feature: PAN-1882 release pipelines (#9)

* feature: PAN-1882 release pipelines
pantos-io · May 29, 2024 · 6fb100f · 6fb100f
1 parent e0ff56d
commit 6fb100f
Show file tree

Hide file tree

Showing 8 changed files with 491 additions and 537 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,77 @@
+name: Build Debian Package
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: 'Version to build'
+        required: false
+        type: string
+        default: "1.0.0"
+      revision:
+        description: 'Revision to build'
+        required: false
+        type: string
+        default: ${{ github.run_attempt }}
+      environment:
+        description: 'Environment where the secrets are stored'
+        required: false
+        type: string
+    secrets:
+      GPG_PRIVATE_KEY:
+        description: 'GPG private key'
+        required: false
+      GPG_PASSPHRASE:
+        description: 'GPG passphrase'
+        required: false
+
+jobs:
+  build-deb:
+    name: Build and attach .deb and .whl packages
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Poetry
+        uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1
+
+      - name: Check secrets
+        id: is-signed-build
+        run: |
+          echo "HAS_SECRETS=$(if [ -n "$GPG_PRIVATE_KEY" ] && [ -n "$GPG_PASSPHRASE" ]; then echo 'true'; else echo 'false'; fi)" >> $GITHUB_OUTPUT
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Import GPG key
+        if: steps.is-signed-build.outputs.HAS_SECRETS == 'true'
+        id: import-gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Install signing dependencies
+        if: steps.is-signed-build.outputs.HAS_SECRETS == 'true'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y debsigs
+
+      - name: Build package
+        run: |
+          make debian
+          make wheel
+        env:
+          PANTOS_SERVICE_NODE_VERSION: ${{ inputs.version }}
+          PANTOS_SERVICE_NODE_REVISION: ${{ inputs.revision }}
+
+      - name: Sign package
+        if: steps.is-signed-build.outputs.HAS_SECRETS == 'true'
+        run: |
+          debsigs --sign=origin -k ${{ steps.import-gpg.outputs.keyid }} dist/*.deb
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: build
+          path: dist/*
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -10,3 +10,66 @@ jobs:
   shared:
     uses: pantos-io/ci-workflows/.github/workflows/python-ci.yml@v1
     secrets: inherit  
+
+  docker-build:
+    name: Build Docker images
+    runs-on: ubuntu-latest
+    needs: [shared]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        id: buildx
+
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-v1.0-service-node-
+
+      - name: Build and load
+        run: |
+          docker buildx bake \
+            --set "*.cache-from=type=local,src=/tmp/.buildx-cache" \
+            --set "*.cache-to=type=local,dest=/tmp/.buildx-cache-new" \
+            --set "*.platform=linux/amd64" \
+            --builder ${{ steps.buildx.outputs.name }} \
+            -f docker-compose.yml \
+            --load
+
+      - name: Create local keystore
+        run: |
+          echo "1234" >> password.keystore
+          mkdir keystore_folder
+          docker run --rm -v=.:/local ethereum/client-go account new --keystore /local/keystore_folder --password /local/password.keystore
+          sudo chmod -R 777 keystore_folder
+          mv keystore_folder/UTC* ./keystore
+
+      - name: Create local signer_key
+        run: |
+          echo "1234" >> password.key
+          python3 -m venv .venv
+          source .venv/bin/activate
+          pip3 install pycryptodome==3.18.0
+          chmod +x scripts/generate-signer-key.py
+          cat password.key | ./scripts/generate-signer-key.py
+          mv signer-key*.pem signer_key.pem
+
+      # - name: Test image
+      #   run: |
+      #     docker compose up -d
+
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+  build:
+    needs: [shared]
+    uses: ./.github/workflows/build.yml