From 90440d948d0b7c56f25cf814e6c47937c861e75d Mon Sep 17 00:00:00 2001
From: Marcin Rataj <lidel@lidel.org>
Date: Sat, 16 Mar 2024 00:08:11 +0100
Subject: [PATCH] feat(ci): update inbrowser.link on release publish (#117)

* feat(ci): update inbrowser.link on release publish
* feat(ci): release-please
* refactor: move smoke-tests to new workflow
---
 .github/workflows/dnslink-smoke-tests.yml | 71 +++++++++++++++++++++
 .github/workflows/main.yml                | 78 +++++++++++++----------
 .github/workflows/pin-to-cluster.yml      | 71 ---------------------
 public/index.html                         |  3 +-
 webpack.config.js                         | 18 +++++-
 5 files changed, 136 insertions(+), 105 deletions(-)
 create mode 100644 .github/workflows/dnslink-smoke-tests.yml
 delete mode 100644 .github/workflows/pin-to-cluster.yml

diff --git a/.github/workflows/dnslink-smoke-tests.yml b/.github/workflows/dnslink-smoke-tests.yml
new file mode 100644
index 00000000..99d74cfb
--- /dev/null
+++ b/.github/workflows/dnslink-smoke-tests.yml
@@ -0,0 +1,71 @@
+name: DNSLink Smoke-tests
+
+on:
+  schedule:
+    - cron: '0 * * * *'
+  workflow_dispatch:
+
+env:
+  KUBO_VER: 'v0.27.0'       # kubo daemon used for publishing to IPFS
+  CLUSTER_CTL_VER: 'v1.0.8' # ipfs-cluster-ctl used by publish-to-ipfs
+
+jobs:
+  smoke-test-cached-http: # basic smoke test that lets us know when stale-while-revalidate caching does not work on either env
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        dnslink:
+          - inbrowser.link
+          - inbrowser.dev
+    steps:
+      - name: Smoke-test instant (cached, stale-while-revalidate) /ipfs-sw-main.js at ${{ matrix.dnslink }}
+        run: curl --retry 3 --retry-delay 61 --retry-all-errors -v -L "https://${{ matrix.dnslink }}/ipfs-sw-main.js" > /dev/null
+
+  smoke-test-fresh-http: # basic smoke test for getting latest DNSLink DAG over HTTP gateways
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        gateway:
+          - trustless-gateway.link
+          - cloudflare-ipfs.com
+        dnslink:
+          - inbrowser.link
+          - inbrowser.dev
+    steps:
+      - uses: ipfs/download-ipfs-distribution-action@v1
+        with:
+          name: kubo
+          version: "${{ env.KUBO_VER }}"
+      - uses: ipfs/start-ipfs-daemon-action@v1
+      - name: Try fetching the new CID as CAR from ${{ matrix.gateway }}
+        run: |
+          CID=$(ipfs resolve /ipns/${{ matrix.dnslink }} | sed 's|^/ipfs/||')
+          curl --retry 6 --retry-delay 61 --retry-all-errors -v -L --http1.1 "https://${{ matrix.gateway }}/ipfs/${CID}?format=car" -o dag.car
+      - name: Confirm the CAR contains the entire DAG
+        run: ipfs dag import --offline --pin-roots=true dag.car
+
+  smoke-test-fresh-p2p: # basic smoke test for getting latest DNSLink DAG over P2P with Kubo
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        routing-type:
+          - dhtclient
+          - autoclient
+        dnslink:
+          - inbrowser.link
+          - inbrowser.dev
+    steps:
+      - uses: ipfs/download-ipfs-distribution-action@v1
+        with:
+          name: kubo
+          version: "${{ env.KUBO_VER }}"
+      - name: Init IPFS daemon
+        run: |
+          ipfs init --profile server
+          ipfs config Routing.Type ${{ matrix.routing-type }}
+      - uses: ipfs/start-ipfs-daemon-action@v1
+      - name: Confirm Kubo can fetch with Routing.Type=${{ matrix.routing-type }}
+        run: ipfs dag stat /ipns/${{ matrix.dnslink }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3455e129..7e6c5b03 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches:
       - '**'
+  release:
+    types: [ published ]
   workflow_dispatch:
 
 env:
@@ -169,11 +171,11 @@ jobs:
           files: .coverage/*,packages/*/.coverage/*
 
