Refactor artifact path handling in build-publish-goreleaser.yml #8
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Goreleaser Chainlink" | |
on: | |
push: | |
tags: | |
- "goreleaser-v*" | |
branches: | |
- RE-2997-error-building-chainlink-binary-with-wasmtime-go-dependency | |
env: | |
ECR_HOSTNAME: public.ecr.aws | |
jobs: | |
checks: | |
name: "Checks" | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Check for VERSION file bump on tags | |
# Avoids checking VERSION file bump on forks. | |
if: ${{ github.repository == 'smartcontractkit/chainlink' }} | |
uses: ./.github/actions/version-file-bump | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
# The main differences between this workflow and the develop one are: | |
# - Goreleaser pipeline only runs on tags | |
# - We only build ccip OR chainlink, not both | |
# - We perform artifact attestations | |
goreleaser-merge: | |
needs: [goreleaser-split] | |
name: merge | |
runs-on: ubuntu-latest | |
environment: build-publish | |
permissions: | |
id-token: write | |
contents: read | |
attestations: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
fetch-depth: 0 | |
- name: Configure aws credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} | |
role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} | |
aws-region: ${{ secrets.AWS_REGION }} | |
mask-aws-account-id: true | |
role-session-name: goreleaser-build-sign-publish-chainlink | |
- uses: actions/cache/restore@v4 | |
with: | |
path: dist/linux_amd64_v1 | |
# We use ref_name here and not in develop b/c develop builds both ccip and chainlink | |
# whereas here we only build one or the other | |
key: chainlink-amd64-${{ github.sha }}-${{ github.ref_name }} | |
fail-on-cache-miss: true | |
- uses: actions/cache/restore@v4 | |
with: | |
path: dist/linux_arm64 | |
key: chainlink-arm64-${{ github.sha }}-${{ github.ref_name }} | |
fail-on-cache-miss: true | |
- name: Merge images for both architectures | |
id: goreleaser-build-sign-publish | |
uses: ./.github/actions/goreleaser-build-sign-publish | |
with: | |
docker-registry: ${{ env.ECR_HOSTNAME }} | |
docker-image-tag: ${{ github.ref_name }} | |
goreleaser-config: .goreleaser.production.yaml | |
goreleaser-release-type: merge | |
goreleaser-key: ${{ secrets.GORELEASER_KEY }} | |
# HACK: We should really derive the image name from the goreleaser output, artifacts.json contains everything we need | |
- name: Set build configs | |
shell: bash | |
id: set-build-configs | |
run: | | |
if [[ ${{ github.ref_name }} =~ "-ccip" ]]; then | |
echo "ECR_IMAGE_NAME=chainlink/chainlink-ccip-experimental-goreleaser" | tee -a $GITHUB_OUTPUT | |
else | |
echo "ECR_IMAGE_NAME=chainlink/chainlink-experimental-goreleaser" | tee -a $GITHUB_OUTPUT | |
fi | |
- name: Output image name and digest | |
id: get-image-name-digest | |
shell: bash | |
run: | | |
amd64_artifact_path=dist/linux_amd64_v1/artifacts.json | |
arm64_artifact_path=dist/linux_arm64/artifacts.json | |
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${amd64_artifact_path} >> amd64_output.txt | |
echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY" | |
while read -r line; do | |
echo "$line" | tee -a "$GITHUB_STEP_SUMMARY" | |
done < amd64_output.txt | |
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${arm64_artifact_path} >> arm64_output.txt | |
while read -r line; do | |
echo "$line" | tee -a "$GITHUB_STEP_SUMMARY" | |
done < arm64_output.txt | |
core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64" | |
plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64" | |
core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64" | |
plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64" | |
echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" | |
- name: Attest tarballs | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-path: "dist/**/*.tar.gz" | |
- name: Attest Docker image (core-amd64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Attest Docker image (plugins-amd64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Attest Docker image (core-arm64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Attest Docker image (plugins-arm64) | |
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }} | |
subject-name: ${{ env.ECR_HOSTNAME }}/${{ steps.set-build-configs.outputs.ECR_IMAGE_NAME }} | |
push-to-registry: true | |
- name: Upload SBOMs | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 | |
with: | |
name: goreleaser-sboms | |
path: dist/**/*.sbom.json | |
- name: Print SBOM artifact to job summary | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
shell: bash | |
run: | | |
ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts) | |
ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id') | |
echo "Artifact ID: $ARTIFACT_ID" | |
echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY" | |
artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID" | |
echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY | |
- name: Collect Metrics | |
if: always() | |
id: collect-gha-metrics | |
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 | |
with: | |
id: goreleaser-build-chainlink-publish | |
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} | |
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} | |
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} | |
this-job-name: merge | |
continue-on-error: true | |
goreleaser-split: | |
name: "split-${{ matrix.goarch }}" | |
needs: [checks] | |
runs-on: ${{ matrix.runner }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- runner: ubuntu-latest | |
goarch: amd64 | |
dist_name: linux_amd64_v1 | |
- runner: ubuntu-24.04-4cores-16GB-ARM | |
goarch: arm64 | |
dist_name: linux_arm64 | |
environment: build-publish | |
permissions: | |
id-token: write | |
contents: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
with: | |
fetch-depth: 0 | |
- name: Configure aws credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} | |
role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} | |
aws-region: ${{ secrets.AWS_REGION }} | |
mask-aws-account-id: true | |
role-session-name: goreleaser-build-sign-publish-chainlink | |
- id: cache | |
uses: actions/cache@v4 | |
with: | |
path: dist/${{ matrix.dist_name }} | |
# We use ref_name here and not in develop b/c develop builds both ccip and chainlink | |
# whereas here we only build one or the other | |
key: chainlink-${{ matrix.goarch }}-${{ github.sha }}-${{ github.ref_name }} | |
- name: Build images for ${{ matrix.goarch }} | |
if: steps.cache.outputs.cache-hit != 'true' | |
uses: ./.github/actions/goreleaser-build-sign-publish | |
with: | |
docker-registry: ${{ env.ECR_HOSTNAME }} | |
docker-image-tag: ${{ github.ref_name }} | |
goreleaser-release-type: release | |
goreleaser-config: .goreleaser.production.yaml | |
goreleaser-key: ${{ secrets.GORELEASER_KEY }} | |
- name: Collect Metrics | |
if: always() | |
id: collect-gha-metrics | |
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 | |
with: | |
id: goreleaser-build-chainlink-publish | |
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} | |
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} | |
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} | |
this-job-name: split-${{ matrix.goarch }} | |
continue-on-error: true |