Improve starknet-go-tests workflow flexibility and security #236
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD pipeline | |
env: | |
DOCKER_REGISTRY: nethermind.jfrog.io | |
REPO_DEV: nubia-oci-local-dev | |
REPO_STAGING: nubia-oci-local-staging | |
REPO_PROD: nubia-oci-local-prod | |
on: | |
push: | |
branches: [main] | |
tags: ["v*"] | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
id-token: write | |
contents: write | |
jobs: | |
build_docker_image: | |
runs-on: ubuntu-latest | |
outputs: | |
DOCKER_IMAGE_TAG: ${{ steps.set_tag.outputs.DOCKER_IMAGE_TAG }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Define image tag | |
id: set_tag | |
run: | | |
export DOCKER_IMAGE_TAG=$(git describe --tags) | |
# This one is to be able to use the image tag in the next steps in this job | |
echo "DOCKER_IMAGE_TAG=$DOCKER_IMAGE_TAG" >> $GITHUB_ENV | |
# This one is to be able to use the image tag in the next jobs | |
echo "DOCKER_IMAGE_TAG=$DOCKER_IMAGE_TAG" >> $GITHUB_OUTPUT | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to registry | |
run: | | |
docker login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.ARTIFACTORY_NUBIA_USERNAME }} -p ${{ secrets.ARTIFACTORY_NUBIA_TOKEN_DEVELOPER }} | |
- name: Build and Push | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
platforms: "linux/amd64" | |
push: true | |
tags: | | |
${{ env.DOCKER_REGISTRY }}/${{ env.REPO_DEV }}/juno:${{ env.DOCKER_IMAGE_TAG }} | |
${{ env.DOCKER_REGISTRY }}/${{ env.REPO_DEV }}/juno:latest | |
validate_dev: | |
permissions: | |
id-token: write | |
contents: write | |
needs: [build_docker_image] | |
runs-on: ubuntu-latest | |
environment: | |
name: Development | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Verify Deployment Version (Dev) | |
run: | | |
bash .github/workflow-scripts/verify_deployment.sh ${{ secrets.DEV_SEPOLIA_URL }} ${{ needs.build_docker_image.outputs.DOCKER_IMAGE_TAG }} | |
dev-starknet-rs-tests: | |
needs: [validate_dev] | |
uses: ./.github/workflows/starknet-rs-tests.yml | |
secrets: | |
STARKNET_RPC: ${{ secrets.DEV_SEPOLIA_URL }}/v0_6 | |
dev-starknet-js-tests: | |
needs: [validate_dev] | |
uses: ./.github/workflows/starknet-js-tests.yml | |
secrets: | |
TEST_RPC_URL: ${{ secrets.DEV_SEPOLIA_URL }}/v0_7 | |
TEST_ACCOUNT_ADDRESS: ${{ secrets.TEST_ACCOUNT_ADDRESS }} | |
TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }} | |
dev-starknet-go-tests: | |
needs: [validate_dev] | |
uses: ./.github/workflows/starknet-go-tests.yml | |
secrets: | |
TEST_RPC_URL: ${{ secrets.DEV_SEPOLIA_URL }}/v0_7 | |
promote_to_staging: | |
needs: [build_docker_image, validate_dev] | |
runs-on: ubuntu-latest | |
environment: | |
name: Staging | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup oras cli | |
uses: oras-project/setup-oras@v1 | |
- name: Login to registry | |
run: | | |
oras login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.ARTIFACTORY_NUBIA_USERNAME }} -p ${{ secrets.ARTIFACTORY_NUBIA_TOKEN_DEVELOPER }} | |
- name: Promote to Staging | |
run: | | |
OLD_TAG=${{ env.DOCKER_REGISTRY }}/${{ env.REPO_DEV }}/juno:${{ needs.build_docker_image.outputs.DOCKER_IMAGE_TAG }} | |
NEW_TAG=${{ env.DOCKER_REGISTRY }}/${{ env.REPO_STAGING }}/juno:${{ needs.build_docker_image.outputs.DOCKER_IMAGE_TAG }} | |
oras cp -r $OLD_TAG $NEW_TAG,latest | |
- name: Verify Deployment Version (Staging) | |
run: | | |
bash .github/workflow-scripts/verify_deployment.sh ${{ secrets.STAGING_SEPOLIA_URL }} ${{ needs.build_docker_image.outputs.DOCKER_IMAGE_TAG }} | |
staging-starknet-rs-tests: | |
needs: [promote_to_staging] | |
uses: ./.github/workflows/starknet-rs-tests.yml | |
secrets: | |
STARKNET_RPC: ${{ secrets.STAGING_SEPOLIA_URL }}/v0_6 | |
staging-starknet-js-tests: | |
needs: [promote_to_staging] | |
uses: ./.github/workflows/starknet-js-tests.yml | |
secrets: | |
TEST_RPC_URL: ${{ secrets.STAGING_SEPOLIA_URL }}/v0_7 | |
TEST_ACCOUNT_ADDRESS: ${{ secrets.TEST_ACCOUNT_ADDRESS }} | |
TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }} | |
staging-starknet-go-tests: | |
needs: [promote_to_staging] | |
uses: ./.github/workflows/starknet-go-tests.yml | |
secrets: | |
TEST_RPC_URL: ${{ secrets.STAGING_SEPOLIA_URL }}/v0_7 | |
promote_to_production: | |
needs: [build_docker_image, promote_to_staging] | |
runs-on: ubuntu-latest | |
environment: | |
name: Production | |
steps: | |
- name: Setup oras cli | |
uses: oras-project/setup-oras@v1 | |
- name: Login to registry | |
run: | | |
oras login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.ARTIFACTORY_NUBIA_USERNAME }} -p ${{ secrets.ARTIFACTORY_NUBIA_TOKEN_DEVELOPER }} | |
- name: Promote to Production | |
run: | | |
OLD_TAG=${{ env.DOCKER_REGISTRY }}/${{ env.REPO_STAGING }}/juno:${{ needs.build_docker_image.outputs.DOCKER_IMAGE_TAG }} | |
NEW_TAG=${{ env.DOCKER_REGISTRY }}/${{ env.REPO_PROD }}/juno:${{ needs.build_docker_image.outputs.DOCKER_IMAGE_TAG }} | |
oras cp -r $OLD_TAG $NEW_TAG,latest | |
test_in_production: | |
needs: [promote_to_production] | |
runs-on: ubuntu-latest | |
environment: | |
name: ProductionTests # Artificial gate to enforce manual approval | |
steps: | |
- name: Starting production tests | |
run: | | |
echo "Tests in production will start shortly." | |
prod-starknet-rs-tests: | |
needs: [test_in_production] | |
uses: ./.github/workflows/starknet-rs-tests.yml | |
secrets: | |
STARKNET_RPC: ${{ secrets.PROD_SEPOLIA_URL }}/v0_6 | |
prod-starknet-js-tests: | |
needs: [test_in_production] | |
uses: ./.github/workflows/starknet-js-tests.yml | |
secrets: | |
TEST_RPC_URL: ${{ secrets.PROD_SEPOLIA_URL }}/v0_7 | |
TEST_ACCOUNT_ADDRESS: ${{ secrets.TEST_ACCOUNT_ADDRESS }} | |
TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }} | |
prod-starknet-go-tests: | |
needs: [test_in_production] | |
uses: ./.github/workflows/starknet-go-tests.yml | |
secrets: | |
TEST_RPC_URL: ${{ secrets.PROD_SEPOLIA_URL }}/v0_7 |