Skip to content

ampd - Build and release binary and image #35

ampd - Build and release binary and image

ampd - Build and release binary and image #35

name: ampd - Build and release binary and image
on:
workflow_dispatch:
inputs:
tag:
description: Github tag to release binaries for (reusing an existing tag will make the pipeline fail)
required: true
default: latest
jobs:
extract-semver:
runs-on: ubuntu-22.04
name: Validate tag and extract semver
outputs:
semver: ${{ steps.extract_semver.outputs.semver }}
version: ${{ steps.extract_semver.outputs.version }}
steps:
- name: Extract semver from tag
id: extract_semver
run: |
full_semver=$(echo ${{ github.event.inputs.tag }} | sed 's/ampd-//')
version_number=$(echo $full_semver | sed 's/^v//')
echo "semver=$full_semver" >> $GITHUB_OUTPUT
echo "version=$version_number" >> $GITHUB_OUTPUT
- name: Validate tag
env:
TAG: ${{ github.event.inputs.tag }}
SEMVER: ${{ steps.extract_semver.outputs.semver }}
run: |
if [[ $TAG =~ ampd-v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi
aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1
release-binaries:
runs-on: ${{ matrix.os }}
needs: extract-semver
strategy:
matrix:
os: [ ubuntu-22.04, macos-12 ]
arch: [ amd64, arm64 ]
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: us-east-2
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }}
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: '0'
ref: ${{ github.event.inputs.tag }}
submodules: recursive
- name: Set up Rust
uses: actions-rs/toolchain@v1
with:
toolchain: 1.78
override: true
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
- name: build and sign darwin binaries
env:
SEMVER: ${{ needs.extract-semver.outputs.semver }}
if: matrix.os == 'macos-12'
run: |
OS="darwin"
ARCH="${{ matrix.arch }}"
brew install protobuf
if [ "$ARCH" == "arm64" ]
then
rustup target add aarch64-apple-darwin
cargo build --release --target aarch64-apple-darwin
mkdir ampdbin
mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
else
cargo build --release
mkdir ampdbin
mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
fi
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
- name: build and sign linux binaries
env:
SEMVER: ${{ needs.extract-semver.outputs.semver }}
if: matrix.os == 'ubuntu-22.04'
run: |
OS="linux"
ARCH="${{ matrix.arch }}"
if [ "$ARCH" == "arm64" ]
then
sudo dpkg --add-architecture arm64
# add the arm64 architecture to the sources.list
sudo sed -i '/^deb / s/^deb /deb [arch=amd64,arm64] /' /etc/apt/sources.list
sudo apt-get update
fi
sudo apt-get install protobuf-compiler pkg-config
if [ "$ARCH" == "arm64" ]
then
sudo apt-get install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libssl-dev:arm64
echo "OPENSSL_INCLUDE_DIR" $(ls /usr/include/openssl)
echo "find opensslconf.h:" $(find /usr -name opensslconf.h)
rustup target add aarch64-unknown-linux-gnu
export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
export OPENSSL_DIR=/usr
export OPENSSL_LIB_DIR=/usr/lib/aarch64-linux-gnu
export OPENSSL_INCLUDE_DIR=/usr/include/openssl
cargo build --release --target aarch64-unknown-linux-gnu
mkdir ampdbin
mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
else
cargo build --release
mkdir ampdbin
mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
fi
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
- name: Test Binary Format
working-directory: ./ampdbin
run: |
for binary in ./ampd-*; do
if [[ "$binary" != *.asc ]]; then
echo "Testing binary: $binary"
OUTPUT=$(file "$binary" | cut -d: -f2- | awk -F, '{print $1"," $2}')
if [[ "${{ matrix.os }}" == "ubuntu-22.04" ]]; then
if [[ "${{ matrix.arch }}" == "amd64" ]]; then
EXPECTED="ELF 64-bit LSB pie executable, x86-64"
elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
EXPECTED="ELF 64-bit LSB pie executable, ARM aarch64"
fi
elif [[ "${{ matrix.os }}" == "macos-12" ]]; then
OUTPUT=$(file "$binary" | cut -d: -f2-)
if [[ "${{ matrix.arch }}" == "amd64" ]]; then
EXPECTED="Mach-O 64-bit executable x86_64"
elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
EXPECTED="Mach-O 64-bit executable arm64"
fi
fi
echo "Output: $OUTPUT"
echo "Expected: $EXPECTED"
if [[ "$OUTPUT" == *"$EXPECTED"* ]]; then
echo "The binary format is correct."
else
echo "Error: The binary format does not match the expected format."
exit 1
fi
fi
done
- name: Create zip and sha256 files
working-directory: ./ampdbin
run: |
for i in `ls | grep -v .asc`
do
shasum -a 256 $i | awk '{print $1}' > $i.sha256
zip $i.zip $i
shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256
done
- name: Upload binaries to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ./ampdbin/*
tag: ${{ github.event.inputs.tag }}
overwrite: true
file_glob: true
- name: Upload binaries to S3
env:
S3_PATH: s3://axelar-releases/ampd/${{ needs.extract-semver.outputs.semver }}
run: |
aws s3 cp ./ampdbin ${S3_PATH}/ --recursive
- name: Prepare source directory structure for r2 upload
id: prepare-r2-release
run: |
version="${{ needs.extract-semver.outputs.version }}"
mkdir -p "./${version}"
cp -R ./ampdbin/. "./${version}/"
echo "release-dir=./${version}" >> $GITHUB_OUTPUT
echo "r2-destination-dir=./releases/ampd/" >> $GITHUB_OUTPUT
- uses: ryand56/r2-upload-action@latest
with:
r2-account-id: ${{ secrets.R2_ACCOUNT_ID }}
r2-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CF }}
r2-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CF }}
r2-bucket: ${{ secrets.R2_BUCKET }}
source-dir: ${{ steps.prepare-r2-release.outputs.release-dir }}
destination-dir: ${{ steps.prepare-r2-release.outputs.r2-destination-dir }}
release-docker:
runs-on: ubuntu-22.04
needs: extract-semver
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: '0'
ref: ${{ github.event.inputs.tag }}
submodules: recursive
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Build and push docker images
env:
PLATFORM: linux/amd64
SEMVER: ${{ needs.extract-semver.outputs.semver }}
run: |
make build-push-docker-images
combine-sign:
needs: [ release-docker, extract-semver ]
runs-on: ubuntu-22.04
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2'
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }}
- name: Create multiarch manifest
env:
SEMVER: ${{ needs.extract-semver.outputs.semver }}
run: |
docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \
axelarnet/axelar-ampd-linux-amd64:${SEMVER}
- name: Sign the images with GitHub OIDC
run: cosign sign -y --oidc-issuer https://token.actions.githubusercontent.com ${TAGS}
env:
TAGS: axelarnet/axelar-ampd:${{ needs.extract-semver.outputs.semver }}
COSIGN_EXPERIMENTAL: 1