   publish-to-ipfs:
-    # TODO: make this run also on release
-    if: github.ref == 'refs/heads/main'
+    # NOTE: workflow_dispatch here allows maintainer to manually run against any branch, and it will produce a CAR with CID that is pinned to our cluster
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/main') || (github.event_name == 'release' && github.event.action == 'published')
     needs: build
     runs-on: ubuntu-latest
-    environment: Deploy # CF and Clusteer secrets
+    environment: Deploy # Clusteer secrets
     concurrency:
       # only one job runs at a time == DNSLinks are updated in-order
       group: ${{ github.workflow }}-${{ github.ref }}
@@ -195,17 +197,7 @@ jobs:
         with:
           name: ipfs-cluster-ctl
           version: "${{ env.CLUSTER_CTL_VER }}"
-      - name: Init IPFS daemon
-        run: |
-          # fix resolv - DNS provided by Github is unreliable for DNSLik/dnsaddr
-          sudo sed -i -e 's/nameserver 127.0.0.*/nameserver 1.1.1.1/g' /etc/resolv.conf
-          ipfs init --profile flatfs,server,randomports,lowpower
-          # make flatfs async for faster ci
-          ipfs config --json 'Datastore.Spec.mounts' "$(ipfs config 'Datastore.Spec.mounts' | jq -c '.[0].child.sync=false')"
-        shell: bash
       - uses: ipfs/start-ipfs-daemon-action@v1
-        with:
-          args: --enable-gc=false
       - name: Preconnect to cluster peers
         run: |
           ipfs-cluster-ctl --enc=json \
@@ -251,8 +243,17 @@ jobs:
           CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
           CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
         timeout-minutes: 60
-      - name: Update DNSLink at inbrowser.dev (Dev Testing)
-        if: github.ref == 'refs/heads/main'
+      - name: Attach the CAR to release if building a release tag
+        if: github.event_name == 'release' && github.event.action == 'published'
+        run: |
+          curl \
+            -XPOST \
+            -H "Authorization: Bearer ${{ secrets.UCI_GITHUB_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary "@dist_${{ github.sha }}.car" \
+            "https://api.github.com/repos/${{ github.repository }}/releases/${{ steps.get_release.outputs.release_id }}/assets?name=dist_${{ github.event.release.tag_name }}_${{ github.sha }}.car"
+      - name: Update DNSLink at inbrowser.dev (Staging for Dev Testing) if main branch was updated
+        if: (github.event_name == 'workflow_dispatch' || github.event_name == 'push') && github.ref == 'refs/heads/main'
         run: |
           curl --request PUT --header "Authorization: Bearer ${AUTH_TOKEN}" --header 'Content-Type: application/json' \
             --url "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
@@ -263,9 +264,8 @@ jobs:
           ZONE_ID: ${{ secrets.CF_INBROWSERDEV_ZONE_ID }}
           RECORD_ID:  ${{ secrets.CF_INBROWSERDEV_RECORD_ID }}
           AUTH_TOKEN: ${{ secrets.CF_INBROWSERDEV_AUTH_TOKEN }}
-      - name: Update DNSLink at inbrowser.link (Stable Production)
-        # TODO: make this run only on release
-        if: github.ref == 'refs/heads/main'
+      - name: Update DNSLink at inbrowser.link (Stable Production) if new release was published
+        if: github.event_name == 'release' && github.event.action == 'published'
         run: |
           curl --request PUT --header "Authorization: Bearer ${AUTH_TOKEN}" --header 'Content-Type: application/json'  \
             --url "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
@@ -278,7 +278,7 @@ jobs:
           AUTH_TOKEN: ${{ secrets.CF_INBROWSERLINK_AUTH_TOKEN }}
 
   pin-to-w3: # ported from ipfs/ipfs-webui
-    if: ${{ success() && needs.publish-to-ipfs.outputs.cid }}
+    if: needs.publish-to-ipfs.outputs.cid
     needs: publish-to-ipfs
     runs-on: ubuntu-latest
     environment: web3.storage
@@ -315,7 +315,7 @@ jobs:
           W3CLI_SPACE_DELEGATION_PROOF_BASE64_STRING: ${{ secrets.W3CLI_SPACE_DELEGATION_PROOF_BASE64_STRING }}
 
   pin-to-scaleway:
-    if: ${{ success() && needs.publish-to-ipfs.outputs.cid }}
+    if: needs.publish-to-ipfs.outputs.cid
     needs: publish-to-ipfs
     runs-on: ubuntu-latest
     environment: Scaleway
@@ -328,14 +328,12 @@ jobs:
       - name: Init IPFS daemon
         run: ipfs init --profile flatfs,server,randomports,lowpower
       - uses: ipfs/start-ipfs-daemon-action@v1
-        with:
-          args: --enable-gc=false
       - name: Retrieve CAR produced by publish-to-ipfs job
         uses: actions/download-artifact@v4
         with:
           name: dist_${{ github.sha }}.car
       - name: Import CAR to local Kubo
-        run: ipfs dag import --offline dist_${{ github.sha }}.car
+        run: ipfs dag import --offline --pin-roots=true dist_${{ github.sha }}.car
       - name: Set up and check Scaleway
         id: scaleway
         run: |
@@ -351,15 +349,31 @@ jobs:
         env:
           CID: ${{ needs.publish-to-ipfs.outputs.cid }}
 
