feat: create nightly builds

.github/workflows/main.yml

@@ -2,40 +2,131 @@ name: CI
 
 on:
   push:
-    branches:
-      - master
-  pull_request:
-    branches:
-      - master
+# TODO: restore before merging
+#    branches:
+#      - master
+#  pull_request:
+#    branches:
+#      - master
+
+env:
+ # TODO: restore DIST_ROOT: '/ipns/dist.ipfs.io' # content root used for calculating diff to build
+ DIST_ROOT: '/ipfs/QmX6J3hVtMF9Y73CKcyLHfgviEfXGFFQABWPXsD17EsBhg' # dist.ipfs.io without ipfs-update@v1.7.1
+ GO_IPFS_VER: 'v0.9.1'           # go-ipfs daemon used for chunking and applying diff
+ CLUSTER_CTL_VER: 'v0.14.0'      # ipfs-cluster-ctl used for pinning
 
 jobs:
   build:
     runs-on: "ubuntu-latest"
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2-beta
+      - uses: actions/setup-node@v2
         with:
           node-version: '14'
-      - uses: actions/setup-go@v2
+      - name: Setup IPFS
+        run: ./scripts/ci/setup-ipfs.sh
+        env:
+          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
+          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
+        timeout-minutes: 5
+      - name: Build any new ./releases
+        run: ./dockerized make all_dists
+      - name: Inspect git status and contents of ./releases
+        run: git status && ls -Rhl ./releases
+      - name: Temporarily save ./releases artifacts
+        uses: actions/upload-artifact@v2
         with:
-          go-version: '1.16'
-      - run: sudo snap install ipfs jq
-      - run: ipfs init --profile server
-      - run: ipfs daemon &
-      - name: Wait for ipfs daemon
-        run: npx wait-port http://127.0.0.1:8080/api/v0/version
-      - name: Connect to ipfs cluster
-        run: ipfs swarm connect /dnsaddr/cluster.ipfs.io
-      - run: make publish
-      # todo: add $(cat versions) to cluster (and wait)
-      # todo: update dist dnslink if changed.
-
-  lint: 
+          name: releases-unsigned-diff
+          path: releases
+          retention-days: 1
+
+  lint:
     runs-on: "ubuntu-latest"
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2-beta
+      - uses: actions/setup-node@v2
         with:
           node-version: '14'
       - run: npm ci --no-audit --progress=false
       - run: npm run lint
+
+  sign-macos:
+    runs-on: "macos-latest"
+    needs: build
+    steps:
+      - uses: actions/checkout@v2
+      - name: Retrieve unsigned artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: releases-unsigned-diff
+          path: releases
+        continue-on-error: true # skip if no releases
+      - name: List ./releases before
+        run: ls -Rhl ./releases || echo "No ./releases"
+      - name: Install gon via HomeBrew for code signing and app notarization
+        run: |
+          brew tap mitchellh/gon
+          brew install ipfs coreutils gawk gnu-sed jq mitchellh/gon/gon
+          ipfs init --profile test # needed for calculating NEW_CID later
+      - name: Import Keychain Certs
+        uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 # v1@2020-02-03
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CERTS_P12 }}
+          p12-password: ${{ secrets.APPLE_CERTS_PASS }}
+      - name: Verify identity used for signing
+        run: security find-identity -v
+      - name: Sign any new releases
+        run: ./scripts/ci/sign-new-macos-releases.sh
+        env:
+          WORK_DIR: ${{ github.workspace }}
+          AC_USERNAME: ${{ secrets.APPLE_AC_USERNAME }} # implicitly read from env by gon
+          AC_PASSWORD: ${{ secrets.APPLE_AC_PASSWORD }}
+      - name: List ./releases after
+        run: ls -Rhl ./releases || echo "No ./releases"
+      - name: Temporarily save notarized artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: releases-signed-macos-diff
+          path: releases
+          retention-days: 1
+        continue-on-error: true # skip if no releases
+
+  persist:
+    runs-on: "ubuntu-latest"
+    needs: sign-macos
+    steps:
+      - uses: actions/checkout@v2
+      - name: Retrieve signed artifacts
+        uses: actions/download-artifact@v2
+        continue-on-error: true # skip if no releases
+        with:
+          name: releases-signed-macos-diff
+          path: releases
+      - name: List ./releases
+        run: ls -Rhl ./releases || echo "No ./releases"
+      - name: Setup IPFS
+        run: ./scripts/ci/setup-ipfs.sh
+        env:
+          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
+          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
+        timeout-minutes: 5
+      - run: ./dockerized make publish
+      - run: git status
+      - name: Read CID of updated DAG
+        id: cid-reader
+        run: echo "::set-output name=CID::$(tail -1 ./versions)"
+      - name: Pin new website to ipfs-websites.collab.ipfscluster.io
+        run: ./scripts/ci/pin-to-cluster.sh
+        env:
+          PIN_CID: ${{ steps.cid-reader.outputs.CID }}
+          PIN_NAME: "https://github.com/ipfs/distributions/commits/${{ github.sha }}"
+          PIN_ADD_EXTRA_ARGS: ""
+          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
+          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
+        timeout-minutes: 60
+      - name: Update PR status with preview link
+        run: ./scripts/ci/github-preview-link.sh
+        env:
+          CONTENT_PATH: "/ipfs/${{ steps.cid-reader.outputs.CID }}/"
+          GIT_REVISION: ${{ github.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/nightly.yml

