Merge branch 'main' into retry_block_results

.github/CODEOWNERS

@@ -2,3 +2,6 @@
 # Each line is a file pattern followed by one or more owners.
 
 * @axelarnetwork/core
+.github/workflows/* @axelarnetwork/devops
+.github/actions/* @axelarnetwork/devops
+**/Dockerfile @axelarnetwork/devops

.github/workflows/basic.yaml

@@ -12,22 +12,24 @@ name: Basic
 jobs:
   test:
     name: Test Suite
-    runs-on: ubuntu-8-core-32-gb
+    runs-on: blacksmith-32vcpu-ubuntu-2204
     steps:
       - uses: actions/checkout@v4
 
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: 1.76.0
+          toolchain: 1.73.0
           override: true
 
       - name: Install protoc
         uses: arduino/setup-protoc@v2
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Cache build artifacts
-        uses: Swatinem/rust-cache@v2
+        uses: useblacksmith/rust-cache@v3
         with:
           shared-key: "cache"
 
@@ -42,20 +44,20 @@ jobs:
 
   cosmwasm-compilation:
     name: Cosmwasm Compilation
-    runs-on: ubuntu-8-core-32-gb
+    runs-on: blacksmith-32vcpu-ubuntu-2204
     steps:
       - uses: actions/checkout@v4
 
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: 1.76.0
+          toolchain: 1.73.0
           target: wasm32-unknown-unknown
           override: true
 
       - name: Cache build artifacts
-        uses: Swatinem/rust-cache@v2
+        uses: useblacksmith/rust-cache@v3
         with:
           shared-key: "cache"
 
@@ -78,15 +80,15 @@ jobs:
 
   lints:
     name: Lints
-    runs-on: ubuntu-8-core-32-gb
+    runs-on: blacksmith-16vcpu-ubuntu-2204
     steps:
       - uses: actions/checkout@v4
 
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: 1.76.0
+          toolchain: 1.73.0
           override: true
           components: rustfmt, clippy
 
@@ -96,7 +98,7 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Cache build artifacts
-        uses: Swatinem/rust-cache@v2
+        uses: useblacksmith/rust-cache@v3
         with:
           shared-key: "cache"
 

.github/workflows/build-latest-docker-image.yaml → .github/workflows/build-ampd-main.yaml

@@ -1,17 +1,14 @@
-name: Build and push latest docker image
+name: Amplifier - Build main branch
 
 on:
   push:
     branches:
       - main
   workflow_dispatch:
+
 jobs:
   build-and-push-latest-docker-image:
-    strategy:
-      matrix:
-        os:
-          - ubuntu-20.04
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-22.04
     permissions:
       id-token: write
       contents: read
@@ -44,6 +41,7 @@ jobs:
 
       - uses: docker/setup-buildx-action@v3
         if: steps.image-tag-check.outputs.image_tag_exists == 0
+
       - uses: docker/build-push-action@v5
         if: steps.image-tag-check.outputs.image_tag_exists == 0
         env:

.github/workflows/build-ampd-release.yaml

@@ -0,0 +1,226 @@
+name: Amplifier - Build Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: Github tag to release binaries for (reusing an existing tag will make the pipeline fail)
+        required: true
+        default: latest
+
+jobs:
+  release-binaries:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-22.04, macos-12]
+        arch: [amd64, arm64]
+
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }}
+
+      - name: Validate tag
+        env:
+          SEMVER: ${{ github.event.inputs.tag }}
+        run: |
+          if [[ $SEMVER =~ v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi
+          aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+          ref: ${{ github.event.inputs.tag }}
+          submodules: recursive
+
+      - name: Install Rust
+        run: |
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: build and sign darwin binaries
+        env:
+          SEMVER: ${{ github.event.inputs.tag }}
+        if: matrix.os == 'macos-12'
+        run: |
+          OS="darwin"
+          ARCH="${{ matrix.arch }}"
+          if [ "$ARCH" == "arm64" ]
+          then
+            brew install protobuf
+            rustup target add aarch64-apple-darwin
+            cargo build --release --target aarch64-apple-darwin
+            mkdir ampdbin
+            mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+          else
+            brew install protobuf
+            cargo build --release
+            mkdir ampdbin
+            mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+          fi
+
+      - name: build and sign linux binaries
+        env:
+          SEMVER: ${{ github.event.inputs.tag }}
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+          OS="linux"
+          ARCH="${{ matrix.arch }}"
+          if [ "$ARCH" == "arm64" ]
+          then
+            sudo apt-get install protobuf-compiler gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
+            rustup target add aarch64-unknown-linux-gnu
+            export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
+            cargo build --release --target aarch64-unknown-linux-gnu
+            mkdir ampdbin
+            mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+          else
+            sudo apt-get install protobuf-compiler
+            cargo build --release
+            mkdir ampdbin
+            mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+          fi
+
+      - name: Test Binary Format
+        working-directory: ./ampdbin
+        run: |
+          for binary in ./ampd-*; do
+          if [[ "$binary" != *.asc ]]; then
+            echo "Testing binary: $binary"
+            OUTPUT=$(file "$binary" | cut -d: -f2- | awk -F, '{print $1"," $2}')
+            if [[ "${{ matrix.os }}" == "ubuntu-22.04" ]]; then
+              if [[ "${{ matrix.arch }}" == "amd64" ]]; then
+                EXPECTED="ELF 64-bit LSB pie executable, x86-64"
+              elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
+                EXPECTED="ELF 64-bit LSB pie executable, ARM aarch64"
+              fi
+            elif [[ "${{ matrix.os }}" == "macos-12" ]]; then
+              OUTPUT=$(file "$binary" | cut -d: -f2-)
+              if [[ "${{ matrix.arch }}" == "amd64" ]]; then
+                EXPECTED="Mach-O 64-bit executable x86_64"
+              elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
+                EXPECTED="Mach-O 64-bit executable arm64"
+              fi
+            fi
+        
+            echo "Output: $OUTPUT"
+            echo "Expected: $EXPECTED"
+        
+            if [[ "$OUTPUT" == *"$EXPECTED"* ]]; then
+              echo "The binary format is correct."
+            else
+              echo "Error: The binary format does not match the expected format."
+              exit 1
+            fi
+          fi
+          done
+
+      - name: Create zip and sha256 files
+        working-directory: ./ampdbin
+        run: |
+          for i in `ls | grep -v .asc`
+          do
+            shasum -a 256 $i | awk '{print $1}' > $i.sha256
+            zip $i.zip $i
+            shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256
+          done
+
+      - name: Upload binaries to release
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: ./ampdbin/*
+          tag: ${{ github.event.inputs.tag }}
+          overwrite: true
+          file_glob: true
+
+      - name: Upload binaries to S3
+        env:
+          S3_PATH: s3://axelar-releases/ampd/${{ github.event.inputs.tag }}
+        run: |
+          aws s3 cp ./ampdbin ${S3_PATH}/ --recursive
+
+  release-docker:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+          ref: ${{ github.event.inputs.tag }}
+          submodules: recursive
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Build and push docker images
+        run: |
+          make build-push-docker-images
+        env:
+          PLATFORM: linux/amd64
+          SEMVER: ${{ github.event.inputs.tag }}
+
+  combine-sign:
+    needs: release-docker
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.1'
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Create multiarch manifest
+        run: |
+          docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \
+            axelarnet/axelar-ampd-linux-amd64:${SEMVER}
+        env:
+          SEMVER: ${{ github.event.inputs.tag }}
+
+      - name: Sign the images with GitHub OIDC
+        run: cosign sign --oidc-issuer https://token.actions.githubusercontent.com ${TAGS}
+        env:
+          TAGS: axelarnet/axelar-ampd:${{ github.event.inputs.tag }}
+          COSIGN_EXPERIMENTAL: 1

.github/workflows/codecov.yaml

@@ -9,7 +9,7 @@ on:
 
 jobs:
   coverage:
-    runs-on: ubuntu-8-core-32-gb
+    runs-on: blacksmith-16vcpu-ubuntu-2204
     env:
       CARGO_TERM_COLOR: always
     steps:
@@ -19,17 +19,19 @@ jobs:
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: 1.76.0
+          toolchain: 1.73.0
           override: true
 
       - name: Install protoc
         uses: arduino/setup-protoc@v2
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install libclang-dev
         run: sudo apt-get install libclang-dev
 
       - name: Cache build artifacts
-        uses: Swatinem/rust-cache@v2
+        uses: useblacksmith/rust-cache@v3
         with:
           shared-key: "cache"