-  smoke-test-http: # basic smoke test that lets us know when eother caching or content routing does not work
-    if: ${{ success() && needs.publish-to-ipfs.outputs.cid }}
-    needs: [ publish-to-ipfs, pin-to-scaleway, pin-to-w3 ]
+  smoke-test-fresh-p2p: # basic smoke test for getting DAG with Kubo
+    if: needs.publish-to-ipfs.outputs.cid
+    needs: publish-to-ipfs
     runs-on: ubuntu-latest
     steps:
-      - name: Smoke-test instant (cached, stale-while-revalidate) /ipfs-sw-main.js at inbrowser.link
-        run: curl --retry 3 --retry-delay 61 --retry-all-errors -v https://inbrowser.link/ipfs-sw-main.js > /dev/null
-      - name: Smoke-test instant (cached, stale-while-revalidate) /ipfs-sw-main.js at inbrowser.dev
-        run: curl --retry 3 --retry-delay 61 --retry-all-errors -v https://inbrowser.dev/ipfs-sw-main.js > /dev/null
-      - name: Smoke-test fetching the new CID as CAR from trustless-gateway.link
-        run: curl --retry 3 --retry-delay 61 --retry-all-errors -v "https://trustless-gateway.link/ipfs/${{ needs.publish-to-ipfs.outputs.cid }}?format=car" > /dev/null
+      - uses: ipfs/download-ipfs-distribution-action@v1
+        with:
+          name: kubo
+          version: "${{ env.KUBO_VER }}"
+      - uses: ipfs/start-ipfs-daemon-action@v1
+      - name: Confirm Kubo can fetch published DAG
+        run: ipfs dag stat ${{ needs.publish-to-ipfs.outputs.cid }}
 
+  release-please:
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'workflow_dispatch' || github.event_name == 'push') && github.ref == 'refs/heads/main'
+    needs: [ build, check ]
+    permissions:
+      contents: write # to create release
+      pull-requests: write # to create release PR
+    steps:
+      - uses: google-github-actions/release-please-action@v4
+        with:
+          # NOTE: we need elevated PAT token for production DNSLink to be updated. this is because tags created by the default token
+          # will not trigger CI build, and we need publish-to-ipfs to run when a new release tag is created by this action
+          # https://github.com/google-github-actions/release-please-action?tab=readme-ov-file#github-credentials
+          token: ${{ secrets.UCI_GITHUB_TOKEN || github.token }}
+          release-type: node
diff --git a/.github/workflows/pin-to-cluster.yml b/.github/workflows/pin-to-cluster.yml
deleted file mode 100644
index 9434cd93..00000000
--- a/.github/workflows/pin-to-cluster.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: Pin Latest DNSLink to Cluster
-
-on:
-  schedule:
-    - cron: '6 0 * * *'
-  workflow_dispatch:
-
-env:
- KUBO_VER: 'v0.26.0'       # kubo daemon used for chunking and applying diff
- CLUSTER_CTL_VER: 'v1.0.8' # ipfs-cluster-ctl used for pinning
-
-jobs:
-  persist:
-    runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }}
-    environment: Deploy
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.inputs.branch }}
-      - uses: ipfs/download-ipfs-distribution-action@v1
-        with:
-          name: kubo
-          version: "${{ env.KUBO_VER }}"
-      - uses: ipfs/download-ipfs-distribution-action@v1
-        with:
-          name: ipfs-cluster-ctl
-          version: "${{ env.CLUSTER_CTL_VER }}"
-      - name: Init IPFS daemon
-        run: |
-          # fix resolv - DNS provided by Github is unreliable for DNSLik/dnsaddr
-          sudo sed -i -e 's/nameserver 127.0.0.*/nameserver 1.1.1.1/g' /etc/resolv.conf
-          ipfs init --profile flatfs,server,randomports,lowpower
-          # make flatfs async for faster ci
-          ipfs config --json 'Datastore.Spec.mounts' "$(ipfs config 'Datastore.Spec.mounts' | jq -c '.[0].child.sync=false')"
-        shell: bash
-      - uses: ipfs/start-ipfs-daemon-action@v1
-        with:
-          args: --enable-gc=false
-      - name: Preconnect to cluster peers
-        run: |
-          ipfs-cluster-ctl --enc=json \
-            --host "/dnsaddr/ipfs-websites.collab.ipfscluster.io" \
-            --basic-auth "$CLUSTER_USER:$CLUSTER_PASSWORD" \
-            peers ls | tee cluster-peers-ls
-          for maddr in $(jq -r '.ipfs.addresses[]?' cluster-peers-ls); do
-            ipfs swarm peering add $maddr
-            ipfs swarm connect $maddr || true &
-          done
-        shell: bash
-        env:
-          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
-          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
-      - name: Read CID from DNSLink at inbrowser.link
-        id: cid-reader
-        run: echo "CID=$(ipfs resolve /ipns/inbrowser.link | sed 's|^/ipfs/||')" >> $GITHUB_OUTPUT
-      - name: Pin latest CID to ipfs-websites.collab.ipfscluster.io
-        run: |
-          ipfs-cluster-ctl --enc=json \
-              --host "/dnsaddr/ipfs-websites.collab.ipfscluster.io" \
-              --basic-auth "${CLUSTER_USER}:${CLUSTER_PASSWORD}" \
-              pin add \
-              --name "inbrowser.link_$(date +"%Y-%m-%d_%H:%M:%S")" \
-              --replication-min 2 \
-              --replication-max 6 \
-              --wait \
-              "$PIN_CID"
-        env:
-          PIN_CID: ${{ steps.cid-reader.outputs.CID }}
-          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
-          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
-        timeout-minutes: 60
diff --git a/public/index.html b/public/index.html
index a9d3d994..795d0713 100644
--- a/public/index.html
+++ b/public/index.html
@@ -4,6 +4,7 @@
     <!--
 
