Use a rust layer with a full app build #5048
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker | |
on: | |
pull_request: | |
release: | |
types: [published] | |
push: | |
branches: | |
- develop | |
- main | |
- release\/* | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build_deb: | |
name: Build debian package | |
runs-on: selfhosted-ubuntu-22.04-16-cores | |
needs: | |
- setup_version_properties | |
outputs: | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
env: | |
VERSION_BRANCH: ${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
VERSION_COMMIT: ${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
VERSION_DISPLAY: ${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
VERSION_BUILD: ${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
VERSION_TAG: ${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
VERSION_LAST_TAG: ${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Docker meta | |
id: meta | |
uses: RDXWorks-actions/metadata-action@master | |
with: | |
images: | | |
docker.io/radixdlt/babylon-node | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=ref,event=tag | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
flavor: | | |
latest=false | |
- uses: RDXWorks-actions/toolchain@master | |
with: | |
toolchain: stable | |
- name: Set up JDK 17 | |
uses: RDXWorks-actions/setup-java@main | |
with: | |
distribution: 'zulu' | |
java-version: '17' | |
- name: Cache Gradle packages | |
uses: RDXWorks-actions/cache@main | |
with: | |
path: ~/.gradle/caches | |
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}-deb | |
restore-keys: ${{ runner.os }}-gradle-deb | |
- name: Restore cached image-cache | |
id: cache-image-restore | |
uses: RDXWorks-actions/cache/restore@main | |
with: | |
path: /tmp/outputs/cache/docker | |
key: babylon-node-default-${{ hashFiles('./Dockerfile') }} | |
- name: Set up Docker Context for Buildx | |
run: | | |
docker context create builders | true | |
- name: Set up Docker Buildx | |
uses: RDXWorks-actions/setup-buildx-action@master | |
with: | |
version: latest | |
endpoint: builders | |
- name: Create deb package | |
run: | | |
sudo apt-get update && sudo apt-get install -y make | |
cd core && make build-core | |
- name: Upload generated debian package | |
uses: RDXWorks-actions/upload-artifact@main | |
with: | |
name: deb4docker | |
path: "${{ github.workspace }}/docker/*.deb" | |
setup_tags: | |
name: Setup Docker tags | |
runs-on: ubuntu-latest | |
outputs: | |
tag: ${{ steps.setup_tags.outputs.tag }} | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- id: setup_tags | |
run: echo "tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
setup_version_properties: | |
name: Setup version properties | |
runs-on: ubuntu-latest | |
outputs: | |
VERSION_BRANCH: ${{ steps.setup_version_properties.outputs.VERSION_BRANCH }} | |
VERSION_BUILD: ${{ steps.setup_version_properties.outputs.VERSION_BUILD }} | |
VERSION_COMMIT: ${{ steps.setup_version_properties.outputs.VERSION_COMMIT }} | |
VERSION_DISPLAY: ${{ steps.setup_version_properties.outputs.VERSION_DISPLAY }} | |
VERSION_TAG: ${{ steps.setup_version_properties.outputs.VERSION_TAG }} | |
VERSION_LAST_TAG: ${{ steps.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
with: | |
fetch-depth: 0 | |
- name: Setup version properties | |
id: setup_version_properties | |
uses: ./.github/actions/setup-version-properties | |
build_push_container_private: | |
name: (PRIVATE) Docker AMD | |
needs: | |
- setup_tags | |
- setup_version_properties | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: write | |
packages: write | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
with: | |
runs_on: ubuntu-16-cores-selfhosted | |
image_registry: "docker.io" | |
image_organization: "radixdlt" | |
image_name: "private-babylon-node" | |
tag: ${{ needs.setup_tags.outputs.tag }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=ref,event=tag | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
flavor: | |
${{ contains( github.event.pull_request.labels.*.name, 'ARM-TEST') && 'suffix=-amd64' || '' }} | |
${{ github.event_name != 'pull_request' && 'suffix=-amd64' || '' }} | |
context: "." | |
dockerfile: "./Dockerfile" | |
platforms: "linux/amd64" | |
cache_tag_suffix: "amd64" | |
use_gh_remote_cache: true | |
provenance: "false" | |
scan_image: true | |
snyk_target_ref: ${{ github.ref_name }} | |
build-args: | | |
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
build_push_container_private_arm: | |
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request' | |
name: (PRIVATE) Docker ARM | |
needs: | |
- setup_tags | |
- setup_version_properties | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: write | |
packages: write | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
with: | |
runs_on: selfhosted-ubuntu-22.04-arm | |
image_registry: "docker.io" | |
image_organization: "radixdlt" | |
image_name: "private-babylon-node" | |
tag: ${{ needs.setup_tags.outputs.tag }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=ref,event=tag | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=semver,pattern={{major}} | |
type=sha | |
flavor: | | |
suffix=-arm64 | |
context: "." | |
dockerfile: "./Dockerfile" | |
use_gh_remote_cache: true | |
provenance: "false" | |
scan_image: false | |
snyk_target_ref: ${{ github.ref_name }} | |
platforms: "linux/arm64" | |
cache_tag_suffix: arm64 | |
build-args: | | |
WGET_VERSION=1.21.3-1+b1 | |
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
join_multiarch_image_private_dockerhub: | |
