Skip to content
Goreleaser Chainlink

Refactor artifact path handling in build-publish-goreleaser.yml #8

Sign in to view logs

Refactor artifact path handling in build-publish-goreleaser.yml

Refactor artifact path handling in build-publish-goreleaser.yml #8

Workflow file for this run

.github/workflows/build-publish-goreleaser.yml at 42f7c52
name: "Goreleaser Chainlink"
on:
push:
tags:
- "goreleaser-v*"
branches:
- RE-2997-error-building-chainlink-binary-with-wasmtime-go-dependency
env:
ECR_HOSTNAME: public.ecr.aws
jobs:
checks:
name: "Checks"
runs-on: ubuntu-20.04
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Check for VERSION file bump on tags
# Avoids checking VERSION file bump on forks.
if: ${{ github.repository == 'smartcontractkit/chainlink' }}
uses: ./.github/actions/version-file-bump
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# The main differences between this workflow and the develop one are:
# - Goreleaser pipeline only runs on tags
# - We only build ccip OR chainlink, not both
# - We perform artifact attestations
goreleaser-merge:
needs: [goreleaser-split]
name: merge
runs-on: ubuntu-latest
environment: build-publish
permissions:
id-token: write
contents: read
attestations: write
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
aws-region: ${{ secrets.AWS_REGION }}
mask-aws-account-id: true
role-session-name: goreleaser-build-sign-publish-chainlink
- uses: actions/cache/restore@v4
with:
path: dist/linux_amd64_v1
# We use ref_name here and not in develop b/c develop builds both ccip and chainlink
# whereas here we only build one or the other
key: chainlink-amd64-${{ github.sha }}-${{ github.ref_name }}
fail-on-cache-miss: true
- uses: actions/cache/restore@v4
with:
path: dist/linux_arm64
key: chainlink-arm64-${{ github.sha }}-${{ github.ref_name }}
fail-on-cache-miss: true
- name: Merge images for both architectures
id: goreleaser-build-sign-publish
uses: ./.github/actions/goreleaser-build-sign-publish
with:
docker-registry: ${{ env.ECR_HOSTNAME }}
docker-image-tag: ${{ github.ref_name }}
goreleaser-config: .goreleaser.production.yaml
goreleaser-release-type: merge
goreleaser-key: ${{ secrets.GORELEASER_KEY }}
# HACK: We should really derive the image name from the goreleaser output, artifacts.json contains everything we need
- name: Set build configs
shell: bash
id: set-build-configs
run: |
if [[ ${{ github.ref_name }} =~ "-ccip" ]]; then
echo "ECR_IMAGE_NAME=chainlink/chainlink-ccip-experimental-goreleaser" | tee -a $GITHUB_OUTPUT
else
echo "ECR_IMAGE_NAME=chainlink/chainlink-experimental-goreleaser" | tee -a $GITHUB_OUTPUT
fi
- name: Output image name and digest
id: get-image-name-digest
shell: bash
run: |
amd64_artifact_path=dist/linux_amd64_v1/artifacts.json
arm64_artifact_path=dist/linux_arm64/artifacts.json
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${amd64_artifact_path} >> amd64_output.txt
echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
while read -r line; do
echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
done < amd64_output.txt
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${arm64_artifact_path} >> arm64_output.txt
while read -r line; do
echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
done < arm64_output.txt
core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64"
plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64"
core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64"
plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64"
echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
- name: Attest tarballs
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-path: "dist/**/*.tar.gz"
- name: Attest Docker image (core-amd64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
push-to-registry: true
- name: Attest Docker image (plugins-amd64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
push-to-registry: true
- name: Attest Docker image (core-arm64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
push-to-registry: true
- name: Attest Docker image (plugins-arm64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}
push-to-registry: true
- name: Upload SBOMs
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: goreleaser-sboms
path: dist/**/*.sbom.json
- name: Print SBOM artifact to job summary
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id')
echo "Artifact ID: $ARTIFACT_ID"
echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY"
artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID"
echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY
- name: Collect Metrics
if: always()
id: collect-gha-metrics
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
with:
id: goreleaser-build-chainlink-publish
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
this-job-name: merge
continue-on-error: true
goreleaser-split:
name: "split-${{ matrix.goarch }}"
needs: [checks]
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- runner: ubuntu-latest
goarch: amd64
dist_name: linux_amd64_v1
- runner: ubuntu-24.04-4cores-16GB-ARM
goarch: arm64
dist_name: linux_arm64
environment: build-publish
permissions:
id-token: write
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
aws-region: ${{ secrets.AWS_REGION }}
mask-aws-account-id: true
role-session-name: goreleaser-build-sign-publish-chainlink
- id: cache
uses: actions/cache@v4
with:
path: dist/${{ matrix.dist_name }}
# We use ref_name here and not in develop b/c develop builds both ccip and chainlink
# whereas here we only build one or the other
key: chainlink-${{ matrix.goarch }}-${{ github.sha }}-${{ github.ref_name }}
- name: Build images for ${{ matrix.goarch }}
if: steps.cache.outputs.cache-hit != 'true'
uses: ./.github/actions/goreleaser-build-sign-publish
with:
docker-registry: ${{ env.ECR_HOSTNAME }}
docker-image-tag: ${{ github.ref_name }}
goreleaser-release-type: release
goreleaser-config: .goreleaser.production.yaml
goreleaser-key: ${{ secrets.GORELEASER_KEY }}
- name: Collect Metrics
if: always()
id: collect-gha-metrics
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
with:
id: goreleaser-build-chainlink-publish
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
this-job-name: split-${{ matrix.goarch }}
continue-on-error: true