refactor: use only goreleaser to build unsigned chainlink images in o…

…ne workflow (#14034) * refactor: use only goreleaser to build unsigned chainlink images in one workflow * fix: use branches-ignore filter instead * rename and switch runner * temp switch back name because of env protection rule * back to use the refactored name * update goreleaser yaml * add new docker inputs, rename IMAGE_NAME, add goreleaser build-sign-publish workflow * add output image name and digest to github summary * refactor gha workflow names and add output image name and digest to build-develop * remove unnecessary outputs * add a git_ref validation job * temp delete workflows for easier testing * add if conditional to validate step * fix metric name and add debug log * update docker registry * no goreleaser output since we don't use the goreleaser/action * remove debug log and use bash shell * fix formatting * remove root images from goreleaser yaml * use custom setup-go * fix typo * use tee instead * add back setup-go and refactor output summary step * update with new filename and workflow trigger * fix docker registry input * remove role-duration input * change conditional * revert temp gha workflow delete commit * sync with origin develop * refactor trigger based on push and pr label * fix install remote plugins bug include * add new docker builds for plugins and update dockerfile * add goreleaser --split to gha and refactor action_utils script * fix add shell * fix metrics job name and publish docker manifest files * fix image_templates goreleaser * fix check artifacts.json and metrics name * fix if not end * ls -al dist * add --single-target flag and split checksum * remove split in checksum * remove --single-target and update output artifact.json path * cat artifacts.json * use ubuntu-latest runner * update build-publish workflow output summary step * build on every pr - conditional publish | add workflow_dispatch trigger * add workflow_dispatch conditional build-publish * fix typo * fix typo * use ubuntu-20.04 runner * fix conditional * add comment
smartcontractkit · Aug 15, 2024 · e2a8841 · e2a8841
1 parent 5e99bdb
commit e2a8841
Show file tree

Hide file tree

Showing 11 changed files with 283 additions and 290 deletions.
diff --git a/.github/actions/goreleaser-build-sign-publish/action.yml b/.github/actions/goreleaser-build-sign-publish/action.yml
@@ -29,10 +29,13 @@ inputs:
     description: The docker registry
     default: localhost:5001
     required: false
-  # snapshot inputs
-  enable-goreleaser-snapshot:
-    description: Enable goreleaser build / release snapshot
-    default: "false"
+  docker-image-name:
+    description: The docker image name
+    default: chainlink
+    required: false
+  docker-image-tag:
+    description: The docker image tag
+    default: develop
     required: false
   # goreleaser inputs
   goreleaser-exec:
@@ -43,6 +46,17 @@ inputs:
     description: "The goreleaser configuration yaml"
     default: ".goreleaser.yaml"
     required: false
+  enable-goreleaser-snapshot:
+    description: Enable goreleaser build / release snapshot
+    default: "false"
+    required: false
+  enable-goreleaser-split:
+    description: Enable goreleaser split and merge builds
+    default: "false"
+    required: false
+  goreleaser-split-arch:
+    description: The architecture to split the goreleaser build
+    required: false
   # signing inputs
   enable-cosign:
     description: Enable signing of docker images
@@ -57,13 +71,6 @@ inputs:
   cosign-password:
     description: The password to decrypt the cosign private key needed to sign the image
     required: false
-outputs:
-  goreleaser-metadata:
-    description: "Build result metadata"
-    value: ${{ steps.goreleaser.outputs.metadata }}
-  goreleaser-artifacts:
-    description: "Build result artifacts"
-    value: ${{ steps.goreleaser.outputs.artifacts }}
 runs:
   using: composite
   steps:
@@ -97,14 +104,22 @@ runs:
       uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
       with:
         registry: ${{ inputs.docker-registry }}
-    - name: Goreleaser release
-      id: goreleaser
+    - name: Set goreleaser split env
+      if: inputs.enable-goreleaser-split == 'true'
+      shell: bash
+      run: |
+        echo "GOOS=linux" | tee -a $GITHUB_ENV
+        echo "GOARCH=${{ inputs.goreleaser-split-arch }}" | tee -a $GITHUB_ENV
+    - name: Run goreleaser release
       shell: bash
       env:
         ENABLE_COSIGN: ${{ inputs.enable-cosign }}
         ENABLE_GORELEASER_SNAPSHOT: ${{ inputs.enable-goreleaser-snapshot }}
+        ENABLE_GORELEASER_SPLIT: ${{ inputs.enable-goreleaser-split }}
         ENABLE_DOCKER_PUBLISH: ${{ inputs.enable-docker-publish }}
         IMAGE_PREFIX: ${{ inputs.docker-registry }}
+        IMAGE_NAME: ${{ inputs.docker-image-name }}
+        IMAGE_TAG: ${{ inputs.docker-image-tag }}
         GORELEASER_EXEC: ${{ inputs.goreleaser-exec }}
         GORELEASER_CONFIG: ${{ inputs.goreleaser-config }}
         COSIGN_PASSWORD: ${{ inputs.cosign-password }}

