diff --git a/.github/workflows/release-10_branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml index 7182feba48793..c5893db5af11b 100644 --- a/.github/workflows/release-10_branchoff-stable.yml +++ b/.github/workflows/release-10_branchoff-stable.yml @@ -37,15 +37,18 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_NODE_VERSION: ${{ inputs.node_version }} + INPUT_STABLE_VERSION: ${{ inputs.stable_version }} run: | . ./.github/scripts/common/lib.sh - if [ -n "${{ inputs.node_version }}" ]; then - node_version=$(filter_version_from_input "${{ inputs.node_version }}") + if [ -n "$INPUT_NODE_VERSION" ]; then + node_version=$(filter_version_from_input "$INPUT_NODE_VERSION") echo "node_version=${node_version}" >> $GITHUB_OUTPUT fi - stable_version=$(validate_stable_tag ${{ inputs.stable_version }}) + stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION") echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT create-stable-branch: @@ -103,10 +106,10 @@ jobs: - name: Bump versions, reorder prdocs and push stable branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }} run: | . ./.github/scripts/release/release_lib.sh - NODE_VERSION="${{ needs.validate-inputs.outputs.node_version }}" NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\"" set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs" commit_with_message "Bump node version to $NODE_VERSION in polkadot-cli" 
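Review bot: In the `Bump versions, reorder prdocs and push stable branch` step, `$NODE_VERSION` is still expanded unquoted in `set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs"`, so moving the value into `env:` removes the template expansion but not word splitting. The `Validate inputs` step only writes `node_version` when the input is non-empty, so an empty value here would drop the argument and shift the file path into its position, unless a condition outside the hunk prevents that. Quote it: `set_version "$NODE_VERSION_PATTERN" "$NODE_VERSION" "polkadot/node/primitives/src/lib.rs"`. The step's script continues past the end of the hunk.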
@@ -127,12 +130,14 @@ jobs: if: ${{ inputs.tag_rc }} env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} # or use a PAT with workflow scope + STABLE_VERSION: ${{ needs.validate-inputs.outputs.stable_version }} + GH_REPOSITORY: ${{ github.repository }} run: | - stable_tag_base=polkadot-${{ needs.validate-inputs.outputs.stable_version }} + stable_tag_base="polkadot-${STABLE_VERSION}" gh workflow run release-11_rc-automation.yml \ - --repo ${{ github.repository }} \ - --ref ${{ needs.validate-inputs.outputs.stable_version }} \ - --field version=${stable_tag_base} + --repo "$GH_REPOSITORY" \ + --ref "$STABLE_VERSION" \ + --field version="${stable_tag_base}" tag-rc-without-branchoff: if: ${{ !inputs.is_new_stable && inputs.tag_rc }} diff --git a/.github/workflows/release-11_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml index 459f80a103081..3ef1baa616d9b 100644 --- a/.github/workflows/release-11_rc-automation.yml +++ b/.github/workflows/release-11_rc-automation.yml @@ -64,14 +64,16 @@ jobs: # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }} id: compute_tag shell: bash + env: + INPUT_VERSION: ${{ inputs.version }} run: | . ./.github/scripts/common/lib.sh # Get last rc tag if exists, else set it to {version}-rc1 - if [[ -z "${{ inputs.version }}" ]]; then + if [[ -z "$INPUT_VERSION" ]]; then version=v$(get_polkadot_node_version_from_code) else - version=$(validate_stable_tag ${{ inputs.version }}) + version=$(validate_stable_tag "$INPUT_VERSION") fi echo "$version" echo "version=$version" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index a53b3b2a3a6a7..f98ec9359df84 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml 
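Review bot: `GH_REPOSITORY: ${{ github.repository }}` in this step's `env:` duplicates a variable the runner already exports, since `GITHUB_REPOSITORY` holds the same value and the patch itself relies on the runner-provided `GITHUB_WORKSPACE` in release-30. Using `--repo "$GITHUB_REPOSITORY"` would drop the extra mapping. The same applies to `GH_REF_NAME`, `BRANCH_NAME` and `GH_REPOSITORY_OWNER` in release-30 and release-60, which mirror `GITHUB_REF_NAME` and `GITHUB_REPOSITORY_OWNER`. If the explicit mappings are kept for readability, a one-line comment saying so would keep later edits consistent.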
@@ -51,10 +51,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-polkadot-binary: diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index 6e6d5ebd3ba67..764e7e2657b22 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -70,10 +70,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index 6537ad5d5af0e..a82df10ff212b 100644 --- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml @@ -71,10 +71,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes-flow: diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index 783e2b35ae478..230de26607cf3 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml 
@@ -74,10 +74,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT @@ -106,10 +108,11 @@ jobs: if: ${{ inputs.no_runtimes == false && inputs.crates_only == false }} env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} run: | - mkdir -p ${{ github.workspace}}/runtimes/ - gh run download ${{ inputs.build_run_id }} --dir ${{ github.workspace}}/runtimes - ls -la ${{ github.workspace}}/runtimes + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" - name: Prepare tooling run: | @@ -131,6 +134,7 @@ jobs: RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} NO_RUNTIMES: ${{ inputs.no_runtimes }} CRATES_ONLY: ${{ inputs.crates_only }} + GH_REF_NAME: ${{ github.ref_name }} shell: bash run: | . ./.github/scripts/common/lib.sh @@ -139,7 +143,7 @@ jobs: export REF1=$(get_latest_release_tag) if [[ -z "$RELEASE_TAG" ]]; then - export REF2="${{ github.ref_name }}" + export REF2="${GH_REF_NAME}" echo "REF2: ${REF2}" else export REF2="$RELEASE_TAG" 
@@ -203,28 +207,32 @@ jobs: - name: Download runtimes env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} run: | - mkdir -p ${{ github.workspace}}/runtimes/ - gh run download ${{ inputs.build_run_id }} --dir ${{ github.workspace}}/runtimes - ls -la ${{ github.workspace}}/runtimes + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" - name: Get runtime info env: + CHAIN: ${{ matrix.chain }} JSON: ${{ github.workspace}}/release-notes-context/runtimes/${{ matrix.chain }}-runtime/${{ matrix.chain }}-srtool-digest.json run: | - cd ${{ github.workspace}}/runtimes - >>$GITHUB_ENV echo ASSET=$(find ${{ matrix.chain }}-runtime -name '*.compact.compressed.wasm') + cd "${GITHUB_WORKSPACE}/runtimes" + >>$GITHUB_ENV echo ASSET=$(find "${CHAIN}-runtime" -name '*.compact.compressed.wasm') >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm working-directory: ${{ github.workspace}}/runtimes env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + CHAIN: ${{ matrix.chain }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} run: | - VERSIONED_ASSET="${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" + VERSIONED_ASSET="${CHAIN}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" mv "${{ env.ASSET }}" "$VERSIONED_ASSET" - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk "$VERSIONED_ASSET" publish-release-artifacts: 
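Review bot: The `Upload compressed ... wasm` step still expands `${{ env.SPEC }}` and `${{ env.ASSET }}` inside the `run:` script, so these two values are still pasted into the shell source before bash parses it. Both are written to `$GITHUB_ENV` by the previous step from a `find` result and a `jq` read of the downloaded digest JSON, that is, from artifact contents rather than from validated inputs. They are already environment variables by then, so `VERSIONED_ASSET="${CHAIN}_runtime-v${SPEC}.compact.compressed.wasm"` and `mv "$ASSET" "$VERSIONED_ASSET"` work without the template. In `Get runtime info` the `$(find ...)` and `$(<${JSON} jq ...)` substitutions are also unquoted when written to `$GITHUB_ENV`; quoting them and failing when `find` returns more than one path would keep a stray newline from adding extra entries there.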
@@ -243,23 +251,28 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Fetch binaries from s3 based on version + env: + VERSION: ${{ needs.validate-inputs.outputs.release_tag }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.release_tag }}" - fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} + fetch_release_artifacts_from_s3 "$BINARY" "$TARGET" - name: Rename aarch64-apple-darwin binaries if: ${{ matrix.target == 'aarch64-apple-darwin' }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + env: + BINARY: ${{ matrix.binary }} run: | . ../../../.github/scripts/common/lib.sh - mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin - mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc + mv "$BINARY" "${BINARY}-aarch64-apple-darwin" + mv "${BINARY}.asc" "${BINARY}-aarch64-apple-darwin.asc" - sha256sum "${{ matrix.binary }}-aarch64-apple-darwin" | tee "${{ matrix.binary }}-aarch64-apple-darwin.sha256" - check_sha256 "${{ matrix.binary }}-aarch64-apple-darwin" && echo "OK" || echo "ERR" + sha256sum "${BINARY}-aarch64-apple-darwin" | tee "${BINARY}-aarch64-apple-darwin.sha256" + check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR" - name: Generate content write token for the release automation id: generate_write_token 
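Review bot: `check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR"` in the rename step always exits 0, so a failed checksum only prints `ERR` and the job carries on towards the upload. If the check is meant to gate the release, let it fail the step: `check_sha256 "${BINARY}-aarch64-apple-darwin" || { echo "ERR"; exit 1; }`. The `.sha256` file is also generated on the line just before from the same renamed file, so the check presumably compares the binary with a digest of itself; a comment stating what it is meant to verify would help.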
@@ -273,20 +286,23 @@ jobs: - name: Upload ${{ matrix.binary }} binary to release draft env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} run: | - if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + if [[ "$TARGET" == "aarch64-apple-darwin" ]]; then + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }}-aarch64-apple-darwin \ - ${{ matrix.binary }}-aarch64-apple-darwin.asc \ - ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + "${BINARY}-aarch64-apple-darwin" \ + "${BINARY}-aarch64-apple-darwin.asc" \ + "${BINARY}-aarch64-apple-darwin.sha256" else - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }} \ - ${{ matrix.binary }}.asc \ - ${{ matrix.binary }}.sha256 + "$BINARY" \ + "${BINARY}.asc" \ + "${BINARY}.sha256" fi post_to_matrix: diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index 2938fdf513f59..3e3e9b7a39b48 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -55,10 +55,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT # Calculate final tag by removing -rc suffix 
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index 8cfed4cf2fbba..ec772c9b241ec 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -119,13 +119,16 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_VERSION: ${{ inputs.version }} + INPUT_STABLE_TAG: ${{ inputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION=$(filter_version_from_input "${{ inputs.version }}") + VERSION=$(filter_version_from_input "$INPUT_VERSION") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) + STABLE_TAG=$(validate_stable_tag "$INPUT_STABLE_TAG") echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build @@ -139,11 +142,12 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version if: ${{ inputs.binary == 'polkadot-omni-node' || inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }} + env: + VERSION: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" - if [[ ${{ inputs.binary }} == 'polkadot' ]]; then + if [[ "$BINARY" == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu 
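Review bot: The rewritten test `if [[ "$BINARY" == 'polkadot' ]]` reads `BINARY`, but the `env:` block added to this step defines only `VERSION`, so the comparison depends on `BINARY` being set at workflow or job level outside the hunk. Other steps in this file use `env.BINARY`, which suggests it is, but if it is missing in this job the test is silently false and the `polkadot` branch never runs. Either confirm that or add `BINARY: ${{ inputs.binary }}` next to `VERSION`. The same applies to `$IMAGE_TYPE` in the `Build Injected Container image for polkadot` step, whose `env:` gains `VALIDATED_VERSION` but no `IMAGE_TYPE`.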
@@ -197,24 +201,30 @@ jobs: if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Fetch release tags if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . .github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot if: ${{ env.BINARY == 'polkadot' }} 
@@ -223,13 +233,14 @@ jobs: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} shell: bash run: | ls -al echo "Building container for $BINARY" - echo "IMAGE_TYPE: ${{ inputs.image_type }}" + echo "IMAGE_TYPE: $IMAGE_TYPE" - if [[ "${{ inputs.image_type }}" == "rc" ]]; then + if [[ "$IMAGE_TYPE" == "rc" ]]; then echo "Building RC container for polkadot" export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" @@ -239,7 +250,7 @@ jobs: export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" export POLKADOT_DEB=true - export VERSION=${{ needs.validate-inputs.outputs.version }} + export VERSION="$VALIDATED_VERSION" ./docker/scripts/build-injected.sh fi diff --git a/.github/workflows/release-60_post-crates-release-activities.yml b/.github/workflows/release-60_post-crates-release-activities.yml index c600a6e0fa7d3..e9ac2ec5460c2 100644 --- a/.github/workflows/release-60_post-crates-release-activities.yml +++ b/.github/workflows/release-60_post-crates-release-activities.yml @@ -175,10 +175,11 @@ jobs: - name: Move prdocs to release folder shell: bash + env: + VERSION: ${{ inputs.version }} run: | . ./.github/scripts/release/release_lib.sh - VERSION="${{ inputs.version }}" echo "Version: $VERSION" reorder_prdocs "$VERSION" 
@@ -302,10 +303,12 @@ jobs: - name: Create Pull Request to base release branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + FULL_RELEASE: ${{ inputs.version }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" - FULL_RELEASE="${{ inputs.version }}" echo "Current branch: $BRANCH_NAME" echo "Version: $FULL_RELEASE" @@ -319,13 +322,13 @@ jobs: TARGET_REPO="paritytech/polkadot-sdk" # Determine if running from a fork or the main repo - if [ "${{ github.repository }}" = "$TARGET_REPO" ]; then + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then # Same-repo PR: head is just the branch name PR_HEAD="$BRANCH_NAME" EXTRA_FLAGS="" else # Cross-fork PR: head needs the fork owner prefix - FORK_OWNER="${{ github.repository_owner }}" + FORK_OWNER="$GH_REPOSITORY_OWNER" PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" EXTRA_FLAGS="--no-maintainer-edit" fi @@ -356,16 +359,18 @@ jobs: - name: Add comment about spec_version env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" TARGET_REPO="paritytech/polkadot-sdk" # Match the head format used when creating the PR - if [ "${{ github.repository }}" = "$TARGET_REPO" ]; then + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then PR_HEAD="$BRANCH_NAME" else - FORK_OWNER="${{ github.repository_owner }}" + FORK_OWNER="$GH_REPOSITORY_OWNER" PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" fi diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml index 382e0f3d4bde6..b72493eb92567 100644 --- a/.github/workflows/release-80_publish-crates.yml +++ b/.github/workflows/release-80_publish-crates.yml 
@@ -70,8 +70,9 @@ jobs: - name: Derive stable branch from release name id: derive_branch shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} run: | - RELEASE_NAME="${{ inputs.release_name }}" echo "Release name: $RELEASE_NAME" # Extract stable branch by removing the last -N suffix @@ -114,8 +115,9 @@ jobs: - name: Create or switch to release branch shell: bash + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} run: | - CRATES_RELEASE_BRANCH="${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }}" if git rev-parse --verify -q "$CRATES_RELEASE_BRANCH" &>/dev/null; then echo "Branch $CRATES_RELEASE_BRANCH already exists, switching to it" @@ -152,8 +154,9 @@ jobs: - name: Save Plan.toml diff if: inputs.is_patch + env: + RELEASE_NAME: ${{ inputs.release_name }} run: | - RELEASE_NAME="${{ inputs.release_name }}" mkdir -p release-artifacts echo "Saving Plan.toml diff..." @@ -165,8 +168,9 @@ jobs: - name: Parse crate names for release notes if: inputs.is_patch shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} run: | - RELEASE_NAME="${{ inputs.release_name }}" echo "Parsing crate names..." python3 scripts/release/parse-crates-names.py \ @@ -178,16 +182,19 @@ jobs: - name: Commit Plan.toml and crates list shell: bash + env: + IS_PATCH: ${{ inputs.is_patch }} + RELEASE_NAME: ${{ inputs.release_name }} run: | . ./.github/scripts/release/release_lib.sh git add Plan.toml - if [ "${{ inputs.is_patch }}" = true ]; then + if [ "$IS_PATCH" = true ]; then git add scripts/release/templates/crates_list.md.tera fi if [[ -n $(git status --porcelain) ]]; then - commit_with_message "chore: update Plan.toml and crates list for ${{ inputs.release_name }}" + commit_with_message "chore: update Plan.toml and crates list for $RELEASE_NAME" echo "Committed Plan.toml and crates list" else echo "No changes to commit" 
@@ -206,29 +213,33 @@ jobs: - name: Commit version bumps shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} run: | . ./.github/scripts/release/release_lib.sh git add -A if [[ -n $(git status --porcelain) ]]; then - commit_with_message "chore: apply version bumps for ${{ inputs.release_name }}" + commit_with_message "chore: apply version bumps for $RELEASE_NAME" echo "Committed version bumps" else echo "No changes to commit" fi - name: Push release branch + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} run: | - CRATES_RELEASE_BRANCH="${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }}" echo "Pushing branch $CRATES_RELEASE_BRANCH..." git push origin "$CRATES_RELEASE_BRANCH" echo "Successfully pushed $CRATES_RELEASE_BRANCH" - name: Configure cargo registry shell: bash + env: + REGISTRY: ${{ inputs.registry }} run: | - REGISTRY="${{ inputs.registry }}" echo "Configuring cargo for $REGISTRY..." mkdir -p ~/.cargo @@ -248,9 +259,9 @@ jobs: shell: bash env: PARITY_PUBLISH_CRATESIO_TOKEN: ${{ inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN }} + DRY_RUN: ${{ inputs.dry_run }} + REGISTRY: ${{ inputs.registry }} run: | - DRY_RUN="${{ inputs.dry_run }}" - REGISTRY="${{ inputs.registry }}" if [ "$DRY_RUN" = true ]; then echo "DRY RUN - Not actually publishing crates" diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml index c419b92199ee9..986361f47c564 100644 --- a/.github/workflows/release-99_notif-published.yml +++ b/.github/workflows/release-99_notif-published.yml 
@@ -14,25 +14,30 @@ jobs: id: fetch_latest_release_tag env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPOSITORY: ${{ github.repository }} run: | TAG_NAME=$(curl -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - -sL "https://api.github.com/repos/${{ github.repository }}/releases/latest" \ + -sL "https://api.github.com/repos/${GH_REPOSITORY}/releases/latest" \ | jq -r '.tag_name') echo "Latest release tag: $TAG_NAME" echo "latest_tag_name=$TAG_NAME" >> $GITHUB_OUTPUT - name: Fetch current release tag name id: fetch_curent_release_tag + env: + CURRENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - CURRENT_RELEASE_TAG_NAME=${{github.event.release.tag_name}} echo "Current release tag: $CURRENT_RELEASE_TAG_NAME" echo "current_tag_name=$CURRENT_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Check if release is latest id: check_is_latest + env: + LATEST_TAG: ${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }} + CURRENT_TAG: ${{ steps.fetch_curent_release_tag.outputs.current_tag_name }} run: | - if [[ "${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }}" == "${{ steps.fetch_curent_release_tag.outputs.current_tag_name }}" ]]; then + if [[ "$LATEST_TAG" == "$CURRENT_TAG" ]]; then echo "Release is latest" echo "is_latest=true" >> $GITHUB_OUTPUT else diff --git a/.github/workflows/release-build-binary.yml b/.github/workflows/release-build-binary.yml index 271b4f3a770f0..eea5c389e15bb 100644 --- a/.github/workflows/release-build-binary.yml +++ b/.github/workflows/release-build-binary.yml @@ -44,8 +44,10 @@ jobs: - name: Set runner id: set_runner shell: bash + env: + INPUT_BINARY: ${{ inputs.binary }} run: | - if [[ "${{ inputs.binary }}" == "polkadot-parachain" ]]; then + if [[ "$INPUT_BINARY" == "polkadot-parachain" ]]; then echo "RUNNER=parity-large" >> $GITHUB_OUTPUT else echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT 
@@ -61,17 +63,22 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build binary + env: + INPUT_BINARY: ${{ inputs.binary }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_PROFILE: ${{ inputs.profile }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - PROFILE=${{ inputs.profile }} - if [ "${{ inputs.binary }}" = "polkadot" ]; then + PROFILE="$INPUT_PROFILE" + if [ "$INPUT_BINARY" = "polkadot" ]; then for binary in polkadot polkadot-prepare-worker polkadot-execute-worker; do - echo "Building $binary with profile $PROFILE and features ${{ inputs.features }}" - ./.github/scripts/release/build-linux-release.sh $binary ${{ inputs.package }} ${{ inputs.features }} + echo "Building $binary with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES" done else - echo "Building ${{ inputs.binary }} with profile $PROFILE and features ${{ inputs.features }}" - ./.github/scripts/release/build-linux-release.sh ${{ inputs.binary }} ${{ inputs.package }} ${{ inputs.features }} + echo "Building $INPUT_BINARY with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$INPUT_BINARY" "$INPUT_PACKAGE" "$INPUT_FEATURES" fi - name: Upload ${{ inputs.binary }} artifacts diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml index 9d593e6f5debe..3d8bd8292618c 100644 --- a/.github/workflows/release-reusable-publish-packages.yml +++ b/.github/workflows/release-reusable-publish-packages.yml 
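Review bot: Quoting `"$INPUT_PACKAGE"` and `"$INPUT_FEATURES"` in the `build-linux-release.sh` calls changes what the script receives: an empty `features` input used to vanish and now arrives as an empty third argument, and a value containing spaces now arrives as one word instead of several. Whether that matters depends on how the script reads `$2` and `$3`, which is not visible here, so it is worth checking that it treats empty and unset alike and does not count arguments. If empty inputs are valid, a short comment above the call such as `# package/features may be empty; the script falls back to its defaults` would document the intent. The same change is made in the two `Build binary` steps of release-reusable-rc-build.yml and in `upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET"` in release-reusable-s3-upload.yml.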
@@ -47,10 +47,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_TAG: ${{ inputs.tag }} run: | # Source common library for helper functions . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts-from-s3: @@ -71,15 +73,17 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version id: fetch_artifacts_from_s3 + env: + PACKAGE_TYPE: ${{ inputs.package_type }} run: | . ./.github/scripts/common/lib.sh NODE_VERSION="$(get_polkadot_node_version_from_code)" echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT # Fetch specific package type artifact (deb or rpm) - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then fetch_debian_package_from_s3 polkadot - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then fetch_rpm_package_from_s3 polkadot fi @@ -134,14 +138,15 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | # --- Sync Local Repo from S3 --- mkdir -p "$LOCAL_REPO_PATH" - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true fi 
@@ -151,16 +156,18 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + PACKAGE_TYPE: ${{ inputs.package_type }} + DISTRIBUTION: ${{ inputs.distribution }} run: | . ./.github/scripts/common/lib.sh import_gpg_keys # --- Add Package to Repo and Sign --- - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1) - reprepro -b "$LOCAL_REPO_PATH" includedeb "${{ inputs.distribution }}" "$debname" + reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname" - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then rpmname=$(find release-artifacts/ -name 'polkadot-*.rpm' | head -n 1) echo "Signing package with pgpkms (via AWS KMS)..." @@ -184,10 +191,13 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + DISTRIBUTION: ${{ inputs.distribution }} + CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | - if [[ "${{ inputs.distribution }}" == "release" ]]; then + if [[ "$DISTRIBUTION" == "release" ]]; then aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read else aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" fi - aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/${{ inputs.package_type }}/*' + aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*" diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml index fa4b71bacca63..91bae0bb00972 100644 --- a/.github/workflows/release-reusable-rc-build.yml +++ b/.github/workflows/release-reusable-rc-build.yml 
@@ -90,9 +90,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-linux-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 @@ -101,25 +105,31 @@ jobs: - name: Sign artifacts working-directory: /artifacts/${{ matrix.binaries }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 
@@ -231,9 +241,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-macos-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 @@ -242,25 +256,31 @@ jobs: - name: Sign artifacts working-directory: ${{ env.ARTIFACTS_PATH }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 
@@ -314,17 +334,21 @@ jobs: - name: Build polkadot deb package shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION} + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "$INPUT_PACKAGE" "${VERSION}" - name: Build polkadot rpm package shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh ${{ inputs.package }} ${VERSION} + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "$INPUT_PACKAGE" "${VERSION}" - name: Generate artifact attestation uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 diff --git a/.github/workflows/release-reusable-s3-upload.yml b/.github/workflows/release-reusable-s3-upload.yml index 492c07ac24d17..4320eaf5cf7d5 100644 --- a/.github/workflows/release-reusable-s3-upload.yml +++ b/.github/workflows/release-reusable-s3-upload.yml @@ -45,6 +45,10 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload ${{ inputs.package }} artifacts to s3 + env: + PACKAGE: ${{ inputs.package }} + RELEASE_TAG: ${{ inputs.release_tag }} + TARGET: ${{ inputs.target }} run: | . ./.github/scripts/release/release_lib.sh - upload_s3_release ${{ inputs.package }} ${{ inputs.release_tag }} ${{ inputs.target }} + upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET" diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index 27fe1d445dc7e..6f57a1c2ecd81 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml 
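Review bot: The env names added to the s3 upload step, `PACKAGE`, `RELEASE_TAG` and `TARGET`, are generic and are exported into the same shell that sources `release_lib.sh`. They could shadow or be overwritten by variables that library uses; its contents are not visible here. The other steps in this change use an `INPUT_` prefix, so `INPUT_PACKAGE: ${{ inputs.package }}` (and likewise for the other two) with `upload_s3_release "$INPUT_PACKAGE" "$INPUT_RELEASE_TAG" "$INPUT_TARGET"` would be consistent and avoid the collision.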
@@ -54,7 +54,7 @@ jobs: run: | . ./.github/scripts/common/lib.sh - echo "Github workspace: ${{ github.workspace }}" + echo "Github workspace: ${GITHUB_WORKSPACE}" echo "Current folder: $(pwd)"; ls -al ls -al @@ -98,11 +98,16 @@ jobs: profile: ${{ inputs.profile }} - name: Summary + env: + SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }} + CHAIN: ${{ matrix.chain }} + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} run: | - echo '${{ steps.srtool_build.outputs.json }}' | jq > ${{ matrix.chain }}-srtool-digest.json - cat ${{ matrix.chain }}-srtool-digest.json - echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" - echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" + echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json" + cat "${CHAIN}-srtool-digest.json" + echo "Compact Runtime: $WASM_PATH" + echo "Compressed Runtime: $WASM_COMPRESSED_PATH" - name: Generate artifact attestation uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0 
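Review bot: In the `Summary` step, `echo "$SRTOOL_JSON" | jq` still depends on how the shell's `echo` treats backslashes and a leading `-`. The step sets no `shell:`, and if it ever runs under an `sh`-style echo, sequences such as `\n` or `\\` inside the JSON would be expanded before jq reads them. `printf '%s\n' "$SRTOOL_JSON" | jq . > "${CHAIN}-srtool-digest.json"` passes the value through unchanged.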
@@ -118,25 +123,35 @@ jobs: - name: Show Runtime information shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} + CHAIN: ${{ matrix.chain }} run: | - subwasm info ${{ steps.srtool_build.outputs.wasm }} - subwasm info ${{ steps.srtool_build.outputs.wasm_compressed }} - subwasm --json info ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-info.json - subwasm --json info ${{ steps.srtool_build.outputs.wasm_compressed }} > ${{ matrix.chain }}-compressed-info.json + subwasm info "$WASM_PATH" + subwasm info "$WASM_COMPRESSED_PATH" + subwasm --json info "$WASM_PATH" > "${CHAIN}-info.json" + subwasm --json info "$WASM_COMPRESSED_PATH" > "${CHAIN}-compressed-info.json" - name: Extract the metadata shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} run: | - subwasm meta ${{ steps.srtool_build.outputs.wasm }} - subwasm --json meta ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-metadata.json + subwasm meta "$WASM_PATH" + subwasm --json meta "$WASM_PATH" > "${CHAIN}-metadata.json" - name: Check the metadata diff shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} # the following subwasm call will error for chains that are not known and/or live, that includes shell for instance run: | - subwasm diff ${{ steps.srtool_build.outputs.wasm }} --chain-b ${{ matrix.chain }} || \ - echo "Subwasm call failed, check the logs. This is likely because ${{ matrix.chain }} is not known by subwasm" | \ - tee ${{ matrix.chain }}-diff.txt + subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || \ + echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm" | \ + tee "${CHAIN}-diff.txt" - name: Archive Subwasm results uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0