Restrict token pairs (#1398) #529
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Packages (boba-develop) | |
| on: | |
| push: | |
| branches: | |
| - 'develop' | |
| jobs: | |
| start-runner: | |
| name: Start self-hosted EC2 runner | |
| runs-on: ubuntu-latest | |
| outputs: | |
| label: ${{ steps.start-ec2-runner.outputs.label }} | |
| ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} | |
| # These permissions are needed to interact with GitHub's OIDC Token endpoint. | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Start EC2 runner | |
| id: start-ec2-runner | |
| uses: machulav/ec2-github-runner@v2 | |
| with: | |
| mode: start | |
| github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
| ec2-image-id: ami-00b46fa1102c70ff2 | |
| ec2-instance-type: m4.4xlarge | |
| subnet-id: subnet-905870ae | |
| security-group-id: sg-0855631d714870b32 | |
| aws-resource-tags: | | |
| [{ | |
| "Key": "Name", | |
| "Value": "github-actions" | |
| }] | |
| build-publish-win: | |
| needs: start-runner | |
| runs-on: ${{ needs.start-runner.outputs.label }} | |
| steps: | |
| - name: Check Docker Version | |
| run: docker --version | |
| - name: Install Latest Docker | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y ca-certificates curl gnupg | |
| sudo install -m 0755 -d /etc/apt/keyrings | |
| curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg | |
| sudo chmod a+r /etc/apt/keyrings/docker.gpg | |
| echo \ | |
| "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ | |
| "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ | |
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null | |
| sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin | |
| - name: Check Docker Version | |
| run: docker --version | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_ACCESS_TOKEN_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN_SECRET }} | |
| - uses: actions/checkout@v3 | |
| - uses: actions/setup-node@v3 | |
| with: | |
| node-version: 16 | |
| - name: yq - portable yaml processor | |
| uses: mikefarah/[email protected] | |
| - name: Get yarn cache directory path | |
| id: yarn-cache-dir-path | |
| run: echo "::set-output name=dir::$(yarn cache dir)" | |
| - uses: actions/cache@v3 | |
| id: yarn-cache | |
| with: | |
| path: ${{ steps.yarn-cache-dir-path.outputs.dir }} | |
| key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-yarn- | |
| - name: Cache yarn modules | |
| uses: actions/cache@v3 | |
| with: | |
| path: '**/node_modules' | |
| key: yarn-${{ hashFiles('yarn.lock') }} | |
| - name: Cache compilers | |
| uses: actions/cache@v3 | |
| id: cache-compilers | |
| with: | |
| path: | | |
| /root/.cache/hardhat-nodejs/compilers-v2/ | |
| key: solc-compilers-${{ hashFiles('packages/**/hardhat.config.ts') }}-${{ hashFiles('packages/boba/**/hardhat.config.ts') }} | |
| restore-keys: | | |
| solc-compilers-${{ hashFiles('packages/**/hardhat.config.ts') }}-${{ hashFiles('packages/boba/**/hardhat.config.ts') }} | |
| - if: ${{ steps.cache-npm.outputs.cache-hit != 'true' }} | |
| name: Pull compilers | |
| continue-on-error: true | |
| run: | | |
| mkdir -p /root/.cache/hardhat-nodejs/compilers-v2/linux-amd64/ | |
| cd /root/.cache/hardhat-nodejs/compilers-v2/linux-amd64/ | |
| find . -name list.json | grep . || curl -L https://github.com/ethereum/solc-bin/raw/gh-pages/linux-amd64/list.json -o ./list.json | |
| find . -name solc-linux-amd64-v0.4.11+commit.68ef5810 | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.4.11+commit.68ef5810 -o ./solc-linux-amd64-v0.4.11+commit.68ef5810 | |
| find . -name solc-linux-amd64-v0.5.17+commit.d19bba13 | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.5.17+commit.d19bba13 -o ./solc-linux-amd64-v0.5.17+commit.d19bba13 | |
| find . -name solc-linux-amd64-v0.6.6+commit.6c089d02 | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.6.6+commit.6c089d02 -o ./solc-linux-amd64-v0.6.6+commit.6c089d02 | |
| find . -name solc-linux-amd64-v0.8.9+commit.e5eed63a | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.8.9+commit.e5eed63a -o ./solc-linux-amd64-v0.8.9+commit.e5eed63a | |
| find . -name solc-linux-amd64-v0.8.11+commit.d7f03943 | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.8.11+commit.d7f03943 -o ./solc-linux-amd64-v0.8.11+commit.d7f03943 | |
| find . -name solc-linux-amd64-v0.8.15+commit.e14f2714 | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.8.15+commit.e14f2714 -o ./solc-linux-amd64-v0.8.15+commit.e14f2714 | |
| find . -name solc-linux-amd64-v0.8.17+commit.8df45f5f | grep . || curl -L https://binaries.soliditylang.org/linux-amd64/solc-linux-amd64-v0.8.17+commit.8df45f5f -o ./solc-linux-amd64-v0.8.17+commit.8df45f5f | |
| chmod +x /root/.cache/hardhat-nodejs/compilers-v2/linux-amd64/* | |
| - name: Build the services locally | |
| working-directory: ./ | |
| run: yarn && yarn build | |
| - name: Whats in the compilers folder? | |
| run: ls -altr ~/.cache/hardhat-nodejs/compilers-v2/linux-amd64/ | |
| - name: Build the core services | |
| working-directory: ./ops | |
| run: docker-compose build | |
| - name: Build the side services | |
| working-directory: ./ops | |
| run: | | |
| #standard yq setup: $(yq '(.services | keys)[]' docker-compose-side.yml | tr '\n' ' ') | |
| docker-compose -f docker-compose.yml -f docker-compose-side.yml build -- $(yq eval '(.services | keys)[]' < ./docker-compose-side.yml | tr '\n' ' ') | |
| - name: Print images | |
| working-directory: ./ | |
| run: docker images | |
| - name: Rename and retag images | |
| working-directory: ./ops | |
| run: | | |
| for i in $(docker images --format "{{.Repository}}:{{.Tag}}" | grep bobanetwork); do | |
| docker image tag "$i" bobanetwork/$(echo $i | awk -F'/' '{print $2}' | awk -F':' '{print $1}'):latest | |
| done | |
| docker images | |
| - name: Push images | |
| working-directory: ./ops | |
| run: | | |
| for i in $(docker images --format "{{.Repository}}:{{.Tag}}" | grep bobanetwork); do | |
| echo "$1" | |
| docker push "$i" | |
| done | |
| stop-runner: | |
| name: Stop self-hosted EC2 runner | |
| needs: | |
| - start-runner # required to get output from the start-runner job | |
| - build-publish-win # required to wait when the main job is done | |
| runs-on: ubuntu-latest | |
| if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs | |
| # These permissions are needed to interact with GitHub's OIDC Token endpoint. | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| role-to-assume: ${{ secrets.AWS_ROLE }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Stop EC2 runner | |
| uses: machulav/ec2-github-runner@v2 | |
| with: | |
| mode: stop | |
| github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} | |
| label: ${{ needs.start-runner.outputs.label }} | |
| ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }} |