ci(common): fix re-tag race conditions

Author: eudelins-zama

.github/workflows/check-changes-for-docker-build.yml

@@ -0,0 +1,118 @@
+name: check-changes-for-docker-build
+
+on:
+  workflow_call:
+    secrets:
+      GHCR_READ_TOKEN:
+        required: true
+    inputs:
+      caller-workflow-event-name:
+        description: "The github.name of the caller workflow"
+        type: string
+        required: true
+      caller-workflow-event-before:
+        description: "The github.event.before sha of the caller workflow"
+        type: string
+        required: true
+      docker-image:
+        description: "The name of the docker image of the service"
+        type: string
+        required: true
+      max-commit-count:
+        description: Maximum number of commits to search for an image
+        default: 50
+        required: false
+      filters:
+        description: "The filters for the dorny/paths-filter action"
+        type: string
+        required: true
+    outputs:
+      base-commit:
+        description: "The base commit of the previous docker image"
+        value: ${{ jobs.check-changes.outputs.base-commit }}
+      changes:
+        description: "Output of the dorny/paths-filter action"
+        value: ${{ jobs.check-changes.outputs.changes }}
+
+permissions: {}
+
+jobs:
+  check-changes:
+    name: check-changes
+    permissions:
+      actions: 'read' # Required to read workflow run information
+      contents: 'read' # Required to checkout repository code
+      pull-requests: 'read' # Required to read pull request information
+    runs-on: ubuntu-latest
+    outputs:
+      changes: ${{ steps.set-changes-output.outputs.changes }}
+      base-commit: ${{ steps.set-base-commit.outputs.base-commit }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: 'false'
+
+      - name: Install Docker (push only)
+        # if: inputs.caller-workflow-event-name == 'push' # TODO
+        uses: docker/setup-docker-action@efe9e3891a4f7307e689f2100b33a155b900a608 # v4.5.0
+
+      - name: Login to GitHub Container Registry (push only)
+        # if: inputs.caller-workflow-event-name == 'push' # TODO
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_READ_TOKEN }}
+
+      - name: Find latest commit with existing image (push only)
+        id: find-latest-image-commit
+        # if: inputs.caller-workflow-event-name == 'push' # TODO
+        shell: bash
+        env:
+          BASE_BRANCH_COMMIT: ${{ inputs.caller-workflow-event-before }}
+          IMAGE: ghcr.io/zama-ai/${{ inputs.docker-image }}
+          MAX_COMMIT_COUNT: ${{ inputs.max-commit-count }}
+        run: |
+          git fetch origin main
+          mapfile -t CANDIDATES < <(git rev-list "${BASE_BRANCH_COMMIT}" --max-count=${MAX_COMMIT_COUNT})
+
+          LATEST_IMAGE_COMMIT=""
+          for commit in "${CANDIDATES[@]}"; do
+            short_commit=${commit:0:7}
+            echo "Checking if ${IMAGE}:${short_commit} image exists..."
+            if docker manifest inspect "${IMAGE}:${short_commit}"; then
+              LATEST_IMAGE_COMMIT="${commit}"
+              echo "${IMAGE}:${short_commit} was found!"
+              break
+            fi
+          done
+
+          if [[ -z "${LATEST_IMAGE_COMMIT}" ]]; then
+            echo "No images found for ${IMAGE} with the last ${MAX_COMMIT_COUNT} commits!"
+            exit 1
+          fi
+
+          echo "latest-image-commit=${LATEST_IMAGE_COMMIT}" >> "$GITHUB_OUTPUT"
+
+      - id: set-base-commit
+        shell: bash
+        env:
+          LATEST_IMAGE_COMMIT: ${{ steps.find-latest-image-commit.outputs.latest-image-commit }}
+          BASE_BRANCH_COMMIT: ${{ inputs.caller-workflow-event-before }}
+        run: |
+          echo "base-commit=${LATEST_IMAGE_COMMIT:-$BASE_BRANCH_COMMIT}" >> "$GITHUB_OUTPUT"
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          base: ${{ steps.set-base-commit.outputs.base-commit }}
+          filters: ${{ inputs.filters }}
+
+      - id: set-changes-output
+        shell: bash
+        env:
+          FILTER_OUTPUTS_JSON: ${{ toJSON(steps.filter.outputs) }}
+        run: |
+          first_key=$(jq -r 'keys[0]' <<< "$FILTER_OUTPUTS_JSON")
+          first_value=$(jq -r --arg k "$first_key" '.[$k]' <<< "$FILTER_OUTPUTS_JSON")
+          echo "changes=$first_value" >> "$GITHUB_OUTPUT"

