From e191ab855837bb3066f8a841fe19d445cf7b4c6a Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Tue, 18 Nov 2025 11:46:25 -0800 Subject: [PATCH 01/10] Updating relase workflow to use artifacts and push images to ghcr --- .../dockerfiles/Dockerfile.alpine-binary | 39 -- .../dockerfiles/Dockerfile.debian-binary | 39 -- .../dockerfiles/alpine/Dockerfile.release | 18 + .../alpine/Dockerfile.release.signer | 20 + .github/actions/dockerfiles/debian/Dockerfile | 19 + .../dockerfiles/debian/Dockerfile.release | 18 + .../debian/Dockerfile.release.signer | 19 + .github/workflows/ci.yml | 485 +++++++++--------- .github/workflows/docker-image.yml | 252 +++++++++ .github/workflows/github-release.yml | 194 ------- .github/workflows/image-build-source.yml | 91 ---- .github/workflows/release-build.yml | 302 +++++++++++ .github/workflows/release-docker.yml | 217 ++++++++ .github/workflows/release-github.yml | 143 ++++++ 14 files changed, 1253 insertions(+), 603 deletions(-) delete mode 100644 .github/actions/dockerfiles/Dockerfile.alpine-binary delete mode 100644 .github/actions/dockerfiles/Dockerfile.debian-binary create mode 100644 .github/actions/dockerfiles/alpine/Dockerfile.release create mode 100644 .github/actions/dockerfiles/alpine/Dockerfile.release.signer create mode 100644 .github/actions/dockerfiles/debian/Dockerfile create mode 100644 .github/actions/dockerfiles/debian/Dockerfile.release create mode 100644 .github/actions/dockerfiles/debian/Dockerfile.release.signer create mode 100644 .github/workflows/docker-image.yml delete mode 100644 .github/workflows/github-release.yml delete mode 100644 .github/workflows/image-build-source.yml create mode 100644 .github/workflows/release-build.yml create mode 100644 .github/workflows/release-docker.yml create mode 100644 .github/workflows/release-github.yml 
diff --git a/.github/actions/dockerfiles/Dockerfile.alpine-binary b/.github/actions/dockerfiles/Dockerfile.alpine-binary deleted file mode 100644 index 691d39ee3dd..00000000000 --- a/.github/actions/dockerfiles/Dockerfile.alpine-binary +++ /dev/null @@ -1,39 +0,0 @@ -FROM --platform=${TARGETPLATFORM} alpine as builder -# Use a small image to download and extract the release archive - -ARG TAG -ARG BIN_ARCH -ARG TARGETPLATFORM -ARG BUILDPLATFORM -ARG TARGETARCH -ARG TARGETVARIANT -ARG REPO - -RUN case ${TARGETPLATFORM} in \ - linux/amd64*) BIN_ARCH=linux-musl-x64 ;; \ - linux/arm64*) BIN_ARCH=linux-musl-arm64 ;; \ - linux/arm/v7) BIN_ARCH=linux-musl-armv7 ;; \ - *) exit 1 ;; \ - esac \ - && echo "TARGETPLATFORM: $TARGETPLATFORM" \ - && echo "BIN_ARCH: $BIN_ARCH" \ - && echo "wget -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip" \ - && wget -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip \ - && unzip ${BIN_ARCH}.zip -d /out - -FROM --platform=${TARGETPLATFORM} alpine -COPY --from=builder /out/* /bin/ -ARG TAG - -RUN case "${TAG}" in \ - signer-*) \ - echo "/bin/stacks-signer run --config /signer-config.toml" > /tmp/command.sh \ - ;; \ - *) \ - echo "/bin/stacks-node mainnet" > /tmp/command.sh && \ - rm /bin/stacks-cli /bin/clarity-cli /bin/stacks-inspect \ - ;; \ - esac && \ - chmod +x /tmp/command.sh - -CMD ["sh", "-c", "/tmp/command.sh"] diff --git a/.github/actions/dockerfiles/Dockerfile.debian-binary b/.github/actions/dockerfiles/Dockerfile.debian-binary deleted file mode 100644 index 83687722d3a..00000000000 --- a/.github/actions/dockerfiles/Dockerfile.debian-binary +++ /dev/null 
@@ -1,39 +0,0 @@ -FROM --platform=${TARGETPLATFORM} alpine as builder -# Use a small image to download and extract the release archive - -ARG TAG -ARG BIN_ARCH -ARG TARGETPLATFORM -ARG BUILDPLATFORM -ARG TARGETARCH -ARG TARGETVARIANT -ARG REPO - -RUN case ${TARGETPLATFORM} in \ - linux/amd64*) BIN_ARCH=linux-glibc-x64 ;; \ - linux/arm64*) BIN_ARCH=linux-glibc-arm64 ;; \ - linux/arm/v7) BIN_ARCH=linux-glibc-armv7 ;; \ - *) exit 1 ;; \ - esac \ - && echo "TARGETPLATFORM: $TARGETPLATFORM" \ - && echo "BIN_ARCH: $BIN_ARCH" \ - && echo "wget -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip" \ - && wget -q https://github.com/${REPO}/releases/download/${TAG}/${BIN_ARCH}.zip -O /${BIN_ARCH}.zip \ - && unzip ${BIN_ARCH}.zip -d /out - -FROM --platform=${TARGETPLATFORM} debian:bookworm -COPY --from=builder /out/* /bin/ -ARG TAG - -RUN case "${TAG}" in \ - signer-*) \ - echo "/bin/stacks-signer run --config /signer-config.toml" > /tmp/command.sh \ - ;; \ - *) \ - echo "/bin/stacks-node mainnet" > /tmp/command.sh && \ - rm /bin/stacks-cli /bin/clarity-cli /bin/stacks-inspect \ - ;; \ - esac && \ - chmod +x /tmp/command.sh - -CMD ["sh", "-c", "/tmp/command.sh"] diff --git a/.github/actions/dockerfiles/alpine/Dockerfile.release b/.github/actions/dockerfiles/alpine/Dockerfile.release new file mode 100644 index 00000000000..a925ed7de54 --- /dev/null +++ b/.github/actions/dockerfiles/alpine/Dockerfile.release 
@@ -0,0 +1,18 @@
+FROM alpine AS builder
+
+ARG TARGETPLATFORM
+ENV ARCHIVE_ROOT="/release"
+
+# upload the release artifacts downloaded to /tmp/release to /release in the build stage
+COPY ./release/ $ARCHIVE_ROOT
+
+RUN case ${TARGETPLATFORM} in \
+ linux/amd64*) ARCHIVE=${ARCHIVE_ROOT}/linux-musl-x64.zip ;; \
+ linux/arm64*) ARCHIVE=${ARCHIVE_ROOT}/linux-musl-arm64.zip ;; \
+ *) exit 1 ;; \
+ esac \
+ && unzip "$ARCHIVE" "stacks-node" -d /out
+
+FROM alpine
+COPY --from=builder /out/* /bin/
+CMD ["/bin/stacks-node run --config /signer-config.toml"]
diff --git a/.github/actions/dockerfiles/alpine/Dockerfile.release.signer b/.github/actions/dockerfiles/alpine/Dockerfile.release.signer
new file mode 100644
index 00000000000..1eb57543a35
--- /dev/null
+++ b/.github/actions/dockerfiles/alpine/Dockerfile.release.signer
@@ -0,0 +1,20 @@
+FROM alpine AS builder
+
+LABEL org.opencontainers.image.description="Stacks Signer CLI"
+
+ARG TARGETPLATFORM
+ENV ARCHIVE_ROOT="/release"
+
+# upload the release artifacts downloaded to /tmp/release to /release in the build stage
+COPY ./release/ $ARCHIVE_ROOT
+
+RUN case ${TARGETPLATFORM} in \
+ linux/amd64*) ARCHIVE=${ARCHIVE_ROOT}/linux-musl-x64.zip ;; \
+ linux/arm64*) ARCHIVE=${ARCHIVE_ROOT}/linux-musl-arm64.zip ;; \
+ *) exit 1 ;; \
+ esac \
+ && unzip "$ARCHIVE" "stacks-signer" -d /out
+
+FROM alpine
+COPY --from=builder /out/* /bin/
+CMD ["/bin/stacks-signer run --config /signer-config.toml"]
diff --git a/.github/actions/dockerfiles/debian/Dockerfile b/.github/actions/dockerfiles/debian/Dockerfile
new file mode 100644
index 00000000000..5340ad64fef
--- /dev/null
+++ b/.github/actions/dockerfiles/debian/Dockerfile
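Review bot: The `CMD` that closes alpine/Dockerfile.release is exec form with a single array element, so the runtime looks for an executable literally named `/bin/stacks-node run --config /signer-config.toml` and the container fails to start. Exec form needs one element per argument; keeping the arguments as written, that is `CMD ["/bin/stacks-node", "run", "--config", "/signer-config.toml"]`. The same single-string `CMD` is used in alpine/Dockerfile.release.signer, debian/Dockerfile, debian/Dockerfile.release and debian/Dockerfile.release.signer.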
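Review bot: In alpine/Dockerfile.release.signer the `LABEL org.opencontainers.image.description="Stacks Signer CLI"` line sits in the `builder` stage, which is discarded, so the image produced from the final `FROM alpine` stage does not carry it. Move the `LABEL` below the second `FROM` if the description is meant to appear on the shipped image. debian/Dockerfile.release.signer has the same placement; labels may also be applied by the workflow at build time, which is not visible in this hunk.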
@@ -0,0 +1,19 @@
+# Dockerfile used to build an image including all binaries
+FROM alpine AS builder
+
+ARG TARGETPLATFORM
+ENV ARCHIVE_ROOT="/release"
+
+# upload the release artifacts downloaded to /tmp/release to /release in the build stage
+COPY ./release/ $ARCHIVE_ROOT
+
+RUN case ${TARGETPLATFORM} in \
+ linux/amd64*) ARCHIVE=${ARCHIVE_ROOT}/linux-glibc-x64.zip ;; \
+ linux/arm64*) ARCHIVE=${ARCHIVE_ROOT}/linux-glibc-arm64.zip ;; \
+ *) exit 1 ;; \
+ esac \
+ && unzip "$ARCHIVE" -d /out
+
+FROM debian:stable-slim
+COPY --from=builder /out/* /bin/
+CMD ["/bin/stacks-node mainnet"]
diff --git a/.github/actions/dockerfiles/debian/Dockerfile.release b/.github/actions/dockerfiles/debian/Dockerfile.release
new file mode 100644
index 00000000000..61f7a260bac
--- /dev/null
+++ b/.github/actions/dockerfiles/debian/Dockerfile.release
@@ -0,0 +1,18 @@
+FROM alpine AS builder
+
+ARG TARGETPLATFORM
+ENV ARCHIVE_ROOT="/release"
+
+# upload the release artifacts downloaded to /tmp/release to /release in the build stage
+COPY ./release/ $ARCHIVE_ROOT
+
+RUN case ${TARGETPLATFORM} in \
+ linux/amd64*) ARCHIVE=${ARCHIVE_ROOT}/linux-glibc-x64.zip ;; \
+ linux/arm64*) ARCHIVE=${ARCHIVE_ROOT}/linux-glibc-arm64.zip ;; \
+ *) exit 1 ;; \
+ esac \
+ && unzip "$ARCHIVE" "stacks-node" -d /out
+
+FROM debian:stable-slim
+COPY --from=builder /out/* /bin/
+CMD ["/bin/stacks-signer run --config /signer-config.toml"]
diff --git a/.github/actions/dockerfiles/debian/Dockerfile.release.signer b/.github/actions/dockerfiles/debian/Dockerfile.release.signer
new file mode 100644
index 00000000000..9a305673ab6
--- /dev/null
+++ b/.github/actions/dockerfiles/debian/Dockerfile.release.signer
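Review bot: Both stages of debian/Dockerfile use floating bases (`FROM alpine` with no tag, `FROM debian:stable-slim`), so a release image rebuilt from the same artifacts can end up on a different base, while the workflows in this commit pin marketplace actions by commit SHA. Pin the bases by tag and digest as well, for example `FROM debian:stable-slim@sha256:PLACEHOLDER_DIGEST`, here and in the four other new Dockerfiles. The final stage also sets no `USER`, so the node runs as root; a dedicated account plus a `USER` line before `CMD` would limit what a compromised process can reach, subject to the ownership of whatever data directory is mounted at run time.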
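Review bot: debian/Dockerfile.release extracts only `stacks-node` from the archive (`unzip "$ARCHIVE" "stacks-node" -d /out`), but its `CMD` starts `/bin/stacks-signer`, a binary that is not copied into the image. The line looks carried over from the signer Dockerfile; the node image should presumably start the node, as debian/Dockerfile does with `stacks-node mainnet`. alpine/Dockerfile.release has a related leftover: it passes `run --config /signer-config.toml`, which looks like the signer's invocation, to `stacks-node`.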
@@ -0,0 +1,19 @@
+FROM alpine AS builder
+LABEL org.opencontainers.image.description="Stacks Signer CLI"
+
+ARG TARGETPLATFORM
+ENV ARCHIVE_ROOT="/release"
+
+# upload the release artifacts downloaded to /tmp/release to /release in the build stage
+COPY ./release/ $ARCHIVE_ROOT
+
+RUN case ${TARGETPLATFORM} in \
+ linux/amd64*) ARCHIVE=${ARCHIVE_ROOT}/linux-glibc-x64.zip ;; \
+ linux/arm64*) ARCHIVE=${ARCHIVE_ROOT}/linux-glibc-arm64.zip ;; \
+ *) exit 1 ;; \
+ esac \
+ && unzip "$ARCHIVE" "stacks-signer" -d /out
+
+FROM debian:stable-slim
+COPY --from=builder /out/* /bin/
+CMD ["/bin/stacks-signer run --config /signer-config.toml"]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1d892d8d515..8c8e9335fb9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,252 +2,257 @@ name: CI on: - merge_group: - types: - - checks_requested - push: - branches: - - master - - develop - - next - paths-ignore: - - "**.md" - - "**.yml" - workflow_dispatch: - pull_request: - types: - - opened - - reopened - - synchronize + merge_group: + types: + - checks_requested + push: + branches: + - master + - develop + - next + paths-ignore: + - "**.md" + - "**.yml" + workflow_dispatch: + pull_request: + types: + - opened + - reopened + - synchronize defaults: - run: - shell: bash + run: + shell: bash concurrency: - group: ci-${{ github.head_ref || github.ref || github.run_id }} - ## Always cancel duplicate jobs - cancel-in-progress: true + group: ci-${{ github.head_ref || github.ref || github.run_id }} + ## Always cancel duplicate jobs + cancel-in-progress: true run-name: ${{ github.ref_name }} jobs: - ## - ## Jobs to execute everytime workflow runs - ## do not run if the trigger is any of the following: - ## - PR review submitted (not approved) - ## and any of: - ## - PR review comment - ## - PR change is requested - rustfmt: - name: Rust Format - runs-on: ubuntu-latest - steps: - - name: Rustfmt - id: rustfmt - uses: stacks-network/actions/rustfmt@main - with: - alias: "fmt-stacks" - - ###################################################################################### - ## Check if the branch that this workflow is being run against is a release branch - ## - ## Outputs: - ## - node_tag: Tag of the stacks-node if the branch is a release one (example: release/3.4.0.0.1), null otherwise - ## - node_docker_tag: Version of the stacks-node if the branch is a release one (example: 3.4.0.0.1), null otherwise - ## - signer_tag: Tag of the stacks-signer if the branch is a release one (example: release/3.4.0.0.1.0), null otherwise - ## - signer_docker_tag: Version of the stacks-signer if the branch is a release one (example: 3.4.0.0.1.0), null otherwise - ## - is_node_release: True if the branch represents a 'stacks-node' release, false 
otherwise. - ## If this is true, 'is_signer_release' will also be true, since a 'stacks-signer' binary - ## is always released alongside 'stacks-node'. - ## - is_signer_release: True if the branch represents a 'stacks-signer' release, false otherwise. - check-release: - name: Check Release - needs: - - rustfmt - runs-on: ubuntu-latest - outputs: - node_tag: ${{ steps.check_release.outputs.node_tag }} - node_docker_tag: ${{ steps.check_release.outputs.node_docker_tag }} - signer_tag: ${{ steps.check_release.outputs.signer_tag }} - signer_docker_tag: ${{ steps.check_release.outputs.signer_docker_tag }} - is_node_release: ${{ steps.check_release.outputs.is_node_release }} - is_signer_release: ${{ steps.check_release.outputs.is_signer_release }} - steps: - - name: Check Release - id: check_release - uses: stacks-network/actions/stacks-core/release/check-release@main + ## + ## Jobs to execute everytime workflow runs + ## do not run if the trigger is any of the following: + ## - PR review submitted (not approved) + ## and any of: + ## - PR review comment + ## - PR change is requested + rustfmt: + name: Rust Format + runs-on: ubuntu-latest + steps: + - name: Rustfmt + id: rustfmt + uses: stacks-network/actions/rustfmt@main + with: + alias: "fmt-stacks" + + ###################################################################################### + ## Check if the branch that this workflow is being run against is a release branch + ## + ## Outputs: + ## - node_tag: Tag of the stacks-node if the branch is a release one (example: release/3.4.0.0.1), null otherwise + ## - node_docker_tag: Version of the stacks-node if the branch is a release one (example: 3.4.0.0.1), null otherwise + ## - signer_tag: Tag of the stacks-signer if the branch is a release one (example: release/3.4.0.0.1.0), null otherwise + ## - signer_docker_tag: Version of the stacks-signer if the branch is a release one (example: 3.4.0.0.1.0), null otherwise + ## - is_node_release: True if the branch represents a 
'stacks-node' release, false otherwise. + ## If this is true, 'is_signer_release' will also be true, since a 'stacks-signer' binary + ## is always released alongside 'stacks-node'. + ## - is_signer_release: True if the branch represents a 'stacks-signer' release, false otherwise. + check-release: + name: Check Release + needs: + - rustfmt + runs-on: ubuntu-latest + outputs: + node_tag: ${{ steps.check_release.outputs.node_tag }} + node_docker_tag: ${{ steps.check_release.outputs.node_docker_tag }} + signer_tag: ${{ steps.check_release.outputs.signer_tag }} + signer_docker_tag: ${{ steps.check_release.outputs.signer_docker_tag }} + is_node_release: ${{ steps.check_release.outputs.is_node_release }} + is_signer_release: ${{ steps.check_release.outputs.is_signer_release }} + steps: + - name: Check Release + id: check_release + uses: stacks-network/actions/stacks-core/release/check-release@main + with: + tag: ${{ github.ref_name }} + + ###################################################################################### + ## Create a tagged github release + ## + ## Runs when: + ## - it is either a node release or a signer release + + ## create-workflow will call the reusable workflows to: + # - build the binary artifacts + # - create the release docker images + # - create the github release. 
+ create-workflow: + if: | + needs.check-release.outputs.is_node_release == 'true' || + needs.check-release.outputs.is_signer_release == 'true' + name: Create Release + needs: + - rustfmt + - check-release + secrets: inherit + uses: ./.github/workflows/release-github.yml with: - tag: ${{ github.ref_name }} - - ###################################################################################### - ## Create a tagged github release - ## - ## Runs when: - ## - it is either a node release or a signer release - create-release: - if: | - needs.check-release.outputs.is_node_release == 'true' || - needs.check-release.outputs.is_signer_release == 'true' - name: Create Release(s) - needs: - - rustfmt - - check-release - secrets: inherit - uses: ./.github/workflows/github-release.yml - with: - node_tag: ${{ needs.check-release.outputs.node_tag }} - node_docker_tag: ${{ needs.check-release.outputs.node_docker_tag }} - signer_tag: ${{ needs.check-release.outputs.signer_tag }} - signer_docker_tag: ${{ needs.check-release.outputs.signer_docker_tag }} - is_node_release: ${{ needs.check-release.outputs.is_node_release }} - is_signer_release: ${{ needs.check-release.outputs.is_signer_release }} - - ## Create a reusable cache for tests - ## - ## Runs when: - ## - it is a node release run - ## or any of: - ## - this workflow is called manually - ## - PR is opened - ## - PR added to merge queue - create-cache: - if: | - needs.check-release.outputs.is_node_release == 'true' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' || - github.event_name == 'merge_group' - name: Create Test Cache - needs: - - rustfmt - - check-release - uses: ./.github/workflows/create-cache.yml - - ## Tests to run regularly - ## - ## Runs when: - ## - it is a node or signer-only release run - ## or any of: - ## - this workflow is called manually - ## - PR is opened - ## - PR added to merge queue - stacks-core-tests: - if: | - needs.check-release.outputs.is_node_release == 
'true' || - needs.check-release.outputs.is_signer_release == 'true' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' || - github.event_name == 'merge_group' - name: Stacks Core Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/stacks-core-tests.yml - - ## Validate constants dumped by stacks-inspect - ## - ## Runs when: - ## - it is a node or signer-only release run - ## or any of: - ## - this workflow is called manually - ## - PR is opened - ## - PR added to merge queue - constants-check: - if: | - needs.check-release.outputs.is_node_release == 'true' || - needs.check-release.outputs.is_signer_release == 'true' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' || - github.event_name == 'merge_group' - name: Constants Check - needs: - - rustfmt - - check-release - uses: ./.github/workflows/constants-check.yml - - ## Checks to run on built binaries - ## - ## Runs when: - ## - it is a node or signer-only release run - ## or any of: - ## - this workflow is called manually - ## - PR is opened - ## - PR added to merge queue - cargo-hack-check: - if: | - needs.check-release.outputs.is_node_release == 'true' || - needs.check-release.outputs.is_signer_release == 'true' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' || - github.event_name == 'merge_group' - name: Cargo Hack Check - needs: - - rustfmt - - check-release - uses: ./.github/workflows/cargo-hack-check.yml - - ## Checks to run on built binaries - ## - ## Runs when: - ## - it is a node release run - ## or any of: - ## - this workflow is called manually - ## - PR is opened - ## - PR added to merge queue - bitcoin-tests: - if: | - needs.check-release.outputs.is_node_release == 'true' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' || - github.event_name == 'merge_group' - name: Bitcoin Tests - needs: - - rustfmt - - 
create-cache - - check-release - uses: ./.github/workflows/bitcoin-tests.yml - - p2p-tests: - if: | - needs.check-release.outputs.is_node_release == 'true' || - github.event_name == 'workflow_dispatch' || - github.event_name == 'pull_request' || - github.event_name == 'merge_group' - name: P2P Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/p2p-tests.yml - - ## Test to run on a tagged release - ## - ## Runs when: - ## - it is a node release run - atlas-tests: - if: needs.check-release.outputs.is_node_release == 'true' - name: Atlas Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/atlas-tests.yml - - epoch-tests: - if: needs.check-release.outputs.is_node_release == 'true' - name: Epoch Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/epoch-tests.yml - - slow-tests: - if: needs.check-release.outputs.is_node_release == 'true' - name: Slow Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/slow-tests.yml + # node_tag: ${{ needs.check-release.outputs.node_tag }} + node_tag: ${{ needs.check-release.outputs.node_docker_tag }} # 5 place version format like x.x.x.x.x + # signer_tag: ${{ needs.check-release.outputs.signer_tag }} + signer_tag: ${{ needs.check-release.outputs.signer_docker_tag }} # 6 place version format like x.x.x.x.x.x + is_node_release: ${{ needs.check-release.outputs.is_node_release }} # used in matrix conitional in release-github.yml + # is_signer_release: ${{ needs.check-release.outputs.is_signer_release }} # not used +## uncomment for PR +# ## Create a reusable cache for tests +# ## +# ## Runs when: +# ## - it is a node release run +# ## or any of: +# ## - this workflow is called manually +# ## - PR is opened +# ## - PR added to merge queue +# create-cache: +# if: | +# needs.check-release.outputs.is_node_release == 'true' || +# github.event_name == 'workflow_dispatch' || +# github.event_name 
== 'pull_request' || +# github.event_name == 'merge_group' +# name: Create Test Cache +# needs: +# - rustfmt +# - check-release +# uses: ./.github/workflows/create-cache.yml + +# ## Tests to run regularly +# ## +# ## Runs when: +# ## - it is a node or signer-only release run +# ## or any of: +# ## - this workflow is called manually +# ## - PR is opened +# ## - PR added to merge queue +# stacks-core-tests: +# if: | +# needs.check-release.outputs.is_node_release == 'true' || +# needs.check-release.outputs.is_signer_release == 'true' || +# github.event_name == 'workflow_dispatch' || +# github.event_name == 'pull_request' || +# github.event_name == 'merge_group' +# name: Stacks Core Tests +# needs: +# - rustfmt +# - create-cache +# - check-release +# uses: ./.github/workflows/stacks-core-tests.yml + +# ## Validate constants dumped by stacks-inspect +# ## +# ## Runs when: +# ## - it is a node or signer-only release run +# ## or any of: +# ## - this workflow is called manually +# ## - PR is opened +# ## - PR added to merge queue +# constants-check: +# if: | +# needs.check-release.outputs.is_node_release == 'true' || +# needs.check-release.outputs.is_signer_release == 'true' || +# github.event_name == 'workflow_dispatch' || +# github.event_name == 'pull_request' || +# github.event_name == 'merge_group' +# name: Constants Check +# needs: +# - rustfmt +# - check-release +# uses: ./.github/workflows/constants-check.yml + +# ## Checks to run on built binaries +# ## +# ## Runs when: +# ## - it is a node or signer-only release run +# ## or any of: +# ## - this workflow is called manually +# ## - PR is opened +# ## - PR added to merge queue +# cargo-hack-check: +# if: | +# needs.check-release.outputs.is_node_release == 'true' || +# needs.check-release.outputs.is_signer_release == 'true' || +# github.event_name == 'workflow_dispatch' || +# github.event_name == 'pull_request' || +# github.event_name == 'merge_group' +# name: Cargo Hack Check +# needs: +# - rustfmt +# - 
check-release +# uses: ./.github/workflows/cargo-hack-check.yml + +# ## Checks to run on built binaries +# ## +# ## Runs when: +# ## - it is a node release run +# ## or any of: +# ## - this workflow is called manually +# ## - PR is opened +# ## - PR added to merge queue +# bitcoin-tests: +# if: | +# needs.check-release.outputs.is_node_release == 'true' || +# github.event_name == 'workflow_dispatch' || +# github.event_name == 'pull_request' || +# github.event_name == 'merge_group' +# name: Bitcoin Tests +# needs: +# - rustfmt +# - create-cache +# - check-release +# uses: ./.github/workflows/bitcoin-tests.yml + +# p2p-tests: +# if: | +# needs.check-release.outputs.is_node_release == 'true' || +# github.event_name == 'workflow_dispatch' || +# github.event_name == 'pull_request' || +# github.event_name == 'merge_group' +# name: P2P Tests +# needs: +# - rustfmt +# - create-cache +# - check-release +# uses: ./.github/workflows/p2p-tests.yml + +# ## Test to run on a tagged release +# ## +# ## Runs when: +# ## - it is a node release run +# atlas-tests: +# if: needs.check-release.outputs.is_node_release == 'true' +# name: Atlas Tests +# needs: +# - rustfmt +# - create-cache +# - check-release +# uses: ./.github/workflows/atlas-tests.yml + +# epoch-tests: +# if: needs.check-release.outputs.is_node_release == 'true' +# name: Epoch Tests +# needs: +# - rustfmt +# - create-cache +# - check-release +# uses: ./.github/workflows/epoch-tests.yml + +# slow-tests: +# if: needs.check-release.outputs.is_node_release == 'true' +# name: Slow Tests +# needs: +# - rustfmt +# - create-cache +# - check-release +# uses: ./.github/workflows/slow-tests.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml new file mode 100644 index 00000000000..d8870cf4333 --- /dev/null +++ b/.github/workflows/docker-image.yml 
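Review bot: Every test job in ci.yml (`create-cache`, `stacks-core-tests`, `constants-check`, `cargo-hack-check`, `bitcoin-tests`, `p2p-tests`, `atlas-tests`, `epoch-tests`, `slow-tests`) is commented out under `## uncomment for PR`, so as written pull requests, merge-queue runs and release branches execute only `rustfmt` and `check-release` before `create-workflow` starts the release workflows. These jobs need to be restored before merge, and a required status check on at least one of them would stop the file landing with them disabled. `create-workflow` also passes `secrets: inherit` to release-github.yml; if that workflow needs only specific secrets, listing them explicitly keeps the rest out of the release jobs. The `node_tag` and `signer_tag` inputs now carry the `*_docker_tag` values, which is worth stating on the called workflow's input descriptions so the old meaning is not assumed.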
@@ -0,0 +1,252 @@ +## Github workflow to build a docker image from source + +name: Docker Image + +on: + workflow_dispatch: + +env: + docker_platforms: "linux/amd64,linux/arm64" + docker_registry: "ghcr.io" + # set a default command to build. we'll define specific build config options later per arch. + CMD: "cargo build --features monitoring_prom,slog_json --profile release-lite --workspace" + # ensure these env vars have no values since they will be explicitly set later + TARGET_CPU: "" + LINKER: "" + provenance: false + +concurrency: + group: docker-image-${{ github.head_ref || github.ref || github.run_id }} + ## Always cancel duplicate jobs + cancel-in-progress: true +jobs: + ## Build arch dependent binaries from source + build-binaries: + name: Build Binaries + runs-on: ubuntu-latest + permissions: + id-token: write + attestations: write + strategy: + max-parallel: 2 + matrix: + arch: + - linux-glibc + cpu: + - x86-64 + - arm64 + steps: + ## Checkout the code + - name: Checkout the latest code + id: git_checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ github.ref }} + + ## Set target env var based on the type of arch build + ## - simplified from ./release-build.yml configure_target_platform step + - name: Configure Target Platform + id: configure_target_platform + shell: bash + run: | + case ${{ matrix.cpu }} in + x86-64*) + ARCHIVE_NAME="$(echo "${{matrix.cpu}}" | sed -e 's|86-||g')" # if matrix.cpu ever changes to a different x86 version, this will set the archive naming appropriately. + # set the CPU to build for. 
if the matrix defines x86-64, default to -v3, else use what's defined in the matrix + case ${{ matrix.cpu }} in + x86-64) + TARGET_CPU="${{ matrix.cpu }}-v3" # default to x86-64-v3 if generic x86-64 is used for the build + ;; + *) + TARGET_CPU="${{ matrix.cpu }}" # if matrix.cpu is specifically v3/v4, we should target that + ;; + esac + # install dependencies for the x86-64 architecture, and set the rust target for the build step + sudo apt-get update && sudo apt-get install -y git libclang-dev llvm || exit 1 + TARGET="x86_64-unknown-linux-gnu" + ;; + arm64) + # install dependencies for the arm64 architecture, and set the rust target for the build step + ARCHIVE_NAME=${{matrix.cpu}} + sudo apt-get update && sudo apt-get install -y git gcc-aarch64-linux-gnu libclang-dev llvm || exit 1 + TARGET="aarch64-unknown-linux-gnu" + ;; + *) + echo "Unsupported architecture: ${{ matrix.cpu }}" + exit 1 + ;; + esac + if [[ -z "$TARGET" ]]; then + echo "[ERROR] TARGET Variable is empty for ${{ matrix.arch }}-${{ matrix.cpu }}"; + exit 1 + fi + echo "TARGET=${TARGET}" >> "$GITHUB_ENV" + echo "TARGET_CPU=${TARGET_CPU}" >> "$GITHUB_ENV" + echo "ZIPFILE_NAME=${{matrix.arch}}-${ARCHIVE_NAME}" >> "$GITHUB_ENV" + + ## Install rust toolchain for the target being built + - name: Setup Rust Toolchain + id: setup_rust_toolchain + uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2 + with: + toolchain: stable + cache: false + target: ${{ env.TARGET }} + + ## Build the binaries + - name: Build Binaries + id: build_binaries + shell: bash + run: | + # + # for each target, we will also echo the command being run so it's easier to see in the logs what command was run + # + case "${{env.TARGET}}" in + # linux glibc aarch64 + aarch64-unknown-linux-gnu) + LINKER=aarch64-linux-gnu-gcc + echo "$CMD --target $TARGET --config \"target.${TARGET}.linker=\\\"${LINKER}\\\"\" " + ${{env.CMD}} --target $TARGET --config "target.${{env.TARGET}}.linker=\"${LINKER}\"" 
|| exit 1 + ;; + # linux glibc x64 + x86_64-unknown-linux-gnu) + # use the default linker + echo "$CMD --target $TARGET --config build.rustflags=\"\\\"-C target-cpu=${TARGET_CPU}\\\"\" " + ${{env.CMD}} --target $TARGET --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 + ;; + *) + echo "No matrix match for build target ($TARGET). using defaults" + ${{env.CMD}} || exit 1 + ;; + esac + exit 0 + + ## Compress the binary artifacts + - name: Compress binaries + id: compress_artifacts + shell: bash + run: | + # compress all binaries in the target directory for any architecture + file -0 ./target/${{env.TARGET}}/release-lite/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{env.ZIPFILE_NAME}}.zip -@ + + ## Upload the binary archive using the commit sha as the key + - name: Upload Artifact + id: upload_artifact + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: ${{github.sha}}-${{ env.ZIPFILE_NAME }} + path: ${{ env.ZIPFILE_NAME }}.zip + + ## Attest the binary archive + - name: Attest Artifact + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: ${{ env.ZIPFILE_NAME }}.zip + + image: + name: Build Image + runs-on: ubuntu-latest + needs: + - build-binaries + permissions: + id-token: write + attestations: write + packages: write + steps: + ## set local env vars + - name: Set Local Vars + id: set_vars + shell: bash + run: | + var_default_image="${{ env.docker_registry }}/${{ github.repository }}" + echo "docker_images=${var_default_image}" >> $GITHUB_ENV + + ## Setup Docker for the builds + - name: Docker setup + id: docker_setup + uses: wileyj/actions/docker@chore/update_docker_comp + with: + registry: ${{ env.docker_registry }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + ## Checkout the code + - name: Checkout the latest code + id: git_checkout + uses: 
actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ github.ref }} + sparse-checkout: | + .github + + - name: Download Artifacts + id: download_artifacts + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + pattern: ${{github.sha}}-* # linux-glibc variants are the only artifacts produced, download for both architectures + path: /tmp/release + merge-multiple: true + + ## Set docker metatdata + - name: Docker Metadata + id: docker_metadata + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 #v5.9.0 + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + with: + images: ${{ env.docker_images }} + labels: | + org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}} + tags: | + type=raw,value=${{ env.BRANCH_NAME }} + type=ref,event=pr + + - name: Build and Push + id: docker_build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + sbom: false + provenance: ${{ env.provenance }} + context: /tmp + file: ./.github/actions/dockerfiles/debian/Dockerfile + platforms: ${{ env.docker_platforms }} + tags: ${{ steps.docker_metadata.outputs.tags }} + labels: ${{ steps.docker_metadata.outputs.labels }} + annotations: ${{ steps.docker_metadata.outputs.annotations }} # annotations are required for multi-architecture images + push: ${{ env.DOCKER_PUSH }} + + ## Generate docker image attestation(s) + - name: Attest Image + if: | + env.provenance != true + id: attest_artifact + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-name: | + ${{ env.docker_images }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: ${{ env.DOCKER_PUSH }} + + ## Sign the images with GitHub OIDC Token + ## https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ + - name: Install Cosign + id: cosign_install + uses: 
sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + + - name: Sign the images OIDC Token + id: cosign_image + shell: bash + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.docker_metadata.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "ref=${{ github.sha }}" \ + --yes \ + ${images} + diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml deleted file mode 100644 index ccff1185fd3..00000000000 --- a/.github/workflows/github-release.yml +++ /dev/null 
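Review bot: The `Docker setup` step in docker-image.yml runs `wileyj/actions/docker@chore/update_docker_comp`, a mutable branch in a personal repository, and hands it `secrets.GITHUB_TOKEN` in a job that holds `packages: write` and `id-token: write`; every other third-party action in this file is pinned to a commit SHA. Pin this one the same way (`uses: OWNER/actions/docker@FULL_COMMIT_SHA_PLACEHOLDER`), preferably from the organisation's own actions repository. `BRANCH_NAME` and `DOCKER_PUSH` are read from `env` but not set anywhere in this file, so they presumably come from that action; a comment saying so, or an explicit default, would make the tag list and the `push:` value auditable from this workflow. The `if: env.provenance != true` guard on `Attest Image` compares a string with a boolean and looks like it is always true; `env.provenance != 'true'` states the intent.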
@@ -1,194 +0,0 @@ -## Github workflow to create a github release and upload binary artifacts - -name: Github Release - -on: - workflow_call: - inputs: - node_tag: - description: "Node Release Tag" - required: true - type: string - node_docker_tag: - description: "Node Docker Release Tag" - required: true - type: string - signer_tag: - description: "Signer Release Tag" - required: true - type: string - signer_docker_tag: - description: "Signer Docker Release Tag" - required: true - type: string - is_node_release: - description: "True if it is a node release" - required: true - type: string - is_signer_release: - description: "True if it is a signer release" - required: true - type: string - -concurrency: - group: github-release-${{ github.head_ref || github.ref }} - ## Always cancel duplicate jobs - cancel-in-progress: true - -run-name: ${{ inputs.node_tag || inputs.signer_tag }} - -jobs: - ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below. - ## - If this job isn't approved to run, then the subsequent jobs will also not run - for this reason, we always exit 0 - ## - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow. 
- andon-cord: - if: | - inputs.node_tag != '' || - inputs.signer_tag != '' - name: Andon Cord - runs-on: ubuntu-latest - environment: "Build Release" - steps: - - name: Check Approval - id: check - run: | - exit 0 - ## Build arch dependent binaries from source - ## - ## Runs when the following is true: - ## - either node or signer tag is provided - build-binaries: - if: | - inputs.node_tag != '' || - inputs.signer_tag != '' - name: Build Binaries - runs-on: ubuntu-latest-m - needs: - - andon-cord - permissions: - id-token: write - attestations: write - strategy: - ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch - max-parallel: 10 - matrix: - arch: - - linux-musl - - linux-glibc - - macos - - windows - cpu: - - arm64 - - x86-64 ## defaults to x86-64-v3 variant - intel haswell (2013) and newer - # - x86-64-v2 ## intel nehalem (2008) and newer - # - x86-64-v3 ## intel haswell (2013) and newer - # - x86-64-v4 ## intel skylake (2017) and newer - exclude: - - arch: windows # excludes windows-arm64 - cpu: arm64 - - arch: windows # excludes windows-armv7 - cpu: armv7 - - arch: macos # excludes macos-armv7 - cpu: armv7 - - arch: macos # excludes macos-x64 - cpu: x86-64 - steps: - - name: Build Binary (${{ matrix.arch }}_${{ matrix.cpu }}) - uses: stacks-network/actions/stacks-core/release/create-source-binary@main - with: - arch: ${{ matrix.arch }} - cpu: ${{ matrix.cpu }} - node_tag: ${{ inputs.node_tag }} - signer_tag: ${{ inputs.signer_tag }} - signer_docker_tag: ${{ inputs.signer_docker_tag }} - is_node_release: ${{ inputs.is_node_release }} - - ## Runs when the following is true: - ## - either node or signer tag is provided - create-release: - if: | - inputs.node_tag != '' || - inputs.signer_tag != '' - name: Create Release - runs-on: ubuntu-latest - needs: - - andon-cord - - build-binaries - permissions: - contents: write - steps: - ## Creates releases - - name: Create Release - uses: 
stacks-network/actions/stacks-core/release/create-releases@main - with: - node_tag: ${{ inputs.node_tag }} - node_docker_tag: ${{ inputs.node_docker_tag }} - signer_tag: ${{ inputs.signer_tag }} - signer_docker_tag: ${{ inputs.signer_docker_tag }} - is_node_release: ${{ inputs.is_node_release }} - is_signer_release: ${{ inputs.is_signer_release }} - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - ## Builds arch dependent Docker images from binaries - ## - ## Note: this step requires the binaries in the create-release step to be uploaded - ## Runs when the following is true: - ## - either node or signer tag is provided - docker-image: - if: | - inputs.node_tag != '' || - inputs.signer_tag != '' - name: Docker Image (Binary) - runs-on: ubuntu-latest - environment: "Push to Docker" - permissions: - id-token: write - attestations: write - needs: - - andon-cord - - build-binaries - - create-release - strategy: - fail-fast: false - ## Build a maximum of 2 images concurrently based on matrix.dist - max-parallel: 2 - matrix: - dist: - - alpine - - debian - steps: - - name: Create Docker Image - uses: stacks-network/actions/stacks-core/release/docker-images@main - with: - node_tag: ${{ inputs.node_tag }} - node_docker_tag: ${{ inputs.node_docker_tag }} - signer_tag: ${{ inputs.signer_tag }} - signer_docker_tag: ${{ inputs.signer_docker_tag }} - is_node_release: ${{ inputs.is_node_release }} - is_signer_release: ${{ inputs.is_signer_release }} - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} - dist: ${{ matrix.dist }} - - ## Create the downstream PR for the release branch to master,develop - create-pr: - if: | - ( - inputs.node_tag != '' || - inputs.signer_tag != '' - ) - name: Create Downstream PR (${{ github.ref_name }}) - runs-on: ubuntu-latest - needs: - - andon-cord - - build-binaries - - create-release - - docker-image - permissions: - pull-requests: write - steps: - - name: Open Downstream PR - id: create-pr - 
uses: stacks-network/actions/stacks-core/release/downstream-pr@main - with: - token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/image-build-source.yml b/.github/workflows/image-build-source.yml deleted file mode 100644 index 6cf7bd3cd36..00000000000 --- a/.github/workflows/image-build-source.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -## Github workflow to build a docker image from source - -name: Docker Image (Source) - -on: - workflow_dispatch: - workflow_call: - -## Define which docker arch to build for -env: - docker_platforms: "linux/amd64,linux/arm64" - docker-org: blockstack - -concurrency: - group: docker-image-source-${{ github.head_ref || github.ref || github.run_id }} - ## Always cancel duplicate jobs - cancel-in-progress: true - -jobs: - ## Runs anytime `ci.yml` runs or when manually called - image: - name: Build Image - runs-on: ubuntu-latest - ## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this workflow. - environment: "Push to Docker" - permissions: - id-token: write - attestations: write - steps: - ## Setup Docker for the builds - - name: Docker setup - id: docker_setup - uses: stacks-network/actions/docker@main - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - ## if the repo owner is not `stacks-network`, default to a docker-org of the repo owner (i.e. 
github user id) - ## this allows forks to run the docker push workflows without having to hardcode a dockerhub org (but it does require docker hub user to match github username) - - name: Set Local env vars - id: set_env - if: | - github.repository_owner != 'stacks-network' - run: | - echo "docker-org=${{ github.repository_owner }}" >> "$GITHUB_ENV" - - ## Set docker metatdata - - name: Docker Metadata ( ${{matrix.dist}} ) - id: docker_metadata - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 #v5.6.1 - with: - images: | - ${{env.docker-org}}/${{ github.event.repository.name }} - ${{env.docker-org}}/stacks-blockchain - tags: | - type=raw,value=${{ env.BRANCH_NAME }} - type=ref,event=pr - - ## Build docker image - - name: Build and Push ( ${{matrix.dist}} ) - id: docker_build - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0 - with: - file: ./Dockerfile - platforms: ${{ env.docker_platforms }} - tags: ${{ steps.docker_metadata.outputs.tags }} - labels: ${{ steps.docker_metadata.outputs.labels }} - build-args: | - STACKS_NODE_VERSION=${{ env.GITHUB_SHA_SHORT }} - GIT_BRANCH=${{ env.GITHUB_REF_SHORT }} - GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }} - push: ${{ env.DOCKER_PUSH }} - - ## Generate docker image attestation(s) - - name: Generate artifact attestation (${{ github.event.repository.name }}) - id: attest_primary - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - with: - subject-name: | - index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }} - subject-digest: ${{ steps.docker_build.outputs.digest }} - push-to-registry: true - - - name: Generate artifact attestation (stacks-blockchain) - id: attest_secondary - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - with: - subject-name: | - index.docker.io/${{env.docker-org}}/stacks-blockchain - subject-digest: ${{ steps.docker_build.outputs.digest }} - push-to-registry: 
true diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml new file mode 100644 index 00000000000..6fa3e65cfe5 --- /dev/null +++ b/.github/workflows/release-build.yml 
@@ -0,0 +1,302 @@ +## Github workflow to create reusable caches + +name: Build Release Binaries + +on: + workflow_call: + inputs: + node_tag: + description: "Node Release Tag" + required: true + type: string + signer_tag: + description: "Signer Release Tag" + required: true + type: string + +concurrency: + group: release-build-${{ github.head_ref || github.ref }} + ## Always cancel duplicate jobs + cancel-in-progress: true + +run-name: Build Release Binaries + +env: + # set a default command to build. we'll define specific build config options later per arch. + CMD: "cargo build --features monitoring_prom,slog_json --profile release-lite --workspace" + # ensure these env vars have no values since they will be explicitly set later + TARGET_CPU: "" + LINKER: "" +jobs: + build-binaries: + name: Build Binaries + runs-on: ${{ matrix.os }} + permissions: + id-token: write + attestations: write + strategy: + ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch + max-parallel: 10 + matrix: + arch: + - linux-glibc + - linux-musl + - macos + - windows + cpu: + - x86-64 + - arm64 + os: + - ubuntu-latest # update to large for more cpu cores NOTE: need to update excludes below if a different runner is used + - macos-latest # update to large for more cpu cores. 
NOTE: need to update excludes below if a different runner is used + exclude: + ############################################ + # exclude linux-musl on macos + - arch: linux-musl + os: macos-latest + # os: macos-latest-large + # exclude linux-glibc on macos + - arch: linux-glibc + os: macos-latest + # os: macos-latest-large + ############################################ + # excludes macos on ubuntu + - arch: macos + os: ubuntu-latest + # excludes windows on macos + - arch: windows + os: macos-latest + # os: macos-latest-large + # excludes windows-arm64 + - arch: windows + cpu: arm64 + # excludes macos-x64 + - arch: macos + cpu: x86-64 + steps: + ## Checkout the code + - name: Checkout the latest code + id: git_checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ github.ref }} + + ## Set target env var based on the type of arch build + - name: Configure Target Platform + id: configure_target_platform + shell: bash + run: | + case ${{ matrix.cpu }} in + x86-64*) + ARCHIVE_NAME="$(echo "${{ matrix.cpu }}" | sed -e 's|86-||g')" # if matrix.cpu ever changes to a different x86 version, this will set the archive naming appropriately to `*-x64` + # set the CPU to build for. 
if the matrix defines x86-64, default to -v3, else use what's defined in the matrix + case ${{ matrix.cpu }} in + x86-64) + TARGET_CPU="${{ matrix.cpu }}-v3" # default to x86-64-v3 if generic x86-64 is used for the build + ;; + *) + TARGET_CPU="${{ matrix.cpu }}" # if matrix.cpu is specifically v3/v4, we should target that + ;; + esac + + # install dependencies for the x86-64 architecture, and set the rust target for the build step + case ${{ matrix.arch }} in + linux-musl) + sudo apt-get update && sudo apt-get install -y musl-tools || exit 1 + TARGET="x86_64-unknown-linux-musl" + ;; + linux-glibc) + sudo apt-get update && sudo apt-get install -y git libclang-dev llvm || exit 1 + TARGET="x86_64-unknown-linux-gnu" + ;; + windows) + sudo apt-get update && sudo apt-get install -y git gcc-mingw-w64-x86-64 || exit 1 + TARGET="x86_64-pc-windows-gnu" + ;; + *) + ;; + esac + ;; + arm64) + ARCHIVE_NAME=${{ matrix.cpu }} + # install dependencies for the arm64 architecture, and set the rust target for the build step + case ${{ matrix.arch }} in + linux-musl) + sudo apt-get update && sudo apt-get install -y gcc-aarch64-linux-gnu musl-dev || exit 1 + # this download is required, and must come from a mirror as musl.cc has aggressive rate limits from azure ips (hosted github runners) + curl -LSf -# https://github.com/musl-cc/musl.cc/releases/download/v0.0.1/aarch64-linux-musl-cross.tgz | tar zxf - -C /tmp || exit 1 + TARGET="aarch64-unknown-linux-musl" + ;; + linux-glibc) + sudo apt-get update && sudo apt-get install -y git gcc-aarch64-linux-gnu libclang-dev llvm || exit 1 + TARGET="aarch64-unknown-linux-gnu" + ;; + macos) + TARGET="aarch64-apple-darwin" + ;; + *) + ;; + esac + ;; + *) + ;; + esac + if [[ -z "$TARGET" ]]; then + echo "[ERROR] TARGET Variable is empty for ${{ matrix.arch }}-${{ matrix.cpu }}"; + exit 1 + fi + ## Add vars to env for later steps + # set the rust target arch for build + echo "TARGET=${TARGET}" >> "$GITHUB_ENV" + # set the target cpu for build + echo 
"TARGET_CPU=${TARGET_CPU}" >> "$GITHUB_ENV" + # set the zipfile archive name + echo "ZIPFILE_NAME=${{ matrix.arch }}-${ARCHIVE_NAME}" >> "$GITHUB_ENV" + + ## Install rust toolchain for the target being built + - name: Setup Rust Toolchain + id: setup_rust_toolchain + uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10.1 + with: + toolchain: stable + cache: false + target: ${{ env.TARGET }} + + ## Build the release binaries + - name: Build Release + id: build_release + shell: bash + run: | + # + # for each target, we will also echo the command being run so it's easier to see in the logs what command was run + # + BINS="" + # only build the stacks-signer binary if node_tag is not defined - this is a signer only release (reduce time compiling) + if [ "${{ inputs.node_tag }}" == '' ]; then + BINS="--bin stacks-signer" + fi + case "${{ env.TARGET }}" in + # linux glibc aarch64 + aarch64-unknown-linux-gnu) + LINKER=aarch64-linux-gnu-gcc + echo "${CMD} ${BINS} --target $TARGET --config \"target.${TARGET}.linker=\\\"${LINKER}\\\"\" " + ${{ env.CMD }} ${BINS} --target $TARGET --config "target.${{ env.TARGET }}.linker=\"${LINKER}\"" || exit 1 + ;; + # linux glibc x64 + x86_64-unknown-linux-gnu) + # use the default linker + echo "${CMD} ${BINS} --target $TARGET --config build.rustflags=\"\\\"-C target-cpu=${TARGET_CPU}\\\"\" " + ${{ env.CMD }} ${BINS} --target $TARGET --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 + ;; + # windows glibc x64 + x86_64-pc-windows-gnu) + LINKER=x86_64-w64-mingw32-gcc + echo "${CMD} ${BINS} --target $TARGET --config \"target.${TARGET}.linker=\\\"${LINKER}\\\"\" --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" " + ${{ env.CMD }} ${BINS} --target $TARGET --config "target.${{ env.TARGET }}.linker=\"${LINKER}\"" --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 + ;; + # linux musl x64 + x86_64-unknown-linux-musl) + echo "${CMD} ${BINS} --target $TARGET 
--config build.rustflags=\"\\\"-C target-cpu=${TARGET_CPU}\\\"\" " + ${{ env.CMD }} ${BINS} --target $TARGET --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 + ;; + # linux musl aarch64 + aarch64-unknown-linux-musl) + # use the musl linker installed in previous step + LINKER=/tmp/aarch64-linux-musl-cross/bin/aarch64-linux-musl-gcc + echo "${CMD} ${BINS} --target $TARGET --config \"target.${TARGET}.linker=\\\"${LINKER}\\\"\" " + ${{ env.CMD }} ${BINS} --target $TARGET --config "target.${{ env.TARGET }}.linker=\"${LINKER}\"" || exit 1 + ;; + # macos aarch64 + aarch64-apple-darwin) + TARGET_CPU=native + echo "${CMD} ${BINS}--target $TARGET --config build.rustflags=\"\\\"-C target-cpu=${TARGET_CPU}\\\"\" " + ${{ env.CMD }} ${BINS} --target $TARGET --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 + ;; + # catchall - run the default command if no matching target triple + *) + echo "No matrix match for build target ($TARGET). using defaults" + ${{ env.CMD }} ${BINS} || exit 1 + ;; + esac + exit 0 + + ## For macOS,install the GNU version of sed used in compress_artifacts_stacks_node + ## - Included BSD version of sed returns an error: `sed: first RE may not be empty` + - name: Install GNU sed on macOS + if: | + runner.os == 'macOS' + run: | + brew install gnu-sed + + echo "/usr/local/bin" >> $GITHUB_PATH + echo "$(brew --prefix)/opt/gnu-sed/libexec/gnubin" >> $GITHUB_PATH + + ############################################################################## + ## Stacks core release artifact steps + ## - binary archive includes stacks-signer binary + # - all steps are conditional on if a node_tag input is provided (will not run for signer releases) + + ## Compress the binaries in the target directory + - name: Compress binaries (stacks-core) + if: | + inputs.node_tag != '' + id: compress_artifacts_stacks_node + shell: bash + run: | + # compress all binaries in the target directory for any architecture + file -0 ./target/${{ env.TARGET 
}}/release-lite/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME }}.zip -@ + + ## Upload the binary archive using the commit sha as the key + - name: Upload Artifact (stacks-core) + if: | + inputs.node_tag != '' + id: upload_artifact_stacks_node + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: ${{ github.sha }}-stacks-core-${{ env.ZIPFILE_NAME }} + path: ${{ env.ZIPFILE_NAME }}.zip + + ## Attest the binary archive + - name: Attest Artifact (stacks-core) + if: | + inputs.node_tag != '' + id: attest_artifact_stacks_node + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: ${{ env.ZIPFILE_NAME }}.zip + + ############################################################################## + ## Stacks signer release artifact steps + ## - all steps are conditional on if a signer_tag input is provided + + ## Compress the stacks-signer binary in the target directory + - name: Compress binaries (stacks-signer) + if: | + inputs.signer_tag != '' + id: compress_artifacts_stacks_signer + shell: bash + run: | + # since the archives are named generically and identically for both stacks-core and stacks-signer: + # - remove the stacks-core zipfile and recreate for the signer + [ -e "${{ env.ZIPFILE_NAME}}.zip" ] && rm -f "${{env.ZIPFILE_NAME}}.zip" + # compress all binaries in the target directory for any architecture + file -0 ./target/${{env.TARGET}}/release-lite/stacks-signer* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME}}.zip -@ + + ## Upload the binary archive using the commit sha as the key + - name: Upload Artifact (stacks-signer) + if: | + inputs.signer_tag != '' + id: upload_artifact_stacks_signer + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: ${{ github.sha }}-stacks-signer-${{ env.ZIPFILE_NAME }} + path: ${{ env.ZIPFILE_NAME }}.zip + + ## Attest 
the binary archive + - name: Attest Artifact (stacks-signer) + if: | + inputs.signer_tag != '' + id: attest_artifact_stacks_signer + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: ${{ env.ZIPFILE_NAME }}.zip diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml new file mode 100644 index 00000000000..4f1d454acdb --- /dev/null +++ b/.github/workflows/release-docker.yml 
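Review bot: The arm64 `linux-musl` branch of `Configure Target Platform` pipes `aarch64-linux-musl-cross.tgz` from a GitHub release mirror straight into `tar` with no integrity check. `Build Release` then uses `/tmp/aarch64-linux-musl-cross/bin/aarch64-linux-musl-gcc` as the linker for binaries that are zipped and attested. The attestation records which workflow produced the zip, not what the toolchain contained, so a replaced archive would still end up in an attested artifact. Download to a file with `curl -o` and verify a pinned digest before extracting, e.g. `echo "<EXPECTED_SHA256>  /tmp/aarch64-linux-musl-cross.tgz" | sha256sum -c -`. Separately, `"${{ inputs.node_tag }}"` is expanded into the script text of `Build Release`; passing it through `env:` and testing `"$NODE_TAG"` keeps a tag value from being parsed as shell.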
@@ -0,0 +1,217 @@ +## Github workflow to create release docker images + +name: + Docker Release Images + + # node_tag: 4.0.0.0.4 + # node_docker_tag: 4.0.0.0.4 + # signer_tag: signer-4.0.0.0.4.0 + # signer_docker_tag: 4.0.0.0.4.0 + # release_type: stacks-core + +on: + workflow_call: + inputs: + # node_tag: + # description: "Node Release Tag" + # required: true + # type: string + node_tag: + description: "Node Docker Release Tag" + required: true + type: string + # signer_tag: + # description: "Signer Release Tag" + # required: true + # type: string + signer_tag: + description: "Signer Docker Release Tag" + required: true + type: string + release_type: + description: "Release type (one of stacks-core, stacks-signer" + required: true + type: string +concurrency: + group: ${{ inputs.release_type }}-${{ github.head_ref || github.ref }} + ## Always cancel duplicate jobs + cancel-in-progress: true + +run-name: ${{ inputs.node_tag || inputs.signer_tag }} + +env: + docker_platforms: "linux/arm64, linux/amd64" + docker_registry: ghcr.io + provenance: false +jobs: + release-images: + if: | + ( inputs.release_type == 'stacks-core' || inputs.release_type == 'stacks-signer') && + ( inputs.signer_tag != '' || inputs.node_tag != '' ) + name: Docker Image (${{ inputs.release_type }}, ${{ matrix.dist }}) + runs-on: ubuntu-latest + permissions: + id-token: write + attestations: write + packages: write + strategy: + fail-fast: false + ## Build a maximum of 2 images concurrently based on matrix.dist + max-parallel: 2 + matrix: + dist: + - alpine + - debian + steps: + - name: Set Local Vars + id: set_vars + shell: bash + run: | + var_dockerfile_name="Dockerfile.release" + if [ "${{ inputs.release_type }}" == "stacks-signer" ]; then + var_dockerfile_name="Dockerfile.release.signer" + fi + if [ "${{ matrix.dist }}" == "alpine" ]; then + var_build_arch=musl + else + var_build_arch=glibc + fi + echo "var_build_arch: ${var_build_arch}" + + # set a default docker image: 
registry/repo/release_type + var_default_image="${{ env.docker_registry }}/${{ github.repository_owner }}/${{ inputs.release_type }}" + var_artifact_pattern="${{ github.sha }}-${{ inputs.release_type }}-linux-${var_build_arch}*" + if [ "${{ inputs.release_type }}" == "stacks-signer" ]; then + # stacks-signer + var_images="${var_default_image}" # use default, set in conditional to allow for individual changes based on release type + var_docker_tag=${{ inputs.signer_tag }} # use the input signer_tag if this is the stacks-signer build + # var_artifact_pattern="${{ github.sha }}-stacks-signer-linux-$var_build_arch*" + else + # stacks-core + var_images="${var_default_image}" # use default, set in conditional to allow for individual changes based on release type + var_docker_tag=${{ inputs.node_tag }} # use the input node_tag if this is the stacks-node build + # var_artifact_pattern="${{ github.sha }}-${{ inputs.release_type }}-linux-$var_build_arch*" + fi + + ## Add vars to github env for later steps + echo "docker_images=${var_images}" >> $GITHUB_ENV + echo "docker_tag=${var_docker_tag}" >> $GITHUB_ENV + echo "artifact_pattern=${var_artifact_pattern}" >> $GITHUB_ENV + echo "build_arch=${var_build_arch}" >> "$GITHUB_ENV" + echo "dockerfile_name=${var_dockerfile_name}" >> "$GITHUB_ENV" + + - name: Set Docker Tag RC Flag + id: docker_tag_rc_flag + shell: bash + run: | + var_docker_tag_rc=false + if [[ "${docker_tag}" =~ -rc[0-9]*$ ]]; then + # is a release candidate + var_docker_tag_rc=true + fi + # if [[ "${docker_tag}" =~ -rc[0-9]*$ ]]; then + # var_docker_tag="${docker_tag}" + # fi + echo "var_docker_tag_rc: ${var_docker_tag_rc}" + echo "docker_tag_rc=${var_docker_tag_rc}" >> "$GITHUB_ENV" + + - name: Download Artifacts + id: download_artifacts + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 + with: + pattern: ${{ env.artifact_pattern }} + path: /tmp/release + merge-multiple: true + + ## Setup Docker for the builds + - name: Docker 
setup + id: docker_setup + uses: wileyj/actions/docker@chore/update_docker_comp + with: + registry: ${{ env.docker_registry }} # set the registry to ghcr (default is docker.io) + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + ## Checkout the code + - name: Checkout the latest code + id: git_checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + ref: ${{ env.BRANCH_NAME }} + sparse-checkout: | + .github + + - name: Docker Metadata ( ${{matrix.dist}} ) + id: docker_metadata + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 #v5.9.0 + with: + images: | + ${{ env.docker_images }} + labels: | + org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}} + org.opencontainers.image.version=${{ env.docker_tag }} + tags: | + ## debian tags ## + # latest tag + type=raw,value=latest,enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'debian' }} + # latest-debian tag + type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'debian' }} + # version tag + type=raw,value=${{ env.docker_tag }},enable=${{ env.docker_tag != '' && matrix.dist == 'debian'}} + # version=dist tag + type=raw,value=${{ env.docker_tag }},suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && matrix.dist == 'debian' }} + ## + ## alpine tags ## + # latest-alpine tag + type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'alpine' }} + # version tag + type=raw,value=${{ env.docker_tag }},suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && matrix.dist == 'alpine' }} + + ## Build docker image for release + - name: Build and Push ( ${{matrix.dist}} ) + id: docker_build + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + with: + sbom: false + provenance: ${{ env.provenance }} + 
context: /tmp + file: ./.github/actions/dockerfiles/${{ matrix.dist }}/${{ env.dockerfile_name}} + platforms: ${{ env.docker_platforms }} + tags: ${{ steps.docker_metadata.outputs.tags }} + labels: ${{ steps.docker_metadata.outputs.labels }} + annotations: ${{ steps.docker_metadata.outputs.annotations }} # Note: annotations are required for multi-architecture images + push: ${{ env.DOCKER_PUSH }} + + ## Generate docker image attestation(s) + - name: Attest Image (${{ github.event.repository.name }}) + id: attest_image + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-name: ${{ env.docker_registry }}/${{ github.repository_owner }}/${{ inputs.release_type }} + subject-digest: ${{ steps.docker_build.outputs.digest }} + push-to-registry: ${{ env.DOCKER_PUSH }} + + ## Sign the images with GitHub OIDC Token + ## - https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ + ## - annotations show as null per https://github.com/sigstore/cosign/pull/4508 until a future release (or tagging this specific commit) + - name: Install Cosign + id: cosign_install + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + + - name: Sign the images with OIDC Token + id: cosign_artifact + shell: bash + env: + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.docker_metadata.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "ref=${{ github.sha }}" \ + -a "dist=${{ matrix.dist }}" \ + --yes \ + ${images} diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml new file mode 100644 index 00000000000..dfc187cabd3 --- /dev/null +++ b/.github/workflows/release-github.yml 
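Review bot: `Docker setup` runs `wileyj/actions/docker@chore/update_docker_comp`, a personal fork referenced by branch name, in a job that holds `id-token: write`, `attestations: write` and `packages: write` and passes the action `secrets.GITHUB_TOKEN`. Every other action in this file is pinned to a full commit SHA, so this is the one step whose code can change without any change to this repository. The same applies to `wileyj/actions/stacks-core/release/create-releases@chore/update_docker_comp` in `create-release` of release-github.yml, which runs with `contents: write`, and `downstream-pr@main` there is also a mutable ref. Before merge, point these back at the organisation's repository and pin them, e.g. `uses: stacks-network/actions/docker@<FULL_COMMIT_SHA> # <tag>`.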
@@ -0,0 +1,143 @@ +## Github workflow to create a github release and upload binary artifacts + +name: Github Release + +on: + workflow_call: + inputs: + # node_tag: + # description: "Node Release Tag" + # required: true + # type: string + node_tag: + description: "Node Docker Release Tag" + required: true + type: string + # signer_tag: + # description: "Signer Release Tag" + # required: true + # type: string + signer_tag: + description: "Signer Docker Release Tag" + required: true + type: string + is_node_release: + description: "True if it is a node release" + required: true + type: string + # is_signer_release: + # description: "True if it is a signer release" + # required: true + # type: string + +concurrency: + group: release-github-${{ github.head_ref || github.ref }} + ## Always cancel duplicate jobs + cancel-in-progress: true + +run-name: ${{ inputs.node_tag || inputs.signer_tag }} + +jobs: + ## Build arch dependent binaries from source + ## + ## Runs when the following is true: + ## - either node or signer tag is provided + andon-cord: + if: | + inputs.node_tag != '' || + inputs.signer_tag != '' + name: Andon Cord + runs-on: ubuntu-latest + environment: "Build Release" + steps: + - name: Check Approval + id: check + run: | + exit 0 + + build-binaries: + if: | + inputs.node_tag != '' || + inputs.signer_tag != '' + name: Build Binaries + needs: + - andon-cord + uses: ./.github/workflows/release-build.yml + with: + node_tag: ${{ inputs.node_tag }} # used to conditionally run step in release-build.yml + signer_tag: ${{ inputs.signer_tag }} # used to conditionally run step in release-build.yml + + docker-images: + if: | + inputs.node_tag != '' || + inputs.signer_tag != '' + name: Build Docker Images + needs: + - andon-cord + - build-binaries + strategy: + fail-fast: false + ## Build a maximum of 2 images concurrently based on matrix.dist + max-parallel: 2 + matrix: + type: + - stacks-core + - stacks-signer + exclude: + - type: ${{ inputs.is_node_release == 
'false' && 'stacks-core' }} # exclude stacks-core if node release is false + ## Creates the node docker image + uses: ./.github/workflows/release-docker.yml + with: + # node_tag and node_docker_tag should be identical with the version tag, i.e. 3.3.0.0.0 + # node_tag: ${{ inputs.node_tag }} # node_tag contains only the version, i.e. 3.3.0.0.0 + node_tag: ${{ inputs.node_tag }} # node_tag will contains the 5 char node version, i.e. 3.3.0.0.0 + # signer_tag: ${{ inputs.signer_tag }} # signer_tag contains only the version, i.e. 3.3.0.0.0.1 + signer_tag: ${{ inputs.signer_tag }} # signer_tag contains 6 char signer version, i.e. 3.3.0.0.0.1 + release_type: ${{ matrix.type }} # one of stacks-signer or stacks-core + + #### + # ## Runs when the following is true: + # ## - either node or signer tag is provided + create-release: + if: | + inputs.node_tag != '' || + inputs.signer_tag != '' + name: Create Release + runs-on: ubuntu-latest + needs: + - andon-cord + - build-binaries + - docker-images + permissions: + contents: write + steps: + ## Creates releases + - name: Create Release + id: check + uses: wileyj/actions/stacks-core/release/create-releases@chore/update_docker_comp + # uses: stacks-network/actions/stacks-core/release/create-releases@main + with: + node_tag: ${{ inputs.node_tag }} # name used for release (use the version by itself + signer_tag: signer-${{ inputs.signer_tag }} # name used for release (prefix with 'signer-') + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # ## Create the downstream PR for the release branch to master and develop + create-pr: + if: | + inputs.node_tag != '' || + inputs.signer_tag != '' + name: Create Downstream PR (${{ github.ref_name }}) + runs-on: ubuntu-latest + needs: + - andon-cord + - build-binaries + - create-release + - docker-images + permissions: + pull-requests: write + steps: + - name: Open Downstream PR + id: create-pr + uses: stacks-network/actions/stacks-core/release/downstream-pr@main + with: + token: ${{ 
secrets.GITHUB_TOKEN }} From 2e11be5acc9be173b8c54701fd5478cc81bde6e7 Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Tue, 18 Nov 2025 12:24:35 -0800 Subject: [PATCH 02/10] Cleanup and add some more comments --- .github/workflows/ci.yml | 286 +++++++++++++-------------- .github/workflows/docker-image.yml | 49 ++--- .github/workflows/release-build.yml | 32 ++- .github/workflows/release-docker.yml | 39 +--- .github/workflows/release-github.yml | 18 +- 5 files changed, 192 insertions(+), 232 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8c8e9335fb9..60479ceeea3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,7 +9,6 @@ on: branches: - master - develop - - next paths-ignore: - "**.md" - "**.yml" 
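Review bot: `docker-images` publishes release images after only the `Build Release` approval in `andon-cord`, whereas the deleted github-release.yml ran its `docker-image` job under `environment: "Push to Docker"`. Neither this job nor `release-images` in release-docker.yml declares an environment. If dropping the second approval was not intended, it has to be restored in the called workflow, because a job that `uses:` a reusable workflow cannot set `environment:`; add `environment: "Push to Docker"` to `release-images`. Also, the comment above `andon-cord` now reads `## Build arch dependent binaries from source`, which describes `build-binaries`; the earlier explanation of the approval gate and why the job always exits 0 is worth keeping there.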
@@ -101,158 +100,155 @@ jobs: secrets: inherit uses: ./.github/workflows/release-github.yml with: - # node_tag: ${{ needs.check-release.outputs.node_tag }} node_tag: ${{ needs.check-release.outputs.node_docker_tag }} # 5 place version format like x.x.x.x.x - # signer_tag: ${{ needs.check-release.outputs.signer_tag }} signer_tag: ${{ needs.check-release.outputs.signer_docker_tag }} # 6 place version format like x.x.x.x.x.x is_node_release: ${{ needs.check-release.outputs.is_node_release }} # used in matrix conitional in release-github.yml - # is_signer_release: ${{ needs.check-release.outputs.is_signer_release }} # not used -## uncomment for PR -# ## Create a reusable cache for tests -# ## -# ## Runs when: -# ## - it is a node release run -# ## or any of: -# ## - this workflow is called manually -# ## - PR is opened -# ## - PR added to merge queue -# create-cache: -# if: | -# needs.check-release.outputs.is_node_release == 'true' || -# github.event_name == 'workflow_dispatch' || -# github.event_name == 'pull_request' || -# github.event_name == 'merge_group' -# name: Create Test Cache -# needs: -# - rustfmt -# - check-release -# uses: ./.github/workflows/create-cache.yml -# ## Tests to run regularly -# ## -# ## Runs when: -# ## - it is a node or signer-only release run -# ## or any of: -# ## - this workflow is called manually -# ## - PR is opened -# ## - PR added to merge queue -# stacks-core-tests: -# if: | -# needs.check-release.outputs.is_node_release == 'true' || -# needs.check-release.outputs.is_signer_release == 'true' || -# github.event_name == 'workflow_dispatch' || -# github.event_name == 'pull_request' || -# github.event_name == 'merge_group' -# name: Stacks Core Tests -# needs: -# - rustfmt -# - create-cache -# - check-release -# uses: ./.github/workflows/stacks-core-tests.yml + ## Create a reusable cache for tests + ## + ## Runs when: + ## - it is a node release run + ## or any of: + ## - this workflow is called manually + ## - PR is opened + ## - PR added 
to merge queue + create-cache: + if: | + needs.check-release.outputs.is_node_release == 'true' || + github.event_name == 'workflow_dispatch' || + github.event_name == 'pull_request' || + github.event_name == 'merge_group' + name: Create Test Cache + needs: + - rustfmt + - check-release + uses: ./.github/workflows/create-cache.yml + + ## Tests to run regularly + ## + ## Runs when: + ## - it is a node or signer-only release run + ## or any of: + ## - this workflow is called manually + ## - PR is opened + ## - PR added to merge queue + stacks-core-tests: + if: | + needs.check-release.outputs.is_node_release == 'true' || + needs.check-release.outputs.is_signer_release == 'true' || + github.event_name == 'workflow_dispatch' || + github.event_name == 'pull_request' || + github.event_name == 'merge_group' + name: Stacks Core Tests + needs: + - rustfmt + - create-cache + - check-release + uses: ./.github/workflows/stacks-core-tests.yml -# ## Validate constants dumped by stacks-inspect -# ## -# ## Runs when: -# ## - it is a node or signer-only release run -# ## or any of: -# ## - this workflow is called manually -# ## - PR is opened -# ## - PR added to merge queue -# constants-check: -# if: | -# needs.check-release.outputs.is_node_release == 'true' || -# needs.check-release.outputs.is_signer_release == 'true' || -# github.event_name == 'workflow_dispatch' || -# github.event_name == 'pull_request' || -# github.event_name == 'merge_group' -# name: Constants Check -# needs: -# - rustfmt -# - check-release -# uses: ./.github/workflows/constants-check.yml + ## Validate constants dumped by stacks-inspect + ## + ## Runs when: + ## - it is a node or signer-only release run + ## or any of: + ## - this workflow is called manually + ## - PR is opened + ## - PR added to merge queue + constants-check: + if: | + needs.check-release.outputs.is_node_release == 'true' || + needs.check-release.outputs.is_signer_release == 'true' || + github.event_name == 'workflow_dispatch' || + 
github.event_name == 'pull_request' || + github.event_name == 'merge_group' + name: Constants Check + needs: + - rustfmt + - check-release + uses: ./.github/workflows/constants-check.yml -# ## Checks to run on built binaries -# ## -# ## Runs when: -# ## - it is a node or signer-only release run -# ## or any of: -# ## - this workflow is called manually -# ## - PR is opened -# ## - PR added to merge queue -# cargo-hack-check: -# if: | -# needs.check-release.outputs.is_node_release == 'true' || -# needs.check-release.outputs.is_signer_release == 'true' || -# github.event_name == 'workflow_dispatch' || -# github.event_name == 'pull_request' || -# github.event_name == 'merge_group' -# name: Cargo Hack Check -# needs: -# - rustfmt -# - check-release -# uses: ./.github/workflows/cargo-hack-check.yml + ## Checks to run on built binaries + ## + ## Runs when: + ## - it is a node or signer-only release run + ## or any of: + ## - this workflow is called manually + ## - PR is opened + ## - PR added to merge queue + cargo-hack-check: + if: | + needs.check-release.outputs.is_node_release == 'true' || + needs.check-release.outputs.is_signer_release == 'true' || + github.event_name == 'workflow_dispatch' || + github.event_name == 'pull_request' || + github.event_name == 'merge_group' + name: Cargo Hack Check + needs: + - rustfmt + - check-release + uses: ./.github/workflows/cargo-hack-check.yml -# ## Checks to run on built binaries -# ## -# ## Runs when: -# ## - it is a node release run -# ## or any of: -# ## - this workflow is called manually -# ## - PR is opened -# ## - PR added to merge queue -# bitcoin-tests: -# if: | -# needs.check-release.outputs.is_node_release == 'true' || -# github.event_name == 'workflow_dispatch' || -# github.event_name == 'pull_request' || -# github.event_name == 'merge_group' -# name: Bitcoin Tests -# needs: -# - rustfmt -# - create-cache -# - check-release -# uses: ./.github/workflows/bitcoin-tests.yml + ## Checks to run on built binaries + ## + ## 
Runs when: + ## - it is a node release run + ## or any of: + ## - this workflow is called manually + ## - PR is opened + ## - PR added to merge queue + bitcoin-tests: + if: | + needs.check-release.outputs.is_node_release == 'true' || + github.event_name == 'workflow_dispatch' || + github.event_name == 'pull_request' || + github.event_name == 'merge_group' + name: Bitcoin Tests + needs: + - rustfmt + - create-cache + - check-release + uses: ./.github/workflows/bitcoin-tests.yml -# p2p-tests: -# if: | -# needs.check-release.outputs.is_node_release == 'true' || -# github.event_name == 'workflow_dispatch' || -# github.event_name == 'pull_request' || -# github.event_name == 'merge_group' -# name: P2P Tests -# needs: -# - rustfmt -# - create-cache -# - check-release -# uses: ./.github/workflows/p2p-tests.yml + p2p-tests: + if: | + needs.check-release.outputs.is_node_release == 'true' || + github.event_name == 'workflow_dispatch' || + github.event_name == 'pull_request' || + github.event_name == 'merge_group' + name: P2P Tests + needs: + - rustfmt + - create-cache + - check-release + uses: ./.github/workflows/p2p-tests.yml -# ## Test to run on a tagged release -# ## -# ## Runs when: -# ## - it is a node release run -# atlas-tests: -# if: needs.check-release.outputs.is_node_release == 'true' -# name: Atlas Tests -# needs: -# - rustfmt -# - create-cache -# - check-release -# uses: ./.github/workflows/atlas-tests.yml + ## Test to run on a tagged release + ## + ## Runs when: + ## - it is a node release run + atlas-tests: + if: needs.check-release.outputs.is_node_release == 'true' + name: Atlas Tests + needs: + - rustfmt + - create-cache + - check-release + uses: ./.github/workflows/atlas-tests.yml -# epoch-tests: -# if: needs.check-release.outputs.is_node_release == 'true' -# name: Epoch Tests -# needs: -# - rustfmt -# - create-cache -# - check-release -# uses: ./.github/workflows/epoch-tests.yml + epoch-tests: + if: needs.check-release.outputs.is_node_release == 'true' + 
name: Epoch Tests + needs: + - rustfmt + - create-cache + - check-release + uses: ./.github/workflows/epoch-tests.yml -# slow-tests: -# if: needs.check-release.outputs.is_node_release == 'true' -# name: Slow Tests -# needs: -# - rustfmt -# - create-cache -# - check-release -# uses: ./.github/workflows/slow-tests.yml + slow-tests: + if: needs.check-release.outputs.is_node_release == 'true' + name: Slow Tests + needs: + - rustfmt + - create-cache + - check-release + uses: ./.github/workflows/slow-tests.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index d8870cf4333..c05ac0fd5aa 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -1,4 +1,6 @@ ## Github workflow to build a docker image from source +# - first builds the binaries from source for x86_64 and arm64 +# - then builds the docker image from the binary artifacts name: Docker Image @@ -10,10 +12,11 @@ env: docker_registry: "ghcr.io" # set a default command to build. we'll define specific build config options later per arch. CMD: "cargo build --features monitoring_prom,slog_json --profile release-lite --workspace" + # do not generate provenance from the docker build step, instead attest the image specifically + provenance: false # ensure these env vars have no values since they will be explicitly set later TARGET_CPU: "" LINKER: "" - provenance: false concurrency: group: docker-image-${{ github.head_ref || github.ref || github.run_id }} @@ -44,7 +47,7 @@ jobs: ref: ${{ github.ref }} ## Set target env var based on the type of arch build - ## - simplified from ./release-build.yml configure_target_platform step + ## - simplified from ./release-build.yml configure_target_platform step (only 2 target triples to build in this workflow) - name: Configure Target Platform id: configure_target_platform shell: bash 
@@ -126,8 +129,8 @@ jobs: id: compress_artifacts shell: bash run: | - # compress all binaries in the target directory for any architecture - file -0 ./target/${{env.TARGET}}/release-lite/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{env.ZIPFILE_NAME}}.zip -@ + # compress all binaries in the target directory for any architecture + file -0 ./target/${{env.TARGET}}/release-lite/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{env.ZIPFILE_NAME}}.zip -@ ## Upload the binary archive using the commit sha as the key - name: Upload Artifact @@ -158,8 +161,8 @@ jobs: id: set_vars shell: bash run: | - var_default_image="${{ env.docker_registry }}/${{ github.repository }}" - echo "docker_images=${var_default_image}" >> $GITHUB_ENV + var_default_image="${{ env.docker_registry }}/${{ github.repository }}" + echo "docker_images=${var_default_image}" >> $GITHUB_ENV ## Setup Docker for the builds - name: Docker setup @@ -183,7 +186,7 @@ jobs: id: download_artifacts uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: - pattern: ${{github.sha}}-* # linux-glibc variants are the only artifacts produced, download for both architectures + pattern: ${{github.sha}}-* # linux-glibc variants are the only artifacts produced, download for both architectures (Dockerfile will choose specific architecture arhive) path: /tmp/release merge-multiple: true @@ -192,7 +195,7 @@ jobs: id: docker_metadata uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 #v5.9.0 env: - DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index with: images: ${{ env.docker_images }} labels: | 
@@ -212,13 +215,13 @@ jobs: platforms: ${{ env.docker_platforms }} tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} - annotations: ${{ steps.docker_metadata.outputs.annotations }} # annotations are required for multi-architecture images + annotations: ${{ steps.docker_metadata.outputs.annotations }} # Note: annotations are used for multi-architecture ghcr images push: ${{ env.DOCKER_PUSH }} ## Generate docker image attestation(s) - name: Attest Image if: | - env.provenance != true + env.provenance != true id: attest_artifact uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: @@ -228,7 +231,8 @@ jobs: push-to-registry: ${{ env.DOCKER_PUSH }} ## Sign the images with GitHub OIDC Token - ## https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ + ## - https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/ + ## - annotations show as null per https://github.com/sigstore/cosign/pull/4508 until a future release (or tagging this specific commit) - name: Install Cosign id: cosign_install uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 @@ -237,16 +241,15 @@ jobs: id: cosign_image shell: bash env: - DIGEST: ${{ steps.docker_build.outputs.digest }} - TAGS: ${{ steps.docker_metadata.outputs.tags }} + DIGEST: ${{ steps.docker_build.outputs.digest }} + TAGS: ${{ steps.docker_metadata.outputs.tags }} run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - cosign sign \ - -a "repo=${{ github.repository }}" \ - -a "ref=${{ github.sha }}" \ - --yes \ - ${images} - + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign \ + -a "repo=${{ github.repository }}" \ + -a "ref=${{ github.sha }}" \ + --yes \ + ${images} 
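Review bot: The `if:` on the Attest Image step compares `env.provenance` with the boolean `true`, but env values reach expressions as strings, so the guard probably does not behave the way it reads. As I understand the expression rules, a string compared with a boolean is coerced to a number, which turns both `'false'` and `'true'` into NaN; the condition then holds either way and the step runs regardless of the setting. Comparing against a string makes the gate real: `env.provenance != 'true'`. This matters if someone later turns on build-step provenance and expects the separate attestation to be skipped. The step's `with:` block continues outside this hunk.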
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 6fa3e65cfe5..8ef82f01a17 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -35,7 +35,7 @@ jobs: id-token: write attestations: write strategy: - ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch + ## Run a maximum of 10 builds concurrently max-parallel: 10 matrix: arch: @@ -47,30 +47,25 @@ jobs: - x86-64 - arm64 os: - - ubuntu-latest # update to large for more cpu cores NOTE: need to update excludes below if a different runner is used - - macos-latest # update to large for more cpu cores. NOTE: need to update excludes below if a different runner is used + - ubuntu-latest + - macos-latest-large exclude: - ############################################ - # exclude linux-musl on macos + ## exclude linux-musl on macos - arch: linux-musl - os: macos-latest - # os: macos-latest-large - # exclude linux-glibc on macos + os: macos-latest-large + ## exclude linux-glibc on macos - arch: linux-glibc - os: macos-latest - # os: macos-latest-large - ############################################ - # excludes macos on ubuntu + os: macos-latest-large + ## excludes macos on ubuntu - arch: macos os: ubuntu-latest - # excludes windows on macos + ## excludes windows on macos - arch: windows - os: macos-latest - # os: macos-latest-large - # excludes windows-arm64 + os: macos-latest-large + ## excludes windows-arm64 - arch: windows cpu: arm64 - # excludes macos-x64 + ## excludes macos-x64 - arch: macos cpu: x86-64 steps: 
@@ -88,7 +83,8 @@ jobs: run: | case ${{ matrix.cpu }} in x86-64*) - ARCHIVE_NAME="$(echo "${{ matrix.cpu }}" | sed -e 's|86-||g')" # if matrix.cpu ever changes to a different x86 version, this will set the archive naming appropriately to `*-x64` + # if matrix.cpu ever changes to a different x86 version, this will set the archive naming appropriately to `*-x64` + ARCHIVE_NAME="$(echo "${{ matrix.cpu }}" | sed -e 's|86-||g')" # set the CPU to build for. if the matrix defines x86-64, default to -v3, else use what's defined in the matrix case ${{ matrix.cpu }} in x86-64) diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml index 4f1d454acdb..9ea2f9101b8 100644 --- a/.github/workflows/release-docker.yml +++ b/.github/workflows/release-docker.yml @@ -1,29 +1,15 @@ ## Github workflow to create release docker images +## - uses binary archives produced by the ./release-build.yml workflow -name: - Docker Release Images - - # node_tag: 4.0.0.0.4 - # node_docker_tag: 4.0.0.0.4 - # signer_tag: signer-4.0.0.0.4.0 - # signer_docker_tag: 4.0.0.0.4.0 - # release_type: stacks-core +name: Docker Release Images on: workflow_call: inputs: - # node_tag: - # description: "Node Release Tag" - # required: true - # type: string node_tag: description: "Node Docker Release Tag" required: true type: string - # signer_tag: - # description: "Signer Release Tag" - # required: true - # type: string signer_tag: description: "Signer Docker Release Tag" required: true 
@@ -85,15 +71,13 @@ jobs: # stacks-signer var_images="${var_default_image}" # use default, set in conditional to allow for individual changes based on release type var_docker_tag=${{ inputs.signer_tag }} # use the input signer_tag if this is the stacks-signer build - # var_artifact_pattern="${{ github.sha }}-stacks-signer-linux-$var_build_arch*" else # stacks-core var_images="${var_default_image}" # use default, set in conditional to allow for individual changes based on release type var_docker_tag=${{ inputs.node_tag }} # use the input node_tag if this is the stacks-node build - # var_artifact_pattern="${{ github.sha }}-${{ inputs.release_type }}-linux-$var_build_arch*" fi - ## Add vars to github env for later steps + # Add vars to github env for later steps echo "docker_images=${var_images}" >> $GITHUB_ENV echo "docker_tag=${var_docker_tag}" >> $GITHUB_ENV echo "artifact_pattern=${var_artifact_pattern}" >> $GITHUB_ENV @@ -109,9 +93,6 @@ jobs: # is a release candidate var_docker_tag_rc=true fi - # if [[ "${docker_tag}" =~ -rc[0-9]*$ ]]; then - # var_docker_tag="${docker_tag}" - # fi echo "var_docker_tag_rc: ${var_docker_tag_rc}" echo "docker_tag_rc=${var_docker_tag_rc}" >> "$GITHUB_ENV" @@ -126,7 +107,7 @@ jobs: ## Setup Docker for the builds - name: Docker setup id: docker_setup - uses: wileyj/actions/docker@chore/update_docker_comp + uses: stacks-network/actions/docker@main with: registry: ${{ env.docker_registry }} # set the registry to ghcr (default is docker.io) username: ${{ github.actor }} 
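Review bot: The replacement `uses: stacks-network/actions/docker@main` in the Docker setup step follows a mutable branch, while the third-party actions in these workflows (`docker/metadata-action`, `actions/download-artifact`, `sigstore/cosign-installer`) are pinned to a full commit SHA with a version comment. This step is given the registry and username (its remaining inputs are outside the hunk), so whatever lands on `main` of that repository runs with registry login inside the release job. The same applies to `stacks-network/actions/stacks-core/release/create-releases@main` in release-github.yml, which receives `GH_TOKEN` in a job with `contents: write`, and to the docker-image.yml change in PATCH 03/10. Pinning each to a reviewed commit, e.g. `uses: stacks-network/actions/docker@<full-commit-sha> # main`, keeps the release path reproducible. It also means changes to the composite action get reviewed before they take effect.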
@@ -151,20 +132,20 @@ jobs: org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}} org.opencontainers.image.version=${{ env.docker_tag }} tags: | - ## debian tags ## + # debian tags # # latest tag type=raw,value=latest,enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'debian' }} # latest-debian tag type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'debian' }} # version tag type=raw,value=${{ env.docker_tag }},enable=${{ env.docker_tag != '' && matrix.dist == 'debian'}} - # version=dist tag + # version-dist tag type=raw,value=${{ env.docker_tag }},suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && matrix.dist == 'debian' }} - ## - ## alpine tags ## + # + # alpine tags # # latest-alpine tag type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'alpine' }} - # version tag + # version-dist tag type=raw,value=${{ env.docker_tag }},suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && matrix.dist == 'alpine' }} ## Build docker image for release @@ -179,7 +160,7 @@ jobs: platforms: ${{ env.docker_platforms }} tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} - annotations: ${{ steps.docker_metadata.outputs.annotations }} # Note: annotations are required for multi-architecture images + annotations: ${{ steps.docker_metadata.outputs.annotations }} # Note: annotations are used for multi-architecture ghcr images push: ${{ env.DOCKER_PUSH }} ## Generate docker image attestation(s) diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index dfc187cabd3..e938a3894f6 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml 
@@ -5,18 +5,10 @@ name: Github Release on: workflow_call: inputs: - # node_tag: - # description: "Node Release Tag" - # required: true - # type: string node_tag: description: "Node Docker Release Tag" required: true type: string - # signer_tag: - # description: "Signer Release Tag" - # required: true - # type: string signer_tag: description: "Signer Docker Release Tag" required: true @@ -25,10 +17,6 @@ on: description: "True if it is a node release" required: true type: string - # is_signer_release: - # description: "True if it is a signer release" - # required: true - # type: string concurrency: group: release-github-${{ github.head_ref || github.ref }} @@ -88,10 +76,7 @@ jobs: ## Creates the node docker image uses: ./.github/workflows/release-docker.yml with: - # node_tag and node_docker_tag should be identical with the version tag, i.e. 3.3.0.0.0 - # node_tag: ${{ inputs.node_tag }} # node_tag contains only the version, i.e. 3.3.0.0.0 node_tag: ${{ inputs.node_tag }} # node_tag will contains the 5 char node version, i.e. 3.3.0.0.0 - # signer_tag: ${{ inputs.signer_tag }} # signer_tag contains only the version, i.e. 3.3.0.0.0.1 signer_tag: ${{ inputs.signer_tag }} # signer_tag contains 6 char signer version, i.e. 3.3.0.0.0.1 release_type: ${{ matrix.type }} # one of stacks-signer or stacks-core @@ -114,8 +99,7 @@ jobs: ## Creates releases - name: Create Release id: check - uses: wileyj/actions/stacks-core/release/create-releases@chore/update_docker_comp - # uses: stacks-network/actions/stacks-core/release/create-releases@main + uses: stacks-network/actions/stacks-core/release/create-releases@main with: node_tag: ${{ inputs.node_tag }} # name used for release (use the version by itself signer_tag: signer-${{ inputs.signer_tag }} # name used for release (prefix with 'signer-') From 5416a519001f416395bc343dde2164eecb4423b0 Mon Sep 17 00:00:00 2001 
From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Tue, 18 Nov 2025 12:28:22 -0800 Subject: [PATCH 03/10] remove forked composite for docker --- .github/workflows/docker-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index c05ac0fd5aa..a767f90a48f 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -167,7 +167,7 @@ jobs: ## Setup Docker for the builds - name: Docker setup id: docker_setup - uses: wileyj/actions/docker@chore/update_docker_comp + uses: stacks-network/actions/docker@main with: registry: ${{ env.docker_registry }} username: ${{ github.actor }} From 764115a1462afa406ff9dbbfbb5682489d7fb368 Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Tue, 18 Nov 2025 12:34:19 -0800 Subject: [PATCH 04/10] use the release profile, not release-lite --- .github/workflows/docker-image.yml | 4 ++-- .github/workflows/release-build.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index a767f90a48f..05051300da1 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -11,7 +11,7 @@ env: docker_platforms: "linux/amd64,linux/arm64" docker_registry: "ghcr.io" # set a default command to build. we'll define specific build config options later per arch. - CMD: "cargo build --features monitoring_prom,slog_json --profile release-lite --workspace" + CMD: "cargo build --features monitoring_prom,slog_json --profile release --workspace" # do not generate provenance from the docker build step, instead attest the image specifically provenance: false # ensure these env vars have no values since they will be explicitly set later 
@@ -130,7 +130,7 @@ jobs: shell: bash run: | # compress all binaries in the target directory for any architecture - file -0 ./target/${{env.TARGET}}/release-lite/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{env.ZIPFILE_NAME}}.zip -@ + file -0 ./target/${{env.TARGET}}/release/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{env.ZIPFILE_NAME}}.zip -@ ## Upload the binary archive using the commit sha as the key - name: Upload Artifact diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 8ef82f01a17..dec9f407317 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -23,7 +23,7 @@ run-name: Build Release Binaries env: # set a default command to build. we'll define specific build config options later per arch. - CMD: "cargo build --features monitoring_prom,slog_json --profile release-lite --workspace" + CMD: "cargo build --features monitoring_prom,slog_json --profile release --workspace" # ensure these env vars have no values since they will be explicitly set later TARGET_CPU: "" LINKER: "" @@ -240,7 +240,7 @@ jobs: shell: bash run: | # compress all binaries in the target directory for any architecture - file -0 ./target/${{ env.TARGET }}/release-lite/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME }}.zip -@ + file -0 ./target/${{ env.TARGET }}/release/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME }}.zip -@ ## Upload the binary archive using the commit sha as the key - name: Upload Artifact (stacks-core) 
@@ -276,7 +276,7 @@ jobs: # - remove the stacks-core zipfile and recreate for the signer [ -e "${{ env.ZIPFILE_NAME}}.zip" ] && rm -f "${{env.ZIPFILE_NAME}}.zip" # compress all binaries in the target directory for any architecture - file -0 ./target/${{env.TARGET}}/release-lite/stacks-signer* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME}}.zip -@ + file -0 ./target/${{env.TARGET}}/release/stacks-signer* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME}}.zip -@ ## Upload the binary archive using the commit sha as the key - name: Upload Artifact (stacks-signer) From b3662a886a43d899f6ab6f4ad715bad1bd2305a2 Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Wed, 19 Nov 2025 09:02:25 -0800 Subject: [PATCH 05/10] disable PR creation with recent change to settings this will not work --- .github/workflows/release-github.yml | 44 ++++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index e938a3894f6..7dac176dbb6 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -80,9 +80,9 @@ jobs: signer_tag: ${{ inputs.signer_tag }} # signer_tag contains 6 char signer version, i.e. 3.3.0.0.0.1 release_type: ${{ matrix.type }} # one of stacks-signer or stacks-core - #### - # ## Runs when the following is true: - # ## - either node or signer tag is provided + ## + ## Runs when the following is true: + ## - either node or signer tag is provided create-release: if: | inputs.node_tag != '' || 
@@ -106,22 +106,22 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # ## Create the downstream PR for the release branch to master and develop - create-pr: - if: | - inputs.node_tag != '' || - inputs.signer_tag != '' - name: Create Downstream PR (${{ github.ref_name }}) - runs-on: ubuntu-latest - needs: - - andon-cord - - build-binaries - - create-release - - docker-images - permissions: - pull-requests: write - steps: - - name: Open Downstream PR - id: create-pr - uses: stacks-network/actions/stacks-core/release/downstream-pr@main - with: - token: ${{ secrets.GITHUB_TOKEN }} + # create-pr: + # if: | + # inputs.node_tag != '' || + # inputs.signer_tag != '' + # name: Create Downstream PR (${{ github.ref_name }}) + # runs-on: ubuntu-latest + # needs: + # - andon-cord + # - build-binaries + # - create-release + # - docker-images + # permissions: + # pull-requests: write + # steps: + # - name: Open Downstream PR + # id: create-pr + # uses: stacks-network/actions/stacks-core/release/downstream-pr@main + # with: + # token: ${{ secrets.GITHUB_TOKEN }} From 542b898ee880e99d6402a0cb378fa3ab1c3551bb Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Wed, 19 Nov 2025 10:18:22 -0800 Subject: [PATCH 06/10] fix inconsistent var formatting --- .github/workflows/docker-image.yml | 20 ++++++++++---------- .github/workflows/release-build.yml | 6 +++--- .github/workflows/release-docker.yml | 4 ++-- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 05051300da1..95330716323 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
@@ -54,7 +54,7 @@ jobs: run: | case ${{ matrix.cpu }} in x86-64*) - ARCHIVE_NAME="$(echo "${{matrix.cpu}}" | sed -e 's|86-||g')" # if matrix.cpu ever changes to a different x86 version, this will set the archive naming appropriately. + ARCHIVE_NAME="$(echo "${{ matrix.cpu }}" | sed -e 's|86-||g')" # if matrix.cpu ever changes to a different x86 version, this will set the archive naming appropriately. # set the CPU to build for. if the matrix defines x86-64, default to -v3, else use what's defined in the matrix case ${{ matrix.cpu }} in x86-64) @@ -70,7 +70,7 @@ jobs: ;; arm64) # install dependencies for the arm64 architecture, and set the rust target for the build step - ARCHIVE_NAME=${{matrix.cpu}} + ARCHIVE_NAME=${{ matrix.cpu }} sudo apt-get update && sudo apt-get install -y git gcc-aarch64-linux-gnu libclang-dev llvm || exit 1 TARGET="aarch64-unknown-linux-gnu" ;; @@ -85,7 +85,7 @@ jobs: fi echo "TARGET=${TARGET}" >> "$GITHUB_ENV" echo "TARGET_CPU=${TARGET_CPU}" >> "$GITHUB_ENV" - echo "ZIPFILE_NAME=${{matrix.arch}}-${ARCHIVE_NAME}" >> "$GITHUB_ENV" + echo "ZIPFILE_NAME=${{ matrix.arch }}-${ARCHIVE_NAME}" >> "$GITHUB_ENV" ## Install rust toolchain for the target being built - name: Setup Rust Toolchain 
@@ -104,22 +104,22 @@ jobs: # # for each target, we will also echo the command being run so it's easier to see in the logs what command was run # - case "${{env.TARGET}}" in + case "${{ env.TARGET }}" in # linux glibc aarch64 aarch64-unknown-linux-gnu) LINKER=aarch64-linux-gnu-gcc echo "$CMD --target $TARGET --config \"target.${TARGET}.linker=\\\"${LINKER}\\\"\" " - ${{env.CMD}} --target $TARGET --config "target.${{env.TARGET}}.linker=\"${LINKER}\"" || exit 1 + ${{ env.CMD }} --target $TARGET --config "target.${{ env.TARGET }}.linker=\"${LINKER}\"" || exit 1 ;; # linux glibc x64 x86_64-unknown-linux-gnu) # use the default linker echo "$CMD --target $TARGET --config build.rustflags=\"\\\"-C target-cpu=${TARGET_CPU}\\\"\" " - ${{env.CMD}} --target $TARGET --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 + ${{ env.CMD }} --target $TARGET --config build.rustflags="\"-C target-cpu=${TARGET_CPU}\"" || exit 1 ;; *) echo "No matrix match for build target ($TARGET). using defaults" - ${{env.CMD}} || exit 1 + ${{ env.CMD }} || exit 1 ;; esac exit 0 @@ -130,14 +130,14 @@ jobs: shell: bash run: | # compress all binaries in the target directory for any architecture - file -0 ./target/${{env.TARGET}}/release/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{env.ZIPFILE_NAME}}.zip -@ + file -0 ./target/${{ env.TARGET }}/release/* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME }}.zip -@ ## Upload the binary archive using the commit sha as the key - name: Upload Artifact id: upload_artifact uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: - name: ${{github.sha}}-${{ env.ZIPFILE_NAME }} + name: ${{ github.sha }}-${{ env.ZIPFILE_NAME }} path: ${{ env.ZIPFILE_NAME }}.zip ## Attest the binary archive 
@@ -186,7 +186,7 @@ jobs: id: download_artifacts uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: - pattern: ${{github.sha}}-* # linux-glibc variants are the only artifacts produced, download for both architectures (Dockerfile will choose specific architecture arhive) + pattern: ${{ github.sha }}-* # linux-glibc variants are the only artifacts produced, download for both architectures (Dockerfile will choose specific architecture arhive) path: /tmp/release merge-multiple: true diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index dec9f407317..389b2714702 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -171,7 +171,7 @@ jobs: if [ "${{ inputs.node_tag }}" == '' ]; then BINS="--bin stacks-signer" fi - case "${{ env.TARGET }}" in + case "${{ env.TARGET }}" in # linux glibc aarch64 aarch64-unknown-linux-gnu) LINKER=aarch64-linux-gnu-gcc @@ -274,9 +274,9 @@ jobs: run: | # since the archives are named generically and identically for both stacks-core and stacks-signer: # - remove the stacks-core zipfile and recreate for the signer - [ -e "${{ env.ZIPFILE_NAME}}.zip" ] && rm -f "${{env.ZIPFILE_NAME}}.zip" + [ -e "${{ env.ZIPFILE_NAME }}.zip" ] && rm -f "${{ env.ZIPFILE_NAME }}.zip" # compress all binaries in the target directory for any architecture - file -0 ./target/${{env.TARGET}}/release/stacks-signer* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME}}.zip -@ + file -0 ./target/${{ env.TARGET }}/release/stacks-signer* | sed -nE 's/\x0:\s*(ELF|PE32+|Mach).*//p' | zip --junk-paths ${{ env.ZIPFILE_NAME }}.zip -@ ## Upload the binary archive using the commit sha as the key - name: Upload Artifact (stacks-signer) diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml index 9ea2f9101b8..6270dfd3975 100644 --- a/.github/workflows/release-docker.yml 
+++ b/.github/workflows/release-docker.yml @@ -122,7 +122,7 @@ jobs: sparse-checkout: | .github - - name: Docker Metadata ( ${{matrix.dist}} ) + - name: Docker Metadata ( ${{ matrix.dist }} ) id: docker_metadata uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 #v5.9.0 with: @@ -156,7 +156,7 @@ jobs: sbom: false provenance: ${{ env.provenance }} context: /tmp - file: ./.github/actions/dockerfiles/${{ matrix.dist }}/${{ env.dockerfile_name}} + file: ./.github/actions/dockerfiles/${{ matrix.dist }}/${{ env.dockerfile_name }} platforms: ${{ env.docker_platforms }} tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} From 52d0ba36fa05fc327d830da59881fcf3f224c50d Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Tue, 25 Nov 2025 12:31:43 -0800 Subject: [PATCH 07/10] remove commented step --- .github/workflows/release-github.yml | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/.github/workflows/release-github.yml b/.github/workflows/release-github.yml index 7dac176dbb6..66e815a35c6 100644 --- a/.github/workflows/release-github.yml +++ b/.github/workflows/release-github.yml @@ -105,23 +105,3 @@ jobs: signer_tag: signer-${{ inputs.signer_tag }} # name used for release (prefix with 'signer-') GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ## Create the downstream PR for the release branch to master and develop - # create-pr: - # if: | - # inputs.node_tag != '' || - # inputs.signer_tag != '' - # name: Create Downstream PR (${{ github.ref_name }}) - # runs-on: ubuntu-latest - # needs: - # - andon-cord - # - build-binaries - # - create-release - # - docker-images - # permissions: - # pull-requests: write - # steps: - # - name: Open Downstream PR - # id: create-pr - # uses: stacks-network/actions/stacks-core/release/downstream-pr@main - # with: - # token: ${{ secrets.GITHUB_TOKEN }} From c3fb53fde32dde9cc859528f3fa1ce5a5690d7a6 Mon Sep 17 00:00:00 2001 
From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Wed, 26 Nov 2025 10:25:47 -0800 Subject: [PATCH 08/10] addressing PR comments and adding consistency to env vars --- .github/workflows/docker-image.yml | 33 ++++++++--------- .github/workflows/release-docker.yml | 54 +++++++++++++++------------- 2 files changed, 46 insertions(+), 41 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 95330716323..39bcfcb5a0e 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -8,15 +8,16 @@ on: workflow_dispatch: env: - docker_platforms: "linux/amd64,linux/arm64" - docker_registry: "ghcr.io" + # build for both x64 and arm64 arch + DOCKER_PLATFORMS: "linux/amd64,linux/arm64" + # publish images to ghcr + DOCKER_REGISTRY: "ghcr.io" # set a default command to build. we'll define specific build config options later per arch. CMD: "cargo build --features monitoring_prom,slog_json --profile release --workspace" # do not generate provenance from the docker build step, instead attest the image specifically - provenance: false - # ensure these env vars have no values since they will be explicitly set later - TARGET_CPU: "" - LINKER: "" + PROVENANCE: false + # set the build target statically, since we only need to build for linux-glibc + ARCH: linux-glibc concurrency: group: docker-image-${{ github.head_ref || github.ref || github.run_id }} @@ -80,12 +81,12 @@ jobs: ;; esac if [[ -z "$TARGET" ]]; then - echo "[ERROR] TARGET Variable is empty for ${{ matrix.arch }}-${{ matrix.cpu }}"; + echo "[ERROR] TARGET Variable is empty for ${{ env.ARCH }}-${{ matrix.cpu }}"; exit 1 fi echo "TARGET=${TARGET}" >> "$GITHUB_ENV" echo "TARGET_CPU=${TARGET_CPU}" >> "$GITHUB_ENV" - echo "ZIPFILE_NAME=${{ matrix.arch }}-${ARCHIVE_NAME}" >> "$GITHUB_ENV" + echo "ZIPFILE_NAME=${{ env.ARCH }}-${ARCHIVE_NAME}" >> "$GITHUB_ENV" ## Install rust toolchain for the target being built - name: Setup Rust Toolchain 
@@ -161,15 +162,15 @@ jobs: id: set_vars shell: bash run: | - var_default_image="${{ env.docker_registry }}/${{ github.repository }}" - echo "docker_images=${var_default_image}" >> $GITHUB_ENV + var_default_image="${{ env.DOCKER_REGISTRY }}/${{ github.repository }}" + echo "DOCKER_IMAGES=${var_default_image}" >> $GITHUB_ENV ## Setup Docker for the builds - name: Docker setup id: docker_setup uses: stacks-network/actions/docker@main with: - registry: ${{ env.docker_registry }} + registry: ${{ env.DOCKER_REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} @@ -197,7 +198,7 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index with: - images: ${{ env.docker_images }} + images: ${{ env.DOCKER_IMAGES }} labels: | org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}} tags: | @@ -209,10 +210,10 @@ jobs: uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: sbom: false - provenance: ${{ env.provenance }} + provenance: ${{ env.PROVENANCE }} context: /tmp file: ./.github/actions/dockerfiles/debian/Dockerfile - platforms: ${{ env.docker_platforms }} + platforms: ${{ env.DOCKER_PLATFORMS }} tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} annotations: ${{ steps.docker_metadata.outputs.annotations }} # Note: annotations are used for multi-architecture ghcr images @@ -221,12 +222,12 @@ jobs: ## Generate docker image attestation(s) - name: Attest Image if: | - env.provenance != true + env.PROVENANCE != true id: attest_artifact uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-name: | - ${{ env.docker_images }} + ${{ env.DOCKER_IMAGES }} subject-digest: ${{ steps.docker_build.outputs.digest }} push-to-registry: ${{ env.DOCKER_PUSH }} diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml index 6270dfd3975..92a8f981044 100644 
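Review bot: The `Docker setup` step in the `@@ -161,15 +162,15 @@` hunk still runs `stacks-network/actions/docker@main`, a mutable branch ref, and hands it `secrets.GITHUB_TOKEN` as the registry password. The other actions in this workflow (`docker/build-push-action`, `actions/attest-build-provenance`) are pinned to a commit SHA. Whatever lands on that branch runs inside the image-publishing job with the token, so pin it the same way: `uses: stacks-network/actions/docker@<commit-sha> # <tag>` (placeholders, to be filled from the actions repository). The same step appears in the `@@ -109,7 +111,7 @@` hunk of release-docker.yml.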
--- a/.github/workflows/release-docker.yml +++ b/.github/workflows/release-docker.yml @@ -26,9 +26,13 @@ concurrency: run-name: ${{ inputs.node_tag || inputs.signer_tag }} env: - docker_platforms: "linux/arm64, linux/amd64" - docker_registry: ghcr.io - provenance: false + # build for both x64 and arm64 arch + DOCKER_PLATFORMS: "linux/amd64,linux/arm64" + # publish images to ghcr + DOCKER_REGISTRY: "ghcr.io" + # do not generate provenance from the docker build step, instead attest the image specifically + PROVENANCE: false + jobs: release-images: if: | @@ -65,7 +69,7 @@ jobs: echo "var_build_arch: ${var_build_arch}" # set a default docker image: registry/repo/release_type - var_default_image="${{ env.docker_registry }}/${{ github.repository_owner }}/${{ inputs.release_type }}" + var_default_image="${{ env.DOCKER_REGISTRY }}/${{ github.repository_owner }}/${{ inputs.release_type }}" var_artifact_pattern="${{ github.sha }}-${{ inputs.release_type }}-linux-${var_build_arch}*" if [ "${{ inputs.release_type }}" == "stacks-signer" ]; then # stacks-signer @@ -78,11 +82,10 @@ jobs: fi # Add vars to github env for later steps - echo "docker_images=${var_images}" >> $GITHUB_ENV - echo "docker_tag=${var_docker_tag}" >> $GITHUB_ENV - echo "artifact_pattern=${var_artifact_pattern}" >> $GITHUB_ENV - echo "build_arch=${var_build_arch}" >> "$GITHUB_ENV" - echo "dockerfile_name=${var_dockerfile_name}" >> "$GITHUB_ENV" + echo "DOCKER_IMAGES=${var_images}" >> $GITHUB_ENV + echo "DOCKER_TAG=${var_docker_tag}" >> $GITHUB_ENV + echo "ARTIFACT_PATTERN=${var_artifact_pattern}" >> $GITHUB_ENV + echo "DOCKERFILE_NAME=${var_dockerfile_name}" >> "$GITHUB_ENV" - name: Set Docker Tag RC Flag id: docker_tag_rc_flag 
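Review bot: The `var_default_image=` and `var_artifact_pattern=` lines in the `@@ -65,7 +69,7 @@` hunk expand `${{ inputs.release_type }}` straight into the bash script text, so the value is parsed as shell rather than treated as data. The workflow's trigger and the start of this `run:` block are outside the hunk, so how far that input can be influenced is not visible here. Passing it through the step's `env:` (`RELEASE_TYPE: ${{ inputs.release_type }}`) and writing `"${RELEASE_TYPE}"` in the script removes the question.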
@@ -93,14 +96,13 @@ jobs: # is a release candidate var_docker_tag_rc=true fi - echo "var_docker_tag_rc: ${var_docker_tag_rc}" - echo "docker_tag_rc=${var_docker_tag_rc}" >> "$GITHUB_ENV" + echo "DOCKER_TAG_RC=${var_docker_tag_rc}" >> "$GITHUB_ENV" - name: Download Artifacts id: download_artifacts uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: - pattern: ${{ env.artifact_pattern }} + pattern: ${{ env.ARTIFACT_PATTERN }} path: /tmp/release merge-multiple: true @@ -109,7 +111,7 @@ jobs: id: docker_setup uses: stacks-network/actions/docker@main with: - registry: ${{ env.docker_registry }} # set the registry to ghcr (default is docker.io) + registry: ${{ env.DOCKER_REGISTRY }} # set the registry to ghcr (default is docker.io) username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} 
@@ -127,26 +129,26 @@ jobs: uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 #v5.9.0 with: images: | - ${{ env.docker_images }} + ${{ env.DOCKER_IMAGES }} labels: | org.opencontainers.image.created={{commit_date 'YYYY-MM-DDTHH:mm:ss.SSS[Z]'}} - org.opencontainers.image.version=${{ env.docker_tag }} + org.opencontainers.image.version=${{ env.DOCKER_TAG }} tags: | # debian tags # # latest tag - type=raw,value=latest,enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'debian' }} + type=raw,value=latest,enable=${{ env.DOCKER_TAG != '' && env.DOCKER_TAG_RC != 'true' && matrix.dist == 'debian' }} # latest-debian tag - type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'debian' }} + type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.DOCKER_TAG != '' && env.DOCKER_TAG_RC != 'true' && matrix.dist == 'debian' }} # version tag - type=raw,value=${{ env.docker_tag }},enable=${{ env.docker_tag != '' && matrix.dist == 'debian'}} + type=raw,value=${{ env.DOCKER_TAG }},enable=${{ env.DOCKER_TAG != '' && matrix.dist == 'debian'}} # version-dist tag - type=raw,value=${{ env.docker_tag }},suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && matrix.dist == 'debian' }} + type=raw,value=${{ env.DOCKER_TAG }},suffix=-${{ matrix.dist }},enable=${{ env.DOCKER_TAG != '' && matrix.dist == 'debian' }} # # alpine tags # # latest-alpine tag - type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && env.docker_tag_rc != 'true' && matrix.dist == 'alpine' }} + type=raw,value=latest,suffix=-${{ matrix.dist }},enable=${{ env.DOCKER_TAG != '' && env.DOCKER_TAG_RC != 'true' && matrix.dist == 'alpine' }} # version-dist tag - type=raw,value=${{ env.docker_tag }},suffix=-${{ matrix.dist }},enable=${{ env.docker_tag != '' && matrix.dist == 'alpine' }} + type=raw,value=${{ env.DOCKER_TAG }},suffix=-${{ matrix.dist }},enable=${{ 
env.DOCKER_TAG != '' && matrix.dist == 'alpine' }} ## Build docker image for release - name: Build and Push ( ${{matrix.dist}} ) @@ -154,10 +156,10 @@ jobs: uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: sbom: false - provenance: ${{ env.provenance }} + provenance: ${{ env.PROVENANCE }} context: /tmp - file: ./.github/actions/dockerfiles/${{ matrix.dist }}/${{ env.dockerfile_name }} - platforms: ${{ env.docker_platforms }} + file: ./.github/actions/dockerfiles/${{ matrix.dist }}/${{ env.DOCKERFILE_NAME }} + platforms: ${{ env.DOCKER_PLATFORMS }} tags: ${{ steps.docker_metadata.outputs.tags }} labels: ${{ steps.docker_metadata.outputs.labels }} annotations: ${{ steps.docker_metadata.outputs.annotations }} # Note: annotations are used for multi-architecture ghcr images @@ -165,10 +167,12 @@ jobs: ## Generate docker image attestation(s) - name: Attest Image (${{ github.event.repository.name }}) + if: | + env.PROVENANCE != true id: attest_image uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: - subject-name: ${{ env.docker_registry }}/${{ github.repository_owner }}/${{ inputs.release_type }} + subject-name: ${{ env.DOCKER_REGISTRY }}/${{ github.repository_owner }}/${{ inputs.release_type }} subject-digest: ${{ steps.docker_build.outputs.digest }} push-to-registry: ${{ env.DOCKER_PUSH }} From eb9f28329c65ddc7805e1efc9003142bb583f180 Mon Sep 17 00:00:00 2001 
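Review bot: The `if: env.PROVENANCE != true` added to the `Attest Image` step compares a string with a boolean, because `env` values are always strings. As far as the expression rules go, mismatched operands are coerced to numbers and both `'false'` and `'true'` become NaN, so the condition holds for either setting and the step is never skipped. The guard therefore reads as a toggle but does not act as one; `if: env.PROVENANCE != 'true'` states the intent. The renamed condition in docker-image.yml (`@@ -221,12 +222,12 @@`) has the same form.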
From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Wed, 26 Nov 2025 12:55:29 -0800 Subject: [PATCH 09/10] - removed atlas_test, slow_test workflows and adjusted the standalone-test workflow - update ci.yml to no longer call atlas, slow workflows on release - remove test from sbtc and epoch workflows that no longer exist - moved last remaining test from slow_test to bitcoin_test workflow --- .github/workflows/atlas-tests.yml | 70 ------------------------ .github/workflows/bitcoin-tests.yml | 1 + .github/workflows/ci.yml | 18 ------- .github/workflows/epoch-tests.yml | 7 +-- .github/workflows/sbtc-tests.yml | 3 -- .github/workflows/slow-tests.yml | 73 -------------------------- .github/workflows/standalone-tests.yml | 34 ------------ 7 files changed, 2 insertions(+), 204 deletions(-) delete mode 100644 .github/workflows/atlas-tests.yml delete mode 100644 .github/workflows/slow-tests.yml diff --git a/.github/workflows/atlas-tests.yml b/.github/workflows/atlas-tests.yml deleted file mode 100644 index 1ea78e54112..00000000000 --- a/.github/workflows/atlas-tests.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -## Github workflow to run atlas tests - -name: Tests::Atlas - -on: - workflow_call: - -## env vars are transferred to composite action steps -env: - BITCOIND_TEST: 1 - RUST_BACKTRACE: full - SEGMENT_DOWNLOAD_TIMEOUT_MINS: 15 - TEST_TIMEOUT: 30 - -concurrency: - group: atlas-tests-${{ github.head_ref || github.ref || github.run_id}} - ## Only cancel in progress if this is for a PR - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - -jobs: - # Atlas integration tests with code coverage - atlas-tests: - name: Atlas Test - runs-on: ubuntu-latest - strategy: - ## Continue with the test matrix even if we've had a failure - fail-fast: false - ## Run a maximum of 2 concurrent tests from the test matrix - max-parallel: 2 - matrix: - test-name: - - tests::neon_integrations::atlas_integration_test - - tests::neon_integrations::atlas_stress_integration_test - steps: - ## Setup test environment - - name: Setup Test Environment - id: setup_tests - uses: stacks-network/actions/stacks-core/testenv@main - with: - btc-version: "25.0" - - ## Run test matrix using restored cache of archive file - ## - Test will timeout after env.TEST_TIMEOUT minutes - - name: Run Tests - id: run_tests - timeout-minutes: ${{ fromJSON(env.TEST_TIMEOUT) }} - uses: stacks-network/actions/stacks-core/run-tests@main - with: - test-name: ${{ matrix.test-name }} - - ## Create and upload code coverage file - - name: Code Coverage - id: codecov - uses: stacks-network/actions/codecov@main - with: - test-name: ${{ matrix.test-name }} - - check-tests: - name: Check Tests - runs-on: ubuntu-latest - if: always() - needs: - - atlas-tests - steps: - - name: Check Tests Status - id: check_tests_status - uses: stacks-network/actions/check-jobs-status@main - with: - jobs: ${{ toJson(needs) }} - summary_print: "true" diff --git a/.github/workflows/bitcoin-tests.yml b/.github/workflows/bitcoin-tests.yml index 9571af8ed3c..93072351a83 100644 --- a/.github/workflows/bitcoin-tests.yml 
+++ b/.github/workflows/bitcoin-tests.yml @@ -105,6 +105,7 @@ jobs: tests::nakamoto_integrations::large_mempool_next_constant_fee tests::nakamoto_integrations::large_mempool_next_random_fee tests::nakamoto_integrations::larger_mempool + tests::nakamoto_integrations::check_block_info_rewards tests::signer::v0::larger_mempool EOF diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 60479ceeea3..fc3f00cb6a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -226,15 +226,6 @@ jobs: ## ## Runs when: ## - it is a node release run - atlas-tests: - if: needs.check-release.outputs.is_node_release == 'true' - name: Atlas Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/atlas-tests.yml - epoch-tests: if: needs.check-release.outputs.is_node_release == 'true' name: Epoch Tests @@ -243,12 +234,3 @@ jobs: - create-cache - check-release uses: ./.github/workflows/epoch-tests.yml - - slow-tests: - if: needs.check-release.outputs.is_node_release == 'true' - name: Slow Tests - needs: - - rustfmt - - create-cache - - check-release - uses: ./.github/workflows/slow-tests.yml diff --git a/.github/workflows/epoch-tests.yml b/.github/workflows/epoch-tests.yml index bccedf7056e..ba2e75c6547 100644 --- a/.github/workflows/epoch-tests.yml +++ b/.github/workflows/epoch-tests.yml @@ -33,9 +33,6 @@ jobs: - tests::epoch_205::test_dynamic_db_method_costs - tests::epoch_205::test_exact_block_costs - tests::epoch_205::transition_empty_blocks - - tests::epoch_21::test_pox_missing_five_anchor_blocks - - tests::epoch_21::test_pox_reorg_one_flap - - tests::epoch_21::test_pox_reorgs_three_flaps - tests::epoch_21::test_sortition_divergence_pre_21 - tests::epoch_21::test_v1_unlock_height_with_current_stackers - tests::epoch_21::test_v1_unlock_height_with_delay_and_current_stackers 
@@ -43,13 +40,11 @@ jobs: - tests::epoch_21::transition_adds_burn_block_height - tests::epoch_21::transition_adds_get_pox_addr_recipients - tests::epoch_21::transition_adds_mining_from_segwit - - tests::epoch_21::transition_adds_pay_to_contract - tests::epoch_21::transition_empty_blocks - tests::epoch_21::transition_fixes_bitcoin_rigidity - tests::epoch_21::transition_removes_pox_sunset - tests::epoch_22::disable_pox - tests::epoch_22::pox_2_unlock_all - - tests::epoch_22::test_pox_reorg_one_flap - tests::epoch_23::trait_invocation_behavior - tests::epoch_24::fix_to_pox_contract - tests::epoch_24::verify_auto_unlock_behavior @@ -60,7 +55,7 @@ jobs: uses: stacks-network/actions/stacks-core/testenv@main with: btc-version: "25.0" - + ## Run test matrix using restored cache of archive file ## - Test will timeout after env.TEST_TIMEOUT minutes - name: Run Tests diff --git a/.github/workflows/sbtc-tests.yml b/.github/workflows/sbtc-tests.yml index 7d9e7abbdfa..82466f77c42 100644 --- a/.github/workflows/sbtc-tests.yml +++ b/.github/workflows/sbtc-tests.yml @@ -29,8 +29,6 @@ jobs: max-parallel: 32 matrix: test-name: - - tests::neon_integrations::test_submit_and_observe_sbtc_ops - - tests::signer::test_stackerdb_dkg - tests::stackerdb::test_stackerdb_event_observer - tests::stackerdb::test_stackerdb_load_store steps: @@ -54,4 +52,3 @@ jobs: uses: stacks-network/actions/codecov@main with: test-name: ${{ matrix.test-name }} - diff --git a/.github/workflows/slow-tests.yml b/.github/workflows/slow-tests.yml deleted file mode 100644 index 02c5bdf552d..00000000000 --- a/.github/workflows/slow-tests.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -## Github workflow to run slow tests - -name: Tests::Slow - -on: - workflow_call: - -## env vars are transferred to composite action steps -env: - BITCOIND_TEST: 1 - RUST_BACKTRACE: full - SEGMENT_DOWNLOAD_TIMEOUT_MINS: 15 - TEST_TIMEOUT: 30 - -concurrency: - group: slow-tests-${{ github.head_ref || github.ref || github.run_id }} - ## Only cancel in progress if this is for a PR - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - -jobs: - # Slow integration tests with code coverage - slow-tests: - name: Slow Tests - runs-on: ubuntu-latest - strategy: - ## Continue with the test matrix even if we've had a failure - fail-fast: false - ## Run a maximum of 2 concurrent tests from the test matrix - max-parallel: 2 - matrix: - ## Each of these tests should take ~20 minutes if they are successful - test-name: - - tests::epoch_21::test_pox_reorg_flap_duel - - tests::epoch_21::test_pox_reorg_flap_reward_cycles - - tests::nakamoto_integrations::check_block_info_rewards - steps: - ## Setup test environment - - name: Setup Test Environment - id: setup_tests - uses: stacks-network/actions/stacks-core/testenv@main - with: - btc-version: "25.0" - - ## Run test matrix using restored cache of archive file - ## - Test will timeout after env.TEST_TIMEOUT minutes - - name: Run Tests - id: run_tests - timeout-minutes: ${{ fromJSON(env.TEST_TIMEOUT) }} - uses: stacks-network/actions/stacks-core/run-tests@main - with: - test-name: ${{ matrix.test-name }} - threads: 1 - - ## Create and upload code coverage file - - name: Code Coverage - id: codecov - uses: stacks-network/actions/codecov@main - with: - test-name: ${{ matrix.test-name }} - - check-tests: - name: Check Tests - runs-on: ubuntu-latest - if: always() - needs: - - slow-tests - steps: - - name: Check Tests Status - id: check_tests_status - uses: stacks-network/actions/check-jobs-status@main - with: - jobs: ${{ toJson(needs) }} - summary_print: "true" 
diff --git a/.github/workflows/standalone-tests.yml b/.github/workflows/standalone-tests.yml index 8a56acc3ec6..38eec941366 100644 --- a/.github/workflows/standalone-tests.yml +++ b/.github/workflows/standalone-tests.yml @@ -18,11 +18,9 @@ on: options: - Release Tests - CI Tests - - Atlas Tests - Bitcoin Tests - Epoch Tests - P2P Tests - - Slow Tests - Stacks-Core Tests - SBTC Tests @@ -87,22 +85,6 @@ jobs: - create-cache uses: ./.github/workflows/p2p-tests.yml - ##################################################### - ## Runs when: - ## either or of the following: - ## - workflow is 'Release Tests' - ## - workflow is 'Atlas Tests' - atlas-tests: - if: | - ( - inputs.workflow == 'Release Tests' || - inputs.workflow == 'Atlas Tests' - ) - name: Atlas Tests - needs: - - create-cache - uses: ./.github/workflows/atlas-tests.yml - ## Runs when: ## either or of the following: ## - workflow is 'Release Tests' @@ -118,21 +100,6 @@ jobs: - create-cache uses: ./.github/workflows/epoch-tests.yml - ## Runs when: - ## either or of the following: - ## - workflow is 'Release Tests' - ## - workflow is 'Slow Tests' - slow-tests: - if: | - ( - inputs.workflow == 'Release Tests' || - inputs.workflow == 'Slow Tests' - ) - name: Slow Tests - needs: - - create-cache - uses: ./.github/workflows/slow-tests.yml - ## Runs when: ## either or of the following: ## - workflow is 'Release Tests' @@ -147,4 +114,3 @@ jobs: needs: - create-cache uses: ./.github/workflows/sbtc-tests.yml - From 52a47273bd54d6e99a1008b180e840960158bbad Mon Sep 17 00:00:00 2001 From: wileyj <2847772+wileyj@users.noreply.github.com> Date: Tue, 2 Dec 2025 18:01:00 -0800 Subject: [PATCH 10/10] Updating default stacks-node CMD for release dockerfiles --- .github/actions/dockerfiles/alpine/Dockerfile.release | 2 +- .github/actions/dockerfiles/debian/Dockerfile.release | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/actions/dockerfiles/alpine/Dockerfile.release b/.github/actions/dockerfiles/alpine/Dockerfile.release index a925ed7de54..935881b547e 100644 --- a/.github/actions/dockerfiles/alpine/Dockerfile.release +++ b/.github/actions/dockerfiles/alpine/Dockerfile.release @@ -15,4 +15,4 @@ RUN case ${TARGETPLATFORM} in \ FROM alpine COPY --from=builder /out/* /bin/ -CMD ["/bin/stacks-node run --config /signer-config.toml"] +CMD ["/bin/stacks-node mainnet"] diff --git a/.github/actions/dockerfiles/debian/Dockerfile.release b/.github/actions/dockerfiles/debian/Dockerfile.release index 61f7a260bac..1ec84e10552 100644 --- a/.github/actions/dockerfiles/debian/Dockerfile.release +++ b/.github/actions/dockerfiles/debian/Dockerfile.release @@ -15,4 +15,4 @@ RUN case ${TARGETPLATFORM} in \ FROM debian:stable-slim COPY --from=builder /out/* /bin/ -CMD ["/bin/stacks-signer run --config /signer-config.toml"] +CMD ["/bin/stacks-node mainnet"]
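Review bot: `CMD ["/bin/stacks-node mainnet"]` is exec form with a single element, so the runtime looks for an executable whose path is literally `/bin/stacks-node mainnet` and the container fails to start. Each argument needs its own array element: `CMD ["/bin/stacks-node", "mainnet"]`. The debian/Dockerfile.release hunk that follows carries the same line and needs the same change. The final stage shown here also has no `USER` instruction, so once the command is fixed the node would run as root unless the deployment overrides it.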