       This HTML page initializes IPFS Service Worker Gateway.
+      Build: <%= htmlWebpackPlugin.options.version %>
 
       The HTTP server behind this HTTP URL does not host this website.
       Instead, it sends basic website code along with JavaScript. The JS sets
@@ -19,7 +20,7 @@
     <meta charset="UTF-8" />
     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title><%= htmlWebpackPlugin.options.title %></title>
+    <title><%= htmlWebpackPlugin.options.title %> | <%= htmlWebpackPlugin.options.version %></title>
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/tachyons@4.12.0/css/tachyons.min.css" integrity="sha256-MgEf5i1a74lVzhT+1R6mBbWCUeUaxC8sQTaN5GY+CoI=" crossorigin="anonymous">
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/ipfs-css@1.4.0/ipfs.css" integrity="sha256-tlU/gvVvLjSbTOfSZyCzuQxY8QcmHPtJJ1oTXilA9gk=" crossorigin="anonymous">
   </head>
diff --git a/webpack.config.js b/webpack.config.js
index e6965a61..48159910 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -1,5 +1,6 @@
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
+import { execSync } from 'child_process'
 import CopyWebpackPlugin from 'copy-webpack-plugin'
 import HtmlWebpackPlugin from 'html-webpack-plugin'
 import MiniCssExtractPlugin from 'mini-css-extract-plugin'
@@ -143,7 +144,7 @@ const dev = {
       'access-control-allow-origin': '*',
       'access-control-allow-methods': 'GET'
     },
-    allowedHosts: ['helia-sw-gateway.localhost', 'localhost']
+    allowedHosts: ['swig.localhost', 'helia-sw-gateway.localhost', 'localhost']
   },
 
   plugins: [
@@ -155,6 +156,20 @@ const dev = {
   }
 }
 
+/**
+ * Retrieves the Git branch and short SHA of the current commit.
+ * @returns {string} A string representing the Git branch and short SHA.
+ */
+const gitRevision = () => {
+  try {
+    const ref = execSync('git rev-parse --abbrev-ref HEAD').toString().trim()
+    const sha = execSync('git rev-parse --short HEAD').toString().trim()
+    return `${ref}@${sha}`
+  } catch (_) {
+    return `no-git-dirty@${new Date().getTime().toString()}`
+  }
+}
+
 /**
  * @type {import('webpack').Configuration}
  */
@@ -187,6 +202,7 @@ const common = {
     new HtmlWebpackPlugin({
       excludeChunks: ['sw'],
       title: 'IPFS Service Worker Gateway',
+      version: gitRevision(),
       favicon: paths.public + '/favicon.ico',
       template: paths.public + '/index.html', // template file
       filename: 'index.html', // output file,