Release - Publish Docker Image #68

Workflow file for this run

.github/workflows/release-50_publish-docker.yml at a427d8f

	name: Release - Publish Docker Image

	# This workflow listens to published releases or can be triggered manually.
	# It builds and published releases and rc candidates.

	on:
	#TODO: activate automated run later
	# release:
	# types:
	# - published
	workflow_dispatch:
	inputs:
	image_type:
	description: Type of the image to be published
	required: true
	default: rc
	type: choice
	options:
	- rc
	- release

	binary:
	description: Binary to be published
	required: true
	default: polkadot
	type: choice
	options:
	- polkadot
	- polkadot-parachain
	- chain-spec-builder

	release_id:
	description: \|
	Release ID.
	You can find it using the command:
	curl -s \
	-H "Authorization: Bearer ${GITHUB_TOKEN}" https://api.github.com/repos/$OWNER/$REPO/releases \| \
	jq '.[] \| { name: .name, id: .id }'
	required: true
	type: number

	registry:
	description: Container registry
	required: true
	type: string
	default: docker.io

	# The owner is often the same as the Docker Hub username but does ont have to be.
	# In our case, it is not.
	owner:
	description: Owner of the container image repo
	required: true
	type: string
	default: parity

	version:
	description: version to build/release
	default: v0.9.18
	required: true

	stable_tag:
	description: Tag matching the actual stable release version in the format stableYYMM or stableYYMM-X for patch releases
	required: true

	permissions:
	contents: write

	env:
	ENGINE: docker
	REGISTRY: ${{ inputs.registry }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	DOCKER_OWNER: ${{ inputs.owner \|\| github.repository_owner }}
	REPO: ${{ github.repository }}
	BINARY: ${{ inputs.binary }}
	# EVENT_ACTION: ${{ github.event.action }}
	EVENT_NAME: ${{ github.event_name }}
	IMAGE_TYPE: ${{ inputs.image_type }}

	jobs:
	validate-inputs:
	runs-on: ubuntu-latest
	outputs:
	version: ${{ steps.validate_inputs.outputs.VERSION }}
	release_id: ${{ steps.validate_inputs.outputs.RELEASE_ID }}
	stable_tag: ${{ steps.validate_inputs.outputs.stable_tag }}

	steps:
	- name: Checkout sources
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Validate inputs
	id: validate_inputs
	run: \|
	. ./.github/scripts/common/lib.sh

	VERSION=$(filter_version_from_input "${{ inputs.version }}")
	echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT

	RELEASE_ID=$(check_release_id "${{ inputs.release_id }}")
	echo "RELEASE_ID=${RELEASE_ID}" >> $GITHUB_OUTPUT

	echo "Release ID: $RELEASE_ID"

	STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }})
	echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT

	fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build
	if: ${{ inputs.binary == 'polkadot-parachain' \|\| inputs.binary == 'chain-spec-builder' \|\| inputs.image_type == 'rc' }}
	runs-on: ubuntu-latest
	needs: [validate-inputs]

	steps:
	- name: Checkout sources
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	#TODO: this step will be needed when automated triggering will work
	#this step runs only if the workflow is triggered automatically when new release is published
	# if: ${{ env.EVENT_NAME == 'release' && env.EVENT_ACTION != '' && env.EVENT_ACTION == 'published' }}
	# run: \|
	# mkdir -p release-artifacts && cd release-artifacts

	# for f in $BINARY $BINARY.asc $BINARY.sha256; do
	# URL="https://github.com/${{ github.event.repository.full_name }}/releases/download/${{ github.event.release.tag_name }}/$f"
	# echo " - Fetching $f from $URL"
	# wget "$URL" -O "$f"
	# done
	# chmod a+x $BINARY
	# ls -al

	- name: Fetch rc artifacts or release artifacts from s3 based on version
	#this step runs only if the workflow is triggered manually
	if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'chain-spec-builder'}}
	run: \|
	. ./.github/scripts/common/lib.sh

	VERSION="${{ needs.validate-inputs.outputs.VERSION }}"
	fetch_release_artifacts_from_s3

