From 070ffef1d189b0fb5eb8f84f9abca8813d27b78f Mon Sep 17 00:00:00 2001
From: falcorocks <14293929+falcorocks@users.noreply.github.com>
Date: Thu, 4 Dec 2025 15:03:34 +0100
Subject: [PATCH] ci(GHA): fix tag builds & reduce permissions around forks

---
 .github/actions/docker-build-prep/action.yml | 40 ++++++
 .github/workflows/branches.yaml | 122 +++++++++++++++++++
 .github/workflows/protected.yaml | 82 ------------
 .github/workflows/tags.yaml | 53 ++++++++
 .github/workflows/unprotected.yaml | 87 ------------
 5 files changed, 215 insertions(+), 169 deletions(-)
 create mode 100644 .github/actions/docker-build-prep/action.yml
 create mode 100644 .github/workflows/branches.yaml
 delete mode 100644 .github/workflows/protected.yaml
 create mode 100644 .github/workflows/tags.yaml
 delete mode 100644 .github/workflows/unprotected.yaml

diff --git a/.github/actions/docker-build-prep/action.yml b/.github/actions/docker-build-prep/action.yml
new file mode 100644
index 00000000000..8f44ee69ea2
--- /dev/null
+++ b/.github/actions/docker-build-prep/action.yml
@@ -0,0 +1,40 @@
+name: 'Docker Build Prep'
+description: 'Prepare environment for docker builds (checkout, kona version, git versions)'
+
+outputs:
+  versions:
+    description: 'JSON object mapping image names to their GIT_VERSION'
+    value: ${{ steps.compute_versions.outputs.versions }}
+  kona_version:
+    description: 'KONA_VERSION from kona/version.json'
+    value: ${{ steps.kona.outputs.version }}
+  date:
+    description: 'Current date in YYYYMMDD format'
+    value: ${{ steps.date.outputs.date }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Get date
+      id: date
+      shell: bash
+      run: |
+        DATE=$(date +%Y%m%d)
+        echo "date=$DATE" >> $GITHUB_OUTPUT
+
+    - name: Read KONA_VERSION from kona/version.json
+      id: kona
+      shell: bash
+      run: |
+        KONA_VERSION=$(jq -r .version kona/version.json)
+        echo "version=$KONA_VERSION" >> $GITHUB_OUTPUT
+        echo "KONA_VERSION: $KONA_VERSION"
+
+    - name: Compute GIT_VERSION for all images
+      id: compute_versions
+      shell: bash
+      run: |
+        VERSIONS=$(GIT_COMMIT="${{ github.sha }}" make compute-git-versions)
+        echo "versions=$VERSIONS" >> $GITHUB_OUTPUT
+        echo "Computed versions: $VERSIONS"
+
diff --git a/.github/workflows/branches.yaml b/.github/workflows/branches.yaml
new file mode 100644
index 00000000000..ff1b7de0306
--- /dev/null
+++ b/.github/workflows/branches.yaml
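Review bot: The `Compute GIT_VERSION for all images` step writes `$VERSIONS` to `$GITHUB_OUTPUT` without checking that it is a single line of valid JSON, even though every consumer of the `versions` output feeds it to `fromJson(...)`. `$GITHUB_OUTPUT` is parsed line by line, so a multi-line or non-JSON result (an extra line printed by `make`, for example) either yields a value that breaks `fromJson` in the calling job or lands as an unexpected `name=value` line of this step; in `branches.yaml` this action also runs for fork PRs, where `make compute-git-versions` and `kona/version.json` come from the PR author's tree, so the failure should be explicit here rather than downstream. Validate and compact in place, `VERSIONS=$(GIT_COMMIT="${{ github.sha }}" make compute-git-versions | jq -ce .)`, and likewise `KONA_VERSION=$(jq -re .version kona/version.json)` so a missing key fails the step instead of emitting the string `null`; `"$GITHUB_OUTPUT"` should be quoted in all three steps. The `description:` says the action performs a checkout, but no step here does — both callers run `actions/checkout` themselves — so it should read `'Prepare environment for docker builds (date, kona version, git versions); expects the repo to be checked out'`.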
@@ -0,0 +1,122 @@
+name: branch build
+
+on:
+  push:
+    branches:
+      - 'develop'
+  pull_request:
+    branches:
+      - 'develop'
+    paths:
+      - 'ops/docker/**'
+      - 'packages/contracts-bedrock/**'
+      - 'docker-bake.hcl'
+      - '.github/workflows/branches.yaml'
+      - 'ops/scripts/compute-git-versions.sh'
+
+jobs:
+  prep:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      versions: ${{ steps.prep.outputs.versions }}
+      kona_version: ${{ steps.prep.outputs.kona_version }}
+      date: ${{ steps.prep.outputs.date }}
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2
+        with:
+          egress-policy: audit
+      - name: Checkout
+        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/docker-build-prep
+        id: prep
+
+  local:
+    needs: prep
+    # only build if push to develop, or PR from a local branch (not a fork)
+    if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+    strategy:
+      fail-fast: false
+      matrix:
+        image_name:
+          - op-node
+          - op-batcher
+          - op-deployer
+          - op-faucet
+          - op-program
+          - op-proposer
+          - op-challenger
+          - op-dispute-mon
+          - op-conductor
+          - da-server
+          - op-supervisor
+          - op-supernode
+          - op-test-sequencer
+          - cannon
+          - op-dripper
+          - op-interop-mon
+    uses: ethereum-optimism/factory/.github/workflows/docker.yaml@d04222c229c50320f513afe678b3264869ea11a9
+    with:
+      mode: bake
+      image_name: ${{ matrix.image_name }}
+      bake_file: docker-bake.hcl
+      target: ${{ matrix.image_name }}
+      tag: ${{ github.event_name == 'push' && 'develop' || format('pr-{0}', github.event.pull_request.number) }}
+      gcp_project_id: ${{ vars.GCP_PROJECT_ID_OPLABS_TOOLS_ARTIFACTS }}
+      registry: us-docker.pkg.dev/oplabs-tools-artifacts/oss
+      env: |
+        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[matrix.image_name] }}
+        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
+      set: |
+        *.args.GIT_COMMIT=${{ github.sha }}
+        *.args.GIT_DATE=${{ needs.prep.outputs.date }}
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+
+  fork:
+    needs: prep
+    # only build if PR from a fork
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository
+    strategy:
+      fail-fast: false
+      matrix:
+        image_name:
+          - op-node
+          - op-batcher
+          - op-deployer
+          - op-faucet
+          - op-program
+          - op-proposer
+          - op-challenger
+          - op-dispute-mon
+          - op-conductor
+          - da-server
+          - op-supervisor
+          - op-supernode
+          - op-test-sequencer
+          - cannon
+          - op-dripper
+          - op-interop-mon
+    uses: ethereum-optimism/factory/.github/workflows/docker.yaml@d04222c229c50320f513afe678b3264869ea11a9
+    with:
+      mode: bake
+      image_name: ${{ matrix.image_name }}
+      bake_file: docker-bake.hcl
+      target: ${{ matrix.image_name }}
+      tag: 24h
+      registry: ttl.sh/${{ github.sha }}
+      env: |
+        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[matrix.image_name] }}
+        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
+      set: |
+        *.args.GIT_COMMIT=${{ github.sha }}
+        *.args.GIT_DATE=${{ needs.prep.outputs.date }}
+    permissions:
+      contents: read
+
diff --git a/.github/workflows/protected.yaml b/.github/workflows/protected.yaml
deleted file mode 100644
index d4bb7ebedb9..00000000000
--- a/.github/workflows/protected.yaml
+++ /dev/null
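Review bot: In the `fork` job the `env:` values `GIT_VERSION` and `KONA_VERSION` come from `needs.prep.outputs.versions` and `kona_version`, which `prep` computes by running `make compute-git-versions` and reading `kona/version.json` from the PR checkout; for a fork PR that content is chosen by the PR author and is spliced as raw text into the multi-line `env` input of the reusable workflow, so a newline inside a version string would append further `KEY=VALUE` lines. Cutting that job down to `contents: read` and pushing only to `ttl.sh` bounds the impact to the runner and a throwaway image, which is the right call, but how `inputs.env` is consumed inside `docker.yaml@d04222c` is not visible here and it must not be interpolated into a `run:` script there. It would be safer to have `prep` reject anything that is not a single-line JSON object before it becomes an output (e.g. `| jq -ce .` on the `make` result in the composite action), so malformed values never reach the reusable workflow. The `local` job's `if:` correctly limits `id-token: write` and `attestations: write` to same-repository heads; as a style point, the identical 16-entry matrix is now duplicated in both jobs and will drift unless the list is kept in one place.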
@@ -1,82 +0,0 @@
-name: bake
-
-on:
-  push:
-    tags:
-      - '*'
-    branches:
-      - 'develop'
-
-jobs:
-  prep:
-    runs-on: ubuntu-latest
-    outputs:
-      sanitised_ref_name: ${{ steps.sanitize.outputs.ref_name }}
-      versions: ${{ steps.compute_versions.outputs.versions }}
-      kona_version: ${{ steps.kona.outputs.version }}
-    steps:
-      - name: harden-runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2
-        with:
-          egress-policy: audit
-      - name: Checkout
-        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6
-        with:
-          fetch-depth: 0 # Need full history for git tag operations
-      - name: Sanitize ref_name
-        id: sanitize
-        run: echo "ref_name=$(echo ${{ github.ref_name }} | sed 's/[^a-zA-Z0-9.]/-/g')" >> $GITHUB_OUTPUT
-      - name: Read KONA_VERSION from kona/version.json
-        id: kona
-        run: |
-          KONA_VERSION=$(jq -r .version kona/version.json)
-          echo "version=$KONA_VERSION" >> $GITHUB_OUTPUT
-          echo "KONA_VERSION: $KONA_VERSION"
-      - name: Compute GIT_VERSION for all images
-        id: compute_versions
-        run: |
-          VERSIONS=$(GIT_COMMIT="${{ github.sha }}" make compute-git-versions)
-          echo "versions=$VERSIONS" >> $GITHUB_OUTPUT
-          echo "Computed versions: $VERSIONS"
-
-  build:
-    needs: prep
-    strategy:
-      fail-fast: false
-      matrix:
-        image_name:
-          - op-node
-          - op-batcher
-          - op-deployer
-          - op-faucet
-          - op-program
-          - op-proposer
-          - op-challenger
-          - op-dispute-mon
-          - op-conductor
-          - da-server
-          - op-supervisor
-          - op-supernode
-          - op-test-sequencer
-          - cannon
-          - op-dripper
-          - op-interop-mon
-    uses: ethereum-optimism/factory/.github/workflows/docker-bake.yaml@f08b1f0c47f15b3c95dc9811fb09c1d8ed3436bd
-    with:
-      image_name: ${{ matrix.image_name }}
-      bake_file: docker-bake.hcl
-      target: ${{ matrix.image_name }}
-      tag: ${{ needs.prep.outputs.sanitised_ref_name }}
-      gcp_project_id: ${{ vars.GCP_PROJECT_ID_OPLABS_TOOLS_ARTIFACTS }}
-      registry: us-docker.pkg.dev/oplabs-tools-artifacts/oss
-      attest: true
-      env: |
-        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[matrix.image_name] }}
-        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
-      set: |
-        *.args.GIT_COMMIT=${{ github.sha }}
-        *.args.GIT_DATE=${{ github.event.head_commit.timestamp }}
-    permissions:
-      contents: read
-      id-token: write
-      attestations: write
diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml
new file mode 100644
index 00000000000..dc5dd5984e8
--- /dev/null
+++ b/.github/workflows/tags.yaml
@@ -0,0 +1,53 @@
+name: tag build
+
+on:
+  push:
+    tags:
+      - '*/v*' # Match tags like op-node/v1.2.3
+
+jobs:
+  prep:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      image_name: ${{ steps.parse-tag.outputs.image_name }}
+      version: ${{ steps.parse-tag.outputs.version }}
+      versions: ${{ steps.prep.outputs.versions }}
+      kona_version: ${{ steps.prep.outputs.kona_version }}
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2
+        with:
+          egress-policy: audit
+      - name: Checkout
+        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6
+        with:
+          fetch-depth: 0
+      - uses: ./.github/actions/docker-build-prep
+        id: prep
+      - name: Parse tag
+        uses: ethereum-optimism/factory/actions/parse-tag@240b16167a5f5aa789270fa9c0efbfa9f010b7e7
+        id: parse-tag
+
+  release:
+    needs: prep
+    uses: ethereum-optimism/factory/.github/workflows/docker.yaml@d04222c229c50320f513afe678b3264869ea11a9
+    with:
+      mode: bake
+      image_name: ${{ needs.prep.outputs.image_name }}
+      bake_file: docker-bake.hcl
+      target: ${{ needs.prep.outputs.image_name }}
+      tag: ${{ needs.prep.outputs.version }}
+      gcp_project_id: ${{ vars.GCP_PROJECT_ID_OPLABS_TOOLS_ARTIFACTS }}
+      registry: us-docker.pkg.dev/oplabs-tools-artifacts/oss
+      env: |
+        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[needs.prep.outputs.image_name] }}
+        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
+      set: |
+        *.args.GIT_COMMIT=${{ github.sha }}
+        *.args.GIT_DATE=${{ github.event.head_commit.timestamp }}
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
diff --git a/.github/workflows/unprotected.yaml b/.github/workflows/unprotected.yaml
deleted file mode 100644
index 5deae0eff19..00000000000
--- a/.github/workflows/unprotected.yaml
+++ /dev/null
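Review bot: `needs.prep.outputs.image_name` is taken straight from the external `parse-tag` action and used unchecked as the bake `target`, the `image_name`, and the key into the versions map, in a job that holds `id-token: write` and `attestations: write` and publishes to the production registry. Any pushed tag matching `*/v*` whose prefix is not a known image makes `fromJson(needs.prep.outputs.versions)[...]` evaluate to an empty `GIT_VERSION` and then either fails the bake or, if the target happens to exist, produces an attested image built with an empty version; the old workflow's explicit `Sanitize ref_name` step is gone, so the only validation of the tag now lives in the pinned action whose behaviour is not visible here. Add a guard step after `Parse tag` that fails unless the parsed image is a key of the computed versions map (passing both values through `env:` rather than interpolating `${{ }}` into the script), and pair the `*/v*` trigger with a tag protection ruleset so only release managers can create matching tags. Note also that `GIT_DATE` here is `github.event.head_commit.timestamp` while `branches.yaml` passes a `YYYYMMDD` build date — presumably intentional, but worth a one-line comment (`# GIT_DATE: commit timestamp for releases, build date for branch builds`) so the two formats are not unified by accident.
```yaml
        id: parse-tag
      - name: Check parsed image is a known bake target
        env:
          IMAGE_NAME: ${{ steps.parse-tag.outputs.image_name }}
          VERSIONS: ${{ steps.prep.outputs.versions }}
        run: |
          if ! jq -e --arg n "$IMAGE_NAME" 'has($n)' <<<"$VERSIONS" >/dev/null; then
            echo "::error::tag names unknown image '$IMAGE_NAME'"
            exit 1
          fi
# … unchanged: release job …
```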
@@ -1,87 +0,0 @@
-name: bake (PR)
-
-on:
-  pull_request:
-    branches:
-      - 'develop'
-    paths:
-      - 'ops/docker/**'
-      - 'packages/contracts-bedrock/**'
-      - 'docker-bake.hcl'
-      - '.github/workflows/unprotected.yaml'
-      - 'ops/scripts/compute-git-versions.sh'
-
-jobs:
-  prep:
-    runs-on: ubuntu-latest
-    outputs:
-      versions: ${{ steps.compute_versions.outputs.versions }}
-      kona_version: ${{ steps.kona.outputs.version }}
-      date: ${{ steps.date.outputs.date }}
-    steps:
-      - name: Get date
-        id: date
-        run: |
-          DATE=$(date +%Y%m%d)
-          echo "date=$DATE" >> $GITHUB_OUTPUT
-      - name: harden-runner
-        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2
-        with:
-          egress-policy: audit
-      - name: Checkout
-        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6
-        with:
-          fetch-depth: 0 # Need full history for git tag operations
-      - name: Read KONA_VERSION from kona/version.json
-        id: kona
-        run: |
-          KONA_VERSION=$(jq -r .version kona/version.json)
-          echo "version=$KONA_VERSION" >> $GITHUB_OUTPUT
-          echo "KONA_VERSION: $KONA_VERSION"
-      - name: Compute GIT_VERSION for all images
-        id: compute_versions
-        run: |
-          VERSIONS=$(GIT_COMMIT="${{ github.sha }}" make compute-git-versions)
-          echo "versions=$VERSIONS" >> $GITHUB_OUTPUT
-          echo "Computed versions: $VERSIONS"
-
-  build:
-    needs: prep
-    strategy:
-      fail-fast: false
-      matrix:
-        image_name:
-          - op-node
-          - op-batcher
-          - op-deployer
-          - op-faucet
-          - op-program
-          - op-proposer
-          - op-challenger
-          - op-dispute-mon
-          - op-conductor
-          - da-server
-          - op-supervisor
-          - op-supernode
-          - op-test-sequencer
-          - cannon
-          - op-dripper
-          - op-interop-mon
-    uses: ethereum-optimism/factory/.github/workflows/docker-bake.yaml@f08b1f0c47f15b3c95dc9811fb09c1d8ed3436bd
-    with:
-      image_name: ${{ matrix.image_name }}
-      bake_file: docker-bake.hcl
-      target: ${{ matrix.image_name }}
-      tag: 24h
-      registry: ttl.sh/${{ github.sha }}
-      attest: false
-      env: |
-        GIT_VERSION=${{ fromJson(needs.prep.outputs.versions)[matrix.image_name] }}
-        KONA_VERSION=${{ needs.prep.outputs.kona_version }}
-      set: |
-        *.args.GIT_COMMIT=${{ github.sha }}
-        *.args.GIT_DATE=${{ needs.prep.outputs.date }}
-    permissions:
-      contents: read
-      id-token: write
-      attestations: write