.github/workflows/kms-connector-docker-build.yml

@@ -9,6 +9,8 @@ on:
         required: true
       BLOCKCHAIN_ACTIONS_TOKEN:
         required: true
+      GHCR_READ_TOKEN:
+        required: true
       CGR_USERNAME:
         required: true
       CGR_PASSWORD:
@@ -50,6 +52,7 @@ on:
   push:
     branches:
       - main
+  pull_request: # TODO: remove later
 
 permissions: {}
 
@@ -58,50 +61,31 @@ concurrency:
   cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
 
 jobs:
-  check-changes:
-    name: check-changes
-    permissions:
+  ########################################################################
+  #                             DB MIGRATION                             #
+  ########################################################################
+  check-changes-db-migration:
+    uses: ./.github/workflows/check-changes-for-docker-build.yml
+    secrets: &check_changes_secrets
+      GHCR_READ_TOKEN: ${{ secrets.GHCR_READ_TOKEN }}
+    permissions: &check_changes_permissions
       actions: 'read' # Required to read workflow run information
       contents: 'read' # Required to checkout repository code
       pull-requests: 'read' # Required to read pull request information
-    runs-on: ubuntu-latest
-    outputs:
-      changes-db-migration: ${{ steps.filter.outputs.db-migration }}
-      changes-gw-listener: ${{ steps.filter.outputs.gw-listener }}
-      changes-kms-worker: ${{ steps.filter.outputs.kms-worker }}
-      changes-tx-sender: ${{ steps.filter.outputs.tx-sender }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: 'false'
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-        id: filter
-        with:
-          filters: |
-            db-migration:
-              - .github/workflows/kms-connector-docker-build.yml
-              - kms-connector/connector-db/**
-            gw-listener:
-              - .github/workflows/kms-connector-docker-build.yml
-              - kms-connector/crates/gw-listener/**
-              - kms-connector/crates/utils/**
-              - kms-connector/Cargo.*
-            kms-worker:
-              - .github/workflows/kms-connector-docker-build.yml
-              - kms-connector/crates/kms-worker/**
-              - kms-connector/crates/utils/**
-              - kms-connector/Cargo.*
-            tx-sender:
-              - .github/workflows/kms-connector-docker-build.yml
-              - kms-connector/crates/tx-sender/**
-              - kms-connector/crates/utils/**
-              - kms-connector/Cargo.*
+    with:
+      caller-workflow-event-name: ${{ github.event_name }}
+      caller-workflow-event-before: ${{ github.event.before }}
+      docker-image: fhevm/kms-connector/db-migration
+      filters: |
+        db-migration:
+          - .github/workflows/kms-connector-docker-build.yml
+          - kms-connector/connector-db/**
 
   build-db-migration:
-    needs: check-changes
+    needs: check-changes-db-migration
     if: |
       github.event_name == 'release'
-      || (github.event_name != 'workflow_dispatch' && needs.check-changes.outputs.changes-db-migration == 'true')
+      || (github.event_name != 'workflow_dispatch' && needs.check-changes-db-migration.outputs.changes == 'true')
       || (github.event_name == 'workflow_dispatch' && inputs.build_db_migration)
     uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
     secrets: &docker_secrets
@@ -125,11 +109,44 @@ jobs:
       app-cache-dir: "fhevm-kms-connector-db-migration"
       rust-toolchain-file-path: kms-connector/rust-toolchain.toml
 
