From 592bb3205be7569cf2d705b31a272340038bbed7 Mon Sep 17 00:00:00 2001 From: Egor_P <egor@parity.io> Date: Tue, 3 Dec 2024 13:06:43 +0100 Subject: [PATCH] [Release/CICD] Re-worked Create Release Draft flow (#6734) This PR contains following changes in release pipelines: - re-built Create Release Draft workflow - binaries builds are moved completely to the `Release - Build node release candidate` flow - added upload of all the release artefacts to the S3 - adjusted `Release - Publish Docker Image` workflow, so that it will match now the new release flow. --- .github/scripts/common/lib.sh | 45 +++- .github/scripts/release/release_lib.sh | 22 ++ ...le.yml => release-10_branchoff-stable.yml} | 0 ...ation.yml => release-11_rc-automation.yml} | 0 ...e-build-rc.yml => release-20_build-rc.yml} | 96 +++++++- .../release-30_publish_release_draft.yml | 206 +++++++++++------- .../workflows/release-50_publish-docker.yml | 97 +++------ .../workflows/release-reusable-rc-buid.yml | 53 ++++- .github/workflows/release-srtool.yml | 18 +- 9 files changed, 373 insertions(+), 164 deletions(-) rename .github/workflows/{release-branchoff-stable.yml => release-10_branchoff-stable.yml} (100%) rename .github/workflows/{release-10_rc-automation.yml => release-11_rc-automation.yml} (100%) rename .github/workflows/{release-build-rc.yml => release-20_build-rc.yml} (62%) diff --git a/.github/scripts/common/lib.sh b/.github/scripts/common/lib.sh index 6b8f70a26d7..41dc0ba06dd 100755 --- a/.github/scripts/common/lib.sh +++ b/.github/scripts/common/lib.sh 
@@ -270,20 +270,19 @@ fetch_debian_package_from_s3() { } # Fetch the release artifacts like binary and signatures from S3. Assumes the ENV are set: -# - RELEASE_ID -# - GITHUB_TOKEN -# - REPO in the form paritytech/polkadot +# inputs: binary (polkadot), target(aarch64-apple-darwin) fetch_release_artifacts_from_s3() { BINARY=$1 - OUTPUT_DIR=${OUTPUT_DIR:-"./release-artifacts/${BINARY}"} + TARGET=$2 + OUTPUT_DIR=${OUTPUT_DIR:-"./release-artifacts/${TARGET}/${BINARY}"} echo "OUTPUT_DIR : $OUTPUT_DIR" URL_BASE=$(get_s3_url_base $BINARY) echo "URL_BASE=$URL_BASE" - URL_BINARY=$URL_BASE/$VERSION/$BINARY - URL_SHA=$URL_BASE/$VERSION/$BINARY.sha256 - URL_ASC=$URL_BASE/$VERSION/$BINARY.asc + URL_BINARY=$URL_BASE/$VERSION/$TARGET/$BINARY + URL_SHA=$URL_BASE/$VERSION/$TARGET/$BINARY.sha256 + URL_ASC=$URL_BASE/$VERSION/$TARGET/$BINARY.asc # Fetch artifacts mkdir -p "$OUTPUT_DIR" @@ -306,15 +305,26 @@ fetch_release_artifacts_from_s3() { function get_s3_url_base() { name=$1 case $name in - polkadot | polkadot-execute-worker | polkadot-prepare-worker | staking-miner) + polkadot | polkadot-execute-worker | polkadot-prepare-worker ) printf "https://releases.parity.io/polkadot" ;; - polkadot-parachain) - printf "https://releases.parity.io/cumulus" + polkadot-parachain) + printf "https://releases.parity.io/polkadot-parachain" + ;; + + polkadot-omni-node) + printf "https://releases.parity.io/polkadot-omni-node" + ;; + + chain-spec-builder) + printf "https://releases.parity.io/chain-spec-builder" ;; - *) + frame-omni-bencher) + printf "https://releases.parity.io/frame-omni-bencher" + ;; + *) printf "UNSUPPORTED BINARY $name" exit 1 ;; 
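Review bot: The new `TARGET=$2` is used unchecked in `OUTPUT_DIR` and all three URLs, so a caller that forgets the second argument silently fetches from `$URL_BASE/$VERSION//$BINARY` into `./release-artifacts//polkadot`; `TARGET=${2:?target is required (e.g. aarch64-apple-darwin)}` would fail fast instead. The rewritten header comment also dropped the list of required environment variables while the body still reads `$VERSION`, so keep one line such as `# Assumes VERSION is set in the ENV (stable tag, e.g. polkadot-stable2412)`. The function body continues outside this hunk.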
@@ -497,3 +507,16 @@ validate_stable_tag() { exit 1 fi } + +# Prepare docker stable tag form the polkadot stable tag +# input: tag (polkaodot-stableYYMM(-X) or polkadot-stableYYMM(-X)-rcX) +# output: stableYYMM(-X) or stableYYMM(-X)-rcX +prepare_docker_stable_tag() { + tag="$1" + if [[ "$tag" =~ stable[0-9]{4}(-[0-9]+)?(-rc[0-9]+)? ]]; then + echo "${BASH_REMATCH[0]}" + else + echo "Tag is invalid: $tag" + exit 1 + fi +} diff --git a/.github/scripts/release/release_lib.sh b/.github/scripts/release/release_lib.sh index 8b9254ec3f2..43227180cb7 100644 --- a/.github/scripts/release/release_lib.sh +++ b/.github/scripts/release/release_lib.sh @@ -139,3 +139,25 @@ upload_s3_release() { aws s3 ls "s3://releases.parity.io/${product}/${version}/${target}" --recursive --human-readable --summarize echo "✅ The release should be at https://releases.parity.io/${product}/${version}/${target}" } + +# Upload runtimes artifacts to s3 release bucket +# +# input: version (stable release tage.g. polkadot-stable2412 or polkadot-stable2412-rc1) +# output: none +upload_s3_runtimes_release_artifacts() { + alias aws='podman run --rm -it docker.io/paritytech/awscli -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_BUCKET aws' + + version=$1 + + echo "Working on version: $version " + + echo "Current content, should be empty on new uploads:" + aws s3 ls "s3://releases.parity.io/polkadot/runtimes/${version}/" --recursive --human-readable --summarize || true + echo "Content to be uploaded:" + artifacts="artifacts/runtimes/" + ls "$artifacts" + aws s3 sync --acl public-read "$artifacts" "s3://releases.parity.io/polkadot/runtimes/${version}/" + echo "Uploaded files:" + aws s3 ls "s3://releases.parity.io/polkadot/runtimes/${version}/" --recursive --human-readable --summarize + echo "✅ The release should be at https://releases.parity.io/polkadot/runtimes/${version}" +} 
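Review bot: `echo "Tag is invalid: $tag"` writes to stdout, and every caller in this patch uses the function inside a command substitution (`echo "tag=$(prepare_docker_stable_tag …)" >> $GITHUB_OUTPUT` in release-50), so on an invalid tag the error text itself becomes the docker tag value while `exit 1` only terminates the subshell. Send the diagnostic to stderr, `echo "Tag is invalid: $tag" >&2`, and declare `local tag="$1"` so the library function does not leak a global into the sourcing shell. The header comment has two typos worth fixing while here: "form the polkadot stable tag" should read "from", and "polkaodot-stableYYMM" should be "polkadot-stableYYMM".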
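Review bot: `alias aws='podman run …'` inside the function body is fragile: bash does not expand aliases in non-interactive scripts unless `expand_aliases` is set, and an alias defined inside a function body does not apply to the commands of that same body because they were parsed before the alias existed — if this works today it is presumably because the sibling `upload_s3_release` already defined the same alias earlier in the shell. A small wrapper function, `aws() { podman run --rm docker.io/paritytech/awscli -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_BUCKET aws "$@"; }`, has none of those caveats. `version=$1` is also used unchecked in the destination key, so an empty argument would `s3 sync` into `s3://releases.parity.io/polkadot/runtimes//`; `: "${version:?version is required}"` before the first `aws` call prevents that.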
diff --git a/.github/workflows/release-branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml similarity index 100% rename from .github/workflows/release-branchoff-stable.yml rename to .github/workflows/release-10_branchoff-stable.yml diff --git a/.github/workflows/release-10_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml similarity index 100% rename from .github/workflows/release-10_rc-automation.yml rename to .github/workflows/release-11_rc-automation.yml diff --git a/.github/workflows/release-build-rc.yml b/.github/workflows/release-20_build-rc.yml similarity index 62% rename from .github/workflows/release-build-rc.yml rename to .github/workflows/release-20_build-rc.yml index a43c2b282a8..d4c7055c37c 100644 --- a/.github/workflows/release-build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml @@ -11,10 +11,12 @@ on: - polkadot - polkadot-parachain - polkadot-omni-node + - frame-omni-bencher + - chain-spec-builder - all release_tag: - description: Tag matching the actual release candidate with the format stableYYMM-rcX or stableYYMM + description: Tag matching the actual release candidate with the format polkadot-stableYYMM(-X)-rcX or polkadot-stableYYMM(-X) type: string jobs: 
@@ -106,6 +108,50 @@ jobs: attestations: write contents: read + build-frame-omni-bencher-binary: + needs: [validate-inputs] + if: ${{ inputs.binary == 'frame-omni-bencher' || inputs.binary == 'all' }} + uses: "./.github/workflows/release-reusable-rc-buid.yml" + with: + binary: '["frame-omni-bencher"]' + package: "frame-omni-bencher" + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + target: x86_64-unknown-linux-gnu + secrets: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + permissions: + id-token: write + attestations: write + contents: read + + build-chain-spec-builder-binary: + needs: [validate-inputs] + if: ${{ inputs.binary == 'chain-spec-builder' || inputs.binary == 'all' }} + uses: "./.github/workflows/release-reusable-rc-buid.yml" + with: + binary: '["chain-spec-builder"]' + package: staging-chain-spec-builder + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + target: x86_64-unknown-linux-gnu + secrets: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + permissions: + id-token: write + attestations: write + contents: read + build-polkadot-macos-binary: needs: [validate-inputs] if: ${{ inputs.binary == 'polkadot' || inputs.binary == 'all' }} 
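Review bot: The two new jobs here, their macOS counterparts in the later hunk of this file (L7–L8), and the S3 upload jobs in release-reusable-rc-buid.yml are copies of the same block that differ only in `package`, `binary` and `target`, which is how the seven forwarded secrets and the `permissions` block will drift the next time one is edited. A job calling the reusable workflow may carry a `strategy.matrix`, so one job with `include:` entries for each package/binary/target triple would replace the six blocks and keep the explicit secret list in one place (keeping secrets explicit rather than `secrets: inherit` is the right call and should stay). If the per-binary `if:` gating is the reason for separate jobs, a short comment above the first job saying so would stop the next reader from attempting the consolidation.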
@@ -134,7 +180,7 @@ jobs: uses: "./.github/workflows/release-reusable-rc-buid.yml" with: binary: '["polkadot-parachain"]' - package: "polkadot-parachain-bin" + package: polkadot-parachain-bin release_tag: ${{ needs.validate-inputs.outputs.release_tag }} target: aarch64-apple-darwin secrets: 
@@ -156,7 +202,51 @@ jobs: uses: "./.github/workflows/release-reusable-rc-buid.yml" with: binary: '["polkadot-omni-node"]' - package: "polkadot-omni-node" + package: polkadot-omni-node + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + target: aarch64-apple-darwin + secrets: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + permissions: + id-token: write + attestations: write + contents: read + + build-frame-omni-bencher-macos-binary: + needs: [validate-inputs] + if: ${{ inputs.binary == 'frame-omni-bencher' || inputs.binary == 'all' }} + uses: "./.github/workflows/release-reusable-rc-buid.yml" + with: + binary: '["frame-omni-bencher"]' + package: frame-omni-bencher + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + target: aarch64-apple-darwin + secrets: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + permissions: + id-token: write + attestations: write + contents: read + + build-chain-spec-builder-macos-binary: + needs: [validate-inputs] + if: ${{ inputs.binary == 'chain-spec-builder' || inputs.binary == 'all' }} + uses: "./.github/workflows/release-reusable-rc-buid.yml" + with: + binary: '["chain-spec-builder"]' + package: staging-chain-spec-builder release_tag: ${{ needs.validate-inputs.outputs.release_tag }} target: 
aarch64-apple-darwin secrets: diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index 4364b4f8045..78ceea91f10 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml @@ -1,19 +1,46 @@ name: Release - Publish draft -on: - push: - tags: - # Catches v1.2.3 and v1.2.3-rc1 - - v[0-9]+.[0-9]+.[0-9]+* - # - polkadot-stable[0-9]+* Activate when the release process from release org is setteled +# This workflow runs in paritytech-release and creates full release draft with: +# - release notes +# - info about the runtimes +# - attached artifacts: +# - runtimes +# - binaries +# - signatures +on: workflow_dispatch: inputs: - version: - description: Current release/rc version + release_tag: + description: Tag matching the actual release candidate with the format polkadot-stableYYMM(-X)-rcX or polkadot-stableYYMM(-X) + required: true + type: string jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-syncronization.yml@main + + validate-inputs: + needs: [ check-synchronization ] + if: ${{ needs.check-synchronization.outputs.checks_passed }} == 'true' + runs-on: ubuntu-latest + outputs: + release_tag: ${{ steps.validate_inputs.outputs.release_tag }} + + steps: + - name: Checkout sources + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Validate inputs + id: validate_inputs + run: | + . ./.github/scripts/common/lib.sh + + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT + get-rust-versions: + needs: [ validate-inputs ] runs-on: ubuntu-latest outputs: rustc-stable: ${{ steps.get-rust-versions.outputs.stable }} 
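Review bot: `if: ${{ needs.check-synchronization.outputs.checks_passed }} == 'true'` puts the comparison outside the expression braces, so after substitution the condition is the literal string `true == 'true'` (or `false == 'true'`), which is non-empty and, as far as I can tell, is treated as truthy — the synchronization gate would then never block `validate-inputs`. Move the comparison inside: `if: ${{ needs.check-synchronization.outputs.checks_passed == 'true' }}`; the same construct appears in release-50_publish-docker.yml (L15). In the validate step, `validate_stable_tag ${{ inputs.release_tag }}` splices a dispatch input straight into the shell script; passing it through `env:` and quoting it (`validate_stable_tag "$RELEASE_TAG_INPUT"`) keeps the input as data rather than code, which matters for a workflow that goes on to mint a write token.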
@@ -24,47 +51,28 @@ jobs: echo "stable=$RUST_STABLE_VERSION" >> $GITHUB_OUTPUT build-runtimes: + needs: [ validate-inputs ] uses: "./.github/workflows/release-srtool.yml" with: excluded_runtimes: "asset-hub-rococo bridge-hub-rococo contracts-rococo coretime-rococo people-rococo rococo rococo-parachain substrate-test bp cumulus-test kitchensink minimal-template parachain-template penpal polkadot-test seedling shell frame-try sp solochain-template polkadot-sdk-docs-first" build_opts: "--features on-chain-release-build" - - build-binaries: - runs-on: ubuntu-latest - strategy: - matrix: - # Tuples of [package, binary-name] - binary: [ [frame-omni-bencher, frame-omni-bencher], [staging-chain-spec-builder, chain-spec-builder] ] - steps: - - name: Checkout sources - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.0.0 - - - name: Install protobuf-compiler - run: | - sudo apt update - sudo apt install -y protobuf-compiler - - - name: Build ${{ matrix.binary[1] }} binary - run: | - cargo build --locked --profile=production -p ${{ matrix.binary[0] }} --bin ${{ matrix.binary[1] }} - target/production/${{ matrix.binary[1] }} --version - - - name: Upload ${{ matrix.binary[1] }} binary - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: ${{ matrix.binary[1] }} - path: target/production/${{ matrix.binary[1] }} - + profile: production + permissions: + id-token: write + attestations: write + contents: read publish-release-draft: runs-on: ubuntu-latest - needs: [ get-rust-versions, build-runtimes ] + environment: release + needs: [ validate-inputs, get-rust-versions, build-runtimes ] outputs: release_url: ${{ steps.create-release.outputs.html_url }} asset_upload_url: ${{ steps.create-release.outputs.upload_url }} + steps: - name: Checkout - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.0.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download artifacts uses: 
actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 @@ -87,20 +95,21 @@ jobs: GLUTTON_WESTEND_DIGEST: ${{ github.workspace}}/glutton-westend-runtime/glutton-westend-srtool-digest.json PEOPLE_WESTEND_DIGEST: ${{ github.workspace}}/people-westend-runtime/people-westend-srtool-digest.json WESTEND_DIGEST: ${{ github.workspace}}/westend-runtime/westend-srtool-digest.json + RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} shell: bash run: | . ./.github/scripts/common/lib.sh export REF1=$(get_latest_release_tag) - if [[ -z "${{ inputs.version }}" ]]; then + if [[ -z "$RELEASE_TAG" ]]; then export REF2="${{ github.ref_name }}" echo "REF2: ${REF2}" else - export REF2="${{ inputs.version }}" + export REF2="$RELEASE_TAG" echo "REF2: ${REF2}" fi echo "REL_TAG=$REF2" >> $GITHUB_ENV - export VERSION=$(echo "$REF2" | sed -E 's/.*(stable[0-9]+).*$/\1/') + export VERSION=$(echo "$REF2" | sed -E 's/.*(stable[0-9]{4}(-[0-9]+)?).*$/\1/') ./scripts/release/build-changelogs.sh 
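Review bot: The `if [[ -z "$RELEASE_TAG" ]]` branch that falls back to `github.ref_name` is now dead code, since `release_tag` is `required: true` and the value comes from the validated job output; for a `workflow_dispatch` run `github.ref_name` would be a branch name, so the fallback was never a sensible value anyway and can be removed. The new `sed -E 's/.*(stable[0-9]{4}(-[0-9]+)?).*$/\1/'` passes `$REF2` through unchanged when the pattern does not match, so `VERSION` silently becomes the whole tag; `VERSION=$(grep -oE 'stable[0-9]{4}(-[0-9]+)?' <<<"$REF2") || exit 1` fails loudly instead and avoids `export VERSION=$(…)` masking the exit status.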
@@ -112,19 +121,29 @@ jobs: scripts/release/context.json **/*-srtool-digest.json + - name: Generate content write token for the release automation + id: generate_write_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }} + private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }} + owner: paritytech + repositories: polkadot-sdk + - name: Create draft release id: create-release - uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ env.REL_TAG }} - release_name: Polkadot ${{ env.REL_TAG }} - body_path: ${{ github.workspace}}/scripts/release/RELEASE_DRAFT.md - draft: true + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + run: | + gh release create ${{ env.REL_TAG }} \ + --repo paritytech/polkadot-sdk \ + --draft \ + --title "Polkadot ${{ env.REL_TAG }}" \ + --notes-file ${{ github.workspace}}/scripts/release/RELEASE_DRAFT.md publish-runtimes: - needs: [ build-runtimes, publish-release-draft ] + needs: [ validate-inputs, build-runtimes, publish-release-draft ] + environment: release continue-on-error: true runs-on: ubuntu-latest strategy: @@ -132,7 +151,7 @@ jobs: steps: - name: Checkout sources - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.0.0 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 
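Review bot: `actions/create-github-app-token@v1` is referenced by a mutable tag while every other action in this workflow is pinned to a commit SHA with a version comment; this is the step that mints a write-capable token for paritytech/polkadot-sdk, so it is the one most worth pinning (same for the two further uses in the L12–L14 hunk). The job outputs `release_url` and `asset_upload_url` still read `steps.create-release.outputs.html_url` and `upload_url` (see the context earlier in this file), but the step is now a `run:` step that sets no outputs, so both are always empty; either drop them or capture the URL with `url=$(gh release create …)` and `echo "html_url=${url}" >> "$GITHUB_OUTPUT"`. Since `REL_TAG` was already written to `GITHUB_ENV`, the run script can use `"$REL_TAG"` rather than re-interpolating `${{ env.REL_TAG }}` into the command line.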
@@ -144,44 +163,83 @@ jobs: >>$GITHUB_ENV echo ASSET=$(find ${{ matrix.chain }}-runtime -name '*.compact.compressed.wasm') >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) + - name: Generate content write token for the release automation + id: generate_write_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }} + private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }} + owner: paritytech + repositories: polkadot-sdk + - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm - if: ${{ matrix.chain != 'rococo-parachain' }} - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 #v1.0.2 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.publish-release-draft.outputs.asset_upload_url }} - asset_path: ${{ env.ASSET }} - asset_name: ${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm - asset_content_type: application/wasm + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + run: | + gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + --repo paritytech/polkadot-sdk \ + '${{ env.ASSET }}#${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm' - publish-binaries: - needs: [ publish-release-draft, build-binaries ] + publish-release-artifacts: + needs: [ validate-inputs, publish-release-draft ] + environment: release continue-on-error: true runs-on: ubuntu-latest strategy: matrix: - binary: [frame-omni-bencher, chain-spec-builder] + binary: [ polkadot, polkadot-execute-worker, polkadot-prepare-worker, polkadot-parachain, polkadot-omni-node, frame-omni-bencher, chain-spec-builder ] + target: [ x86_64-unknown-linux-gnu, aarch64-apple-darwin ] steps: - - name: Download artifacts - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + - name: Checkout sources + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 
# v4.2.2 + + - name: Fetch binaries from s3 based on version + run: | + . ./.github/scripts/common/lib.sh + + VERSION="${{ needs.validate-inputs.outputs.release_tag }}" + fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} + + - name: Rename aarch64-apple-darwin binaries + if: ${{ matrix.target == 'aarch64-apple-darwin' }} + working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + run: | + mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin + mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc + mv ${{ matrix.binary }}.sha256 ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + + - name: Generate content write token for the release automation + id: generate_write_token + uses: actions/create-github-app-token@v1 with: - name: ${{ matrix.binary }} + app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }} + private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }} + owner: paritytech + repositories: polkadot-sdk - - name: Upload ${{ matrix.binary }} binary - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 #v1.0.2 + - name: Upload ${{ matrix.binary }} binary to release draft env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.publish-release-draft.outputs.asset_upload_url }} - asset_path: ${{ github.workspace}}/${{ matrix.binary }} - asset_name: ${{ matrix.binary }} - asset_content_type: application/octet-stream + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + run: | + if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then + gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + --repo paritytech/polkadot-sdk \ + ${{ matrix.binary }}-aarch64-apple-darwin \ + ${{ matrix.binary }}-aarch64-apple-darwin.asc \ + ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + else + gh 
release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + --repo paritytech/polkadot-sdk \ + ${{ matrix.binary }} \ + ${{ matrix.binary }}.asc \ + ${{ matrix.binary }}.sha256 + fi post_to_matrix: runs-on: ubuntu-latest - needs: publish-release-draft + needs: [ validate-inputs, publish-release-draft ] environment: release strategy: matrix: @@ -197,5 +255,5 @@ jobs: access_token: ${{ secrets.RELEASENOTES_MATRIX_V2_ACCESS_TOKEN }} server: m.parity.io message: | - **New version of polkadot tagged**: ${{ github.ref_name }}<br/> - Draft release created: ${{ needs.publish-release-draft.outputs.release_url }} + **New version of polkadot tagged**: ${{ needs.validate-inputs.outputs.release_tag }}<br/> + And release draft is release created in [polkadot-sdk repo](https://github.com/paritytech/polkadot-sdk/releases) diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index 627e53bacd8..5c3c3a6e854 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -4,10 +4,6 @@ name: Release - Publish Docker Image # It builds and published releases and rc candidates. on: - #TODO: activate automated run later - # release: - # types: - # - published workflow_dispatch: inputs: image_type: @@ -30,16 +26,6 @@ on: - polkadot-parachain - chain-spec-builder - release_id: - description: | - Release ID. - You can find it using the command: - curl -s \ - -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \ - jq '.[] | { name: .name, id: .id }' - required: true - type: number - registry: description: Container registry required: true @@ -55,7 +41,7 @@ on: default: parity version: - description: version to build/release + description: Version of the polkadot node release in format v1.16.0 or v1.16.0-rc1 default: v0.9.18 required: true 
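Review bot: Binaries fetched from S3 are attached to the release draft without verifying the `.sha256` and `.asc` files that are downloaded alongside them, so a corrupted or substituted object in the bucket would be republished under the GitHub release; lib.sh already provides `check_sha256` and `check_gpg` (invoked as `check_sha256 $BINARY` / `check_gpg $BINARY` in release-50_publish-docker.yml), so add a step between the fetch and the rename that sources lib.sh and runs both against `${{ matrix.binary }}` in the artifact directory, failing the job on mismatch. With `continue-on-error: true` on the job, a failed fetch or upload for any of the 14 binary/target combinations does not fail the workflow, so a draft can be published with missing binaries and nobody is told; if the flag is there to tolerate targets that are not built for every binary, a comment saying so and a final summary of what was uploaded would make that explicit. The `mv` step plus the two-way `if` in the upload step could also be avoided by using the `path#display-name` form already used for the runtimes above, although the `.sha256` file would then still reference the original file name.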
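Review bot: The Matrix message text `And release draft is release created in [polkadot-sdk repo](…)` reads as a leftover edit; something like `Release draft created in [polkadot-sdk repo](https://github.com/paritytech/polkadot-sdk/releases)` says the same thing. The previous version of the message linked the specific draft via `needs.publish-release-draft.outputs.release_url`; if the create step is changed to emit the URL again, the direct link can be restored here instead of the generic releases page.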
@@ -78,11 +64,15 @@ env: IMAGE_TYPE: ${{ inputs.image_type }} jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-syncronization.yml@main + validate-inputs: + needs: [check-synchronization] + if: ${{ needs.check-synchronization.outputs.checks_passed }} == 'true' runs-on: ubuntu-latest outputs: version: ${{ steps.validate_inputs.outputs.VERSION }} - release_id: ${{ steps.validate_inputs.outputs.RELEASE_ID }} stable_tag: ${{ steps.validate_inputs.outputs.stable_tag }} steps: @@ -97,11 +87,6 @@ jobs: VERSION=$(filter_version_from_input "${{ inputs.version }}") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - RELEASE_ID=$(check_release_id "${{ inputs.release_id }}") - echo "RELEASE_ID=${RELEASE_ID}" >> $GITHUB_OUTPUT - - echo "Release ID: $RELEASE_ID" - STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT 
@@ -114,50 +99,26 @@ jobs: - name: Checkout sources uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - #TODO: this step will be needed when automated triggering will work - #this step runs only if the workflow is triggered automatically when new release is published - # if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }} - # run: | - # mkdir -p release-artifacts && cd release-artifacts - - # for f in $BINARY $BINARY.asc $BINARY.sha256; do - # URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f" - # echo " - Fetching $f from $URL" - # wget "$URL" -O "$f" - # done - # chmod a+x $BINARY - # ls -al - - name: Fetch rc artifacts or release artifacts from s3 based on version - #this step runs only if the workflow is triggered manually - if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} + # if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} run: | . 
./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.VERSION }}" + VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" if [[ ${{ inputs.binary }} == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do - fetch_release_artifacts_from_s3 $bin + fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu done else - fetch_release_artifacts_from_s3 $BINARY + fetch_release_artifacts_from_s3 $BINARY x86_64-unknown-linux-gnu fi - - name: Fetch polkadot-omni-node/chain-spec-builder rc artifacts or release artifacts based on release id - #this step runs only if the workflow is triggered manually and only for chain-spec-builder - if: ${{ env.EVENT_NAME == 'workflow_dispatch' && (inputs.binary == 'polkadot-omni-node' || inputs.binary == 'chain-spec-builder') }} - run: | - . ./.github/scripts/common/lib.sh - - RELEASE_ID="${{ needs.validate-inputs.outputs.RELEASE_ID }}" - fetch_release_artifacts - - name: Upload artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: release-artifacts - path: release-artifacts/${{ env.BINARY }}/**/* + path: release-artifacts/x86_64-unknown-linux-gnu/${{ env.BINARY }}/**/* build-container: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build if: ${{ inputs.binary == 'polkadot-omni-node' || inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }} @@ -173,7 +134,7 @@ jobs: uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - name: Check sha256 ${{ env.BINARY }} - if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'polkadot' }} + # if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'polkadot' }} working-directory: release-artifacts run: | . ../.github/scripts/common/lib.sh 
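Review bot: The `if:` conditions on the S3 fetch step, this "Check sha256" step and the "Check GPG" step in the next hunk (L18) were commented out rather than deleted, leaving three `# if:` lines that look like disabled guards; delete them, or replace each with a one-line comment stating that the step now runs for every binary because all of them are published to S3. Since the checksum check now covers every binary, note that the line it runs, `check_sha256 $BINARY && echo "OK" || echo "ERR"` (context in the next hunk), prints `ERR` but returns 0, so a mismatch does not stop the image build; assuming `check_sha256` returns non-zero on mismatch, `check_sha256 "$BINARY" || exit 1` would make the verification actually gate the container build, and the same applies to the GPG step.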
@@ -182,7 +143,7 @@ jobs: check_sha256 $BINARY && echo "OK" || echo "ERR" - name: Check GPG ${{ env.BINARY }} - if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'polkadot' }} + # if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'polkadot' }} working-directory: release-artifacts run: | . ../.github/scripts/common/lib.sh @@ -190,35 +151,29 @@ jobs: check_gpg $BINARY - name: Fetch rc commit and tag + working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs + shell: bash run: | - . ./.github/scripts/common/lib.sh - - echo "release=${{ needs.validate-inputs.outputs.stable_tag }}" >> $GITHUB_OUTPUT + . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - - echo "tag=${{ needs.validate-inputs.outputs.version }}" >> $GITHUB_OUTPUT + echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT - name: Fetch release tags working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs + shell: bash run: | - chmod a+rx $BINARY - - if [[ $BINARY != 'chain-spec-builder' ]]; then - VERSION=$(./$BINARY --version | awk '{ print $2 }' ) - release=$( echo $VERSION | cut -f1 -d- ) - else - release=$(echo ${{ needs.validate-inputs.outputs.VERSION }} | sed 's/^v//') - fi + . ../.github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=${release}" >> $GITHUB_OUTPUT - echo "stable=${{ needs.validate-inputs.outputs.stable_tag }}" >> $GITHUB_OUTPUT + echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot rc if: ${{ env.BINARY == 'polkadot' }} 
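Review bot: `echo "tag=$(prepare_docker_stable_tag ${{ … }})" >> $GITHUB_OUTPUT` masks a failure of the function, because the step's exit status is `echo`'s, so even under the default `-e` of `shell: bash` the job continues and records whatever the function printed as the tag. Assign first and then write: `tag=$(prepare_docker_stable_tag "${{ needs.validate-inputs.outputs.stable_tag }}")` followed by `echo "tag=${tag}" >> "$GITHUB_OUTPUT"`; the same pattern is used for `release=` and `stable=` here and for `stable=` in the L19 hunk. `$(echo ${{ needs.validate-inputs.outputs.version }})` is a no-op subshell and can be `release=${{ needs.validate-inputs.outputs.version }}`.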
@@ -342,8 +297,10 @@ jobs: - name: Fetch values id: fetch-data run: | + . ./.github/scripts/common/lib.sh date=$(date -u '+%Y-%m-%dT%H:%M:%SZ') echo "date=$date" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT - name: Build and push id: docker_build @@ -354,9 +311,9 @@ jobs: # TODO: The owner should be used below but buildx does not resolve the VARs # TODO: It would be good to get rid of this GHA that we don't really need. tags: | - parity/polkadot:${{ needs.validate-inputs.outputs.stable_tag }} - parity/polkadot:latest - parity/polkadot:${{ needs.fetch-latest-debian-package-version.outputs.polkadot_container_tag }} + egorpop/polkadot:${{ steps.fetch-data.outputs.stable }} + egorpop/polkadot:latest + egorpop/polkadot:${{ needs.fetch-latest-debian-package-version.outputs.polkadot_container_tag }} build-args: | VCS_REF=${{ github.ref }} POLKADOT_VERSION=${{ needs.fetch-latest-debian-package-version.outputs.polkadot_apt_version }} diff --git a/.github/workflows/release-reusable-rc-buid.yml b/.github/workflows/release-reusable-rc-buid.yml index f5240878cba..dc1b4553eb9 100644 --- a/.github/workflows/release-reusable-rc-buid.yml +++ b/.github/workflows/release-reusable-rc-buid.yml @@ -302,7 +302,6 @@ jobs: AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} - upload-polkadot-parachain-artifacts-to-s3: if: ${{ inputs.package == 'polkadot-parachain-bin' && inputs.target == 'x86_64-unknown-linux-gnu' }} needs: [build-rc] 
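Review bot: The three image tags were changed from `parity/polkadot:…` to `egorpop/polkadot:…`, which looks like a personal Docker Hub namespace left over from testing; if merged, the "Release - Publish Docker Image" flow pushes the official build to an unofficial repository while the rest of the workflow still talks about the parity org. Restore `parity/polkadot:${{ steps.fetch-data.outputs.stable }}`, `parity/polkadot:latest` and `parity/polkadot:${{ needs.fetch-latest-debian-package-version.outputs.polkadot_container_tag }}` before merge, or make the namespace an input with `parity` as the default so test runs do not require editing the workflow.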
@@ -329,6 +328,32 @@ jobs: AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + upload-frame-omni-bencher-artifacts-to-s3: + if: ${{ inputs.package == 'frame-omni-bencher' && inputs.target == 'x86_64-unknown-linux-gnu' }} + needs: [build-rc] + uses: ./.github/workflows/release-reusable-s3-upload.yml + with: + package: ${{ inputs.package }} + release_tag: ${{ inputs.release_tag }} + target: ${{ inputs.target }} + secrets: + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + + upload-chain-spec-builder-artifacts-to-s3: + if: ${{ inputs.package == 'staging-chain-spec-builder' && inputs.target == 'x86_64-unknown-linux-gnu' }} + needs: [build-rc] + uses: ./.github/workflows/release-reusable-s3-upload.yml + with: + package: chain-spec-builder + release_tag: ${{ inputs.release_tag }} + target: ${{ inputs.target }} + secrets: + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + upload-polkadot-macos-artifacts-to-s3: if: ${{ inputs.package == 'polkadot' && inputs.target == 'aarch64-apple-darwin' }} # TODO: add and use a `build-polkadot-homebrew-package` which packs all `polkadot` binaries: 
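Review bot: `upload-chain-spec-builder-artifacts-to-s3` gates on `inputs.package == 'staging-chain-spec-builder'` but passes a hard-coded `package: chain-spec-builder`, unlike its frame-omni-bencher sibling which forwards `${{ inputs.package }}`; the asymmetry is presumably deliberate (the S3 prefix in `get_s3_url_base` is keyed on the binary name `chain-spec-builder`, not the crate name), but without a comment it reads like a copy-paste slip that someone will "fix". Add `# the crate is staging-chain-spec-builder; artifacts are published under the binary name chain-spec-builder` above the `with:` block here and in the macOS variant in the next hunk (L21).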
@@ -395,3 +420,29 @@ jobs: AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + + upload-frame-omni-bencher-macos-artifacts-to-s3: + if: ${{ inputs.package == 'frame-omni-bencher' && inputs.target == 'aarch64-apple-darwin' }} + needs: [build-macos-rc] + uses: ./.github/workflows/release-reusable-s3-upload.yml + with: + package: ${{ inputs.package }} + release_tag: ${{ inputs.release_tag }} + target: ${{ inputs.target }} + secrets: + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + + upload-chain-spec-builder-macos-artifacts-to-s3: + if: ${{ inputs.package == 'staging-chain-spec-builder' && inputs.target == 'aarch64-apple-darwin' }} + needs: [build-macos-rc] + uses: ./.github/workflows/release-reusable-s3-upload.yml + with: + package: chain-spec-builder + release_tag: ${{ inputs.release_tag }} + target: ${{ inputs.target }} + secrets: + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} + AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index 9a29b46d2fc..fc10496d481 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml @@ -1,7 +1,7 @@ name: Srtool build env: - SUBWASM_VERSION: 0.20.0 + SUBWASM_VERSION: 0.21.0 TOML_CLI_VERSION: 0.2.4 on: 
@@ -11,14 +11,16 @@ on: type: string build_opts: type: string + profile: + type: string outputs: published_runtimes: value: ${{ jobs.find-runtimes.outputs.runtime }} - schedule: - - cron: "00 02 * * 1" # 2AM weekly on monday - - workflow_dispatch: +permissions: + id-token: write + attestations: write + contents: read jobs: find-runtimes: @@ -75,6 +77,7 @@ jobs: with: chain: ${{ matrix.chain }} runtime_dir: ${{ matrix.runtime_dir }} + profile: ${{ inputs.profile }} - name: Summary run: | @@ -83,6 +86,11 @@ jobs: echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" + - name: Generate artifact attestation + uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + with: + subject-path: ${{ steps.srtool_build.outputs.wasm }} + # We now get extra information thanks to subwasm - name: Install subwasm run: | -- GitLab
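Review bot: The new `profile` input has neither `required: true`, a `default`, nor a `description`, so a caller that omits it passes an empty string through to `profile: ${{ inputs.profile }}` in the srtool step; declare it `required: true` with a `description: cargo profile used for the runtime build` so the contract is visible to callers. The workflow-level `permissions` block grants `id-token: write` and `attestations: write` to every job in the file, whereas only the job that runs `attest-build-provenance` needs them; scoping the grant to that job keeps `find-runtimes` and the summary steps at read-only.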
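Review bot: `subject-path: ${{ steps.srtool_build.outputs.wasm }}` attests the compact runtime, but the asset that release-30 attaches to the GitHub release is the `*.compact.compressed.wasm` (see the `find … -name '*.compact.compressed.wasm'` in the publish-runtimes hunk), so the published artifact ends up without provenance and the attestation points at a file nobody downloads. Pass both files: `subject-path: |` followed by `${{ steps.srtool_build.outputs.wasm }}` and `${{ steps.srtool_build.outputs.wasm_compressed }}` on the next two lines; the step already has the `attestations: write` permission it needs.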