ampd - Build and release binary and image #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Amplifier - Build Release | |
on: | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: Github tag to release binaries for (reusing an existing tag will make the pipeline fail) | |
required: true | |
default: latest | |
jobs: | |
extract-semver: | |
runs-on: ubuntu-22.04 | |
name: Validate tag and extract semver | |
outputs: | |
semver: ${{ steps.extract_semver.outputs.semver }} | |
steps: | |
- name: Extract semver from tag | |
id: extract_semver | |
run: | | |
echo "semver=$(echo ${{ github.event.inputs.tag }} | sed 's/ampd-//')" >> $GITHUB_OUTPUT | |
- name: Validate tag | |
env: | |
TAG: ${{ github.event.inputs.tag }} | |
SEMVER: ${{ steps.extract_semver.outputs.semver }} | |
run: | | |
if [[ $TAG =~ ampd-v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi | |
aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1 | |
release-binaries: | |
runs-on: ${{ matrix.os }} | |
needs: extract-semver | |
strategy: | |
matrix: | |
os: [ubuntu-22.04, macos-12] | |
arch: [amd64, arm64] | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: us-east-2 | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }} | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
ref: ${{ github.event.inputs.tag }} | |
submodules: recursive | |
- name: Install Rust | |
run: | | |
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
- name: build and sign darwin binaries | |
env: | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
if: matrix.os == 'macos-12' | |
run: | | |
OS="darwin" | |
ARCH="${{ matrix.arch }}" | |
if [ "$ARCH" == "arm64" ] | |
then | |
brew install protobuf | |
rustup target add aarch64-apple-darwin | |
cargo build --release --target aarch64-apple-darwin | |
mkdir ampdbin | |
mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
else | |
brew install protobuf | |
cargo build --release | |
mkdir ampdbin | |
mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
fi | |
- name: build and sign linux binaries | |
env: | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
if: matrix.os == 'ubuntu-22.04' | |
run: | | |
OS="linux" | |
ARCH="${{ matrix.arch }}" | |
if [ "$ARCH" == "arm64" ] | |
then | |
sudo apt-get install protobuf-compiler gcc-aarch64-linux-gnu g++-aarch64-linux-gnu | |
rustup target add aarch64-unknown-linux-gnu | |
export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc | |
cargo build --release --target aarch64-unknown-linux-gnu | |
mkdir ampdbin | |
mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
else | |
sudo apt-get install protobuf-compiler | |
cargo build --release | |
mkdir ampdbin | |
mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER" | |
fi | |
- name: Test Binary Format | |
working-directory: ./ampdbin | |
run: | | |
for binary in ./ampd-*; do | |
if [[ "$binary" != *.asc ]]; then | |
echo "Testing binary: $binary" | |
OUTPUT=$(file "$binary" | cut -d: -f2- | awk -F, '{print $1"," $2}') | |
if [[ "${{ matrix.os }}" == "ubuntu-22.04" ]]; then | |
if [[ "${{ matrix.arch }}" == "amd64" ]]; then | |
EXPECTED="ELF 64-bit LSB pie executable, x86-64" | |
elif [[ "${{ matrix.arch }}" == "arm64" ]]; then | |
EXPECTED="ELF 64-bit LSB pie executable, ARM aarch64" | |
fi | |
elif [[ "${{ matrix.os }}" == "macos-12" ]]; then | |
OUTPUT=$(file "$binary" | cut -d: -f2-) | |
if [[ "${{ matrix.arch }}" == "amd64" ]]; then | |
EXPECTED="Mach-O 64-bit executable x86_64" | |
elif [[ "${{ matrix.arch }}" == "arm64" ]]; then | |
EXPECTED="Mach-O 64-bit executable arm64" | |
fi | |
fi | |
echo "Output: $OUTPUT" | |
echo "Expected: $EXPECTED" | |
if [[ "$OUTPUT" == *"$EXPECTED"* ]]; then | |
echo "The binary format is correct." | |
else | |
echo "Error: The binary format does not match the expected format." | |
exit 1 | |
fi | |
fi | |
done | |
- name: Create zip and sha256 files | |
working-directory: ./ampdbin | |
run: | | |
for i in `ls | grep -v .asc` | |
do | |
shasum -a 256 $i | awk '{print $1}' > $i.sha256 | |
zip $i.zip $i | |
shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256 | |
done | |
- name: Upload binaries to release | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: ./ampdbin/* | |
tag: ${{ github.event.inputs.tag }} | |
overwrite: true | |
file_glob: true | |
- name: Upload binaries to S3 | |
env: | |
S3_PATH: s3://axelar-releases/ampd/${{ needs.extract-semver.outputs.semver }} | |
run: | | |
aws s3 cp ./ampdbin ${S3_PATH}/ --recursive | |
release-docker: | |
runs-on: ubuntu-22.04 | |
needs: extract-semver | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' | |
ref: ${{ github.event.inputs.tag }} | |
submodules: recursive | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Build and push docker images | |
env: | |
PLATFORM: linux/amd64 | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
run: | | |
make build-push-docker-images | |
combine-sign: | |
needs: [ release-docker, extract-semver ] | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
with: | |
cosign-release: 'v1.13.1' | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
password: ${{ secrets.DOCKER_HUB_TOKEN }} | |
- name: Create multiarch manifest | |
env: | |
SEMVER: ${{ needs.extract-semver.outputs.semver }} | |
run: | | |
docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \ | |
axelarnet/axelar-ampd-linux-amd64:${SEMVER} | |
- name: Sign the images with GitHub OIDC | |
run: cosign sign --oidc-issuer https://token.actions.githubusercontent.com ${TAGS} | |
env: | |
TAGS: axelarnet/axelar-ampd:${{ needs.extract-semver.outputs.semver }} | |
COSIGN_EXPERIMENTAL: 1 |