feat: add an deployment workflow to AWS

Author: collins-w

.github/actions/oidc/action.yaml

@@ -0,0 +1,45 @@
+---
+name: AWS OIDC Credentials via Role Assume Chaining
+description: Retrieve AWS credentials by chaining role assumes
+inputs:
+  role-for-oidc:
+    description: The role that should be used for GitHub OIDC authentication
+    required: true
+  role-to-assume:
+    description: The role that should be finally assumed
+    required: true
+  role-session-name:
+    description: The session name that should be used when assuming roles
+    required: true
+    default: github-actions
+  role-duration-seconds:
+    description: duration of the credentials validity
+    required: true
+    default: 3600
+  aws-region:
+    description: The AWS region
+    required: false
+    default: us-east-1
+
+runs:
+  using: composite
+  steps:
+    - name: assume oidc role
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
+      with:
+        aws-region: us-east-1
+        role-to-assume: ${{ inputs.role-for-oidc }}
+        role-session-name: ${{ inputs.role-session-name }}
+        role-duration-seconds: 900
+    - name: assume target role
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
+      id: assume-target-role
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+        aws-region: ${{ inputs.aws-region }}
+        role-chaining: true
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-session-name: ${{ inputs.role-session-name }}
+        role-duration-seconds: ${{ inputs.role-duration-seconds }}

.github/actions/prepare/action.yml

@@ -17,9 +17,28 @@ runs:
       uses: dtolnay/rust-toolchain@1.86.0  # v1.86.0
       with:
         components: ${{ (inputs.components != '') && format('{0}, rustfmt, clippy', inputs.components) || 'rustfmt, clippy' }}
+
     - name: Install libsodium
       run: sudo apt-get update && sudo apt-get install -y libsodium-dev
       shell: bash
+
     - name: Restore cargo dependencies from cache
       uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3  # v2.7.7
       id: cache
+
+    - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      with:
+        run_install: false
+
+    - name: Use node@22
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      with:
+        node-version: 22.18.0
+        cache: 'pnpm'
+
+    - name: Build launchtube plugin example
+      run: |
+        cd examples/launchtube-plugin-example/launchtube
+        pnpm install
+        pnpm run build
+        cd ..

.github/workflows/ecs-deployment.yml

@@ -0,0 +1,131 @@
+
+name: ECS Build
+
+on:
+  # release:
+  #   types: [published]
+  push:
+    branches: [aws-deployment]
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      attestations: write
+      security-events: write
+    env:
+      REGISTRY: ${{ secrets.SOLUTIONS_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com
+      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-solutions-account-openzeppelin-relayer-oidc-role'
+      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.SOLUTIONS_ACCOUNT_ID }}:role/GithubOIDCOpenzeppelinRelayerRole'
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Prepare pre-requisites
+        uses: ./.github/actions/prepare
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+
+      - name: Create launchtube fund and sequence accounts
+        run: |
+          cargo run --example create_key -- \
+            --password "$KEYSTORE_PASSPHRASE_FUND" \
+            --output-dir config/keys \
+            --filename launchtube-fund.json
+
+          cargo run --example create_key -- \
+            --password "$KEYSTORE_PASSPHRASE_SEQ_001" \
+            --output-dir config/keys \
+            --filename launchtube-seq-001.json
+
+          cargo run --example create_key -- \
+            --password "$KEYSTORE_PASSPHRASE_SEQ_002" \
+            --output-dir config/keys \
+            --filename launchtube-seq-002.json
+
+        env:
+          KEYSTORE_PASSPHRASE_FUND: ${{ secrets.KEYSTORE_PASSPHRASE_FUND }}
+          KEYSTORE_PASSPHRASE_SEQ_001: ${{ secrets.KEYSTORE_PASSPHRASE_SEQ_001 }}
+          KEYSTORE_PASSPHRASE_SEQ_002: ${{ secrets.KEYSTORE_PASSPHRASE_SEQ_002 }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          platforms: 'arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: push
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/openzeppelin-layer:latest
+            ${{ env.REGISTRY }}/openzeppelin-layer:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # deploy:
+  #   runs-on: ubuntu-latest
+  #   needs: build-and-push
+  #   env:
+  #     ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
+  #     ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
+  #     ECS_CLUSTER: 'openzeppelin-layer-cluster'
+  #     ECS_SERVICE: 'openzeppelin-layer-service'
+  #     AWS_REGION: ${{ vars.AWS_REGION }}
+  #   permissions:
+  #     contents: read
+  #     id-token: write
+  #   steps:
+  #     - name: Harden the runner (Audit all outbound calls)
+  #       uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+  #       with:
+  #         egress-policy: audit
+
+  #     - name: Checkout code
+  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+  #     - name: Set up AWS credentials via OIDC and role chaining
+  #       uses: ./.github/actions/oidc
+  #       with:
+  #         role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+  #         role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+  #     - name: AWS ECS force new deployment
+  #       run: |
+  #         aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment --region $AWS_REGION