From 4e1a077f183b0191b5e181eb9b8cd8e9b190cc4b Mon Sep 17 00:00:00 2001 From: Andy Wu Date: Thu, 15 Aug 2024 21:17:34 -0700 Subject: [PATCH] [feature] migrate workflows to main --- .github/workflows/ci-ecr.yml | 100 +++++++++++++++++++++++++++++++ .github/workflows/ci-geth-s3.yml | 77 ++++++++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 .github/workflows/ci-ecr.yml create mode 100644 .github/workflows/ci-geth-s3.yml diff --git a/.github/workflows/ci-ecr.yml b/.github/workflows/ci-ecr.yml new file mode 100644 index 000000000000..ed1e21182b54 --- /dev/null +++ b/.github/workflows/ci-ecr.yml @@ -0,0 +1,100 @@ +name: Build and Upload geth Binary + +on: + workflow_dispatch: + push: + branches: + - main + pull_request: + branches: + - main + +permissions: + id-token: write + contents: write + pull-requests: write + actions: write + +env: + NUM_BINARIES_TO_KEEP: 5 + ECR_REPOSITORY: geth-bootnode + +jobs: + # Add timestamp + Timestamp: + uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main + + # Build and upload the geth binary + build_and_push: + needs: Timestamp + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::478656756051:role/iac-max-role + aws-region: us-west-1 + role-session-name: github-actions + + - name: Set build arguments + run: | + echo "COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV + echo "VERSION=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV + echo "BUILDNUM=$GITHUB_RUN_NUMBER" >> $GITHUB_ENV + + - name: Login to Amaon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@v1 + + - name: Cache Docker layers + uses: actions/cache@v2 + with: + path: /tmp/.buildx-cache + key: ${{ runner.os }}-buildx-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-buildx- + + - name: Extract ECR repository URI + id: ecr-repo + run: | + echo "REPOSITORY_URI=$(aws ecr describe-repositories --repository-names ${{ env.ECR_REPOSITORY }} --query 'repositories[0].repositoryUri' --output text)" >> $GITHUB_ENV + + - name: Dockerize the geth and bootnode binary + env: + DOCKER_BUILDKIT: 1 + run: | + docker buildx create --use + docker buildx build \ + --build-arg COMMIT=$COMMIT \ + --build-arg VERSION=$VERSION \ + --build-arg BUILDNUM=$BUILDNUM \ + -t $REPOSITORY_URI:latest \ + -t $REPOSITORY_URI:$COMMIT \ + -t $REPOSITORY_URI:$VERSION \ + --cache-from=type=local,src=/tmp/.buildx-cache \ + --cache-to=type=local,dest=/tmp/.buildx-cache \ + --load \ + -f ./Dockerfile \ + . + + - name: Scan image for vulnerabilities using Trivy + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: ${{ env.REPOSITORY_URI }}:latest + format: 'table' + exit-code: 1 + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'HIGH,CRITICAL' + + - name: Push the Docker image to ECR + run: | + docker push $REPOSITORY_URI:latest + docker push $REPOSITORY_URI:$COMMIT diff --git a/.github/workflows/ci-geth-s3.yml b/.github/workflows/ci-geth-s3.yml new file mode 100644 index 000000000000..6bcb24058d61 --- /dev/null +++ b/.github/workflows/ci-geth-s3.yml @@ -0,0 +1,77 @@ +name: Build and Upload geth Binary + +on: + push: + branches: + - main + workflow_dispatch: + +permissions: + id-token: write + contents: write + pull-requests: write + actions: write + +env: + NUM_BINARIES_TO_KEEP: 50 + +jobs: + # Add timestamp + Timestamp: + # limit a few authorized users to trigger this job + # since all other jobs depend on this job, no need to secure other jobs + if: github.actor == 'andybowu' || github.actor == 'edisonz0718' || github == 'LeoHChen' + uses: storyprotocol/gha-workflows/.github/workflows/reusable-timestamp.yml@main + + # Build and upload the geth binary + build_and_push: + needs: Timestamp + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: arn:aws:iam::478656756051:role/iac-max-role + aws-region: us-west-1 + role-session-name: github-actions + + - name: Build the geth binary + run: | + make geth + + - name: Upload the geth binary to S3 + run: | + export TZ=America/Los_Angeles + VERSION=$(date +%Y%m%d%H%M%S) + HUMAN_READABLE_VERSION=$(date) + echo "Building version $VERSION at $HUMAN_READABLE_VERSION" + aws s3 cp ./build/bin/geth s3://iliad-geth-binaries/geth/geth-$VERSION --quiet + + # Update manifest file + aws s3 cp s3://iliad-geth-binaries/geth/manifest.txt manifest.txt --quiet || touch manifest.txt + echo $VERSION >> manifest.txt + aws s3 cp manifest.txt s3://iliad-geth-binaries/geth/manifest.txt --quiet + + echo "ILIAD_VERSION=$VERSION" >> $GITHUB_ENV + + - name: Cleanup old binaries + run: | + # List objects in the bucket and sort by LastModified date + aws s3api list-objects-v2 --bucket iliad-geth-binaries --prefix geth/ --query "sort_by(Contents,&LastModified)[*].Key" > all_binaries.json + + # Extract the list of keys, remove the latest NUM_BINARIES_TO_KEEP + BINARIES_TO_DELETE=$(jq -r ".[0:-${NUM_BINARIES_TO_KEEP}][]" all_binaries.json) + + if [ -n "$BINARIES_TO_DELETE" ]; then + # Delete old binaries + for key in $BINARIES_TO_DELETE; do + aws s3 rm s3://iliad-geth-binaries/$key --quiet + done + echo "Deleted old binaries: $BINARIES_TO_DELETE" + else + echo "No old binaries to delete." + fi