From f12b1fd8e80b9ceff1c13d9356fca33be92cee29 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 12 Nov 2025 15:32:04 +0200 Subject: [PATCH 01/19] feat: semantic release Signed-off-by: PavelSBorisov --- .../workflows/000-user-official-release.yaml | 87 +++++++++++++++ ...mages.yaml => 300-flow-docker-images.yaml} | 18 +-- .releaserc | 104 ++++++++++++++++++ 3 files changed, 200 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/000-user-official-release.yaml rename .github/workflows/{publish-docker-images.yaml => 300-flow-docker-images.yaml} (90%) create mode 100644 .releaserc diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml new file mode 100644 index 0000000000..3cf8fefa50 --- /dev/null +++ b/.github/workflows/000-user-official-release.yaml 
@@ -0,0 +1,87 @@ +# SPDX-License-Identifier: Apache-2.0 +name: "000: [USER] Official Release" + +on: + workflow_dispatch: + inputs: + dry-run-enabled: + description: "Perform Dry Run" + type: boolean + required: false + default: false + +defaults: + run: + shell: bash + +permissions: + contents: read + + +jobs: + publish: + name: Publish Official Release of Hedera Transaction Tool + runs-on: macos-latest + + steps: + - name: Harden Runner + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Install GnuPG Tools + run: brew install gnupg + + - name: Import GPG Key + id: gpg + uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 + with: + git_commit_gpgsign: true + git_user_signingkey: true + git_tag_gpgsign: false + git_config_globa: true + gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 22 + + - name: Setup pnpm + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 + with: + version: latest + + - name: Install Semantic Release + if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }} + run: | + npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 + npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 + npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 + + # Both actual and dry-run semantic-release will output the new version + # in the logs but actual release should also publish a tag&release on GitHub + # The helm charts 
are published to the GitHub artifact registry + # as part of the release process (configured in .releaserc) + - name: Run Semantic Release + if: ${{ !cancelled() && !failure() }} + env: + GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + GIT_AUTHOR_NAME: ${{ steps.gpg.outputs.name}} + GIT_AUTHOR_EMAIL: ${{ steps.gpg.outputs.email}} + GIT_COMMITTER_NAME: ${{ steps.gpg.outputs.name}} + GIT_COMMITTER_EMAIL: ${{ steps.gpg.outputs.email}} + run: | + if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then + echo "Dry Running semantic-release now..." + npx semantic-release --dry-run + else + echo "Running semantic-release now..." + npx semantic-release --debug + fi diff --git a/.github/workflows/publish-docker-images.yaml b/.github/workflows/300-flow-docker-images.yaml similarity index 90% rename from .github/workflows/publish-docker-images.yaml rename to .github/workflows/300-flow-docker-images.yaml index 3f115a58f2..a866baf65f 100644 --- a/.github/workflows/publish-docker-images.yaml +++ b/.github/workflows/300-flow-docker-images.yaml @@ -1,16 +1,16 @@ -name: Create and publish Transaction Tool Docker images +name: '300: [FLOW] Docker Images' on: - push: - tags: - - 'v*' - workflow_dispatch: + push: + tags: + - 'v*' + workflow_dispatch: permissions: - contents: read - packages: write - attestations: write - id-token: write + contents: read + packages: write + attestations: write + id-token: write env: REGISTRY: ghcr.io diff --git a/.releaserc b/.releaserc new file mode 100644 index 0000000000..481a9466c9 --- /dev/null +++ b/.releaserc 
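Review bot: The Import GPG Key step sets `git_tag_gpgsign: false`, so the `v*` tag that semantic-release creates — the very tag the renamed docker-images workflow in this commit builds from — is, as far as this configuration shows, left unsigned while the release commit it points at is signed. Unless there is a reason not to sign tags, set `git_tag_gpgsign: true` so the tag can be verified with the same key, or add a comment above the step stating why only commits are signed. The `Run Semantic Release` step also passes `--debug` on the real (non dry-run) path; that makes semantic-release log plugin configuration and environment detail, and while GitHub masks registered secrets it does not mask values derived from them, so consider keeping `--debug` on the dry-run branch only. This hunk starts on the previous physical line.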
@@ -0,0 +1,104 @@ +{ + "plugins": [ + [ + "@semantic-release/commit-analyzer", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/release-notes-generator", + { + "preset": "conventionalcommits" + } + ], + [ + "semantic-release-helm3", + { + "chartPath": "./charts/transaction-tool" + } + ], + "@semantic-release/git", + "@semantic-release/github" + ], + "verifyRelease": [ + [ + "@semantic-release/exec", + { "cmd": "echo 'Release version: ${nextRelease.version}'" } + ] + ], + "prepare": [ + [ + "semantic-release-helm3", + { + "chartPath": "./charts/transaction-tool" + } + ], + [ + "@semantic-release/git", + { + "assets": [ + "charts/transaction-tool/Chart.yaml" + ], + "message": "chore(release): ${nextRelease.version} [skip ci]\n\nSigned-off-by: Hedera Automation " + } + ] + ], + "publish": [ + [ + "@semantic-release/exec", + { "cmd": "helm dependency update charts/transaction-tool" } + ], + [ + "@semantic-release/exec", + { "cmd": "helm package charts/transaction-tool" } + ], + [ + "@semantic-release/exec", + { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph/transaction-tool" } + ], + [ + "@semantic-release/github", + { + "assets": [ + { + "path": "transaction-tool-*.tgz" + } + ] + } + ] + ], + "branches":[ + { + "name": "main" + }, + { + "name": "release/([0-9]+).([0-9]+)", + "channel": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x", + "range": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x" + }, + { + "name": "alpha/*", + "prerelease": "alpha", + "channel": "alpha" + }, + { + "name": "ci/*", + "prerelease": "alpha", + "channel": "alpha" + }, + { + "name": "beta/*", + "prerelease": "beta", + "channel": "beta" + }, + { + "name": "rc/*", + "prerelease": "rc", + "channel": "rc" + }, + { + "name": "resd-455" + } + ] +} \ No newline at end of file 
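Review bot: The `publish` step runs `helm dependency update charts/transaction-tool` at release time, but the `prepare` step only commits `charts/transaction-tool/Chart.yaml`, so if the chart declares dependencies the versions that end up in the pushed `.tgz` are whatever the upstream repositories resolve at that moment rather than what the tagged commit records. Commit `charts/transaction-tool/Chart.lock` by adding it to the `@semantic-release/git` `assets` list and use `helm dependency build` in `publish`, so the package is reproducible from the tag. The `alpha/*` and `ci/*` entries in `branches` both use `"prerelease": "alpha"` and `"channel": "alpha"`, so pre-releases from the two branch families share one version sequence; if that is intended it deserves a note next to the entries, since `.releaserc` has no comment syntax, in the release workflow's comments.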
From b55cb3062bd866711ecf511d6f59c4f9930eb306 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 12 Nov 2025 16:27:40 +0200 Subject: [PATCH 02/19] chore: add missing steps and semantic release plugins Signed-off-by: PavelSBorisov --- .../workflows/000-user-official-release.yaml | 28 +++++++++++++++---- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 3cf8fefa50..511c5ae29b 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -17,20 +17,24 @@ defaults: permissions: contents: read +env: + REGISTRY: ghcr.io + jobs: publish: name: Publish Official Release of Hedera Transaction Tool + # MacOS runner for future compatibility (when frontend builds get added to semantic release) runs-on: macos-latest steps: - name: Harden Runner - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: token: ${{ secrets.GH_ACCESS_TOKEN }} 
@@ -58,12 +62,26 @@ jobs: with: version: latest + - name: Setup Helm + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 + with: + version: "v3.12.3" + + - name: Log in to the Container registry + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Install Semantic Release if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }} run: | - npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 - npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 - npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 + npm install -g semantic-release@24.2.0 @semantic-release/git@10.0.1 @semantic-release/github@11.0.1 \ + @semantic-release/exec@6.0.3 semantic-release-helm3@2.9.3 \ + conventional-changelog-conventionalcommits@8.0.0 \ + @commitlint/cli@19.5.0 @commitlint/config-conventional@19.5.0 \ + marked-mangle@1.1.10 marked-gfm-heading-id@4.1.1 semantic-release-conventional-commits@3.0.0 # Both actual and dry-run semantic-release will output the new version # in the logs but actual release should also publish a tag&release on GitHub From 067cc05451686361ef72a3c0387bbbdf5ddb9780 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 12 Nov 2025 16:35:42 +0200 Subject: [PATCH 03/19] chore: fix typo Signed-off-by: PavelSBorisov --- .github/workflows/000-user-official-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 511c5ae29b..779f88c394 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml 
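Review bot: The new `Log in to the Container registry` step authenticates with `secrets.GITHUB_TOKEN`, but the workflow's `permissions` block (context in the previous hunk: `contents: read` only) never grants `packages: write`, so the `helm push` that `.releaserc` runs later will be refused by ghcr.io even though the login step passes. Either add `packages: write` to `permissions` or log in with the same `GH_ACCESS_TOKEN` the release step already uses, so one identity performs the whole release. The `Install Semantic Release` step pins exact versions, which is good, but `npm install -g` still fetches tarballs with no integrity check; a committed `package.json` plus lockfile installed with `npm ci` would pin the hashes as well. The `if: github.event_name == 'workflow_dispatch'` guard on that step is redundant because `workflow_dispatch` is this workflow's only trigger.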
@@ -48,7 +48,7 @@ jobs: git_commit_gpgsign: true git_user_signingkey: true git_tag_gpgsign: false - git_config_globa: true + git_config_global: true gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} From a41c70738db229f5bed08f7d349ee3307539e3be Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Thu, 13 Nov 2025 15:29:09 +0200 Subject: [PATCH 04/19] feat: pr formatting workflow and renaming Signed-off-by: PavelSBorisov --- .../001-flow-pull-request-formatting.yaml | 57 +++++++++++++++++++ ...ackend.yaml => 301-flow-test-backend.yaml} | 2 +- ...ntend.yaml => 302-flow-test-frontend.yaml} | 2 +- 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/001-flow-pull-request-formatting.yaml rename .github/workflows/{test-backend.yaml => 301-flow-test-backend.yaml} (98%) rename .github/workflows/{test-frontend.yaml => 302-flow-test-frontend.yaml} (99%) diff --git a/.github/workflows/001-flow-pull-request-formatting.yaml b/.github/workflows/001-flow-pull-request-formatting.yaml new file mode 100644 index 0000000000..2bcf8da222 --- /dev/null +++ b/.github/workflows/001-flow-pull-request-formatting.yaml 
@@ -0,0 +1,57 @@ +# SPDX-License-Identifier: Apache-2.0 +name: "001: [FLOW] PR Formatting" +on: + pull_request_target: + types: + - assigned + - unassigned + - labeled + - unlabeled + - opened + - reopened + - edited + - converted_to_draft + - ready_for_review + - review_requested + - review_request_removed + - locked + - unlocked + - synchronize + +defaults: + run: + shell: bash + +permissions: + statuses: write + +jobs: + title-check: + name: Title Check + runs-on: network-node-linux-medium + steps: + - name: Harden Runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + + - name: Check PR Title + uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1 + env: + GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + + assignee-check: + name: Assignee Check + runs-on: network-node-linux-medium + + steps: + - name: Harden Runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + + - name: Check Assignee + if: ${{ github.event.pull_request.assignees == null || github.event.pull_request.assignees[0] == null }} + run: | + echo "Assignee is not set. Failing the workflow." + exit 1 \ No newline at end of file diff --git a/.github/workflows/test-backend.yaml b/.github/workflows/301-flow-test-backend.yaml similarity index 98% rename from .github/workflows/test-backend.yaml rename to .github/workflows/301-flow-test-backend.yaml index 9f76804e2f..661fbb4f37 100644 --- a/.github/workflows/test-backend.yaml +++ b/.github/workflows/301-flow-test-backend.yaml @@ -1,4 +1,4 @@ -name: Test Backend +name: "301: [FLOW] Test Backend" on: push: diff --git a/.github/workflows/test-frontend.yaml b/.github/workflows/302-flow-test-frontend.yaml similarity index 99% rename from .github/workflows/test-frontend.yaml rename to .github/workflows/302-flow-test-frontend.yaml index 688aecd328..c9dd3ca78f 100644 
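Review bot: The `Check PR Title` step hands the `GH_ACCESS_TOKEN` PAT to the action as `GITHUB_TOKEN` in a workflow triggered by `pull_request_target`, which runs with repository secrets for pull requests from forks as well; the declared `permissions: statuses: write` is exactly what a title check needs, so use `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and keep the PAT out of this workflow. Both jobs run on the self-hosted `network-node-linux-medium` runner, and what keeps `pull_request_target` safe here is that neither job checks out or executes anything from the pull request; that invariant is worth stating in a comment above `on:`, e.g. `# pull_request_target: this workflow must never check out or run PR code`, so a later step does not break it. The `Check Assignee` script ends the file with `exit 1` and no trailing newline.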
--- a/.github/workflows/test-frontend.yaml +++ b/.github/workflows/302-flow-test-frontend.yaml @@ -1,4 +1,4 @@ -name: Test Frontend +name: "302: [FLOW] Test Frontend" on: push: From dc1128a0cfb2a203c5ccf54bab750a20b46b7611 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Thu, 13 Nov 2025 15:30:50 +0200 Subject: [PATCH 05/19] chore: fix quotes Signed-off-by: PavelSBorisov --- .github/workflows/300-flow-docker-images.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/300-flow-docker-images.yaml b/.github/workflows/300-flow-docker-images.yaml index e323a5115a..264bba32fa 100644 --- a/.github/workflows/300-flow-docker-images.yaml +++ b/.github/workflows/300-flow-docker-images.yaml @@ -1,4 +1,4 @@ -name: '300: [FLOW] Docker Images' +name: "300: [FLOW] Docker Images" on: push: From 1ec38b41028415f4644df00f2ce53e530fd62fc0 Mon Sep 17 00:00:00 2001 From: Pavel Borisov <37436896+PavelSBorisov@users.noreply.github.com> Date: Mon, 17 Nov 2025 15:46:23 +0200 Subject: [PATCH 06/19] chore: small fixes Co-authored-by: Andrew Brandt Co-authored-by: Roger Barker Signed-off-by: Pavel Borisov <37436896+PavelSBorisov@users.noreply.github.com> --- .github/workflows/000-user-official-release.yaml | 3 +-- .github/workflows/001-flow-pull-request-formatting.yaml | 3 +-- .releaserc | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 779f88c394..b8e9bb77a8 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -26,7 +26,6 @@ jobs: name: Publish Official Release of Hedera Transaction Tool # MacOS runner for future compatibility (when frontend builds get added to semantic release) runs-on: macos-latest - steps: - name: Harden Runner uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 
@@ -43,7 +42,7 @@ jobs: - name: Import GPG Key id: gpg - uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 + uses: step-security/ghaction-import-gpg@69c854a83c7f79463f8bdf46772ab09826c560cd # v6.3.1 with: git_commit_gpgsign: true git_user_signingkey: true diff --git a/.github/workflows/001-flow-pull-request-formatting.yaml b/.github/workflows/001-flow-pull-request-formatting.yaml index 2bcf8da222..070df952ab 100644 --- a/.github/workflows/001-flow-pull-request-formatting.yaml +++ b/.github/workflows/001-flow-pull-request-formatting.yaml @@ -43,7 +43,6 @@ jobs: assignee-check: name: Assignee Check runs-on: network-node-linux-medium - steps: - name: Harden Runner uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 @@ -54,4 +53,4 @@ jobs: if: ${{ github.event.pull_request.assignees == null || github.event.pull_request.assignees[0] == null }} run: | echo "Assignee is not set. Failing the workflow." - exit 1 \ No newline at end of file + exit 1 diff --git a/.releaserc b/.releaserc index 481a9466c9..b32ecbc5f2 100644 --- a/.releaserc +++ b/.releaserc @@ -101,4 +101,4 @@ "name": "resd-455" } ] -} \ No newline at end of file +} From 88087b9f7aa8990b3318fb5a9536edba920f4789 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Tue, 18 Nov 2025 13:58:30 +0200 Subject: [PATCH 07/19] fix: fix docker in macos runner Signed-off-by: PavelSBorisov --- .github/workflows/000-user-official-release.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index b8e9bb77a8..ca7e0e3e2c 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml 
@@ -66,6 +66,11 @@ jobs: with: version: "v3.12.3" + - name: Install Docker + run: | + brew install docker + colima start + - name: Log in to the Container registry uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0 with: From ac9f6c47d9ce1d59a99420d91a2c07d6183371c7 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Tue, 18 Nov 2025 14:01:14 +0200 Subject: [PATCH 08/19] fix: move to using helm registry login instead Signed-off-by: PavelSBorisov --- .github/workflows/000-user-official-release.yaml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index ca7e0e3e2c..098ce6144f 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -66,17 +66,9 @@ jobs: with: version: "v3.12.3" - - name: Install Docker - run: | - brew install docker - colima start - - name: Log in to the Container registry - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin - name: Install Semantic Release if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }} From a6c9373717f2ca927761f10955164bd900101b56 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 19 Nov 2025 16:30:39 +0200 Subject: [PATCH 09/19] fix: fix github token var Signed-off-by: PavelSBorisov --- .github/workflows/000-user-official-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 098ce6144f..0f2ee081a4 100644 --- a/.github/workflows/000-user-official-release.yaml 
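Review bot: The rewritten `Log in to the Container registry` step expands `${{ secrets.GITHUB_TOKEN }}` directly into the `run` script text, so the token becomes part of the rendered shell command rather than being read from the environment; the `docker/login-action` step it replaces did not have that property. Pass it through `env:` and reference the variable, i.e. `env:` / `  HELM_TOKEN: ${{ secrets.GITHUB_TOKEN }}` / `run: echo "$HELM_TOKEN" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin`. The `REGISTRY` and `github.actor` expansions are low-risk, but routing them through `env:` in the same way keeps the script free of template expansions altogether.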
+++ b/.github/workflows/000-user-official-release.yaml @@ -68,7 +68,7 @@ jobs: - name: Log in to the Container registry run: | - echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin + echo "${{ secrets.GH_ACCESS_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin - name: Install Semantic Release if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }} From fc28252ec353ea4dd60d179a9a966406753e4d0a Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 19 Nov 2025 16:45:43 +0200 Subject: [PATCH 10/19] fix: fix commit signoff Signed-off-by: PavelSBorisov --- .releaserc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.releaserc b/.releaserc index b32ecbc5f2..dadbbf8b8b 100644 --- a/.releaserc +++ b/.releaserc @@ -40,7 +40,7 @@ "assets": [ "charts/transaction-tool/Chart.yaml" ], - "message": "chore(release): ${nextRelease.version} [skip ci]\n\nSigned-off-by: Hedera Automation " + "message": "chore(release): ${nextRelease.version} [skip ci]\n\nSigned-off-by: swirlds-automation " } ] ], From 28b990145d7ba3430c7ecda2f53cb91e59b44a5d Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 19 Nov 2025 17:16:50 +0200 Subject: [PATCH 11/19] fix: modify workflow permissions Signed-off-by: PavelSBorisov --- .github/workflows/000-user-official-release.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 0f2ee081a4..b89d5ffb9d 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -15,7 +15,11 @@ defaults: shell: bash permissions: + id-token: write + packages: write contents: read + pull-requests: read + issues: read env: REGISTRY: ghcr.io 
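Review bot: The widened `permissions` block adds `id-token: write`, but no step in this workflow requests an OIDC token — there is no attestation, keyless-signing or cloud-auth action anywhere in the file — so it should be dropped until something uses it; `packages: write` is the only addition that the helm registry push (switched back to `GITHUB_TOKEN` in the second hunk of this commit) needs. `pull-requests: read` and `issues: read` are likewise not consumed by a visible step, since `@semantic-release/github` runs with `GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}` rather than the job token; unless they are intended for a called workflow, remove them too. A `permissions` block of `contents: read` and `packages: write` matches what the job actually does.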
@@ -68,7 +72,7 @@ jobs: - name: Log in to the Container registry run: | - echo "${{ secrets.GH_ACCESS_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin - name: Install Semantic Release if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }} From bfa14d74b22c9ac96d82686211557fba3e5c9b02 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 19 Nov 2025 17:35:46 +0200 Subject: [PATCH 12/19] fix: fix package name Signed-off-by: PavelSBorisov --- .releaserc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.releaserc b/.releaserc index dadbbf8b8b..c153e8728b 100644 --- a/.releaserc +++ b/.releaserc @@ -55,7 +55,7 @@ ], [ "@semantic-release/exec", - { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph/transaction-tool" } + { "cmd": "helm push hedera-transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph" } ], [ "@semantic-release/github", From cbe50e382b0349f240999b95d3ed75cabc565977 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Thu, 20 Nov 2025 16:04:06 +0200 Subject: [PATCH 13/19] fix: fix helm chart name again Signed-off-by: PavelSBorisov --- .releaserc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.releaserc b/.releaserc index c153e8728b..4909e38c7a 100644 --- a/.releaserc +++ b/.releaserc @@ -55,7 +55,7 @@ ], [ "@semantic-release/exec", - { "cmd": "helm push hedera-transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph" } + { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph" } ], [ "@semantic-release/github", From 7259f0edef8846c92460dbabe06c1032c9b63865 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Thu, 20 Nov 2025 16:13:56 +0200 Subject: [PATCH 14/19] fix: more helm package name fixes 
Signed-off-by: PavelSBorisov --- .releaserc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.releaserc b/.releaserc index 4909e38c7a..d81d054d18 100644 --- a/.releaserc +++ b/.releaserc @@ -55,7 +55,7 @@ ], [ "@semantic-release/exec", - { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph" } + { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph/hedera-transaction-tool" } ], [ "@semantic-release/github", From ebc261af98d8488b786b03826d7b169e19d0a688 Mon Sep 17 00:00:00 2001 From: Pavel Borisov <37436896+PavelSBorisov@users.noreply.github.com> Date: Mon, 24 Nov 2025 15:03:31 +0200 Subject: [PATCH 15/19] chore: apply suggestion Co-authored-by: Roger Barker Signed-off-by: Pavel Borisov <37436896+PavelSBorisov@users.noreply.github.com> --- .github/workflows/000-user-official-release.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index b89d5ffb9d..3ec9c34946 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -24,7 +24,6 @@ permissions: env: REGISTRY: ghcr.io - jobs: publish: name: Publish Official Release of Hedera Transaction Tool From 05d1008fb1283a5a3e9a54f91f8190c693d0e178 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Wed, 3 Dec 2025 16:31:41 +0200 Subject: [PATCH 16/19] chore(deps): bump checkout action to latest Signed-off-by: PavelSBorisov --- .github/workflows/000-user-official-release.yaml | 2 +- .github/workflows/300-flow-docker-images.yaml | 2 +- .github/workflows/301-flow-test-backend.yaml | 2 +- .github/workflows/302-flow-test-frontend.yaml | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 3ec9c34946..469cfd0004 100644 
--- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -36,7 +36,7 @@ jobs: egress-policy: audit - name: Checkout Code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: token: ${{ secrets.GH_ACCESS_TOKEN }} diff --git a/.github/workflows/300-flow-docker-images.yaml b/.github/workflows/300-flow-docker-images.yaml index 32c3795182..679b9be6c8 100644 --- a/.github/workflows/300-flow-docker-images.yaml +++ b/.github/workflows/300-flow-docker-images.yaml @@ -32,7 +32,7 @@ jobs: egress-policy: audit - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Log in to the Container registry uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0 diff --git a/.github/workflows/301-flow-test-backend.yaml b/.github/workflows/301-flow-test-backend.yaml index 661fbb4f37..7e1269610c 100644 --- a/.github/workflows/301-flow-test-backend.yaml +++ b/.github/workflows/301-flow-test-backend.yaml @@ -41,7 +41,7 @@ jobs: egress-policy: audit - name: Checkout code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Install pnpm uses: step-security/action-setup@3d419c73e38e670dbffe349ffff26dd13c164640 # v4.2.0 diff --git a/.github/workflows/302-flow-test-frontend.yaml b/.github/workflows/302-flow-test-frontend.yaml index c9dd3ca78f..3b69250b02 100644 --- a/.github/workflows/302-flow-test-frontend.yaml +++ b/.github/workflows/302-flow-test-frontend.yaml 
@@ -32,7 +32,7 @@ jobs: egress-policy: audit - name: Checkout Code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -89,7 +89,7 @@ jobs: egress-policy: audit - name: Checkout Code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 @@ -190,7 +190,7 @@ jobs: egress-policy: audit - name: Checkout Code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 From 90bf5694eba50bf1de9f107aff6069693e465d1b Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Thu, 4 Dec 2025 11:44:00 +0200 Subject: [PATCH 17/19] chore: let release commit trigger ci so docker push workflow triggers Signed-off-by: PavelSBorisov --- .releaserc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.releaserc b/.releaserc index d81d054d18..48538bfe1a 100644 --- a/.releaserc +++ b/.releaserc @@ -40,7 +40,7 @@ "assets": [ "charts/transaction-tool/Chart.yaml" ], - "message": "chore(release): ${nextRelease.version} [skip ci]\n\nSigned-off-by: swirlds-automation " + "message": "chore(release): ${nextRelease.version} \n\nSigned-off-by: swirlds-automation " } ] ], @@ -96,9 +96,6 @@ "name": "rc/*", "prerelease": "rc", "channel": "rc" - }, - { - "name": "resd-455" } ] } From ea26dc9c24cd9efb7f842c67d8fca806b9608130 Mon Sep 17 00:00:00 2001 From: PavelSBorisov Date: Mon, 22 Dec 2025 14:59:16 +0200 Subject: [PATCH 18/19] fix: rework release workflow to publish in the correct order 
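Review bot: The edited release commit message keeps a stray space before the blank line, `${nextRelease.version} \n\n`, so the generated commit subject ends in trailing whitespace; write `"chore(release): ${nextRelease.version}\n\nSigned-off-by: …"` instead. Dropping `[skip ci]` also means the commit semantic-release pushes to `main` now starts every `push`-triggered workflow in the repository; the release workflow itself is `workflow_dispatch` only, so there is no self-retrigger, but that intent is worth recording in the release workflow's comments since `.releaserc` cannot carry one.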
Signed-off-by: PavelSBorisov --- .../workflows/000-user-official-release.yaml | 99 +++++++++++++++---- .github/workflows/300-flow-docker-images.yaml | 67 ++++++++++++- .releaserc | 41 ++++---- 3 files changed, 161 insertions(+), 46 deletions(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 469cfd0004..88bd24c8bf 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -25,13 +25,15 @@ env: REGISTRY: ghcr.io jobs: - publish: + semantic-release: name: Publish Official Release of Hedera Transaction Tool - # MacOS runner for future compatibility (when frontend builds get added to semantic release) - runs-on: macos-latest + runs-on: transaction-tools-linux-medium + outputs: + # We extract the version from the VERSION file created by .releaserc + version: ${{ steps.extract-version.outputs.version }} steps: - name: Harden Runner - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit @@ -41,7 +43,15 @@ jobs: token: ${{ secrets.GH_ACCESS_TOKEN }} - name: Install GnuPG Tools - run: brew install gnupg + run: | + if ! command -v gpg2 >/dev/null 2>&1; then + echo "::group::Updating APT Repository Indices" + sudo apt update + echo "::endgroup::" + echo "::group::Installing GnuPG Tools" + sudo apt install -y gnupg2 + echo "::endgroup::" + fi - name: Import GPG Key id: gpg 
@@ -55,24 +65,10 @@ jobs: passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22 - - name: Setup pnpm - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - with: - version: latest - - - name: Setup Helm - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 - with: - version: "v3.12.3" - - - name: Log in to the Container registry - run: | - echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin - - name: Install Semantic Release if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }} run: | 
@@ -102,3 +98,66 @@ jobs: echo "Running semantic-release now..." npx semantic-release --debug fi + + - name: Extract Version Output + id: extract-version + run: | + # The .releaserc 'verifyRelease' step writes the version to a file named VERSION + if [[ -f VERSION ]]; then + VER=$(cat VERSION | tr -d '[:space:]') + echo "::notice::New version is: $VER" + echo "version=$VER" >> $GITHUB_OUTPUT + else + echo "::warning::No new version file output by semantic release." + fi + + build-and-push-docker: + name: Build and Push Docker Images + if: ${{ inputs.dry-run-enabled != true && needs.semantic-release.outputs.version != '' }} + needs: semantic-release + uses: ./.github/workflows/300-flow-docker-images.yaml + with: + ref: v${{ needs.semantic-release.outputs.version }} + + helm-publish: + name: Helm Chart Publish + needs: [semantic-release, build-and-push-docker] + if: ${{ inputs.dry-run-enabled != true && needs.semantic-release.outputs.version != '' }} + runs-on: transaction-tools-linux-medium + steps: + - name: Harden Runner + uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Setup Helm + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 + with: + version: "v3.12.3" + + - name: Helm Registry Login + run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin + + - name: Package and Push Chart + run: | + # 1. Update dependencies + helm dependency update charts/transaction-tool + + # 2. Package + helm package charts/transaction-tool + + # 3. Push + CHART_FILE="transaction-tool-${{ needs.semantic-release.outputs.version }}.tgz" + + if [[ -f "$CHART_FILE" ]]; then + echo "Pushing $CHART_FILE to GitHub Registry..." 
+ helm push "$CHART_FILE" oci://${{ env.REGISTRY }}/hashgraph/hedera-transaction-tool + else + echo "::error::Chart file $CHART_FILE was not found." + exit 1 + fi \ No newline at end of file diff --git a/.github/workflows/300-flow-docker-images.yaml b/.github/workflows/300-flow-docker-images.yaml index 679b9be6c8..f83c8cf9d4 100644 --- a/.github/workflows/300-flow-docker-images.yaml +++ b/.github/workflows/300-flow-docker-images.yaml @@ -1,9 +1,15 @@ name: "300: [FLOW] Docker Images" on: + workflow_call: + inputs: + ref: + required: true + type: string + description: 'Git ref to checkout (tag or sha)' push: - tags: - - 'v*' + branches: + - main workflow_dispatch: permissions: 
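Review bot: The Checkout Code step of the new helm-publish job passes only `token:` and no `ref:`, unlike build-and-push-docker which checks out `ref: v${{ needs.semantic-release.outputs.version }}`; without it actions/checkout takes the workflow's own `github.sha`, which was fixed when the dispatch started and therefore predates the release commit that semantic-release pushes (the `Chart.yaml` bump committed by `@semantic-release/git`), so `helm package` would most likely produce an archive named after the old chart version and the `CHART_FILE` check would exit 1. The same `ref:` line belongs in this job's checkout. Separately, the `version` output is read from a file in the workspace and then interpolated through `${{ }}` into a `ref:` and into two `run:` scripts (`CHART_FILE=...` and the `helm push` line), which is the pattern GitHub warns about for script injection; validating `VER` against a semver pattern before it is exported keeps anything that is not a version out of those scripts, and quoting `"$GITHUB_OUTPUT"` is the usual hygiene. Pushing to ghcr.io with `secrets.GITHUB_TOKEN` in Helm Registry Login needs `packages: write`, and no job-level `permissions:` is visible in this hunk, so confirm the workflow-level grant outside it. The semantic-release job this hunk extends starts before the hunk.
```yaml
      # … unchanged: semantic-release job header and earlier steps …
      - name: Extract Version Output
        id: extract-version
        run: |
          # The .releaserc 'verifyRelease' step writes the version to a file named VERSION
          if [[ -f VERSION ]]; then
            VER="$(tr -d '[:space:]' < VERSION)"
            # Accept only a semver string: this value is interpolated into ref: and
            # run: scripts of the downstream jobs through expression syntax
            if [[ ! "$VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
              echo "::error::VERSION does not contain a semver string: '$VER'"
              exit 1
            fi
            echo "::notice::New version is: $VER"
            echo "version=$VER" >> "$GITHUB_OUTPUT"
          else
            echo "::warning::No new version file output by semantic release."
          fi

  # … unchanged: build-and-push-docker job …

  helm-publish:
    # … unchanged: name, needs, if, runs-on, Harden Runner step …
      - name: Checkout Code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ secrets.GH_ACCESS_TOKEN }}
          ref: v${{ needs.semantic-release.outputs.version }}
      # … unchanged: Setup Helm, Helm Registry Login, Package and Push Chart …
```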
@@ -16,7 +22,61 @@ env: REGISTRY: ghcr.io jobs: - build-and-push-image: + # Runs on workflow_call (used by semantic release) + build-and-push-release-images: + if: github.event_name == 'workflow_call' + runs-on: transaction-tools-linux-medium + strategy: + fail-fast: false + matrix: + image: [api, chain, notifications] + defaults: + run: + working-directory: back-end/apps/${{ matrix.image }} + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + ref: ${{ inputs.ref }} + + - name: Log in to the Container registry + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # 5.9.0 + with: + images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }} + + - name: Build and push Docker image + id: push + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # 6.18.0 + with: + context: back-end/ + file: back-end/apps/${{ matrix.image }}/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + with: + subject-name: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true + + # Runs on push to main or manual trigger - only publishes latest tag + build-and-push-latest-image: + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' runs-on: 
transaction-tools-linux-medium strategy: fail-fast: false @@ -46,6 +106,7 @@ jobs: uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # 5.9.0 with: images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }} + tags: type=raw,value=latest - name: Build and push Docker image id: push diff --git a/.releaserc b/.releaserc index 48538bfe1a..a896a753fb 100644 --- a/.releaserc +++ b/.releaserc @@ -24,10 +24,16 @@ "verifyRelease": [ [ "@semantic-release/exec", - { "cmd": "echo 'Release version: ${nextRelease.version}'" } + { "cmd": "echo ${nextRelease.version} > VERSION" } ] ], "prepare": [ + [ + "@semantic-release/exec", + { + "prepareCmd": "for dir in back-end back-end/apps/api back-end/apps/chain back-end/apps/notifications front-end; do (cd $dir && npm version ${nextRelease.version} --no-git-tag-version --allow-same-version); done" + } + ], [ "semantic-release-helm3", { @@ -38,34 +44,20 @@ "@semantic-release/git", { "assets": [ - "charts/transaction-tool/Chart.yaml" + "charts/transaction-tool/Chart.yaml", + "back-end/package.json", + "back-end/apps/api/package.json", + "back-end/apps/chain/package.json", + "back-end/apps/notifications/package.json", + "front-end/package.json" ], - "message": "chore(release): ${nextRelease.version} \n\nSigned-off-by: swirlds-automation " + "message": "chore(release): ${nextRelease.version} [skip ci]\n\nSigned-off-by: swirlds-automation " } ] ], "publish": [ [ - "@semantic-release/exec", - { "cmd": "helm dependency update charts/transaction-tool" } - ], - [ - "@semantic-release/exec", - { "cmd": "helm package charts/transaction-tool" } - ], - [ - "@semantic-release/exec", - { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph/hedera-transaction-tool" } - ], - [ - "@semantic-release/github", - { - "assets": [ - { - "path": "transaction-tool-*.tgz" - } - ] - } + "@semantic-release/github" ] ], "branches":[ 
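Review bot: The guard `if: github.event_name == 'workflow_call'` on build-and-push-release-images will not match in practice: GitHub documents that inside a reusable workflow the `github` context belongs to the caller, so when 000-user-official-release.yaml calls this file `github.event_name` is `workflow_dispatch`, the release job is skipped, and build-and-push-latest-image (guarded by `github.event_name == 'workflow_dispatch'`) runs in its place and, given the `type=raw,value=latest` tag added in the next hunk, publishes `latest` from whatever its own checkout step (outside the hunk) selects rather than the requested tag. Gating on the input introduced by this file's first hunk is reliable: `if: ${{ inputs.ref != '' }}` on the release job and `if: ${{ inputs.ref == '' }}` on the latest job, since the `inputs` context is empty on push and on manual runs of this file. The release job's metadata-action step also sets no `tags:`, so its default tag is derived from the caller's `github.ref` (the dispatched branch) rather than from the tag passed in `ref:`; `tags: type=raw,value=${{ inputs.ref }}` ties the pushed image tag to the version that was actually checked out. Minor: harden-runner is pinned at v2.13.2 here while the sibling workflow in this same commit moves to v2.14.0. The latest job's body continues beyond the end of the hunk.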
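Review bot: The new `prepareCmd` loop masks failures: the exit status of `for ...; do (cd $dir && npm version ...); done` is that of the last iteration, so if `npm version` fails in `back-end/apps/api` but succeeds in `front-end`, `@semantic-release/exec` sees success and semantic-release goes on to commit and tag a tree that is only partly bumped; appending `|| exit 1` to the subshell — `(cd "$dir" && npm version ${nextRelease.version} --no-git-tag-version --allow-same-version) || exit 1` — stops at the first failure. If any of those directories holds a `package-lock.json`, `npm version` rewrites its version fields too, and that file is not in the `@semantic-release/git` assets list extended in the next hunk, which would leave the release commit with an unstaged lockfile change; confirm which lockfile the repository uses. A short comment in the surrounding `prepare` entry saying which files the loop touches and that `VERSION` written by `verifyRelease` is deliberately not committed would make the hand-off to the workflow explicit.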
@@ -96,6 +88,9 @@ "name": "rc/*", "prerelease": "rc", "channel": "rc" + }, + { + "name": "resd-455" } ] } From 58d32a498153af7ca6121e57e3d66b646b173a5d Mon Sep 17 00:00:00 2001 From: Pavel Borisov <37436896+PavelSBorisov@users.noreply.github.com> Date: Thu, 29 Jan 2026 13:10:15 +0200 Subject: [PATCH 19/19] chore: add newline Co-authored-by: Andrew Brandt Signed-off-by: Pavel Borisov <37436896+PavelSBorisov@users.noreply.github.com> --- .github/workflows/000-user-official-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/000-user-official-release.yaml b/.github/workflows/000-user-official-release.yaml index 88bd24c8bf..3cc52d2c34 100644 --- a/.github/workflows/000-user-official-release.yaml +++ b/.github/workflows/000-user-official-release.yaml @@ -160,4 +160,4 @@ jobs: else echo "::error::Chart file $CHART_FILE was not found." exit 1 - fi \ No newline at end of file + fi
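Review bot: The added `{ "name": "resd-455" }` entry has no `prerelease` key, so semantic-release would treat `resd-455` as a full release branch; if that branch exists to test this pipeline (the name looks like a ticket reference), pushes to it would produce official version tags and GitHub releases indistinguishable from those cut from the main release branch, so it reads like a leftover to drop before merge, or at least to mark with `"prerelease": true` so its versions carry a distinguishing prerelease suffix. The `branches` array this hunk ends begins outside the hunk.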