From d81396be12a9440e7cf02ba496e8d785d42e1a82 Mon Sep 17 00:00:00 2001 From: Piotr Galar Date: Tue, 2 Apr 2024 14:22:09 +0100 Subject: [PATCH] ci: ci: migrate the release workflow to github actions (#11785) * ci: rename install ubuntu deps to install system dependencies * ci: migrate the release workflow to github actions * ci: set permissions required by the newly added workflows explicitly * ci: prevent duplicate release and docker publishing * ci: trigger docker workflow on push to master * ci: do not pass tokens to goreleaser on dry release runs * ci: specify higher permissions on a job level --- .github/actions/export-circle-env/action.yml | 14 +++ .../install-system-dependencies/action.yml | 19 +++ .../actions/install-ubuntu-deps/action.yml | 10 -- .github/workflows/build.yml | 4 +- .github/workflows/builtin-actor-tests.yml | 4 + .github/workflows/check.yml | 8 +- .github/workflows/docker.yml | 100 ++++++++++++++++ .github/workflows/release.yml | 113 ++++++++++++++++++ .github/workflows/stale.yml | 6 +- .github/workflows/sync-master-main.yaml | 6 +- .github/workflows/test.yml | 7 +- .goreleaser.yaml | 6 +- 12 files changed, 271 insertions(+), 26 deletions(-) create mode 100644 .github/actions/export-circle-env/action.yml create mode 100644 .github/actions/install-system-dependencies/action.yml delete mode 100644 .github/actions/install-ubuntu-deps/action.yml create mode 100644 .github/workflows/docker.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/actions/export-circle-env/action.yml b/.github/actions/export-circle-env/action.yml new file mode 100644 index 00000000000..ded4bbb0579 --- /dev/null +++ b/.github/actions/export-circle-env/action.yml 
@@ -0,0 +1,14 @@
+name: Export Circle Env
+description: Export CircleCI environment variables for Filecoin Lotus
+
+runs:
+ using: composite
+ steps:
+ - run: |
+ if [[ "$GITHUB_REF" == refs/tags/* ]]; then
+ echo "CIRCLE_TAG=${GITHUB_REF#refs/tags/}" | tee -a $GITHUB_ENV
+ fi
+ echo "CIRCLE_PROJECT_USERNAME=$GITHUB_REPOSITORY_OWNER" | tee -a $GITHUB_ENV
+ echo "CIRCLE_PROJECT_REPONAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" | tee -a $GITHUB_ENV
+ echo "CIRCLE_SHA1=$GITHUB_SHA" | tee -a $GITHUB_ENV
+ shell: bash
diff --git a/.github/actions/install-system-dependencies/action.yml b/.github/actions/install-system-dependencies/action.yml
new file mode 100644
index 00000000000..0a048f8e1b2
--- /dev/null
+++ b/.github/actions/install-system-dependencies/action.yml
@@ -0,0 +1,19 @@
+name: Install System Dependencies
+description: Install System dependencies for Filecoin Lotus
+
+runs:
+ using: composite
+ steps:
+ - if: runner.os == 'Linux'
+ run: |
+ sudo apt-get update -y
+ sudo apt-get install -y ocl-icd-opencl-dev libhwloc-dev pkg-config
+ shell: bash
+ - if: runner.os == 'macOS'
+ env:
+ HOMEBREW_NO_AUTO_UPDATE: '1'
+ run: |
+ brew install hwloc pkg-config
+ echo "CPATH=$(brew --prefix)/include" | tee -a $GITHUB_ENV
+ echo "LIBRARY_PATH=$(brew --prefix)/lib" | tee -a $GITHUB_ENV
+ shell: bash
diff --git a/.github/actions/install-ubuntu-deps/action.yml b/.github/actions/install-ubuntu-deps/action.yml
deleted file mode 100644
index 395e8d47b8b..00000000000
--- a/.github/actions/install-ubuntu-deps/action.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: Install Ubuntu Dependencies
-description: Install Ubuntu dependencies for Filecoin Lotus
-
-runs:
- using: composite
- steps:
- - run: |
- sudo apt-get update -y
- sudo apt-get install -y ocl-icd-opencl-dev libhwloc-dev pkg-config
- shell: bash
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cb56c05de45..ce46a4a5f73 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
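Review bot: In install-system-dependencies/action.yml the two steps are gated on `runner.os == 'Linux'` and `runner.os == 'macOS'`, so on any other runner the action completes successfully without installing anything and the failure only shows up later in the build. A closing step that fails fast would make the unsupported case explicit: `- if: runner.os != 'Linux' && runner.os != 'macOS'`, `run: echo "::error::Unsupported runner OS $RUNNER_OS"; exit 1`, `shell: bash`. The `tee -a $GITHUB_ENV` targets in both new actions would also be safer quoted as `"$GITHUB_ENV"`.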
@@ -16,6 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: build: name: Build @@ -24,6 +26,6 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'recursive' - - uses: ./.github/actions/install-ubuntu-deps + - uses: ./.github/actions/install-system-dependencies - uses: ./.github/actions/install-go - run: make deps lotus diff --git a/.github/workflows/builtin-actor-tests.yml b/.github/workflows/builtin-actor-tests.yml index e0d95de5194..93d4c669e59 100644 --- a/.github/workflows/builtin-actor-tests.yml +++ b/.github/workflows/builtin-actor-tests.yml @@ -1,4 +1,5 @@ name: Built-in Actors + on: push: paths: @@ -6,6 +7,9 @@ on: - build/builtin_actors_gen.go branches: - release/* + +permissions: {} + jobs: release: name: Release Tests diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 50c926a3118..7a77dc70bf4 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -16,6 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: check-docsgen: name: Check (docs-check) @@ -24,7 +26,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'recursive' - - uses: ./.github/actions/install-ubuntu-deps + - uses: ./.github/actions/install-system-dependencies - uses: ./.github/actions/install-go - run: go install golang.org/x/tools/cmd/goimports - run: make deps @@ -37,7 +39,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'recursive' - - uses: ./.github/actions/install-ubuntu-deps + - uses: ./.github/actions/install-system-dependencies - uses: ./.github/actions/install-go - run: make deps lotus - run: go install golang.org/x/tools/cmd/goimports 
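Review bot: The top-level `permissions: {}` added to build.yml carries no comment, and the jobs under it still run `actions/checkout@v4` (with recursive submodules) without any job-level grant; that presumably works only because the repository and its submodules are public, and a private fork or mirror would need `contents: read` to clone. A one-line comment such as `# no default token scopes; jobs opt in (checkout relies on the repo being public)` would record the intent for the next maintainer. The same applies to the identical line added in builtin-actor-tests.yml and check.yml, and to test.yml, where `contents: read` is replaced by `{}`.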
@@ -53,7 +55,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'recursive' - - uses: ./.github/actions/install-ubuntu-deps + - uses: ./.github/actions/install-system-dependencies - uses: ./.github/actions/install-go - run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest - run: make deps diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml new file mode 100644 index 00000000000..8e0ca57a554 --- /dev/null +++ b/.github/workflows/docker.yml 
@@ -0,0 +1,100 @@
+name: Docker
+
+on:
+ push:
+ branches:
+ - master
+ - release/*
+ tags:
+ - v*
+ schedule:
+ - cron: '0 0 * * *'
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: bash
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+ docker:
+ name: Docker (${{ matrix.image }} / ${{ matrix.network }}) [publish=${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}]
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - lotus-all-in-one
+ network:
+ - mainnet
+ - butterflynet
+ - calibnet
+ - debug
+ include:
+ - image: lotus
+ network: mainnet
+ env:
+ # Do not publish until CircleCI is deprecated
+ PUBLISH: false
+ # PUBLISH: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}
+ steps:
+ - id: channel
+ env:
+ IS_MASTER: ${{ github.ref == 'refs/heads/master' }}
+ IS_TAG: ${{ startsWith(github.ref, 'refs/tags/') }}
+ IS_RC: ${{ endsWith(github.ref, '-rc') }}
+ IS_SCHEDULED: ${{ github.event_name == 'schedule' }}
+ run: |
+ channel=''
+ if [[ "$IS_MASTER" == 'true' ]]; then
+ if [[ "$IS_SCHEDULED" == 'true' ]]; then
+ channel=nightly
+ else
+ channel=master
+ fi
+ elif [[ "$IS_TAG" == 'true' ]]; then
+ if [[ "$IS_RC" == 'true' ]]; then
+ channel=candidate
+ else
+ channel=stable
+ fi
+ fi
+ echo "channel=$channel" | tee -a $GITHUB_ENV
+ - uses: actions/checkout@v4
+ with:
+ submodules: 'recursive'
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: filecoin/${{ matrix.image }}
+ tags: |
+ type=schedule
+ type=raw,enable=${{ github.event_name != 'schedule' && steps.channel.outputs.channel != '' }},value=${{ steps.channel.outputs.channel }}
+ type=ref,event=tag
+ type=sha,prefix=
+ flavor: |
+ latest=false
+ suffix=${{ matrix.network != 'mainnet' && format('-{0}', matrix.network) || '' }}
+ - if: env.PUBLISH == 'true'
+ name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ vars.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - name: Build and push if channel is set (channel=${{ steps.channel.outputs.channel }})
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: ${{ env.PUBLISH == 'true' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ ${{ matrix.network != 'mainnet' && format('GOFLAGS=-tags={0}', matrix.network) || ''}}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000000..35e139b7d17
--- /dev/null
+++ b/.github/workflows/release.yml
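Review bot: The `channel` step in docker.yml appends `channel=$channel` to `$GITHUB_ENV`, but the metadata step and the build step name read `steps.channel.outputs.channel`, which is only populated through `$GITHUB_OUTPUT`; as written that output is always empty, so the `type=raw` channel tag is never enabled. Writing the value with `echo "channel=$channel" | tee -a "$GITHUB_OUTPUT"` would make those expressions resolve. Separately, `IS_RC` uses `endsWith(github.ref, '-rc')`, which would not match a tag with a numeric suffix such as `-rc1` and would label it `stable`; `contains(github.ref, '-rc')` is the safer test if release candidates are tagged that way. Once `PUBLISH` is switched on, `docker/login-action@v3` and `docker/build-push-action@v5` run with the Docker Hub credentials while referenced by mutable tags, so pinning them to commit SHAs, as release.yml does for goreleaser-action, would keep the publishing path fixed.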
@@ -0,0 +1,113 @@ +name: Release + +on: + push: + branches: + - ci/* + - release/* + tags: + - v* + workflow_dispatch: + +defaults: + run: + shell: bash + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: {} + +jobs: + build: + name: Build (${{ matrix.os }}/${{ matrix.arch }}) + runs-on: ${{ matrix.runner }} + strategy: + fail-fast: false + matrix: + include: + - runner: ubuntu-latest + os: Linux + arch: X64 + - runner: macos-13 + os: macOS + arch: X64 + - runner: macos-14 + os: macOS + arch: ARM64 + steps: + - env: + OS: ${{ matrix.os }} + ARCH: ${{ matrix.arch }} + run: | + if [[ "$OS" != "$RUNNER_OS" || "$ARCH" != "$RUNNER_ARCH" ]]; then + echo "::error title=Unexpected Runner::Expected $OS/$ARCH, got $RUNNER_OS/$RUNNER_ARCH" + exit 1 + fi + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + - uses: ./.github/actions/export-circle-env + - uses: ./.github/actions/install-system-dependencies + - uses: ./.github/actions/install-go + - env: + GITHUB_TOKEN: ${{ github.token }} + run: make deps lotus lotus-miner lotus-worker + - if: runner.os == 'macOS' + run: otool -hv lotus + - run: ./scripts/version-check.sh ./lotus + - uses: actions/upload-artifact@v4 + with: + name: lotus-${{ matrix.os }}-${{ matrix.arch }} + path: | + lotus + lotus-miner + lotus-worker + release: + name: Release [publish=${{ startsWith(github.ref, 'refs/tags/') }}] + permissions: + # This enables the job to create and/or update GitHub releases + contents: write + runs-on: ubuntu-latest + needs: [build] + env: + # Do not publish until CircleCI is deprecated + PUBLISH: false + # PUBLISH: ${{ startsWith(github.ref, 'refs/tags/') }} + steps: + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + fetch-depth: 0 + - uses: actions/download-artifact@v4 + with: + name: lotus-Linux-X64 + path: linux_amd64_v1 + - uses: actions/download-artifact@v4 + with: + name: lotus-macOS-X64 + path: darwin_amd64_v1 + - uses: 
actions/download-artifact@v4 + with: + name: lotus-macOS-ARM64 + path: darwin_arm64 + - uses: ./.github/actions/export-circle-env + - uses: ./.github/actions/install-go + - uses: ipfs/download-ipfs-distribution-action@v1 + with: + name: kubo + version: v0.16.0 + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + distribution: goreleaser-pro + version: latest + args: release --clean --debug ${{ env.PUBLISH == 'false' && '--snapshot' || '' }} + env: + GITHUB_TOKEN: ${{ env.PUBLISH == 'true' && github.token || '' }} + GORELEASER_KEY: ${{ env.PUBLISH == 'true' && secrets.GORELEASER_KEY || '' }} + - run: ./scripts/generate-checksums.sh + - if: env.PUBLISH == 'true' + env: + GITHUB_TOKEN: ${{ github.token }} + run: ./scripts/publish-checksums.sh diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c81d72430fa..3116da07c74 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,14 +4,14 @@ on: schedule: - cron: '0 12 * * *' +permissions: {} + jobs: stale: - - runs-on: ubuntu-latest permissions: issues: write pull-requests: write - + runs-on: ubuntu-latest steps: - uses: actions/stale@v9 with: diff --git a/.github/workflows/sync-master-main.yaml b/.github/workflows/sync-master-main.yaml index 05a60f08969..b629b560433 100644 --- a/.github/workflows/sync-master-main.yaml +++ b/.github/workflows/sync-master-main.yaml @@ -1,14 +1,16 @@ name: sync-master-main + on: push: branches: - master -permissions: - contents: write +permissions: {} jobs: sync: + permissions: + contents: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 491a69d8e5e..127dd58d3f9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,8 +16,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read +permissions: {} jobs: discover: 
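Review bot: Both `actions/checkout@v4` steps in release.yml keep the default `persist-credentials: true`, so in the `release` job the `contents: write` token is stored in the checked-out repository's git configuration and stays readable by every later step, including goreleaser on a dry run where `GITHUB_TOKEN` is deliberately blanked. Adding `persist-credentials: false` under `with:` on the checkout closes that gap. The same job also runs goreleaser-pro at `version: latest` and references `ipfs/download-ipfs-distribution-action@v1` by tag; pinning both, as the goreleaser action itself is pinned by SHA, would keep the inputs of the job that creates releases reproducible.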
@@ -239,7 +238,7 @@ jobs: path: ${{ steps.make_deps.outputs.path }} lookup-only: true - if: steps.restore_fetch_params.outputs.cache-hit != 'true' - uses: ./.github/actions/install-ubuntu-deps + uses: ./.github/actions/install-system-dependencies - if: steps.restore_fetch_params.outputs.cache-hit != 'true' uses: ./.github/actions/install-go - if: steps.restore_fetch_params.outputs.cache-hit != 'true' || steps.restore_make_deps.outputs.cache-hit != 'true' @@ -272,7 +271,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: 'recursive' - - uses: ./.github/actions/install-ubuntu-deps + - uses: ./.github/actions/install-system-dependencies - uses: ./.github/actions/install-go - run: go install gotest.tools/gotestsum@latest - name: Restore cached make deps outputs diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 766f4f30aed..f855ee969dd 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -27,7 +27,7 @@ builds: - goos: linux goarch: arm64 prebuilt: - path: /tmp/workspace/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus + path: '{{ if index .Env "GITHUB_WORKSPACE" }}{{ .Env.GITHUB_WORKSPACE }}{{ else }}/tmp/workspace{{ end }}/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus' - id: lotus-miner binary: lotus-miner builder: prebuilt @@ -43,7 +43,7 @@ builds: - goos: linux goarch: arm64 prebuilt: - path: /tmp/workspace/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-miner + path: '{{ if index .Env "GITHUB_WORKSPACE" }}{{ .Env.GITHUB_WORKSPACE }}{{ else }}/tmp/workspace{{ end }}/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-miner' - id: lotus-worker binary: lotus-worker builder: prebuilt 
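Review bot: The prebuilt `path` in .goreleaser.yaml now repeats the same `{{ if index .Env "GITHUB_WORKSPACE" }}…{{ else }}/tmp/workspace{{ end }}` prefix in three builds (lotus, lotus-miner, and lotus-worker in the following hunk) with nothing explaining why two roots exist. A comment above the first occurrence, for example `# GITHUB_WORKSPACE on GitHub Actions; /tmp/workspace is the fallback for the previous CI`, would help whoever removes the fallback later (the fallback's origin is presumably the CircleCI workspace; confirm). Since the directory is taken from the environment verbatim, it is also worth stating in that comment that the binaries packaged into a release come from whatever `GITHUB_WORKSPACE` points at.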
@@ -59,7 +59,7 @@ builds: - goos: linux goarch: arm64 prebuilt: - path: /tmp/workspace/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-worker + path: '{{ if index .Env "GITHUB_WORKSPACE" }}{{ .Env.GITHUB_WORKSPACE }}{{ else }}/tmp/workspace{{ end }}/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-worker' archives: - id: primary