@@ -0,0 +1,104 @@
+name: Nightly
+
+on:
+  push:
+  ## Allow manual invocation
+  #workflow_dispatch:
+  #schedule:
+  #  - cron: '0 5 * * *' # UTC
+
+env:
+ DIST_ROOT: '/ipns/dist.ipfs.io' # content root used for calculating diff to build
+ GO_IPFS_VER: 'v0.9.1'           # go-ipfs daemon used for chunking and applying diff
+ CLUSTER_CTL_VER: 'v0.14.0'      # ipfs-cluster-ctl used for pinning
+
+concurrency:
+  group: nightly
+  cancel-in-progress: true
+
+jobs:
+  prepare-matrix:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - id: set-matrix
+        run: echo "::set-output name=matrix::$(jq -nc '$ARGS.positional' --args $(ls ./dists -1))"
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+  build:
+    runs-on: "ubuntu-latest"
+    needs: prepare-matrix
+    strategy:
+      max-parallel: 15 # avoid using all workers from the org pool
+      fail-fast: false
+      matrix:
+        dist_name: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setup IPFS
+        run: ./scripts/ci/setup-ipfs.sh
+        env:
+          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
+          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
+        timeout-minutes: 5
+      - run: cd ./dists/${{ matrix.dist_name }} && make nightly
+      - run: ./dockerized make publish
+      - name: Create issue if build failed
+        uses: actions/github-script@v4
+        if: ${{ failure() }}
+        with:
+          script: |
+            const title = 'Nightly build failed for ${{ matrix.dist_name }}'
+            const body = '${{ matrix.dist_name }} failed to build from the latest commit: https://github.com/ipfs/distributions/actions/runs/${{ github.run_id }}'
+            const opts = { owner: context.repo.owner, repo: context.repo.repo }
+            const response = await github.search.issuesAndPullRequests({
+              q: `repo:ipfs/distributions is:issue is:open in:title ${title}`
+            })
+            console.log('github.issuesAndPullRequests', response)
+            let link
+            if (response.data.items.length === 0) {
+              const created = await github.issues.create({ ...opts, title, body,
+                labels: ['kind/bug', 'need/triage']
+              })
+              console.log('no open issues, created a new one', created)
+              link = created.data.html_url
+            }
+            for (const issue of response.data.items) {
+              if (issue.title !== title) continue
+              console.log('found existing open issue', issue)
+              const created = await github.issues.createComment({ ...opts,
+                issue_number: issue.number,
+                body
+              })
+              console.log('commented on existing open issue', created)
+              link = created.data.html_url
+            }
+            await github.repos.createCommitStatus({ ...opts,
+              sha: '${{ github.sha }}',
+              state: 'error',
+              target_url: link,
+              context: 'Problem with ${{ matrix.dist_name }}',
+              description: 'See details in the linked issue'
+            })
+      - name: Inspect git status and contents of ./releases
+        run: git status && ls -Rhl ./releases
+      - name: Read CID of updated DAG
+        id: cid-reader
+        run: echo "::set-output name=CID::$(tail -1 ./versions)"
+      - name: Pin new website to ipfs-websites.collab.ipfscluster.io
+        run: ./scripts/ci/pin-to-cluster.sh
+        env:
+          PIN_CID: ${{ steps.cid-reader.outputs.CID }}
+          PIN_NAME: "ipfs/distributions/nightly/${{ matrix.dist_name }}"
+          PIN_ADD_EXTRA_ARGS: "--expire-in 168h"
+          CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
+          CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
+        timeout-minutes: 60
+      - name: Update PR status with preview link
+        run: ./scripts/ci/github-preview-link.sh
+        env:
+          GITHUB_TITLE: "Preview for ${{ matrix.dist_name }}"
+          CONTENT_PATH: "/ipfs/${{ steps.cid-reader.outputs.CID }}/${{ matrix.dist_name }}"
+          GIT_REVISION: ${{ github.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -1,7 +1,8 @@
 FROM ubuntu:20.04
 ARG USER_UID
+ARG GO_IPFS_VER
 RUN apt-get update -q && apt-get install -y git curl gnupg jq build-essential gawk zip 
-RUN curl -s https://dist.ipfs.io/go-ipfs/v0.8.0/go-ipfs_v0.8.0_linux-amd64.tar.gz | tar vzx -C /usr/local/bin/ go-ipfs/ipfs --strip-components=1
+RUN curl -s "https://dist.ipfs.io/go-ipfs/${GO_IPFS_VER}/go-ipfs_${GO_IPFS_VER}_linux-amd64.tar.gz" | tar vzx -C /usr/local/bin/ go-ipfs/ipfs --strip-components=1
 
