Build, Sign and Publish Chainlink #1067

Workflow file for this run

.github/workflows/build-publish.yml at 15cbe34

	name: "Build, Sign and Publish Chainlink"

	on:
	# Mimics old circleci behaviour
	push:
	tags:
	- "v*"
	branches:
	- "release/**"

	env:
	ECR_HOSTNAME: public.ecr.aws
	ECR_IMAGE_NAME: chainlink/chainlink

	jobs:
	checks:
	name: "Checks"
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout repository
	uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
	- name: Check for VERSION file bump on tags
	# Avoids checking VERSION file bump on forks.
	if: ${{ github.repository == 'smartcontractkit/chainlink' && startsWith(github.ref, 'refs/tags/v') }}
	uses: ./.github/actions/version-file-bump
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}

	# build-sign-publish-chainlink:
	# needs: [checks]
	# if: ${{ ! startsWith(github.ref_name, 'release/') }}
	# runs-on: ubuntu-20.04
	# environment: build-publish
	# permissions:
	# id-token: write
	# contents: write
	# attestations: write
	# outputs:
	# docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
	# docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
	# steps:
	# - name: Checkout repository
	# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

	# - name: Build, sign and publish chainlink image
	# id: build-sign-publish
	# uses: ./.github/actions/build-sign-publish-chainlink
	# with:
	# publish: true
	# aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
	# aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
	# aws-region: ${{ secrets.AWS_REGION }}
	# ecr-hostname: ${{ env.ECR_HOSTNAME }}
	# ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
	# dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
	# dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
	# sign-images: true
	# verify-signature: true

	# - name: Attest Docker image
	# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
	# with:
	# subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
	# subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
	# push-to-registry: true

	# - name: Collect Metrics
	# if: always()
	# id: collect-gha-metrics
	# uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
	# with:
	# id: build-chainlink-publish
	# org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
	# basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
	# hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
	# this-job-name: build-sign-publish-chainlink
	# continue-on-error: true

	goreleaser-build-sign-publish-chainlink:
	needs: [checks]
	if: ${{ ! startsWith(github.ref_name, 'release/') }}
	runs-on: ubuntu-20.04
	environment: build-publish
	permissions:
	id-token: write
	contents: write
	attestations: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

	- name: Configure aws credentials
	uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
	with:
	role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
	role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
	aws-region: ${{ secrets.AWS_REGION }}
	mask-aws-account-id: true
	role-session-name: goreleaser-build-sign-publish-chainlink

	- name: Set build configs
	shell: bash
	id: set-build-configs
	run: \|
	if [[ ${{ github.ref_name }} =~ "-ccip" ]]; then
	echo "ECR_IMAGE_NAME=chainlink/ccip" \| tee -a $GITHUB_OUTPUT
	echo "GORELEASER_CONFIG=.goreleaser.ccip.production.yaml" \| tee -a $GITHUB_OUTPUT
	else
	echo "ECR_IMAGE_NAME=chainlink/chainlink" \| tee -a $GITHUB_OUTPUT
	echo "GORELEASER_CONFIG=.goreleaser.production.yaml" \| tee -a $GITHUB_OUTPUT
	fi

	- name: Build, sign, and publish image
	id: goreleaser-build-sign-publish
	uses: ./.github/actions/goreleaser-build-sign-publish
	with:
	docker-registry: ${{ env.ECR_HOSTNAME}}
	docker-image-name: ${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
	docker-image-tag: ${{ github.ref_name }}
	goreleaser-exec: ./tools/bin/goreleaser_wrapper
	goreleaser-config: ${{ steps.set-build-configs.outputs.GORELEASER_CONFIG }}
	goreleaser-key: ${{ secrets.GORELEASER_KEY }}
	zig-version: 0.11.0
	enable-cosign: true
	cosign-version: "v2.4.0"

