chore: Streamline staging deployments

.github/workflows/deploy-staging-network.yml

@@ -13,6 +13,10 @@ on:
         description: 'Semver version (e.g., 2.3.4)'
         required: true
         type: string
+      ref:
+        description: 'Git ref to checkout'
+        required: false
+        type: string
   workflow_dispatch:
     inputs:
       network:
@@ -41,10 +45,9 @@ jobs:
       - name: Determine checkout ref
         id: checkout-ref
         run: |
-          if [[ -n "${{ github.ref }}" ]]; then
-            echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
-          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "ref=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          # Use inputs.ref if provided (workflow_call), otherwise use github.ref
+          if [[ -n "${{ inputs.ref }}" ]]; then
+            echo "ref=${{ inputs.ref }}" >> $GITHUB_OUTPUT
           else
             echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
           fi
@@ -55,6 +58,7 @@ jobs:
           ref: ${{ steps.checkout-ref.outputs.ref }}
           fetch-depth: 0
           persist-credentials: false
+          submodules: recursive  # Initialize git submodules for l1-contracts dependencies
 
       - name: Validate inputs
         run: |
@@ -92,6 +96,20 @@ jobs:
         run: |
           gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
 
+      - name: Setup gcloud and install GKE auth plugin
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          install_components: 'gke-gcloud-auth-plugin'
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
+        with:
+          terraform_version: "1.7.5"
+          terraform_wrapper: false  # Disable the wrapper that adds debug output, this messes with reading terraform output
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
       - name: Deploy network
         if: env.MAJOR_VERSION == '2'
         env:
@@ -110,7 +128,8 @@ jobs:
           echo "Using branch/ref: ${{ steps.checkout-ref.outputs.ref }}"
 
           cd spartan
-          ./bootstrap.sh network_deploy "${{ inputs.network }}"
+          ./scripts/install_deps.sh
+          ./scripts/network_deploy.sh "${{ inputs.network }}"
 
       - name: Update testnet monitoring (testnet only)
         if: env.MAJOR_VERSION == '2' && inputs.network == 'testnet' && !contains(inputs.semver, '-')

spartan/bootstrap.sh

@@ -7,70 +7,15 @@ hash=$(hash_str $(cache_content_hash .rebuild_patterns) $(../yarn-project/bootst
 
 dump_fail "flock scripts/logs/install_deps.lock retry scripts/install_deps.sh >&2"
 
+source ./scripts/source_env_basic.sh
+source ./scripts/source_network_env.sh
+source ./scripts/gcp_auth.sh
+
 function build {
   denoise "helm lint ./aztec-network/"
   denoise ./spartan/scripts/check_env_vars.sh
 }
 
-function resolve_env_file_path {
-  local env_file_input="$1"
-  if [[ "$env_file_input" = /* ]]; then
-    echo "$env_file_input"
-  else
-    echo "environments/$env_file_input.env"
-  fi
-}
-
-function source_env_basic {
-  local env_file="$1"
-  local actual_env_file=$(resolve_env_file_path "$env_file")
-
-  if [[ -f "$actual_env_file" ]]; then
-    echo "Loading basic environment variables from $actual_env_file"
-    set -a
-    # shellcheck disable=SC1090
-    source "$actual_env_file"
-    set +a
-  else
-    echo "Env file not found: $actual_env_file" >&2
-    exit 1
-  fi
-}
-
-function source_network_env {
-  local env_file
-  # Check if the argument is an absolute path
-  if [[ "$1" = /* ]]; then
-    env_file="$1"
-  else
-    env_file="environments/$1.env"
-  fi
-  # Optionally source an env file passed as first argument
-  if [[ -n "${env_file:-}" ]]; then
-    if [[ -f "$env_file" ]]; then
-
-      # Standard behavior for files without GCP secrets
-      set -a
-      # shellcheck disable=SC1090
-      source "$env_file"
-      set +a
-
-      # Check if we need to process GCP secrets and if we have gcloud auth
-      if grep -q "REPLACE_WITH_GCP_SECRET" "$env_file" && command -v gcloud &> /dev/null; then
-        echo "Environment file contains GCP secret placeholders. Processing secrets..."
-
-        # Process GCP secrets
-        source ./scripts/setup_gcp_secrets.sh "$env_file"
-
-        echo "Successfully loaded environment with GCP secrets"
-      fi
-    else
-      echo "Env file not found: $env_file" >&2
-      exit 1
-    fi
-  fi
-}
-
 function network_shaping {
   namespace="$1"
   chaos_values="$2"
@@ -147,17 +92,6 @@ function stop_env {
   fi
 }
 
