From 634dccc3237677c208fd186c3bd9f9138a12dc21 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 9 Apr 2024 10:35:37 -0700 Subject: [PATCH 1/2] ci: add container build workflow for fork We cannot depend on the upstream `informalsystems/hermes` repo for CI deployments, because we need the forked Hermes code for compatiblity with Penumbra chains. Added a new workflow that will publish as `ghcr.io/penumbra-zone/hermes`, and removed the informalsystems one. --- .dockerignore | 17 ++--- .github/workflows/container.yml | 60 +++++++++++++++ .github/workflows/docker.yml | 130 -------------------------------- Cargo.toml | 14 ++-- ci/release/Containerfile | 41 ++++++++++ 5 files changed, 115 insertions(+), 147 deletions(-) create mode 100644 .github/workflows/container.yml delete mode 100644 .github/workflows/docker.yml create mode 100644 ci/release/Containerfile diff --git a/.dockerignore b/.dockerignore index 72d7d43e48..7ed7dfe44d 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,10 +1,7 @@ -/.changelog/ -/.git/ -/.gitignore -/.github -/ci/ -/docs/ -/e2e/ -/guide/ -/scripts/ -/target/ +# ignore everything +** +# selectively un-ignore rust files +!crates/ +!tools/ +!Cargo.* +!.cargo/config.toml diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml new file mode 100644 index 0000000000..34cd3d4c54 --- /dev/null +++ b/.github/workflows/container.yml @@ -0,0 +1,60 @@ +--- +name: Build container image +on: + workflow_call: + workflow_dispatch: + # Support triggering builds from penumbra-zone/penumbra CI. + repository_dispatch: + types: + - container-build + push: + branches: + - main + tags: + - '**' +jobs: + hermes: + runs-on: buildjet-16vcpu-ubuntu-2004 + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to the Docker Hub container registry (for pulls) + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Log in to the GitHub container registry (for pushes) + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ghcr.io/penumbra-zone/hermes + + # Grab the tag from the Cargo.toml file, so we can use it as a tag on the container image. + - name: Look up Penumbra dep version + id: penumbra_version + run: echo "PENUMBRA_VERSION=$(grep -P '^penumbra-proto ' Cargo.toml | grep -oP 'v[\d.]+')" >> "$GITHUB_OUTPUT" + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + platforms: linux/amd64 + file: ci/release/Containerfile + push: true + # We include a tag with the associated Penumbra, e.g. `penumbra-v0.61.0`. + # This is important to maintain compatibility with a long-running testnet. + tags: ${{ steps.meta.outputs.tags }},ghcr.io/penumbra-zone/hermes:penumbra-${{ steps.penumbra_version.outputs.PENUMBRA_VERSION }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml deleted file mode 100644 index bd2c49c0f2..0000000000 --- a/.github/workflows/docker.yml +++ /dev/null @@ -1,130 +0,0 @@ -# Build Hermes Docker image, push to Docker Hub and GHCR.io. - -name: Docker - -on: - workflow_dispatch: - push: - tags: - - v[0-9]+.* - -env: - REGISTRY_IMAGE: informalsystems/hermes - -jobs: - docker-build: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - platform: - - id: linux/amd64 - name: amd64 - - id: linux/arm64 - name: arm64 - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=ref,event=tag - type=ref,event=branch - type=semver,pattern={{version}} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v5 - with: - context: . - file: ./ci/release/hermes.Dockerfile - platforms: ${{ matrix.platform.id }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform.name }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - docker-merge: - runs-on: ubuntu-latest - needs: - - docker-build - steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - pattern: digests-* - merge-multiple: true - path: /tmp/digests - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=ref,event=tag - type=ref,event=branch - type=semver,pattern={{version}} - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push image to GHCR - run: | - docker buildx imagetools create \ - --tag ghcr.io/${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} diff --git a/Cargo.toml b/Cargo.toml index fa9e451476..2f41b8676c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -41,17 +41,11 @@ astria-sequencer-client = { git = "https://github.com/astriaorg/astria", rev = " "http", ] } -# Penumbra dependencies +# Penumbra dependencies. penumbra-asset = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } penumbra-custody = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } penumbra-fee = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } penumbra-ibc = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } -# Astria is on v0.69.1 right now -penumbra-ibc-astria = { git = "https://github.com/penumbra-zone/penumbra", package = "penumbra-ibc", tag = "v0.69.1" } -penumbra-proto-astria = { git = "https://github.com/penumbra-zone/penumbra", package = "penumbra-proto", tag = "v0.69.1", features = [ - "box-grpc", - "rpc", -] } penumbra-keys = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } penumbra-proto = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0", features = [ "box-grpc", @@ -60,6 +54,12 @@ penumbra-proto = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0. penumbra-transaction = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } penumbra-wallet = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } penumbra-view = { git = "https://github.com/penumbra-zone/penumbra", tag = "v0.71.0" } +# Penumbra dependencies, specifically for Astria support. Renamespaced, to avoid conflicts with Penumbra support. +penumbra-ibc-astria = { git = "https://github.com/penumbra-zone/penumbra", package = "penumbra-ibc", tag = "v0.69.1" } +penumbra-proto-astria = { git = "https://github.com/penumbra-zone/penumbra", package = "penumbra-proto", tag = "v0.69.1", features = [ + "box-grpc", + "rpc", +] } # Other dependencies abscissa_core = "=0.6.0" diff --git a/ci/release/Containerfile b/ci/release/Containerfile new file mode 100644 index 0000000000..97f352d1a9 --- /dev/null +++ b/ci/release/Containerfile @@ -0,0 +1,41 @@ +FROM docker.io/rust:1-bookworm AS builder +# Install build dependencies. These packages should match what's recommended on +# https://guide.penumbra.zone/main/pcli/install.html +RUN apt-get update && apt-get install -y --no-install-recommends \ + git-lfs \ + build-essential \ + pkg-config \ + libssl-dev \ + clang \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Install toml-cli, so we can munge config.toml files, e.g. updating chain ids. +RUN cargo install --quiet toml-cli + +WORKDIR /usr/src/hermes +COPY . . +# In the future we may want to support building against multiple versions of Penumbra, +# so we can get early warning about breaking changes in CI. Not hooking that up now: +# we'll use the Penumbra versions specified in the `Cargo.toml` workspace settings. +# ARG PENUMBRA_VERSION="v0.71.0" +# Set the desired PENUMBRA_VERSION in the Cargo.toml file prior to building. +# This regex intentionally ignores the renamespaced Astria deps. +# RUN sed -i -e "/^penumbra-.*-astria/! s/^\(penumbra-.*\)\(tag = \".*\"\)\(.*\)$/\1branch = \"${PENUMBRA_VERSION}\"\3/" Cargo.toml && cat Cargo.toml +RUN cargo build --release + +# Runtime container, with binary and normal user account. +FROM docker.io/debian:bookworm-slim +LABEL maintainer="team@penumbralabs.xyz" + +COPY --from=builder /usr/local/cargo/bin/toml /usr/local/bin/toml +COPY --from=builder /usr/src/hermes/target/release/hermes /usr/bin/hermes +RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN groupadd --gid 1000 hermes \ + && useradd -m -d /home/hermes -g 1000 -u 1000 hermes +WORKDIR /home/hermes +USER hermes +ENTRYPOINT ["/usr/bin/hermes"] From 2e9893a1e5b9d2f0a5ba4fe642a2bb9e935486af Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Fri, 12 Apr 2024 11:36:46 -0700 Subject: [PATCH 2/2] ci: raise timeout on ics-light-client-attack This single job was failing due to timeout. Bumping its timeout. We could also switch to a faster runner, but a separate job takes ~1h, which is really where we should focus attention. --- .github/workflows/misbehaviour.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/misbehaviour.yml b/.github/workflows/misbehaviour.yml index cdd5c5f3d8..faf2e3ade3 100644 --- a/.github/workflows/misbehaviour.yml +++ b/.github/workflows/misbehaviour.yml @@ -88,7 +88,7 @@ jobs: ics-light-client-attack: runs-on: ubuntu-20.04 - timeout-minutes: 20 + timeout-minutes: 60 strategy: fail-fast: false matrix: