ampd - Build and release binary and image #39
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ampd - Build and release binary and image | |
on: | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: Github tag to release binaries for (reusing an existing tag will make the pipeline fail) | |
required: true | |
default: latest | |
jobs: | |
extract-semver: | |
runs-on: ubuntu-22.04 | |
name: Validate tag and extract semver | |
outputs: | |
semver: ${{ steps.extract_semver.outputs.semver }} | |
version: ${{ steps.extract_semver.outputs.version }} | |
steps: | |
- name: Extract semver from tag | |
id: extract_semver | |
run: | | |
full_semver=$(echo ${{ github.event.inputs.tag }} | sed 's/ampd-//') | |
version_number=$(echo $full_semver | sed 's/^v//') | |
echo "semver=$full_semver" >> $GITHUB_OUTPUT | |
echo "version=$version_number" >> $GITHUB_OUTPUT | |
- name: Validate tag | |
env: | |
TAG: ${{ github.event.inputs.tag }} | |
SEMVER: ${{ steps.extract_semver.outputs.semver }} | |
run: | | |
if [[ $TAG =~ ampd-v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi | |
aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1 | |
release-binaries: | |
runs-on: ${{ matrix.os }} | |
needs: extract-semver | |
strategy: | |
matrix: | |
os: [ ubuntu-22.04, macos-12 ] | |
arch: [ amd64, arm64 ] | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: us-east-2 | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }} | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
ref: ${{ github.event.inputs.tag }} | |
submodules: recursive | |
- name: Set up Rust | |
uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: 1.78 | |
override: true | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- name: build and sign darwin binaries | |
env: | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
if: matrix.os == 'macos-12' | |
run: | | |
OS="darwin" | |
ARCH="${{ matrix.arch }}" | |
brew install protobuf | |
if [ "$ARCH" == "arm64" ] | |
then | |
rustup target add aarch64-apple-darwin | |
cargo build --release --target aarch64-apple-darwin | |
mkdir ampdbin | |
mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
else | |
cargo build --release | |
mkdir ampdbin | |
mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
fi | |
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
- name: build and sign linux binaries | |
env: | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
if: matrix.os == 'ubuntu-22.04' | |
run: | | |
OS="linux" | |
ARCH="${{ matrix.arch }}" | |
if [ "$ARCH" == "arm64" ] | |
then | |
sudo dpkg --add-architecture arm64 | |
# add the arm64 architecture to the sources.list | |
sudo tee -a /etc/apt/sources.list << EOF | |
# ARM64 repositories | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted universe multiverse | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted universe multiverse | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse | |
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted universe multiverse | |
EOF | |
cat /etc/apt/sources.list | |
sudo apt-get update | |
fi | |
sudo apt-get install protobuf-compiler pkg-config | |
if [ "$ARCH" == "arm64" ] | |
then | |
sudo apt-get install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libssl-dev:arm64 | |
echo "OPENSSL_INCLUDE_DIR" $(ls /usr/include/openssl) | |
echo "find opensslconf.h:" $(find /usr -name opensslconf.h) | |
rustup target add aarch64-unknown-linux-gnu | |
export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc | |
export OPENSSL_DIR=/usr | |
export OPENSSL_LIB_DIR=/usr/lib/aarch64-linux-gnu | |
export OPENSSL_INCLUDE_DIR=/usr/include/openssl | |
cargo build --release --target aarch64-unknown-linux-gnu | |
mkdir ampdbin | |
mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
else | |
cargo build --release | |
mkdir ampdbin | |
mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
fi | |
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
- name: Test Binary Format | |
working-directory: ./ampdbin | |
run: | | |
for binary in ./ampd-*; do | |
if [[ "$binary" != *.asc ]]; then | |
echo "Testing binary: $binary" | |
OUTPUT=$(file "$binary" | cut -d: -f2- | awk -F, '{print $1"," $2}') | |
if [[ "${{ matrix.os }}" == "ubuntu-22.04" ]]; then | |
if [[ "${{ matrix.arch }}" == "amd64" ]]; then | |
EXPECTED="ELF 64-bit LSB pie executable, x86-64" | |
elif [[ "${{ matrix.arch }}" == "arm64" ]]; then | |
EXPECTED="ELF 64-bit LSB pie executable, ARM aarch64" | |
fi | |
elif [[ "${{ matrix.os }}" == "macos-12" ]]; then | |
OUTPUT=$(file "$binary" | cut -d: -f2-) | |
if [[ "${{ matrix.arch }}" == "amd64" ]]; then | |
EXPECTED="Mach-O 64-bit executable x86_64" | |
elif [[ "${{ matrix.arch }}" == "arm64" ]]; then | |
EXPECTED="Mach-O 64-bit executable arm64" | |
fi | |
fi | |
echo "Output: $OUTPUT" | |
echo "Expected: $EXPECTED" | |
if [[ "$OUTPUT" == *"$EXPECTED"* ]]; then | |
echo "The binary format is correct." | |
else | |
echo "Error: The binary format does not match the expected format." | |
exit 1 | |
fi | |
fi | |
done | |
- name: Create zip and sha256 files | |
working-directory: ./ampdbin | |
run: | | |
for i in `ls | grep -v .asc` | |
do | |
shasum -a 256 $i | awk '{print $1}' > $i.sha256 | |
zip $i.zip $i | |
shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256 | |
done | |
- name: Upload binaries to release | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: ./ampdbin/* | |
tag: ${{ github.event.inputs.tag }} | |
overwrite: true | |
file_glob: true | |
- name: Upload binaries to S3 | |
env: | |
S3_PATH: s3://axelar-releases/ampd/${{ needs.extract-semver.outputs.semver }} | |
run: | | |
aws s3 cp ./ampdbin ${S3_PATH}/ --recursive | |
- name: Prepare source directory structure for r2 upload | |
id: prepare-r2-release | |
run: | | |
version="${{ needs.extract-semver.outputs.version }}" | |
mkdir -p "./${version}" | |
cp -R ./ampdbin/. "./${version}/" | |
echo "release-dir=./${version}" >> $GITHUB_OUTPUT | |
echo "r2-destination-dir=./releases/ampd/" >> $GITHUB_OUTPUT | |
- uses: ryand56/r2-upload-action@latest | |
with: | |
r2-account-id: ${{ secrets.R2_ACCOUNT_ID }} | |
r2-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CF }} | |
r2-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CF }} | |
r2-bucket: ${{ secrets.R2_BUCKET }} | |
source-dir: ${{ steps.prepare-r2-release.outputs.release-dir }} | |
destination-dir: ${{ steps.prepare-r2-release.outputs.r2-destination-dir }} | |
release-docker: | |
runs-on: ubuntu-22.04 | |
needs: extract-semver | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
ref: ${{ github.event.inputs.tag }} | |
submodules: recursive | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Build and push docker images | |
env: | |
PLATFORM: linux/amd64 | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
run: | | |
make build-push-docker-images | |
combine-sign: | |
needs: [ release-docker, extract-semver ] | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Install Cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.2.2' | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Create multiarch manifest | |
env: | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
run: | | |
docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \ | |
axelarnet/axelar-ampd-linux-amd64:${SEMVER} | |
- name: Sign the images with GitHub OIDC | |
run: cosign sign -y --oidc-issuer https://token.actions.githubusercontent.com ${TAGS} | |
env: | |
TAGS: axelarnet/axelar-ampd:${{ needs.extract-semver.outputs.semver }} | |
COSIGN_EXPERIMENTAL: 1 |