.github/workflows/build-ampd-release.yaml

name: ampd - Build and release binary and image

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Github tag to release binaries for (reusing an existing tag will make the pipeline fail)
        required: true
        default: latest

jobs:
  extract-semver:
    runs-on: ubuntu-22.04
    name: Validate tag and extract semver
    outputs:
      semver: ${{ steps.extract_semver.outputs.semver }}
      version: ${{ steps.extract_semver.outputs.version }}
    steps:
      - name: Extract semver from tag
        id: extract_semver
        run: |
          full_semver=$(echo ${{ github.event.inputs.tag }} | sed 's/ampd-//')
          version_number=$(echo $full_semver | sed 's/^v//')
          echo "semver=$full_semver" >> $GITHUB_OUTPUT
          echo "version=$version_number" >> $GITHUB_OUTPUT

      - name: Validate tag
        env:
          TAG: ${{ github.event.inputs.tag }}
          SEMVER: ${{ steps.extract_semver.outputs.semver }}
        run: |
          if [[ $TAG =~ ampd-v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi
          aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1


  release-binaries:
    runs-on: ${{ matrix.os }}
    needs: extract-semver
    strategy:
      matrix:
        os: [ ubuntu-22.04, macos-12 ]
        arch: [ amd64, arm64 ]

    permissions:
      contents: write
      packages: write
      id-token: write

    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }}

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: '0'
          ref: ${{ github.event.inputs.tag }}
          submodules: recursive

      - name: Set up Rust
        uses: actions-rs/toolchain@v1
        with:
          toolchain: 1.78
          override: true

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: build and sign darwin binaries
        env:
          SEMVER: ${{ needs.extract-semver.outputs.semver }}
        if: matrix.os == 'macos-12'
        run: |
          OS="darwin"
          ARCH="${{ matrix.arch }}"
          
          brew install protobuf
          
          if [ "$ARCH" == "arm64" ]
          then
            rustup target add aarch64-apple-darwin
            cargo build --release --target aarch64-apple-darwin
            mkdir ampdbin
            mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          else
            cargo build --release
            mkdir ampdbin
            mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          fi
          
          gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"

      - name: build and sign linux binaries
        env:
          SEMVER: ${{ needs.extract-semver.outputs.semver }}
        if: matrix.os == 'ubuntu-22.04'
        run: |
          OS="linux"
          ARCH="${{ matrix.arch }}"
          
          if [ "$ARCH" == "arm64" ]
          then
            sudo apt-get install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu 
          
            sudo tee /etc/apt/sources.list > /dev/null << EOF
          
          # AMD64 repositories
          deb [arch=amd64] http://azure.archive.ubuntu.com/ubuntu jammy main restricted universe multiverse
          deb [arch=amd64] http://azure.archive.ubuntu.com/ubuntu jammy-updates main restricted universe multiverse
          deb [arch=amd64] http://azure.archive.ubuntu.com/ubuntu jammy-backports main restricted universe multiverse
          deb [arch=amd64] http://security.ubuntu.com/ubuntu jammy-security main restricted universe multiverse
          
          # ARM64 repositories
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted universe multiverse
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted universe multiverse
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse
          deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted universe multiverse
          EOF

            cat /etc/apt/sources.list
            sudo apt-get update
          fi          
          
          sudo apt-get install protobuf-compiler
          
          if [ "$ARCH" == "arm64" ]
          then
            echo "installing libssl-dev:arm64"
            sudo apt-get install libssl-dev:arm64
          
            echo "OPENSSL_INCLUDE_DIR" $(ls /usr/include/openssl) 
            echo "find opensslconf.h:" $(find /usr -name opensslconf.h)
          
            rustup target add aarch64-unknown-linux-gnu
            export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
            export OPENSSL_DIR=/usr
            export OPENSSL_LIB_DIR=/usr/lib/aarch64-linux-gnu
            export OPENSSL_INCLUDE_DIR=/usr/include/openssl
            cargo build --release --target aarch64-unknown-linux-gnu
            mkdir ampdbin
            mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"            
          else
            cargo build --release
            mkdir ampdbin
            mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          fi
          
          gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"

