Skip to content

Use a rust layer with a full app build #5046

Use a rust layer with a full app build

Use a rust layer with a full app build #5046

Workflow file for this run

name: Docker
on:
pull_request:
release:
types: [published]
push:
branches:
- develop
- main
- release\/*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build_deb:
name: Build debian package
runs-on: selfhosted-ubuntu-22.04-16-cores
needs:
- setup_version_properties
outputs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
env:
VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }}
VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
permissions:
id-token: write
contents: read
pull-requests: read
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Docker meta
id: meta
uses: RDXWorks-actions/metadata-action@master
with:
images: |
docker.io/radixdlt/babylon-node
tags: |
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
flavor: |
latest=false
- uses: RDXWorks-actions/toolchain@master
with:
toolchain: stable
- name: Set up JDK 17
uses: RDXWorks-actions/setup-java@main
with:
distribution: 'zulu'
java-version: '17'
- name: Cache Gradle packages
uses: RDXWorks-actions/cache@main
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb
restore-keys: ${{ runner.os }}-gradle-deb
- name: Restore cached image-cache
id: cache-image-restore
uses: RDXWorks-actions/cache/restore@main
with:
path: /tmp/outputs/cache/docker
key: babylon-node-default-${{ hashFiles('./Dockerfile') }}
- name: Set up Docker Context for Buildx
run: |
docker context create builders | true
- name: Set up Docker Buildx
uses: RDXWorks-actions/setup-buildx-action@master
with:
version: latest
endpoint: builders
- name: Create deb package
run: |
sudo apt-get update && sudo apt-get install -y make
cd core && make build-core
- name: Upload generated debian package
uses: RDXWorks-actions/upload-artifact@main
with:
name: deb4docker
path: "${{ github.workspace }}/docker/*.deb"
setup_tags:
name: Setup Docker tags
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.setup_tags.outputs.tag }}
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- id: setup_tags
run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
setup_version_properties:
name: Setup version properties
runs-on: ubuntu-latest
outputs:
VERSION_BRANCH: ${{ steps.setup_version_properties.outputs.VERSION_BRANCH }}
VERSION_BUILD: ${{ steps.setup_version_properties.outputs.VERSION_BUILD }}
VERSION_COMMIT: ${{ steps.setup_version_properties.outputs.VERSION_COMMIT }}
VERSION_DISPLAY: ${{ steps.setup_version_properties.outputs.VERSION_DISPLAY }}
VERSION_TAG: ${{ steps.setup_version_properties.outputs.VERSION_TAG }}
VERSION_LAST_TAG: ${{ steps.setup_version_properties.outputs.VERSION_LAST_TAG }}
steps:
- uses: RDXWorks-actions/checkout@main
with:
fetch-depth: 0
- name: Setup version properties
id: setup_version_properties
uses: ./.github/actions/setup-version-properties
build_push_container_private:
name: (PRIVATE) Docker AMD
needs:
- setup_tags
- setup_version_properties
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: ubuntu-16-cores-selfhosted
image_registry: "docker.io"
image_organization: "radixdlt"
image_name: "private-babylon-node"
tag: ${{ needs.setup_tags.outputs.tag }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
flavor:
${{ contains( github.event.pull_request.labels.*.name, 'ARM-TEST') && 'suffix=-amd64' || '' }}
${{ github.event_name != 'pull_request' && 'suffix=-amd64' || '' }}
context: "."
dockerfile: "./Dockerfile"
platforms: "linux/amd64"
cache_tag_suffix: "amd64"
use_gh_remote_cache: true
provenance: "false"
scan_image: true
snyk_target_ref: ${{ github.ref_name }}
build-args: |
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }}
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
build_push_container_private_arm:
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'
name: (PRIVATE) Docker ARM
needs:
- setup_tags
- setup_version_properties
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: selfhosted-ubuntu-22.04-arm
image_registry: "docker.io"
image_organization: "radixdlt"
image_name: "private-babylon-node"
tag: ${{ needs.setup_tags.outputs.tag }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=ref,event=tag
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha
flavor: |
suffix=-arm64
context: "."
dockerfile: "./Dockerfile"
use_gh_remote_cache: true
provenance: "false"
scan_image: false
snyk_target_ref: ${{ github.ref_name }}
platforms: "linux/arm64"
cache_tag_suffix: arm64
build-args: |
WGET_VERSION=1.21.3-1+b1
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }}
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
join_multiarch_image_private_dockerhub:
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'
name: Join Multiarch Image Private Dockerhub
needs:
- build_push_container_private
- build_push_container_private_arm
permissions:
id-token: write
contents: read
pull-requests: read
