stacks-core/.github/workflows/github-release.yml at master · Shellnco/stacks-core · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
## Github workflow to create a github release and upload binary artifacts

name: Github Release

on:
  workflow_call:
    inputs:
      node_tag:
        description: "Node Release Tag"
        required: true
        type: string
      node_docker_tag:
        description: "Node Docker Release Tag"
        required: true
        type: string
      signer_tag:
        description: "Signer Release Tag"
        required: true
        type: string
      signer_docker_tag:
        description: "Signer Docker Release Tag"
        required: true
        type: string
      is_node_release:
        description: "True if it is a node release"
        required: true
        type: string
      is_signer_release:
        description: "True if it is a signer release"
        required: true
        type: string

concurrency:
  group: github-release-${{ github.head_ref || github.ref }}
  ## Always cancel duplicate jobs
  cancel-in-progress: true

run-name: ${{ inputs.node_tag || inputs.signer_tag }}

jobs:
  ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
  ##   - If this job isn't approved to run, then the subsequent jobs will also not run - for this reason, we always exit 0
  ##   - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
  andon-cord:
    if: |
      inputs.node_tag != '' ||
      inputs.signer_tag != ''
    name: Andon Cord
    runs-on: ubuntu-latest
    environment: "Build Release"
    steps:
      - name: Check Approval
        id: check
        run: |
          exit 0
  ## Build arch dependent binaries from source
  ##
  ## Runs when the following is true:
  ##  - either node or signer tag is provided
  build-binaries:
    if: |
      inputs.node_tag != '' ||
      inputs.signer_tag != ''
    name: Build Binaries
    runs-on: ubuntu-latest-m
    needs:
      - andon-cord
    permissions:
      id-token: write
      attestations: write
    strategy:
      ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch
      max-parallel: 10
      matrix:
        arch:
          - linux-musl
          - linux-glibc
          - macos
          - windows
        cpu:
          - arm64
          - x86-64 ## defaults to x86-64-v3 variant - intel haswell (2013) and newer
          # - x86-64-v2 ## intel nehalem (2008) and newer
          # - x86-64-v3 ## intel haswell (2013) and newer
          # - x86-64-v4 ## intel skylake (2017) and newer
        exclude:
          - arch: windows # excludes windows-arm64
            cpu: arm64
          - arch: windows # excludes windows-armv7
            cpu: armv7
          - arch: macos # excludes macos-armv7
            cpu: armv7
          - arch: macos # excludes macos-x64
            cpu: x86-64
    steps:
      - name: Build Binary (${{ matrix.arch }}_${{ matrix.cpu }})
        uses: stacks-network/actions/stacks-core/release/create-source-binary@main
        with:
          arch: ${{ matrix.arch }}
          cpu: ${{ matrix.cpu }}
          node_tag: ${{ inputs.node_tag }}
          signer_tag: ${{ inputs.signer_tag }}
          signer_docker_tag: ${{ inputs.signer_docker_tag }}
          is_node_release: ${{ inputs.is_node_release }}

  ## Runs when the following is true:
  ##  - either node or signer tag is provided
  create-release:
    if: |
      inputs.node_tag != '' ||
      inputs.signer_tag != ''
    name: Create Release
    runs-on: ubuntu-latest
    needs:
      - andon-cord
      - build-binaries
    permissions:
      contents: write
    steps:
      ## Creates releases
      - name: Create Release
        uses: stacks-network/actions/stacks-core/release/create-releases@main
        with:
          node_tag: ${{ inputs.node_tag }}
          node_docker_tag: ${{ inputs.node_docker_tag }}
          signer_tag: ${{ inputs.signer_tag }}
          signer_docker_tag: ${{ inputs.signer_docker_tag }}
          is_node_release: ${{ inputs.is_node_release }}
          is_signer_release: ${{ inputs.is_signer_release }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  ## Builds arch dependent Docker images from binaries
  ##
  ## Note: this step requires the binaries in the create-release step to be uploaded
  ## Runs when the following is true:
  ##  - either node or signer tag is provided
  docker-image:
    if: |
      inputs.node_tag != '' ||
      inputs.signer_tag != ''
    name: Docker Image (Binary)
    runs-on: ubuntu-latest
    environment: "Push to Docker"
    permissions:
      id-token: write
      attestations: write
    needs:
      - andon-cord
      - build-binaries
      - create-release
    strategy:
      fail-fast: false
      ## Build a maximum of 2 images concurrently based on matrix.dist
      max-parallel: 2
      matrix:
        dist:
          - alpine
          - debian
    steps:
      - name: Create Docker Image
        uses: stacks-network/actions/stacks-core/release/docker-images@main
        with:
          node_tag: ${{ inputs.node_tag }}
          node_docker_tag: ${{ inputs.node_docker_tag }}
          signer_tag: ${{ inputs.signer_tag }}
          signer_docker_tag: ${{ inputs.signer_docker_tag }}
          is_node_release: ${{ inputs.is_node_release }}
          is_signer_release: ${{ inputs.is_signer_release }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
          dist: ${{ matrix.dist }}

  ## Create the downstream PR for the release branch to master,develop
  create-pr:
    if: |
      (
        inputs.node_tag != '' ||
        inputs.signer_tag != ''
      )
    name: Create Downstream PR (${{ github.ref_name }})
    runs-on: ubuntu-latest
    needs:
      - andon-cord
      - build-binaries
      - create-release
      - docker-image
    permissions:
      pull-requests: write
    steps:
      - name: Open Downstream PR
        id: create-pr
        uses: stacks-network/actions/stacks-core/release/downstream-pr@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}