      - name: Test Binary Format
        working-directory: ./ampdbin
        run: |
          for binary in ./ampd-*; do
          if [[ "$binary" != *.asc ]]; then
            echo "Testing binary: $binary"
            OUTPUT=$(file "$binary" | cut -d: -f2- | awk -F, '{print $1"," $2}')
            if [[ "${{ matrix.os }}" == "ubuntu-22.04" ]]; then
              if [[ "${{ matrix.arch }}" == "amd64" ]]; then
                EXPECTED="ELF 64-bit LSB pie executable, x86-64"
              elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
                EXPECTED="ELF 64-bit LSB pie executable, ARM aarch64"
              fi
            elif [[ "${{ matrix.os }}" == "macos-12" ]]; then
              OUTPUT=$(file "$binary" | cut -d: -f2-)
              if [[ "${{ matrix.arch }}" == "amd64" ]]; then
                EXPECTED="Mach-O 64-bit executable x86_64"
              elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
                EXPECTED="Mach-O 64-bit executable arm64"
              fi
            fi

            echo "Output: $OUTPUT"
            echo "Expected: $EXPECTED"

            if [[ "$OUTPUT" == *"$EXPECTED"* ]]; then
              echo "The binary format is correct."
            else
              echo "Error: The binary format does not match the expected format."
              exit 1
            fi
          fi
          done

      - name: Create zip and sha256 files
        working-directory: ./ampdbin
        run: |
          for i in `ls | grep -v .asc`
          do
            shasum -a 256 $i | awk '{print $1}' > $i.sha256
            zip $i.zip $i
            shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256
          done

      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./ampdbin/*
          tag: ${{ github.event.inputs.tag }}
          overwrite: true
          file_glob: true

      - name: Upload binaries to S3
        env:
          S3_PATH: s3://axelar-releases/ampd/${{ needs.extract-semver.outputs.semver }}
        run: |
          aws s3 cp ./ampdbin ${S3_PATH}/ --recursive

      - name: Prepare source directory structure for r2 upload
        id: prepare-r2-release
        run: |
          version="${{ needs.extract-semver.outputs.version }}"
          mkdir -p "./${version}"
          cp -R ./ampdbin/. "./${version}/"
          echo "release-dir=./${version}" >> $GITHUB_OUTPUT
          echo "r2-destination-dir=./releases/ampd/" >> $GITHUB_OUTPUT


      - uses: ryand56/r2-upload-action@latest
        with:
          r2-account-id: ${{ secrets.R2_ACCOUNT_ID }}
          r2-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_CF }}
          r2-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_CF }}
          r2-bucket: ${{ secrets.R2_BUCKET }}
          source-dir: ${{ steps.prepare-r2-release.outputs.release-dir }}
          destination-dir: ${{ steps.prepare-r2-release.outputs.r2-destination-dir }}

  release-docker:
    runs-on: ubuntu-22.04
    needs: extract-semver
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: '0'
          ref: ${{ github.event.inputs.tag }}
          submodules: recursive

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Build and push docker images
        env:
          PLATFORM: linux/amd64
          SEMVER: ${{ needs.extract-semver.outputs.semver }}
        run: |
          make build-push-docker-images

  combine-sign:
    needs: [ release-docker, extract-semver ]
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.3.0
        with:
          cosign-release: 'v2.2.2'

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Create multiarch manifest
        env:
          SEMVER: ${{ needs.extract-semver.outputs.semver }}
        run: |
          docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \
            axelarnet/axelar-ampd-linux-amd64:${SEMVER}

      - name: Sign the images with GitHub OIDC
        run: cosign sign -y --oidc-issuer https://token.actions.githubusercontent.com ${TAGS}
        env:
          TAGS: axelarnet/axelar-ampd:${{ needs.extract-semver.outputs.semver }}
          COSIGN_EXPERIMENTAL: 1