Enable the use of test key or prod key for PKI #1875
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Continuous Integration & Deployment | |
on: | |
workflow_dispatch: | |
push: | |
tags: | |
- '*' | |
branches: | |
- master | |
pull_request: | |
branches: | |
- master | |
jobs: | |
coverage: | |
name: Code coverage | |
runs-on: ubuntu-latest | |
container: | |
image: docker://ghcr.io/ledgerhq/speculos-builder:latest | |
steps: | |
- name: Clone | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Build with code coverage instrumentation | |
env: | |
CTEST_OUTPUT_ON_FAILURE: 1 | |
RNG_SEED: 0 | |
run: | | |
cmake -Bbuild -H. -DPRECOMPILED_DEPENDENCIES_DIR=/install -DWITH_VNC=1 -DCODE_COVERAGE=ON | |
make -C build clean | |
make -C build | |
make -C build test | |
pip install pytest-cov | |
pip install . | |
PYTHONPATH=. pytest --cov=speculos --cov-report=xml | |
- run: git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@v4 | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
with: | |
name: codecov-speculos | |
build: | |
name: Clone, build, test | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
python_version: ['3.8', '3.9', '3.10', '3.11'] | |
# Use https://ghcr.io/ledgerhq/speculos-builder which has all the required | |
# dependencies | |
container: | |
image: docker://ghcr.io/ledgerhq/speculos-builder:latest | |
steps: | |
- name: Clone | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup Python version | |
uses: actions/setup-python@v5 | |
with: | |
python-version: ${{ matrix.python_version }} | |
- name: Build and install package | |
run: | | |
cmake -Bbuild -H. -DPRECOMPILED_DEPENDENCIES_DIR=/install -DWITH_VNC=1 | |
make -C build | |
pip install pytest | |
pip install . | |
- name: Test | |
env: | |
CTEST_OUTPUT_ON_FAILURE: 1 | |
run: | | |
make -C build/ test | |
pytest | |
package_python: | |
name: Build and deploy Speculos Python Package | |
runs-on: ubuntu-latest | |
needs: [build] | |
container: | |
image: docker://ghcr.io/ledgerhq/speculos-builder:latest | |
steps: | |
- name: Clone | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Use pip to install Speculos in a virtual environment | |
run: | | |
python3 -m venv venv-test | |
./venv-test/bin/pip install . | |
./venv-test/bin/speculos --help | |
echo "TAG_VERSION=$(python -c 'from speculos import __version__; print(__version__)')" >> "$GITHUB_ENV" | |
- name: Build Speculos python package | |
run: | | |
git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
if [ -e dist ] ; then | |
echo >&2 "Error: dist/ directory already exists and this is unexpected. Refusing to build new packages." | |
exit 1 | |
fi | |
python3 -m venv venv-build | |
./venv-build/bin/pip install --upgrade pip build twine | |
./venv-build/bin/python -m build | |
./venv-build/bin/python -m twine check dist/* | |
- name: Check version against CHANGELOG | |
if: startsWith(github.ref, 'refs/tags/') | |
shell: bash | |
run: | | |
CHANGELOG_VERSION=$(grep -Po '(?<=## \[)(\d+\.)+[^\]]' CHANGELOG.md | head -n 1) | |
if [ "${{ env.TAG_VERSION }}" == "${CHANGELOG_VERSION}" ]; \ | |
then \ | |
exit 0; \ | |
else \ | |
echo "Tag '${{ env.TAG_VERSION }}' and CHANGELOG '${CHANGELOG_VERSION}' versions mismatch!"; \ | |
exit 1; \ | |
fi | |
- name: Publish Python package on pypi.org | |
if: success() && github.event_name == 'push' | |
run: ./venv-build/bin/python -m twine upload dist/* | |
env: | |
TWINE_USERNAME: __token__ | |
TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN }} | |
TWINE_NON_INTERACTIVE: 1 | |
package_and_test_docker: | |
name: Build and test the Speculos docker | |
uses: ./.github/workflows/reusable_ragger_tests_latest_speculos.yml | |
with: | |
app_repository: LedgerHQ/app-boilerplate | |
app_branch_name: master | |
test_dir: tests | |
speculos_app_branch_name: ${{ github.ref }} | |
package_and_test_docker_for_nanos: | |
name: Build and test the Speculos docker for Nano S | |
uses: ./.github/workflows/reusable_ragger_tests_latest_speculos.yml | |
with: | |
app_repository: LedgerHQ/app-boilerplate | |
app_branch_name: nanos_baseline | |
test_dir: tests | |
speculos_app_branch_name: ${{ github.ref }} | |
deploy_docker: | |
name: Build and Upload the Speculos docker | |
strategy: | |
matrix: | |
include: | |
- platform: linux/amd64 | |
runner: ubuntu-latest | |
- platform: linux/arm64 | |
runner: speculos-builder-2c-arm64-ubuntu_2404 | |
runs-on: ${{ matrix.runner }} | |
needs: [build] | |
steps: | |
- name: Prepare | |
run: | | |
platform=${{ matrix.platform }} | |
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV | |
if [[ "${{ github.event_name }}" == 'push' && ( "${{ github.ref }}" == 'refs/heads/master' || "${{ github.ref }}" =~ '^refs/tags/.*' ) ]]; then | |
PUSH_FLAG='true' | |
else | |
PUSH_FLAG='false' | |
fi | |
echo "PUSH_FLAG=${PUSH_FLAG}" >> $GITHUB_ENV | |
- name: Clone | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Extract metadata | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: ghcr.io/ledgerhq/speculos | |
tags: | | |
type=raw,value=${{ github.sha }} | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Build and publish to GitHub Packages | |
uses: docker/build-push-action@v6 | |
id: buildPush | |
with: | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: ${{ matrix.platform }} | |
outputs: type=image,name=ghcr.io/ledgerhq/speculos,push-by-digest=true,name-canonical=true,push=${{ env.PUSH_FLAG }} | |
- name: Export digest | |
run: | | |
mkdir -p /tmp/digests | |
digest="${{ steps.buildPush.outputs.digest }}" | |
touch "/tmp/digests/${digest#sha256:}" | |
- name: Upload digest | |
uses: actions/upload-artifact@v4 | |
with: | |
name: digests-${{ env.PLATFORM_PAIR }} | |
path: /tmp/digests/* | |
if-no-files-found: error | |
retention-days: 1 | |
final_tag_multiarch_merge_docker: | |
if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')) }} | |
needs: | |
- deploy_docker | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download digests | |
uses: actions/download-artifact@v4 | |
with: | |
path: /tmp/digests | |
pattern: digests-* | |
merge-multiple: true | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract metadata | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
images: ghcr.io/ledgerhq/speculos | |
tags: | | |
type=raw,value=${{ github.sha }} | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Create manifest list and push | |
working-directory: /tmp/digests | |
run: | | |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ | |
$(printf 'ghcr.io/ledgerhq/speculos@sha256:%s ' *) | |
- name: Inspect image | |
run: | | |
docker buildx imagetools inspect ghcr.io/ledgerhq/speculos:latest |