	- name: Output image name and digest
	id: get-image-name-digest
	shell: bash
	run: \|
	artifact_path="dist/artifacts.json"
	jq -r '.[] \| select(.type == "Docker Image") \| "\(.name)"' ${artifact_path} >> output.txt

	echo "### Docker Images" \| tee -a "$GITHUB_STEP_SUMMARY"
	while read -r line; do
	echo "$line" \| tee -a "$GITHUB_STEP_SUMMARY"
	done < output.txt

	core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64"
	plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64"
	core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64"
	plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64"

	echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]\|select(.type=="Published Docker Image" and .name==$name)\|.extra.Digest' ${artifact_path})" \| tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
	echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]\|select(.type=="Published Docker Image" and .name==$name)\|.extra.Digest' ${artifact_path})" \| tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
	echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]\|select(.type=="Published Docker Image" and .name==$name)\|.extra.Digest' ${artifact_path})" \| tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
	echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]\|select(.type=="Published Docker Image" and .name==$name)\|.extra.Digest' ${artifact_path})" \| tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"

	- name: Attest tarballs
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
	with:
	subject-path: "dist/*.tar.gz"

	- name: Attest Docker image (core-amd64)
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
	with:
	subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }}
	subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
	push-to-registry: true

	- name: Attest Docker image (plugins-amd64)
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
	with:
	subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }}
	subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
	push-to-registry: true

	- name: Attest Docker image (core-arm64)
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
	with:
	subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }}
	subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
	push-to-registry: true

	- name: Attest Docker image (plugins-arm64)
	uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
	with:
	subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }}
	subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
	push-to-registry: true

	- name: Upload SBOMs
	uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
	with:
	name: goreleaser-sboms
	path: dist/*.sbom.json

	- name: Print SBOM artifact to job summary
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	shell: bash
	run: \|
	ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
	ARTIFACT_ID=$(echo "$ARTIFACTS" \| jq '.artifacts[] \| select(.name=="goreleaser-sboms") \| .id')
	echo "Artifact ID: $ARTIFACT_ID"
	echo "### SBOM Artifact" \| tee -a "$GITHUB_STEP_SUMMARY"
	artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID"
	echo "[Artifact URL]($artifact_url)" \| tee -a $GITHUB_STEP_SUMMARY

	- name: Collect Metrics
	if: always()
	id: collect-gha-metrics
	uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
	with:
	id: goreleaser-build-chainlink-publish
	org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
	basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
	hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
	this-job-name: goreleaser-build-sign-publish-chainlink
	continue-on-error: true

	# Notify Slack channel for new git tags.
	# slack-notify:
	# if: github.ref_type == 'tag'
	# needs: [build-sign-publish-chainlink]
	# runs-on: ubuntu-24.04
	# environment: build-publish
	# steps:
	# - name: Checkout repository
	# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
	# - name: Notify Slack
	# uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # slack-notify-git-ref@0.1.2
	# with:
	# slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
	# slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
	# git-ref: ${{ github.ref_name }}
	# git-ref-type: ${{ github.ref_type }}
	# changelog-url: >-
	# ${{
	# github.ref_type == 'tag' &&
	# format(
	# 'https://github.com/{0}/blob/{1}/CHANGELOG.md',
	# github.repository,
	# github.ref_name
	# ) \|\| ''
	# }}
	# docker-image-name: >-
	# ${{
	# github.ref_type == 'tag' &&
	# format(
	# '{0}/{1}:{2}',
	# env.ECR_HOSTNAME,
	# env.ECR_IMAGE_NAME,
	# needs.build-sign-publish-chainlink.outputs.docker-image-tag
	# ) \|\| ''
	# }}
	# docker-image-digest: >-
	# ${{
	# github.ref_type == 'tag' &&
	# needs.build-sign-publish-chainlink.outputs.docker-image-digest \|\| ''
	# }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build, Sign and Publish Chainlink #1067

Workflow file

Build, Sign and Publish Chainlink #1067

Jobs

Run details

Workflow file for this run