Merge pull request #8738 from Agoric/mhofman/explicit-harden #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build release Docker Images | |
on: | |
push: | |
branches: | |
# $default-branch | |
- master | |
- 'release-*' | |
tags: | |
- '@agoric/sdk@*' | |
workflow_dispatch: | |
env: | |
REGISTRY: ghcr.io | |
jobs: | |
snapshot: | |
if: ${{ github.repository_owner == 'agoric' }} | |
runs-on: ubuntu-latest | |
outputs: | |
tag: '${{ steps.snapshot-tag.outputs.tag }}' | |
steps: | |
- name: Generate Snapshot Tag | |
id: snapshot-tag | |
run: | | |
COMMIT_TIME=$(curl --fail --silent \ | |
--url https://api.github.com/repos/${{ github.repository }}/commits/${{ github.sha }} \ | |
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \ | |
--header 'content-type: application/json' \ | |
| jq '(.commit.committer.date | fromdate)') | |
TIMESTAMP=`date +%Y%m%d%H%M%S --date="@${COMMIT_TIME}"` | |
SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-6) | |
SNAPSHOT_TAG="${TIMESTAMP}-${SHORT_SHA}" | |
echo "tag=$SNAPSHOT_TAG" >> $GITHUB_OUTPUT | |
docker-parallel-build: | |
needs: snapshot | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
strategy: | |
matrix: | |
platform: | |
- linux/amd64 | |
- linux/arm64/v8 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Save BUILD_TAG | |
run: | | |
ARCH=$(echo '${{ matrix.platform }}' | tr / _) | |
echo "BUILD_TAG=${{ needs.snapshot.outputs.tag }}-$ARCH" >> $GITHUB_ENV | |
- name: Save GIT_REVISION | |
run: echo "GIT_REVISION=$(git rev-parse HEAD)" >> $GITHUB_ENV | |
- name: Save GIT_COMMIT | |
run: echo "GIT_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- name: Save commit hash, url of submodules to environment | |
run: | | |
node packages/xsnap/src/build.js --show-env >> $GITHUB_ENV | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
buildkitd-flags: --debug | |
- name: Login to Docker Registry | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
registry: ${{ env.REGISTRY }} | |
- name: Build and Push ssh-node | |
uses: docker/build-push-action@v4 | |
with: | |
file: packages/deployment/Dockerfile.ssh-node | |
context: packages/deployment/docker | |
platforms: ${{ matrix.platform }} | |
push: true | |
tags: '${{ env.REGISTRY }}/agoric/ssh-node:${{ env.BUILD_TAG }}' | |
- name: Build and Push sdk | |
uses: docker/build-push-action@v4 | |
with: | |
file: packages/deployment/Dockerfile.sdk | |
context: ./ | |
platforms: ${{ matrix.platform }} | |
push: true | |
tags: '${{ env.REGISTRY }}/agoric/agoric-sdk:${{ env.BUILD_TAG }}' | |
# When changing/adding entries here, make sure to search the whole | |
# project for `@@AGORIC_DOCKER_SUBMODULES@@` | |
build-args: | | |
GIT_COMMIT=${{env.GIT_COMMIT}} | |
MODDABLE_COMMIT_HASH=${{env.MODDABLE_COMMIT_HASH}} | |
MODDABLE_URL=${{env.MODDABLE_URL}} | |
XSNAP_NATIVE_COMMIT_HASH=${{env.XSNAP_NATIVE_COMMIT_HASH}} | |
XSNAP_NATIVE_URL=${{env.XSNAP_NATIVE_URL}} | |
GIT_REVISION=${{env.GIT_REVISION}} | |
- name: Build and Push setup | |
uses: docker/build-push-action@v4 | |
with: | |
file: packages/deployment/Dockerfile | |
context: packages/deployment | |
platforms: ${{ matrix.platform }} | |
tags: '${{ env.REGISTRY }}/agoric/cosmic-swingset-setup:${{ env.BUILD_TAG }}' | |
push: true | |
build-args: | | |
TAG=${{ env.BUILD_TAG }} | |
- name: notify on failure | |
if: failure() | |
uses: ./.github/actions/notify-status | |
with: | |
webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
from: ${{ secrets.NOTIFY_EMAIL_FROM }} | |
to: ${{ secrets.NOTIFY_EMAIL_TO }} | |
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }} | |
# Publish the build's multiarch images to Docker Registry. | |
docker-sdk: | |
needs: [docker-parallel-build, snapshot] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
outputs: | |
tag: '${{ steps.docker-tags.outputs.tags }}' | |
tags: '${{ steps.docker-tags.outputs.tags }} ${{ needs.snapshot.outputs.tag }}' | |
steps: | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
buildkitd-flags: --debug | |
