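# This workflow is for building and pushing reproducible artifacts for releases.
#
# It runs when the `release` workflow finishes. Under a `workflow_run` trigger the
# `github.ref` / `github.sha` context (and therefore `GITHUB_REF` and a bare
# `actions/checkout`) resolve to the DEFAULT BRANCH head, not to the tag that
# started the release. The released ref is only carried in
# `github.event.workflow_run.head_branch` / `head_sha`, so those are used below
# wherever the version or the commit to build matters — otherwise the
# "reproducible" artifacts would be built from whatever the default branch
# happens to be at, and the version would come out as `refs/heads/<branch>`.
name: release-reproducible

on:  # yamllint disable-line rule:truthy
  workflow_run:
    workflows: [release]
    types: [completed]

env:
  DOCKER_REPRODUCIBLE_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/reth-reproducible

jobs:
  extract-version:
    name: extract version
    # Only continue when the triggering release run succeeded; every other job
    # depends (directly or transitively) on this one and is skipped with it.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    # This job never uses the token, so it gets no permissions at all.
    permissions: {}
    steps:
      - name: Extract version
        id: extract_version
        env:
          # For a tag-triggered release run `head_branch` holds the tag name.
          # It is passed through the environment rather than interpolated into
          # the script so the ref is never evaluated as shell.
          HEAD_REF: ${{ github.event.workflow_run.head_branch }}
        run: |
          # Strip a `refs/tags/` prefix defensively in case the ref is ever fully qualified.
          echo "VERSION=${HEAD_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
    outputs:
      VERSION: ${{ steps.extract_version.outputs.VERSION }}

  wait-for-release:
    name: wait for main release workflow
    runs-on: ubuntu-latest
    needs: extract-version
    steps:
      - name: Wait for release workflow to complete
        # NOTE(review): third-party action pinned by mutable tag only; pin to a
        # full commit SHA (`@<commit-sha>  # v1.2.0`) so a moved tag cannot
        # change what runs with the repo token.
        uses: fountainhead/action-wait-for-check@v1.2.0
        id: wait-for-release
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: draft release
          # The check run is attached to the released commit, not to the
          # default-branch head that `github.sha` resolves to under `workflow_run`.
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Check if release workflow succeeded
        if: steps.wait-for-release.outputs.conclusion != 'success'
        run: |
          echo "Release workflow failed or was cancelled"
          exit 1

  build-reproducible:
    name: build and push reproducible image and binaries
    runs-on: warp-ubuntu-2404-x64-32x  # TODO
    needs: [extract-version, wait-for-release]
    permissions:
      packages: write  # push the image to ghcr.io
      contents: write  # upload assets to the release
    env:
      # Shared by the shell steps below; using `$VERSION` / `$TARGET` instead of
      # `${{ ... }}` keeps expression output out of the script text.
      VERSION: ${{ needs.extract-version.outputs.VERSION }}
      TARGET: x86_64-unknown-linux-gnu
    steps:
      - uses: actions/checkout@v5
        with:
          # Build the released commit, not the default-branch head.
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract Rust version
        id: rust_version
        run: |
          # `rustc --version` prints `rustc <version> (<hash> <date>)`; field 2 is the version.
          RUST_TOOLCHAIN=$(rustc --version | cut -d' ' -f2)
          echo "RUST_TOOLCHAIN=$RUST_TOOLCHAIN" >> "$GITHUB_OUTPUT"
      - name: Build reproducible artifacts
        uses: docker/build-push-action@v6
        id: docker_build
        with:
          context: .
          file: ./Dockerfile.reproducible
          build-args: |
            RUST_TOOLCHAIN=${{ steps.rust_version.outputs.RUST_TOOLCHAIN }}
            VERSION=${{ env.VERSION }}
          # Export the `artifacts` stage to the local filesystem instead of pushing.
          target: artifacts
          outputs: type=local,dest=./docker-artifacts
          cache-from: type=gha
          cache-to: type=gha,mode=max
        env:
          DOCKER_BUILD_RECORD_UPLOAD: "false"
      - name: Build and push final image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile.reproducible
          push: true
          build-args: |
            RUST_TOOLCHAIN=${{ steps.rust_version.outputs.RUST_TOOLCHAIN }}
            VERSION=${{ env.VERSION }}
          tags: |
            ${{ env.DOCKER_REPRODUCIBLE_IMAGE_NAME }}:${{ env.VERSION }}
            ${{ env.DOCKER_REPRODUCIBLE_IMAGE_NAME }}:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: false
        env:
          DOCKER_BUILD_RECORD_UPLOAD: "false"
      - name: Prepare artifacts from Docker build
        run: |
          mkdir reproducible-artifacts
          cp docker-artifacts/reth "reproducible-artifacts/reth-reproducible-${VERSION}-${TARGET}"
          cp docker-artifacts/*.deb "reproducible-artifacts/reth-${VERSION}-${TARGET}-reproducible.deb"
      - name: Configure GPG and create artifacts
        env:
          # Both secrets reach gpg only via the environment and stdin; they are
          # never placed on a command line or in the script text.
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          export GPG_TTY=$(tty)
          #echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --batch --import
          #TODO
          # The secret is currently imported as-is (ASCII-armored key expected).
          echo -n "$GPG_SIGNING_KEY" | gpg --batch --import
          cd reproducible-artifacts
          tar -czf "reth-reproducible-${VERSION}-${TARGET}.tar.gz" "reth-reproducible-${VERSION}-${TARGET}"
          # Detached ASCII-armored signatures (.asc) next to each artifact.
          echo "$GPG_PASSPHRASE" | gpg --passphrase-fd 0 --pinentry-mode loopback --batch -ab "reth-reproducible-${VERSION}-${TARGET}.tar.gz"
          echo "$GPG_PASSPHRASE" | gpg --passphrase-fd 0 --pinentry-mode loopback --batch -ab "reth-${VERSION}-${TARGET}-reproducible.deb"
      - name: Upload reproducible artifacts to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Uploads the raw binary, the tarball, the .deb and their .asc signatures.
          gh release upload "$VERSION" reproducible-artifacts/*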