	- name: Fetch chain-spec-builder rc artifacts or release artifacts based on release id
	#this step runs only if the workflow is triggered manually and only for chain-spec-builder
	if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary == 'chain-spec-builder' }}
	run: \|
	. ./.github/scripts/common/lib.sh

	RELEASE_ID="${{ needs.validate-inputs.outputs.RELEASE_ID }}"
	fetch_release_artifacts

	- name: Upload artifacts
	uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
	with:
	name: release-artifacts
	path: release-artifacts/${{ env.BINARY }}/*/

	build-container: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build
	if: ${{ inputs.binary == 'polkadot-parachain' \|\| inputs.binary == 'chain-spec-builder' \|\| inputs.image_type == 'rc' }}
	runs-on: ubuntu-latest
	needs: [fetch-artifacts, validate-inputs]
	environment: release

	steps:
	- name: Checkout sources
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Download artifacts
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8

	- name: Check sha256 ${{ env.BINARY }}
	if: ${{ inputs.binary == 'polkadot-parachain' \|\| inputs.binary == 'polkadot' }}
	working-directory: release-artifacts
	run: \|
	. ../.github/scripts/common/lib.sh

	echo "Checking binary $BINARY"
	check_sha256 $BINARY && echo "OK" \|\| echo "ERR"

	- name: Check GPG ${{ env.BINARY }}
	if: ${{ inputs.binary == 'polkadot-parachain' \|\| inputs.binary == 'polkadot' }}
	working-directory: release-artifacts
	run: \|
	. ../.github/scripts/common/lib.sh
	import_gpg_keys
	check_gpg $BINARY

	- name: Fetch rc commit and tag
	if: ${{ env.IMAGE_TYPE == 'rc' }}
	id: fetch_rc_refs
	run: \|
	. ./.github/scripts/common/lib.sh

	release="release-${{ needs.validate-inputs.outputs.RELEASE_ID }}" && \
	echo "release=${release}" >> $GITHUB_OUTPUT

	commit=$(git rev-parse --short HEAD) && \
	echo "commit=${commit}" >> $GITHUB_OUTPUT

	tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \
	[ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT \|\| \
	echo "No tag, doing without"

	- name: Fetch release tags
	working-directory: release-artifacts
	if: ${{ env.IMAGE_TYPE == 'release'}}
	id: fetch_release_refs
	run: \|
	chmod a+rx $BINARY

	if [[ $BINARY != 'chain-spec-builder' ]]; then
	VERSION=$(./$BINARY --version \| awk '{ print $2 }' )
	release=$( echo $VERSION \| cut -f1 -d- )
	else
	release=$(echo ${{ needs.validate-inputs.outputs.VERSION }} \| sed 's/^v//')
	fi

	echo "tag=latest" >> $GITHUB_OUTPUT
	echo "release=${release}" >> $GITHUB_OUTPUT
	echo "stable=${{ needs.validate-inputs.outputs.stable_tag }}" >> $GITHUB_OUTPUT

	- name: Build Injected Container image for polkadot rc or chain-spec-builder
	if: ${{ env.BINARY == 'polkadot' \|\| env.BINARY == 'chain-spec-builder' }}
	env:
	ARTIFACTS_FOLDER: release-artifacts
	IMAGE_NAME: ${{ env.BINARY }}
	OWNER: ${{ env.DOCKER_OWNER }}
	TAGS: ${{ join(steps.fetch_rc_refs.outputs., ',') \|\| join(steps.fetch_release_refs.outputs., ',') }}
	run: \|
	ls -al
	echo "Building container for $BINARY"
	./docker/scripts/build-injected.sh

	- name: Build Injected Container image for polkadot-parachain
	if: ${{ env.BINARY == 'polkadot-parachain' }}
	env:
	ARTIFACTS_FOLDER: release-artifacts
	IMAGE_NAME: ${{ env.BINARY }}
	OWNER: ${{ env.DOCKER_OWNER }}
	DOCKERFILE: docker/dockerfiles/polkadot-parachain/polkadot-parachain_injected.Dockerfile
	TAGS: ${{ join(steps.fetch_rc_refs.outputs., ',') \|\| join(steps.fetch_release_refs.outputs., ',') }}
	run: \|
	ls -al
	mkdir -p $ARTIFACTS_FOLDER/specs
	cp cumulus/parachains/chain-specs/*.json $ARTIFACTS_FOLDER/specs

	echo "Building container for $BINARY"
	./docker/scripts/build-injected.sh

	- name: Login to Dockerhub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.CUMULUS_DOCKERHUB_USERNAME }}
	password: ${{ secrets.CUMULUS_DOCKERHUB_TOKEN }}

