ci: improve deployment workflows and fix release-please compatibility

.github/workflows/dapp-deploy.yml

@@ -1,4 +1,4 @@
-name: Deploy DApp Contract
+name: deploy-dapp
 
 on:
   workflow_dispatch:
@@ -8,77 +8,60 @@ on:
         required: true
         type: choice
         options:
-          - dapp-dev
-          - dapp-prod
-      sconify-version:
-        description: 'Version of the sconify image to use'
+          - bellecour-dev
+          - arbitrum-sepolia-dev
+      price:
+        description: 'Sell order price (optionnel)'
         type: string
-        default: '5.9.0-v15'
-
-env:
-  DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
+        required: false
+        default: ''
+      volume:
+        description: 'Sell order volume (optionnel)'
+        type: string
+        required: false
+        default: ''
 
 jobs:
-  build-and-push:
+  extract-tag:
     runs-on: ubuntu-latest
     outputs:
-      image-name: ${{ steps.set-outputs.outputs.image-name }}
-      image-tag: ${{ steps.set-outputs.outputs.image-tag }}
+      clean_tag: ${{ steps.tag.outputs.clean_tag }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PAT }}
-
-      - name: Get dapp version
-        id: version
-        run: |
-          VERSION=$(node -p "require('./dapp/package.json').version")
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "dapp-version=$VERSION"
-
-      - name: Set image tag
-        id: image-tag
+      - name: Extract tag
+        id: tag
         run: |
-          if [ "${{ inputs.environment }}" = "dapp-dev" ]; then
-            echo "image-tag=dev-${{ steps.version.outputs.version }}" >> $GITHUB_OUTPUT
-          else
-            echo "image-tag=${{ steps.version.outputs.version }}" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build and push Docker image
-        id: build
-        uses: docker/build-push-action@v5
-        with:
-          context: ./dapp
-          push: true
-          tags: iexechub/web3telegram-dapp:${{ steps.image-tag.outputs.image-tag }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          echo "clean_tag=dev" | tee -a $GITHUB_OUTPUT
 
-      - name: Set outputs
-        id: set-outputs
-        run: |
-          echo "image-name=iexechub/web3telegram-dapp" >> $GITHUB_OUTPUT
-          echo "image-tag=${{ steps.image-tag.outputs.image-tag }}" >> $GITHUB_OUTPUT
+  docker-publish:
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    needs: [extract-tag]
+    with:
+      image-name: 'iexechub/web3telegram-dapp'
+      registry: 'docker.io'
+      dockerfile: 'dapp/Dockerfile'
+      context: 'dapp'
+      security-scan: true
+      security-report: 'sarif'
+      hadolint: true
+      push: true
+      image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
+    secrets:
+      username: ${{ secrets.DOCKERHUB_USERNAME }}
+      password: ${{ secrets.DOCKERHUB_PAT }}
 
   sconify:
-    needs: build-and-push
     uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    needs: [docker-publish, extract-tag]
     with:
-      image-name: ${{ needs.build-and-push.outputs.image-name }}
-      image-tag: ${{ needs.build-and-push.outputs.image-tag }}
+      image-name: 'iexechub/web3telegram-dapp'
+      image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
       sconify-debug: false
       sconify-prod: true
       docker-registry: docker.io
-      sconify-version: ${{ inputs.sconify-version }}
+      sconify-version: '5.9.0-v15'
       binary: /usr/local/bin/node
       command: node /app/src/app.js
       host-path: |
@@ -90,41 +73,24 @@ jobs:
       dlopen: 1
       mprotect: 1
     secrets:
+      docker-username: ${{ secrets.DOCKERHUB_USERNAME }}
       docker-password: ${{ secrets.DOCKERHUB_PAT }}
+      scontain-username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
       scontain-password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
       scone-signing-key: ${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}
-      docker-username: ${{ secrets.DOCKERHUB_USERNAME }}
-      scontain-username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
-
-  display-sconify-results:
-    runs-on: ubuntu-latest
-    needs: sconify
-    steps:
-      - name: Display Sconify Results
-        run: |
-          echo "## Sconify Results" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-
-          echo "### Production Image" >> $GITHUB_STEP_SUMMARY
-          echo "- **Image Tag**: ${{ needs.sconify.outputs.prod-image-tag }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Checksum**: ${{ needs.sconify.outputs.prod-checksum }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **MrEnclave**: ${{ needs.sconify.outputs.prod-mrenclave }}" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-
-          echo "### Summary" >> $GITHUB_STEP_SUMMARY
-          echo "Sconification completed successfully!" >> $GITHUB_STEP_SUMMARY
 
