From ad07153a7a6dcc1bcf2a32f8c85049e01b598ef5 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Tue, 9 Apr 2024 10:35:37 -0700
Subject: [PATCH] ci: add container build workflow for fork

We cannot depend on the upstream `informalsystems/hermes` repo for CI deployments, because we need the forked Hermes code for compatiblity with Penumbra chains. Added a new workflow that will publish as `ghcr.io/penumbra-zone/hermes`, and removed the informalsystems one.
---
 .dockerignore | 17 ++---
 .github/workflows/container.yml | 71 +++++++++++++++++
 .github/workflows/docker.yml | 130 --------------------------------
 ci/release/Containerfile | 37 +++++++++
 4 files changed, 115 insertions(+), 140 deletions(-)
 create mode 100644 .github/workflows/container.yml
 delete mode 100644 .github/workflows/docker.yml
 create mode 100644 ci/release/Containerfile

diff --git a/.dockerignore b/.dockerignore
index 72d7d43e48..7ed7dfe44d 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,10 +1,7 @@
-/.changelog/
-/.git/
-/.gitignore
-/.github
-/ci/
-/docs/
-/e2e/
-/guide/
-/scripts/
-/target/
+# ignore everything
+**
+# selectively un-ignore rust files
+!crates/
+!tools/
+!Cargo.*
+!.cargo/config.toml
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
new file mode 100644
index 0000000000..8698525e94
--- /dev/null
+++ b/.github/workflows/container.yml
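Review bot: The new allow-list after `**` (`!crates/`, `!tools/`, `!Cargo.*`, `!.cargo/config.toml`) silently leaves any workspace member or build input that lives elsewhere out of the build context, and the only symptom is a `cargo build` failure inside the builder stage. I can't see the workspace `members` list from here, so whether every member sits under `crates/` or `tools/` is an assumption to confirm. A comment would keep the two in step, e.g. `# keep in sync with [workspace].members in Cargo.toml`.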
@@ -0,0 +1,71 @@
+---
+name: Build container image
+on:
+ workflow_call:
+ workflow_dispatch:
+ inputs:
+ penumbra_version:
+ description: 'Git ref (e.g. branch or tag) of Penumbra repo for building'
+ default: "main"
+ required: true
+ # Support triggering builds from penumbra-zone/penumbra CI.
+ repository_dispatch:
+ types:
+ - container-build
+ inputs:
+ penumbra_version:
+ description: 'Git ref (e.g. branch or tag) of Penumbra repo for building'
+ default: "main"
+ required: true
+ push:
+ branches:
+ - main
+ tags:
+ - '**'
+jobs:
+ hermes:
+ runs-on: buildjet-16vcpu-ubuntu-2004
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Log in to the Docker Hub container registry (for pulls)
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Log in to the GitHub container registry (for pushes)
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/penumbra-zone/hermes
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ platforms: linux/amd64
+ file: ci/release/Containerfile
+ push: true
+ # We include a tag with the associated Penumbra, e.g. `penumbra-v0.61.0`.
+ # This is important to maintain compatibility with a long-running testnet.
+ tags: ${{ steps.meta.outputs.tags }},ghcr.io/penumbra-zone/hermes:penumbra-${{ github.event.inputs.penumbra_version || 'main' }}
+ build-args: |
+ PENUMBRA_VERSION=${{ github.event.inputs.penumbra_version || 'main' }}
+ # We disable layer caching to ensure that the most recent penumbra repo is used.
+ # Otherwise, the static git url for the repo will always result in a cache hit.
+ # TODO: update with dynamic build-args using e.g. current date to bust cache.
+ no-cache: true
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
deleted file mode 100644
index bd2c49c0f2..0000000000
--- a/.github/workflows/docker.yml
+++ /dev/null
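Review bot: `github.event.inputs.penumbra_version` is only populated by `workflow_dispatch`; `repository_dispatch` delivers its data as `github.event.client_payload` and its schema has no `inputs:` block, and the `workflow_call:` trigger declares no inputs, so for both of those triggers the `|| 'main'` fallback always wins and the image is tagged `penumbra-main` whatever the dispatcher requested. Drop the `inputs:` block under `repository_dispatch`, declare a matching `inputs:` under `workflow_call:`, and widen both expressions, e.g. `PENUMBRA_VERSION=${{ github.event.inputs.penumbra_version || github.event.client_payload.penumbra_version || 'main' }}` (and the same in `tags:`). The build-arg is also currently inert: in the `ci/release/Containerfile` hunk the `sed` that would apply `PENUMBRA_VERSION` is commented out, so the `penumbra-<version>` tag does not describe what was actually built until that is restored. Separately, this job holds `packages: write` and publishes on every `tags: '**'` push, yet the actions are referenced by floating majors (`docker/login-action@v2`, `docker/metadata-action@v4`, `docker/build-push-action@v3`, all older than the v3/v5/v5 the deleted workflow used) rather than commit SHAs; pinning to SHAs bounds what a compromised action release could push under the repo's identity.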
@@ -1,130 +0,0 @@ -# Build Hermes Docker image, push to Docker Hub and GHCR.io. - -name: Docker - -on: - workflow_dispatch: - push: - tags: - - v[0-9]+.* - -env: - REGISTRY_IMAGE: informalsystems/hermes - -jobs: - docker-build: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - platform: - - id: linux/amd64 - name: amd64 - - id: linux/arm64 - name: arm64 - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=ref,event=tag - type=ref,event=branch - type=semver,pattern={{version}} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v5 - with: - context: . 
- file: ./ci/release/hermes.Dockerfile - platforms: ${{ matrix.platform.id }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform.name }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - docker-merge: - runs-on: ubuntu-latest - needs: - - docker-build - steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - pattern: digests-* - merge-multiple: true - path: /tmp/digests - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY_IMAGE }} - tags: | - type=ref,event=tag - type=ref,event=branch - type=semver,pattern={{version}} - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push image to GHCR - run: | - docker buildx imagetools create \ - --tag ghcr.io/${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} \ - ${{ env.REGISTRY_IMAGE 
}}:${{ steps.meta.outputs.version }}
diff --git a/ci/release/Containerfile b/ci/release/Containerfile
new file mode 100644
index 0000000000..55ed661f8e
--- /dev/null
+++ b/ci/release/Containerfile
@@ -0,0 +1,37 @@
+FROM docker.io/rust:1-bookworm AS builder
+COPY . /usr/src/hermes
+WORKDIR /usr/src/hermes
+
+# Install build dependencies. These packages should match what's recommended on
+# https://guide.penumbra.zone/main/pcli/install.html
+RUN apt-get update && apt-get install -y \
+ git-lfs \
+ build-essential \
+ pkg-config \
+ libssl-dev \
+ clang
+
+# Support building from a specific git dependency of the upstream Penumbra repo.
+# N.B. As of 2024-04, the Hermes fork only builds against v0.68.1 of Penumbra,
+# so we'll hardcode that version for now. Once we have the deps up to date,
+# we should support overrides like "main" to predict breaking changes.
+# ARG PENUMBRA_VERSION=main
+ARG PENUMBRA_VERSION="v0.68.1"
+
+# ARG PENUMBRA_VERSION=v0.61.0
+# Set the desired PENUMBRA_VERSION in the Cargo.toml file prior to building.
+# RUN sed -i -e "s/^\(penumbra-.*\)\(tag = \".*\"\)\(.*\)$/\1branch = \"${PENUMBRA_VERSION}\"\3/" ./crates/relayer/Cargo.toml \
+# && cat ./crates/relayer/Cargo.toml
+RUN cargo build --release
+
+# Runtime container, with binary and normal user account.
+FROM docker.io/debian:bookworm-slim
+LABEL maintainer="team@penumbralabs.xyz"
+
+COPY --from=builder /usr/src/hermes/target/release/hermes /usr/bin/hermes
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
+RUN groupadd --gid 1000 hermes \
+ && useradd -m -d /home/hermes -g 1000 -u 1000 hermes
+WORKDIR /home/hermes
+USER hermes
+ENTRYPOINT ["/usr/bin/hermes"]
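Review bot: Both stages pull their base by floating tag (`FROM docker.io/rust:1-bookworm AS builder`, `FROM docker.io/debian:bookworm-slim`) and the `apt-get install` lines carry no version pins, so combined with the workflow's `no-cache: true` every run resolves a different toolchain and runtime and a given `penumbra-<version>` tag cannot be tied back to a known base. Pin both bases by digest, e.g. `FROM docker.io/debian:bookworm-slim@sha256:<digest>` (placeholder; take the digest from the registry), and bump them deliberately. The runtime stage also ships the apt index in its final layer; `RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*` avoids that.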