update msig flow for secrets module #447
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: pull-request-main | |
| on: | |
| merge_group: | |
| pull_request: | |
| branches: | |
| - main | |
| - "releases/**" | |
| env: | |
| # Ensure that a cached go version is used: | |
| # https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md#go | |
| GO_VERSION: 1.24 | |
| jobs: | |
| ci-lint: | |
| runs-on: ubuntu-latest-4cores-16GB | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: ci-lint | |
| uses: smartcontractkit/.github/actions/ci-lint-go@01d931b0455a754d12e7143cc54a5a3521a8f6f6 # [email protected] | |
| with: | |
| golangci-lint-args: --timeout 10m --out-format checkstyle:golangci-lint-report.xml | |
| only-new-issues: false | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| use-gati: "true" | |
| aws-role-arn-gati: ${{ secrets.AWS_OIDC_DEV_PLATFORM_READ_REPOS_EXTERNAL_TOKEN_ISSUER_ROLE_ARN }} | |
| aws-lambda-url-gati: ${{ secrets.AWS_DEV_SERVICES_TOKEN_ISSUER_LAMBDA_URL }} | |
| ci-lint-misc: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: ci-lint-misc | |
| uses: smartcontractkit/.github/actions/ci-lint-misc@01d931b0455a754d12e7143cc54a5a3521a8f6f6 # [email protected] | |
| ci-test-unit: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: ci-test | |
| uses: smartcontractkit/.github/actions/ci-test-go@ci-test-go/0.3.5 | |
| with: | |
| go-test-cmd: go test -v $(go list ./... | grep -v -e usbwallet -e test) | |
| use-go-cache: "true" | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| use-gati: "true" | |
| aws-role-arn-gati: ${{ secrets.AWS_OIDC_DEV_PLATFORM_READ_REPOS_EXTERNAL_TOKEN_ISSUER_ROLE_ARN }} | |
| aws-lambda-url-gati: ${{ secrets.AWS_DEV_SERVICES_TOKEN_ISSUER_LAMBDA_URL }} | |
| ci-test-e2e: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, windows-latest] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: read | |
| steps: | |
| - name: setup-foundry | |
| uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 | |
| with: | |
| version: "v1.1.0" | |
| - name: ci-test | |
| uses: smartcontractkit/.github/actions/ci-test-go@2b1d964024bb001ae9fba4f840019ac86ad1d824 #1.1.0 | |
| env: | |
| TEST_LOG_LEVEL: debug | |
| with: | |
| go-test-cmd: go test -p 5 -v -timeout 30m ./test/ 2>&1 | tee output.txt | |
| use-go-cache: "true" | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| use-gati: "true" | |
| aws-role-arn-gati: ${{ secrets.AWS_OIDC_DEV_PLATFORM_READ_REPOS_EXTERNAL_TOKEN_ISSUER_ROLE_ARN }} | |
| aws-lambda-url-gati: ${{ secrets.AWS_DEV_SERVICES_TOKEN_ISSUER_LAMBDA_URL }} | |
| artifact-name: go-test-${{ matrix.os }} | |
| ci-test-system: | |
| runs-on: ubuntu-latest-4cores-16GB | |
| if: false # Disable system test untill we have a version of the test that works with the new CRE CLI (Smartcon) | |
| environment: system-test | |
| permissions: | |
| contents: read | |
| actions: read | |
| id-token: write | |
| steps: | |
| # based on build-and-release.yml | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # actions/[email protected] | |
| - name: Setup GitHub Token | |
| id: setup-github-token | |
| uses: smartcontractkit/.github/actions/setup-github-token@ef78fa97bf3c77de6563db1175422703e9e6674f # [email protected] | |
| with: | |
| aws-role-arn: ${{ secrets.AWS_OIDC_DEV_PLATFORM_READ_REPOS_EXTERNAL_TOKEN_ISSUER_ROLE_ARN }} | |
| aws-lambda-url: ${{ secrets.AWS_DEV_SERVICES_TOKEN_ISSUER_LAMBDA_URL }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| aws-role-duration-seconds: "1800" # this is optional and defaults to 900 | |
| set-git-config: true | |
| - name: Install Dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y gcc-x86-64-linux-gnu libc6-dev-amd64-cross | |
| - name: Build the CRE CLI Go Binary | |
| env: | |
| GOOS: linux | |
| GOARCH: amd64 | |
| CGO_ENABLED: 1 | |
| CC: x86_64-linux-gnu-gcc | |
| GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }} | |
| run: | | |
| VERSION="${{ github.ref_name }}" | |
| BINARY_NAME="cre_linux_amd64" | |
| go build -ldflags "-X 'github.com/smartcontractkit/cre-cli/cmd/version.Version=version $VERSION'" -o "${BINARY_NAME}" | |
| - name: Check if current branch exists in chainlink repo | |
| id: check-branch | |
| env: | |
| BRANCH_NAME: ${{ github.head_ref || github.ref_name }} | |
| GITHUB_TOKEN: ${{ steps.setup-github-token.outputs.access-token }} | |
| run: | | |
| echo "Current branch: $BRANCH_NAME" | |
| # Check if branch exists in the target repository | |
| if gh api "repos/smartcontractkit/chainlink/branches/$BRANCH_NAME" --silent 2>/dev/null; then | |
| echo "Branch $BRANCH_NAME exists in chainlink repository. Going to use it" | |
