From f627f7208fe28bbc56fc4707fc99daab2de99eec Mon Sep 17 00:00:00 2001 From: Egor_P Date: Thu, 19 Feb 2026 16:31:08 +0100 Subject: [PATCH 1/5] BACKPORT-CONFLICT --- .../workflows/release-10_branchoff-stable.yml | 42 ++- .../workflows/release-11_rc-automation.yml | 6 +- .github/workflows/release-20_build-rc.yml | 4 +- .../workflows/release-21_build-runtimes.yml | 4 +- ...mbined-rc-runtime-builds-release-draft.yml | 4 +- .../release-30_publish_release_draft.yml | 98 +++++-- .../release-31_promote-rc-to-final.yml | 4 +- .../workflows/release-50_publish-docker.yml | 53 +++- ...ease-60_post-crates-release-activities.yml | 50 +++- .../workflows/release-80_publish-crates.yml | 274 ++++++++++++++++++ .../workflows/release-99_notif-published.yml | 11 +- .github/workflows/release-build-binary.yml | 22 +- .../release-reusable-publish-packages.yml | 30 +- .../workflows/release-reusable-rc-build.yml | 85 +++++- .../workflows/release-reusable-s3-upload.yml | 6 +- .github/workflows/release-srtool.yml | 43 ++- 16 files changed, 661 insertions(+), 75 deletions(-) create mode 100644 .github/workflows/release-80_publish-crates.yml diff --git a/.github/workflows/release-10_branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml index 2fad2dbcf1e73..66a1817df5945 100644 --- a/.github/workflows/release-10_branchoff-stable.yml +++ b/.github/workflows/release-10_branchoff-stable.yml 
@@ -25,13 +25,23 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_NODE_VERSION: ${{ inputs.node_version }} + INPUT_STABLE_VERSION: ${{ inputs.stable_version }} run: | . ./.github/scripts/common/lib.sh +<<<<<<< HEAD node_version=$(filter_version_from_input "${{ inputs.node_version }}") echo "node_version=${node_version}" >> $GITHUB_OUTPUT - - stable_version=$(validate_stable_tag ${{ inputs.stable_version }}) +======= + if [ -n "$INPUT_NODE_VERSION" ]; then + node_version=$(filter_version_from_input "$INPUT_NODE_VERSION") + echo "node_version=${node_version}" >> $GITHUB_OUTPUT + fi +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) + + stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION") echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT create-stable-branch: @@ -88,10 +98,14 @@ jobs: - name: Bump versions, reorder prdocs and push stable branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }} run: | . ./.github/scripts/release/release_lib.sh +<<<<<<< HEAD NODE_VERSION="${{ needs.prepare-tooling.outputs.node_version }}" +======= +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\"" set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs" commit_with_message "Bump node version to $NODE_VERSION in polkadot-cli" 
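Review bot: The `<<<<<<< HEAD` / `=======` / `>>>>>>>` markers are committed as added lines inside the `run: |` script of the "Validate inputs" step, and the HEAD side between them still expands `"${{ inputs.node_version }}"` directly into the shell text, which is the injection pattern this backport is meant to remove. The marker lines are not valid shell, so the step will not run as written, and resolving the conflict by keeping both sides would leave the template expansion in place; only the `$INPUT_NODE_VERSION` branch should survive. The same unresolved markers recur in the later hunks of this file and in release-30, release-50, release-60 and release-build-binary. Where they sit between mapping keys (for example under `env:`), the workflow file will presumably not parse at all.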
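Review bot: In the `@@ -88,10 +98,14 @@` hunk the new `NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }}` reads from a `validate-inputs` job, while the HEAD line it conflicts with reads `needs.prepare-tooling.outputs.node_version`. If this branch still names the job `prepare-tooling` (the job header is outside the hunk), the expression evaluates to an empty string. The unquoted `$NODE_VERSION` in the `set_version` call then disappears and the file path shifts into the version argument. On resolution, point the env entry at the job this branch actually defines and quote the argument: `set_version "$NODE_VERSION_PATTERN" "$NODE_VERSION" "polkadot/node/primitives/src/lib.rs"`.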
@@ -111,3 +125,27 @@ jobs: gh auth setup-git git push origin "$STABLE_BRANCH_NAME" +<<<<<<< HEAD +======= + + - name: Tag RC after branch off + if: ${{ inputs.tag_rc }} + env: + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} # or use a PAT with workflow scope + STABLE_VERSION: ${{ needs.validate-inputs.outputs.stable_version }} + GH_REPOSITORY: ${{ github.repository }} + run: | + stable_tag_base="polkadot-${STABLE_VERSION}" + gh workflow run release-11_rc-automation.yml \ + --repo "$GH_REPOSITORY" \ + --ref "$STABLE_VERSION" \ + --field version="${stable_tag_base}" + + tag-rc-without-branchoff: + if: ${{ !inputs.is_new_stable && inputs.tag_rc }} + needs: [ validate-inputs ] + uses: ./.github/workflows/release-11_rc-automation.yml + with: + version: polkadot-${{ needs.validate-inputs.outputs.stable_version }} + secrets: inherit +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) diff --git a/.github/workflows/release-11_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml index 253c8fa042ea8..5e83db57cbacd 100644 --- a/.github/workflows/release-11_rc-automation.yml +++ b/.github/workflows/release-11_rc-automation.yml @@ -68,14 +68,16 @@ jobs: # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }} id: compute_tag shell: bash + env: + INPUT_VERSION: ${{ inputs.version }} run: | . ./.github/scripts/common/lib.sh # Get last rc tag if exists, else set it to {version}-rc1 - if [[ -z "${{ inputs.version }}" ]]; then + if [[ -z "$INPUT_VERSION" ]]; then version=v$(get_polkadot_node_version_from_code) else - version=$(validate_stable_tag ${{ inputs.version }}) + version=$(validate_stable_tag "$INPUT_VERSION") fi echo "$version" echo "version=$version" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index 88a514c5de8ac..e6a0eb16b0506 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml 
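Review bot: `secrets: inherit` in the new `tag-rc-without-branchoff` job hands every secret available to this workflow to `release-11_rc-automation.yml`; passing only the secrets that workflow declares keeps release credentials scoped to the jobs that need them. The block also depends on `inputs.tag_rc` and `inputs.is_new_stable`, neither of which is defined in the visible hunks. If the `workflow_dispatch` inputs were not backported as well, both `if:` conditions evaluate as false and the tagging silently never runs. The HEAD side of this conflict is empty, so the whole block is new to this branch and should be checked against the jobs and inputs that exist here.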
@@ -38,10 +38,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-polkadot-binary: diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index d49a2f6349350..53edf9a6ce113 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -70,10 +70,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index bd35226028a0c..acdc9422ac4b0 100644 --- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml @@ -71,10 +71,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes-flow: diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index 50286bd98a319..ed9459476567e 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml 
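Review bot: With the input now passed through `INPUT_RELEASE_TAG`, the only thing between a dispatcher-supplied string and `$GITHUB_OUTPUT` is `validate_stable_tag`, whose body lives in `.github/scripts/common/lib.sh` and is not part of this diff. It is worth confirming that it rejects values containing embedded newlines, since a multi-line value written by `echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT` would define additional step outputs, and that it exits non-zero on a bad tag so the step fails. A comment above the call such as `# validate_stable_tag must reject anything that is not a single-line stable tag` would document that dependency. The same applies to the identical "Validate inputs" hunks for release-21, release-22, release-30, release-31 and release-reusable-publish-packages.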
@@ -35,10 +35,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: @@ -65,8 +67,29 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +<<<<<<< HEAD - name: Download artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 +======= + - name: Generate content write token for the release automation + id: generate_write_token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }} + private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }} + owner: paritytech + repositories: polkadot-sdk + + - name: Download runtimes artifacts + if: ${{ inputs.no_runtimes == false && inputs.crates_only == false }} + env: + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} + run: | + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Prepare tooling run: | 
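Review bot: `gh run download "$BUILD_RUN_ID"` in the incoming "Download runtimes artifacts" step (hunk `@@ -65,8 +67,29 @@`) pulls artifacts from whatever run ID the dispatcher typed into the release, with no check that the run belongs to the expected build workflow, branch and commit, or that it succeeded. Before downloading, the step could query the run and compare it against the release, for example with `gh run view "$BUILD_RUN_ID" --json workflowName,headBranch,headSha,conclusion`, and fail on a mismatch; rejecting a non-numeric ID first is cheap as well. The step also authenticates with the read-write release app token although it only reads artifacts, so a read-scoped token would be enough here if one is available. The "Download runtimes" step added in the `@@ -170,14 +199,37 @@` hunk has the same gap, and `inputs.build_run_id`, `inputs.no_runtimes` and `inputs.crates_only` must exist on this branch for the incoming side to work.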
@@ -86,6 +109,12 @@ jobs: PEOPLE_WESTEND_DIGEST: ${{ github.workspace}}/people-westend-runtime/people-westend-srtool-digest.json WESTEND_DIGEST: ${{ github.workspace}}/westend-runtime/westend-srtool-digest.json RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} +<<<<<<< HEAD +======= + NO_RUNTIMES: ${{ inputs.no_runtimes }} + CRATES_ONLY: ${{ inputs.crates_only }} + GH_REF_NAME: ${{ github.ref_name }} +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) shell: bash run: | . ./.github/scripts/common/lib.sh @@ -94,7 +123,7 @@ jobs: export REF1=$(get_latest_release_tag) if [[ -z "$RELEASE_TAG" ]]; then - export REF2="${{ github.ref_name }}" + export REF2="${GH_REF_NAME}" echo "REF2: ${REF2}" else export REF2="$RELEASE_TAG" 
@@ -170,14 +199,37 @@ jobs: owner: paritytech repositories: polkadot-sdk +<<<<<<< HEAD +======= + - name: Download runtimes + env: + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} + run: | + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" + + - name: Get runtime info + env: + CHAIN: ${{ matrix.chain }} + JSON: ${{ github.workspace}}/release-notes-context/runtimes/${{ matrix.chain }}-runtime/${{ matrix.chain }}-srtool-digest.json + run: | + cd "${GITHUB_WORKSPACE}/runtimes" + >>$GITHUB_ENV echo ASSET=$(find "${CHAIN}-runtime" -name '*.compact.compressed.wasm') + >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) + +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + CHAIN: ${{ matrix.chain }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} run: | - VERSIONED_ASSET="${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" + VERSIONED_ASSET="${CHAIN}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" mv "${{ env.ASSET }}" "$VERSIONED_ASSET" - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk "$VERSIONED_ASSET" publish-release-artifacts: 
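Review bot: The "Upload compressed" step still expands `${{ env.SPEC }}` and `${{ env.ASSET }}` into the script text. In the incoming "Get runtime info" step both values are derived from the downloaded artifacts (a `find` result and a field of the srtool digest JSON), so they are the least trusted values in this job. Values written to `$GITHUB_ENV` are ordinary environment variables in later steps, so the two lines can read `VERSIONED_ASSET="${CHAIN}_runtime-v${SPEC}.compact.compressed.wasm"` and `mv "$ASSET" "$VERSIONED_ASSET"`. The `JSON` path points under `release-notes-context/runtimes/` while the download goes to `${GITHUB_WORKSPACE}/runtimes`, which looks inconsistent and should be checked when the conflict is resolved.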
@@ -195,23 +247,28 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fetch binaries from s3 based on version + env: + VERSION: ${{ needs.validate-inputs.outputs.release_tag }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.release_tag }}" - fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} + fetch_release_artifacts_from_s3 "$BINARY" "$TARGET" - name: Rename aarch64-apple-darwin binaries if: ${{ matrix.target == 'aarch64-apple-darwin' }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + env: + BINARY: ${{ matrix.binary }} run: | . ${{ github.workspace}}/.github/scripts/common/lib.sh - mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin - mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc + mv "$BINARY" "${BINARY}-aarch64-apple-darwin" + mv "${BINARY}.asc" "${BINARY}-aarch64-apple-darwin.asc" - sha256sum "${{ matrix.binary }}-aarch64-apple-darwin" | tee "${{ matrix.binary }}-aarch64-apple-darwin.sha256" - check_sha256 "${{ matrix.binary }}-aarch64-apple-darwin" && echo "OK" || echo "ERR" + sha256sum "${BINARY}-aarch64-apple-darwin" | tee "${BINARY}-aarch64-apple-darwin.sha256" + check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR" - name: Generate content write token for the release automation id: generate_write_token 
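Review bot: `check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR"` in the rename step prints `ERR` on a mismatch but still returns success, so a failed integrity check does not stop the release upload. Since the line is being touched anyway, make the failure fatal: `check_sha256 "${BINARY}-aarch64-apple-darwin" || { echo "ERR"; exit 1; }`. Note that the `.sha256` file is generated from the same local file one line earlier, so this check only confirms what `tee` just wrote. Whether `fetch_release_artifacts_from_s3` verifies the download and its `.asc` signature is not visible in this hunk and is worth confirming.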
@@ -225,20 +282,23 @@ jobs: - name: Upload ${{ matrix.binary }} binary to release draft env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} run: | - if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + if [[ "$TARGET" == "aarch64-apple-darwin" ]]; then + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }}-aarch64-apple-darwin \ - ${{ matrix.binary }}-aarch64-apple-darwin.asc \ - ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + "${BINARY}-aarch64-apple-darwin" \ + "${BINARY}-aarch64-apple-darwin.asc" \ + "${BINARY}-aarch64-apple-darwin.sha256" else - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }} \ - ${{ matrix.binary }}.asc \ - ${{ matrix.binary }}.sha256 + "$BINARY" \ + "${BINARY}.asc" \ + "${BINARY}.sha256" fi post_to_matrix: diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index 06279307a324d..241728034287f 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -40,10 +40,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT promote-polkadot-rc-to-final: 
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index d69a6f664c140..577995046bd47 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -83,13 +83,16 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_VERSION: ${{ inputs.version }} + INPUT_STABLE_TAG: ${{ inputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION=$(filter_version_from_input "${{ inputs.version }}") + VERSION=$(filter_version_from_input "$INPUT_VERSION") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) + STABLE_TAG=$(validate_stable_tag "$INPUT_STABLE_TAG") echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build @@ -102,12 +105,17 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Fetch rc artifacts or release artifacts from s3 based on version +<<<<<<< HEAD # if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} +======= + if: ${{ inputs.binary == 'polkadot-omni-node' || inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }} + env: + VERSION: ${{ needs.validate-inputs.outputs.stable_tag }} +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" - if [[ ${{ inputs.binary }} == 'polkadot' ]]; then + if [[ "$BINARY" == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu 
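Review bot: The condition in "Fetch rc artifacts or release artifacts" (hunk `@@ -102,12 +105,17 @@`) now tests `"$BINARY"`, but the `env:` block added to this step defines only `VERSION`. If `BINARY` is not set at workflow or job level (outside this hunk, though the `env.BINARY` conditions elsewhere in the file suggest it is), the comparison silently takes the `else` branch. Adding `BINARY: ${{ inputs.binary }}` to the step's `env:` would make it self-contained, matching how the release-30 steps in this commit declare `BINARY` locally. The incoming step-level `if:` also reads `inputs.image_type`, which should be confirmed to exist on this branch.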
@@ -157,25 +165,31 @@ jobs: if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Fetch release tags working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot rc if: ${{ env.BINARY == 'polkadot' }} 
@@ -184,10 +198,33 @@ jobs: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} +<<<<<<< HEAD run: | ls -al echo "Building container for $BINARY" ./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER +======= + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + shell: bash + run: | + ls -al + echo "Building container for $BINARY" + echo "IMAGE_TYPE: $IMAGE_TYPE" + + if [[ "$IMAGE_TYPE" == "rc" ]]; then + echo "Building RC container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + ./docker/scripts/build-injected.sh + else + echo "Building release container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + export POLKADOT_DEB=true + export VERSION="$VALIDATED_VERSION" + ./docker/scripts/build-injected.sh + fi +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Build Injected Container image for polkadot-omni-node/chain-spec-builder if: ${{ env.BINARY == 'polkadot-omni-node' || env.BINARY == 'chain-spec-builder' }} diff --git a/.github/workflows/release-60_post-crates-release-activities.yml b/.github/workflows/release-60_post-crates-release-activities.yml index 8f2f637abc27f..907a11cceaa02 100644 --- a/.github/workflows/release-60_post-crates-release-activities.yml +++ b/.github/workflows/release-60_post-crates-release-activities.yml @@ -168,10 +168,11 @@ jobs: - name: Move prdocs to release folder shell: bash + env: + VERSION: ${{ inputs.version }} run: | . ./.github/scripts/release/release_lib.sh - VERSION="${{ inputs.version }}" echo "Version: $VERSION" reorder_prdocs "$VERSION" 
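Review bot: The incoming side of "Build Injected Container image for polkadot rc" calls `./docker/scripts/build-injected.sh` and names `docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile`, while the HEAD side it conflicts with calls `./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER`. The diffstat of this patch (1/5) lists only workflow files, so confirm that the script and both Dockerfiles exist on this branch before taking the incoming side; otherwise the release image build fails at this step. The step name still says "rc" although the new script body also builds the release image.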
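Review bot: In release-60, `VERSION: ${{ inputs.version }}` reaches `reorder_prdocs "$VERSION"` without passing through `validate_stable_tag` or `filter_version_from_input`, unlike the other release workflows in this commit. Moving the value into `env:` stops it being parsed as script, but the string is still free-form. If `reorder_prdocs` builds directory names from it (its body is not in this diff), a value containing `/` or `..` would land outside the intended prdoc folder. A format check at the top of the script, before `reorder_prdocs` is called, would close that gap; the accepted pattern depends on the version format this workflow expects.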
@@ -281,11 +282,17 @@ jobs: - name: Create Pull Request to base release branch env: +<<<<<<< HEAD GH_TOKEN: ${{ github.token }} +======= + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + FULL_RELEASE: ${{ inputs.version }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" - FULL_RELEASE="${{ inputs.version }}" echo "Current branch: $BRANCH_NAME" echo "Version: $FULL_RELEASE" @@ -296,8 +303,24 @@ jobs: BASE_RELEASE="$FULL_RELEASE" fi +<<<<<<< HEAD BASE_RELEASE_UPPER=$(echo "$BASE_RELEASE" | tr '[:lower:]' '[:upper:]') echo "Base release branch (upper): $BASE_RELEASE_UPPER" +======= + TARGET_REPO="paritytech/polkadot-sdk" + + # Determine if running from a fork or the main repo + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then + # Same-repo PR: head is just the branch name + PR_HEAD="$BRANCH_NAME" + EXTRA_FLAGS="" + else + # Cross-fork PR: head needs the fork owner prefix + FORK_OWNER="$GH_REPOSITORY_OWNER" + PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" + EXTRA_FLAGS="--no-maintainer-edit" + fi +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) # Check if PR already exists EXISTING_PR=$(gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE" --json number --jq '.[0].number') @@ -322,6 +345,7 @@ jobs: - name: Add comment about spec_version env: +<<<<<<< HEAD GH_TOKEN: ${{ github.token }} shell: bash run: | 
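Review bot: In the `@@ -296,8 +303,24 @@` hunk the incoming side computes `PR_HEAD` and `EXTRA_FLAGS`, but the context line that follows still runs `gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE"` with no `--repo "$TARGET_REPO"`. The existing-PR check therefore does not look at the repository or head that the new code targets. The HEAD side being replaced defines `BASE_RELEASE_UPPER`; if the rest of the step on this branch (outside the hunk) still uses it, taking only the incoming side leaves it unset. The first hunk also switches `GH_TOKEN` to `steps.generate_write_token.outputs.token`, which requires a `generate_write_token` step in this job; none is visible here, and without it `GH_TOKEN` is empty.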
@@ -329,6 +353,26 @@ jobs: # Find the PR number for this branch PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[0].number') +======= + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} + shell: bash + run: | + TARGET_REPO="paritytech/polkadot-sdk" + + # Match the head format used when creating the PR + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then + PR_HEAD="$BRANCH_NAME" + else + FORK_OWNER="$GH_REPOSITORY_OWNER" + PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" + fi + + # Find the PR number for this branch in the upstream repo + PR_NUMBER=$(gh pr list --repo "$TARGET_REPO" --head "$PR_HEAD" --json number --jq '.[0].number') +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) if [ -n "$PR_NUMBER" ]; then echo "Adding comment to PR #$PR_NUMBER..." diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml new file mode 100644 index 0000000000000..b72493eb92567 --- /dev/null +++ b/.github/workflows/release-80_publish-crates.yml 
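Review bot: For the fork case the incoming side passes `PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}"` to `gh pr list --head`, but the help text of `gh pr list` states that the `<owner>:<branch>` form is not supported for `--head`. The lookup would then return no PR and the spec_version comment would be skipped without an error. Filter by branch name and check the owner from the JSON instead, for instance `--head "$BRANCH_NAME" --json number,headRepositoryOwner` with a `--jq` filter on `.headRepositoryOwner.login`. The conflict opened in the previous hunk (`<<<<<<< HEAD` under `env:`) closes in this one, so the two hunks have to be resolved together.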
@@ -0,0 +1,274 @@ +name: Release - Publish Crates + +on: + workflow_dispatch: + inputs: + release_name: + description: 'Release name (e.g., stable2509-3). Base branch is derived by removing the last -N suffix.' + required: true + type: string + registry: + description: 'Registry to publish crates to' + required: true + type: choice + options: + - staging.crates.io + - crates.io + default: staging.crates.io + is_patch: + description: 'Is this a patch release? (Set to false for new stable releases)' + required: true + type: boolean + default: true + dry_run: + description: 'Dry run - do not actually publish crates' + required: true + type: boolean + default: true + +permissions: + contents: write + +jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + secrets: + fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} + + set-image: + needs: [ check-synchronization ] + if: needs.check-synchronization.outputs.checks_passed == 'true' + runs-on: ubuntu-latest + outputs: + IMAGE: ${{ steps.set_image.outputs.IMAGE }} + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - id: set_image + run: cat .github/env >> $GITHUB_OUTPUT + + publish-crates: + needs: set-image + runs-on: ubuntu-latest + environment: release + env: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + container: + image: ${{ needs.set-image.outputs.IMAGE }} + + steps: + - name: Install pgpkms + run: | + # Install pgpkms that is used to sign commits + pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151 + + - name: Derive stable branch from release name + id: derive_branch + shell: bash + env: + 
RELEASE_NAME: ${{ inputs.release_name }} + run: | + echo "Release name: $RELEASE_NAME" + + # Extract stable branch by removing the last -N suffix + # e.g., stable2509-3 -> stable2509 + if [[ "$RELEASE_NAME" =~ ^(.+)-[0-9]+$ ]]; then + STABLE_BRANCH="${BASH_REMATCH[1]}" + else + # If no suffix, use the release name as-is (first release) + STABLE_BRANCH="$RELEASE_NAME" + fi + + echo "Stable branch: $STABLE_BRANCH" + echo "STABLE_BRANCH=$STABLE_BRANCH" >> $GITHUB_OUTPUT + + echo "CRATES_RELEASE_BRANCH=post-crates-release-$RELEASE_NAME" >> $GITHUB_OUTPUT + + - name: Checkout stable branch + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ steps.derive_branch.outputs.STABLE_BRANCH }} + fetch-depth: 0 + + - name: Import GPG keys + shell: bash + run: | + . ./.github/scripts/common/lib.sh + import_gpg_keys + + - name: Configure git + shell: bash + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" + git config --global commit.gpgsign true + PGPKMS_PATH=$(which pgpkms-git) + echo "Using pgpkms-git at: $PGPKMS_PATH" + git config --global gpg.program "$PGPKMS_PATH" + git config --global user.name "ParityReleases" + git config --global user.email "release-team@parity.io" + git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51" + + - name: Create or switch to release branch + shell: bash + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} + run: | + + if git rev-parse --verify -q "$CRATES_RELEASE_BRANCH" &>/dev/null; then + echo "Branch $CRATES_RELEASE_BRANCH already exists, switching to it" + git checkout "$CRATES_RELEASE_BRANCH" + else + echo "Creating branch: $CRATES_RELEASE_BRANCH" + git checkout -b "$CRATES_RELEASE_BRANCH" + fi + echo "On branch $CRATES_RELEASE_BRANCH" + + - name: Install Rust 1.93 + shell: bash + run: | + rustup install 1.93 + rustup default 1.93 + echo "Rust version:" + rustc --version + cargo --version + + - name: Rust Cache + 
uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 + with: + cache-on-failure: true + + - name: Install parity-publish + run: | + apt-get update && apt-get install -y --no-install-recommends libcurl4-openssl-dev pkg-config + cargo install parity-publish@0.10.10 --locked -q + + - name: Run parity-publish plan + run: | + echo "Running parity-publish plan..." + parity-publish plan --prdoc prdoc + + - name: Save Plan.toml diff + if: inputs.is_patch + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + mkdir -p release-artifacts + + echo "Saving Plan.toml diff..." + git diff Plan.toml > "release-artifacts/changed_crates_${RELEASE_NAME}.txt" + + echo "Plan.toml changes:" + cat "release-artifacts/changed_crates_${RELEASE_NAME}.txt" + + - name: Parse crate names for release notes + if: inputs.is_patch + shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + + echo "Parsing crate names..." + python3 scripts/release/parse-crates-names.py \ + "release-artifacts/changed_crates_${RELEASE_NAME}.txt" \ + scripts/release/templates/crates_list.md.tera + + echo "Crates list:" + cat scripts/release/templates/crates_list.md.tera + + - name: Commit Plan.toml and crates list + shell: bash + env: + IS_PATCH: ${{ inputs.is_patch }} + RELEASE_NAME: ${{ inputs.release_name }} + run: | + . ./.github/scripts/release/release_lib.sh + + git add Plan.toml + if [ "$IS_PATCH" = true ]; then + git add scripts/release/templates/crates_list.md.tera + fi + + if [[ -n $(git status --porcelain) ]]; then + commit_with_message "chore: update Plan.toml and crates list for $RELEASE_NAME" + echo "Committed Plan.toml and crates list" + else + echo "No changes to commit" + fi + + - name: Run parity-publish apply + run: | + echo "Running parity-publish apply..." + parity-publish apply + + - name: Update Cargo.lock + run: | + echo "Updating Cargo.lock..." 
+ cargo update --workspace --offline || cargo update --workspace + echo "Cargo.lock updated" + + - name: Commit version bumps + shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + . ./.github/scripts/release/release_lib.sh + + git add -A + + if [[ -n $(git status --porcelain) ]]; then + commit_with_message "chore: apply version bumps for $RELEASE_NAME" + echo "Committed version bumps" + else + echo "No changes to commit" + fi + + - name: Push release branch + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} + run: | + echo "Pushing branch $CRATES_RELEASE_BRANCH..." + git push origin "$CRATES_RELEASE_BRANCH" + echo "Successfully pushed $CRATES_RELEASE_BRANCH" + + - name: Configure cargo registry + shell: bash + env: + REGISTRY: ${{ inputs.registry }} + run: | + echo "Configuring cargo for $REGISTRY..." + mkdir -p ~/.cargo + + if [ "$REGISTRY" = "staging.crates.io" ]; then + cat >> ~/.cargo/config.toml << 'EOF' + [registries.crates-io] + index = "sparse+https://index.staging.crates.io/" + EOF + else + echo "Using default crates.io registry" + fi + + echo "Cargo config:" + cat ~/.cargo/config.toml || echo "(using defaults)" + + - name: Publish crates + shell: bash + env: + PARITY_PUBLISH_CRATESIO_TOKEN: ${{ inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN }} + DRY_RUN: ${{ inputs.dry_run }} + REGISTRY: ${{ inputs.registry }} + run: | + + if [ "$DRY_RUN" = true ]; then + echo "DRY RUN - Not actually publishing crates" + echo "Target registry: $REGISTRY" + parity-publish apply -p -d + else + echo "Publishing crates to $REGISTRY..." + parity-publish apply -p + echo "Crates published successfully to $REGISTRY!" + fi diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml index d0b274e302191..2beebbc87f459 100644 --- a/.github/workflows/release-99_notif-published.yml 
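Review bot: The `check-synchronization` job in the new release-80 workflow calls `paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main` and passes it `secrets.UPSTREAM_CONTENT_SYNC_APP_KEY`, so a mutable branch in another repository gates a workflow that publishes crates. Every other `uses:` in this file is pinned to a commit SHA, and this one should be too (`...check-synchronization.yml@<full-commit-sha>`). In "Publish crates", the expression `inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN` falls through to the production token whenever the staging secret is empty; two publish steps guarded by `if:` on the registry, each with its own token, avoid that. `release_name` is used unvalidated in branch names and in `release-artifacts/changed_crates_${RELEASE_NAME}.txt`, so a pattern check in "Derive stable branch from release name" would be a cheap guard. Note also that `dry_run` only guards the final publish: the signed commits and `git push origin "$CRATES_RELEASE_BRANCH"` run in a dry run as well, which deserves a comment if intended.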
+++ b/.github/workflows/release-99_notif-published.yml @@ -14,25 +14,30 @@ jobs: id: fetch_latest_release_tag env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPOSITORY: ${{ github.repository }} run: | TAG_NAME=$(curl -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - -sL "https://api.github.com/repos/${{ github.repository }}/releases/latest" \ + -sL "https://api.github.com/repos/${GH_REPOSITORY}/releases/latest" \ | jq -r '.tag_name') echo "Latest release tag: $TAG_NAME" echo "latest_tag_name=$TAG_NAME" >> $GITHUB_OUTPUT - name: Fetch current release tag name id: fetch_curent_release_tag + env: + CURRENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - CURRENT_RELEASE_TAG_NAME=${{github.event.release.tag_name}} echo "Current release tag: $CURRENT_RELEASE_TAG_NAME" echo "current_tag_name=$CURRENT_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Check if release is latest id: check_is_latest + env: + LATEST_TAG: ${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }} + CURRENT_TAG: ${{ steps.fetch_curent_release_tag.outputs.current_tag_name }} run: | - if [[ "${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }}" == "${{ steps.fetch_curent_release_tag.outputs.current_tag_name }}" ]]; then + if [[ "$LATEST_TAG" == "$CURRENT_TAG" ]]; then echo "Release is latest" echo "is_latest=true" >> $GITHUB_OUTPUT else diff --git a/.github/workflows/release-build-binary.yml b/.github/workflows/release-build-binary.yml index a5adab421a8a4..364263d9f181d 100644 --- a/.github/workflows/release-build-binary.yml +++ b/.github/workflows/release-build-binary.yml 
@@ -44,8 +44,10 @@ jobs: - name: Set runner id: set_runner shell: bash + env: + INPUT_BINARY: ${{ inputs.binary }} run: | - if [[ "${{ inputs.binary }}" == "polkadot-parachain" ]]; then + if [[ "$INPUT_BINARY" == "polkadot-parachain" ]]; then echo "RUNNER=parity-large" >> $GITHUB_OUTPUT else echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT @@ -61,16 +63,30 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build binary + env: + INPUT_BINARY: ${{ inputs.binary }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_PROFILE: ${{ inputs.profile }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - PROFILE=${{ inputs.profile }} - if [ "${{ inputs.binary }}" = "polkadot" ]; then + PROFILE="$INPUT_PROFILE" + if [ "$INPUT_BINARY" = "polkadot" ]; then for binary in polkadot polkadot-prepare-worker polkadot-execute-worker; do +<<<<<<< HEAD echo "Building $binary..." ./.github/scripts/release/build-linux-release.sh $binary ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} done else ./.github/scripts/release/build-linux-release.sh ${{ inputs.binary }} ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} +======= + echo "Building $binary with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES" + done + else + echo "Building $INPUT_BINARY with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$INPUT_BINARY" "$INPUT_PACKAGE" "$INPUT_FEATURES" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) fi - name: Upload ${{ inputs.binary }} artifacts diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml index 03ff1e1b28965..5ceb36b0ae0d2 100644 
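Review bot: The `Build binary` step at `@@ -61,16 +63,30 @@` is committed with unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> cf88f8c3`) inside the `run: |` script, so bash is expected to reject the script at the first marker and the release build cannot run. The same markers are left in release-reusable-rc-build.yml at `@@ -242,14 +252,26 @@`, `@@ -257,6 +279,43 @@` and `@@ -291,11 +350,25 @@`, where they sit at step level and are likely to make the workflow file fail to load. The HEAD side here also keeps `${{ inputs.package }}` and `${{ inputs.features }}` expanded directly into the script, which is the pattern this change sets out to remove. The two sides disagree on the call as well: HEAD passes `"${PROFILE}"` as the third argument and the incoming side drops it while still assigning `PROFILE`, so the resolution has to be checked against the script's parameters on this branch; the HEAD call shape with env variables would be `./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "${PROFILE}" "$INPUT_FEATURES"`.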
--- a/.github/workflows/release-reusable-publish-packages.yml +++ b/.github/workflows/release-reusable-publish-packages.yml @@ -47,10 +47,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_TAG: ${{ inputs.tag }} run: | # Source common library for helper functions . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts-from-s3: @@ -71,15 +73,17 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version id: fetch_artifacts_from_s3 + env: + PACKAGE_TYPE: ${{ inputs.package_type }} run: | . ./.github/scripts/common/lib.sh NODE_VERSION="$(get_polkadot_node_version_from_code)" echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT # Fetch specific package type artifact (deb or rpm) - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then fetch_debian_package_from_s3 polkadot - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then fetch_rpm_package_from_s3 polkadot fi @@ -134,14 +138,15 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | # --- Sync Local Repo from S3 --- mkdir -p "$LOCAL_REPO_PATH" - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true fi 
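Review bot: Every `aws s3 sync` in the sync step at `@@ -134,14 +138,15 @@` still ends in `|| true`, so a failed or partial download of the existing repository looks the same as an empty one. The later steps of this file add the new package to `$LOCAL_REPO_PATH` and sync it back to `$AWS_REPO_PATH`, so a transient S3 or credential error here could end with published repository metadata that no longer lists earlier packages. Drop `|| true`, or tolerate only the first-run case explicitly and fail otherwise. The `if`/`elif` on `$PACKAGE_TYPE` also has no `else`, so an unexpected value skips the sync without any message; the step begins above the hunk.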
@@ -151,16 +156,18 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + PACKAGE_TYPE: ${{ inputs.package_type }} + DISTRIBUTION: ${{ inputs.distribution }} run: | . ./.github/scripts/common/lib.sh import_gpg_keys # --- Add Package to Repo and Sign --- - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1) - reprepro -b "$LOCAL_REPO_PATH" includedeb "${{ inputs.distribution }}" "$debname" + reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname" - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then rpmname=$(find release-artifacts/ -name 'polkadot-*.rpm' | head -n 1) echo "Signing package with pgpkms (via AWS KMS)..." @@ -184,10 +191,13 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + DISTRIBUTION: ${{ inputs.distribution }} + CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | - if [[ "${{ inputs.distribution }}" == "release" ]]; then + if [[ "$DISTRIBUTION" == "release" ]]; then aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read else aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" fi - aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/${{ inputs.package_type }}/*' + aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*" diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml index 7b128fed99960..c9e981a7a62b6 100644 --- a/.github/workflows/release-reusable-rc-build.yml +++ b/.github/workflows/release-reusable-rc-build.yml 
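Review bot: `debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1)` in `@@ -151,16 +156,18 @@`, and the matching `rpmname` line, take whichever file `find` prints first and are never checked for being empty. For a step that adds the file to the signed package repository, the script should fail when there is no match or more than one, for example `[[ -n "$debname" ]] || { echo "no .deb found" >&2; exit 1; }`, so the package that gets signed and published is the intended one. The end of the `if`/`elif` block is outside the hunk, so whether an unexpected `$PACKAGE_TYPE` is rejected cannot be seen here.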
@@ -104,9 +104,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-linux-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 @@ -115,25 +119,31 @@ jobs: - name: Sign artifacts working-directory: /artifacts/${{ matrix.binaries }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
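Review bot: Quoting `"$INPUT_FEATURES"` in the `Build binary` step at `@@ -104,9 +104,13 @@` changes what the script receives when `inputs.features` is empty or holds several space-separated words: the old unquoted expansion passed no argument or several, the new one always passes exactly one. That is the safer form, but build-linux-release.sh is not shown on this page, so its handling of an empty third argument should be confirmed. A comment above the call such as `# features is passed as one, possibly empty, argument` would record the intent for the next backport.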
@@ -242,14 +252,26 @@ jobs: echo "Checking binary ${{ matrix.binaries }}" check_sha256 ${{ matrix.binaries }} +<<<<<<< HEAD - name: Check GPG ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh +======= + - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error + ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) check_gpg ${{ matrix.binaries }} +<<<<<<< HEAD - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: 
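Review bot: In `@@ -242,14 +252,26 @@` the line `check_gpg ${{ matrix.binaries }}` sits after the `>>>>>>> cf88f8c3` marker, so taking the incoming side as written would append it to the new macOS `Build binary` script, where it runs before the `Sign artifacts` step and still expands the matrix value directly into the shell. The context lines at the top of the hunk (`echo "Checking binary ${{ matrix.binaries }}"` and `check_sha256 ${{ matrix.binaries }}`) keep the direct expansion too. When resolving, drop the stray `check_gpg` line and switch the remaining ones to `"$BINARY_NAME"` with the same `env:` entry used in the Linux job of this file. The enclosing job starts above the hunk.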
@@ -257,6 +279,43 @@ jobs: path: ${{ env.ARTIFACTS_PATH }} build-polkadot-deb-package: +======= + - name: Sign artifacts + working-directory: ${{ env.ARTIFACTS_PATH }} + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" + + - name: Check sha256 ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" + + - name: Check GPG ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + check_gpg "$BINARY_NAME" + + - name: Upload ${{ matrix.binaries }} artifacts + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: ${{ matrix.binaries }}_${{ inputs.target }} + path: ${{ env.ARTIFACTS_PATH }} + + build-polkadot-deb-and-rpm-package: +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) if: ${{ inputs.package == 'polkadot' && inputs.target == 'x86_64-unknown-linux-gnu' }} needs: [build-rc] runs-on: ubuntu-latest 
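Review bot: The incoming side of `@@ -257,6 +279,43 @@` carries more than the env-variable change: it moves `actions/upload-artifact` from the `5d5d22a31266ced268874388b861e4b58bb5c2f3` (v4.3.1) pin to `b7c566a772e6b6bfb58ed0dc250532a479d7789f` (v6.0.0) and renames the job `build-polkadot-deb-package` to `build-polkadot-deb-and-rpm-package`. On a backport both need a deliberate decision rather than arriving through conflict resolution: the Linux upload step earlier in this file still pins v4.3.1, and any job that lists the old name in `needs:` (not visible in this hunk) would stop resolving. If only the hardening is wanted here, keep the HEAD job name and action pin and take just the `env:` and quoting lines.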
@@ -291,11 +350,25 @@ jobs: - name: Build polkadot deb package shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + VERSION=$(get_polkadot_node_version_from_code) + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "$INPUT_PACKAGE" "${VERSION}" + +<<<<<<< HEAD +======= + - name: Build polkadot rpm package + shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION} + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "$INPUT_PACKAGE" "${VERSION}" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 with: diff --git a/.github/workflows/release-reusable-s3-upload.yml b/.github/workflows/release-reusable-s3-upload.yml index 37d0dd489bcba..c9d24aa29c2f9 100644 --- a/.github/workflows/release-reusable-s3-upload.yml +++ b/.github/workflows/release-reusable-s3-upload.yml @@ -53,6 +53,10 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload ${{ inputs.package }} artifacts to s3 + env: + PACKAGE: ${{ inputs.package }} + RELEASE_TAG: ${{ inputs.release_tag }} + TARGET: ${{ inputs.target }} run: | . ./.github/scripts/release/release_lib.sh - upload_s3_release ${{ inputs.package }} ${{ inputs.release_tag }} ${{ inputs.target }} + upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET" diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index 9a0ed84e39871..18593e303caa1 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml 
@@ -48,7 +48,7 @@ jobs: run: | . ./.github/scripts/common/lib.sh - echo "Github workspace: ${{ github.workspace }}" + echo "Github workspace: ${GITHUB_WORKSPACE}" echo "Current folder: $(pwd)"; ls -al ls -al @@ -81,11 +81,16 @@ jobs: tag: "1.84.1" - name: Summary + env: + SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }} + CHAIN: ${{ matrix.chain }} + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} run: | - echo '${{ steps.srtool_build.outputs.json }}' | jq > ${{ matrix.chain }}-srtool-digest.json - cat ${{ matrix.chain }}-srtool-digest.json - echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" - echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" + echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json" + cat "${CHAIN}-srtool-digest.json" + echo "Compact Runtime: $WASM_PATH" + echo "Compressed Runtime: $WASM_COMPRESSED_PATH" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 
@@ -101,25 +106,35 @@ jobs: - name: Show Runtime information shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} + CHAIN: ${{ matrix.chain }} run: | - subwasm info ${{ steps.srtool_build.outputs.wasm }} - subwasm info ${{ steps.srtool_build.outputs.wasm_compressed }} - subwasm --json info ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-info.json - subwasm --json info ${{ steps.srtool_build.outputs.wasm_compressed }} > ${{ matrix.chain }}-compressed-info.json + subwasm info "$WASM_PATH" + subwasm info "$WASM_COMPRESSED_PATH" + subwasm --json info "$WASM_PATH" > "${CHAIN}-info.json" + subwasm --json info "$WASM_COMPRESSED_PATH" > "${CHAIN}-compressed-info.json" - name: Extract the metadata shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} run: | - subwasm meta ${{ steps.srtool_build.outputs.wasm }} - subwasm --json meta ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-metadata.json + subwasm meta "$WASM_PATH" + subwasm --json meta "$WASM_PATH" > "${CHAIN}-metadata.json" - name: Check the metadata diff shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} # the following subwasm call will error for chains that are not known and/or live, that includes shell for instance run: | - subwasm diff ${{ steps.srtool_build.outputs.wasm }} --chain-b ${{ matrix.chain }} || \ - echo "Subwasm call failed, check the logs. This is likely because ${{ matrix.chain }} is not known by subwasm" | \ - tee ${{ matrix.chain }}-diff.txt + subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || \ + echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm" | \ + tee "${CHAIN}-diff.txt" - name: Archive Subwasm results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
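Review bot: In the `Check the metadata diff` step the pipe binds tighter than `||`, so `tee "${CHAIN}-diff.txt"` receives only the fallback `echo`; when `subwasm diff` succeeds its output is not captured and the file is not created. If the file is meant to hold the diff, group the commands before the pipe: `{ subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm"; } | tee "${CHAIN}-diff.txt"`. The following `Archive Subwasm results` step is cut off by the hunk, so whether it expects that file is not visible here.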
From dad6fce4194416dc5f7be48ad7b7007100c042a2 Mon Sep 17 00:00:00 2001 From: EgorPopelyaev Date: Fri, 20 Feb 2026 09:55:54 +0100 Subject: [PATCH 2/5] Revert " BACKPORT-CONFLICT" This reverts commit f627f7208fe28bbc56fc4707fc99daab2de99eec. --- .../workflows/release-10_branchoff-stable.yml | 42 +-- .../workflows/release-11_rc-automation.yml | 6 +- .github/workflows/release-20_build-rc.yml | 4 +- .../workflows/release-21_build-runtimes.yml | 4 +- ...mbined-rc-runtime-builds-release-draft.yml | 4 +- .../release-30_publish_release_draft.yml | 98 ++----- .../release-31_promote-rc-to-final.yml | 4 +- .../workflows/release-50_publish-docker.yml | 53 +--- ...ease-60_post-crates-release-activities.yml | 50 +--- .../workflows/release-80_publish-crates.yml | 274 ------------------ .../workflows/release-99_notif-published.yml | 11 +- .github/workflows/release-build-binary.yml | 22 +- .../release-reusable-publish-packages.yml | 30 +- .../workflows/release-reusable-rc-build.yml | 85 +----- .../workflows/release-reusable-s3-upload.yml | 6 +- .github/workflows/release-srtool.yml | 43 +-- 16 files changed, 75 insertions(+), 661 deletions(-) delete mode 100644 .github/workflows/release-80_publish-crates.yml diff --git a/.github/workflows/release-10_branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml index 66a1817df5945..2fad2dbcf1e73 100644 --- a/.github/workflows/release-10_branchoff-stable.yml +++ b/.github/workflows/release-10_branchoff-stable.yml 
@@ -25,23 +25,13 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_NODE_VERSION: ${{ inputs.node_version }} - INPUT_STABLE_VERSION: ${{ inputs.stable_version }} run: | . ./.github/scripts/common/lib.sh -<<<<<<< HEAD node_version=$(filter_version_from_input "${{ inputs.node_version }}") echo "node_version=${node_version}" >> $GITHUB_OUTPUT -======= - if [ -n "$INPUT_NODE_VERSION" ]; then - node_version=$(filter_version_from_input "$INPUT_NODE_VERSION") - echo "node_version=${node_version}" >> $GITHUB_OUTPUT - fi ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - - stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION") + + stable_version=$(validate_stable_tag ${{ inputs.stable_version }}) echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT create-stable-branch: @@ -98,14 +88,10 @@ jobs: - name: Bump versions, reorder prdocs and push stable branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} - NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }} run: | . ./.github/scripts/release/release_lib.sh -<<<<<<< HEAD NODE_VERSION="${{ needs.prepare-tooling.outputs.node_version }}" -======= ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\"" set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs" commit_with_message "Bump node version to $NODE_VERSION in polkadot-cli" 
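Review bot: The new side of `@@ -25,23 +25,13 @@` goes back to expanding `${{ inputs.node_version }}` and `${{ inputs.stable_version }}` into the script text, and `validate_stable_tag ${{ inputs.stable_version }}` is unquoted, so the shell parses the raw input before the validation helper sees it. The same pattern returns in the other revert hunks of this patch (the release-11, -20, -21, -22, -30, -31, -50 and -60 workflows), including `${{ github.ref_name }}` in release-30 and release-60. Reverting the conflicted backport is reasonable, but unless a later patch in this series (not visible here) re-applies the change cleanly, each of these should pass the value through `env:` and use it quoted, e.g. `stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION")`.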
@@ -125,27 +111,3 @@ jobs: gh auth setup-git git push origin "$STABLE_BRANCH_NAME" -<<<<<<< HEAD -======= - - - name: Tag RC after branch off - if: ${{ inputs.tag_rc }} - env: - GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} # or use a PAT with workflow scope - STABLE_VERSION: ${{ needs.validate-inputs.outputs.stable_version }} - GH_REPOSITORY: ${{ github.repository }} - run: | - stable_tag_base="polkadot-${STABLE_VERSION}" - gh workflow run release-11_rc-automation.yml \ - --repo "$GH_REPOSITORY" \ - --ref "$STABLE_VERSION" \ - --field version="${stable_tag_base}" - - tag-rc-without-branchoff: - if: ${{ !inputs.is_new_stable && inputs.tag_rc }} - needs: [ validate-inputs ] - uses: ./.github/workflows/release-11_rc-automation.yml - with: - version: polkadot-${{ needs.validate-inputs.outputs.stable_version }} - secrets: inherit ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) diff --git a/.github/workflows/release-11_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml index 5e83db57cbacd..253c8fa042ea8 100644 --- a/.github/workflows/release-11_rc-automation.yml +++ b/.github/workflows/release-11_rc-automation.yml @@ -68,16 +68,14 @@ jobs: # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }} id: compute_tag shell: bash - env: - INPUT_VERSION: ${{ inputs.version }} run: | . ./.github/scripts/common/lib.sh # Get last rc tag if exists, else set it to {version}-rc1 - if [[ -z "$INPUT_VERSION" ]]; then + if [[ -z "${{ inputs.version }}" ]]; then version=v$(get_polkadot_node_version_from_code) else - version=$(validate_stable_tag "$INPUT_VERSION") + version=$(validate_stable_tag ${{ inputs.version }}) fi echo "$version" echo "version=$version" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index e6a0eb16b0506..88a514c5de8ac 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml 
@@ -38,12 +38,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-polkadot-binary: diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index 53edf9a6ce113..d49a2f6349350 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -70,12 +70,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index acdc9422ac4b0..bd35226028a0c 100644 --- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml @@ -71,12 +71,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes-flow: diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index ed9459476567e..50286bd98a319 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml 
@@ -35,12 +35,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: @@ -67,29 +65,8 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 -<<<<<<< HEAD - name: Download artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 -======= - - name: Generate content write token for the release automation - id: generate_write_token - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 - with: - app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }} - private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }} - owner: paritytech - repositories: polkadot-sdk - - - name: Download runtimes artifacts - if: ${{ inputs.no_runtimes == false && inputs.crates_only == false }} - env: - GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} - BUILD_RUN_ID: ${{ inputs.build_run_id }} - run: | - mkdir -p "${GITHUB_WORKSPACE}/runtimes/" - gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" - ls -la "${GITHUB_WORKSPACE}/runtimes" ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Prepare tooling run: | 
@@ -109,12 +86,6 @@ jobs: PEOPLE_WESTEND_DIGEST: ${{ github.workspace}}/people-westend-runtime/people-westend-srtool-digest.json WESTEND_DIGEST: ${{ github.workspace}}/westend-runtime/westend-srtool-digest.json RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} -<<<<<<< HEAD -======= - NO_RUNTIMES: ${{ inputs.no_runtimes }} - CRATES_ONLY: ${{ inputs.crates_only }} - GH_REF_NAME: ${{ github.ref_name }} ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) shell: bash run: | . ./.github/scripts/common/lib.sh @@ -123,7 +94,7 @@ jobs: export REF1=$(get_latest_release_tag) if [[ -z "$RELEASE_TAG" ]]; then - export REF2="${GH_REF_NAME}" + export REF2="${{ github.ref_name }}" echo "REF2: ${REF2}" else export REF2="$RELEASE_TAG" 
@@ -199,37 +170,14 @@ jobs: owner: paritytech repositories: polkadot-sdk -<<<<<<< HEAD -======= - - name: Download runtimes - env: - GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} - BUILD_RUN_ID: ${{ inputs.build_run_id }} - run: | - mkdir -p "${GITHUB_WORKSPACE}/runtimes/" - gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" - ls -la "${GITHUB_WORKSPACE}/runtimes" - - - name: Get runtime info - env: - CHAIN: ${{ matrix.chain }} - JSON: ${{ github.workspace}}/release-notes-context/runtimes/${{ matrix.chain }}-runtime/${{ matrix.chain }}-srtool-digest.json - run: | - cd "${GITHUB_WORKSPACE}/runtimes" - >>$GITHUB_ENV echo ASSET=$(find "${CHAIN}-runtime" -name '*.compact.compressed.wasm') - >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) - ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} - CHAIN: ${{ matrix.chain }} - VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} run: | - VERSIONED_ASSET="${CHAIN}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" + VERSIONED_ASSET="${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" mv "${{ env.ASSET }}" "$VERSIONED_ASSET" - gh release upload "$VALIDATED_RELEASE_TAG" \ + gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ --repo paritytech/polkadot-sdk "$VERSIONED_ASSET" publish-release-artifacts: 
@@ -247,28 +195,23 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fetch binaries from s3 based on version - env: - VERSION: ${{ needs.validate-inputs.outputs.release_tag }} - BINARY: ${{ matrix.binary }} - TARGET: ${{ matrix.target }} run: | . ./.github/scripts/common/lib.sh - fetch_release_artifacts_from_s3 "$BINARY" "$TARGET" + VERSION="${{ needs.validate-inputs.outputs.release_tag }}" + fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} - name: Rename aarch64-apple-darwin binaries if: ${{ matrix.target == 'aarch64-apple-darwin' }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} - env: - BINARY: ${{ matrix.binary }} run: | . ${{ github.workspace}}/.github/scripts/common/lib.sh - mv "$BINARY" "${BINARY}-aarch64-apple-darwin" - mv "${BINARY}.asc" "${BINARY}-aarch64-apple-darwin.asc" + mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin + mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc - sha256sum "${BINARY}-aarch64-apple-darwin" | tee "${BINARY}-aarch64-apple-darwin.sha256" - check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR" + sha256sum "${{ matrix.binary }}-aarch64-apple-darwin" | tee "${{ matrix.binary }}-aarch64-apple-darwin.sha256" + check_sha256 "${{ matrix.binary }}-aarch64-apple-darwin" && echo "OK" || echo "ERR" - name: Generate content write token for the release automation id: generate_write_token 
@@ -282,23 +225,20 @@ jobs: - name: Upload ${{ matrix.binary }} binary to release draft env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} - BINARY: ${{ matrix.binary }} - TARGET: ${{ matrix.target }} - VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} run: | - if [[ "$TARGET" == "aarch64-apple-darwin" ]]; then - gh release upload "$VALIDATED_RELEASE_TAG" \ + if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then + gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ --repo paritytech/polkadot-sdk \ - "${BINARY}-aarch64-apple-darwin" \ - "${BINARY}-aarch64-apple-darwin.asc" \ - "${BINARY}-aarch64-apple-darwin.sha256" + ${{ matrix.binary }}-aarch64-apple-darwin \ + ${{ matrix.binary }}-aarch64-apple-darwin.asc \ + ${{ matrix.binary }}-aarch64-apple-darwin.sha256 else - gh release upload "$VALIDATED_RELEASE_TAG" \ + gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ --repo paritytech/polkadot-sdk \ - "$BINARY" \ - "${BINARY}.asc" \ - "${BINARY}.sha256" + ${{ matrix.binary }} \ + ${{ matrix.binary }}.asc \ + ${{ matrix.binary }}.sha256 fi post_to_matrix: diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index 241728034287f..06279307a324d 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -40,12 +40,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT promote-polkadot-rc-to-final: 
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index 577995046bd47..d69a6f664c140 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -83,16 +83,13 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_VERSION: ${{ inputs.version }} - INPUT_STABLE_TAG: ${{ inputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION=$(filter_version_from_input "$INPUT_VERSION") + VERSION=$(filter_version_from_input "${{ inputs.version }}") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - STABLE_TAG=$(validate_stable_tag "$INPUT_STABLE_TAG") + STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build @@ -105,17 +102,12 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Fetch rc artifacts or release artifacts from s3 based on version -<<<<<<< HEAD # if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} -======= - if: ${{ inputs.binary == 'polkadot-omni-node' || inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }} - env: - VERSION: ${{ needs.validate-inputs.outputs.stable_tag }} ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) run: | . ./.github/scripts/common/lib.sh - if [[ "$BINARY" == 'polkadot' ]]; then + VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" + if [[ ${{ inputs.binary }} == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu 
@@ -165,31 +157,25 @@ jobs: if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs shell: bash - env: - VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} - VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT - echo "tag=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT + echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT - name: Fetch release tags working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs shell: bash - env: - VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} - VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT - echo "stable=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT + echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot rc if: ${{ env.BINARY == 'polkadot' }} 
@@ -198,33 +184,10 @@ jobs: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} -<<<<<<< HEAD run: | ls -al echo "Building container for $BINARY" ./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER -======= - VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} - shell: bash - run: | - ls -al - echo "Building container for $BINARY" - echo "IMAGE_TYPE: $IMAGE_TYPE" - - if [[ "$IMAGE_TYPE" == "rc" ]]; then - echo "Building RC container for polkadot" - export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" - export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" - ./docker/scripts/build-injected.sh - else - echo "Building release container for polkadot" - export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" - export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" - export POLKADOT_DEB=true - export VERSION="$VALIDATED_VERSION" - ./docker/scripts/build-injected.sh - fi ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Build Injected Container image for polkadot-omni-node/chain-spec-builder if: ${{ env.BINARY == 'polkadot-omni-node' || env.BINARY == 'chain-spec-builder' }} diff --git a/.github/workflows/release-60_post-crates-release-activities.yml b/.github/workflows/release-60_post-crates-release-activities.yml index 907a11cceaa02..8f2f637abc27f 100644 --- a/.github/workflows/release-60_post-crates-release-activities.yml +++ b/.github/workflows/release-60_post-crates-release-activities.yml @@ -168,11 +168,10 @@ jobs: - name: Move prdocs to release folder shell: bash - env: - VERSION: ${{ inputs.version }} run: | . ./.github/scripts/release/release_lib.sh + VERSION="${{ inputs.version }}" echo "Version: $VERSION" reorder_prdocs "$VERSION" 
@@ -282,17 +281,11 @@ jobs: - name: Create Pull Request to base release branch env: -<<<<<<< HEAD GH_TOKEN: ${{ github.token }} -======= - GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} - BRANCH_NAME: ${{ github.ref_name }} - FULL_RELEASE: ${{ inputs.version }} - GH_REPOSITORY: ${{ github.repository }} - GH_REPOSITORY_OWNER: ${{ github.repository_owner }} ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) shell: bash run: | + BRANCH_NAME="${{ github.ref_name }}" + FULL_RELEASE="${{ inputs.version }}" echo "Current branch: $BRANCH_NAME" echo "Version: $FULL_RELEASE" @@ -303,24 +296,8 @@ jobs: BASE_RELEASE="$FULL_RELEASE" fi -<<<<<<< HEAD BASE_RELEASE_UPPER=$(echo "$BASE_RELEASE" | tr '[:lower:]' '[:upper:]') echo "Base release branch (upper): $BASE_RELEASE_UPPER" -======= - TARGET_REPO="paritytech/polkadot-sdk" - - # Determine if running from a fork or the main repo - if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then - # Same-repo PR: head is just the branch name - PR_HEAD="$BRANCH_NAME" - EXTRA_FLAGS="" - else - # Cross-fork PR: head needs the fork owner prefix - FORK_OWNER="$GH_REPOSITORY_OWNER" - PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" - EXTRA_FLAGS="--no-maintainer-edit" - fi ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) # Check if PR already exists EXISTING_PR=$(gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE" --json number --jq '.[0].number') @@ -345,7 +322,6 @@ jobs: - name: Add comment about spec_version env: -<<<<<<< HEAD GH_TOKEN: ${{ github.token }} shell: bash run: | 
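Review bot: `Create Pull Request to base release branch` now authenticates `gh` with `GH_TOKEN: ${{ github.token }}` rather than the generated write token. Events caused by the default workflow token do not start new workflow runs, so a pull request opened this way would normally get no CI checks, and what the token may do depends on the job's `permissions:` block, which is outside the hunk. If a `generate_write_token` step exists in this job on this branch (not visible here), `GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}` keeps the behaviour of the incoming side; otherwise add a comment like `# default token is intentional: no CI run is expected on this PR`.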
@@ -353,26 +329,6 @@ jobs: # Find the PR number for this branch PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[0].number') -======= - GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} - BRANCH_NAME: ${{ github.ref_name }} - GH_REPOSITORY: ${{ github.repository }} - GH_REPOSITORY_OWNER: ${{ github.repository_owner }} - shell: bash - run: | - TARGET_REPO="paritytech/polkadot-sdk" - - # Match the head format used when creating the PR - if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then - PR_HEAD="$BRANCH_NAME" - else - FORK_OWNER="$GH_REPOSITORY_OWNER" - PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" - fi - - # Find the PR number for this branch in the upstream repo - PR_NUMBER=$(gh pr list --repo "$TARGET_REPO" --head "$PR_HEAD" --json number --jq '.[0].number') ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) if [ -n "$PR_NUMBER" ]; then echo "Adding comment to PR #$PR_NUMBER..." diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml deleted file mode 100644 index b72493eb92567..0000000000000 --- a/.github/workflows/release-80_publish-crates.yml +++ /dev/null 
@@ -1,274 +0,0 @@ -name: Release - Publish Crates - -on: - workflow_dispatch: - inputs: - release_name: - description: 'Release name (e.g., stable2509-3). Base branch is derived by removing the last -N suffix.' - required: true - type: string - registry: - description: 'Registry to publish crates to' - required: true - type: choice - options: - - staging.crates.io - - crates.io - default: staging.crates.io - is_patch: - description: 'Is this a patch release? (Set to false for new stable releases)' - required: true - type: boolean - default: true - dry_run: - description: 'Dry run - do not actually publish crates' - required: true - type: boolean - default: true - -permissions: - contents: write - -jobs: - check-synchronization: - uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main - secrets: - fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} - - set-image: - needs: [ check-synchronization ] - if: needs.check-synchronization.outputs.checks_passed == 'true' - runs-on: ubuntu-latest - outputs: - IMAGE: ${{ steps.set_image.outputs.IMAGE }} - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - - id: set_image - run: cat .github/env >> $GITHUB_OUTPUT - - publish-crates: - needs: set-image - runs-on: ubuntu-latest - environment: release - env: - PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }} - PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} - container: - image: ${{ needs.set-image.outputs.IMAGE }} - - steps: - - name: Install pgpkms - run: | - # Install pgpkms that is used to sign commits - pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151 - - - name: Derive stable branch from release name - id: derive_branch - shell: bash - env: - 
RELEASE_NAME: ${{ inputs.release_name }} - run: | - echo "Release name: $RELEASE_NAME" - - # Extract stable branch by removing the last -N suffix - # e.g., stable2509-3 -> stable2509 - if [[ "$RELEASE_NAME" =~ ^(.+)-[0-9]+$ ]]; then - STABLE_BRANCH="${BASH_REMATCH[1]}" - else - # If no suffix, use the release name as-is (first release) - STABLE_BRANCH="$RELEASE_NAME" - fi - - echo "Stable branch: $STABLE_BRANCH" - echo "STABLE_BRANCH=$STABLE_BRANCH" >> $GITHUB_OUTPUT - - echo "CRATES_RELEASE_BRANCH=post-crates-release-$RELEASE_NAME" >> $GITHUB_OUTPUT - - - name: Checkout stable branch - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - ref: ${{ steps.derive_branch.outputs.STABLE_BRANCH }} - fetch-depth: 0 - - - name: Import GPG keys - shell: bash - run: | - . ./.github/scripts/common/lib.sh - import_gpg_keys - - - name: Configure git - shell: bash - run: | - git config --global --add safe.directory "${GITHUB_WORKSPACE}" - git config --global commit.gpgsign true - PGPKMS_PATH=$(which pgpkms-git) - echo "Using pgpkms-git at: $PGPKMS_PATH" - git config --global gpg.program "$PGPKMS_PATH" - git config --global user.name "ParityReleases" - git config --global user.email "release-team@parity.io" - git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51" - - - name: Create or switch to release branch - shell: bash - env: - CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} - run: | - - if git rev-parse --verify -q "$CRATES_RELEASE_BRANCH" &>/dev/null; then - echo "Branch $CRATES_RELEASE_BRANCH already exists, switching to it" - git checkout "$CRATES_RELEASE_BRANCH" - else - echo "Creating branch: $CRATES_RELEASE_BRANCH" - git checkout -b "$CRATES_RELEASE_BRANCH" - fi - echo "On branch $CRATES_RELEASE_BRANCH" - - - name: Install Rust 1.93 - shell: bash - run: | - rustup install 1.93 - rustup default 1.93 - echo "Rust version:" - rustc --version - cargo --version - - - name: Rust Cache - 
uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 - with: - cache-on-failure: true - - - name: Install parity-publish - run: | - apt-get update && apt-get install -y --no-install-recommends libcurl4-openssl-dev pkg-config - cargo install parity-publish@0.10.10 --locked -q - - - name: Run parity-publish plan - run: | - echo "Running parity-publish plan..." - parity-publish plan --prdoc prdoc - - - name: Save Plan.toml diff - if: inputs.is_patch - env: - RELEASE_NAME: ${{ inputs.release_name }} - run: | - mkdir -p release-artifacts - - echo "Saving Plan.toml diff..." - git diff Plan.toml > "release-artifacts/changed_crates_${RELEASE_NAME}.txt" - - echo "Plan.toml changes:" - cat "release-artifacts/changed_crates_${RELEASE_NAME}.txt" - - - name: Parse crate names for release notes - if: inputs.is_patch - shell: bash - env: - RELEASE_NAME: ${{ inputs.release_name }} - run: | - - echo "Parsing crate names..." - python3 scripts/release/parse-crates-names.py \ - "release-artifacts/changed_crates_${RELEASE_NAME}.txt" \ - scripts/release/templates/crates_list.md.tera - - echo "Crates list:" - cat scripts/release/templates/crates_list.md.tera - - - name: Commit Plan.toml and crates list - shell: bash - env: - IS_PATCH: ${{ inputs.is_patch }} - RELEASE_NAME: ${{ inputs.release_name }} - run: | - . ./.github/scripts/release/release_lib.sh - - git add Plan.toml - if [ "$IS_PATCH" = true ]; then - git add scripts/release/templates/crates_list.md.tera - fi - - if [[ -n $(git status --porcelain) ]]; then - commit_with_message "chore: update Plan.toml and crates list for $RELEASE_NAME" - echo "Committed Plan.toml and crates list" - else - echo "No changes to commit" - fi - - - name: Run parity-publish apply - run: | - echo "Running parity-publish apply..." - parity-publish apply - - - name: Update Cargo.lock - run: | - echo "Updating Cargo.lock..." 
- cargo update --workspace --offline || cargo update --workspace - echo "Cargo.lock updated" - - - name: Commit version bumps - shell: bash - env: - RELEASE_NAME: ${{ inputs.release_name }} - run: | - . ./.github/scripts/release/release_lib.sh - - git add -A - - if [[ -n $(git status --porcelain) ]]; then - commit_with_message "chore: apply version bumps for $RELEASE_NAME" - echo "Committed version bumps" - else - echo "No changes to commit" - fi - - - name: Push release branch - env: - CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} - run: | - echo "Pushing branch $CRATES_RELEASE_BRANCH..." - git push origin "$CRATES_RELEASE_BRANCH" - echo "Successfully pushed $CRATES_RELEASE_BRANCH" - - - name: Configure cargo registry - shell: bash - env: - REGISTRY: ${{ inputs.registry }} - run: | - echo "Configuring cargo for $REGISTRY..." - mkdir -p ~/.cargo - - if [ "$REGISTRY" = "staging.crates.io" ]; then - cat >> ~/.cargo/config.toml << 'EOF' - [registries.crates-io] - index = "sparse+https://index.staging.crates.io/" - EOF - else - echo "Using default crates.io registry" - fi - - echo "Cargo config:" - cat ~/.cargo/config.toml || echo "(using defaults)" - - - name: Publish crates - shell: bash - env: - PARITY_PUBLISH_CRATESIO_TOKEN: ${{ inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN }} - DRY_RUN: ${{ inputs.dry_run }} - REGISTRY: ${{ inputs.registry }} - run: | - - if [ "$DRY_RUN" = true ]; then - echo "DRY RUN - Not actually publishing crates" - echo "Target registry: $REGISTRY" - parity-publish apply -p -d - else - echo "Publishing crates to $REGISTRY..." - parity-publish apply -p - echo "Crates published successfully to $REGISTRY!" - fi diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml index 2beebbc87f459..d0b274e302191 100644 --- a/.github/workflows/release-99_notif-published.yml 
+++ b/.github/workflows/release-99_notif-published.yml @@ -14,30 +14,25 @@ jobs: id: fetch_latest_release_tag env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPOSITORY: ${{ github.repository }} run: | TAG_NAME=$(curl -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - -sL "https://api.github.com/repos/${GH_REPOSITORY}/releases/latest" \ + -sL "https://api.github.com/repos/${{ github.repository }}/releases/latest" \ | jq -r '.tag_name') echo "Latest release tag: $TAG_NAME" echo "latest_tag_name=$TAG_NAME" >> $GITHUB_OUTPUT - name: Fetch current release tag name id: fetch_curent_release_tag - env: - CURRENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | + CURRENT_RELEASE_TAG_NAME=${{github.event.release.tag_name}} echo "Current release tag: $CURRENT_RELEASE_TAG_NAME" echo "current_tag_name=$CURRENT_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Check if release is latest id: check_is_latest - env: - LATEST_TAG: ${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }} - CURRENT_TAG: ${{ steps.fetch_curent_release_tag.outputs.current_tag_name }} run: | - if [[ "$LATEST_TAG" == "$CURRENT_TAG" ]]; then + if [[ "${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }}" == "${{ steps.fetch_curent_release_tag.outputs.current_tag_name }}" ]]; then echo "Release is latest" echo "is_latest=true" >> $GITHUB_OUTPUT else diff --git a/.github/workflows/release-build-binary.yml b/.github/workflows/release-build-binary.yml index 364263d9f181d..a5adab421a8a4 100644 --- a/.github/workflows/release-build-binary.yml +++ b/.github/workflows/release-build-binary.yml 
@@ -44,10 +44,8 @@ jobs: - name: Set runner id: set_runner shell: bash - env: - INPUT_BINARY: ${{ inputs.binary }} run: | - if [[ "$INPUT_BINARY" == "polkadot-parachain" ]]; then + if [[ "${{ inputs.binary }}" == "polkadot-parachain" ]]; then echo "RUNNER=parity-large" >> $GITHUB_OUTPUT else echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT @@ -63,30 +61,16 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build binary - env: - INPUT_BINARY: ${{ inputs.binary }} - INPUT_PACKAGE: ${{ inputs.package }} - INPUT_PROFILE: ${{ inputs.profile }} - INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - PROFILE="$INPUT_PROFILE" - if [ "$INPUT_BINARY" = "polkadot" ]; then + PROFILE=${{ inputs.profile }} + if [ "${{ inputs.binary }}" = "polkadot" ]; then for binary in polkadot polkadot-prepare-worker polkadot-execute-worker; do -<<<<<<< HEAD echo "Building $binary..." ./.github/scripts/release/build-linux-release.sh $binary ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} done else ./.github/scripts/release/build-linux-release.sh ${{ inputs.binary }} ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} -======= - echo "Building $binary with profile $PROFILE and features $INPUT_FEATURES" - ./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES" - done - else - echo "Building $INPUT_BINARY with profile $PROFILE and features $INPUT_FEATURES" - ./.github/scripts/release/build-linux-release.sh "$INPUT_BINARY" "$INPUT_PACKAGE" "$INPUT_FEATURES" ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) fi - name: Upload ${{ inputs.binary }} artifacts diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml index 5ceb36b0ae0d2..03ff1e1b28965 100644 
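Review bot: `Build binary` calls `build-linux-release.sh` with four positional arguments (`$binary ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }}`), while the call in release-reusable-rc-build.yml later in this patch passes three, with features in third position. The script is not shown, so one of the two call sites may be handing it the profile where it expects features; this is worth checking against the script's parameter handling. Because `${{ inputs.features }}` is unquoted, an empty features input also removes the argument instead of passing an empty string. Quoting every argument, e.g. `"$binary" "$INPUT_PACKAGE" "${PROFILE}" "$INPUT_FEATURES"` with the inputs mapped under `env:`, keeps the positions stable.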
--- a/.github/workflows/release-reusable-publish-packages.yml +++ b/.github/workflows/release-reusable-publish-packages.yml @@ -47,12 +47,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_TAG: ${{ inputs.tag }} run: | # Source common library for helper functions . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts-from-s3: @@ -73,17 +71,15 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version id: fetch_artifacts_from_s3 - env: - PACKAGE_TYPE: ${{ inputs.package_type }} run: | . ./.github/scripts/common/lib.sh NODE_VERSION="$(get_polkadot_node_version_from_code)" echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT # Fetch specific package type artifact (deb or rpm) - if [[ "$PACKAGE_TYPE" == "deb" ]]; then + if [[ "${{ inputs.package_type }}" == "deb" ]]; then fetch_debian_package_from_s3 polkadot - elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then + elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then fetch_rpm_package_from_s3 polkadot fi @@ -138,15 +134,14 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} - PACKAGE_TYPE: ${{ inputs.package_type }} run: | # --- Sync Local Repo from S3 --- mkdir -p "$LOCAL_REPO_PATH" - if [[ "$PACKAGE_TYPE" == "deb" ]]; then + if [[ "${{ inputs.package_type }}" == "deb" ]]; then aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true - elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then + elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true fi 
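Review bot: Under the `# --- Sync Local Repo from S3 ---` comment in the third hunk, every `aws s3 sync … || true` hides a failed download, so the job can continue with an empty or partial `$LOCAL_REPO_PATH`. The later steps add the new package and sync the directory back to `$AWS_REPO_PATH`, which could then publish repository metadata that no longer lists the packages already in the bucket. If `|| true` is only meant to cover the first publish into an empty prefix, test for that case explicitly and let other errors fail the step; at minimum record the intent with `# tolerate a missing prefix on first publish`. The step starts above the hunk.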
@@ -156,18 +151,16 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} - PACKAGE_TYPE: ${{ inputs.package_type }} - DISTRIBUTION: ${{ inputs.distribution }} run: | . ./.github/scripts/common/lib.sh import_gpg_keys # --- Add Package to Repo and Sign --- - if [[ "$PACKAGE_TYPE" == "deb" ]]; then + if [[ "${{ inputs.package_type }}" == "deb" ]]; then debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1) - reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname" + reprepro -b "$LOCAL_REPO_PATH" includedeb "${{ inputs.distribution }}" "$debname" - elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then + elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then rpmname=$(find release-artifacts/ -name 'polkadot-*.rpm' | head -n 1) echo "Signing package with pgpkms (via AWS KMS)..." @@ -191,13 +184,10 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} - DISTRIBUTION: ${{ inputs.distribution }} - CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }} - PACKAGE_TYPE: ${{ inputs.package_type }} run: | - if [[ "$DISTRIBUTION" == "release" ]]; then + if [[ "${{ inputs.distribution }}" == "release" ]]; then aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read else aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" fi - aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*" + aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/${{ inputs.package_type }}/*' diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml index c9e981a7a62b6..7b128fed99960 100644 --- a/.github/workflows/release-reusable-rc-build.yml +++ b/.github/workflows/release-reusable-rc-build.yml 
@@ -104,13 +104,9 @@ jobs: import_gpg_keys - name: Build binary - env: - BINARY_NAME: ${{ matrix.binaries }} - INPUT_PACKAGE: ${{ inputs.package }} - INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-linux-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 @@ -119,31 +115,25 @@ jobs: - name: Sign artifacts working-directory: /artifacts/${{ matrix.binaries }} - env: - BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" + python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc - name: Check sha256 ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash - env: - BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary $BINARY_NAME" - check_sha256 "$BINARY_NAME" + echo "Checking binary ${{ matrix.binaries }}" + check_sha256 ${{ matrix.binaries }} - name: Check GPG ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash - env: - BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg "$BINARY_NAME" + check_gpg ${{ matrix.binaries }} - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
@@ -252,26 +242,14 @@ jobs: echo "Checking binary ${{ matrix.binaries }}" check_sha256 ${{ matrix.binaries }} -<<<<<<< HEAD - name: Check GPG ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh -======= - - name: Build binary - env: - BINARY_NAME: ${{ matrix.binaries }} - INPUT_PACKAGE: ${{ inputs.package }} - INPUT_FEATURES: ${{ inputs.features }} - run: | - git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) check_gpg ${{ matrix.binaries }} -<<<<<<< HEAD - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: 
@@ -279,43 +257,6 @@ jobs: path: ${{ env.ARTIFACTS_PATH }} build-polkadot-deb-package: -======= - - name: Sign artifacts - working-directory: ${{ env.ARTIFACTS_PATH }} - env: - BINARY_NAME: ${{ matrix.binaries }} - run: | - python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - - - name: Check sha256 ${{ matrix.binaries }} - working-directory: ${{ env.ARTIFACTS_PATH }} - shell: bash - env: - BINARY_NAME: ${{ matrix.binaries }} - run: | - . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - - echo "Checking binary $BINARY_NAME" - check_sha256 "$BINARY_NAME" - - - name: Check GPG ${{ matrix.binaries }} - working-directory: ${{ env.ARTIFACTS_PATH }} - shell: bash - env: - BINARY_NAME: ${{ matrix.binaries }} - run: | - . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - - check_gpg "$BINARY_NAME" - - - name: Upload ${{ matrix.binaries }} artifacts - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 - with: - name: ${{ matrix.binaries }}_${{ inputs.target }} - path: ${{ env.ARTIFACTS_PATH }} - - build-polkadot-deb-and-rpm-package: ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) if: ${{ inputs.package == 'polkadot' && inputs.target == 'x86_64-unknown-linux-gnu' }} needs: [build-rc] runs-on: ubuntu-latest 
@@ -350,25 +291,11 @@ jobs: - name: Build polkadot deb package shell: bash - env: - INPUT_PACKAGE: ${{ inputs.package }} - run: | - . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "$INPUT_PACKAGE" "${VERSION}" - -<<<<<<< HEAD -======= - - name: Build polkadot rpm package - shell: bash - env: - INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "$INPUT_PACKAGE" "${VERSION}" + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION} ->>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 with: diff --git a/.github/workflows/release-reusable-s3-upload.yml b/.github/workflows/release-reusable-s3-upload.yml index c9d24aa29c2f9..37d0dd489bcba 100644 --- a/.github/workflows/release-reusable-s3-upload.yml +++ b/.github/workflows/release-reusable-s3-upload.yml @@ -53,10 +53,6 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload ${{ inputs.package }} artifacts to s3 - env: - PACKAGE: ${{ inputs.package }} - RELEASE_TAG: ${{ inputs.release_tag }} - TARGET: ${{ inputs.target }} run: | . ./.github/scripts/release/release_lib.sh - upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET" + upload_s3_release ${{ inputs.package }} ${{ inputs.release_tag }} ${{ inputs.target }} diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index 18593e303caa1..9a0ed84e39871 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml 
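Review bot: The resolved `build-polkadot-deb-package` job keeps only the deb step, while release-reusable-publish-packages.yml in this same patch still has an `rpm` branch (`fetch_rpm_package_from_s3 polkadot`). If nothing on this branch builds and uploads the rpm, that publish path has no artifact to fetch; worth confirming, or stating in the job that rpm is out of scope for the backport. Separately, `build-deb.sh` is sourced with `.` rather than executed, so any `exit` or variable it sets affects the step's own shell; `"${GITHUB_WORKSPACE}/.github/scripts/release/build-deb.sh" "$INPUT_PACKAGE" "${VERSION}"` isolates it, provided the script does not rely on being sourced.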
@@ -48,7 +48,7 @@ jobs: run: | . ./.github/scripts/common/lib.sh - echo "Github workspace: ${GITHUB_WORKSPACE}" + echo "Github workspace: ${{ github.workspace }}" echo "Current folder: $(pwd)"; ls -al ls -al @@ -81,16 +81,11 @@ jobs: tag: "1.84.1" - name: Summary - env: - SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }} - CHAIN: ${{ matrix.chain }} - WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} - WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} run: | - echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json" - cat "${CHAIN}-srtool-digest.json" - echo "Compact Runtime: $WASM_PATH" - echo "Compressed Runtime: $WASM_COMPRESSED_PATH" + echo '${{ steps.srtool_build.outputs.json }}' | jq > ${{ matrix.chain }}-srtool-digest.json + cat ${{ matrix.chain }}-srtool-digest.json + echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" + echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 
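Review bot: `echo '${{ steps.srtool_build.outputs.json }}' | jq` in `Summary` places the JSON between single quotes in the script text, so a single quote anywhere in the srtool output ends the string early and the remainder is parsed as shell. Mapping it under `env:` (`SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }}`) and writing `echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json"` handles any content. The unquoted `${{ matrix.chain }}-srtool-digest.json` file names in the same step should be quoted for the same reason.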
@@ -106,35 +101,25 @@ jobs: - name: Show Runtime information shell: bash - env: - WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} - WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} - CHAIN: ${{ matrix.chain }} run: | - subwasm info "$WASM_PATH" - subwasm info "$WASM_COMPRESSED_PATH" - subwasm --json info "$WASM_PATH" > "${CHAIN}-info.json" - subwasm --json info "$WASM_COMPRESSED_PATH" > "${CHAIN}-compressed-info.json" + subwasm info ${{ steps.srtool_build.outputs.wasm }} + subwasm info ${{ steps.srtool_build.outputs.wasm_compressed }} + subwasm --json info ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-info.json + subwasm --json info ${{ steps.srtool_build.outputs.wasm_compressed }} > ${{ matrix.chain }}-compressed-info.json - name: Extract the metadata shell: bash - env: - WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} - CHAIN: ${{ matrix.chain }} run: | - subwasm meta "$WASM_PATH" - subwasm --json meta "$WASM_PATH" > "${CHAIN}-metadata.json" + subwasm meta ${{ steps.srtool_build.outputs.wasm }} + subwasm --json meta ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-metadata.json - name: Check the metadata diff shell: bash - env: - WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} - CHAIN: ${{ matrix.chain }} # the following subwasm call will error for chains that are not known and/or live, that includes shell for instance run: | - subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || \ - echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm" | \ - tee "${CHAIN}-diff.txt" + subwasm diff ${{ steps.srtool_build.outputs.wasm }} --chain-b ${{ matrix.chain }} || \ + echo "Subwasm call failed, check the logs. This is likely because ${{ matrix.chain }} is not known by subwasm" | \ + tee ${{ matrix.chain }}-diff.txt - name: Archive Subwasm results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
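Review bot: In `Check the metadata diff` the pipe binds tighter than `||`, so `tee ${{ matrix.chain }}-diff.txt` only receives the fallback `echo`; when `subwasm diff` succeeds its output is not written to the file and the file is not created. If the diff is meant to be picked up by the following `Archive Subwasm results` step, group the alternatives: `{ subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || echo "Subwasm call failed, check the logs."; } | tee "${CHAIN}-diff.txt"`, with `WASM_PATH` and `CHAIN` mapped under `env:`. The archive step's `path:` is outside the hunk, so whether the file is expected there is an assumption.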
From 454a518cc97453f6dcbdfdf7865058ff476d6896 Mon Sep 17 00:00:00 2001 From: Egor_P Date: Thu, 19 Feb 2026 16:31:08 +0100 Subject: [PATCH 3/5] [Release|CI/CD] Replace direct use of inputs with ENVs (#11116) Replace direct use of inputs with ENVs in release pipelines cc: https://github.com/paritytech/release-engineering/issues/284 --- .../workflows/release-10_branchoff-stable.yml | 13 +- .../workflows/release-11_rc-automation.yml | 6 +- .github/workflows/release-20_build-rc.yml | 4 +- .../workflows/release-21_build-runtimes.yml | 4 +- ...mbined-rc-runtime-builds-release-draft.yml | 4 +- .../release-30_publish_release_draft.yml | 69 +++-- .../release-31_promote-rc-to-final.yml | 4 +- .../workflows/release-50_publish-docker.yml | 43 ++- ...ease-60_post-crates-release-activities.yml | 45 ++- .../workflows/release-80_publish-crates.yml | 274 ++++++++++++++++++ .../workflows/release-99_notif-published.yml | 11 +- .github/workflows/release-build-binary.yml | 20 +- .../release-reusable-publish-packages.yml | 30 +- .../workflows/release-reusable-rc-build.yml | 93 ++++-- .../workflows/release-reusable-s3-upload.yml | 6 +- .github/workflows/release-srtool.yml | 43 ++- 16 files changed, 556 insertions(+), 113 deletions(-) create mode 100644 .github/workflows/release-80_publish-crates.yml diff --git a/.github/workflows/release-10_branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml index 2fad2dbcf1e73..5de9d45e3416c 100644 --- a/.github/workflows/release-10_branchoff-stable.yml +++ b/.github/workflows/release-10_branchoff-stable.yml 
@@ -25,13 +25,18 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_NODE_VERSION: ${{ inputs.node_version }} + INPUT_STABLE_VERSION: ${{ inputs.stable_version }} run: | . ./.github/scripts/common/lib.sh - node_version=$(filter_version_from_input "${{ inputs.node_version }}") - echo "node_version=${node_version}" >> $GITHUB_OUTPUT + if [ -n "$INPUT_NODE_VERSION" ]; then + node_version=$(filter_version_from_input "$INPUT_NODE_VERSION") + echo "node_version=${node_version}" >> $GITHUB_OUTPUT + fi - stable_version=$(validate_stable_tag ${{ inputs.stable_version }}) + stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION") echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT create-stable-branch: @@ -88,10 +93,10 @@ jobs: - name: Bump versions, reorder prdocs and push stable branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }} run: | . ./.github/scripts/release/release_lib.sh - NODE_VERSION="${{ needs.prepare-tooling.outputs.node_version }}" NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\"" set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs" commit_with_message "Bump node version to $NODE_VERSION in polkadot-cli" diff --git a/.github/workflows/release-11_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml index 253c8fa042ea8..5e83db57cbacd 100644 --- a/.github/workflows/release-11_rc-automation.yml +++ b/.github/workflows/release-11_rc-automation.yml 
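Review bot: In the second hunk, `NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }}` switches the source job from `prepare-tooling` to `validate-inputs`, which only resolves if this job lists `validate-inputs` under `needs:` and that job declares `node_version` in its `outputs:`; neither is visible in the hunk. The first hunk also makes the output optional (`if [ -n "$INPUT_NODE_VERSION" ]`), so `NODE_VERSION` can be empty here, and the unquoted `$NODE_VERSION` in `set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs"` would then disappear and shift the file path into its position. Quote it as `"$NODE_VERSION"` and stop early when it is empty, e.g. `[ -n "$NODE_VERSION" ] || { echo "node_version not set"; exit 1; }`, unless a guard outside the hunk already covers this.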
@@ -68,14 +68,16 @@ jobs: # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }} id: compute_tag shell: bash + env: + INPUT_VERSION: ${{ inputs.version }} run: | . ./.github/scripts/common/lib.sh # Get last rc tag if exists, else set it to {version}-rc1 - if [[ -z "${{ inputs.version }}" ]]; then + if [[ -z "$INPUT_VERSION" ]]; then version=v$(get_polkadot_node_version_from_code) else - version=$(validate_stable_tag ${{ inputs.version }}) + version=$(validate_stable_tag "$INPUT_VERSION") fi echo "$version" echo "version=$version" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index 88a514c5de8ac..e6a0eb16b0506 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml @@ -38,10 +38,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-polkadot-binary: diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index d49a2f6349350..53edf9a6ce113 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -70,10 +70,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index bd35226028a0c..acdc9422ac4b0 100644 
--- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml @@ -71,10 +71,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes-flow: diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index 50286bd98a319..e111f7537a22a 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml @@ -35,10 +35,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: @@ -86,6 +88,7 @@ jobs: PEOPLE_WESTEND_DIGEST: ${{ github.workspace}}/people-westend-runtime/people-westend-srtool-digest.json WESTEND_DIGEST: ${{ github.workspace}}/westend-runtime/westend-srtool-digest.json RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} + GH_REF_NAME: ${{ github.ref_name }} shell: bash run: | . ./.github/scripts/common/lib.sh @@ -94,7 +97,7 @@ jobs: export REF1=$(get_latest_release_tag) if [[ -z "$RELEASE_TAG" ]]; then - export REF2="${{ github.ref_name }}" + export REF2="${GH_REF_NAME}" echo "REF2: ${REF2}" else export REF2="$RELEASE_TAG" 
@@ -170,14 +173,34 @@ jobs: owner: paritytech repositories: polkadot-sdk + - name: Download runtimes + env: + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} + run: | + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" + + - name: Get runtime info + env: + CHAIN: ${{ matrix.chain }} + JSON: ${{ github.workspace}}/release-notes-context/runtimes/${{ matrix.chain }}-runtime/${{ matrix.chain }}-srtool-digest.json + run: | + cd "${GITHUB_WORKSPACE}/runtimes" + >>$GITHUB_ENV echo ASSET=$(find "${CHAIN}-runtime" -name '*.compact.compressed.wasm') + >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) + - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + CHAIN: ${{ matrix.chain }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} run: | - VERSIONED_ASSET="${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" + VERSIONED_ASSET="${CHAIN}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" mv "${{ env.ASSET }}" "$VERSIONED_ASSET" - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk "$VERSIONED_ASSET" publish-release-artifacts: 
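Review bot: The upload step still interpolates `${{ env.SPEC }}` and `${{ env.ASSET }}` into the script text, which is the pattern this commit removes elsewhere, and both values come from downloaded artifact contents (a `find` result and a field of the srtool digest JSON). They are already exported through `$GITHUB_ENV`, so the script can read them as shell variables: `VERSIONED_ASSET="${CHAIN}_runtime-v${SPEC}.compact.compressed.wasm"` and `mv "$ASSET" "$VERSIONED_ASSET"`. In "Get runtime info", `JSON` points under `release-notes-context/runtimes/` while "Download runtimes" writes to `${GITHUB_WORKSPACE}/runtimes`; unless a step outside the hunk populates that directory, `SPEC` will be empty. The unquoted `$(find ...)` written to `$GITHUB_ENV` should also be constrained to a single match, since a multi-line result would add extra lines to the environment file.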
@@ -195,23 +218,28 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fetch binaries from s3 based on version + env: + VERSION: ${{ needs.validate-inputs.outputs.release_tag }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.release_tag }}" - fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} + fetch_release_artifacts_from_s3 "$BINARY" "$TARGET" - name: Rename aarch64-apple-darwin binaries if: ${{ matrix.target == 'aarch64-apple-darwin' }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + env: + BINARY: ${{ matrix.binary }} run: | . ${{ github.workspace}}/.github/scripts/common/lib.sh - mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin - mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc + mv "$BINARY" "${BINARY}-aarch64-apple-darwin" + mv "${BINARY}.asc" "${BINARY}-aarch64-apple-darwin.asc" - sha256sum "${{ matrix.binary }}-aarch64-apple-darwin" | tee "${{ matrix.binary }}-aarch64-apple-darwin.sha256" - check_sha256 "${{ matrix.binary }}-aarch64-apple-darwin" && echo "OK" || echo "ERR" + sha256sum "${BINARY}-aarch64-apple-darwin" | tee "${BINARY}-aarch64-apple-darwin.sha256" + check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR" - name: Generate content write token for the release automation id: generate_write_token 
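Review bot: In "Rename aarch64-apple-darwin binaries", `check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR"` can never fail the step: a failed check prints ERR and the step still exits 0, so the release upload proceeds. The `.sha256` file is also generated on the line above from the same file, so as far as the hunk shows the check compares the binary with itself. If the check is meant to gate the release, let it fail: `check_sha256 "${BINARY}-aarch64-apple-darwin" || { echo "ERR"; exit 1; }`. Whether the renamed `.asc` signature is verified before upload is not visible here.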
@@ -225,20 +253,23 @@ jobs: - name: Upload ${{ matrix.binary }} binary to release draft env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} run: | - if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + if [[ "$TARGET" == "aarch64-apple-darwin" ]]; then + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }}-aarch64-apple-darwin \ - ${{ matrix.binary }}-aarch64-apple-darwin.asc \ - ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + "${BINARY}-aarch64-apple-darwin" \ + "${BINARY}-aarch64-apple-darwin.asc" \ + "${BINARY}-aarch64-apple-darwin.sha256" else - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }} \ - ${{ matrix.binary }}.asc \ - ${{ matrix.binary }}.sha256 + "$BINARY" \ + "${BINARY}.asc" \ + "${BINARY}.sha256" fi post_to_matrix: diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index 06279307a324d..241728034287f 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -40,10 +40,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT promote-polkadot-rc-to-final: 
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index d69a6f664c140..2a53290668697 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -83,13 +83,16 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_VERSION: ${{ inputs.version }} + INPUT_STABLE_TAG: ${{ inputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION=$(filter_version_from_input "${{ inputs.version }}") + VERSION=$(filter_version_from_input "$INPUT_VERSION") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) + STABLE_TAG=$(validate_stable_tag "$INPUT_STABLE_TAG") echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build @@ -103,11 +106,12 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version # if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} + env: + VERSION: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" - if [[ ${{ inputs.binary }} == 'polkadot' ]]; then + if [[ "$BINARY" == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu 
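Review bot: The "Fetch rc artifacts or release artifacts from s3" step now tests `"$BINARY"`, but its new `env:` block defines only `VERSION`, so the comparison depends on a `BINARY` variable set outside the hunk. Later steps reference `env.BINARY`, so a workflow-level definition probably exists; if it does not, the test is always false and the `polkadot` branch is skipped silently. Either add `BINARY: ${{ inputs.binary }}` to this step's `env:` or add the comment `# BINARY comes from the workflow-level env` so the dependency is visible.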
@@ -157,25 +161,31 @@ jobs: if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Fetch release tags working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot rc if: ${{ env.BINARY == 'polkadot' }} 
@@ -184,10 +194,25 @@ jobs: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} run: | ls -al echo "Building container for $BINARY" - ./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER + echo "IMAGE_TYPE: $IMAGE_TYPE" + + if [[ "$IMAGE_TYPE" == "rc" ]]; then + echo "Building RC container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + ./docker/scripts/build-injected.sh + else + echo "Building release container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + export POLKADOT_DEB=true + export VERSION="$VALIDATED_VERSION" + ./docker/scripts/build-injected.sh + fi - name: Build Injected Container image for polkadot-omni-node/chain-spec-builder if: ${{ env.BINARY == 'polkadot-omni-node' || env.BINARY == 'chain-spec-builder' }} diff --git a/.github/workflows/release-60_post-crates-release-activities.yml b/.github/workflows/release-60_post-crates-release-activities.yml index 8f2f637abc27f..f36ba4b875092 100644 --- a/.github/workflows/release-60_post-crates-release-activities.yml +++ b/.github/workflows/release-60_post-crates-release-activities.yml @@ -168,10 +168,11 @@ jobs: - name: Move prdocs to release folder shell: bash + env: + VERSION: ${{ inputs.version }} run: | . ./.github/scripts/release/release_lib.sh - VERSION="${{ inputs.version }}" echo "Version: $VERSION" reorder_prdocs "$VERSION" 
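Review bot: The new `else` branch in "Build Injected Container image for polkadot rc" builds the release image (Debian Dockerfile, `POLKADOT_DEB=true`) for every `IMAGE_TYPE` other than `rc`, including an empty or misspelled one. Make the second case explicit and reject anything else: `elif [[ "$IMAGE_TYPE" == "release" ]]; then` followed by `else echo "Unknown IMAGE_TYPE: $IMAGE_TYPE"; exit 1`. The hunk also replaces `./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER` with `./docker/scripts/build-injected.sh` and no argument, which goes beyond the env refactor named in the commit title; confirm the generic script takes the artifacts folder from the environment.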
@@ -281,11 +282,13 @@ jobs: - name: Create Pull Request to base release branch env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + FULL_RELEASE: ${{ inputs.version }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" - FULL_RELEASE="${{ inputs.version }}" echo "Current branch: $BRANCH_NAME" echo "Version: $FULL_RELEASE" @@ -296,8 +299,19 @@ jobs: BASE_RELEASE="$FULL_RELEASE" fi - BASE_RELEASE_UPPER=$(echo "$BASE_RELEASE" | tr '[:lower:]' '[:upper:]') - echo "Base release branch (upper): $BASE_RELEASE_UPPER" + TARGET_REPO="paritytech/polkadot-sdk" + + # Determine if running from a fork or the main repo + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then + # Same-repo PR: head is just the branch name + PR_HEAD="$BRANCH_NAME" + EXTRA_FLAGS="" + else + # Cross-fork PR: head needs the fork owner prefix + FORK_OWNER="$GH_REPOSITORY_OWNER" + PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" + EXTRA_FLAGS="--no-maintainer-edit" + fi # Check if PR already exists EXISTING_PR=$(gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE" --json number --jq '.[0].number') 
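Review bot: `PR_HEAD` and `EXTRA_FLAGS` are computed in the second hunk, but the unchanged existing-PR check right below still runs `gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE"` with no `--repo`, so it queries whichever repository the working directory resolves to rather than `$TARGET_REPO`. The "Add comment about spec_version" step passes `--repo "$TARGET_REPO"`; the two lookups should agree, e.g. `gh pr list --repo "$TARGET_REPO" --head "$BRANCH_NAME" --base "$BASE_RELEASE" --json number --jq '.[0].number'`. The part of the step that creates the PR lies outside the hunk, so whether `PR_HEAD` and `EXTRA_FLAGS` are used there cannot be seen from here.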
@@ -322,13 +336,24 @@ jobs: - name: Add comment about spec_version env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" + TARGET_REPO="paritytech/polkadot-sdk" + + # Match the head format used when creating the PR + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then + PR_HEAD="$BRANCH_NAME" + else + FORK_OWNER="$GH_REPOSITORY_OWNER" + PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" + fi - # Find the PR number for this branch - PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[0].number') + # Find the PR number for this branch in the upstream repo + PR_NUMBER=$(gh pr list --repo "$TARGET_REPO" --head "$PR_HEAD" --json number --jq '.[0].number') if [ -n "$PR_NUMBER" ]; then echo "Adding comment to PR #$PR_NUMBER..." diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml new file mode 100644 index 0000000000000..b72493eb92567 --- /dev/null +++ b/.github/workflows/release-80_publish-crates.yml 
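Review bot: In the cross-fork case `PR_HEAD` becomes `owner:branch`, and the `gh pr list` help for `--head` states that the owner:branch form is not supported, so the lookup would return nothing and the spec_version comment would be skipped without an error. Filter on the branch name and select the owner in the jq expression instead: `gh pr list --repo "$TARGET_REPO" --head "$BRANCH_NAME" --json number,headRepositoryOwner --jq ...`, matching `headRepositoryOwner.login` against `$GH_REPOSITORY_OWNER`. Consider failing the step when `PR_NUMBER` is empty rather than only skipping the comment; the `else` branch is outside the hunk.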
@@ -0,0 +1,274 @@ +name: Release - Publish Crates + +on: + workflow_dispatch: + inputs: + release_name: + description: 'Release name (e.g., stable2509-3). Base branch is derived by removing the last -N suffix.' + required: true + type: string + registry: + description: 'Registry to publish crates to' + required: true + type: choice + options: + - staging.crates.io + - crates.io + default: staging.crates.io + is_patch: + description: 'Is this a patch release? (Set to false for new stable releases)' + required: true + type: boolean + default: true + dry_run: + description: 'Dry run - do not actually publish crates' + required: true + type: boolean + default: true + +permissions: + contents: write + +jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + secrets: + fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} + + set-image: + needs: [ check-synchronization ] + if: needs.check-synchronization.outputs.checks_passed == 'true' + runs-on: ubuntu-latest + outputs: + IMAGE: ${{ steps.set_image.outputs.IMAGE }} + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - id: set_image + run: cat .github/env >> $GITHUB_OUTPUT + + publish-crates: + needs: set-image + runs-on: ubuntu-latest + environment: release + env: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + container: + image: ${{ needs.set-image.outputs.IMAGE }} + + steps: + - name: Install pgpkms + run: | + # Install pgpkms that is used to sign commits + pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151 + + - name: Derive stable branch from release name + id: derive_branch + shell: bash + env: + 
RELEASE_NAME: ${{ inputs.release_name }} + run: | + echo "Release name: $RELEASE_NAME" + + # Extract stable branch by removing the last -N suffix + # e.g., stable2509-3 -> stable2509 + if [[ "$RELEASE_NAME" =~ ^(.+)-[0-9]+$ ]]; then + STABLE_BRANCH="${BASH_REMATCH[1]}" + else + # If no suffix, use the release name as-is (first release) + STABLE_BRANCH="$RELEASE_NAME" + fi + + echo "Stable branch: $STABLE_BRANCH" + echo "STABLE_BRANCH=$STABLE_BRANCH" >> $GITHUB_OUTPUT + + echo "CRATES_RELEASE_BRANCH=post-crates-release-$RELEASE_NAME" >> $GITHUB_OUTPUT + + - name: Checkout stable branch + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ steps.derive_branch.outputs.STABLE_BRANCH }} + fetch-depth: 0 + + - name: Import GPG keys + shell: bash + run: | + . ./.github/scripts/common/lib.sh + import_gpg_keys + + - name: Configure git + shell: bash + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" + git config --global commit.gpgsign true + PGPKMS_PATH=$(which pgpkms-git) + echo "Using pgpkms-git at: $PGPKMS_PATH" + git config --global gpg.program "$PGPKMS_PATH" + git config --global user.name "ParityReleases" + git config --global user.email "release-team@parity.io" + git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51" + + - name: Create or switch to release branch + shell: bash + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} + run: | + + if git rev-parse --verify -q "$CRATES_RELEASE_BRANCH" &>/dev/null; then + echo "Branch $CRATES_RELEASE_BRANCH already exists, switching to it" + git checkout "$CRATES_RELEASE_BRANCH" + else + echo "Creating branch: $CRATES_RELEASE_BRANCH" + git checkout -b "$CRATES_RELEASE_BRANCH" + fi + echo "On branch $CRATES_RELEASE_BRANCH" + + - name: Install Rust 1.93 + shell: bash + run: | + rustup install 1.93 + rustup default 1.93 + echo "Rust version:" + rustc --version + cargo --version + + - name: Rust Cache + 
uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 + with: + cache-on-failure: true + + - name: Install parity-publish + run: | + apt-get update && apt-get install -y --no-install-recommends libcurl4-openssl-dev pkg-config + cargo install parity-publish@0.10.10 --locked -q + + - name: Run parity-publish plan + run: | + echo "Running parity-publish plan..." + parity-publish plan --prdoc prdoc + + - name: Save Plan.toml diff + if: inputs.is_patch + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + mkdir -p release-artifacts + + echo "Saving Plan.toml diff..." + git diff Plan.toml > "release-artifacts/changed_crates_${RELEASE_NAME}.txt" + + echo "Plan.toml changes:" + cat "release-artifacts/changed_crates_${RELEASE_NAME}.txt" + + - name: Parse crate names for release notes + if: inputs.is_patch + shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + + echo "Parsing crate names..." + python3 scripts/release/parse-crates-names.py \ + "release-artifacts/changed_crates_${RELEASE_NAME}.txt" \ + scripts/release/templates/crates_list.md.tera + + echo "Crates list:" + cat scripts/release/templates/crates_list.md.tera + + - name: Commit Plan.toml and crates list + shell: bash + env: + IS_PATCH: ${{ inputs.is_patch }} + RELEASE_NAME: ${{ inputs.release_name }} + run: | + . ./.github/scripts/release/release_lib.sh + + git add Plan.toml + if [ "$IS_PATCH" = true ]; then + git add scripts/release/templates/crates_list.md.tera + fi + + if [[ -n $(git status --porcelain) ]]; then + commit_with_message "chore: update Plan.toml and crates list for $RELEASE_NAME" + echo "Committed Plan.toml and crates list" + else + echo "No changes to commit" + fi + + - name: Run parity-publish apply + run: | + echo "Running parity-publish apply..." + parity-publish apply + + - name: Update Cargo.lock + run: | + echo "Updating Cargo.lock..." 
+ cargo update --workspace --offline || cargo update --workspace + echo "Cargo.lock updated" + + - name: Commit version bumps + shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + . ./.github/scripts/release/release_lib.sh + + git add -A + + if [[ -n $(git status --porcelain) ]]; then + commit_with_message "chore: apply version bumps for $RELEASE_NAME" + echo "Committed version bumps" + else + echo "No changes to commit" + fi + + - name: Push release branch + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} + run: | + echo "Pushing branch $CRATES_RELEASE_BRANCH..." + git push origin "$CRATES_RELEASE_BRANCH" + echo "Successfully pushed $CRATES_RELEASE_BRANCH" + + - name: Configure cargo registry + shell: bash + env: + REGISTRY: ${{ inputs.registry }} + run: | + echo "Configuring cargo for $REGISTRY..." + mkdir -p ~/.cargo + + if [ "$REGISTRY" = "staging.crates.io" ]; then + cat >> ~/.cargo/config.toml << 'EOF' + [registries.crates-io] + index = "sparse+https://index.staging.crates.io/" + EOF + else + echo "Using default crates.io registry" + fi + + echo "Cargo config:" + cat ~/.cargo/config.toml || echo "(using defaults)" + + - name: Publish crates + shell: bash + env: + PARITY_PUBLISH_CRATESIO_TOKEN: ${{ inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN }} + DRY_RUN: ${{ inputs.dry_run }} + REGISTRY: ${{ inputs.registry }} + run: | + + if [ "$DRY_RUN" = true ]; then + echo "DRY RUN - Not actually publishing crates" + echo "Target registry: $REGISTRY" + parity-publish apply -p -d + else + echo "Publishing crates to $REGISTRY..." + parity-publish apply -p + echo "Crates published successfully to $REGISTRY!" + fi diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml index d0b274e302191..2beebbc87f459 100644 --- a/.github/workflows/release-99_notif-published.yml 
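Review bot: `check-synchronization` calls `paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main` and hands it `secrets.UPSTREAM_CONTENT_SYNC_APP_KEY`, while every other `uses:` in this new file is pinned to a commit SHA; a moving branch ref means a later change in that repository runs with the secret and gates a crates.io publish. Pin it the same way: `uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@FULL_COMMIT_SHA_PLACEHOLDER # main`. The PGP and AWS secrets are set at job level in `publish-crates`, so they are also in the environment of `cargo install parity-publish`, the rust-cache action and `parity-publish plan`; moving them to the `env:` of the steps that sign or commit narrows that exposure. `release_name` is used to derive the checkout ref and the pushed branch name without a format check, unlike the `validate_stable_tag` calls in the other release workflows.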
+++ b/.github/workflows/release-99_notif-published.yml @@ -14,25 +14,30 @@ jobs: id: fetch_latest_release_tag env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPOSITORY: ${{ github.repository }} run: | TAG_NAME=$(curl -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - -sL "https://api.github.com/repos/${{ github.repository }}/releases/latest" \ + -sL "https://api.github.com/repos/${GH_REPOSITORY}/releases/latest" \ | jq -r '.tag_name') echo "Latest release tag: $TAG_NAME" echo "latest_tag_name=$TAG_NAME" >> $GITHUB_OUTPUT - name: Fetch current release tag name id: fetch_curent_release_tag + env: + CURRENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - CURRENT_RELEASE_TAG_NAME=${{github.event.release.tag_name}} echo "Current release tag: $CURRENT_RELEASE_TAG_NAME" echo "current_tag_name=$CURRENT_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Check if release is latest id: check_is_latest + env: + LATEST_TAG: ${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }} + CURRENT_TAG: ${{ steps.fetch_curent_release_tag.outputs.current_tag_name }} run: | - if [[ "${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }}" == "${{ steps.fetch_curent_release_tag.outputs.current_tag_name }}" ]]; then + if [[ "$LATEST_TAG" == "$CURRENT_TAG" ]]; then echo "Release is latest" echo "is_latest=true" >> $GITHUB_OUTPUT else diff --git a/.github/workflows/release-build-binary.yml b/.github/workflows/release-build-binary.yml index a5adab421a8a4..8ee31606aa8ec 100644 --- a/.github/workflows/release-build-binary.yml +++ b/.github/workflows/release-build-binary.yml 
@@ -44,8 +44,10 @@ jobs: - name: Set runner id: set_runner shell: bash + env: + INPUT_BINARY: ${{ inputs.binary }} run: | - if [[ "${{ inputs.binary }}" == "polkadot-parachain" ]]; then + if [[ "$INPUT_BINARY" == "polkadot-parachain" ]]; then echo "RUNNER=parity-large" >> $GITHUB_OUTPUT else echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT @@ -61,16 +63,22 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build binary + env: + INPUT_BINARY: ${{ inputs.binary }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_PROFILE: ${{ inputs.profile }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - PROFILE=${{ inputs.profile }} - if [ "${{ inputs.binary }}" = "polkadot" ]; then + PROFILE="$INPUT_PROFILE" + if [ "$INPUT_BINARY" = "polkadot" ]; then for binary in polkadot polkadot-prepare-worker polkadot-execute-worker; do - echo "Building $binary..." - ./.github/scripts/release/build-linux-release.sh $binary ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} + echo "Building $binary with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES" done else - ./.github/scripts/release/build-linux-release.sh ${{ inputs.binary }} ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} + echo "Building $INPUT_BINARY with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$INPUT_BINARY" "$INPUT_PACKAGE" "$INPUT_FEATURES" fi - name: Upload ${{ inputs.binary }} artifacts diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml index 03ff1e1b28965..5ceb36b0ae0d2 100644 --- a/.github/workflows/release-reusable-publish-packages.yml +++ b/.github/workflows/release-reusable-publish-packages.yml 
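Review bot: The "Build binary" step drops the profile argument: the removed calls passed `"${PROFILE}"` as the third argument to `build-linux-release.sh`, and the new calls pass only `"$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES"`, so `PROFILE` is assigned and echoed but never reaches the script and the features value moves into the slot the profile used to occupy. If the script on this branch still takes four arguments, restore it: `./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$PROFILE" "$INPUT_FEATURES"`; if it takes three, remove `PROFILE` so the log line does not report a profile that is not applied. Quoting `"$INPUT_FEATURES"` also passes an empty argument when no features are given, where the old unquoted form passed none; the same holds for the `build-linux-release.sh` and `build-macos-release.sh` calls in release-reusable-rc-build.yml.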
@@ -47,10 +47,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_TAG: ${{ inputs.tag }} run: | # Source common library for helper functions . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts-from-s3: @@ -71,15 +73,17 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version id: fetch_artifacts_from_s3 + env: + PACKAGE_TYPE: ${{ inputs.package_type }} run: | . ./.github/scripts/common/lib.sh NODE_VERSION="$(get_polkadot_node_version_from_code)" echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT # Fetch specific package type artifact (deb or rpm) - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then fetch_debian_package_from_s3 polkadot - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then fetch_rpm_package_from_s3 polkadot fi @@ -134,14 +138,15 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | # --- Sync Local Repo from S3 --- mkdir -p "$LOCAL_REPO_PATH" - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true fi 
@@ -151,16 +156,18 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + PACKAGE_TYPE: ${{ inputs.package_type }} + DISTRIBUTION: ${{ inputs.distribution }} run: | . ./.github/scripts/common/lib.sh import_gpg_keys # --- Add Package to Repo and Sign --- - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1) - reprepro -b "$LOCAL_REPO_PATH" includedeb "${{ inputs.distribution }}" "$debname" + reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname" - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then rpmname=$(find release-artifacts/ -name 'polkadot-*.rpm' | head -n 1) echo "Signing package with pgpkms (via AWS KMS)..." @@ -184,10 +191,13 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + DISTRIBUTION: ${{ inputs.distribution }} + CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | - if [[ "${{ inputs.distribution }}" == "release" ]]; then + if [[ "$DISTRIBUTION" == "release" ]]; then aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read else aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" fi - aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/${{ inputs.package_type }}/*' + aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*" diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml index 7b128fed99960..5ba4b5f1b336d 100644 --- a/.github/workflows/release-reusable-rc-build.yml +++ b/.github/workflows/release-reusable-rc-build.yml 
@@ -104,9 +104,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-linux-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 @@ -115,25 +119,31 @@ jobs: - name: Sign artifacts working-directory: /artifacts/${{ matrix.binaries }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
@@ -218,37 +228,47 @@ jobs: import_gpg_keys - - name: Build binary - run: | - git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-macos-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error + ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 with: subject-path: ${{ env.ARTIFACTS_PATH }}/${{ matrix.binaries }} - - name: Sign artifacts - working-directory: ${{ env.ARTIFACTS_PATH }} - run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc - - - name: Check sha256 ${{ matrix.binaries }} - working-directory: ${{ env.ARTIFACTS_PATH }} - shell: bash - run: | - . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} - - - name: Check GPG ${{ matrix.binaries }} - working-directory: ${{ env.ARTIFACTS_PATH }} - shell: bash - run: | - . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - - check_gpg ${{ matrix.binaries }} + - name: Sign artifacts + working-directory: ${{ env.ARTIFACTS_PATH }} + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" + + - name: Check sha256 ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . 
"${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" + + - name: Check GPG ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 @@ -291,10 +311,21 @@ jobs: - name: Build polkadot deb package shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + VERSION=$(get_polkadot_node_version_from_code) + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "$INPUT_PACKAGE" "${VERSION}" + + - name: Build polkadot rpm package + shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION} + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "$INPUT_PACKAGE" "${VERSION}" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 diff --git a/.github/workflows/release-reusable-s3-upload.yml b/.github/workflows/release-reusable-s3-upload.yml index 37d0dd489bcba..c9d24aa29c2f9 100644 --- a/.github/workflows/release-reusable-s3-upload.yml +++ b/.github/workflows/release-reusable-s3-upload.yml 
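Review bot: The added `Build polkadot rpm package` step sources `.github/scripts/release/build-rpm.sh`, but the diffstat of this patch lists only workflow files, so it is worth confirming that the script exists on this branch before the backport lands. The step also sits directly before `Generate artifact attestation`, whose `subject-path` is outside the hunk; if that path covers only the deb output, the rpm would be built and shipped without provenance. A comment on the new step such as `# requires build-rpm.sh on this branch; rpm output must be included in the attestation below` would make both dependencies visible.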
@@ -53,6 +53,10 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload ${{ inputs.package }} artifacts to s3 + env: + PACKAGE: ${{ inputs.package }} + RELEASE_TAG: ${{ inputs.release_tag }} + TARGET: ${{ inputs.target }} run: | . ./.github/scripts/release/release_lib.sh - upload_s3_release ${{ inputs.package }} ${{ inputs.release_tag }} ${{ inputs.target }} + upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET" diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index 9a0ed84e39871..18593e303caa1 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml @@ -48,7 +48,7 @@ jobs: run: | . ./.github/scripts/common/lib.sh - echo "Github workspace: ${{ github.workspace }}" + echo "Github workspace: ${GITHUB_WORKSPACE}" echo "Current folder: $(pwd)"; ls -al ls -al @@ -81,11 +81,16 @@ jobs: tag: "1.84.1" - name: Summary + env: + SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }} + CHAIN: ${{ matrix.chain }} + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} run: | - echo '${{ steps.srtool_build.outputs.json }}' | jq > ${{ matrix.chain }}-srtool-digest.json - cat ${{ matrix.chain }}-srtool-digest.json - echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" - echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" + echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json" + cat "${CHAIN}-srtool-digest.json" + echo "Compact Runtime: $WASM_PATH" + echo "Compressed Runtime: $WASM_COMPRESSED_PATH" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 
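Review bot: In the `Summary` step, `echo "$SRTOOL_JSON" | jq` passes tool output through `echo`, which may treat a leading `-` or backslash sequences specially depending on the shell, and this step sets no `shell:`. `printf '%s\n' "$SRTOOL_JSON" | jq . > "${CHAIN}-srtool-digest.json"` writes the JSON unchanged regardless of shell. `CHAIN` also becomes part of a file name here and in the later subwasm steps, so a matrix value containing a path separator would change where the file is written; the matrix definition is outside the hunk.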
@@ -101,25 +106,35 @@ jobs: - name: Show Runtime information shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} + CHAIN: ${{ matrix.chain }} run: | - subwasm info ${{ steps.srtool_build.outputs.wasm }} - subwasm info ${{ steps.srtool_build.outputs.wasm_compressed }} - subwasm --json info ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-info.json - subwasm --json info ${{ steps.srtool_build.outputs.wasm_compressed }} > ${{ matrix.chain }}-compressed-info.json + subwasm info "$WASM_PATH" + subwasm info "$WASM_COMPRESSED_PATH" + subwasm --json info "$WASM_PATH" > "${CHAIN}-info.json" + subwasm --json info "$WASM_COMPRESSED_PATH" > "${CHAIN}-compressed-info.json" - name: Extract the metadata shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} run: | - subwasm meta ${{ steps.srtool_build.outputs.wasm }} - subwasm --json meta ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-metadata.json + subwasm meta "$WASM_PATH" + subwasm --json meta "$WASM_PATH" > "${CHAIN}-metadata.json" - name: Check the metadata diff shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} # the following subwasm call will error for chains that are not known and/or live, that includes shell for instance run: | - subwasm diff ${{ steps.srtool_build.outputs.wasm }} --chain-b ${{ matrix.chain }} || \ - echo "Subwasm call failed, check the logs. This is likely because ${{ matrix.chain }} is not known by subwasm" | \ - tee ${{ matrix.chain }}-diff.txt + subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || \ + echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm" | \ + tee "${CHAIN}-diff.txt" - name: Archive Subwasm results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
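Review bot: In `Check the metadata diff` the pipe binds tighter than `||`, so `tee "${CHAIN}-diff.txt"` only ever receives the fallback message; when `subwasm diff` succeeds, its output is never written to the file. Grouping the two commands fixes this: `{ subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm"; } | tee "${CHAIN}-diff.txt"`. The behaviour predates this change, which only requoted the line, but the archived diff artifact is what a release reviewer would rely on.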
From 5a399d7a4be766748638a58b0b9f24c0bcf72295 Mon Sep 17 00:00:00 2001 From: Francisco Aguirre Date: Thu, 19 Feb 2026 18:22:35 -0300 Subject: [PATCH 4/5] fix(xcm-executor): transactional macro --- polkadot/xcm/xcm-executor/src/lib.rs | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/polkadot/xcm/xcm-executor/src/lib.rs b/polkadot/xcm/xcm-executor/src/lib.rs index 38d02809e5584..b890bc3d597ac 100644 --- a/polkadot/xcm/xcm-executor/src/lib.rs +++ b/polkadot/xcm/xcm-executor/src/lib.rs @@ -903,6 +903,18 @@ impl XcmExecutor { // Macro to deduplicate the transactional holding-backup pattern. macro_rules! process_holding_transaction { + // Use this variant for instructions that don't touch storage. + // Since storage is unaffected, the holding register must always be + // rolled back on error regardless of the `TransactionalProcessor` + // config item. + (always, $self:ident, $body:expr) => {{ + let old_holding = $self.holding.clone(); + let result = Config::TransactionalProcessor::process(|| $body); + if result.is_err() { + $self.holding = old_holding; + } + result + }}; ($self:ident, $body:expr) => { process_holding_transaction!($self, $body, {}) }; @@ -1371,7 +1383,7 @@ impl XcmExecutor { target: "xcm::executor::BuyExecution", asset_used_in_buy_execution = ?self.asset_used_in_buy_execution ); - process_holding_transaction!(self, { + process_holding_transaction!(always, self, { // pay for `weight` using up to `fees` of the holding register. let max_fee = self.holding.try_take(fees.clone().into()).map_err(|e| { @@ -1643,7 +1655,10 @@ impl XcmExecutor { &want, maximal, ) - .map_err(|_| XcmError::NoDeal)?; + .map_err(|unspent| { + self.holding.subsume_assets(unspent); + XcmError::NoDeal + })?; self.holding.subsume_assets(received); Ok(()) }) From 14f7cc864b59c3506ff552a01da665db4c57c886 Mon Sep 17 00:00:00 2001 
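Review bot: The new `(always, $self:ident, $body:expr)` arm works only because it is listed before the other arms: macro arms are tried in order, and `always` is itself a valid `$self:ident`, so behind a three-argument arm the invocation could bind `always` as `$self`. That ordering deserves a line in the arm's comment, for example `// Keep this arm first; the literal "always" would otherwise match $self in the arms below.` The three-argument arm is outside the hunk, so its fragment types are inferred from the `process_holding_transaction!($self, $body, {})` call.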
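Review bot: `BuyExecution` now uses the `always` arm, whose comment restricts it to instructions that do not touch storage, yet the body that pays for weight continues outside the hunk and nothing visible shows that it is storage-free. If a configured trader writes storage there and `TransactionalProcessor` is not transactional, a failure would restore the holding register while the storage write stays, leaving the two out of step. A comment at the call site would record the assumption: `// Uses the always arm: buying weight is assumed not to write storage; revisit if a Trader does.`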
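Review bot: Both behaviour changes in this patch — the unconditional holding rollback and returning `unspent` to holding when `exchange_asset` fails — land without a test; the diffstat lists only `polkadot/xcm/xcm-executor/src/lib.rs`. A regression test that runs a failing `ExchangeAsset` and a failing `BuyExecution` with a non-transactional processor and asserts that the holding register is unchanged afterwards would pin both. In this hunk a comment such as `// on failure the exchanger hands back the assets taken from holding` would also help, since `unspent` is presumably the original `give` and the closure otherwise reads as if it credited new funds. The enclosing instruction arm starts outside the hunk.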
From: EgorPopelyaev Date: Fri, 20 Feb 2026 10:16:43 +0100 Subject: [PATCH 5/5] Fix flows --- .../workflows/release-21_build-runtimes.yml | 2 - ...mbined-rc-runtime-builds-release-draft.yml | 4 +- .../workflows/release-reusable-rc-build.yml | 70 +++++++++---------- 3 files changed, 36 insertions(+), 40 deletions(-) diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index 53edf9a6ce113..8967a09e8377a 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -85,8 +85,6 @@ jobs: excluded_runtimes: "rococo asset-hub-rococo bridge-hub-rococo rococo substrate-test bp cumulus-test kitchensink minimal-template parachain-template penpal polkadot-test seedling shell frame-try sp solochain-template polkadot-sdk-docs-first pallet-staking-async-parachain pallet-staking-async-rc frame-storage-access-test yet-another-parachain revive-dev" build_opts: "--features on-chain-release-build" profile: production - chain: ${{ inputs.chain }} - runtime_dir: ${{ inputs.runtime_dir }} permissions: id-token: write attestations: write diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index acdc9422ac4b0..bd35226028a0c 100644 --- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml @@ -71,12 +71,10 @@ jobs: - name: Validate inputs id: validate_inputs - env: - INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes-flow: 
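Review bot: `${{ inputs.release_tag }}` is back inside the `run:` script of `Validate inputs` in release-22_combined-rc-runtime-builds-release-draft.yml, unquoted, as the argument of `validate_stable_tag`. The value is therefore expanded into the shell source before the validator runs, so the validation cannot protect the step from a malformed tag, and this undoes what patch 1/5 did for this step. If the `env:` form broke the flow, the fix should keep it and repair the cause: `env:` with `INPUT_RELEASE_TAG: ${{ inputs.release_tag }}` on the step and `RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG")` in the script.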
diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml index 5ba4b5f1b336d..9d36177623542 100644 --- a/.github/workflows/release-reusable-rc-build.yml +++ b/.github/workflows/release-reusable-rc-build.yml 
@@ -228,47 +228,47 @@ jobs: import_gpg_keys - - name: Build binary - env: - BINARY_NAME: ${{ matrix.binaries }} - INPUT_PACKAGE: ${{ inputs.package }} - INPUT_FEATURES: ${{ inputs.features }} - run: | - git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" + - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error + ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 with: subject-path: ${{ env.ARTIFACTS_PATH }}/${{ matrix.binaries }} - - name: Sign artifacts - working-directory: ${{ env.ARTIFACTS_PATH }} - env: - BINARY_NAME: ${{ matrix.binaries }} - run: | - python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - - - name: Check sha256 ${{ matrix.binaries }} - working-directory: ${{ env.ARTIFACTS_PATH }} - shell: bash - env: - BINARY_NAME: ${{ matrix.binaries }} - run: | - . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - - echo "Checking binary $BINARY_NAME" - check_sha256 "$BINARY_NAME" - - - name: Check GPG ${{ matrix.binaries }} - working-directory: ${{ env.ARTIFACTS_PATH }} - shell: bash - env: - BINARY_NAME: ${{ matrix.binaries }} - run: | - . 
"${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - - check_gpg "$BINARY_NAME" + - name: Sign artifacts + working-directory: ${{ env.ARTIFACTS_PATH }} + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" + + - name: Check sha256 ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" + + - name: Check GPG ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1