	- name: Upload artifact
	run: \|
	aws s3api put-object --bucket=${{ env.S3_BUCKET }} --key=${{ env.S3_DIR }}/${{ env.S3_FILENAME }} --body=/tmp/${{ env.S3_FILENAME }} --if-none-match='*'

	docker_publish:
	runs-on: ubuntu-latest
	environment: release
	needs: [generate-release-matrixes, validate-preconditions]
	strategy:
	matrix:
	artifact_name: ${{ fromJSON(needs.generate-release-matrixes.outputs.docker_names) }}
	steps:
	- name: Download artifact
	uses: actions/download-artifact@v4
	with:
	name: ${{ matrix.artifact_name }}
	path: /tmp

	- name: Set tag
	run: echo "TAG=$(echo '${{ needs.validate-preconditions.outputs.docker_tags }}' \| jq -r '.["${{ matrix.artifact_name }}"]')" >> $GITHUB_ENV

	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_TOKEN }}

	- name: Load image
	run: docker load --input /tmp/${{ env.DOCKER_ARTIFACT_NAME }}.tar

	- name: Push image
	run: \|
	if docker manifest inspect "${{ env.TAG }}" > /dev/null 2>&1; then
	echo "Error: Image ${{ env.TAG }} already exists in the registry." >&2
	exit 1
	fi
	docker push ${{ env.TAG }}

	- name: Digest docker image
	run: \|
	echo "IMAGE_HASH=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ env.TAG }})" >> $GITHUB_ENV

	- name: Install cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.5.0'

	- name: Sign image
	run: \|
	echo ${{ env.IMAGE_HASH }}
	cosign sign --yes ${{ env.IMAGE_HASH }}

	notify-immutable-infrastructure:
	runs-on: ubuntu-latest
	needs: [ s3_publish, validate-preconditions ]
	if: contains(fromJSON('["rc", "alpha"]'), needs.validate-preconditions.outputs.release_type)
	steps:
	- uses: actions/create-github-app-token@v1
	id: app-token
	with:
	app-id: ${{ vars.APP_ID }}
	private-key: ${{ secrets.APP_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: \|
	concordium-infra-images
	- name: Invoke immutable node release flow
	run: \|
	curl -X POST --fail \
	-H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
	-H "Accept: application/vnd.github.v3+json" \
	https://api.github.com/repos/Concordium/concordium-infra-images/actions/workflows/release-node-images.yaml/dispatches \
	-d '{"ref":"main", "inputs":{"node_version": "${{ needs.validate-preconditions.outputs.version }}", "release_type": "${{ needs.validate-preconditions.outputs.release_type }}"}}'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

COR-1627: streamline windows node signing process #351

Workflow file

COR-1627: streamline windows node signing process #351

Uh oh!

Workflow file for this run