| echo "target_branch=$BRANCH_NAME" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "Branch $BRANCH_NAME does not exist in chainlink repository, will use develop" | |
| echo "target_branch=develop" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Derive nightly image tag | |
| id: derive-nightly-image-tag | |
| shell: bash | |
| run: | | |
| # use todays's nightly image tag, built at 03:00 UTC | |
| TODAY="$(date +%Y%m%d)" | |
| echo "nightly_image_tag=nightly-${TODAY}-plugins" >> "$GITHUB_OUTPUT" | |
| - name: Checkout chainlink repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # actions/[email protected] | |
| with: | |
| repository: smartcontractkit/chainlink | |
| ref: ${{ steps.check-branch.outputs.target_branch }} | |
| path: chainlink | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: chainlink/system-tests/tests/go.mod | |
| - name: Copy CRE CLI binary to test folder | |
| run: | | |
| cp cre_linux_amd64 chainlink/system-tests/tests/smoke/cre/cre_linux_amd64 | |
| # override a bit of test config with the new binary | |
| # currently, there's no elegant way to dynamically pass the binary to the test | |
| # also, override blockchains slice with only 1 blockchain | |
| cat > chainlink/system-tests/tests/smoke/cre/cre-cli.toml<< EOF | |
| [[blockchains]] | |
| type = "anvil" | |
| chain_id = "1337" | |
| [dependencies] | |
| cre_cli_binary_path = "./cre_linux_amd64" | |
| EOF | |
| # We need to login to ECR to allow the test to pull the Job Distributor and Chainlink images | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
| with: | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| role-to-assume: ${{ secrets.READ_JD_ECR_ROLE_ARN }} | |
| role-duration-seconds: 1800 | |
| mask-aws-account-id: true | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1 | |
| with: | |
| registries: ${{ format('{0},{1}', secrets.PROD_AWS_ACCOUNT_NUMBER, secrets.SDLC_AWS_ACCOUNT_NUMBER) }} | |
| env: | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| - name: Run CRE System Test | |
| id: run_cre_tests | |
| timeout-minutes: 30 | |
| env: | |
| CI: "true" | |
| E2E_TEST_CHAINLINK_IMAGE: ${{ secrets.SDLC_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/chainlink | |
| E2E_TEST_CHAINLINK_VERSION: ${{ steps.derive-nightly-image-tag.outputs.nightly_image_tag }} | |
| E2E_JD_IMAGE: ${{ secrets.PROD_AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ | |
| secrets.AWS_REGION}}.amazonaws.com/job-distributor | |
| E2E_JD_VERSION: 0.9.0 | |
| CTF_CONFIGS: environment-one-don-multichain-ci.toml,cre-cli.toml | |
| GIST_WRITE_TOKEN: ${{ secrets.GIST_WRITE_TOKEN }} | |
| GITHUB_READ_TOKEN: ${{ steps.setup-github-token.outputs.access-token }} | |
| # Anvil developer key, not a secret | |
| PRIVATE_KEY: "ac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" | |
| shell: bash | |
| #TODO (DEVSVCS-2016) clean the GOLANG_PROTOBUF_REGISTRATION_CONFLICT flag | |
| run: | | |
| cd chainlink/system-tests/tests/smoke/cre | |
| go mod download | |
| # download the cron capability required by the test | |
| pushd cmd > /dev/null && \ | |
| go run main.go download capabilities --output-dir ../ --gh-token-env-var-name GITHUB_READ_TOKEN --names cron --version v1.0.2-alpha 1>&2 && \ | |
| popd > /dev/null | |
| # run the test | |
| GOLANG_PROTOBUF_REGISTRATION_CONFLICT=warn go test github.com/smartcontractkit/chainlink/system-tests/tests/smoke/cre -v -run "^(TestCRE_OCR3_PoR_Workflow_SingleDon_MultipleWriters_MockedPrice)$" -timeout 30m -count=1 -test.parallel=1 | |
| - name: Publish Artifacts | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: cre-system-tests-logs | |
| path: | | |
| ./chainlink/system-tests/tests/smoke/cre/logs/ | |
| /tmp/gotest.log | |
| tidy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| actions: read | |
| id-token: write | |
| steps: | |
| - name: Checkout the repo | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup GitHub Token | |
| id: setup-github-token | |
| uses: smartcontractkit/.github/actions/setup-github-token@ef78fa97bf3c77de6563db1175422703e9e6674f # [email protected] | |
| with: | |
| aws-role-arn: ${{ secrets.AWS_OIDC_DEV_PLATFORM_READ_REPOS_EXTERNAL_TOKEN_ISSUER_ROLE_ARN }} | |
| aws-lambda-url: ${{ secrets.AWS_DEV_SERVICES_TOKEN_ISSUER_LAMBDA_URL }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| aws-role-duration-seconds: "1800" # this is optional and defaults to 900 | |
| set-git-config: true | |
| - name: Set up Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # 5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Run "tidy" | |
| run: go mod tidy | |
| - name: Ensure no diff | |
| run: git diff --stat --exit-code |