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
with:
aws_dockerhub_secret: github-actions/common/dockerhub-credentials-read-only
amd_meta_data_json: ${{needs.build_push_container_private.outputs.json}}
secrets:
role-to-assume: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access"
build_push_container_dockerhub:
if: github.event_name == 'release'
name: (DockerHub) Docker AMD
needs:
- setup_version_properties
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: ubuntu-16-cores-selfhosted
image_registry: "docker.io"
image_organization: "radixdlt"
image_name: "babylon-node"
tag: ${{ github.event.release.tag_name }}
flavor: |
suffix=-amd64
context: "."
dockerfile: "./Dockerfile"
platforms: "linux/amd64"
cache_tag_suffix: "amd64"
use_gh_remote_cache: true
enable_dockerhub: "true"
provenance: "false"
build-args: |
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }}
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
secrets:
role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
build_push_container_dockerhub_arm:
if: github.event_name == 'release'
name: (DockerHub) Docker ARM
needs:
- setup_version_properties
permissions:
id-token: write
contents: read
pull-requests: write
packages: write
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
with:
runs_on: selfhosted-ubuntu-22.04-arm
image_registry: "docker.io"
image_organization: "radixdlt"
image_name: "babylon-node"
tag: ${{ github.event.release.tag_name }}
flavor: |
suffix=-arm64
context: "."
dockerfile: "./Dockerfile"
platforms: "linux/arm64"
cache_tag_suffix: "arm64"
use_gh_remote_cache: true
enable_dockerhub: "true"
provenance: "false"
build-args: |
WGET_VERSION=1.21.3-1+b1
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }}
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }}
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }}
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }}
secrets:
role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
join_multiarch_image_dockerhub:
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request'
name: Join Multiarch Image Private Dockerhub
needs:
- build_push_container_dockerhub
- build_push_container_dockerhub_arm
permissions:
id-token: write
contents: read
pull-requests: read
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
with:
aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
amd_meta_data_json: ${{needs.build_push_container_dockerhub.outputs.json}}
secrets:
role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
snyk_container_monitor:
name: Snyk monitor container
runs-on: ubuntu-latest
needs:
- build_push_container_dockerhub
- build_push_container_dockerhub_arm
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-node'
dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
image: docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64
target_ref: ${{ github.ref_name }}
snyk_monitor:
name: Snyk monitor
runs-on: ubuntu-latest
needs:
- build_push_container_dockerhub
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: RDXWorks-actions/checkout@main
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-node'
step_name: 'snyk-monitor'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Enable Snyk online monitoring to check for vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }}
command: monitor
ephemeral-deploy-and-benchmark:
permissions:
id-token: write
contents: read
name: Deploy ephemeral environment and run benchmark tests.
needs:
- setup_tags
- build_push_container_private
runs-on: ubuntu-22.04
steps:
- uses: RDXWorks-actions/checkout@main
with:
# Shallow clones should be disabled for a better relevancy of analysis
fetch-depth: 0
- uses: ./.github/actions/fetch-secrets
with:
role_name: "${{ secrets.BABYLON_SECRETS_ROLE_ARN }}"
app_name: "babylon-node"
step_name: "deploy"
secret_prefix: "JENKINS"
secret_name: "github-actions/radixdlt/babylon-node/jenkins-api-token"
parse_json: true
- name: Connect to tailnet
uses: radixdlt/public-iac-resuable-artifacts/tailnet@main
with:
role_name: "arn:aws:iam::${{ secrets.SECRETS_ACCOUNT_ID }}:role/gh-common-secrets-read-access"
region: "eu-west-2"
secret_name: "arn:aws:secretsmanager:eu-west-2:${{ secrets.SECRETS_ACCOUNT_ID }}:secret:github-actions/common/tailscale-public-workflows-DpiE80"
- name: Get docker image tag
run: |
echo "GITHUB_REF_NAME=$GITHUB_REF_NAME" >> $GITHUB_ENV
echo "GITHUB_REPOSITORY=$GITHUB_REPOSITORY" >> $GITHUB_ENV
- name: Deploy and test on ephemeral network
uses: RDXWorks-actions/jenkins-job-trigger-action@master
with:
jenkins_url: "${{ env.JENKINS_URL }}"
jenkins_user: ${{ env.JENKINS_USER }}
jenkins_token: ${{ env.JENKINS_TOKEN }}
job_name: "babylon-testing/job/ephemeral-deployments/job/ephemeral-node-ci-benchmark"
job_params: |
{
"RADIXDLT_NODE_DOCKER_TAG": "${{ needs.setup_tags.outputs.tag }}",
"RADIXDLT_GITHUB_TRIGGER" : "${{ env.GITHUB_REPOSITORY }}:${{ env.GITHUB_REF_NAME }}"
}
job_timeout: "3600"