   deploy-dapp:
+    needs: [extract-tag, sconify]
     runs-on: ubuntu-latest
-    needs: [build-and-push, sconify]
+    environment: ${{ inputs.environment }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '18.19'
+          node-version: '20.19.0'
           cache: 'npm'
 
       - name: Install dependencies
@@ -135,76 +101,49 @@ jobs:
           cd ../../deployment-dapp
           npm ci
 
-      - name: Create scone fingerprint file
-        run: |
-          MRENCLAVE="${{ needs.sconify.outputs.prod-mrenclave }}"
-          echo "$MRENCLAVE" > deployment-dapp/.scone-fingerprint
-
       - name: Deploy dapp contract
         env:
-          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
-          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
-          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
-          DOCKER_IMAGE_CHECKSUM_DEV: ${{ needs.sconify.outputs.prod-checksum }}
-          DOCKER_IMAGE_CHECKSUM_PROD: ${{ needs.sconify.outputs.prod-checksum }}
-          SCONIFIED_IMAGE_TAG: ${{ needs.sconify.outputs.prod-image-tag }}
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          DOCKER_IMAGE_TAG: ${{ needs.sconify.outputs.prod-image-tag }}
+          CHECKSUM: ${{  needs.sconify.outputs.prod-checksum }}
+          FINGERPRINT: ${{ needs.sconify.outputs.prod-mrenclave }}
+          RPC_URL: ${{ secrets.RPC_URL }}
         run: |
           cd deployment-dapp
           npm run deploy-dapp
 
       - name: Push dapp secret
         env:
-          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
-          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
-          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
-          TELEGRAM_BOT_TOKEN_DEV: ${{ secrets.TELEGRAM_BOT_TOKEN_DEV }}
-          TELEGRAM_BOT_TOKEN_PROD: ${{ secrets.TELEGRAM_BOT_TOKEN_PROD }}
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN_DEV }}
+          RPC_URL: ${{ secrets.RPC_URL }}
         run: |
           cd deployment-dapp
           npm run push-dapp-secret
 
       - name: Publish free sell order
         env:
-          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
-          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
-          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
-          PRICE: '0'
-          VOLUME: '1000000000'
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          PRICE: ${{ inputs.price || vars.SELL_ORDER_PRICE }}
+          VOLUME: ${{ inputs.volume || vars.SELL_ORDER_VOLUME }}
+          RPC_URL: ${{ secrets.RPC_URL }}
         run: |
           cd deployment-dapp
           npm run publish-sell-order
 
-      - name: Add resource to whitelist (dev)
-        if: inputs.environment == 'dapp-dev'
+      - name: Add resource to whitelist
         env:
-          WALLET_PRIVATE_KEY: ${{ secrets.DEPLOYER_DEV_PRIVATEKEY }}
-          CONTRACT_ADDRESS: ${{ secrets.WEB3TELEGRAM_WHITELIST_DEV_ADDRESS }}
-        run: |
-          cd node_modules/whitelist-smart-contract
-          export ADDRESS_TO_ADD=$(cat ../../deployment-dapp/.app-address) && npm run addResourceToWhitelist
-
-      - name: Add resource to whitelist (prod)
-        if: inputs.environment == 'dapp-prod'
-        env:
-          WALLET_PRIVATE_KEY: ${{ secrets.DEPLOYER_PROD_PRIVATEKEY }}
-          CONTRACT_ADDRESS: ${{ secrets.WEB3TELEGRAM_WHITELIST_PROD_ADDRESS }}
+          CONTRACT_ADDRESS: ${{ secrets.WEB3TELEGRAM_WHITELIST_CONTRACT_ADDRESS }}
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
         run: |
           cd node_modules/whitelist-smart-contract
           export ADDRESS_TO_ADD=$(cat ../../deployment-dapp/.app-address) && npm run addResourceToWhitelist
 
