build: add signed binaries to releases (#854)

* feat: signed binaries * build: built binaries are not static * build: build and sign x86-64 and arm64 releases
dashpay · Jul 31, 2024 · c4d6346 · c4d6346
1 parent 456bc83
commit c4d6346
Show file tree

Hide file tree

Showing 2 changed files with 115 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -3,14 +3,14 @@
 OUTPUT ?= build/tenderdash
 BUILDDIR ?= $(CURDIR)/build
 REPO_NAME ?= github.com/dashevo/tenderdash
-BUILD_TAGS ?= tenderdash
+BUILD_TAGS ?= tenderdash,netgo,osusergo
 # If building a release, please checkout the version tag to get the correct version setting
 ifneq ($(shell git symbolic-ref -q --short HEAD),)
 VERSION := unreleased-$(shell git symbolic-ref -q --short HEAD)-$(shell git rev-parse HEAD)
 else
-VERSION := $(shell git describe)
+VERSION := $(shell git describe --tags)
 endif
-LD_FLAGS = -X ${REPO_NAME}/version.TMCoreSemVer=$(VERSION)
+LD_FLAGS = -X ${REPO_NAME}/version.TMCoreSemVer=$(VERSION) -linkmode 'external' -extldflags '-static'
 BUILD_FLAGS = -mod=readonly -ldflags "$(LD_FLAGS)"
 HTTPS_GIT := https://${REPO_NAME}.git
 BUILD_IMAGE := ghcr.io/tendermint/docker-build-proto

diff --git a/scripts/release/release.sh b/scripts/release/release.sh
@@ -116,7 +116,7 @@ function configureFinal() {
  CURRENT_BRANCH="$(git branch --show-current)"
  SOURCE_BRANCH="v${VERSION_WITHOUT_PRERELEASE%.*}-dev"
  RELEASE_BRANCH="release_${NEW_PACKAGE_VERSION}"
- MILESTONE="v${VERSION_WITHOUT_PRERELEASE}"
+ MILESTONE="v${VERSION_WITHOUT_PRERELEASE%.*}"
 
  if [[ ${RELEASE_TYPE} != "prerelease" ]]; then # full release
  TARGET_BRANCH="master"
@@ -235,7 +235,7 @@ function createRelease() {
  --generate-notes \
  --target "${TARGET_BRANCH}" \
  ${gh_args} \
- "v${NEW_PACKAGE_VERSION}"
+  "v${NEW_PACKAGE_VERSION}"
 }
 
 function deleteRelease() {
@@ -251,6 +251,109 @@ function getReleaseUrl() {
  gh release view --json url --jq .url "v${NEW_PACKAGE_VERSION}"
 }
 
+function waitForRelease() {
+ debug 'Waiting for release to be published; use ^C to cancel'
+
+ while [[ "$(gh release view --json isDraft --jq .isDraft "v${NEW_PACKAGE_VERSION}")" != "false" ]]; do
+ sleep 10
+ done
+}
+
+function buildAndUploadArtifacts() {
+
+ bindir="$(mktemp -d)"
+ local platforms=("linux/amd64" "linux/arm64")
+
+ waitForRelease
+ # checkout and build binaries from release tag
+ # TODO: uncomment
+ # git fetch --tags && git checkout "v${NEW_PACKAGE_VERSION}"
+
+ buildBinaries "${bindir}" "${platforms[@]}"
+
+ # Sign binaries
+ signBinary "${bindir}"/tenderdash-*
+
+ # Create tarball
+ for platform in "${platforms[@]}"; do
+ local platform_safe="${platform//\//-}"
+
+ tar -C "${bindir}" \
+ -czf "${bindir}/tenderdash-${NEW_PACKAGE_VERSION}-${platform_safe}.tar.gz" \
+ "tenderdash-${platform_safe}" "tenderdash-${platform_safe}.sig"
+ done
+
+ sha256sum "${bindir}"/*.tar.gz >"${bindir}"/SHA256SUMS
+
+ # Upload to release
+ uploadBinaries "${bindir}"
+
+ # Cleanup
+ rm -r "${bindir}"
+}
+
+# buildBinaries <destdir> <platform1> <platform2> ...
+function buildBinaries() {
+ local dest_dir="$1"
+ shift
+ if [[ -z "${dest_dir}" ]]; then
+ error "Destination directory is required to build binaries"
+ fi
+
+ debug Building binaries
+ pushd "$(realpath "$(dirname "${0}")/../..")"
+
+ while [ -n "$1" ]; do
+ platform="$1"
+ shift
+
+ local platform_safe="${platform//\//-}"
+
+ debug "Building binaries for ${platform}"
+ make clean
+ docker buildx build \
+ --platform "${platform}" \
+ --build-arg TENDERMINT_BUILD_OPTIONS='tenderdash,stable' \
+ -f DOCKER/Dockerfile \
+ -t tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}" \
+ --load \
+ .
+ # Copy /usr/bin/tenderdash from image to dest_dir
+ docker create --name tenderdash-local-"${platform_safe}" --platform "${platform}" tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}"
+ docker cp tenderdash-local-"${platform_safe}":/usr/bin/tenderdash "${dest_dir}/tenderdash-${platform_safe}"
+ docker rm tenderdash-local-"${platform_safe}"
+ # Remove the image
+ docker rmi tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}"
+ done
+
+ popd
+}
+
+# Sign tenederdash binary using default gpg key
+#
+# The key can be overridden by setting GPG_KEY_ID environment variable
+#
+# Args: list of binaries to sign
+function signBinary() {
+
+ local gpg_cmd="gpg"
+ if [[ -n "${GPG_KEY_ID}" ]]; then
+ gpg_cmd="gpg --local-user=${GPG_KEY_ID}"
+ fi
+
+ for binary in "$@"; do
+ debug "Signing binaries with GPG ${gpg_cmd}"
+ $gpg_cmd --armor "--output=${binary}.sig" --detach-sign "${binary}"
+ done
+}
+
+function uploadBinaries() {
+ local bin_dir="$1"
+
+ debug uploading artifacts to release "v${NEW_PACKAGE_VERSION}"
+ gh release upload --clobber "v${NEW_PACKAGE_VERSION}" "${bin_dir}"/{*.tar.gz,SHA256SUMS}
+}
+
 function cleanup() {
  debug Cleaning up
 
@@ -260,6 +363,8 @@ function cleanup() {
 
  # We need to re-detect current branch again
  CURRENT_BRANCH="$(git branch --show-current)"
+
+ make clean
 }
 
 configureDefaults
@@ -283,11 +388,11 @@ success "Release PR: ${PR_URL}"
 
 success "Please review it and merge."
 
-if [[ "${RELEASE_TYPE}" = "prerelease" ]] ; then
+if [[ "${RELEASE_TYPE}" = "prerelease" ]]; then
  success "NOTE: Use 'squash and merge' approach."
-else 
+else
  success "NOTE: Use 'create merge commit' approach."
-fi 
+fi
 
 waitForMerge
 
@@ -300,3 +405,5 @@ sleep 5 # wait for the release to be finalized
 
 success "Release ${NEW_PACKAGE_VERSION} created successfully."
 success "Accept it at: $(getReleaseUrl)"
+
+buildAndUploadArtifacts