25 commits
7d71544
feat: add a deployment workflow to AWS
collins-w Aug 29, 2025
5e7e24f
feat: add a deployment workflow to AWS
collins-w Aug 29, 2025
75b0240
feat: specify pnpm version
collins-w Aug 29, 2025
bf88354
chore: fix cache
collins-w Aug 29, 2025
8debe47
chore: fix docker context
collins-w Aug 29, 2025
1f1513a
chore: separate fund and sequence accounts commands
collins-w Aug 29, 2025
59045d6
chore: separate fund and sequence accounts commands
collins-w Aug 29, 2025
0f3e716
chore: fix the docker context
collins-w Aug 29, 2025
1a26c68
chore: fix the plugin path
collins-w Aug 29, 2025
2e53cae
chore: fix the ecr name
collins-w Aug 29, 2025
b219cfa
chore: refactor workflow
collins-w Aug 29, 2025
6138f4f
chore: fix the exec format error on arm64
collins-w Sep 1, 2025
509b498
chore: fix the exec format error
collins-w Sep 1, 2025
8f1f7bc
chore: fix the exec format error
collins-w Sep 1, 2025
068aa05
chore: remove the ecs deployment workflow
collins-w Sep 1, 2025
f2bba50
chore: revert docker changes
collins-w Sep 1, 2025
5d27dce
chore: copy the config file in dockerfile
collins-w Sep 1, 2025
1c9d27a
chore: optionally bake the config files
collins-w Sep 3, 2025
0fe824a
chore: optionally bake the config files
collins-w Sep 3, 2025
fbc6dae
chore: optionally bake the config files
collins-w Sep 4, 2025
24f81ef
chore: optionally bake the config files
collins-w Sep 4, 2025
478ad7f
chore: add missing configs
collins-w Sep 4, 2025
7ff9d0f
chore: optionally include launchtube
collins-w Sep 7, 2025
03d882f
chore: optionally include launchtube
collins-w Sep 7, 2025
6fb4dfb
chore: optionally include launchtube
collins-w Sep 7, 2025
45 changes: 45 additions & 0 deletions .github/actions/oidc/action.yaml
@@ -0,0 +1,45 @@
---
name: AWS OIDC Credentials via Role Assume Chaining
description: Retrieve AWS credentials by chaining role assumes
inputs:
role-for-oidc:
description: The role that should be used for GitHub OIDC authentication
required: true
role-to-assume:
description: The role that should be finally assumed
required: true
role-session-name:
description: The session name that should be used when assuming roles
required: true
default: github-actions
role-duration-seconds:
description: duration of the credentials validity
required: true
default: 3600
aws-region:
description: The AWS region
required: false
default: us-east-1

runs:
using: composite
steps:
- name: assume oidc role
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
aws-region: us-east-1
role-to-assume: ${{ inputs.role-for-oidc }}
role-session-name: ${{ inputs.role-session-name }}
role-duration-seconds: 900
Comment on lines +30 to +33
⚠️ Potential issue

Don’t hardcode region; use the input across both steps.

Using us-east-1 here while allowing a region input elsewhere causes inconsistent AWS_REGION in jobs.

-        aws-region: us-east-1
+        aws-region: ${{ inputs.aws-region }}

- name: assume target role
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
id: assume-target-role
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
aws-region: ${{ inputs.aws-region }}
role-chaining: true
role-to-assume: ${{ inputs.role-to-assume }}
role-session-name: ${{ inputs.role-session-name }}
role-duration-seconds: ${{ inputs.role-duration-seconds }}
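Review bot: `role-duration-seconds` defaults to 3600 and is handed straight to the `assume target role` step with `role-chaining: true`, but a role-chained STS session is capped at one hour, so any caller that passes a larger value fails inside that step instead of at input validation. State the bound (900 to 3600; the first hop is fixed at 900 anyway) in the input description and reject larger values in a small check step before the assume. The hand-off between the two steps also depends on the first `configure-aws-credentials` call exporting `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` into the job environment (its default behaviour), which the second step reads back via `env.*`; add a comment on the first step saying so, since nothing else makes that coupling visible. Minor: `role-session-name` and `role-duration-seconds` are declared `required: true` while carrying a `default`; drop `required` on inputs that have a default.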
Comment on lines +35 to +45
🛠️ Refactor suggestion

Mask account IDs and align duration defaults.

Add masking to reduce info disclosure in logs; optionally make the first-step duration configurable for consistency.

     - name: assume oidc role
       uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
       with:
-        aws-region: us-east-1
+        aws-region: ${{ inputs.aws-region }}
         role-to-assume: ${{ inputs.role-for-oidc }}
         role-session-name: ${{ inputs.role-session-name }}
-        role-duration-seconds: 900
+        role-duration-seconds: 900
+        mask-aws-account-id: true
     - name: assume target role
       uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
       id: assume-target-role
       with:
         aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
         aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
         aws-region: ${{ inputs.aws-region }}
         role-chaining: true
         role-to-assume: ${{ inputs.role-to-assume }}
         role-session-name: ${{ inputs.role-session-name }}
         role-duration-seconds: ${{ inputs.role-duration-seconds }}
+        mask-aws-account-id: true


20 changes: 20 additions & 0 deletions .github/actions/prepare/action.yml
@@ -17,9 +17,29 @@ runs:
uses: dtolnay/[email protected] # v1.86.0
with:
components: ${{ (inputs.components != '') && format('{0}, rustfmt, clippy', inputs.components) || 'rustfmt, clippy' }}

- name: Install libsodium
run: sudo apt-get update && sudo apt-get install -y libsodium-dev
shell: bash

- name: Restore cargo dependencies from cache
uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
id: cache

- uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
with:
run_install: false
version: 10

- name: Use node@22
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 22.18.0

- name: Build launchtube plugin example
run: |
cd examples/launchtube-plugin-example/launchtube
pnpm install
pnpm run build
cd ../..
shell: bash
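Review bot: `pnpm install` in the `Build launchtube plugin example` step runs without `--frozen-lockfile`, so CI will re-resolve dependencies and rewrite the plugin's lockfile on drift instead of failing; `Dockerfile.production` in this same PR uses `pnpm install --frozen-lockfile`, so make the action match. The trailing `cd ../..` is also misleading: it climbs two levels after descending three, and a step's working directory does not carry over to the next step anyway. Replace the `cd` lines with `working-directory: examples/launchtube-plugin-example/launchtube` on the step. Minor: `version: 10` for `pnpm/action-setup` floats across every 10.x release; pin a full version the way node is pinned to `22.18.0`.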
36 changes: 36 additions & 0 deletions Dockerfile.production
@@ -18,10 +18,25 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
FROM --platform=${BUILDPLATFORM} cgr.dev/chainguard/wolfi-base

WORKDIR /app
COPY --chown=nonroot:nonroot ./config /app/config
# COPY --chown=nonroot:nonroot ./examples/launchtube-plugin-example/launchtube /app/plugins/launchtube
COPY --chown=nonroot:nonroot ./config/networks /app/config/networks
COPY --from=base --chown=nonroot:nonroot /usr/app/bin/openzeppelin-relayer /app/openzeppelin-relayer
COPY --from=base /usr/lib/libssl.so.3 /usr/lib/libssl.so.3
COPY --from=base /usr/lib/libcrypto.so.3 /usr/lib/libcrypto.so.3

ARG INCLUDE_LAUNCHTUBE=false

RUN --mount=type=bind,source=examples/launchtube-plugin-example/launchtube,target=/mnt/launchtube,ro \
set -eux; \
if [ "${INCLUDE_LAUNCHTUBE}" = "true" ] && [ -d /mnt/launchtube ]; then \
mkdir -p /app/plugins/launchtube; \
cp -a /mnt/launchtube/. /app/plugins/launchtube/; \
echo "✅ Launchtube copied"; \
else \
echo "⏭ Skipping launchtube"; \
fi

# Install plugin dependencies
ARG TARGETARCH
ARG NODE_VERSION=20.19
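Review bot: `COPY --chown=nonroot:nonroot ./config /app/config` already brings in `config/networks`, so the following `COPY ./config/networks` line is redundant; more importantly, copying the whole `./config` tree bakes everything in the build context's config directory into the production image unconditionally, which is the opposite of the opt-in behaviour the new `INCLUDE_LAUNCHTUBE` argument gives the plugin. Either gate the config copy behind a build argument in the same way or copy only `config/networks` and leave the rest to a runtime mount. In the `RUN --mount=type=bind` block, `cp -a` executes before `USER nonroot` and preserves the mount's ownership, so `/app/plugins/launchtube` ends up root-owned while every other path in this stage is copied with `--chown=nonroot:nonroot`; add `chown -R nonroot:nonroot /app/plugins/launchtube` after the copy so the later `pnpm install` under `USER nonroot` can write there. Finally, this runtime stage is `FROM --platform=${BUILDPLATFORM}`, which selects the build host's architecture for the final image regardless of the target requested on `docker build`; with the `exec format error on arm64` commits in this PR, check whether this should be `${TARGETPLATFORM}` (or no `--platform` at all) so the base image matches the binary copied from `base`.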
@@ -43,6 +58,27 @@ USER nonroot
WORKDIR /app/plugins
RUN pnpm install --frozen-lockfile

# # Optional baking of config/networks/launchtube from the source tree
# ARG BAKE_CONFIGS=false

# # Paths inside the build stage (we copied the whole repo to /usr/app in the base stage)
# # Adjust if your tree differs.
# RUN set -eux; \
# if [ "${BAKE_CONFIGS}" = "true" ]; then \
# if [ -d /usr/app/examples/launchtube-plugin-example/config ]; then \
# mkdir -p /app/config; \
# cp -a /usr/app/examples/launchtube-plugin-example/config/. /app/config/; \
# fi; \
# if [ -d /usr/app/config/networks ]; then \
# mkdir -p /app/config/networks; \
# cp -a /usr/app/config/networks/. /app/config/networks/; \
# fi; \
# if [ -d /usr/app/examples/launchtube-plugin-example/launchtube ]; then \
# mkdir -p /app/plugins/launchtube; \
# cp -a /usr/app/examples/launchtube-plugin-example/launchtube/. /app/plugins/launchtube/; \
# fi; \
# fi

# Return to app root
WORKDIR /app

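Review bot: the commented-out `BAKE_CONFIGS` block should be deleted rather than left in the Dockerfile; git keeps the history, and as written it could not work in this stage anyway, since it reads from `/usr/app/...`, which exists only in the `base` build stage and is never copied into the runtime image (only `/usr/app/bin/openzeppelin-relayer` and the two OpenSSL libraries come across via `COPY --from=base`). The live `INCLUDE_LAUNCHTUBE` path that uses `--mount=type=bind` from the build context is the right pattern; if baking config is still wanted, implement it that way instead of keeping this dead sketch.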