diff --git a/.github/workflows/release-10_branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml index dfe0a998056f3..eb14e29775c3a 100644 --- a/.github/workflows/release-10_branchoff-stable.yml +++ b/.github/workflows/release-10_branchoff-stable.yml @@ -37,15 +37,18 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_NODE_VERSION: ${{ inputs.node_version }} + INPUT_STABLE_VERSION: ${{ inputs.stable_version }} run: | . ./.github/scripts/common/lib.sh - if [ -n "${{ inputs.node_version }}" ]; then - node_version=$(filter_version_from_input "${{ inputs.node_version }}") + if [ -n "$INPUT_NODE_VERSION" ]; then + node_version=$(filter_version_from_input "$INPUT_NODE_VERSION") echo "node_version=${node_version}" >> $GITHUB_OUTPUT fi - stable_version=$(validate_stable_tag ${{ inputs.stable_version }}) + stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION") echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT create-stable-branch: @@ -103,10 +106,10 @@ jobs: - name: Bump versions, reorder prdocs and push stable branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }} run: | . ./.github/scripts/release/release_lib.sh - NODE_VERSION="${{ needs.validate-inputs.outputs.node_version }}" NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\"" set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs" commit_with_message "Bump node version to $NODE_VERSION in polkadot-cli" 
@@ -127,12 +130,14 @@ jobs: if: ${{ inputs.tag_rc }} env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} # or use a PAT with workflow scope + STABLE_VERSION: ${{ needs.validate-inputs.outputs.stable_version }} + GH_REPOSITORY: ${{ github.repository }} run: | - stable_tag_base=polkadot-${{ needs.validate-inputs.outputs.stable_version }} + stable_tag_base="polkadot-${STABLE_VERSION}" gh workflow run release-11_rc-automation.yml \ - --repo ${{ github.repository }} \ - --ref ${{ needs.validate-inputs.outputs.stable_version }} \ - --field version=${stable_tag_base} + --repo "$GH_REPOSITORY" \ + --ref "$STABLE_VERSION" \ + --field version="${stable_tag_base}" tag-rc-without-branchoff: if: ${{ !inputs.is_new_stable && inputs.tag_rc }} diff --git a/.github/workflows/release-11_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml index c7da57f08e17f..da05f9627ecf0 100644 --- a/.github/workflows/release-11_rc-automation.yml +++ b/.github/workflows/release-11_rc-automation.yml @@ -64,14 +64,16 @@ jobs: # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }} id: compute_tag shell: bash + env: + INPUT_VERSION: ${{ inputs.version }} run: | . ./.github/scripts/common/lib.sh # Get last rc tag if exists, else set it to {version}-rc1 - if [[ -z "${{ inputs.version }}" ]]; then + if [[ -z "$INPUT_VERSION" ]]; then version=v$(get_polkadot_node_version_from_code) else - version=$(validate_stable_tag ${{ inputs.version }}) + version=$(validate_stable_tag "$INPUT_VERSION") fi echo "$version" echo "version=$version" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index 88a514c5de8ac..e6a0eb16b0506 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml 
@@ -38,10 +38,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-polkadot-binary: diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml index d49a2f6349350..8967a09e8377a 100644 --- a/.github/workflows/release-21_build-runtimes.yml +++ b/.github/workflows/release-21_build-runtimes.yml @@ -70,10 +70,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: @@ -83,8 +85,6 @@ jobs: excluded_runtimes: "rococo asset-hub-rococo bridge-hub-rococo rococo substrate-test bp cumulus-test kitchensink minimal-template parachain-template penpal polkadot-test seedling shell frame-try sp solochain-template polkadot-sdk-docs-first pallet-staking-async-parachain pallet-staking-async-rc frame-storage-access-test yet-another-parachain revive-dev" build_opts: "--features on-chain-release-build" profile: production - chain: ${{ inputs.chain }} - runtime_dir: ${{ inputs.runtime_dir }} permissions: id-token: write attestations: write diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml index 76c6d7b9fd540..33bfa8a4365d0 100644 --- a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml 
@@ -71,10 +71,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes-flow: diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index 0ec665dcec80b..953bf2757ba42 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml @@ -74,10 +74,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT @@ -106,10 +108,11 @@ jobs: if: ${{ inputs.no_runtimes == false && inputs.crates_only == false }} env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} run: | - mkdir -p ${{ github.workspace}}/runtimes/ - gh run download ${{ inputs.build_run_id }} --dir ${{ github.workspace}}/runtimes - ls -la ${{ github.workspace}}/runtimes + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" - name: Prepare tooling run: | @@ -131,6 +134,7 @@ jobs: RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} NO_RUNTIMES: ${{ inputs.no_runtimes }} CRATES_ONLY: ${{ inputs.crates_only }} + GH_REF_NAME: ${{ github.ref_name }} shell: bash run: | . ./.github/scripts/common/lib.sh 
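Review bot: In the `@@ -106,10 +108,11 @@` hunk, `inputs.build_run_id` goes straight to `gh run download`, and nothing visible checks that the run belongs to the expected build workflow, finished successfully, or was built from the release tag. Moving the value into `BUILD_RUN_ID` closes the expression-injection path, but any run ID in the repository is still accepted as the source of the files that later steps upload to the release. Consider a guard before the download, for example comparing the output of `gh run view "$BUILD_RUN_ID" --json workflowName,conclusion,headBranch` with the expected values, or verifying the artifacts' attestations before upload. The same applies to the "Download runtimes" step in the `@@ -203,28 +207,32 @@` hunk.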
@@ -139,7 +143,7 @@ jobs: export REF1=$(get_latest_release_tag) if [[ -z "$RELEASE_TAG" ]]; then - export REF2="${{ github.ref_name }}" + export REF2="${GH_REF_NAME}" echo "REF2: ${REF2}" else export REF2="$RELEASE_TAG" @@ -203,28 +207,32 @@ jobs: - name: Download runtimes env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} run: | - mkdir -p ${{ github.workspace}}/runtimes/ - gh run download ${{ inputs.build_run_id }} --dir ${{ github.workspace}}/runtimes - ls -la ${{ github.workspace}}/runtimes + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" - name: Get runtime info env: + CHAIN: ${{ matrix.chain }} JSON: ${{ github.workspace}}/release-notes-context/runtimes/${{ matrix.chain }}-runtime/${{ matrix.chain }}-srtool-digest.json run: | - cd ${{ github.workspace}}/runtimes - >>$GITHUB_ENV echo ASSET=$(find ${{ matrix.chain }}-runtime -name '*.compact.compressed.wasm') + cd "${GITHUB_WORKSPACE}/runtimes" + >>$GITHUB_ENV echo ASSET=$(find "${CHAIN}-runtime" -name '*.compact.compressed.wasm') >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm working-directory: ${{ github.workspace}}/runtimes env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + CHAIN: ${{ matrix.chain }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} run: | - VERSIONED_ASSET="${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" + VERSIONED_ASSET="${CHAIN}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" mv "${{ env.ASSET }}" "$VERSIONED_ASSET" - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk "$VERSIONED_ASSET" publish-release-artifacts: 
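Review bot: The "Upload compressed … wasm" step in the second hunk still interpolates `${{ env.SPEC }}` and `${{ env.ASSET }}` into the script text, so the two values the previous step derives from the downloaded artifacts (the `find` output and the srtool digest JSON) are pasted into the shell source before it runs. Both were written to `$GITHUB_ENV`, so they are already available as shell variables and can be read the same way as `CHAIN`: `VERSIONED_ASSET="${CHAIN}_runtime-v${SPEC}.compact.compressed.wasm"` and `mv "$ASSET" "$VERSIONED_ASSET"`. In "Get runtime info", `$GITHUB_ENV` and `${JSON}` are also left unquoted.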
@@ -243,23 +251,28 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Fetch binaries from s3 based on version + env: + VERSION: ${{ needs.validate-inputs.outputs.release_tag }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.release_tag }}" - fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} + fetch_release_artifacts_from_s3 "$BINARY" "$TARGET" - name: Rename aarch64-apple-darwin binaries if: ${{ matrix.target == 'aarch64-apple-darwin' }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + env: + BINARY: ${{ matrix.binary }} run: | . ../../../.github/scripts/common/lib.sh - mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin - mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc + mv "$BINARY" "${BINARY}-aarch64-apple-darwin" + mv "${BINARY}.asc" "${BINARY}-aarch64-apple-darwin.asc" - sha256sum "${{ matrix.binary }}-aarch64-apple-darwin" | tee "${{ matrix.binary }}-aarch64-apple-darwin.sha256" - check_sha256 "${{ matrix.binary }}-aarch64-apple-darwin" && echo "OK" || echo "ERR" + sha256sum "${BINARY}-aarch64-apple-darwin" | tee "${BINARY}-aarch64-apple-darwin.sha256" + check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR" - name: Generate content write token for the release automation id: generate_write_token 
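Review bot: In "Rename aarch64-apple-darwin binaries", `check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR"` always exits 0, so a failed checksum only prints ERR and the job carries on to the later steps. If the check is meant to gate the release, let the failure propagate: `check_sha256 "${BINARY}-aarch64-apple-darwin" || { echo "ERR"; exit 1; }`. The `.sha256` file is also generated from the renamed binary on the line above, so as far as the hunk shows the check compares the file with a digest of itself rather than with one fetched from S3. `check_sha256` lives in lib.sh, outside the diff, so confirm what it actually reads.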
@@ -273,20 +286,23 @@ jobs: - name: Upload ${{ matrix.binary }} binary to release draft env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} run: | - if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + if [[ "$TARGET" == "aarch64-apple-darwin" ]]; then + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }}-aarch64-apple-darwin \ - ${{ matrix.binary }}-aarch64-apple-darwin.asc \ - ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + "${BINARY}-aarch64-apple-darwin" \ + "${BINARY}-aarch64-apple-darwin.asc" \ + "${BINARY}-aarch64-apple-darwin.sha256" else - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }} \ - ${{ matrix.binary }}.asc \ - ${{ matrix.binary }}.sha256 + "$BINARY" \ + "${BINARY}.asc" \ + "${BINARY}.sha256" fi post_to_matrix: diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index 06279307a324d..241728034287f 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -40,10 +40,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT promote-polkadot-rc-to-final: 
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index d69a6f664c140..0f05aec3efc7a 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -83,13 +83,16 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_VERSION: ${{ inputs.version }} + INPUT_STABLE_TAG: ${{ inputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION=$(filter_version_from_input "${{ inputs.version }}") + VERSION=$(filter_version_from_input "$INPUT_VERSION") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) + STABLE_TAG=$(validate_stable_tag "$INPUT_STABLE_TAG") echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build @@ -103,11 +106,12 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version # if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} + env: + VERSION: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" - if [[ ${{ inputs.binary }} == 'polkadot' ]]; then + if [[ "$BINARY" == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu 
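Review bot: In "Fetch rc artifacts or release artifacts from s3 based on version", the condition now reads `"$BINARY"`, but the `env:` block added to this step defines only `VERSION`. Other steps in this file read `env.BINARY`, so it is probably set at workflow level, outside the hunk. Please confirm it is set for this job and carries the same value as `inputs.binary`, otherwise the polkadot branch is silently skipped. If it is not, add `BINARY: ${{ inputs.binary }}` to the step's `env:`. The context line `fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu` could also quote `"$bin"` for consistency with the rest of the commit.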
@@ -157,25 +161,31 @@ jobs: if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Fetch release tags working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot rc if: ${{ env.BINARY == 'polkadot' }} 
@@ -184,10 +194,26 @@ jobs: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + shell: bash run: | ls -al echo "Building container for $BINARY" - ./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER + echo "IMAGE_TYPE: $IMAGE_TYPE" + + if [[ "$IMAGE_TYPE" == "rc" ]]; then + echo "Building RC container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + ./docker/scripts/build-injected.sh + else + echo "Building release container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + export POLKADOT_DEB=true + export VERSION="$VALIDATED_VERSION" + ./docker/scripts/build-injected.sh + fi - name: Build Injected Container image for polkadot-omni-node/chain-spec-builder if: ${{ env.BINARY == 'polkadot-omni-node' || env.BINARY == 'chain-spec-builder' }} diff --git a/.github/workflows/release-60_post-crates-release-activities.yml b/.github/workflows/release-60_post-crates-release-activities.yml index 8f2f637abc27f..f36ba4b875092 100644 --- a/.github/workflows/release-60_post-crates-release-activities.yml +++ b/.github/workflows/release-60_post-crates-release-activities.yml @@ -168,10 +168,11 @@ jobs: - name: Move prdocs to release folder shell: bash + env: + VERSION: ${{ inputs.version }} run: | . ./.github/scripts/release/release_lib.sh - VERSION="${{ inputs.version }}" echo "Version: $VERSION" reorder_prdocs "$VERSION" 
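Review bot: The rewritten "Build Injected Container image for polkadot rc" step no longer passes `$ARTIFACTS_FOLDER` to the build script and calls `./docker/scripts/build-injected.sh` instead of `./docker/scripts/polkadot/build-injected.sh`. Neither script is in the diff, so confirm the new one picks the artifacts folder up from the environment. The two branches repeat the same `export BINARY=…` line and the same script call, so only `DOCKERFILE`, `POLKADOT_DEB` and `VERSION` need to sit inside the `if`. `IMAGE_TYPE` is read from the environment but is not in the step's `env:` as shown; it is presumably the workflow-level value that the `if: ${{ env.IMAGE_TYPE == 'rc' }}` conditions use. A one-line comment saying why the release image needs `POLKADOT_DEB=true` would help the next reader.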
@@ -281,11 +282,13 @@ jobs: - name: Create Pull Request to base release branch env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + FULL_RELEASE: ${{ inputs.version }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" - FULL_RELEASE="${{ inputs.version }}" echo "Current branch: $BRANCH_NAME" echo "Version: $FULL_RELEASE" @@ -296,8 +299,19 @@ jobs: BASE_RELEASE="$FULL_RELEASE" fi - BASE_RELEASE_UPPER=$(echo "$BASE_RELEASE" | tr '[:lower:]' '[:upper:]') - echo "Base release branch (upper): $BASE_RELEASE_UPPER" + TARGET_REPO="paritytech/polkadot-sdk" + + # Determine if running from a fork or the main repo + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then + # Same-repo PR: head is just the branch name + PR_HEAD="$BRANCH_NAME" + EXTRA_FLAGS="" + else + # Cross-fork PR: head needs the fork owner prefix + FORK_OWNER="$GH_REPOSITORY_OWNER" + PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" + EXTRA_FLAGS="--no-maintainer-edit" + fi # Check if PR already exists EXISTING_PR=$(gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE" --json number --jq '.[0].number') 
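Review bot: In the second hunk, `PR_HEAD` and `EXTRA_FLAGS` are computed in the new block, but the existing-PR check right after it still runs `gh pr list --head "$BRANCH_NAME" --base "$BASE_RELEASE"` with no `--repo`, so it may not query the same repository as the later comment step, which passes `--repo "$TARGET_REPO"`. If the PR is opened against `paritytech/polkadot-sdk`, the lookup should name it: `EXISTING_PR=$(gh pr list --repo "$TARGET_REPO" --head "$BRANCH_NAME" --base "$BASE_RELEASE" --json number --jq '.[0].number')`. The hunk also deletes `BASE_RELEASE_UPPER`; the rest of the script is outside the hunk, so check that nothing further down still reads it. The `GH_TOKEN` switch to `steps.generate_write_token.outputs.token` in the first hunk relies on a step with that id in this job, which the diff does not show.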
@@ -322,13 +336,24 @@ jobs: - name: Add comment about spec_version env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BRANCH_NAME: ${{ github.ref_name }} + GH_REPOSITORY: ${{ github.repository }} + GH_REPOSITORY_OWNER: ${{ github.repository_owner }} shell: bash run: | - BRANCH_NAME="${{ github.ref_name }}" + TARGET_REPO="paritytech/polkadot-sdk" + + # Match the head format used when creating the PR + if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then + PR_HEAD="$BRANCH_NAME" + else + FORK_OWNER="$GH_REPOSITORY_OWNER" + PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}" + fi - # Find the PR number for this branch - PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[0].number') + # Find the PR number for this branch in the upstream repo + PR_NUMBER=$(gh pr list --repo "$TARGET_REPO" --head "$PR_HEAD" --json number --jq '.[0].number') if [ -n "$PR_NUMBER" ]; then echo "Adding comment to PR #$PR_NUMBER..." diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml new file mode 100644 index 0000000000000..b72493eb92567 --- /dev/null +++ b/.github/workflows/release-80_publish-crates.yml 
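Review bot: In "Add comment about spec_version", the cross-fork branch sets `PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}"` and passes it to `gh pr list --head`, but the gh manual describes that flag as not supporting the `<owner>:<branch>` form. When the workflow runs from a fork the lookup would then return nothing and the comment would be skipped without an error. Filtering on the plain branch name and checking the head owner in the jq expression avoids that, e.g. `--head "$BRANCH_NAME" --json number,headRepositoryOwner` with a matching `--jq` filter. Worth verifying against the gh version installed on the runner.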
@@ -0,0 +1,274 @@ +name: Release - Publish Crates + +on: + workflow_dispatch: + inputs: + release_name: + description: 'Release name (e.g., stable2509-3). Base branch is derived by removing the last -N suffix.' + required: true + type: string + registry: + description: 'Registry to publish crates to' + required: true + type: choice + options: + - staging.crates.io + - crates.io + default: staging.crates.io + is_patch: + description: 'Is this a patch release? (Set to false for new stable releases)' + required: true + type: boolean + default: true + dry_run: + description: 'Dry run - do not actually publish crates' + required: true + type: boolean + default: true + +permissions: + contents: write + +jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + secrets: + fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} + + set-image: + needs: [ check-synchronization ] + if: needs.check-synchronization.outputs.checks_passed == 'true' + runs-on: ubuntu-latest + outputs: + IMAGE: ${{ steps.set_image.outputs.IMAGE }} + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - id: set_image + run: cat .github/env >> $GITHUB_OUTPUT + + publish-crates: + needs: set-image + runs-on: ubuntu-latest + environment: release + env: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + container: + image: ${{ needs.set-image.outputs.IMAGE }} + + steps: + - name: Install pgpkms + run: | + # Install pgpkms that is used to sign commits + pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151 + + - name: Derive stable branch from release name + id: derive_branch + shell: bash + env: + 
RELEASE_NAME: ${{ inputs.release_name }} + run: | + echo "Release name: $RELEASE_NAME" + + # Extract stable branch by removing the last -N suffix + # e.g., stable2509-3 -> stable2509 + if [[ "$RELEASE_NAME" =~ ^(.+)-[0-9]+$ ]]; then + STABLE_BRANCH="${BASH_REMATCH[1]}" + else + # If no suffix, use the release name as-is (first release) + STABLE_BRANCH="$RELEASE_NAME" + fi + + echo "Stable branch: $STABLE_BRANCH" + echo "STABLE_BRANCH=$STABLE_BRANCH" >> $GITHUB_OUTPUT + + echo "CRATES_RELEASE_BRANCH=post-crates-release-$RELEASE_NAME" >> $GITHUB_OUTPUT + + - name: Checkout stable branch + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ steps.derive_branch.outputs.STABLE_BRANCH }} + fetch-depth: 0 + + - name: Import GPG keys + shell: bash + run: | + . ./.github/scripts/common/lib.sh + import_gpg_keys + + - name: Configure git + shell: bash + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" + git config --global commit.gpgsign true + PGPKMS_PATH=$(which pgpkms-git) + echo "Using pgpkms-git at: $PGPKMS_PATH" + git config --global gpg.program "$PGPKMS_PATH" + git config --global user.name "ParityReleases" + git config --global user.email "release-team@parity.io" + git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51" + + - name: Create or switch to release branch + shell: bash + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} + run: | + + if git rev-parse --verify -q "$CRATES_RELEASE_BRANCH" &>/dev/null; then + echo "Branch $CRATES_RELEASE_BRANCH already exists, switching to it" + git checkout "$CRATES_RELEASE_BRANCH" + else + echo "Creating branch: $CRATES_RELEASE_BRANCH" + git checkout -b "$CRATES_RELEASE_BRANCH" + fi + echo "On branch $CRATES_RELEASE_BRANCH" + + - name: Install Rust 1.93 + shell: bash + run: | + rustup install 1.93 + rustup default 1.93 + echo "Rust version:" + rustc --version + cargo --version + + - name: Rust Cache + 
uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2 + with: + cache-on-failure: true + + - name: Install parity-publish + run: | + apt-get update && apt-get install -y --no-install-recommends libcurl4-openssl-dev pkg-config + cargo install parity-publish@0.10.10 --locked -q + + - name: Run parity-publish plan + run: | + echo "Running parity-publish plan..." + parity-publish plan --prdoc prdoc + + - name: Save Plan.toml diff + if: inputs.is_patch + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + mkdir -p release-artifacts + + echo "Saving Plan.toml diff..." + git diff Plan.toml > "release-artifacts/changed_crates_${RELEASE_NAME}.txt" + + echo "Plan.toml changes:" + cat "release-artifacts/changed_crates_${RELEASE_NAME}.txt" + + - name: Parse crate names for release notes + if: inputs.is_patch + shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + + echo "Parsing crate names..." + python3 scripts/release/parse-crates-names.py \ + "release-artifacts/changed_crates_${RELEASE_NAME}.txt" \ + scripts/release/templates/crates_list.md.tera + + echo "Crates list:" + cat scripts/release/templates/crates_list.md.tera + + - name: Commit Plan.toml and crates list + shell: bash + env: + IS_PATCH: ${{ inputs.is_patch }} + RELEASE_NAME: ${{ inputs.release_name }} + run: | + . ./.github/scripts/release/release_lib.sh + + git add Plan.toml + if [ "$IS_PATCH" = true ]; then + git add scripts/release/templates/crates_list.md.tera + fi + + if [[ -n $(git status --porcelain) ]]; then + commit_with_message "chore: update Plan.toml and crates list for $RELEASE_NAME" + echo "Committed Plan.toml and crates list" + else + echo "No changes to commit" + fi + + - name: Run parity-publish apply + run: | + echo "Running parity-publish apply..." + parity-publish apply + + - name: Update Cargo.lock + run: | + echo "Updating Cargo.lock..." 
+ cargo update --workspace --offline || cargo update --workspace + echo "Cargo.lock updated" + + - name: Commit version bumps + shell: bash + env: + RELEASE_NAME: ${{ inputs.release_name }} + run: | + . ./.github/scripts/release/release_lib.sh + + git add -A + + if [[ -n $(git status --porcelain) ]]; then + commit_with_message "chore: apply version bumps for $RELEASE_NAME" + echo "Committed version bumps" + else + echo "No changes to commit" + fi + + - name: Push release branch + env: + CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }} + run: | + echo "Pushing branch $CRATES_RELEASE_BRANCH..." + git push origin "$CRATES_RELEASE_BRANCH" + echo "Successfully pushed $CRATES_RELEASE_BRANCH" + + - name: Configure cargo registry + shell: bash + env: + REGISTRY: ${{ inputs.registry }} + run: | + echo "Configuring cargo for $REGISTRY..." + mkdir -p ~/.cargo + + if [ "$REGISTRY" = "staging.crates.io" ]; then + cat >> ~/.cargo/config.toml << 'EOF' + [registries.crates-io] + index = "sparse+https://index.staging.crates.io/" + EOF + else + echo "Using default crates.io registry" + fi + + echo "Cargo config:" + cat ~/.cargo/config.toml || echo "(using defaults)" + + - name: Publish crates + shell: bash + env: + PARITY_PUBLISH_CRATESIO_TOKEN: ${{ inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN }} + DRY_RUN: ${{ inputs.dry_run }} + REGISTRY: ${{ inputs.registry }} + run: | + + if [ "$DRY_RUN" = true ]; then + echo "DRY RUN - Not actually publishing crates" + echo "Target registry: $REGISTRY" + parity-publish apply -p -d + else + echo "Publishing crates to $REGISTRY..." + parity-publish apply -p + echo "Crates published successfully to $REGISTRY!" + fi diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml index f48fc0c0cc963..60e793659e28f 100644 --- a/.github/workflows/release-99_notif-published.yml 
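Review bot: In the new release-80 workflow, the `check-synchronization` job calls `paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main` and hands it `secrets.UPSTREAM_CONTENT_SYNC_APP_KEY`, while every other `uses:` in this file is pinned to a commit SHA. Pinning this reference to a full SHA as well keeps a later push to `main` from changing the code that receives the app key. The PGP and AWS secrets sit in the job-level `env:` of `publish-crates`, so every step sees them, including `Swatinem/rust-cache` and the build scripts run by `cargo install`; moving them onto the steps that import keys and sign commits narrows that exposure (`import_gpg_keys` and `commit_with_message` are outside the diff, so which steps need them should be confirmed). `inputs.release_name` goes unvalidated into the checkout ref, the branch name and the `release-artifacts/changed_crates_${RELEASE_NAME}.txt` path, so a format check in "Derive stable branch from release name" that fails the step on anything other than the documented `stableNNNN-N` shape would reject values containing `/` or `..`. "Push release branch" also runs regardless of `dry_run`, which should be stated in the input description if it is intended.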
+++ b/.github/workflows/release-99_notif-published.yml @@ -14,25 +14,30 @@ jobs: id: fetch_latest_release_tag env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPOSITORY: ${{ github.repository }} run: | TAG_NAME=$(curl -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - -sL "https://api.github.com/repos/${{ github.repository }}/releases/latest" \ + -sL "https://api.github.com/repos/${GH_REPOSITORY}/releases/latest" \ | jq -r '.tag_name') echo "Latest release tag: $TAG_NAME" echo "latest_tag_name=$TAG_NAME" >> $GITHUB_OUTPUT - name: Fetch current release tag name id: fetch_curent_release_tag + env: + CURRENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - CURRENT_RELEASE_TAG_NAME=${{github.event.release.tag_name}} echo "Current release tag: $CURRENT_RELEASE_TAG_NAME" echo "current_tag_name=$CURRENT_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT - name: Check if release is latest id: check_is_latest + env: + LATEST_TAG: ${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }} + CURRENT_TAG: ${{ steps.fetch_curent_release_tag.outputs.current_tag_name }} run: | - if [[ "${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }}" == "${{ steps.fetch_curent_release_tag.outputs.current_tag_name }}" ]]; then + if [[ "$LATEST_TAG" == "$CURRENT_TAG" ]]; then echo "Release is latest" echo "is_latest=true" >> $GITHUB_OUTPUT else diff --git a/.github/workflows/release-build-binary.yml b/.github/workflows/release-build-binary.yml index a5adab421a8a4..8ee31606aa8ec 100644 --- a/.github/workflows/release-build-binary.yml +++ b/.github/workflows/release-build-binary.yml 
@@ -44,8 +44,10 @@ jobs: - name: Set runner id: set_runner shell: bash + env: + INPUT_BINARY: ${{ inputs.binary }} run: | - if [[ "${{ inputs.binary }}" == "polkadot-parachain" ]]; then + if [[ "$INPUT_BINARY" == "polkadot-parachain" ]]; then echo "RUNNER=parity-large" >> $GITHUB_OUTPUT else echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT @@ -61,16 +63,22 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build binary + env: + INPUT_BINARY: ${{ inputs.binary }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_PROFILE: ${{ inputs.profile }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - PROFILE=${{ inputs.profile }} - if [ "${{ inputs.binary }}" = "polkadot" ]; then + PROFILE="$INPUT_PROFILE" + if [ "$INPUT_BINARY" = "polkadot" ]; then for binary in polkadot polkadot-prepare-worker polkadot-execute-worker; do - echo "Building $binary..." - ./.github/scripts/release/build-linux-release.sh $binary ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} + echo "Building $binary with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES" done else - ./.github/scripts/release/build-linux-release.sh ${{ inputs.binary }} ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} + echo "Building $INPUT_BINARY with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$INPUT_BINARY" "$INPUT_PACKAGE" "$INPUT_FEATURES" fi - name: Upload ${{ inputs.binary }} artifacts diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml index 03ff1e1b28965..5ceb36b0ae0d2 100644 --- a/.github/workflows/release-reusable-publish-packages.yml +++ b/.github/workflows/release-reusable-publish-packages.yml 
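Review bot: In "Build binary" (second hunk), `PROFILE` is still assigned from `inputs.profile` but is now only echoed: the old calls passed `"${PROFILE}"` as the third argument of `build-linux-release.sh`, and the new ones pass `"$INPUT_FEATURES"` in that position. The script is outside the diff, so there are two readings. Either it takes three arguments, as the call in release-reusable-rc-build.yml suggests, and the `PROFILE` line and the "with profile" log text can go, or the profile is silently dropped and should be restored: `./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$PROFILE" "$INPUT_FEATURES"`. Quoting also changes the argument count, because an empty `features` input now arrives as an empty argument instead of no argument, which matters if the script tests `$#`. The same applies to the Build binary call in release-reusable-rc-build.yml.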
@@ -47,10 +47,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_TAG: ${{ inputs.tag }} run: | # Source common library for helper functions . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts-from-s3: @@ -71,15 +73,17 @@ jobs: - name: Fetch rc artifacts or release artifacts from s3 based on version id: fetch_artifacts_from_s3 + env: + PACKAGE_TYPE: ${{ inputs.package_type }} run: | . ./.github/scripts/common/lib.sh NODE_VERSION="$(get_polkadot_node_version_from_code)" echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT # Fetch specific package type artifact (deb or rpm) - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then fetch_debian_package_from_s3 polkadot - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then fetch_rpm_package_from_s3 polkadot fi @@ -134,14 +138,15 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | # --- Sync Local Repo from S3 --- mkdir -p "$LOCAL_REPO_PATH" - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true fi 
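Review bot: In the "Sync Local Repo from S3" step (third hunk), every `aws s3 sync … || true` discards a failed download, so an expired credential or a network error leaves `$LOCAL_REPO_PATH` empty or partial. The later steps in this file then add the package with `reprepro … includedeb` and sync the result back to `$AWS_REPO_PATH`, which would publish repository metadata built without the existing packages. If `|| true` exists only to tolerate a bucket prefix that does not exist yet, an explicit existence check for that case would be narrower and would let real sync errors fail the job. The step's remaining lines are outside the hunk.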
@@ -151,16 +156,18 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }} PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + PACKAGE_TYPE: ${{ inputs.package_type }} + DISTRIBUTION: ${{ inputs.distribution }} run: | . ./.github/scripts/common/lib.sh import_gpg_keys # --- Add Package to Repo and Sign --- - if [[ "${{ inputs.package_type }}" == "deb" ]]; then + if [[ "$PACKAGE_TYPE" == "deb" ]]; then debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1) - reprepro -b "$LOCAL_REPO_PATH" includedeb "${{ inputs.distribution }}" "$debname" + reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname" - elif [[ "${{ inputs.package_type }}" == "rpm" ]]; then + elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then rpmname=$(find release-artifacts/ -name 'polkadot-*.rpm' | head -n 1) echo "Signing package with pgpkms (via AWS KMS)..." @@ -184,10 +191,13 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }} + DISTRIBUTION: ${{ inputs.distribution }} + CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }} + PACKAGE_TYPE: ${{ inputs.package_type }} run: | - if [[ "${{ inputs.distribution }}" == "release" ]]; then + if [[ "$DISTRIBUTION" == "release" ]]; then aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read else aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" fi - aws cloudfront create-invalidation --distribution-id ${{ inputs.cloudfront_distribution_id }} --paths '/${{ inputs.package_type }}/*' + aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*" diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml index 7838869e7a2f7..500541dd3333e 100644 --- a/.github/workflows/release-reusable-rc-build.yml +++ b/.github/workflows/release-reusable-rc-build.yml 
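Review bot: `debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1)` is used without checking the result: with no match `reprepro includedeb` receives an empty file name, and with several matches the package that is added and signed is whichever one `find` lists first. A guard before the `reprepro` call, `[ -n "$debname" ] || { echo "no .deb in release-artifacts/" >&2; exit 1; }`, makes the first case explicit, and the `rpmname` lookup in the rpm branch has the same shape. The rpm branch continues past the end of this hunk.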
@@ -104,9 +104,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-linux-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 @@ -115,25 +119,31 @@ jobs: - name: Sign artifacts working-directory: /artifacts/${{ matrix.binaries }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
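Review bot: Quoting `"$INPUT_FEATURES"` changes what the script receives when `features` is empty: the removed line expanded to nothing and passed two arguments, while the added line always passes three, the last one an empty string. That is harmless if build-linux-release.sh tests the value, but an argument-count check or an unconditional use of the third argument would behave differently; the script is not shown here. The same applies to the macOS build call in the `-219` hunk, to the build-linux-release.sh calls in release-20_build-rc.yml and to `upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET"` in release-reusable-s3-upload.yml. Where an input is optional, `${INPUT_FEATURES:+"$INPUT_FEATURES"}` keeps the old arity and is still safe against word splitting.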
@@ -219,9 +229,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-macos-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 @@ -230,25 +244,31 @@ jobs: - name: Sign artifacts working-directory: ${{ env.ARTIFACTS_PATH }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
@@ -291,10 +311,21 @@ jobs: - name: Build polkadot deb package shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION} + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "$INPUT_PACKAGE" "${VERSION}" + + - name: Build polkadot rpm package + shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + VERSION=$(get_polkadot_node_version_from_code) + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "$INPUT_PACKAGE" "${VERSION}" - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 diff --git a/.github/workflows/release-reusable-s3-upload.yml b/.github/workflows/release-reusable-s3-upload.yml index b4c7b5d77bb53..45ff51f59aa56 100644 --- a/.github/workflows/release-reusable-s3-upload.yml +++ b/.github/workflows/release-reusable-s3-upload.yml @@ -53,6 +53,10 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload ${{ inputs.package }} artifacts to s3 + env: + PACKAGE: ${{ inputs.package }} + RELEASE_TAG: ${{ inputs.release_tag }} + TARGET: ${{ inputs.target }} run: | . ./.github/scripts/release/release_lib.sh - upload_s3_release ${{ inputs.package }} ${{ inputs.release_tag }} ${{ inputs.target }} + upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET" diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index 65f2b77601768..33d45562163fe 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml @@ -48,7 +48,7 @@ jobs: run: | . ./.github/scripts/common/lib.sh - echo "Github workspace: ${{ github.workspace }}" + echo "Github workspace: ${GITHUB_WORKSPACE}" echo "Current folder: $(pwd)"; ls -al ls -al 
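Review bot: The added `Build polkadot rpm package` step sits before `Generate artifact attestation`, but the attestation's `subject-path` lies outside the hunk, so it is not visible whether the new .rpm is covered. If that path lists only the .deb, the rpm leaves this job without provenance and the path should be extended to include it. The step is also new behaviour in a change that otherwise only moves expressions into `env:`, so it is worth confirming it was meant to land here.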
@@ -81,11 +81,16 @@ jobs: tag: "1.84.1" - name: Summary + env: + SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }} + CHAIN: ${{ matrix.chain }} + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} run: | - echo '${{ steps.srtool_build.outputs.json }}' | jq > ${{ matrix.chain }}-srtool-digest.json - cat ${{ matrix.chain }}-srtool-digest.json - echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" - echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" + echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json" + cat "${CHAIN}-srtool-digest.json" + echo "Compact Runtime: $WASM_PATH" + echo "Compressed Runtime: $WASM_COMPRESSED_PATH" - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 
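Review bot: In the Summary step `echo "$SRTOOL_JSON" | jq` depends on how the step's shell implements `echo`; the step sets no `shell:`, and an `echo` that interprets backslash escapes would alter JSON strings before `jq` reads them. `printf '%s\n' "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json"` prints the value unchanged in any POSIX shell.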
@@ -101,25 +106,35 @@ jobs: - name: Show Runtime information shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} + CHAIN: ${{ matrix.chain }} run: | - subwasm info ${{ steps.srtool_build.outputs.wasm }} - subwasm info ${{ steps.srtool_build.outputs.wasm_compressed }} - subwasm --json info ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-info.json - subwasm --json info ${{ steps.srtool_build.outputs.wasm_compressed }} > ${{ matrix.chain }}-compressed-info.json + subwasm info "$WASM_PATH" + subwasm info "$WASM_COMPRESSED_PATH" + subwasm --json info "$WASM_PATH" > "${CHAIN}-info.json" + subwasm --json info "$WASM_COMPRESSED_PATH" > "${CHAIN}-compressed-info.json" - name: Extract the metadata shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} run: | - subwasm meta ${{ steps.srtool_build.outputs.wasm }} - subwasm --json meta ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-metadata.json + subwasm meta "$WASM_PATH" + subwasm --json meta "$WASM_PATH" > "${CHAIN}-metadata.json" - name: Check the metadata diff shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} # the following subwasm call will error for chains that are not known and/or live, that includes shell for instance run: | - subwasm diff ${{ steps.srtool_build.outputs.wasm }} --chain-b ${{ matrix.chain }} || \ - echo "Subwasm call failed, check the logs. This is likely because ${{ matrix.chain }} is not known by subwasm" | \ - tee ${{ matrix.chain }}-diff.txt + subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || \ + echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm" | \ + tee "${CHAIN}-diff.txt" - name: Archive Subwasm results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
diff --git a/polkadot/xcm/xcm-executor/src/lib.rs b/polkadot/xcm/xcm-executor/src/lib.rs index 763c4e83ecb19..9530dbae57531 100644 --- a/polkadot/xcm/xcm-executor/src/lib.rs +++ b/polkadot/xcm/xcm-executor/src/lib.rs @@ -915,6 +915,18 @@ impl XcmExecutor { // Macro to deduplicate the transactional holding-backup pattern. macro_rules! process_holding_transaction { + // Use this variant for instructions that don't touch storage. + // Since storage is unaffected, the holding register must always be + // rolled back on error regardless of the `TransactionalProcessor` + // config item. + (always, $self:ident, $body:expr) => {{ + let old_holding = $self.holding.clone(); + let result = Config::TransactionalProcessor::process(|| $body); + if result.is_err() { + $self.holding = old_holding; + } + result + }}; ($self:ident, $body:expr) => { process_holding_transaction!($self, $body, {}) }; @@ -1431,7 +1443,7 @@ impl XcmExecutor { target: "xcm::executor::BuyExecution", asset_used_in_buy_execution = ?self.asset_used_in_buy_execution ); - process_holding_transaction!(self, { + process_holding_transaction!(always, self, { // pay for `weight` using up to `fees` of the holding register. let max_fee = self.holding.try_take(fees.clone().into()).map_err(|e| { @@ -1737,7 +1749,10 @@ impl XcmExecutor { &want, maximal, ) - .map_err(|_| XcmError::NoDeal)?; + .map_err(|unspent| { + self.holding.subsume_assets(unspent); + XcmError::NoDeal + })?; self.holding.subsume_assets(received); Ok(()) })
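Review bot: The `always` arm restores only `$self.holding` when `$body` fails; anything else the body changed on the executor before the error stays changed, and the arm's comment does not say so. Its first user is BuyExecution in the `-1431` hunk, whose body is only partly visible here, so the limit is worth stating next to the macro: `// Only the holding register is restored; other executor fields mutated by $body are not.` The snapshot is also an unconditional `clone()` of the holding register on every use, which the same comment could mention as the cost of the guarantee. The macro's remaining arms lie outside the hunk.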
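Review bot: The new `map_err` closure in the `-1737` hunk trusts the `Err` value of the exchange call to be exactly the assets that were taken out of holding; an exchanger that returns fewer or different assets on failure would leave the register short or altered. A comment stating that contract would help: `// On failure the exchanger returns the assets it was given; put them back so a failed exchange does not drain holding.` A regression test that runs the instruction against a failing exchanger and compares holding before and after would pin the fix; none is visible in this part of the diff. The call and the enclosing instruction arm start above the hunk.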