diff --git a/.github/actions/goreleaser-build-sign-publish/action_utils b/.github/actions/goreleaser-build-sign-publish/action_utils
@@ -4,6 +4,7 @@ set -euo pipefail
 
 ENABLE_COSIGN=${ENABLE_COSIGN:-false}
 ENABLE_GORELEASER_SNAPSHOT=${ENABLE_GORELEASER_SNAPSHOT:-false}
+ENABLE_GORELEASER_SPLIT=${ENABLE_GORELEASER_SPLIT:-false}
 ENABLE_DOCKER_PUBLISH=${ENABLE_DOCKER_PUBLISH:-false}
 COSIGN_PASSWORD=${COSIGN_PASSWORD:-""}
 GORELEASER_EXEC=${GORELEASER_EXEC:-goreleaser}
@@ -27,8 +28,12 @@ _publish_snapshot_manifests() {
   local docker_manifest_extra_args=$DOCKER_MANIFEST_EXTRA_ARGS
   local full_sha=$(git rev-parse HEAD)
   local images=$(docker images --filter "label=org.opencontainers.image.revision=$full_sha" --format "{{.Repository}}:{{.Tag}}" | sort)
-  local arches=(amd64 arm64)
   local raw_manifest_lists=""
+  if [[ $ENABLE_GORELEASER_SPLIT == "true" ]]; then
+    local arches=(${GOARCH:-""})
+  else
+    local arches=(amd64 arm64)
+  fi
   for image in $images; do
     for arch in "${arches[@]}"; do
       image=${image%"-$arch"}
@@ -51,22 +56,35 @@ _publish_snapshot_manifests() {
 
 # wrapper function to invoke goreleaser release
 goreleaser_release() {
+  goreleaser_flags=()
+
+  # set goreleaser flags
+  if [[ $ENABLE_GORELEASER_SNAPSHOT == "true" ]]; then
+    goreleaser_flags+=("--snapshot")
+    goreleaser_flags+=("--clean")
+  fi
+  if [[ $ENABLE_GORELEASER_SPLIT == "true" ]]; then
+    goreleaser_flags+=("--split")
+  fi
+  flags=$(printf "%s " "${goreleaser_flags[@]}")
+  flags=$(echo "$flags" | sed 's/ *$//')
+
   if [[ $ENABLE_COSIGN == "true" ]]; then
     echo "$COSIGN_PUBLIC_KEY" > cosign.pub
     echo "$COSIGN_PRIVATE_KEY" > cosign.key
   fi
+
   if [[ -n $MACOS_SDK_DIR ]]; then
     MACOS_SDK_DIR=$(echo "$(cd "$(dirname "$MACOS_SDK_DIR")" || exit; pwd)/$(basename "$MACOS_SDK_DIR")")
   fi
-  if [[ $ENABLE_GORELEASER_SNAPSHOT == "true" ]]; then
-    $GORELEASER_EXEC release --snapshot --clean --config "$GORELEASER_CONFIG" "$@"
-    if [[ $ENABLE_DOCKER_PUBLISH == "true" ]]; then
+
+  $GORELEASER_EXEC release ${flags} --config "$GORELEASER_CONFIG" "$@"
+
+  if [[ $ENABLE_DOCKER_PUBLISH == "true" ]]; then
       _publish_snapshot_images
       _publish_snapshot_manifests
-    fi
-  else
-    $GORELEASER_EXEC release --clean --config "$GORELEASER_CONFIG" "$@"
   fi
+
   if [[ $ENABLE_COSIGN == "true" ]]; then
     rm -rf cosign.pub
     rm -rf cosign.key

