From ec2dd8a03597a9e7f9cefe83e470e65cb22a8e86 Mon Sep 17 00:00:00 2001
From: frank zhu
Date: Fri, 16 Aug 2024 15:59:01 -0500
Subject: [PATCH] remove cosign user/pass env and uncomment other workflow

---
 .../goreleaser-build-sign-publish/action.yml | 13 --
 .../action_utils | 12 --
 .github/workflows/build-publish.yml | 168 +++++++++---------
 3 files changed, 82 insertions(+), 111 deletions(-)

diff --git a/.github/actions/goreleaser-build-sign-publish/action.yml b/.github/actions/goreleaser-build-sign-publish/action.yml
index 86453037b9c..40486a095c1 100644
--- a/.github/actions/goreleaser-build-sign-publish/action.yml
+++ b/.github/actions/goreleaser-build-sign-publish/action.yml
@@ -62,15 +62,6 @@ inputs:
 description: Enable signing of docker images
 default: "false"
 required: false
- cosign-private-key:
- description: The private key to be used with cosign to sign the image
- required: false
- cosign-public-key:
- description: The public key to be used with cosign for verification
- required: false
- cosign-password:
- description: The password to decrypt the cosign private key needed to sign the image
- required: false
 runs:
 using: composite
 steps:
@@ -113,7 +104,6 @@ runs:
 - name: Run goreleaser release
 shell: bash
 env:
- # ENABLE_COSIGN: ${{ inputs.enable-cosign }}
 ENABLE_GORELEASER_SNAPSHOT: ${{ inputs.enable-goreleaser-snapshot }}
 ENABLE_GORELEASER_SPLIT: ${{ inputs.enable-goreleaser-split }}
 ENABLE_DOCKER_PUBLISH: ${{ inputs.enable-docker-publish }}
@@ -124,9 +114,6 @@ runs:
 GORELEASER_CONFIG: ${{ inputs.goreleaser-config }}
 GORELEASER_KEY: ${{ inputs.goreleaser-key }}
 GITHUB_TOKEN: ${{ github.token }}
- # COSIGN_PASSWORD: ${{ inputs.cosign-password }}
- # COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
- # COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
 MACOS_SDK_DIR: ${{ inputs.macos-sdk-dir }}
 run: |
 # https://github.com/orgs/community/discussions/24950
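Review bot: With the three `cosign-*` inputs and the commented `ENABLE_COSIGN`/`COSIGN_*` env lines gone, the action still advertises `enable-cosign` ("Enable signing of docker images"), but the `Run goreleaser release` step in the second and third hunks no longer passes that input to `action_utils`, so as far as this patch shows it only matters if another step above these hunks (a cosign install step, presumably) reads it. The description should say what enabling it now does and that no key material is accepted, e.g. `description: Enable cosign signing of docker images; no key inputs are accepted, signing is configured in <location of the signing config>`, with the placeholder replaced by wherever that configuration actually lives. The `action_utils` hunks below remove only commented-out code and raise no separate point.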
diff --git a/.github/actions/goreleaser-build-sign-publish/action_utils b/.github/actions/goreleaser-build-sign-publish/action_utils
index 986a0da125e..51c7c90aa1a 100755
--- a/.github/actions/goreleaser-build-sign-publish/action_utils
+++ b/.github/actions/goreleaser-build-sign-publish/action_utils
@@ -2,11 +2,9 @@ set -x
 set -euo pipefail
-# ENABLE_COSIGN=${ENABLE_COSIGN:-false}
 ENABLE_GORELEASER_SNAPSHOT=${ENABLE_GORELEASER_SNAPSHOT:-false}
 ENABLE_GORELEASER_SPLIT=${ENABLE_GORELEASER_SPLIT:-false}
 ENABLE_DOCKER_PUBLISH=${ENABLE_DOCKER_PUBLISH:-false}
-# COSIGN_PASSWORD=${COSIGN_PASSWORD:-""}
 GORELEASER_EXEC=${GORELEASER_EXEC:-goreleaser}
 GORELEASER_CONFIG=${GORELEASER_CONFIG:-.goreleaser.yaml}
 IMAGE_PREFIX=${IMAGE_PREFIX:-"localhost:5001"}
@@ -69,11 +67,6 @@ goreleaser_release() {
 flags=$(printf "%s " "${goreleaser_flags[@]}")
 flags=$(echo "$flags" | sed 's/ *$//')
- # if [[ $ENABLE_COSIGN == "true" ]]; then
- # echo "$COSIGN_PUBLIC_KEY" > cosign.pub
- # echo "$COSIGN_PRIVATE_KEY" > cosign.key
- # fi
-
 if [[ -n $MACOS_SDK_DIR ]]; then
 MACOS_SDK_DIR=$(echo "$(cd "$(dirname "$MACOS_SDK_DIR")" || exit; pwd)/$(basename "$MACOS_SDK_DIR")")
 fi
@@ -84,11 +77,6 @@ goreleaser_release() {
 _publish_snapshot_images
 _publish_snapshot_manifests
 fi
-
- # if [[ $ENABLE_COSIGN == "true" ]]; then
- # rm -rf cosign.pub
- # rm -rf cosign.key
- # fi
 }
 "$@"
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
index a8a774df570..0ba9d20787a 100644
--- a/.github/workflows/build-publish.yml
+++ b/.github/workflows/build-publish.yml
@@ -7,7 +7,6 @@ on:
 - "v*"
 branches:
 - "release/**"
- - "re-2756/build-sign-publish-gha-goreleaser"
 env:
 ECR_HOSTNAME: public.ecr.aws
@@ -27,51 +26,51 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
- # build-sign-publish-chainlink:
- # needs: [checks]
- # if: ${{ ! startsWith(github.ref_name, 'release/') }}
- # runs-on: ubuntu-20.04
- # environment: build-publish
- # permissions:
- # id-token: write
- # contents: read
- # outputs:
- # docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
- # docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
- # steps:
- # - name: Checkout repository
- # uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ build-sign-publish-chainlink:
+ needs: [checks]
+ if: ${{ ! startsWith(github.ref_name, 'release/') }}
+ runs-on: ubuntu-20.04
+ environment: build-publish
+ permissions:
+ id-token: write
+ contents: read
+ outputs:
+ docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
+ docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- # - name: Build, sign and publish chainlink image
- # id: build-sign-publish
- # uses: ./.github/actions/build-sign-publish-chainlink
- # with:
- # publish: true
- # aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
- # aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
- # aws-region: ${{ secrets.AWS_REGION }}
- # ecr-hostname: ${{ env.ECR_HOSTNAME }}
- # ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
- # sign-images: true
- # sign-method: "keypair"
- # cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
- # cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
- # cosign-password: ${{ secrets.COSIGN_PASSWORD }}
- # dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
- # dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
- # verify-signature: true
+ - name: Build, sign and publish chainlink image
+ id: build-sign-publish
+ uses: 
./.github/actions/build-sign-publish-chainlink
+ with:
+ publish: true
+ aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
+ aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ ecr-hostname: ${{ env.ECR_HOSTNAME }}
+ ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
+ sign-images: true
+ sign-method: "keypair"
+ cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
+ cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+ dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
+ dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
+ verify-signature: true
- # - name: Collect Metrics
- # if: always()
- # id: collect-gha-metrics
- # uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
- # with:
- # id: build-chainlink-publish
- # org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
- # basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
- # hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
- # this-job-name: build-sign-publish-chainlink
- # continue-on-error: true
+ - name: Collect Metrics
+ if: always()
+ id: collect-gha-metrics
+ uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
+ with:
+ id: build-chainlink-publish
+ org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
+ basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
+ hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
+ this-job-name: build-sign-publish-chainlink
+ continue-on-error: true
 goreleaser-build-sign-publish-chainlink:
 needs: [checks]
@@ -107,9 +106,6 @@ jobs:
 zig-version: 0.11.0
 enable-cosign: "true"
 cosign-version: "v2.4.0"
- cosign-password: ${{ secrets.COSIGN_PASSWORD }}
- cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
- cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
 - name: Output image name and digest
 shell: sh
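Review bot: The re-enabled `build-sign-publish-chainlink` job is pinned to `runs-on: ubuntu-20.04` while the `slack-notify` job restored further down in the same file uses `ubuntu-24.04`; the 20.04 hosted runner image is deprecated and slated for removal, so a job that has been commented out for a while is likely to stop scheduling soon after it is turned back on. Suggest aligning it with the rest of the workflow, `runs-on: ubuntu-24.04`, unless the action it calls has a known dependency on 20.04. The rest of the job reads consistently with its neighbours (SHA-pinned actions, `id-token: write` scoped to this job only); the `goreleaser-build-sign-publish-chainlink:` header in the trailing context belongs to a job whose body continues outside this hunk.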
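Review bot: The goreleaser job keeps `enable-cosign: "true"` and `cosign-version: "v2.4.0"` but, after this hunk, receives no key material, and the action's own run step (changed earlier in this patch) no longer exports any cosign variables, so signing presumably now comes entirely from the goreleaser configuration. If that is keyless signing, the job needs `permissions: id-token: write` and the certificate identity that verifiers should expect ought to be written down; the job's `permissions:` block lies outside this hunk, so please confirm it is set. A one-line comment beside `enable-cosign`, e.g. `# no key inputs: signing parameters live in the goreleaser config`, would tell the next reader where to look, since the two jobs in this file now sign in different ways.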
@@ -135,42 +131,42 @@ jobs:
 continue-on-error: true
 # Notify Slack channel for new git tags.
- # slack-notify:
- # if: github.ref_type == 'tag'
- # needs: [build-sign-publish-chainlink]
- # runs-on: ubuntu-24.04
- # environment: build-publish
- # steps:
- # - name: Checkout repository
- # uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- # - name: Notify Slack
- # uses: smartcontractkit/.github/actions/slack-notify-git-ref@7fa90bbeff35aa6ce3a9054f542bcf10b7d47cec # slack-notify-git-ref@0.1.0
- # with:
- # slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
- # slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
- # git-ref: ${{ github.ref_name }}
- # git-ref-type: ${{ github.ref_type }}
- # changelog-url: >-
- # ${{
- # github.ref_type == 'tag' &&
- # format(
- # 'https://github.com/{0}/blob/{1}/CHANGELOG.md',
- # github.repository,
- # github.ref_name
- # ) || ''
- # }}
- # docker-image-name: >-
- # ${{
- # github.ref_type == 'tag' &&
- # format(
- # '{0}/{1}:{2}',
- # env.ECR_HOSTNAME,
- # env.ECR_IMAGE_NAME,
- # needs.build-sign-publish-chainlink.outputs.docker-image-tag
- # ) || ''
- # }}
- # docker-image-digest: >-
- # ${{
- # github.ref_type == 'tag' &&
- # needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
- # }}
+ slack-notify:
+ if: github.ref_type == 'tag'
+ needs: [build-sign-publish-chainlink]
+ runs-on: ubuntu-24.04
+ environment: build-publish
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ - name: Notify Slack
+ uses: smartcontractkit/.github/actions/slack-notify-git-ref@7fa90bbeff35aa6ce3a9054f542bcf10b7d47cec # slack-notify-git-ref@0.1.0
+ with:
+ slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
+ slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
+ git-ref: ${{ github.ref_name }}
+ git-ref-type: ${{ github.ref_type }}
+ changelog-url: >-
+ ${{
+ github.ref_type == 'tag' 
&&
+ format(
+ 'https://github.com/{0}/blob/{1}/CHANGELOG.md',
+ github.repository,
+ github.ref_name
+ ) || ''
+ }}
+ docker-image-name: >-
+ ${{
+ github.ref_type == 'tag' &&
+ format(
+ '{0}/{1}:{2}',
+ env.ECR_HOSTNAME,
+ env.ECR_IMAGE_NAME,
+ needs.build-sign-publish-chainlink.outputs.docker-image-tag
+ ) || ''
+ }}
+ docker-image-digest: >-
+ ${{
+ github.ref_type == 'tag' &&
+ needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
+ }}
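Review bot: Each of the three `with:` values under `Notify Slack` wraps its expression in `github.ref_type == 'tag' && … || ''`, but the job-level `if: github.ref_type == 'tag'` already guarantees that condition, so the `|| ''` fallbacks are unreachable and the folded block scalars exist only to hold that dead guard. They would read more simply as one-line expressions: `changelog-url: ${{ format('https://github.com/{0}/blob/{1}/CHANGELOG.md', github.repository, github.ref_name) }}`, `docker-image-name: ${{ format('{0}/{1}:{2}', env.ECR_HOSTNAME, env.ECR_IMAGE_NAME, needs.build-sign-publish-chainlink.outputs.docker-image-tag) }}` and `docker-image-digest: ${{ needs.build-sign-publish-chainlink.outputs.docker-image-digest }}`. If the block was restored verbatim on purpose, a one-line comment above `with:` noting that the job-level `if` is the real gate would save the next reader the same analysis. Note also that `needs:` lists only `build-sign-publish-chainlink`, so the notification does not wait for the goreleaser job that this patch also touches; that may be intended, but it is worth a comment either way.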