Merge remote-tracking branch 'origin/merge-train/barretenberg' into mm/fix-op-queue

Author: maramihali

.github/.gitignore

@@ -1 +1,2 @@
-.secrets
+.secrets
+.act-tool-cache

.github/actions/setup-k8s-terraform/action.yml

@@ -0,0 +1,154 @@
+name: "Setup K8s and Terraform"
+description: "Common setup for Kubernetes cluster access and Terraform initialization"
+
+inputs:
+  cluster:
+    description: "The cluster to deploy to (e.g., aztec-gke-private or kind)"
+    required: true
+  namespace:
+    description: "The namespace to deploy to"
+    required: true
+  ref:
+    description: "The branch name to deploy from"
+    required: false
+    default: "next"
+  region:
+    description: "GCP region"
+    required: false
+    default: "us-west1-a"
+  gcp_sa_key:
+    description: "GCP service account JSON key"
+    required: true
+  kubeconfig_b64:
+    description: "Base64 encoded kubeconfig for kind clusters"
+    required: false
+  terraform_dir:
+    description: "Terraform working directory"
+    required: true
+  tf_state_bucket:
+    description: "Terraform state bucket for GCS backend"
+    required: false
+    default: "aztec-terraform"
+  tf_state_prefix:
+    description: "Terraform state prefix for GCS backend"
+    required: true
+  additional_state_path:
+    description: "Additional path component for state (e.g., salt value)"
+    required: false
+    default: ""
+  run_terraform_destroy:
+    description: "Whether to run terraform destroy"
+    required: false
+    default: "false"
+
+outputs:
+  kubectl_context:
+    description: "The current kubectl context"
+    value: ${{ steps.setup_vars.outputs.kubectl_context }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check if directory exists
+      id: check_dir
+      shell: bash
+      run: |
+        if [ -d ".git" ]; then
+          echo "exists=true" >> $GITHUB_OUTPUT
+        else
+          echo "exists=false" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Checkout code
+      if: ${{ steps.check_dir.outputs.exists != 'true' }}
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      with:
+        ref: ${{ inputs.ref }}
+
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f
+      with:
+        credentials_json: ${{ inputs.gcp_sa_key }}
+
+    - name: Set up Cloud SDK
+      uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a
+
+    - name: Install GKE Auth Plugin
+      shell: bash
+      run: |
+        gcloud components install gke-gcloud-auth-plugin --quiet
+
+    - name: Configure kubectl with GKE cluster
+      if: ${{ inputs.cluster != 'kind' }}
+      shell: bash
+      run: |
+        gcloud container clusters get-credentials ${{ inputs.cluster }} --region ${{ inputs.region }}
+
+    - name: Configure kubectl with kind cluster
+      if: ${{ inputs.cluster == 'kind' }}
+      shell: bash
+      run: |
+        if [ -z "${{ inputs.kubeconfig_b64 }}" ]; then
+          echo "KUBECONFIG_B64 is not set"
+          exit 1
+        fi
+        mkdir -p $HOME/.kube
+        echo "${{ inputs.kubeconfig_b64 }}" | base64 -d > $HOME/.kube/config
+        kubectl config use-context kind-kind
+
+    - name: Set up kubectl context
+      id: setup_vars
+      shell: bash
+      run: |
+        CLUSTER_CONTEXT=$(kubectl config current-context)
+        echo "kubectl_context=${CLUSTER_CONTEXT}" >> $GITHUB_OUTPUT
+        echo "TF_VAR_K8S_CLUSTER_CONTEXT=${CLUSTER_CONTEXT}" >> $GITHUB_ENV
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: "1.5.0"
+
+    - name: Terraform Init
+      shell: bash
+      working-directory: ${{ inputs.terraform_dir }}
+      run: |
+        # Clean up any previous backend overrides
+        rm -f backend_override.tf
+
+        # Build the state path
+        STATE_PATH="${{ inputs.cluster }}/${{ inputs.namespace }}"
+        if [ -n "${{ inputs.additional_state_path }}" ]; then
+          STATE_PATH="${STATE_PATH}/${{ inputs.additional_state_path }}"
+        fi
+
+        if [ "${{ inputs.cluster }}" == "kind" ]; then
+          # For kind, use local backend
+          cat > backend_override.tf << EOF
+        terraform {
+          backend "local" {
+            path = "state/${STATE_PATH}/terraform.tfstate"
+          }
+        }
+        EOF
+        else
+          # For GKE, use GCS backend
+          cat > backend_override.tf << EOF
+        terraform {
+          backend "gcs" {
+            bucket = "${{ inputs.tf_state_bucket }}"
+            prefix = "${{ inputs.tf_state_prefix }}/${{ inputs.region }}/${STATE_PATH}/terraform.tfstate"
+          }
+        }
+        EOF
+        fi
+
+        terraform init -reconfigure
+
+    - name: Terraform Destroy
+      if: ${{ inputs.run_terraform_destroy == 'true' }}
+      shell: bash
+      working-directory: ${{ inputs.terraform_dir }}
+      continue-on-error: true
+      run: |
+        terraform destroy -auto-approve