	- name: Push Container image for ${{ env.BINARY }}
	id: docker_push
	run: \|
	$ENGINE images \| grep ${BINARY}
	$ENGINE push --all-tags ${REGISTRY}/${DOCKER_OWNER}/${BINARY}

	- name: Check version for the published image for ${{ env.BINARY }}
	env:
	RELEASE_TAG: ${{ steps.fetch_rc_refs.outputs.release \|\| steps.fetch_release_refs.outputs.release }}
	run: \|
	echo "Checking tag ${RELEASE_TAG} for image ${REGISTRY}/${DOCKER_OWNER}/${BINARY}"
	if [[ ${BINARY} == 'chain-spec-builder' ]]; then
	$ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG}
	else
	$ENGINE run -i ${REGISTRY}/${DOCKER_OWNER}/${BINARY}:${RELEASE_TAG} --version
	fi

	fetch-latest-debian-package-version: # this job will be triggered for polkadot release build
	if: ${{ inputs.binary == 'polkadot' && inputs.image_type == 'release' }}
	runs-on: ubuntu-latest
	outputs:
	polkadot_apt_version: ${{ steps.fetch-latest-apt.outputs.polkadot_apt_version }}
	polkadot_container_tag: ${{ steps.fetch-latest-apt.outputs.polkadot_container_tag }}
	container:
	image: paritytech/parity-keyring
	options: --user root
	steps:
	- name: Get version
	id: fetch-latest-apt
	run: \|
	apt update
	apt show polkadot
	version=$(apt show polkadot 2>/dev/null \| grep "Version:" \| awk '{print $2}')
	tag=$(echo $version \| sed 's/-.*//')
	echo "polkadot_apt_version=v$version" >> $GITHUB_OUTPUT
	echo "polkadot_container_tag=v$tag" >> $GITHUB_OUTPUT
	echo "You passed ${{ inputs.version }} but this is ignored"
	echo "We use the version from the Debian Package: $version"

	build-polkadot-release-container: # this job will be triggered for polkadot release build
	if: ${{ inputs.binary == 'polkadot' && inputs.image_type == 'release' }}
	runs-on: ubuntu-latest
	needs: [fetch-latest-debian-package-version, validate-inputs]
	environment: release
	steps:
	- name: Checkout sources
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

	- name: Cache Docker layers
	uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
	with:
	path: /tmp/.buildx-cache
	key: ${{ runner.os }}-buildx-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-buildx-

	- name: Login to Docker Hub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ secrets.POLKADOT_DOCKERHUB_USERNAME }}
	password: ${{ secrets.POLKADOT_DOCKERHUB_TOKEN }}

	- name: Fetch values
	id: fetch-data
	run: \|
	date=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
	echo "date=$date" >> $GITHUB_OUTPUT

	- name: Build and push
	id: docker_build
	uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
	with:
	push: true
	file: docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile
	# TODO: The owner should be used below but buildx does not resolve the VARs
	# TODO: It would be good to get rid of this GHA that we don't really need.
	tags: \|
	parity/polkadot:${{ needs.validate-inputs.outputs.stable_tag }}
	parity/polkadot:latest
	parity/polkadot:${{ needs.fetch-latest-debian-package-version.outputs.polkadot_container_tag }}
	build-args: \|
	VCS_REF=${{ github.ref }}
	POLKADOT_VERSION=${{ needs.fetch-latest-debian-package-version.outputs.polkadot_apt_version }}
	BUILD_DATE=${{ steps.fetch-data.outputs.date }}
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache
	- name: Image digest
	run: echo ${{ steps.docker_build.outputs.digest }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release - Publish Docker Image #68

Workflow file

Release - Publish Docker Image #68

Jobs

Run details

Workflow file for this run