Skip to content

Enable the use of test key or prod key for PKI #1875

Enable the use of test key or prod key for PKI

Enable the use of test key or prod key for PKI #1875

name: Continuous Integration & Deployment
on:
workflow_dispatch:
push:
tags:
- '*'
branches:
- master
pull_request:
branches:
- master
jobs:
coverage:
name: Code coverage
runs-on: ubuntu-latest
container:
image: docker://ghcr.io/ledgerhq/speculos-builder:latest
steps:
- name: Clone
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Build with code coverage instrumentation
env:
CTEST_OUTPUT_ON_FAILURE: 1
RNG_SEED: 0
run: |
cmake -Bbuild -H. -DPRECOMPILED_DEPENDENCIES_DIR=/install -DWITH_VNC=1 -DCODE_COVERAGE=ON
make -C build clean
make -C build
make -C build test
pip install pytest-cov
pip install .
PYTHONPATH=. pytest --cov=speculos --cov-report=xml
- run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
with:
name: codecov-speculos
build:
name: Clone, build, test
runs-on: ubuntu-latest
strategy:
matrix:
python_version: ['3.8', '3.9', '3.10', '3.11']
# Use https://ghcr.io/ledgerhq/speculos-builder which has all the required
# dependencies
container:
image: docker://ghcr.io/ledgerhq/speculos-builder:latest
steps:
- name: Clone
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Python version
uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python_version }}
- name: Build and install package
run: |
cmake -Bbuild -H. -DPRECOMPILED_DEPENDENCIES_DIR=/install -DWITH_VNC=1
make -C build
pip install pytest
pip install .
- name: Test
env:
CTEST_OUTPUT_ON_FAILURE: 1
run: |
make -C build/ test
pytest
package_python:
name: Build and deploy Speculos Python Package
runs-on: ubuntu-latest
needs: [build]
container:
image: docker://ghcr.io/ledgerhq/speculos-builder:latest
steps:
- name: Clone
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Use pip to install Speculos in a virtual environment
run: |
python3 -m venv venv-test
./venv-test/bin/pip install .
./venv-test/bin/speculos --help
echo "TAG_VERSION=$(python -c 'from speculos import __version__; print(__version__)')" >> "$GITHUB_ENV"
- name: Build Speculos python package
run: |
git config --global --add safe.directory "$GITHUB_WORKSPACE"
if [ -e dist ] ; then
echo >&2 "Error: dist/ directory already exists and this is unexpected. Refusing to build new packages."
exit 1
fi
python3 -m venv venv-build
./venv-build/bin/pip install --upgrade pip build twine
./venv-build/bin/python -m build
./venv-build/bin/python -m twine check dist/*
- name: Check version against CHANGELOG
if: startsWith(github.ref, 'refs/tags/')
shell: bash
run: |
CHANGELOG_VERSION=$(grep -Po '(?<=## \[)(\d+\.)+[^\]]' CHANGELOG.md | head -n 1)
if [ "${{ env.TAG_VERSION }}" == "${CHANGELOG_VERSION}" ]; \
then \
exit 0; \
else \
echo "Tag '${{ env.TAG_VERSION }}' and CHANGELOG '${CHANGELOG_VERSION}' versions mismatch!"; \
exit 1; \
fi
- name: Publish Python package on pypi.org
if: success() && github.event_name == 'push'
run: ./venv-build/bin/python -m twine upload dist/*
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}
TWINE_NON_INTERACTIVE: 1
package_and_test_docker:
name: Build and test the Speculos docker
uses: ./.github/workflows/reusable_ragger_tests_latest_speculos.yml
with:
app_repository: LedgerHQ/app-boilerplate
app_branch_name: master
test_dir: tests
speculos_app_branch_name: ${{ github.ref }}
package_and_test_docker_for_nanos:
name: Build and test the Speculos docker for Nano S
uses: ./.github/workflows/reusable_ragger_tests_latest_speculos.yml
with:
app_repository: LedgerHQ/app-boilerplate
app_branch_name: nanos_baseline
test_dir: tests
speculos_app_branch_name: ${{ github.ref }}
deploy_docker:
name: Build and Upload the Speculos docker
strategy:
matrix:
include:
- platform: linux/amd64
runner: ubuntu-latest
- platform: linux/arm64
runner: speculos-builder-2c-arm64-ubuntu_2404
runs-on: ${{ matrix.runner }}
needs: [build]
steps:
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
if [[ "${{ github.event_name }}" == 'push' && ( "${{ github.ref }}" == 'refs/heads/master' || "${{ github.ref }}" =~ '^refs/tags/.*' ) ]]; then
PUSH_FLAG='true'
else
PUSH_FLAG='false'
fi
echo "PUSH_FLAG=${PUSH_FLAG}" >> $GITHUB_ENV
- name: Clone
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Extract metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ghcr.io/ledgerhq/speculos
tags: |
type=raw,value=${{ github.sha }}
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and publish to GitHub Packages
uses: docker/build-push-action@v6
id: buildPush
with:
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ matrix.platform }}
outputs: type=image,name=ghcr.io/ledgerhq/speculos,push-by-digest=true,name-canonical=true,push=${{ env.PUSH_FLAG }}
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.buildPush.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
final_tag_multiarch_merge_docker:
if: ${{ github.event_name == 'push' && (github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')) }}
needs:
- deploy_docker
runs-on: ubuntu-latest
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ghcr.io/ledgerhq/speculos
tags: |
type=raw,value=${{ github.sha }}
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf 'ghcr.io/ledgerhq/speculos@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ghcr.io/ledgerhq/speculos:latest