forked from stacks-network/stacks-core
-
Notifications
You must be signed in to change notification settings - Fork 0
203 lines (183 loc) · 7.16 KB
/
Copy pathrelease-github.yml
File metadata and controls
203 lines (183 loc) · 7.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
# Github workflow to create a github release and upload binary artifacts
name: "Release: Github"
on:
workflow_call:
inputs:
node_tag:
description: "Node Docker Release Tag"
required: true
type: string
signer_tag:
description: "Signer Docker Release Tag"
required: true
type: string
is_node_release:
description: "True if it is a node release"
required: true
type: string
# Set default permissions
permissions:
contents: read
# Configure concurrency
concurrency:
group: release-github-${{ github.head_ref || github.ref }}
# Always cancel duplicate jobs
cancel-in-progress: true
run-name: ${{ inputs.node_tag || inputs.signer_tag }}
jobs:
# Build arch dependent binaries from source
#
# Runs when the following is true:
# - either node or signer tag is provided
# - workflow approval is provided
andon-cord:
name: Andon Cord
if: >-
(inputs.node_tag != '' || inputs.signer_tag != '')
runs-on: ubuntu-latest
environment: "Build Release"
steps:
- name: Check Approval
run: |
exit 0
# Build binaries as artifacts
build-binaries:
name: Build Binaries
needs:
- andon-cord
if: |
inputs.node_tag != '' ||
inputs.signer_tag != ''
permissions:
contents: read # required for checkout inside release-build.yml
id-token: write # required for attestation inside release-build.yml
attestations: write # required for attestation inside release-build.yml
uses: ./.github/workflows/release-build.yml
with:
node_tag: ${{ inputs.node_tag }} # used to conditionally run step in release-build.yml
signer_tag: ${{ inputs.signer_tag }} # used to conditionally run step in release-build.yml
# Build docker images using the binary artifacts
docker-images:
name: Build Docker Images
needs:
- andon-cord
- build-binaries
if: |
inputs.node_tag != '' ||
inputs.signer_tag != ''
permissions:
contents: read # required for checkout inside release-docker.yml
id-token: write # required for attestation inside release-docker.yml
attestations: write # required for attestation inside release-docker.yml
packages: write # required for image push inside release-docker.yml
strategy:
fail-fast: false
# Build a maximum of 2 images concurrently based on matrix.dist
max-parallel: 2
matrix:
type:
- stacks-core
- stacks-signer
exclude:
# When is_node_release is false, only build stacks-signer.
- type: ${{ inputs.is_node_release == 'false' && 'stacks-core' }}
# Build the docker images
uses: ./.github/workflows/release-docker.yml
with:
node_tag: ${{ inputs.node_tag }} # node_tag will contains the 5 char node version, i.e. 3.3.0.0.0
signer_tag: ${{ inputs.signer_tag }} # signer_tag contains 6 char signer version, i.e. 3.3.0.0.0.1
release_type: ${{ matrix.type }} # one of stacks-signer or stacks-core
# Consolidate all digest artifacts from docker-images matrix into a single manifest
consolidate-digests:
name: Consolidate Digest Artifacts
needs: docker-images
if: always()
runs-on: ubuntu-latest
steps:
# Download all individual digest artifacts from all matrix jobs
- name: Download All Digest Artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: digest-*
path: /tmp/digest-artifacts
merge-multiple: true
# Consolidate individual digests into single manifest
- name: Create Consolidated Digest Manifest
run: |
echo "Consolidating digests from all matrix jobs"
echo "Files downloaded:"
find /tmp/digest-artifacts -type f -name "*.json" | sort
# Initialize the manifest JSON
manifest='{}'
# Process each digest file and merge into manifest
for digest_file in /tmp/digest-artifacts/*.json; do
if [[ ! -f "${digest_file}" ]]; then
continue
fi
echo "Processing: $(basename ${digest_file})"
# Extract release_type and libc_variant from the file
release_type=$(jq -r '.release_type // empty' "${digest_file}" 2>/dev/null)
libc_variant=$(jq -r '.libc_variant // empty' "${digest_file}" 2>/dev/null)
digest=$(jq -r '.digest // empty' "${digest_file}" 2>/dev/null)
package_id=$(jq -r '.package_id // empty' "${digest_file}" 2>/dev/null)
# Only process if all required fields are present
if [[ -n "${release_type}" && -n "${libc_variant}" && -n "${digest}" && -n "${package_id}" ]]; then
echo " Adding: ${release_type}/${libc_variant} = ${digest:0:20}... (package_id: ${package_id})"
# Add to manifest using jq with safe variable substitution
manifest=$(printf '%s' "${manifest}" | jq \
--arg rt "${release_type}" \
--arg lc "${libc_variant}" \
--arg d "${digest}" \
--arg pid "${package_id}" \
'.[$rt] |= . // {} | .[$rt][$lc] = {digest: $d, package_id: $pid}' 2>/dev/null)
fi
done
# Write the consolidated manifest
echo "${manifest}" | jq . > /tmp/digest-manifest.json
echo "Consolidated manifest created:"
jq . /tmp/digest-manifest.json
# Upload the consolidated manifest as an artifact
- name: Upload Consolidated Manifest
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: digest-manifest
path: /tmp/digest-manifest.json
retention-days: 1
# Create the github release
create-release:
name: Create Release
needs:
- andon-cord
- build-binaries
- docker-images
- consolidate-digests
if: >-
github.event.repository.visibility == 'public' &&
(inputs.node_tag != '' ||
inputs.signer_tag != '')
runs-on: ubuntu-latest
permissions:
contents: write
steps:
# Checkout the code
# - only .github is required for this job
- name: Checkout the latest code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
sparse-checkout: |
.github
# Download consolidated digest manifest from consolidate-digests job
- name: Download Docker Image Digest Manifest
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: digest-manifest
path: /tmp
# Creates github release(s)
- name: Create Release
uses: ./.github/actions/release
with:
node_tag: ${{ inputs.node_tag }} # name used for release (use the version by itself
# node_epoch: ${{ inputs.node_epoch }}
signer_tag: signer-${{ inputs.signer_tag }} # name used for release (prefix with 'signer-')
digest_manifest: /tmp/digest-manifest.json