Build, Sign and Publish Chainlink #1063
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build, Sign and Publish Chainlink" | |
on: | |
# Mimics old circleci behaviour | |
push: | |
tags: | |
- "v*" | |
branches: | |
- "release/**" | |
env: | |
ECR_HOSTNAME: public.ecr.aws | |
ECR_IMAGE_NAME: chainlink/chainlink | |
jobs: | |
checks: | |
name: "Checks" | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Check for VERSION file bump on tags | |
# Avoids checking VERSION file bump on forks. | |
if: ${{ github.repository == 'smartcontractkit/chainlink' && startsWith(github.ref, 'refs/tags/v') }} | |
uses: ./.github/actions/version-file-bump | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
# build-sign-publish-chainlink: | |
# needs: [checks] | |
# if: ${{ ! startsWith(github.ref_name, 'release/') }} | |
# runs-on: ubuntu-20.04 | |
# environment: build-publish | |
# permissions: | |
# id-token: write | |
# contents: write | |
# attestations: write | |
# outputs: | |
# docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }} | |
# docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }} | |
# steps: | |
# - name: Checkout repository | |
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
# - name: Build, sign and publish chainlink image | |
# id: build-sign-publish | |
# uses: ./.github/actions/build-sign-publish-chainlink | |
# with: | |
# publish: true | |
# aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} | |
# aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} | |
# aws-region: ${{ secrets.AWS_REGION }} | |
# ecr-hostname: ${{ env.ECR_HOSTNAME }} | |
# ecr-image-name: ${{ env.ECR_IMAGE_NAME }} | |
# dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} | |
# dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} | |
# sign-images: true | |
# verify-signature: true | |
# - name: Attest Docker image | |
# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
# with: | |
# subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }} | |
# subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} | |
# push-to-registry: true | |
# - name: Collect Metrics | |
# if: always() | |
# id: collect-gha-metrics | |
# uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 | |
# with: | |
# id: build-chainlink-publish | |
# org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} | |
# basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} | |
# hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} | |
# this-job-name: build-sign-publish-chainlink | |
# continue-on-error: true | |
goreleaser-build-sign-publish-chainlink: | |
needs: [checks] | |
if: ${{ ! startsWith(github.ref_name, 'release/') }} | |
runs-on: ubuntu-20.04 | |
environment: build-publish | |
permissions: | |
id-token: write | |
contents: write | |
attestations: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Configure aws credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} | |
role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} | |
aws-region: ${{ secrets.AWS_REGION }} | |
mask-aws-account-id: true | |
role-session-name: goreleaser-build-sign-publish-chainlink | |
- name: Set build configs | |
shell: bash | |
id: set-build-configs | |
run: | | |
if [[ ${{ github.ref_name }} =~ "-ccip" ]]; then | |
echo "ECR_IMAGE_NAME=chainlink/ccip" | tee -a $GITHUB_OUTPUT | |
echo "GORELEASER_CONFIG=.goreleaser.ccip.production.yaml" | tee -a $GITHUB_OUTPUT | |
else | |
echo "ECR_IMAGE_NAME=chainlink/chainlink" | tee -a $GITHUB_OUTPUT | |
echo "GORELEASER_CONFIG=.goreleaser.production.yaml" | tee -a $GITHUB_OUTPUT | |
fi | |
- name: Build, sign, and publish image | |
id: goreleaser-build-sign-publish | |
uses: ./.github/actions/goreleaser-build-sign-publish | |
with: | |
docker-registry: ${{ env.ECR_HOSTNAME}} | |
docker-image-name: ${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
docker-image-tag: ${{ github.ref_name }} | |
goreleaser-exec: ./tools/bin/goreleaser_wrapper | |
goreleaser-config: ${{ steps.set-build-configs.outputs.GORELEASER_CONFIG }} | |
goreleaser-key: ${{ secrets.GORELEASER_KEY }} | |
zig-version: 0.11.0 | |
enable-cosign: true | |
cosign-version: "v2.4.0" | |
- name: Output image name and digest | |
id: get-image-name-digest | |
shell: bash | |
run: | | |
artifact_path="dist/artifacts.json" | |
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt | |
echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY" | |
while read -r line; do | |
echo "$line" | tee -a "$GITHUB_STEP_SUMMARY" | |
done < output.txt | |
core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64" | |
plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64" | |
core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64" | |
plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64" | |
echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
- name: Attest tarballs | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-path: "dist/*.tar.gz" | |
- name: Attest Docker image (core-amd64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Attest Docker image (plugins-amd64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Attest Docker image (core-arm64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Attest Docker image (plugins-arm64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Upload SBOMs | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 | |
with: | |
name: goreleaser-sboms | |
path: dist/*.sbom.json | |
- name: Print SBOM artifact to job summary | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
shell: bash | |
run: | | |
ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts) | |
ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id') | |
echo "Artifact ID: $ARTIFACT_ID" | |
echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY" | |
artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID" | |
echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY | |
- name: Collect Metrics | |
if: always() | |
id: collect-gha-metrics | |
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 | |
with: | |
id: goreleaser-build-chainlink-publish | |
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} | |
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} | |
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} | |
this-job-name: goreleaser-build-sign-publish-chainlink | |
continue-on-error: true | |
# Notify Slack channel for new git tags. | |
# slack-notify: | |
# if: github.ref_type == 'tag' | |
# needs: [build-sign-publish-chainlink] | |
# runs-on: ubuntu-24.04 | |
# environment: build-publish | |
# steps: | |
# - name: Checkout repository | |
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
# - name: Notify Slack | |
# uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # [email protected] | |
# with: | |
# slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }} | |
# slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot | |
# git-ref: ${{ github.ref_name }} | |
# git-ref-type: ${{ github.ref_type }} | |
# changelog-url: >- | |
# ${{ | |
# github.ref_type == 'tag' && | |
# format( | |
# 'https://github.com/{0}/blob/{1}/CHANGELOG.md', | |
# github.repository, | |
# github.ref_name | |
# ) || '' | |
# }} | |
# docker-image-name: >- | |
# ${{ | |
# github.ref_type == 'tag' && | |
# format( | |
# '{0}/{1}:{2}', | |
# env.ECR_HOSTNAME, | |
# env.ECR_IMAGE_NAME, | |
# needs.build-sign-publish-chainlink.outputs.docker-image-tag | |
# ) || '' | |
# }} | |
# docker-image-digest: >- | |
# ${{ | |
# github.ref_type == 'tag' && | |
# needs.build-sign-publish-chainlink.outputs.docker-image-digest || '' | |
# }} |