diff --git a/.github/workflows/deploy-staging-network.yml b/.github/workflows/deploy-staging-network.yml
index 65f69a803f9d..25a217930bf9 100644
--- a/.github/workflows/deploy-staging-network.yml
+++ b/.github/workflows/deploy-staging-network.yml
@@ -13,6 +13,10 @@ on:
 description: 'Semver version (e.g., 2.3.4)'
 required: true
 type: string
+ ref:
+ description: 'Git ref to checkout'
+ required: false
+ type: string
 workflow_dispatch:
 inputs:
 network:
@@ -41,10 +45,9 @@ jobs:
 - name: Determine checkout ref
 id: checkout-ref
 run: |
- if [[ -n "${{ github.ref }}" ]]; then
- echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
- elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
- echo "ref=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+ # Use inputs.ref if provided (workflow_call), otherwise use github.ref
+ if [[ -n "${{ inputs.ref }}" ]]; then
+ echo "ref=${{ inputs.ref }}" >> $GITHUB_OUTPUT
 else
 echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
 fi
@@ -55,6 +58,7 @@ jobs:
 ref: ${{ steps.checkout-ref.outputs.ref }}
 fetch-depth: 0
 persist-credentials: false
+ submodules: recursive # Initialize git submodules for l1-contracts dependencies
 - name: Validate inputs
 run: |
@@ -92,6 +96,20 @@ jobs:
 run: |
 gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
+ - name: Setup gcloud and install GKE auth plugin
+ uses: google-github-actions/setup-gcloud@v2
+ with:
+ install_components: 'gke-gcloud-auth-plugin'
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
+ with:
+ terraform_version: "1.7.5"
+ terraform_wrapper: false # Disable the wrapper that adds debug output, this messes with reading terraform output
+
+ - name: Install Foundry
+ uses: foundry-rs/foundry-toolchain@v1
+
 - name: Deploy network
 if: env.MAJOR_VERSION == '2'
 env:
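Review bot: `${{ inputs.ref }}` is expanded into the `run:` script text before bash parses it, so in the "Determine checkout ref" step a ref value containing quotes, a command substitution or a newline becomes shell syntax or an extra `GITHUB_OUTPUT` entry. Pass the value through the environment instead: give the step an `env:` entry `INPUT_REF: ${{ inputs.ref }}` and write `echo "ref=${INPUT_REF}" >> "$GITHUB_OUTPUT"`. The same pattern is carried forward with `"${{ inputs.network }}"` on the new `./scripts/network_deploy.sh` line in the Deploy network hunk, which runs after the job has activated GCP credentials.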
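Review bot: Two of the three added actions are referenced by mutable tags (`google-github-actions/setup-gcloud@v2`, `foundry-rs/foundry-toolchain@v1`) while `hashicorp/setup-terraform` is pinned to a commit SHA. These steps run after the `gcloud auth activate-service-account` step shown in the context lines, so a retagged release would execute in a job that holds that service-account key. Pin both to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: google-github-actions/setup-gcloud@<full-commit-sha> # v2`, and add a version comment next to the existing Terraform SHA so reviewers can tell which release it is.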
@@ -110,7 +128,8 @@ jobs:
 echo "Using branch/ref: ${{ steps.checkout-ref.outputs.ref }}"
 cd spartan
- ./bootstrap.sh network_deploy "${{ inputs.network }}"
+ ./scripts/install_deps.sh
+ ./scripts/network_deploy.sh "${{ inputs.network }}"
 - name: Update testnet monitoring (testnet only)
 if: env.MAJOR_VERSION == '2' && inputs.network == 'testnet' && !contains(inputs.semver, '-')
diff --git a/spartan/bootstrap.sh b/spartan/bootstrap.sh
index 4a6b18c9d0d9..b467e612f232 100755
--- a/spartan/bootstrap.sh
+++ b/spartan/bootstrap.sh
@@ -7,70 +7,15 @@ hash=$(hash_str $(cache_content_hash .rebuild_patterns) $(../yarn-project/bootst
 dump_fail "flock scripts/logs/install_deps.lock retry scripts/install_deps.sh >&2"
+source ./scripts/source_env_basic.sh
+source ./scripts/source_network_env.sh
+source ./scripts/gcp_auth.sh
+
 function build {
 denoise "helm lint ./aztec-network/"
 denoise ./spartan/scripts/check_env_vars.sh
 }
-function resolve_env_file_path {
- local env_file_input="$1"
- if [[ "$env_file_input" = /* ]]; then
- echo "$env_file_input"
- else
- echo "environments/$env_file_input.env"
- fi
-}
-
-function source_env_basic {
- local env_file="$1"
- local actual_env_file=$(resolve_env_file_path "$env_file")
-
- if [[ -f "$actual_env_file" ]]; then
- echo "Loading basic environment variables from $actual_env_file"
- set -a
- # shellcheck disable=SC1090
- source "$actual_env_file"
- set +a
- else
- echo "Env file not found: $actual_env_file" >&2
- exit 1
- fi
-}
-
-function source_network_env {
- local env_file
- # Check if the argument is an absolute path
- if [[ "$1" = /* ]]; then
- env_file="$1"
- else
- env_file="environments/$1.env"
- fi
- # Optionally source an env file passed as first argument
- if [[ -n "${env_file:-}" ]]; then
- if [[ -f "$env_file" ]]; then
-
- # Standard behavior for files without GCP secrets
- set -a
- # shellcheck disable=SC1090
- source "$env_file"
- set +a
-
- # Check if we need to process GCP secrets and if we have gcloud auth
- if grep -q "REPLACE_WITH_GCP_SECRET" "$env_file" && command -v gcloud &> /dev/null; then
- echo "Environment file contains GCP secret placeholders. Processing secrets..."
-
- # Process GCP secrets
- source ./scripts/setup_gcp_secrets.sh "$env_file"
-
- echo "Successfully loaded environment with GCP secrets"
- fi
- else
- echo "Env file not found: $env_file" >&2
- exit 1
- fi
- fi
-}
-
 function network_shaping {
 namespace="$1"
 chaos_values="$2"
@@ -147,17 +92,6 @@ function stop_env {
 fi
 }
-function gcp_auth {
- # if the GCP_PROJECT_ID is set, activate the service account
- if [[ -n "${GCP_PROJECT_ID:-}" && "${CLUSTER}" != "kind" ]]; then
- echo "Activating service account"
- if [ "$CI" -eq 1 ]; then
- gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS
- fi
- gcloud config set project "$GCP_PROJECT_ID"
- gcloud container clusters get-credentials ${CLUSTER} --region=${GCP_REGION} --project=${GCP_PROJECT_ID}
- fi
-}
 function test {
 echo_header "spartan test (deprecated)"
@@ -211,17 +145,8 @@ case "$cmd" in
 shift
 env_file="$1"
- # First pass: source environment for basic variables like CLUSTER (skip GCP secret processing)
- source_env_basic "$env_file"
-
- # Perform GCP auth (needs CLUSTER and other basic vars)
- gcp_auth
-
- # Second pass: source environment with GCP secret processing
- source_network_env "$env_file"
-
- ./scripts/deploy_network.sh
- echo "Deployed network"
+ # Run the network deploy script
+ ./scripts/network_deploy.sh "$env_file"
 if [[ "${RUN_TESTS:-}" == "true" ]]; then
 echo "Running tests"
diff --git a/spartan/environments/staging-ignition.env b/spartan/environments/staging-ignition.env
index f4dcb2bf087b..90dab3a2994c 100644
--- a/spartan/environments/staging-ignition.env
+++ b/spartan/environments/staging-ignition.env
@@ -1,7 +1,7 @@
 CREATE_ETH_DEVNET=false
 GCP_REGION=us-west1-a
 CLUSTER=aztec-gke-private
-SALT=1175732591
+SALT=1175732592
 NAMESPACE=staging-ignition
 TRANSACTIONS_DISABLED=true
 TEST_ACCOUNTS=false
diff --git a/spartan/environments/staging-public.env b/spartan/environments/staging-public.env
index ee382b7e63ea..021f3f85fef8 100644
--- a/spartan/environments/staging-public.env
+++ b/spartan/environments/staging-public.env
@@ -1,7 +1,7 @@
 CREATE_ETH_DEVNET=false
 GCP_REGION=us-west1-a
 CLUSTER=aztec-gke-private
-SALT=1757376707
+SALT=1757376708
 NETWORK=staging-public
 NAMESPACE=staging-public
 ETHEREUM_CHAIN_ID=11155111
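Review bot: `./scripts/network_deploy.sh "$env_file"` runs as a child process, so variables loaded from the env file no longer reach this shell in the `network_deploy` arm of `bootstrap.sh`. The `RUN_TESTS` check directly below used to see values set by `source_network_env`; if any environment file sets `RUN_TESTS=true`, the test branch would silently stop running, which is worth confirming against the env files. The arm continues past the end of the hunk, so anything further down that reads env-file values is affected in the same way. If that state is needed, source the env here before the check, or move the test invocation into `network_deploy.sh`.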
diff --git a/spartan/scripts/deploy_network.sh b/spartan/scripts/deploy_network.sh
index 813eb227d3be..6adc9017af7a 100755
--- a/spartan/scripts/deploy_network.sh
+++ b/spartan/scripts/deploy_network.sh
@@ -208,6 +208,13 @@ fi
 DEPLOY_ROLLUP_CONTRACTS_DIR="${SCRIPT_DIR}/../terraform/deploy-rollup-contracts"
 "${SCRIPT_DIR}/override_terraform_backend.sh" "${DEPLOY_ROLLUP_CONTRACTS_DIR}" "${CLUSTER}" "${BASE_STATE_PATH}/deploy-rollup-contracts/${SALT}"
+# Handle NETWORK variable - needs quotes for string values, null for unset
+if [[ -n "${NETWORK:-}" ]]; then
+ NETWORK_TF="\"${NETWORK}\""
+else
+ NETWORK_TF=null
+fi
+
 cat > "${DEPLOY_ROLLUP_CONTRACTS_DIR}/terraform.tfvars" << EOF
 K8S_CLUSTER_CONTEXT = "${K8S_CLUSTER_CONTEXT}"
 NAMESPACE = "${NAMESPACE}"
@@ -242,7 +249,7 @@ AZTEC_GOVERNANCE_PROPOSER_ROUND_SIZE = ${AZTEC_GOVERNANCE_PROPOSER_ROUND_SIZE:-n
 AZTEC_MANA_TARGET = ${AZTEC_MANA_TARGET:-null}
 AZTEC_PROVING_COST_PER_MANA = ${AZTEC_PROVING_COST_PER_MANA:-null}
 AZTEC_EXIT_DELAY_SECONDS = ${AZTEC_EXIT_DELAY_SECONDS:-null}
-NETWORK = ${NETWORK:-null}
+NETWORK = ${NETWORK_TF}
 JOB_NAME = "deploy-rollup-contracts"
 JOB_BACKOFF_LIMIT = 3
 JOB_TTL_SECONDS_AFTER_FINISHED = 3600
@@ -317,7 +324,7 @@ OTEL_COLLECTOR_ENDPOINT = "${OTEL_COLLECTOR_ENDPOINT}"
 DEPLOY_INTERNAL_BOOTNODE = ${DEPLOY_INTERNAL_BOOTNODE:-true}
 PROVER_REAL_PROOFS = ${PROVER_REAL_PROOFS}
 TRANSACTIONS_DISABLED = ${TRANSACTIONS_DISABLED:-null}
-NETWORK = "${NETWORK:-null}"
+NETWORK = ${NETWORK_TF}
 STORE_SNAPSHOT_URL = "${STORE_SNAPSHOT_URL}"
 BOT_RESOURCE_PROFILE = "${BOT_RESOURCE_PROFILE}"
 BOT_MNEMONIC = "${LABS_INFRA_MNEMONIC}"
diff --git a/spartan/scripts/gcp_auth.sh b/spartan/scripts/gcp_auth.sh
new file mode 100755
index 000000000000..d8ab6a1f14bd
--- /dev/null
+++ b/spartan/scripts/gcp_auth.sh
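Review bot: `NETWORK_TF="\"${NETWORK}\""` wraps the raw value in quotes without escaping it, so a `NETWORK` containing `"`, `\` or a newline would end the HCL string early and the remainder would be read as further tfvars content. The value comes from sourced env files, which are presumably repo-controlled, but a guard before the heredoc keeps that assumption explicit, e.g. `[[ "${NETWORK}" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Invalid NETWORK: ${NETWORK}" >&2; exit 1; }` inside the non-empty branch. Both `NETWORK = ${NETWORK_TF}` lines in the two later hunks depend on this value. The heredocs extend beyond the hunks shown, so the other quoted entries were not reviewed.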
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+function gcp_auth {
+ # if the GCP_PROJECT_ID is set, activate the service account
+ if [[ -n "${GCP_PROJECT_ID:-}" && "${CLUSTER}" != "kind" ]]; then
+ echo "Activating service account"
+ if [[ "${CI:-}" == "1" || "${CI:-}" == "true" ]]; then
+ gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS
+ fi
+ gcloud config set project "$GCP_PROJECT_ID"
+ gcloud container clusters get-credentials ${CLUSTER} --region=${GCP_REGION} --project=${GCP_PROJECT_ID}
+ fi
+}
+
+# If script is run directly, execute the function
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ gcp_auth
+fi
diff --git a/spartan/scripts/network_deploy.sh b/spartan/scripts/network_deploy.sh
new file mode 100755
index 000000000000..c5c9a5df142e
--- /dev/null
+++ b/spartan/scripts/network_deploy.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+
+echo "Deploying network..."
+spartan=$(git rev-parse --show-toplevel)/spartan
+scripts_dir=$spartan/scripts
+
+# Source the required scripts
+source "$scripts_dir/source_env_basic.sh"
+source "$scripts_dir/source_network_env.sh"
+source "$scripts_dir/gcp_auth.sh"
+
+# Main execution
+if [[ $# -lt 1 ]]; then
+ echo "Usage: $0 " >&2
+ exit 1
+fi
+
+env_file="$1"
+
+# First pass: source environment for basic variables like CLUSTER (skip GCP secret processing)
+source_env_basic "$env_file"
+
+# Perform GCP auth (needs CLUSTER and other basic vars)
+gcp_auth
+
+# Second pass: source environment with GCP secret processing
+source_network_env "$env_file"
+
+
+$scripts_dir/deploy_network.sh
+echo "Deployed network"
diff --git a/spartan/scripts/source_env_basic.sh b/spartan/scripts/source_env_basic.sh
new file mode 100755
index 000000000000..00bc0f6e9767
--- /dev/null
+++ b/spartan/scripts/source_env_basic.sh
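Review bot: `--key-file=$GOOGLE_APPLICATION_CREDENTIALS` and the `${CLUSTER}`, `${GCP_REGION}` and `${GCP_PROJECT_ID}` arguments to `gcloud container clusters get-credentials` in `gcp_auth` are unquoted, so a path or value containing whitespace or glob characters is split into extra arguments. Quote them, e.g. `--key-file="$GOOGLE_APPLICATION_CREDENTIALS"`, as the workflow's own auth step already does. `"${CLUSTER}"` in the condition is also read without a default while `GCP_PROJECT_ID` and `CI` use `:-`, so the function aborts under `set -u` when `CLUSTER` is unset; `"${CLUSTER:-}"` would match the others. A short header comment listing the variables the function expects would help callers that source this file.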
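Review bot: `network_deploy.sh` sets no error-handling mode, so a failing `gcp_auth` or `$scripts_dir/deploy_network.sh` does not stop it: `echo "Deployed network"` still runs and the script exits 0. As a standalone script it does not inherit the shell options of the workflow step or of `bootstrap.sh`, so a failed deployment can show up as a green step. Add `set -euo pipefail` directly under the shebang (if the sourced env files do not tolerate `-u`, use `set -eo pipefail`), and quote the final call as `"$scripts_dir/deploy_network.sh"`.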
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+spartan=$(git rev-parse --show-toplevel)/spartan
+
+function resolve_env_file_path {
+ local env_file_input="$1"
+ if [[ "$env_file_input" = /* ]]; then
+ echo "$env_file_input"
+ else
+ echo "$spartan/environments/$env_file_input.env"
+ fi
+}
+
+function source_env_basic {
+ local env_file="$1"
+ local actual_env_file=$(resolve_env_file_path "$env_file")
+
+ if [[ -f "$actual_env_file" ]]; then
+ echo "Loading basic environment variables from $actual_env_file"
+ set -a
+ # shellcheck disable=SC1090
+ source "$actual_env_file"
+ set +a
+ else
+ echo "Env file not found: $actual_env_file" >&2
+ exit 1
+ fi
+}
+
+# If script is run directly with an argument, source the env file
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]] && [[ -n "$1" ]]; then
+ source_env_basic "$1"
+fi
diff --git a/spartan/scripts/source_network_env.sh b/spartan/scripts/source_network_env.sh
new file mode 100755
index 000000000000..9a99c22c5481
--- /dev/null
+++ b/spartan/scripts/source_network_env.sh
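Review bot: `source_env_basic` executes whatever file `resolve_env_file_path` returns, and that function accepts any absolute path and joins a relative name into `$spartan/environments/$env_file_input.env` without checking it. In the staging workflow the name comes from the `network` input, so a value containing `/` would select a file outside `environments/` to be sourced as shell code; whether the workflow's "Validate inputs" step restricts it is not visible in this diff. Reject names that are not plain identifiers before building the path, e.g. `[[ "$env_file_input" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Invalid env name: $env_file_input" >&2; exit 1; }`, and consider limiting the absolute-path branch to local use. `source_network_env` in `source_network_env.sh` builds the same path and has the same gap.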
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+spartan=$(git rev-parse --show-toplevel)/spartan
+
+function source_network_env {
+ local env_file
+ # Check if the argument is an absolute path
+ if [[ "$1" = /* ]]; then
+ env_file="$1"
+ else
+ env_file="$spartan/environments/$1.env"
+ fi
+ # Optionally source an env file passed as first argument
+ if [[ -n "${env_file:-}" ]]; then
+ if [[ -f "$env_file" ]]; then
+
+ # Standard behavior for files without GCP secrets
+ set -a
+ # shellcheck disable=SC1090
+ source "$env_file"
+ set +a
+
+ # Check if we need to process GCP secrets and if we have gcloud auth
+ if grep -q "REPLACE_WITH_GCP_SECRET" "$env_file" && command -v gcloud &> /dev/null; then
+ echo "Environment file contains GCP secret placeholders. Processing secrets..."
+
+ # Process GCP secrets
+ source $spartan/scripts/setup_gcp_secrets.sh "$env_file"
+
+ echo "Successfully loaded environment with GCP secrets"
+ fi
+ else
+ echo "Env file not found: $env_file" >&2
+ exit 1
+ fi
+ fi
+}
+
+# If script is run directly with an argument, source the env file
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]] && [[ -n "$1" ]]; then
+ source_network_env "$1"
+fi
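Review bot: The `[[ -n "${env_file:-}" ]]` test in `source_network_env` can never be false, because both branches above it assign a non-empty string to `env_file`; the "Optionally source" comment describes behaviour the function does not have, and a call with no argument goes on to look for `environments/.env`. Check the argument up front instead, e.g. `[[ -n "${1:-}" ]] || { echo "source_network_env: missing env name" >&2; return 1; }`. The path logic also duplicates `resolve_env_file_path` from `source_env_basic.sh`, and `source $spartan/scripts/setup_gcp_secrets.sh "$env_file"` leaves `$spartan` unquoted; `source "$spartan/scripts/setup_gcp_secrets.sh" "$env_file"` avoids word splitting on a checkout path with spaces.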