From ad21b2e369062765c005d84eb761803b2f25b656 Mon Sep 17 00:00:00 2001
From: Mario Apra
Date: Tue, 25 Jun 2024 16:12:22 +0100
Subject: [PATCH] Start using Artifactory for CI/CD in favour of Docker Registry (#1917)

Due security reasons, we had to stop using the dispatch token and start using the GitHub App in order to trigger the deployment in argo. Because argo is a private repository, we can't trigger from a public one (juno), so then we start to change the approach to first push the docker images to jFrog Artifactory, then argo will be notified that a new image was pushed, then it will trigger the deployment

Extra Tasks:
- Run YAML formatter on build-and-deploy workflow: Having a well formated file makes it easier to read and for people to contribute
- Remove unnecessary IMAGE_TAG from build-and-deploy.yml: Instead of using both env.DOCKER_IMAGE_TAG and output.IMAGE_TAG, only use one of them.
- Improve readability of stages in build-and-deploy.yml: Rename stages to make it easier to understand what's going on. For example from 'deploy_to_dev' to 'validate_dev' in order to include that some tests will be run on the environment
- Set common env var in the root of the file: Some of the env vars are being used in multiple stages, so instead of having to hard-code some small differences in multiple places, bring it all back to a root level where it's easier to see what changes for what environment.
---
 .github/workflows/build-and-deploy.yml | 154 ++++++++++---------------
 1 file changed, 63 insertions(+), 91 deletions(-)

diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
index cdd37ab00c..cab2c5c192 100644
--- a/.github/workflows/build-and-deploy.yml
+++ b/.github/workflows/build-and-deploy.yml
@@ -1,9 +1,17 @@
 name: Docker Build, Publish and Deploy
 
+env:
+ DOCKER_REGISTRY: nethermind.jfrog.io
+
+ REPO_DEV: angkor-docker-local-dev
+ REPO_STAGING: angkor-docker-local-staging
+ REPO_PROD: angkor-docker-local-prod
+
+
 on:
 push:
 branches: [main]
- tags: ['v*']
+ tags: ["v*"]
 workflow_dispatch:
 
 permissions:
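Review bot: The new `env:` block is inserted between `name:` and `on:`, whereas the conventional order in a workflow file is `name`, `on`, `permissions`, `env`, which keeps the trigger definition at the top where readers expect it; consider moving the block below `permissions:`. The block also appears to end with two consecutive added blank lines before `on:` and to carry a lone blank line between `DOCKER_REGISTRY` and `REPO_DEV` (hard to be certain from the collapsed hunk), which yamllint's `empty-lines` rule would flag; one blank line between stanzas is enough.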
@@ -11,156 +19,120 @@ permissions: contents: write jobs: - docker_build_and_publish: + build_docker_image: runs-on: ubuntu-latest - outputs: - IMAGE_TAG: ${{ steps.image_tag.outputs.IMAGE_TAG }} + steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 - - - name: Define_docker_image_tag - id: image_tag + + - name: Define image tag run: | echo "DOCKER_IMAGE_TAG=$(git describe --tags)" >> $GITHUB_ENV - echo "IMAGE_TAG=$(git describe --tags)" >> "$GITHUB_OUTPUT" - + - name: Setup Docker Buildx uses: docker/setup-buildx-action@v3 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - + + - name: Login to registry + run: | + docker login ${{ env.DOCKER_REGISTRY }} -u ${{ vars.ARTIFACTORY_ANGKOR_USER }} -p ${{ secrets.ARTIFACTORY_ANGKOR_CONTRIBUTOR }} + - name: Build and Push uses: docker/build-push-action@v5 with: context: . - platforms: 'linux/amd64' + platforms: "linux/amd64" push: true - tags: nethermindeth/juno:${{ env.DOCKER_IMAGE_TAG }} - - deploy_to_dev: + tags: ${{ env.DOCKER_REGISTRY }}/${{ env.REPO_DEV }}/juno:${{ env.DOCKER_IMAGE_TAG }} + + + validate_dev: permissions: id-token: write contents: write - needs: [docker_build_and_publish] + needs: [build_docker_image] runs-on: ubuntu-latest - environment: + environment: name: Development steps: - name: Checkout uses: actions/checkout@v4 - - name: Repository Dispatch Dev - env: - EVENT_NAME: juno-dev - IMAGE_TAG: ${{ needs.docker_build_and_publish.outputs.IMAGE_TAG }} - SEPOLIA: apps/juno-dev/overlays/dev-sepolia/config.yaml - run: | - curl -L \ - -X POST \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - https://api.github.com/repos/NethermindEth/argo/dispatches \ - -d '{"event_type": "${{ env.EVENT_NAME }}", "client_payload":{"name": "${{ env.EVENT_NAME }}", "sepolia_config": "${{ env.SEPOLIA }}", 
"tag": "${{ env.IMAGE_TAG }}"}}' - - name: Verify Deployment Version (Dev) - run: bash .github/workflow-scripts/verify_deployment.sh ${{ secrets.DEV_SEPOLIA_URL }} ${{ needs.docker_build_and_publish.outputs.IMAGE_TAG }} - + run: bash .github/workflow-scripts/verify_deployment.sh ${{ secrets.DEV_SEPOLIA_URL }} ${{ env.DOCKER_IMAGE_TAG }} + dev-starknet-rs-tests: - needs: [deploy_to_dev] + needs: [validate_dev] uses: ./.github/workflows/starknet-rs-tests.yml secrets: STARKNET_RPC: ${{ secrets.DEV_SEPOLIA_URL }}/v0_6 - + dev-starknet-js-tests: - needs: [deploy_to_dev] + needs: [validate_dev] uses: ./.github/workflows/starknet-js-tests.yml secrets: TEST_RPC_URL: ${{ secrets.DEV_SEPOLIA_URL }}/v0_7 TEST_ACCOUNT_ADDRESS: ${{ secrets.TEST_ACCOUNT_ADDRESS }} TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }} - - deploy_to_staging: - needs: [docker_build_and_publish, deploy_to_dev] + + promote_to_staging: + needs: [build_docker_image, validate_dev] runs-on: ubuntu-latest - environment: + environment: name: Staging - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Repository Dispatch Staging - env: - EVENT_NAME: juno-staging - IMAGE_TAG: ${{ needs.docker_build_and_publish.outputs.IMAGE_TAG }} - MAINNET: apps/juno-staging/overlays/staging-mainnet/config.yaml - SEPOLIA: apps/juno-staging/overlays/staging-sepolia/config.yaml - SEPOLIA_INTEGRATION: apps/juno-staging/overlays/staging-sepolia-integration/config.yaml - run: | - curl -L \ - -X POST \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - https://api.github.com/repos/NethermindEth/argo/dispatches \ - -d '{"event_type": "${{ env.EVENT_NAME }}", "client_payload":{"name": "${{ env.EVENT_NAME }}", "mainnet_config": "${{ env.MAINNET }}", "sepolia_config": "${{ env.SEPOLIA }}", "sepolia_integration_config": "${{ env.SEPOLIA_INTEGRATION}}", "tag": "${{ env.IMAGE_TAG }}"}}' - - - name: Verify 
Deployment Version (Staging) - run: bash .github/workflow-scripts/verify_deployment.sh ${{ secrets.STAGING_SEPOLIA_URL }} ${{ needs.docker_build_and_publish.outputs.IMAGE_TAG }} + steps: + - name: Setup JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.JFROG_URL}} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ANGKOR_CONTRIBUTOR }} + + - name: Promote to Staging + run: | + jf rt dpr juno/${{ env.DOCKER_IMAGE_TAG }} ${{ env.REPO_DEV }} ${{ env.REPO_STAGING }} staging-starknet-rs-tests: - needs: [deploy_to_staging] + needs: [promote_to_staging] uses: ./.github/workflows/starknet-rs-tests.yml secrets: STARKNET_RPC: ${{ secrets.STAGING_SEPOLIA_URL }}/v0_6 - + staging-starknet-js-tests: - needs: [deploy_to_staging] + needs: [promote_to_staging] uses: ./.github/workflows/starknet-js-tests.yml secrets: TEST_RPC_URL: ${{ secrets.STAGING_SEPOLIA_URL }}/v0_7 TEST_ACCOUNT_ADDRESS: ${{ secrets.TEST_ACCOUNT_ADDRESS }} TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }} - deploy_to_production: - needs: [docker_build_and_publish, deploy_to_staging] + promote_to_production: + needs: [build_docker_image, promote_to_staging] runs-on: ubuntu-latest environment: name: Production steps: - - name: Repository Dispatch Prod - env: - EVENT_NAME: juno-prod - IMAGE_TAG: ${{ needs.docker_build_and_publish.outputs.IMAGE_TAG }} - MAINNET: apps/juno-prod/overlays/prod-mainnet/config.yaml - SEPOLIA: apps/juno-prod/overlays/prod-sepolia/config.yaml - SEPOLIA_INTEGRATION: apps/juno-prod/overlays/prod-sepolia-integration/config.yaml + - name: Setup JFrog CLI + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.JFROG_URL}} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ANGKOR_CONTRIBUTOR }} + + - name: Promote to Production run: | - curl -L \ - -X POST \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: token ${{ secrets.ACCESS_TOKEN }}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - https://api.github.com/repos/NethermindEth/argo/dispatches \ - -d 
'{"event_type": "${{ env.EVENT_NAME }}", "client_payload":{"name": "${{ env.EVENT_NAME }}", "mainnet_config": "${{ env.MAINNET }}", "sepolia_config": "${{ env.SEPOLIA }}", "sepolia_integration_config": "${{ env.SEPOLIA_INTEGRATION }}", "tag": "${{ env.IMAGE_TAG }}"}}' - + jf rt dpr juno/${{ env.DOCKER_IMAGE_TAG }} ${{ env.REPO_STAGING }} ${{ env.REPO_PROD }} + prod-starknet-rs-tests: - needs: [deploy_to_production] + needs: [promote_to_production] uses: ./.github/workflows/starknet-rs-tests.yml secrets: STARKNET_RPC: ${{ secrets.PROD_SEPOLIA_URL }}/v0_6 - + prod-starknet-js-tests: - needs: [deploy_to_production] + needs: [promote_to_production] uses: ./.github/workflows/starknet-js-tests.yml secrets: TEST_RPC_URL: ${{ secrets.PROD_SEPOLIA_URL }}/v0_7 TEST_ACCOUNT_ADDRESS: ${{ secrets.TEST_ACCOUNT_ADDRESS }} - TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }} \ No newline at end of file + TEST_ACCOUNT_PRIVATE_KEY: ${{ secrets.TEST_ACCOUNT_PRIVATE_KEY }}
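Review bot: `DOCKER_IMAGE_TAG` is exported with `>> $GITHUB_ENV` inside `build_docker_image`, but `GITHUB_ENV` only reaches later steps of the same job, so `${{ env.DOCKER_IMAGE_TAG }}` in the `Verify Deployment Version (Dev)`, `Promote to Staging` and `Promote to Production` steps expands to an empty string — the verify script receives no tag and `jf rt dpr juno/ …` runs without one. The commit removed the `IMAGE_TAG` job output that carried the tag across jobs; restoring it and referencing `needs.build_docker_image.outputs.IMAGE_TAG` in the three downstream jobs (all of which already list `build_docker_image` in `needs`) fixes this. Separately, `Login to registry` passes the token with `docker login -p`, which docker itself warns is insecure because the value is visible in the process list and shell trace; the `docker/login-action@v3` that this commit removed accepts a `registry:` input and keeps the password off the command line (or pipe it via `--password-stdin`). Note also that the same `ARTIFACTORY_ANGKOR_CONTRIBUTOR` token pushes to the dev repository from a job with no `environment:` gate and promotes to staging and production; if it is a repository-level secret rather than environment-scoped, one promote-capable credential is available before any environment approval, so separate least-privilege tokens per environment are worth considering. Minor: `${{ vars.JFROG_URL}}` in both `Setup JFrog CLI` steps is missing the space before `}}`.
```yaml
  build_docker_image:
    runs-on: ubuntu-latest
    outputs:
      IMAGE_TAG: ${{ steps.image_tag.outputs.IMAGE_TAG }}
    steps:
      # … unchanged: checkout …
      - name: Define image tag
        id: image_tag
        run: |
          echo "DOCKER_IMAGE_TAG=$(git describe --tags)" >> "$GITHUB_ENV"
          echo "IMAGE_TAG=$(git describe --tags)" >> "$GITHUB_OUTPUT"
      # … unchanged: buildx setup …
      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ vars.ARTIFACTORY_ANGKOR_USER }}
          password: ${{ secrets.ARTIFACTORY_ANGKOR_CONTRIBUTOR }}
      # … unchanged: build and push …

  validate_dev:
    # … unchanged: permissions, needs, runs-on, environment, checkout …
      - name: Verify Deployment Version (Dev)
        run: bash .github/workflow-scripts/verify_deployment.sh "${{ secrets.DEV_SEPOLIA_URL }}" "${{ needs.build_docker_image.outputs.IMAGE_TAG }}"

  promote_to_staging:
    # … unchanged: needs, runs-on, environment, JFrog CLI setup …
      - name: Promote to Staging
        run: |
          jf rt dpr "juno/${{ needs.build_docker_image.outputs.IMAGE_TAG }}" "${{ env.REPO_DEV }}" "${{ env.REPO_STAGING }}"

  promote_to_production:
    # … unchanged: needs, runs-on, environment, JFrog CLI setup …
      - name: Promote to Production
        run: |
          jf rt dpr "juno/${{ needs.build_docker_image.outputs.IMAGE_TAG }}" "${{ env.REPO_STAGING }}" "${{ env.REPO_PROD }}"
```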