-function gcp_auth {
-  # if the GCP_PROJECT_ID is set, activate the service account
-  if [[ -n "${GCP_PROJECT_ID:-}" && "${CLUSTER}" != "kind" ]]; then
-    echo "Activating service account"
-    if [ "$CI" -eq 1 ]; then
-      gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS
-    fi
-    gcloud config set project "$GCP_PROJECT_ID"
-    gcloud container clusters get-credentials ${CLUSTER} --region=${GCP_REGION} --project=${GCP_PROJECT_ID}
-  fi
-}
 
 function test {
   echo_header "spartan test (deprecated)"
@@ -211,17 +145,8 @@ case "$cmd" in
     shift
     env_file="$1"
 
-    # First pass: source environment for basic variables like CLUSTER (skip GCP secret processing)
-    source_env_basic "$env_file"
-
-    # Perform GCP auth (needs CLUSTER and other basic vars)
-    gcp_auth
-
-    # Second pass: source environment with GCP secret processing
-    source_network_env "$env_file"
-
-    ./scripts/deploy_network.sh
-    echo "Deployed network"
+    # Run the network deploy script
+    ./scripts/network_deploy.sh "$env_file"
 
     if [[ "${RUN_TESTS:-}" == "true" ]]; then
       echo "Running tests"

spartan/environments/staging-ignition.env

@@ -1,7 +1,7 @@
 CREATE_ETH_DEVNET=false
 GCP_REGION=us-west1-a
 CLUSTER=aztec-gke-private
-SALT=1175732591
+SALT=1175732592
 NAMESPACE=staging-ignition
 TRANSACTIONS_DISABLED=true
 TEST_ACCOUNTS=false

spartan/environments/staging-public.env

@@ -1,7 +1,7 @@
 CREATE_ETH_DEVNET=false
 GCP_REGION=us-west1-a
 CLUSTER=aztec-gke-private
-SALT=1757376707
+SALT=1757376708
 NETWORK=staging-public
 NAMESPACE=staging-public
 ETHEREUM_CHAIN_ID=11155111

spartan/scripts/deploy_network.sh

@@ -208,6 +208,13 @@ fi
 DEPLOY_ROLLUP_CONTRACTS_DIR="${SCRIPT_DIR}/../terraform/deploy-rollup-contracts"
 "${SCRIPT_DIR}/override_terraform_backend.sh" "${DEPLOY_ROLLUP_CONTRACTS_DIR}" "${CLUSTER}" "${BASE_STATE_PATH}/deploy-rollup-contracts/${SALT}"
 
+# Handle NETWORK variable - needs quotes for string values, null for unset
+if [[ -n "${NETWORK:-}" ]]; then
+  NETWORK_TF="\"${NETWORK}\""
+else
+  NETWORK_TF=null
+fi
+
 cat > "${DEPLOY_ROLLUP_CONTRACTS_DIR}/terraform.tfvars" << EOF
 K8S_CLUSTER_CONTEXT = "${K8S_CLUSTER_CONTEXT}"
 NAMESPACE = "${NAMESPACE}"
@@ -242,7 +249,7 @@ AZTEC_GOVERNANCE_PROPOSER_ROUND_SIZE = ${AZTEC_GOVERNANCE_PROPOSER_ROUND_SIZE:-n
 AZTEC_MANA_TARGET = ${AZTEC_MANA_TARGET:-null}
 AZTEC_PROVING_COST_PER_MANA = ${AZTEC_PROVING_COST_PER_MANA:-null}
 AZTEC_EXIT_DELAY_SECONDS = ${AZTEC_EXIT_DELAY_SECONDS:-null}
-NETWORK = ${NETWORK:-null}
+NETWORK = ${NETWORK_TF}
 JOB_NAME = "deploy-rollup-contracts"
 JOB_BACKOFF_LIMIT = 3
 JOB_TTL_SECONDS_AFTER_FINISHED = 3600
@@ -317,7 +324,7 @@ OTEL_COLLECTOR_ENDPOINT = "${OTEL_COLLECTOR_ENDPOINT}"
 DEPLOY_INTERNAL_BOOTNODE = ${DEPLOY_INTERNAL_BOOTNODE:-true}
 PROVER_REAL_PROOFS = ${PROVER_REAL_PROOFS}
 TRANSACTIONS_DISABLED = ${TRANSACTIONS_DISABLED:-null}
-NETWORK = "${NETWORK:-null}"
+NETWORK = ${NETWORK_TF}
 STORE_SNAPSHOT_URL = "${STORE_SNAPSHOT_URL}"
 BOT_RESOURCE_PROFILE = "${BOT_RESOURCE_PROFILE}"
 BOT_MNEMONIC = "${LABS_INFRA_MNEMONIC}"