- name: Login to Docker Registry | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
registry: ${{ env.REGISTRY }} | |
- name: Compute tags | |
id: docker-tags | |
run: | | |
set -ex | |
SDK_TAG=$(echo "$GITHUB_REF_NAME" | sed -ne 's!^@agoric/sdk@!!p') | |
case $SDK_TAG in | |
"") | |
case $GITHUB_REF_NAME in | |
release-*) | |
# A pre-release. | |
DOCKER_TAGS=${GITHUB_REF_NAME#release-}-dev | |
;; | |
master) | |
# A trunk dev release. | |
DOCKER_TAGS=dev | |
;; | |
*) | |
# Some other dev release. | |
DOCKER_TAGS=other-dev | |
;; | |
esac | |
;; | |
*) | |
# A tagged SDK release. | |
# The commit may or may not be a descendant of the current master branch | |
DOCKER_TAGS="latest $SDK_TAG" | |
;; | |
esac | |
echo "tags=$DOCKER_TAGS" >> $GITHUB_OUTPUT | |
- name: Push SDK multiarch | |
run: | | |
set -ex | |
for IMAGE in agoric/agoric-sdk agoric/ssh-node agoric/cosmic-swingset-setup; do | |
for TAG in ${{ steps.docker-tags.outputs.tags }} ${{ needs.snapshot.outputs.tag }}; do | |
sources= | |
for ARCH in linux/amd64 linux/arm64/v8; do | |
uarch=$(echo "$ARCH" | tr / _) | |
BUILD_TAG="${{ needs.snapshot.outputs.tag }}-$uarch" | |
sources="$sources $REGISTRY/$IMAGE:$BUILD_TAG" | |
done | |
docker buildx imagetools create --tag "$REGISTRY/$IMAGE:$TAG"$sources | |
done | |
done | |
# This is currently needed for the relayer integration test framework. | |
# It just runs agoric/agoric-sdk with a "single-node" argument. | |
docker-ibc-alpha: | |
needs: [docker-sdk, snapshot] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
if: ${{ needs.docker-sdk.outputs.tag }} != dev | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Save SDK_TAG | |
run: echo "SDK_TAG=${{ needs.snapshot.outputs.tag }}" >> $GITHUB_ENV | |
- name: Prefix tags | |
id: prefix-tags | |
run: | | |
IMAGE="$REGISTRY/agoric/agoric-sdk" | |
for TAG in ibc-alpha; do | |
PREFIXED="$PREFIXED$sep$IMAGE:$TAG" | |
sep=, | |
done | |
echo "tags=$PREFIXED" >> $GITHUB_OUTPUT | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
buildkitd-flags: --debug | |
- name: Login to Docker Registry | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
registry: ${{ env.REGISTRY }} | |
- name: Build and Push | |
uses: docker/build-push-action@v4 | |
with: | |
file: packages/deployment/Dockerfile.ibc-alpha | |
context: packages/deployment/docker | |
platforms: linux/amd64,linux/arm64/v8 | |
push: true | |
tags: '${{ steps.prefix-tags.outputs.tags }}' | |
build-args: | | |
SDK_TAG=${{env.SDK_TAG}} | |
- name: notify on failure | |
if: failure() | |
uses: ./.github/actions/notify-status | |
with: | |
webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
from: ${{ secrets.NOTIFY_EMAIL_FROM }} | |
to: ${{ secrets.NOTIFY_EMAIL_TO }} | |
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }} | |
docker-solo: | |
needs: [docker-sdk, snapshot] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Save SDK_TAG | |
run: echo "SDK_TAG=${{ needs.snapshot.outputs.tag }}" >> $GITHUB_ENV | |
- name: Prefix tags | |
id: prefix-tags | |
run: | | |
IMAGE="$REGISTRY/agoric/cosmic-swingset-solo" | |
for TAG in ${{ needs.docker-sdk.outputs.tags }}; do | |
PREFIXED="$PREFIXED$sep$IMAGE:$TAG" | |
sep=, | |
done | |
echo "tags=$PREFIXED" >> $GITHUB_OUTPUT | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
buildkitd-flags: --debug | |
- name: Login to Docker Registry | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
registry: ${{ env.REGISTRY }} | |
- name: Build and Push | |
uses: docker/build-push-action@v4 | |
with: | |
file: packages/solo/Dockerfile | |
context: packages/solo | |
platforms: linux/amd64,linux/arm64/v8 | |
push: true | |
tags: '${{ steps.prefix-tags.outputs.tags }}' | |
build-args: | | |
TAG=${{env.SDK_TAG}} | |
- name: notify on failure | |
if: failure() | |
uses: ./.github/actions/notify-status | |
with: | |
webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
from: ${{ secrets.NOTIFY_EMAIL_FROM }} | |
to: ${{ secrets.NOTIFY_EMAIL_TO }} | |
password: ${{ secrets.NOTIFY_EMAIL_PASSWORD }} |