.github/local_workflow.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# Runs a github workflow locally.
+#
+# Needs `act`. See https://nektosact.com/installation/index.html
+#
+# Bind-mounts the local directory into the container, which executes as the current user.
+# Attempts to use a GCP service account, which you can download from
+# https://console.cloud.google.com/iam-admin/serviceaccounts
+
+# Your workflow may not need a GCP service account, nor a kubeconfig, etc.
+# Feel free to send a PR to tweak the script ;)
+
+# example usage:
+# export GOOGLE_APPLICATION_CREDENTIALS=/your/path/to/testnet-helm-sa.json
+# alias lwfl=/your/path/to/aztec-clones/alpha/.github/local_workflow.sh
+# lwfl deploy_eth_devnet --input cluster=kind --input resource_profile=dev --input namespace=mitch-eth-devnet --input create_static_ips=false
+# lwfl deploy_eth_devnet --input cluster=aztec-gke-private --input resource_profile=prod --input namespace=mitch-eth-devnet --input create_static_ips=false
+
+workflow_name=$1
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+if [ -z "$workflow_name" ]; then
+  echo "Usage: $0 <workflow_name> [args ...]"
+  exit 1
+fi
+
+# get the rest of the args (skip the first one which is the workflow name)
+shift
+args=("$@")
+
+SA_KEY_JSON=$(cat "$GOOGLE_APPLICATION_CREDENTIALS")
+
+mkdir -p $REPO_ROOT/.github/.act-tool-cache
+
+act workflow_dispatch -j $workflow_name \
+  --env RUNNER_TOOL_CACHE=/work/toolcache \
+  -s GITHUB_TOKEN="$(gh auth token)" \
+  -s GCP_SA_KEY="$SA_KEY_JSON" \
+  -s KUBECONFIG_B64="$(cat $HOME/.kube/config | base64 -w0)" \
+  --container-options "-v $REPO_ROOT/.github/.act-tool-cache:/work/toolcache --user $(id -u):$(id -g)" \
+  --bind \
+  --directory $REPO_ROOT "${args[@]}"

.github/workflows/canary-release-tag.yml

@@ -0,0 +1,43 @@
+name: Canary Release Tag
+
+on:
+  workflow_dispatch:
+
+# Add permissions for the GitHub Actions bot to push tags
+permissions:
+  contents: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  nightly-release-tag:
+    runs-on: ubuntu-latest
+    steps:
+      # Check out the repository so we can read files and create tags.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+
+      # Extract the current release version from the manifest.
+      # Then, create a canary tag using the current version and the current UTC date.
+      - name: Create Canary Tag
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "AztecBot"
+          current_version=$(jq -r '."."' .release-please-manifest.json)
+          # Compute the next major version. e.g. if current version is 1.2.3, next major version is 2.0.0.
+          if [[ "$current_version" =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            major=$(( ${BASH_REMATCH[1]} + 1 ))
+            next_major_version="${major}.0.0"
+          else
+            echo "Error: Current version format is invalid: $current_version"
+            exit 1
+          fi
+          echo "Current version: $current_version"
+          echo "Next version: $next_major_version"
+          canary_tag="v${next_major_version}-canary.$(git rev-parse --short HEAD)"
+          echo "Canary tag: $canary_tag"
+          # Tag and push.
+          git tag -a "$canary_tag" -m "$canary_tag"
+          git push origin "$canary_tag"

.github/workflows/ci3.yml

@@ -149,6 +149,25 @@ jobs:
         if: steps.ci_cache.outputs.cache-hit != 'true'
         run: echo "success" > ci-success.txt
 
+      - name: Get Semver from Tag
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        id: semver
+        run: |
+          semver="${{ github.ref_name }}"
+          # Remove 'v' prefix if present (e.g., v1.2.3 -> 1.2.3)
+          semver=${semver#v}
+          # Extract major version (e.g., 1.2.3 -> 1)
+          major_version=${semver%%.*}
+          echo "semver=$semver" >> $GITHUB_OUTPUT
+          echo "major_version=$major_version" >> $GITHUB_OUTPUT
+
+      - name: Trigger Network Deployments
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        uses: peter-evans/repository-dispatch@0ee9de00feb82e6165438c503f0bc29f628b8317
+        with:
+          event-type: network-deployments
+          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "semver": "${{ steps.semver.outputs.semver }}", "major_version": "${{ steps.semver.outputs.major_version }}"}'
+
       # If we have passed CI and labelled with ci-squash-and-merge, squash the PR.
       # This will rerun CI on the squash commit - but is intended to be a no-op due to caching.
       - name: CI Squash and Merge