spartan/scripts/gcp_auth.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+function gcp_auth {
+  # if the GCP_PROJECT_ID is set, activate the service account
+  if [[ -n "${GCP_PROJECT_ID:-}" && "${CLUSTER}" != "kind" ]]; then
+    echo "Activating service account"
+    if [[ "${CI:-}" == "1" || "${CI:-}" == "true" ]]; then
+      gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS
+    fi
+    gcloud config set project "$GCP_PROJECT_ID"
+    gcloud container clusters get-credentials ${CLUSTER} --region=${GCP_REGION} --project=${GCP_PROJECT_ID}
+  fi
+}
+
+# If script is run directly, execute the function
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+  gcp_auth
+fi

spartan/scripts/network_deploy.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+
+echo "Deploying network..."
+spartan=$(git rev-parse --show-toplevel)/spartan
+scripts_dir=$spartan/scripts
+
+# Source the required scripts
+source "$scripts_dir/source_env_basic.sh"
+source "$scripts_dir/source_network_env.sh"
+source "$scripts_dir/gcp_auth.sh"
+
+# Main execution
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <env_file>" >&2
+  exit 1
+fi
+
+env_file="$1"
+
+# First pass: source environment for basic variables like CLUSTER (skip GCP secret processing)
+source_env_basic "$env_file"
+
+# Perform GCP auth (needs CLUSTER and other basic vars)
+gcp_auth
+
+# Second pass: source environment with GCP secret processing
+source_network_env "$env_file"
+
+
+$scripts_dir/deploy_network.sh
+echo "Deployed network"

spartan/scripts/source_env_basic.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+spartan=$(git rev-parse --show-toplevel)/spartan
+
+function resolve_env_file_path {
+  local env_file_input="$1"
+  if [[ "$env_file_input" = /* ]]; then
+    echo "$env_file_input"
+  else
+    echo "$spartan/environments/$env_file_input.env"
+  fi
+}
+
+function source_env_basic {
+  local env_file="$1"
+  local actual_env_file=$(resolve_env_file_path "$env_file")
+
+  if [[ -f "$actual_env_file" ]]; then
+    echo "Loading basic environment variables from $actual_env_file"
+    set -a
+    # shellcheck disable=SC1090
+    source "$actual_env_file"
+    set +a
+  else
+    echo "Env file not found: $actual_env_file" >&2
+    exit 1
+  fi
+}
+
+# If script is run directly with an argument, source the env file
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]] && [[ -n "$1" ]]; then
+  source_env_basic "$1"
+fi

spartan/scripts/source_network_env.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+spartan=$(git rev-parse --show-toplevel)/spartan
+
+function source_network_env {
+  local env_file
+  # Check if the argument is an absolute path
+  if [[ "$1" = /* ]]; then
+    env_file="$1"
+  else
+    env_file="$spartan/environments/$1.env"
+  fi
+  # Optionally source an env file passed as first argument
+  if [[ -n "${env_file:-}" ]]; then
+    if [[ -f "$env_file" ]]; then
+
+      # Standard behavior for files without GCP secrets
+      set -a
+      # shellcheck disable=SC1090
+      source "$env_file"
+      set +a
+
+      # Check if we need to process GCP secrets and if we have gcloud auth
+      if grep -q "REPLACE_WITH_GCP_SECRET" "$env_file" && command -v gcloud &> /dev/null; then
+        echo "Environment file contains GCP secret placeholders. Processing secrets..."
+
+        # Process GCP secrets
+        source $spartan/scripts/setup_gcp_secrets.sh "$env_file"
+
+        echo "Successfully loaded environment with GCP secrets"
+      fi
+    else
+      echo "Env file not found: $env_file" >&2
+      exit 1
+    fi
+  fi
+}
+
+# If script is run directly with an argument, source the env file
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]] && [[ -n "$1" ]]; then
+  source_network_env "$1"
+fi