 RUN adduser --shell /bin/bash --home /asdf --disabled-password --gecos asdf asdf --uid $USER_UID
 ENV PATH="${PATH}:/asdf/.asdf/shims:/asdf/.asdf/bin"

Makefile

@@ -1,19 +1,31 @@
 all: deps releases all_dists site
 
-.PHONY: all all_dists deps
-all_dists: $(notdir $(wildcard dists/*))
+DISTS = $(notdir $(wildcard dists/*))
 
-%:
+NDISTS = $(DISTS:%=nightly-%)
+
+.PHONY: all all_dists deps nightly
+all_dists: $(DISTS)
+
+$(DISTS):
 	@echo "** $@ **"
 	$(MAKE) -C dists/$@
 	@echo ""
 
+nightly: $(NDISTS)
+
+$(NDISTS):
+	@echo "** $@ Nightly **"
+	$(MAKE) -C dists/$(@:nightly-%=%) nightly
+	@echo ""
+
 deps:
 	./deps-check.sh
 
 releases:
 	mkdir -p releases
 
+
 .PHONY: site
 site: deps
 	@echo "** Building site **"

README.md

@@ -90,6 +90,9 @@ Example:
 > ./dist.sh add-version fs-repo-99-to-100 v1.0.1
 ```
 
+**Official build:** If you want to build official signed binaries for added version, commit changes to `dists/<dist>` and open a PR against `ipfs/distributions`.
+Github Action workflow for a PR builds and signs new version using deterministic toolchain and spits out updated root CID at the end.
+
 ### Adding a new (go) distribution
 
 Run:
@@ -107,25 +110,27 @@ The optional `sub_package` argument is used to specify a module within a repo.
 
 ### Publishing
 
-In the root of the repository, run:
+To produce a CID (`<NEW_HASH>`) that includes binaries for all versions defined in `./dists/`, in the root of the repository, run:
 
 ```sh
 > make publish
 ```
 
-This will build any new binaries defined by dist and the website to the `releases` dir, add it to ipfs and patch it into the existing dag for the published dist.ipfs.io. Save the hash it spits out (we'll call it `<NEW_HASH>`), that's the new hash for `dists.ipfs.io`. We also append it to a file called `versions` in the repo root (*not* checked into git).
-
-Next, you should probably:
+- This will build any new binaries defined by dist and the website to the `releases` dir, add it to ipfs and patch it into the existing dag for the published `/ipns/dist.ipfs.io`.
+- Versions that are already present on the website will be reused, speeding up the build.
+- Updated CID (`<NEW_HASH>`) will be printed at the end. That's the new hash for `dists.ipfs.io`. We also append it to a file called `versions` in the repo root (*not* checked into git).
 
-1. Load the dists website in your browser to make sure everything looks right: `http://127.0.0.1:8080/ipfs/<NEW_HASH>`.
-2. Compare `<NEW_HASH>` with the current `dists.ipfs.io` to make sure nothing is amiss: `ipfs object diff /ipns/dist.ipfs.io /ipfs/<NEW_HASH>`
+After the local build is done, make a quick inspection:
 
-If all looks well, **pin the hash using pinbot** (#ipfs-pinbot on Freenode, ask someone if you don't have permission to do so).
+2. Load the dists website in your browser to make sure everything looks right: `http://localhost:8080/ipfs/<NEW_HASH>`.
+3. Compare `<NEW_HASH>` with the current `dists.ipfs.io` to make sure nothing is amiss: `ipfs object diff /ipns/dist.ipfs.io /ipfs/<NEW_HASH>`
 
 Finally,
 
 1. Commit your changes and make a PR. Specifically, the changes to `dists/<dist>/versions` and `dists/<dist>/current`.
-2. Make a PR with an edit on [protocol/infra](https://github.com/protocol/infra/blob/master/dns/config/dist.ipfs.io.yaml) with the hash you got from `make publish` and a link to the PR above.
+2. Wait for [Github Action](https://github.com/ipfs/distributions/actions/) on your PR to build **signed** binaries. `<NEW_SIGNED_HASH>` will be different than one from local build.
+3. Make a PR with an edit on [protocol/infra](https://github.com/protocol/infra/blob/master/dns/config/dist.ipfs.io.yaml) with `<NEW_SIGNED_HASH>` you got from the Github Action output and a link to the PR above.
+   - TODO: this step may be automated in the future - see the [discussion](https://github.com/ipfs/distributions/issues/372).
 
 If you have permission, you can just merge the PR, update the DNS, and then immediately, close the issue on ipfs/infrastructure. Ping someone on IRC.