build-publish.yml

name: "Build, Sign and Publish Chainlink"

on:
  # Mimics old circleci behaviour
  push:
    tags:
      - "v*"
    branches:
      - "release/**"

env:
  ECR_HOSTNAME: public.ecr.aws
  ECR_IMAGE_NAME: chainlink/chainlink

jobs:
  checks:
    name: "Checks"
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - name: Check for VERSION file bump on tags
        # Avoids checking VERSION file bump on forks.
        if: ${{ github.repository == 'smartcontractkit/chainlink' && startsWith(github.ref, 'refs/tags/v') }}
        uses: ./.github/actions/version-file-bump
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

  build-sign-publish-chainlink:
    needs: [checks]
    if: ${{ ! startsWith(github.ref_name, 'release/') }}
    runs-on: ubuntu-20.04
    environment: build-publish
    permissions:
      id-token: write
      contents: write
      attestations: write
    outputs:
      docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
      docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

      - name: Build, sign and publish chainlink image
        id: build-sign-publish
        uses: ./.github/actions/build-sign-publish-chainlink
        with:
          publish: true
          aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
          aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
          aws-region: ${{ secrets.AWS_REGION }}
          ecr-hostname: ${{ env.ECR_HOSTNAME }}
          ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
          dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
          dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
          sign-images: true
          verify-signature: true

      - name: Attest Docker image
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
          subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
          push-to-registry: true

      - name: Collect Metrics
        if: always()
        id: collect-gha-metrics
        uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
        with:
          id: build-chainlink-publish
          org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
          basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
          hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
          this-job-name: build-sign-publish-chainlink
        continue-on-error: true

  goreleaser-build-sign-publish-chainlink:
    needs: [checks]
    if: ${{ ! startsWith(github.ref_name, 'release/') }}
    runs-on: ubuntu-20.04
    environment: build-publish
    permissions:
      id-token: write
      contents: write
      attestations: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

      - name: Configure aws credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
          role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
          aws-region: ${{ secrets.AWS_REGION }}
          mask-aws-account-id: true
          role-session-name: goreleaser-build-sign-publish-chainlink

      - name: Set build configs
        shell: bash
        id: set-build-configs
        run: |
          if [[ ${{ github.ref_name }} =~ "-ccip" ]]; then
            echo "ECR_IMAGE_NAME=chainlink/ccip" | tee -a $GITHUB_OUTPUT
            echo "GORELEASER_CONFIG=.goreleaser.ccip.production.yaml" | tee -a $GITHUB_OUTPUT
          else
            echo "ECR_IMAGE_NAME=chainlink/chainlink" | tee -a $GITHUB_OUTPUT
            echo "GORELEASER_CONFIG=.goreleaser.production.yaml" | tee -a $GITHUB_OUTPUT
          fi

      - name: Build, sign, and publish image
        id: goreleaser-build-sign-publish
        uses: ./.github/actions/goreleaser-build-sign-publish
        with:
          docker-registry: ${{ env.ECR_HOSTNAME}}
          docker-image-name: ${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
          docker-image-tag: ${{ github.ref_name }}
          goreleaser-exec: ./tools/bin/goreleaser_wrapper
          goreleaser-config: ${{ steps.set-build-configs.outputs.GORELEASER_CONFIG }}
          goreleaser-key: ${{ secrets.GORELEASER_KEY }}
          zig-version: 0.11.0
          enable-cosign: true
          cosign-version: "v2.4.0"

      - name: Output image name and digest
        id: get-image-name-digest
        shell: bash
        run: |
          artifact_path="dist/artifacts.json"
          jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt

          echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
          while read -r line; do
            echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
          done < output.txt

          core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64"
          plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64"
          core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64"
          plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64"

          echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
          echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
          echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
          echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"

      - name: Attest tarballs
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-path: "dist/*.tar.gz"

      - name: Attest Docker image (core-amd64)
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }}
          subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
          push-to-registry: true

      - name: Attest Docker image (plugins-amd64)
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }}
          subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
          push-to-registry: true

      - name: Attest Docker image (core-arm64)
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }}
          subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
          push-to-registry: true

      - name: Attest Docker image (plugins-arm64)
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }}
          subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
          push-to-registry: true

      - name: Upload SBOMs
        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: goreleaser-sboms
          path: dist/*.sbom.json
      
      - name: Print SBOM artifact to job summary
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        run: |
          ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
          ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id')
          echo "Artifact ID: $ARTIFACT_ID"
          echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY"
          artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID"
          echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY

      - name: Collect Metrics
        if: always()
        id: collect-gha-metrics
        uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
        with:
          id: goreleaser-build-chainlink-publish
          org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
          basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
          hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
          this-job-name: goreleaser-build-sign-publish-chainlink
        continue-on-error: true

  # Notify Slack channel for new git tags.
  slack-notify:
    if: github.ref_type == 'tag'
    needs: [build-sign-publish-chainlink]
    runs-on: ubuntu-24.04
    environment: build-publish
    steps:
      - name: Checkout repository
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - name: Notify Slack
        uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # slack-notify-git-ref@0.1.2
        with:
          slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
          git-ref: ${{ github.ref_name }}
          git-ref-type: ${{ github.ref_type }}
          changelog-url: >-
            ${{
              github.ref_type == 'tag' &&
              format(
                'https://github.com/{0}/blob/{1}/CHANGELOG.md',
                github.repository,
                github.ref_name
              ) || ''
            }}
          docker-image-name: >-
            ${{ 
              github.ref_type == 'tag' && 
              format(
                '{0}/{1}:{2}', 
                env.ECR_HOSTNAME, 
                env.ECR_IMAGE_NAME, 
                needs.build-sign-publish-chainlink.outputs.docker-image-tag
              ) || ''
            }}
          docker-image-digest: >-
            ${{ 
              github.ref_type == 'tag' && 
              needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
            }}