+  re-tag-db-migration-image:
+    needs: check-changes-db-migration
+    if: |
+      needs.check-changes-db-migration.outputs.changes != 'true' && github.event_name == 'push'
+    permissions: &re-tag-image-permissions
+      actions: 'read' # Required to read workflow run information
+      contents: 'read' # Required to checkout repository code
+      packages: 'write' # Required to publish Docker images
+      id-token: 'write' # Required for OIDC authentication
+    uses: ./.github/workflows/re-tag-docker-image.yml
+    with:
+      image-name: "fhevm/kms-connector/db-migration"
+      previous-tag-or-commit: ${{ needs.check-changes-db-migration.outputs.base-commit }}
+      new-tag-or-commit: ${{ github.event.after }}
+
+  ########################################################################
+  #                           GATEWAY LISTENER                           #
+  ########################################################################
+  check-changes-gw-listener:
+    uses: ./.github/workflows/check-changes-for-docker-build.yml
+    secrets: *check_changes_secrets
+    permissions: *check_changes_permissions
+    with:
+      caller-workflow-event-name: ${{ github.event_name }}
+      caller-workflow-event-before: ${{ github.event.before }}
+      docker-image: fhevm/kms-connector/gw-listener
+      filters: |
+        gw-listener:
+          - .github/workflows/kms-connector-docker-build.yml
+          - kms-connector/crates/gw-listener/**
+          - kms-connector/crates/utils/**
+          - kms-connector/Cargo.*
+
   build-gw-listener:
-    needs: check-changes
+    needs: check-changes-gw-listener
     if: |
       github.event_name == 'release'
-      || (github.event_name != 'workflow_dispatch' && needs.check-changes.outputs.changes-gw-listener == 'true')
+      || (github.event_name != 'workflow_dispatch' && needs.check-changes-gw-listener.outputs.changes == 'true')
       || (github.event_name == 'workflow_dispatch' && inputs.build_gw_listener)
     uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
     permissions: *docker_permissions
@@ -142,11 +159,40 @@ jobs:
       app-cache-dir: "fhevm-kms-connector-gw-listener"
       rust-toolchain-file-path: kms-connector/rust-toolchain.toml
 
+  re-tag-gw-listener-image:
+    needs: check-changes-gw-listener
+    if: |
+      needs.check-changes-gw-listener.outputs.changes != 'true' && github.event_name == 'push'
+    permissions: *re-tag-image-permissions
+    uses: ./.github/workflows/re-tag-docker-image.yml
+    with:
+      image-name: "fhevm/kms-connector/gw-listener"
+      previous-tag-or-commit: ${{ needs.check-changes-gw-listener.outputs.base-commit }}
+      new-tag-or-commit: ${{ github.event.after }}
+
+  ########################################################################
+  #                              KMS WORKER                              #
+  ########################################################################
+  check-changes-kms-worker:
+    uses: ./.github/workflows/check-changes-for-docker-build.yml
+    secrets: *check_changes_secrets
+    permissions: *check_changes_permissions
+    with:
+      caller-workflow-event-name: ${{ github.event_name }}
+      caller-workflow-event-before: ${{ github.event.before }}
+      docker-image: fhevm/kms-connector/kms-worker
+      filters: |
+        kms-worker:
+          - .github/workflows/kms-connector-docker-build.yml
+          - kms-connector/crates/kms-worker/**
+          - kms-connector/crates/utils/**
+          - kms-connector/Cargo.*
+
   build-kms-worker:
-    needs: check-changes
+    needs: check-changes-kms-worker
     if: |
       github.event_name == 'release'
-      || (github.event_name != 'workflow_dispatch' && needs.check-changes.outputs.changes-kms-worker == 'true')
+      || (github.event_name != 'workflow_dispatch' && needs.check-changes-kms-worker.outputs.changes == 'true')
       || (github.event_name == 'workflow_dispatch' && inputs.build_kms_worker)
     uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
     permissions: *docker_permissions
@@ -159,11 +205,40 @@ jobs:
       app-cache-dir: "fhevm-kms-connector-kms-worker"
       rust-toolchain-file-path: kms-connector/rust-toolchain.toml
 