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request' | |
name: Join Multiarch Image Private Dockerhub | |
needs: | |
- build_push_container_private | |
- build_push_container_private_arm | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main | |
with: | |
aws_dockerhub_secret: github-actions/common/dockerhub-credentials-read-only | |
amd_meta_data_json: ${{needs.build_push_container_private.outputs.json}} | |
secrets: | |
role-to-assume: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access" | |
build_push_container_dockerhub: | |
if: github.event_name == 'release' | |
name: (DockerHub) Docker AMD | |
needs: | |
- setup_version_properties | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: write | |
packages: write | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
with: | |
runs_on: ubuntu-16-cores-selfhosted | |
image_registry: "docker.io" | |
image_organization: "radixdlt" | |
image_name: "babylon-node" | |
tag: ${{ github.event.release.tag_name }} | |
flavor: | | |
suffix=-amd64 | |
context: "." | |
dockerfile: "./Dockerfile" | |
platforms: "linux/amd64" | |
cache_tag_suffix: "amd64" | |
use_gh_remote_cache: true | |
enable_dockerhub: "true" | |
provenance: "false" | |
build-args: | | |
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
secrets: | |
role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} | |
build_push_container_dockerhub_arm: | |
if: github.event_name == 'release' | |
name: (DockerHub) Docker ARM | |
needs: | |
- setup_version_properties | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: write | |
packages: write | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
with: | |
runs_on: selfhosted-ubuntu-22.04-arm | |
image_registry: "docker.io" | |
image_organization: "radixdlt" | |
image_name: "babylon-node" | |
tag: ${{ github.event.release.tag_name }} | |
flavor: | | |
suffix=-arm64 | |
context: "." | |
dockerfile: "./Dockerfile" | |
platforms: "linux/arm64" | |
cache_tag_suffix: "arm64" | |
use_gh_remote_cache: true | |
enable_dockerhub: "true" | |
provenance: "false" | |
build-args: | | |
WGET_VERSION=1.21.3-1+b1 | |
VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }} | |
VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }} | |
VERSION_DISPLAY=${{ needs.setup_version_properties.outputs.VERSION_DISPLAY }} | |
VERSION_BUILD=${{ needs.setup_version_properties.outputs.VERSION_BUILD }} | |
VERSION_TAG=${{ needs.setup_version_properties.outputs.VERSION_TAG }} | |
VERSION_LAST_TAG=${{ needs.setup_version_properties.outputs.VERSION_LAST_TAG }} | |
secrets: | |
role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} | |
join_multiarch_image_dockerhub: | |
if: contains( github.event.pull_request.labels.*.name, 'ARM-TEST') || github.event_name != 'pull_request' | |
name: Join Multiarch Image Private Dockerhub | |
needs: | |
- build_push_container_dockerhub | |
- build_push_container_dockerhub_arm | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main | |
with: | |
aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials | |
amd_meta_data_json: ${{needs.build_push_container_dockerhub.outputs.json}} | |
secrets: | |
role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }} | |
snyk_container_monitor: | |
name: Snyk monitor container | |
runs-on: ubuntu-latest | |
needs: | |
- build_push_container_dockerhub | |
- build_push_container_dockerhub_arm | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'babylon-node' | |
dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} | |
snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
snyk_org_id: ${{ secrets.SNYK_ORG_ID }} | |
image: docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64 | |
target_ref: ${{ github.ref_name }} | |
snyk_monitor: | |
name: Snyk monitor | |
runs-on: ubuntu-latest | |
needs: | |
- build_push_container_dockerhub | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: RDXWorks-actions/checkout@main | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'babylon-node' | |
step_name: 'snyk-monitor' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Enable Snyk online monitoring to check for vulnerabilities | |
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master | |
with: | |
args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} | |
command: monitor | |
# TEMPORARILY REMOVE EPHEMERAL TESTS | |
# => Until we can change them to only run the "node" tests and not the transaction tests | |
# ephemeral-deploy-and-test: | |
# name: Run ephemeral deploy and test | |
# needs: | |
# - build_deb | |
# - build_push_container | |
# runs-on: ubuntu-22.04 | |
# steps: | |
# - name: Get docker image tag | |
# run: | | |
# #There can be multiple tag entries. Get the first and only take the tag (i.e. not the image repo and name) | |
# TAGS="${{ needs.build_deb.outputs.tags }}" | |
# DOCKER_TAG=$(echo $TAGS | awk 'NR==1{print $1}' | cut -d':' -f2) | |
# echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV | |
# echo "BABYLON_NODE_BRANCH=$GITHUB_HEAD_REF" >> $GITHUB_ENV | |
# - name: Deploy and test on ephemeral network | |
# uses: RDXWorks-actions/jenkins-job-trigger-action@master | |
# with: | |
# jenkins_url: "${{ env.JENKINS_URL }}" | |
# jenkins_user: ${{ env.JENKINS_USER }} | |
# jenkins_token: ${{ env.JENKINS_TOKEN }} | |
# job_name: "ephemeral-deployments/job/ephemeral-env-deploy-and-test" | |
# job_params: | | |
# { | |
# "nodeDockerTag": "${{ env.DOCKER_TAG }}", | |
# "babylonNodeBranch": "${{ env.BABYLON_NODE_BRANCH }}" | |
# } | |
# job_timeout: "3600" |