diff --git a/.github/workflows/build-publish-develop-pr.yml b/.github/workflows/build-publish-develop-pr.yml
@@ -0,0 +1,119 @@
+name: "Build and Publish Chainlink"
+
+on:
+  pull_request:
+  push:
+    branches:
+      - develop
+      - "release/**"
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: "The git ref to check out"
+        required: true
+      build-publish:
+        description: "Whether to build and publish - defaults to just build"
+        required: false
+        default: "false"
+
+env:
+  GIT_REF: ${{ github.event.inputs.git_ref || github.ref }}
+
+jobs:
+  goreleaser-build-publish-chainlink:
+    runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      matrix:
+        goarch: [amd64, arm64]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ env.GIT_REF }}
+
+      # This gets the image tag and whether to publish the image based on the event type
+      # PR builds: pr-<pr_number>-<short_sha> (if label 'build-publish' is present publishes the image)
+      # develop builds: develop-<short_sha>
+      # release builds: release-<short_sha>
+      # manual builds: <short_sha> (if build-publish is true publishes the image)
+      - name: Get image tag
+        id: get-image-tag
+        run: |
+          short_sha=$(git rev-parse --short HEAD)
+          echo "build-publish=false" | tee -a $GITHUB_OUTPUT
+          if [[ ${{ github.event_name }} == 'push' ]]; then
+            if [[ ${{ github.ref_name }} == 'release/'* ]]; then
+              echo "image-tag=release-${short_sha}" | tee -a $GITHUB_OUTPUT
+              echo "build-publish=true" | tee -a $GITHUB_OUTPUT
+            else
+              echo "image-tag=develop-${short_sha}" | tee -a $GITHUB_OUTPUT
+              echo "build-publish=true" | tee -a $GITHUB_OUTPUT
+            fi
+          elif [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
+            echo "image-tag=${short_sha}" | tee -a $GITHUB_OUTPUT
+            echo "build-publish=${{ github.event.inputs.build-publish }}" | tee -a $GITHUB_OUTPUT
+          else
+            if [[ ${{ github.event_name }} == "pull_request" ]]; then
+              echo "image-tag=pr-${{ github.event.number }}-${short_sha}" | tee -a $GITHUB_OUTPUT
+              if [[ ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }} == "true" ]]; then
+                echo "build-publish=true" | tee -a $GITHUB_OUTPUT
+              fi
+            fi
+          fi
+
+      - name: Configure aws credentials
+        if: steps.get-image-tag.outputs.build-publish == 'true'
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_BUILD_PUBLISH_DEVELOP_PR }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          mask-aws-account-id: true
+          role-session-name: goreleaser-build-publish-chainlink
+
+      - name: Build and publish images
+        uses: ./.github/actions/goreleaser-build-sign-publish
+        with:
+          enable-docker-publish: ${{ steps.get-image-tag.outputs.build-publish }}
+          docker-registry: ${{ secrets.AWS_SDLC_ECR_HOSTNAME }}
+          docker-image-name: chainlink
+          docker-image-tag: ${{ steps.get-image-tag.outputs.image-tag }}
+          enable-goreleaser-snapshot: "true"
+          enable-goreleaser-split: "true"
+          goreleaser-split-arch: ${{ matrix.goarch }}
+          goreleaser-exec: ./tools/bin/goreleaser_wrapper
+          goreleaser-config: .goreleaser.develop.yaml
+          goreleaser-key: ${{ secrets.GORELEASER_KEY }}
+          zig-version: 0.11.0
+
+      - name: Output image name and digest
+        if: steps.get-image-tag.outputs.build-publish == 'true'
+        shell: bash
+        run: |
+          # need to check if artifacts.json exists because goreleaser splits the build
+          if [[ -f dist/artifacts.json ]]; then
+            artifact_path="dist/artifacts.json"
+          else
+            artifact_path="dist/linux_${{ matrix.goarch }}/artifacts.json"
+            cat dist/linux_${{ matrix.goarch }}/artifacts.json
+          fi
+          echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
+          jq -r '.[] | select(.type == "Docker Image") | "`\(.goarch)-image`: \(.name)"' ${artifact_path} >> output.txt
+          jq -r '.[] | select(.type == "Archive") | "`\(.goarch)-digest`: \(.extra.Checksum)"' ${artifact_path} >> output.txt
+          while read -r line; do
+            echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
+          done < output.txt
+
+      - name: Collect Metrics
+        if: always()
+        id: collect-gha-metrics
+        uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
+        with:
+          id: goreleaser-build-publish
+          org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
+          basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
+          hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
+          this-job-name: goreleaser-build-publish-chainlink (${{ matrix.goarch }})
+        continue-on-error: true
diff --git a/.github/workflows/build-publish-develop.yml b/.github/workflows/build-publish-develop.yml
diff --git a/.github/workflows/build-publish-pr.yml b/.github/workflows/build-publish-pr.yml