Update github action CI workflow (stacks-network#3199)

* Updating Github Action - build all release images from binaries - create checksum of binary artifacts for release - adds clippy and crate advisory actions - update all dockerfiles to use ramdisk for building - separate actions to relevant files - adds arm64 binaries/docker image - update all debian builds to use bullseye (latest debian) * only run btc int tests on default branch * enable btc int test on develop * Feat/update ci (stacks-network#38) * Updating Github Action - build all release images from binaries - create checksum of binary artifacts for release - adds clippy and crate advisory actions - update all dockerfiles to use ramdisk for building - separate actions to relevant files - adds arm64 binaries/docker image - update all debian builds to use bullseye (latest debian) * only run btc int tests on default branch * final action test disabled a lot of the long-running tests * Update ci.yml * Update ci.yml * Update bitcoin-tests.yml * Update bitcoin-tests.yml * run on push to master (merge) * Update Github Actions - build all release images from binaries - create checksum of binary artifacts for release - adds clippy and crate advisory actions - update all dockerfiles to use ramdisk for building - separate actions to relevant files - adds arm64 binaries/docker image - update all debian builds to use bullseye (latest debian) * adding build features to dockerfiles * update repo org to stacks-network missed a ref to wileyj forked repo * addressing comments in pr 3199 see stacks-network#3199 for changes requested * cleaning up docker tags prevent overwriting of docker image branch tags * disabling audit workflow disabling this workflow until we can test further * Adding a release file * Update to trigger logic Updating the logic of how/when builds and releases happen based on comments in PR. Updated the RELEASING.md file to reflect these changes * chore: delete circle.yml CircleCI hasn't been used in 11+ months. Fixes stacks-network#3072 * switch repo&owner to var remove hardcoded value in favor or `GITHUB_REPOSITORY` * use local workflows * fix: don't assume that the bitcoin node always gives a non-zero number of headers * fix: add unit test and change log entry * fix: Exclude benchmarks from compilation * fix: Resolve conflicts and the remaining two errors * clean: remove benchmark files * fix: use explicit version number * minor update to reconcile diffs since some files were renamed, some minor changes had to be made manually here, i.e. fail_ci_if_error: false * hardcode some vals for testing * revert * use org/repo locations for jobs testing the locally built packages/docker images is successful, this reverts those changes need for testing the resulting artifacts * Moving file to docs dir * continue build if unit-tests fail use current settings from master branch * 3199 - minor updates for recent upstream changes --------- Co-authored-by: Diwaker Gupta <[email protected]> Co-authored-by: Jude Nelson <[email protected]> Co-authored-by: Stjepan Golemac <[email protected]>
fess-v · Sep 10, 2023 · 9cb4600 · 9cb4600
1 parent 7c10037
commit 9cb4600
Show file tree

