From a6713c55fd5082d333518c3ca13f2a4294726fcc Mon Sep 17 00:00:00 2001
From: Egor_P <egor@parity.io>
Date: Mon, 11 Mar 2024 16:37:22 +0700
Subject: [PATCH] Fix release docker image GHA (#3547)

This PR adds extra checks for the input fields in the GHA that builds
and publishes the docker image.
---
 .github/scripts/common/lib.sh                 | 96 ++++++++++++++++++-
 .../workflows/release-50_publish-docker.yml   | 16 +++-
 .../workflows/release-99_notif-published.yml  | 10 +-
 3 files changed, 107 insertions(+), 15 deletions(-)

diff --git a/.github/scripts/common/lib.sh b/.github/scripts/common/lib.sh
index bd12d9c6e6f..29dc269ffd2 100755
--- a/.github/scripts/common/lib.sh
+++ b/.github/scripts/common/lib.sh
@@ -237,6 +237,61 @@ fetch_release_artifacts() {
   popd > /dev/null
 }
 
+# Fetch the release artifacts like binary and sigantures from S3. Assumes the ENV are set:
+# - RELEASE_ID
+# - GITHUB_TOKEN
+# - REPO in the form paritytech/polkadot
+fetch_release_artifacts_from_s3() {
+  echo "Version    : $VERSION"
+  echo "Repo       : $REPO"
+  echo "Binary     : $BINARY"
+  OUTPUT_DIR=${OUTPUT_DIR:-"./release-artifacts/${BINARY}"}
+  echo "OUTPUT_DIR : $OUTPUT_DIR"
+
+  URL_BASE=$(get_s3_url_base $BINARY)
+  echo "URL_BASE=$URL_BASE"
+
+  URL_BINARY=$URL_BASE/$VERSION/$BINARY
+  URL_SHA=$URL_BASE/$VERSION/$BINARY.sha256
+  URL_ASC=$URL_BASE/$VERSION/$BINARY.asc
+
+  # Fetch artifacts
+  mkdir -p "$OUTPUT_DIR"
+  pushd "$OUTPUT_DIR" > /dev/null
+
+  echo "Fetching artifacts..."
+  for URL in $URL_BINARY $URL_SHA $URL_ASC; do
+    echo "Fetching %s" "$URL"
+    curl --progress-bar -LO "$URL" || echo "Missing $URL"
+  done
+
+  pwd
+  ls -al --color
+  popd > /dev/null
+
+}
+
+# Pass the name of the binary as input, it will
+# return the s3 base url
+function get_s3_url_base() {
+    name=$1
+    case $name in
+    polkadot | polkadot-execute-worker | polkadot-prepare-worker | staking-miner)
+        printf "https://releases.parity.io/polkadot"
+        ;;
+
+    polkadot-parachain)
+        printf "https://releases.parity.io/cumulus"
+        ;;
+
+    *)
+        printf "UNSUPPORTED BINARY $name"
+        exit 1
+        ;;
+    esac
+}
+
+
 # Check the checksum for a given binary
 function check_sha256() {
     echo "Checking SHA256 for $1"
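Review bot: The download loop in `fetch_release_artifacts_from_s3` treats a failed fetch as non-fatal: `curl --progress-bar -LO "$URL" || echo "Missing $URL"` keeps going, and without `--fail` an HTTP error response is written to disk under the artifact's name. For a job that packages the binary into a published image, a missing `.sha256` or `.asc` should stop the run rather than depend on a later step noticing, e.g. `curl --fail --progress-bar -LO "$URL" || { echo "Missing $URL" >&2; exit 1; }`. Separately, `exit 1` in `get_s3_url_base` only leaves the `$(...)` subshell and its message goes to stdout, so unless the caller runs under `set -e` the error text ends up in `URL_BASE`; `URL_BASE=$(get_s3_url_base "$BINARY") || exit 1` with the message sent to stderr closes that. The header comment also lists `RELEASE_ID` and `GITHUB_TOKEN`, while the body reads `VERSION`, `REPO`, `BINARY` and `OUTPUT_DIR`.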
@@ -248,13 +303,11 @@ function check_sha256() {
 function import_gpg_keys() {
   GPG_KEYSERVER=${GPG_KEYSERVER:-"keyserver.ubuntu.com"}
   SEC="9D4B2B6EB8F97156D19669A9FF0812D491B96798"
-  WILL="2835EAF92072BC01D188AF2C4A092B93E97CE1E2"
   EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
-  MARA="533C920F40E73A21EEB7E9EBF27AEA7E7594C9CF"
   MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
 
   echo "Importing GPG keys from $GPG_KEYSERVER in parallel"
-  for key in $SEC $WILL $EGOR $MARA $MORGAN; do
+  for key in $SEC $EGOR $MORGAN; do
     (
       echo "Importing GPG key $key"
       gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key
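Review bot: The signer list in `import_gpg_keys` shrinks from five fingerprints to three with no comment or commit-message line explaining why, and this list is the trust anchor for artifact signature checks. If any artifact these workflows still fetch was signed by the removed `WILL` or `MARA` keys, its verification will presumably fail for lack of a public key; that may be intended, but it should be stated. I would add a comment above the list such as `# Release signing keys currently trusted; drop a fingerprint only once no supported release is signed by it`. The function body continues outside the hunk.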
@@ -344,3 +397,40 @@ function find_runtimes() {
     done
     echo $JSON
 }
+
+# Filter the version matches the particular pattern and return it.
+# input: version (v1.8.0 or v1.8.0-rc1)
+# output: none
+filter_version_from_input() {
+  version=$1
+  regex="(^v[0-9]+\.[0-9]+\.[0-9]+)$|(^v[0-9]+\.[0-9]+\.[0-9]+-rc[0-9]+)$"
+
+  if [[ $version =~ $regex ]]; then
+      if [ -n "${BASH_REMATCH[1]}" ]; then
+          echo "${BASH_REMATCH[1]}"
+      elif [ -n "${BASH_REMATCH[2]}" ]; then
+          echo "${BASH_REMATCH[2]}"
+      fi
+  else
+      echo "Invalid version: $version"
+      exit 1
+  fi
+
+}
+
+# Check if the release_id is valid number
+# input: release_id
+# output: release_id or exit 1
+check_release_id() {
+  input=$1
+
+  release_id=$(echo "$input" | sed 's/[^0-9]//g')
+
+  if [[ $release_id =~ ^[0-9]+$ ]]; then
+      echo "$release_id"
+  else
+      echo "Invalid release_id from input: $input"
+      exit 1
+  fi
+
+}
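Review bot: `check_release_id` sanitises before it validates: the `sed 's/[^0-9]//g'` pass strips every non-digit, so the `^[0-9]+$` test that follows can only fail on input with no digits at all, and a value such as `12a34` (constructed example) is accepted as release `1234`. Validation should reject what does not match rather than rewrite it: `if [[ $input =~ ^[0-9]+$ ]]; then echo "$input"`. Both new functions print their error text to stdout, which a `$(...)` caller captures instead of showing; adding `>&2` to the two `echo "Invalid ..."` lines fixes that. The comment on `filter_version_from_input` says `output: none` although the function echoes the matched version.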
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml
index ecbac01cd3a..67e93ee9657 100644
--- a/.github/workflows/release-50_publish-docker.yml
+++ b/.github/workflows/release-50_publish-docker.yml
@@ -36,7 +36,7 @@ on:
             -H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases | \
             jq '.[] | { name: .name, id: .id }'
         required: true
-        type: string
+        type: number
 
       registry:
         description: Container registry
@@ -61,7 +61,6 @@ permissions:
   contents: write
 
 env:
-  RELEASE_ID: ${{ inputs.release_id }}
   ENGINE: docker
   REGISTRY: ${{ inputs.registry }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -71,6 +70,7 @@ env:
   # EVENT_ACTION: ${{ github.event.action }}
   EVENT_NAME: ${{ github.event_name }}
   IMAGE_TYPE: ${{ inputs.image_type }}
+  VERSION: ${{ inputs.version }}
 
 jobs:
   fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build
@@ -95,13 +95,16 @@ jobs:
         #   chmod a+x $BINARY
         #   ls -al
 
-      - name: Fetch rc artifacts or release artifacts based on release id
+      - name: Fetch rc artifacts or release artifacts from s3 based on version
         #this step runs only if the workflow is triggered manually
         if: ${{ env.EVENT_NAME  == 'workflow_dispatch' }}
         run: |
           . ./.github/scripts/common/lib.sh
 
-          fetch_release_artifacts
+          VERSION=$(filter_version_from_input "${{ inputs.version }}")
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+
+          fetch_release_artifacts_from_s3
 
       - name: Cache the artifacts
         uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
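Review bot: `"${{ inputs.version }}"` is substituted into the script text before bash starts, so `filter_version_from_input` only sees the value after the shell has already parsed it; quotes or command substitutions in the input are interpreted by the step, and the regex check comes too late to help. The value should reach the shell as data: the workflow-level `VERSION: ${{ inputs.version }}` added earlier in this file already exports it, so `VERSION=$(filter_version_from_input "$VERSION")` is enough here. The same pattern appears in the `fetch_rc_refs` step with `check_release_id "${{ inputs.release_id }}"`; there the `RELEASE_ID` env entry this commit removes (or a step-level `env:`) would carry the value, and `type: number` narrows the input but may not fully replace that. `$GITHUB_ENV` should also be quoted in the redirect.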
@@ -147,7 +150,10 @@ jobs:
         if: ${{ env.IMAGE_TYPE == 'rc' }}
         id: fetch_rc_refs
         run: |
-          release=release-${{ inputs.release_id }} && \
+          . ./.github/scripts/common/lib.sh
+
+          RELEASE_ID=$(check_release_id "${{ inputs.release_id }}")
+          release=release-$RELEASE_ID && \
           echo "release=${release}" >> $GITHUB_OUTPUT
 
           commit=$(git rev-parse --short HEAD) && \
diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml
index 732db15d9c0..05c9d6a47f5 100644
--- a/.github/workflows/release-99_notif-published.yml
+++ b/.github/workflows/release-99_notif-published.yml
@@ -16,12 +16,6 @@ jobs:
           - name: "RelEng: Polkadot Release Coordination"
             room: '!cqAmzdIcbOFwrdrubV:parity.io'
             pre-release: true
-          - name: 'General: Rust, Polkadot, Substrate'
-            room: '!aJymqQYtCjjqImFLSb:parity.io'
-            pre-release: false
-          - name: 'Team: DevOps'
-            room: '!lUslSijLMgNcEKcAiE:parity.io'
-            pre-release: true
 
          # External
           - name: 'Ledger <> Polkadot Coordination'
@@ -48,7 +42,9 @@ jobs:
           access_token: ${{ secrets.RELEASENOTES_MATRIX_V2_ACCESS_TOKEN }}
           server: m.parity.io
           message: |
-            A (pre)release has been ${{github.event.action}} in **${{github.event.repository.full_name}}:**<br/>
+            @room
+
+            A new node release has been ${{github.event.action}} in **${{github.event.repository.full_name}}:**<br/>
             Release version: [${{github.event.release.tag_name}}](${{github.event.release.html_url}})
 
             -----
-- 
GitLab