diff --git a/.github/workflows/build-ampd-release.yaml b/.github/workflows/build-ampd-release.yaml
index abf218cb8..379c2f747 100644
--- a/.github/workflows/build-ampd-release.yaml
+++ b/.github/workflows/build-ampd-release.yaml
@@ -22,9 +22,205 @@ jobs: id-token: write steps: - - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: aws-region: us-east-2 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }}
+
+ - name: Validate tag
+ env:
+ SEMVER: ${{ github.event.inputs.tag }}
+ run: |
+ if [[ $SEMVER =~ v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi
+ aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1
+
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: '0'
+ ref: ${{ github.event.inputs.tag }}
+ submodules: recursive
+
+ - name: Install Rust
+ run: |
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+ - name: build and sign darwin binaries
+ env:
+ SEMVER: ${{ github.event.inputs.tag }}
+ if: matrix.os == 'macos-12'
+ run: |
+ OS="darwin"
+ ARCH="${{ matrix.arch }}"
+ if [ "$ARCH" == "arm64" ]
+ then
+ brew install protobuf
+ rustup target add aarch64-apple-darwin
+ cargo build --release --target aarch64-apple-darwin
+ mkdir ampdbin
+ mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ else
+ brew install protobuf
+ cargo build --release
+ mkdir ampdbin
+ mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ fi
+
+ - name: build and sign linux binaries
+ env:
+ SEMVER: ${{ github.event.inputs.tag }}
+ if: matrix.os == 'ubuntu-22.04'
+ run: |
+ OS="linux"
+ ARCH="${{ matrix.arch }}"
+ if [ "$ARCH" == "arm64" ]
+ then
+ sudo apt-get install protobuf-compiler gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
+ rustup target add aarch64-unknown-linux-gnu
+ export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
+ cargo build --release --target aarch64-unknown-linux-gnu
+ mkdir ampdbin
+ mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ else
+ sudo apt-get install protobuf-compiler
+ cargo build --release
+ mkdir ampdbin
+ mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ gpg --armor --detach-sign "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
+ fi
+
+ - name: Test Binary Format
+ working-directory: ./ampdbin
+ run: |
+ for binary in ./ampd-*; do
+ if [[ "$binary" != *.asc ]]; then
+ echo "Testing binary: $binary"
+ OUTPUT=$(file "$binary" | cut -d: -f2- | awk -F, '{print $1"," $2}')
+ if [[ "${{ matrix.os }}" == "ubuntu-22.04" ]]; then
+ if [[ "${{ matrix.arch }}" == "amd64" ]]; then
+ EXPECTED="ELF 64-bit LSB pie executable, x86-64"
+ elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
+ EXPECTED="ELF 64-bit LSB pie executable, ARM aarch64"
+ fi
+ elif [[ "${{ matrix.os }}" == "macos-12" ]]; then
+ OUTPUT=$(file "$binary" | cut -d: -f2-)
+ if [[ "${{ matrix.arch }}" == "amd64" ]]; then
+ EXPECTED="Mach-O 64-bit executable x86_64"
+ elif [[ "${{ matrix.arch }}" == "arm64" ]]; then
+ EXPECTED="Mach-O 64-bit executable arm64"
+ fi
+ fi
+
+ echo "Output: $OUTPUT"
+ echo "Expected: $EXPECTED"
+
+ if [[ "$OUTPUT" == *"$EXPECTED"* ]]; then
+ echo "The binary format is correct."
+ else
+ echo "Error: The binary format does not match the expected format."
+ exit 1
+ fi
+ fi
+ done
+
+ - name: Create zip and sha256 files
+ working-directory: ./ampdbin
+ run: |
+ for i in `ls | grep -v .asc`
+ do
+ shasum -a 256 $i | awk '{print $1}' > $i.sha256
+ zip $i.zip $i
+ shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256
+ done
+
+ - name: Upload binaries to release
+ uses: svenstaro/upload-release-action@v2
+ with:
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
+ file: ./ampdbin/*
+ tag: ${{ github.event.inputs.tag }}
+ overwrite: true
+ file_glob: true
+
+ - name: Upload binaries to S3
+ env:
+ S3_PATH: s3://axelar-releases/ampd/${{ github.event.inputs.tag }}
+ run: |
+ aws s3 cp ./ampdbin ${S3_PATH}/ --recursive
+
+ release-docker:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: '0'
+ ref: ${{ github.event.inputs.tag }}
+ submodules: recursive
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+ - name: Build and push docker images
+ run: |
+ make build-push-docker-images
+ env:
+ PLATFORM: linux/amd64
+ SEMVER: ${{ github.event.inputs.tag }}
+
+ combine-sign:
+ needs: release-docker
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.13.1'
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+ - name: Create multiarch manifest
+ run: |
+ docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \
+ axelarnet/axelar-ampd-linux-amd64:${SEMVER}
+ env:
+ SEMVER: ${{ github.event.inputs.tag }}
+
+ - name: Sign the images with GitHub OIDC
+ run: cosign sign --oidc-issuer https://token.actions.githubusercontent.com ${TAGS}
+ env:
+ TAGS: axelarnet/axelar-ampd:${{ github.event.inputs.tag }}
+ COSIGN_EXPERIMENTAL: 1
diff --git a/Makefile b/Makefile
new file mode 100644
index 000000000..2b4c9c9fe
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,11 @@
+PUSH_DOCKER_IMAGE := true
+SUFFIX := $(shell echo $$PLATFORM | sed 's/\//-/' | sed 's/\///')
+
+.PHONY: build-push-docker-image
+build-push-docker-images:
+ @DOCKER_BUILDKIT=1 docker buildx build \
+ --platform ${PLATFORM} \
+ --output "type=image,push=${PUSH_DOCKER_IMAGE}" \
+ --build-arg ARCH="${ARCH}" \
+ -f ampd/Dockerfile \
+ -t axelarnet/axelar-ampd-${SUFFIX}:${SEMVER} --provenance=false .
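Review bot: In the `Validate tag` step both branches of the `if` call `exit`, so the `aws s3 ls` line after it never runs and the "tag already exists" guard is dead code. With `overwrite: true` on the release upload and `aws s3 cp --recursive` later in this hunk, re-running the workflow for an existing tag would replace binaries, checksums and signatures that are already published. The regex is also unanchored, so any input that merely contains `vN.N.N` passes and then flows into `ref:`, the S3 path and the image tags. I would anchor the pattern, fail only on a mismatch, and make the S3 lookup its own `if`; as written, even if it were reached, a missing prefix would most likely make `aws s3 ls` return non-zero and fail the step. The trailing `/` on the prefix keeps one version from prefix-matching another.

```yaml
      - name: Validate tag
        # … unchanged: env block with SEMVER …
        run: |
          if [[ ! "$SEMVER" =~ ^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
            echo "invalid tag"
            exit 1
          fi
          if aws s3 ls "s3://axelar-releases/ampd/$SEMVER/"; then
            echo "tag already exists, use a new one"
            exit 1
          fi
          echo "Tag is okay"
```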
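Review bot: `.PHONY` names `build-push-docker-image`, but the target defined on the next line is `build-push-docker-images`, so the rule that actually runs is not phony and would be skipped if a file of that name ever existed; it should read `.PHONY: build-push-docker-images`. The recipe also passes `--build-arg ARCH="${ARCH}"`, while the workflow step that calls this target in the same commit sets only `PLATFORM` and `SEMVER`, so ARCH appears to reach the Dockerfile empty; either export it in the workflow or drop the argument. `SEMVER` and `PLATFORM` are likewise used unchecked in the image name, and a short comment above the target listing the variables it requires would help.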