Hide file tree

Showing 28 changed files with 1,173 additions and 588 deletions.
diff --git a/.github/actions/dockerfiles/Dockerfile.alpine-binary b/.github/actions/dockerfiles/Dockerfile.alpine-binary
@@ -0,0 +1,23 @@
+FROM --platform=${TARGETPLATFORM} alpine as builder
+# Use a small image to download and extract the release archive
+
+ARG TAG
+ARG BIN_ARCH
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG REPO=stacks-network/stacks-blockchain
+
+RUN case ${TARGETARCH} in \
+    "amd64")  BIN_ARCH=linux-musl-x64  ;; \
+    "arm64")  BIN_ARCH=linux-musl-arm64  ;; \
+    "*") exit 1 ;; \
+    esac \
+    && echo "wget  -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip" \
+    && wget  -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip \
+    && unzip ${BIN_ARCH}.zip -d /out
+
+FROM --platform=${TARGETPLATFORM} alpine
+COPY --from=builder /out/stacks-node /bin/
+CMD ["stacks-node", "mainnet"]
diff --git a/.github/actions/dockerfiles/Dockerfile.debian-binary b/.github/actions/dockerfiles/Dockerfile.debian-binary
@@ -0,0 +1,23 @@
+FROM --platform=${TARGETPLATFORM} alpine as builder
+# Use a small image to download and extract the release archive
+
+ARG TAG
+ARG BIN_ARCH
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG REPO=stacks-network/stacks-blockchain
+
+RUN case ${TARGETARCH} in \
+    "amd64")  BIN_ARCH=linux-musl-x64  ;; \
+    "arm64")  BIN_ARCH=linux-musl-arm64  ;; \
+    "*") exit 1 ;; \
+    esac \
+    && echo "wget  -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip" \
+    && wget  -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip \
+    && unzip ${BIN_ARCH}.zip -d /out
+
+FROM --platform=${TARGETPLATFORM} debian:bullseye
+COPY --from=builder /out/stacks-node /bin/
+CMD ["stacks-node", "mainnet"]
diff --git a/.github/actions/dockerfiles/Dockerfile.debian-source b/.github/actions/dockerfiles/Dockerfile.debian-source
@@ -0,0 +1,24 @@
+FROM rust:bullseye as build
+
+ARG STACKS_NODE_VERSION="No Version Info"
+ARG GIT_BRANCH='No Branch Info'
+ARG GIT_COMMIT='No Commit Info'
+ARG BUILD_DIR=/build
+ARG TARGET=x86_64-unknown-linux-gnu
+WORKDIR /src
+
+COPY . .
+
+RUN apt-get update && apt-get install -y git
+
+# Run all the build steps in ramdisk in an attempt to speed things up
+RUN --mount=type=tmpfs,target=${BUILD_DIR} cp -R /src/. ${BUILD_DIR}/ \
+    && cd ${BUILD_DIR} \
+    && rustup target add ${TARGET} \
+    && cargo build --features monitoring_prom,slog_json --release --workspace --target ${TARGET} \
+    && mkdir -p /out \
+    && cp -R ${BUILD_DIR}/target/${TARGET}/release/. /out
+
+FROM --platform=${TARGETPLATFORM} debian:bullseye
+COPY --from=build /out/stacks-node /bin/
+CMD ["stacks-node", "mainnet"]
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,35 @@
+##
+## Performs an audit for crate advisories against cargo dependencies
+##
+
+name: Security Audit
+
+# Only run when:
+#   - workflow is manually triggered
+#   - Cargo.toml/lock is changed
+#   - Daily at 0330 UTC
+# Note: this will create issues for any crate advisories unless they already exist
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+  schedule:
+    - cron: 30 03 * * *
+
+jobs:
+  security_audit:
+    if: ${{ false }}
+    name: Crate Vulnerability Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the latest code
+        id: git_checkout
+        uses: actions/checkout@v3
+      - name: Rust Dependency Check
+        id: rust_dep_check
+        uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/bitcoin-tests.yml b/.github/workflows/bitcoin-tests.yml
@@ -1,36 +1,53 @@
-name: stacks-bitcoin-integration-tests
+##
+## Bitcoin Integration Tests
+##
+
+name: Bitcoin Integration Tests
 
 # Only run when:
-#   - PRs are opened
+#   - PRs are (re)opened against master branch
+
 on:
   pull_request:
+    types:
+      - opened
+      - reopened
 