       - name: Configure ENS
+        if: ${{ vars.DAPP_ENS_NAME }}
         env:
-          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
-          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
-          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          DAPP_ENS_NAME: ${{ vars.DAPP_ENS_NAME }}
         run: |
           cd deployment-dapp
           npm run configure-ens
-
-      - name: Upload deployment artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: deployment-artifacts
-          path: |
-            deployment-dapp/.app-address
-            deployment-dapp/.scone-fingerprint

.github/workflows/dapp-release.yml

@@ -0,0 +1,134 @@
+name: dapp-release
+
+on:
+  push:
+    tags:
+      - 'dapp-v*'
+
+jobs:
+  extract-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      clean_tag: ${{ steps.tag.outputs.clean_tag }}
+    steps:
+      - name: Extract tag
+        id: tag
+        run: |
+          TAG=${GITHUB_REF#refs/tags/dapp-v}
+          echo "clean_tag=${TAG}" >> $GITHUB_OUTPUT
+
+  docker-publish:
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    with:
+      image-name: 'iexechub/web3telegram-dapp'
+      registry: 'docker.io'
+      dockerfile: 'dapp/Dockerfile'
+      context: 'dapp'
+      security-scan: true
+      security-report: 'sarif'
+      hadolint: true
+      push: true
+      image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
+    secrets:
+      username: ${{ secrets.DOCKERHUB_USERNAME }}
+      password: ${{ secrets.DOCKERHUB_PAT }}
+
+  sconify:
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    needs: [docker-publish]
+    with:
+      image-name: 'iexechub/web3telegram-dapp'
+      image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
+      sconify-debug: false
+      sconify-prod: true
+      docker-registry: docker.io
+      sconify-version: '5.9.0-v15'
+      binary: /usr/local/bin/node
+      command: node /app/src/app.js
+      host-path: |
+        /etc/hosts
+        /etc/resolv.conf
+      binary-fs: true
+      fs-dir: /app
+      heap: 1G
+      dlopen: 1
+      mprotect: 1
+    secrets:
+      docker-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      docker-password: ${{ secrets.DOCKERHUB_PAT }}
+      scontain-username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+      scontain-password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+      scone-signing-key: ${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}
+
+  deploy-multi-env-prod:
+    strategy:
+      matrix:
+        # TODO: bellecour-prod already deployed add it back for next release
+        environment: [arbitrum-sepolia-prod, arbitrum-mainnet-prod]
+    needs: [extract-tag, sconify]
+    runs-on: ubuntu-latest
+    environment: ${{ matrix.environment }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.19.0'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          cd node_modules/whitelist-smart-contract
+          npm install --save-dev ts-node
+          cd ../../deployment-dapp
+          npm ci
+
+      - name: Deploy dapp contract
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          DOCKER_IMAGE_TAG: ${{ needs.sconify.outputs.prod-image-tag }}
+          CHECKSUM: ${{  needs.sconify.outputs.prod-checksum }}
+          FINGERPRINT: ${{ needs.sconify.outputs.prod-mrenclave }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd deployment-dapp
+          npm run deploy-dapp
+
+      - name: Push dapp secret
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN_PROD }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd deployment-dapp
+          npm run push-dapp-secret
+
+      - name: Publish free sell order
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          PRICE: ${{ vars.SELL_ORDER_PRICE }}
+          VOLUME: ${{ vars.SELL_ORDER_VOLUME }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd deployment-dapp
+          npm run publish-sell-order
+
+      - name: Add resource to whitelist
+        env:
+          CONTRACT_ADDRESS: ${{ secrets.WEB3TELEGRAM_WHITELIST_CONTRACT_ADDRESS }}
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+        run: |
+          cd node_modules/whitelist-smart-contract
+          export ADDRESS_TO_ADD=$(cat ../../deployment-dapp/.app-address) && npm run addResourceToWhitelist
+
+      - name: Configure ENS
+        if: ${{ vars.DAPP_ENS_NAME }}
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PRIVATEKEY }}
+          DAPP_ENS_NAME: ${{ vars.DAPP_ENS_NAME }}
+        run: |
+          cd deployment-dapp
+          npm run configure-ens