+  re-tag-kms-worker-image:
+    needs: check-changes-kms-worker
+    if: |
+      needs.check-changes-kms-worker.outputs.changes != 'true' && github.event_name == 'push'
+    permissions: *re-tag-image-permissions
+    uses: ./.github/workflows/re-tag-docker-image.yml
+    with:
+      image-name: "fhevm/kms-connector/kms-worker"
+      previous-tag-or-commit: ${{ needs.check-changes-kms-worker.outputs.base-commit }}
+      new-tag-or-commit: ${{ github.event.after }}
+
+  ########################################################################
+  #                          TRANSACTION SENDER                          #
+  ########################################################################
+  check-changes-tx-sender:
+    uses: ./.github/workflows/check-changes-for-docker-build.yml
+    secrets: *check_changes_secrets
+    permissions: *check_changes_permissions
+    with:
+      caller-workflow-event-name: ${{ github.event_name }}
+      caller-workflow-event-before: ${{ github.event.before }}
+      docker-image: fhevm/kms-connector/tx-sender
+      filters: |
+        tx-sender:
+          - .github/workflows/kms-connector-docker-build.yml
+          - kms-connector/crates/tx-sender/**
+          - kms-connector/crates/utils/**
+          - kms-connector/Cargo.*
+
   build-tx-sender:
-    needs: check-changes
+    needs: check-changes-tx-sender
     if: |
       github.event_name == 'release'
-      || (github.event_name != 'workflow_dispatch' && needs.check-changes.outputs.changes-tx-sender == 'true')
+      || (github.event_name != 'workflow_dispatch' && needs.check-changes-tx-sender.outputs.changes == 'true')
       || (github.event_name == 'workflow_dispatch' && inputs.build_tx_sender)
     uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
     permissions: *docker_permissions
@@ -176,50 +251,13 @@ jobs:
       app-cache-dir: "fhevm-kms-connector-tx-sender"
       rust-toolchain-file-path: kms-connector/rust-toolchain.toml
 
-  re-tag-db-migration-image:
-    needs: check-changes
-    if: |
-      needs.check-changes.outputs.changes-db-migration != 'true' && github.event_name == 'push'
-    permissions: &re-tag-image-permissions
-      actions: 'read' # Required to read workflow run information
-      contents: 'read' # Required to checkout repository code
-      packages: 'write' # Required to publish Docker images
-      id-token: 'write' # Required for OIDC authentication
-    uses: ./.github/workflows/re-tag-docker-image.yml
-    with:
-      image-name: "fhevm/kms-connector/db-migration"
-      previous-tag-or-commit: ${{ github.event.before }}
-      new-tag-or-commit: ${{ github.event.after }}
-
-  re-tag-gw-listener-image:
-    needs: check-changes
-    if: |
-      needs.check-changes.outputs.changes-gw-listener != 'true' && github.event_name == 'push'
-    permissions: *re-tag-image-permissions
-    uses: ./.github/workflows/re-tag-docker-image.yml
-    with:
-      image-name: "fhevm/kms-connector/gw-listener"
-      previous-tag-or-commit: ${{ github.event.before }}
-      new-tag-or-commit: ${{ github.event.after }}
-
-  re-tag-kms-worker-image:
-    needs: check-changes
-    if: |
-      needs.check-changes.outputs.changes-kms-worker != 'true' && github.event_name == 'push'
-    permissions: *re-tag-image-permissions
-    uses: ./.github/workflows/re-tag-docker-image.yml
-    with:
-      image-name: "fhevm/kms-connector/kms-worker"
-      previous-tag-or-commit: ${{ github.event.before }}
-      new-tag-or-commit: ${{ github.event.after }}
-
   re-tag-tx-sender-image:
-    needs: check-changes
+    needs: check-changes-tx-sender
     if: |
-      needs.check-changes.outputs.changes-tx-sender != 'true' && github.event_name == 'push'
+      needs.check-changes-tx-sender.outputs.changes != 'true' && github.event_name == 'push'
     permissions: *re-tag-image-permissions
     uses: ./.github/workflows/re-tag-docker-image.yml
     with:
       image-name: "fhevm/kms-connector/tx-sender"
-      previous-tag-or-commit: ${{ github.event.before }}
+      previous-tag-or-commit: ${{ needs.check-changes-tx-sender.outputs.base-commit }}
       new-tag-or-commit: ${{ github.event.after }}