 concurrency:
   group: stacks-bitcoin-integration-tests-${{ github.ref }}
   # Only cancel in progress if this is for a PR
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
 jobs:
+  # Create bitcoin image used for later tests
   build-integration-image:
+    name: Build Image
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout the latest code
+        id: git_checkout
+        uses: actions/checkout@v3
       - name: Build bitcoin integration testing image
+        id: build_docker_image
         env:
           DOCKER_BUILDKIT: 1
-        # Remove .dockerignore file so codecov has access to git info
+        # Remove .dockerignore file so codecov has access to git info and build the image
         run: |
           rm .dockerignore
-          docker build -f ./.github/actions/bitcoin-int-tests/Dockerfile.generic.bitcoin-tests -t stacks-node:integrations .
+          docker build -f ./.github/actions/bitcoin-int-tests/Dockerfile.generic.bitcoin-tests -t stacks-blockchain:integrations .
       - name: Export docker image as tarball
-        run: docker save -o integration-image.tar stacks-node:integrations
+        id: export_docker_image
+        run: docker save -o integration-image.tar stacks-blockchain:integrations
       - name: Upload built docker image
-        uses: actions/upload-artifact@v2
+        id: upload_docker_image
+        uses: actions/upload-artifact@v3
         with:
           name: integration-image.tar
           path: integration-image.tar
+
   # Run integration tests using sampled genesis block
   sampled-genesis:
+    name: Sampled Genesis
     runs-on: ubuntu-latest
     needs:
       - build-integration-image
@@ -106,26 +123,35 @@ jobs:
           - tests::epoch_24::fix_to_pox_contract
           - tests::epoch_24::verify_auto_unlock_behavior
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout the latest code
+        id: git_checkout
+        uses: actions/checkout@v3
       - name: Download docker image
-        uses: actions/download-artifact@v2
+        id: download_docker_image
+        uses: actions/download-artifact@v3
         with:
           name: integration-image.tar
       - name: Load docker image
+        id: load_docker_image
         run: docker load -i integration-image.tar && rm integration-image.tar
       - name: All integration tests with sampled genesis
+        id: bitcoin_integration_tests
         timeout-minutes: 30
         env:
           DOCKER_BUILDKIT: 1
           TEST_NAME: ${{ matrix.test-name }}
         run: docker build -o coverage-output --build-arg test_name=${{ matrix.test-name }} -f ./.github/actions/bitcoin-int-tests/Dockerfile.bitcoin-tests .
-      - uses: codecov/codecov-action@v2
+      - name: Code Coverage
+        id: code_coverage
+        uses: codecov/codecov-action@v3
         with:
           files: ./coverage-output/lcov.info
           name: ${{ matrix.test-name }}
           fail_ci_if_error: false
+
+  # Run atlas integration tests
   atlas-test:
-    if: ${{ true }}
+    name: Atlas Test
     runs-on: ubuntu-latest
     needs:
       - build-integration-image
@@ -136,20 +162,27 @@ jobs:
           - tests::neon_integrations::atlas_integration_test
           - tests::neon_integrations::atlas_stress_integration_test
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout the latest code
+        id: git_checkout
+        uses: actions/checkout@v3
       - name: Download docker image
-        uses: actions/download-artifact@v2
+        id: download_docker_image
+        uses: actions/download-artifact@v3
         with:
           name: integration-image.tar
       - name: Load docker image
+        id: load_docker_image
         run: docker load -i integration-image.tar && rm integration-image.tar
       - name: Atlas integration tests
+        id: atlas_integration_tests
         timeout-minutes: 40
         env:
           DOCKER_BUILDKIT: 1
           TEST_NAME: ${{ matrix.test-name }}
         run: docker build -o coverage-output --build-arg test_name=${{ matrix.test-name }} -f ./.github/actions/bitcoin-int-tests/Dockerfile.bitcoin-tests .
-      - uses: codecov/codecov-action@v2
+      - name: Code Coverage
+        id: code_coverage
+        uses: codecov/codecov-action@v3
         with:
           files: ./coverage-output/lcov.info
           name: ${{ matrix.test-name }}

diff --git a/.github/workflows/build-source-binary.yml b/.github/workflows/build-source-binary.yml
@@ -0,0 +1,65 @@
+##
+## Builds binary assets of stacks-blockchain and creates a named tag github (draft) release
+##
+
+name: Build Distributable Assets
+
+# Only run when:
+#   - manually triggered via the ci.yml workflow with a provided input tag
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: "Tag name of this release (x.y.z)"
+        required: true
+        type: string
+      parallel_jobs:
+        description: "Number of parallel binary builds"
+        required: false
+        type: number
+        default: 4
+      arch:
+        description: "Stringified JSON object listing of platform matrix"
+        required: true
+        type: string
+
+jobs:
+  artifact:
+    if: ${{ inputs.tag != '' }}
+    name: Create Artifacts
+    runs-on: ubuntu-latest
+    strategy:
+      max-parallel: ${{ inputs.parallel_jobs }}
+      matrix:
+        platform: ${{ fromJson(inputs.arch) }}
+    steps:
+      - name: Checkout the latest code
+        id: git_checkout
+        uses: actions/checkout@v3
+      - name: Set Vars
+        id: set_vars
+        run: |
+          echo "GITHUB_SHA_SHORT=${GITHUB_SHA::7}" >> $GITHUB_ENV
+          echo "GITHUB_REF_SHORT=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+      - name: Set up Docker Buildx
+        id: setup_buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build Binaries
+        id: build_binaries
+        uses: docker/build-push-action@v3
+        with:
+          file: build-scripts/Dockerfile.${{ matrix.platform }}
+          outputs: type=local,dest=./release/${{ matrix.platform }}
+          build-args: |
+            OS_ARCH=${{ matrix.platform }}
+            GIT_BRANCH=${{ env.GITHUB_REF_SHORT }}
+            GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }}
+      - name: Compress artifact
+        id: compress_artifact
+        run: zip --junk-paths ${{ matrix.platform }} ./release/${{ matrix.platform }}/*
+      - name: Upload artifact
+        id: upload_artifact
+        uses: actions/upload-artifact@v3
+        with:
+          path: ${{ matrix.platform }}.zip