[feature] migrate workflows to main

storyprotocol · Aug 16, 2024 · 4e1a077 · 4e1a077
1 parent aa55f5e
commit 4e1a077
Show file tree

Hide file tree

Showing 2 changed files with 177 additions and 0 deletions.
diff --git a/.github/workflows/ci-ecr.yml b/.github/workflows/ci-ecr.yml
@@ -0,0 +1,100 @@
+name: Build and Upload geth Binary
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+  actions: write
+
+env:
+  NUM_BINARIES_TO_KEEP: 5
+  ECR_REPOSITORY: geth-bootnode
+
+jobs:
+  # Add  timestamp
+  Timestamp:
+    uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main
+
+  # Build and upload the geth binary
+  build_and_push:
+    needs: Timestamp
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::478656756051:role/iac-max-role
+          aws-region: us-west-1
+          role-session-name: github-actions
+
+      - name: Set build arguments
+        run: |
+          echo "COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+          echo "VERSION=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV
+          echo "BUILDNUM=$GITHUB_RUN_NUMBER" >> $GITHUB_ENV
+
+      - name: Login to Amaon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+          
+      - name: Extract ECR repository URI
+        id: ecr-repo
+        run: |
+          echo "REPOSITORY_URI=$(aws ecr describe-repositories --repository-names ${{ env.ECR_REPOSITORY }} --query 'repositories[0].repositoryUri' --output text)" >> $GITHUB_ENV
+
+      - name: Dockerize the geth and bootnode binary
+        env:
+          DOCKER_BUILDKIT: 1
+        run: |
+          docker buildx create --use
+          docker buildx build \
+            --build-arg COMMIT=$COMMIT \
+            --build-arg VERSION=$VERSION \
+            --build-arg BUILDNUM=$BUILDNUM \
+            -t $REPOSITORY_URI:latest \
+            -t $REPOSITORY_URI:$COMMIT \
+            -t $REPOSITORY_URI:$VERSION \
+            --cache-from=type=local,src=/tmp/.buildx-cache \
+            --cache-to=type=local,dest=/tmp/.buildx-cache \
+            --load \
+            -f ./Dockerfile \
+            . 
+      
+      - name: Scan image for vulnerabilities using Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.REPOSITORY_URI }}:latest
+          format: 'table'
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Push the Docker image to ECR
+        run: |
+          docker push $REPOSITORY_URI:latest 
+          docker push $REPOSITORY_URI:$COMMIT
diff --git a/.github/workflows/ci-geth-s3.yml b/.github/workflows/ci-geth-s3.yml
@@ -0,0 +1,77 @@
+name: Build and Upload geth Binary
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+  actions: write
+
+env:
+  NUM_BINARIES_TO_KEEP: 50
+
+jobs:
+  # Add timestamp
+  Timestamp:
+    # limit a few authorized users to trigger this job
+    # since all other jobs depend on this job, no need to secure other jobs
+    if: github.actor == 'andybowu' || github.actor == 'edisonz0718' || github == 'LeoHChen'
+    uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main
+
+  # Build and upload the geth binary
+  build_and_push:
+    needs: Timestamp
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::478656756051:role/iac-max-role
+          aws-region: us-west-1
+          role-session-name: github-actions
+
+      - name: Build the geth binary
+        run: |
+          make geth
+
+      - name: Upload the geth binary to S3
+        run: |
+          export TZ=America/Los_Angeles
+          VERSION=$(date +%Y%m%d%H%M%S)
+          HUMAN_READABLE_VERSION=$(date)
+          echo "Building version $VERSION at $HUMAN_READABLE_VERSION"
+          aws s3 cp ./build/bin/geth s3://iliad-geth-binaries/geth/geth-$VERSION --quiet
+          
+          # Update manifest file
+          aws s3 cp s3://iliad-geth-binaries/geth/manifest.txt manifest.txt --quiet || touch manifest.txt
+          echo $VERSION >> manifest.txt
+          aws s3 cp manifest.txt s3://iliad-geth-binaries/geth/manifest.txt --quiet
+
+          echo "ILIAD_VERSION=$VERSION" >> $GITHUB_ENV
+  
+      - name: Cleanup old binaries
+        run: |
+          # List objects in the bucket and sort by LastModified date
+          aws s3api list-objects-v2 --bucket iliad-geth-binaries --prefix geth/ --query "sort_by(Contents,&LastModified)[*].Key" > all_binaries.json
+          
+          # Extract the list of keys, remove the latest NUM_BINARIES_TO_KEEP
+          BINARIES_TO_DELETE=$(jq -r ".[0:-${NUM_BINARIES_TO_KEEP}][]" all_binaries.json)
+          
+          if [ -n "$BINARIES_TO_DELETE" ]; then
+            # Delete old binaries
+            for key in $BINARIES_TO_DELETE; do
+              aws s3 rm s3://iliad-geth-binaries/$key --quiet
+            done
+            echo "Deleted old binaries: $BINARIES_TO_DELETE"
+          else
+            echo "No old binaries to delete."
+          fi