From 5052b04837dc888eee7c725e09a5ef6581363f99 Mon Sep 17 00:00:00 2001 From: Egor_P Date: Thu, 19 Feb 2026 16:31:08 +0100 Subject: [PATCH] BACKPORT-CONFLICT --- .../workflows/release-10_branchoff-stable.yml | 21 +- .../workflows/release-11_rc-automation.yml | 6 +- .github/workflows/release-20_build-rc.yml | 4 +- .../workflows/release-21_build-runtimes.yml | 93 +++++ ...mbined-rc-runtime-builds-release-draft.yml | 129 ++++++ .../release-30_publish_release_draft.yml | 98 ++++- .../release-31_promote-rc-to-final.yml | 4 +- .../workflows/release-50_publish-docker.yml | 53 ++- ...ease-60_post-crates-release-activities.yml | 385 ++++++++++++++++++ .../workflows/release-80_publish-crates.yml | 274 +++++++++++++ .../workflows/release-99_notif-published.yml | 43 ++ .github/workflows/release-build-binary.yml | 22 +- .../release-reusable-publish-packages.yml | 203 +++++++++ .../workflows/release-reusable-rc-build.yml | 85 +++- .../workflows/release-reusable-s3-upload.yml | 6 +- .github/workflows/release-srtool.yml | 43 +- 16 files changed, 1406 insertions(+), 63 deletions(-) create mode 100644 .github/workflows/release-21_build-runtimes.yml create mode 100644 .github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml create mode 100644 .github/workflows/release-60_post-crates-release-activities.yml create mode 100644 .github/workflows/release-80_publish-crates.yml create mode 100644 .github/workflows/release-reusable-publish-packages.yml diff --git a/.github/workflows/release-10_branchoff-stable.yml b/.github/workflows/release-10_branchoff-stable.yml index 307980c4f7c2e..ae08a2ff84cc1 100644 --- a/.github/workflows/release-10_branchoff-stable.yml +++ b/.github/workflows/release-10_branchoff-stable.yml 
@@ -37,15 +37,18 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_NODE_VERSION: ${{ inputs.node_version }} + INPUT_STABLE_VERSION: ${{ inputs.stable_version }} run: | . ./.github/scripts/common/lib.sh - if [ -n "${{ inputs.node_version }}" ]; then - node_version=$(filter_version_from_input "${{ inputs.node_version }}") + if [ -n "$INPUT_NODE_VERSION" ]; then + node_version=$(filter_version_from_input "$INPUT_NODE_VERSION") echo "node_version=${node_version}" >> $GITHUB_OUTPUT fi - stable_version=$(validate_stable_tag ${{ inputs.stable_version }}) + stable_version=$(validate_stable_tag "$INPUT_STABLE_VERSION") echo "stable_version=${stable_version}" >> $GITHUB_OUTPUT create-stable-branch: @@ -103,10 +106,10 @@ jobs: - name: Bump versions, reorder prdocs and push stable branch env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} + NODE_VERSION: ${{ needs.validate-inputs.outputs.node_version }} run: | . ./.github/scripts/release/release_lib.sh - NODE_VERSION="${{ needs.validate-inputs.outputs.node_version }}" NODE_VERSION_PATTERN="\(NODE_VERSION[^=]*= \)\".*\"" set_version "$NODE_VERSION_PATTERN" $NODE_VERSION "polkadot/node/primitives/src/lib.rs" commit_with_message "Bump node version to $NODE_VERSION in polkadot-cli" 
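Review bot: The `env:` block added to `Validate inputs` carries no comment explaining why the inputs are routed through environment variables, so a later edit can easily put `${{ inputs.* }}` back into the `run:` script. I would add a comment above `env:` such as `# Pass workflow inputs via env, never via ${{ }} inside run: the expression text is pasted into the script before the shell parses it`. The same applies to the `Validate inputs` hunks in release-11, release-20, release-30, release-31 and release-50, and to the new release-21 and release-22 files.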
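Review bot: `$NODE_VERSION` is still expanded unquoted in the `set_version` call of the `@@ -103,10 +106,10 @@` hunk, so moving it into `env:` removes the expression interpolation but leaves word splitting and globbing on the value. Quote it: `set_version "$NODE_VERSION_PATTERN" "$NODE_VERSION" "polkadot/node/primitives/src/lib.rs"`. The value comes from the `validate-inputs` job output, which is presumably already filtered, so this is hardening rather than a known break. The step's script continues outside the hunk.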
@@ -127,12 +130,14 @@ jobs: if: ${{ inputs.tag_rc }} env: GH_TOKEN: ${{ steps.generate_write_token.outputs.token }} # or use a PAT with workflow scope + STABLE_VERSION: ${{ needs.validate-inputs.outputs.stable_version }} + GH_REPOSITORY: ${{ github.repository }} run: | - stable_tag_base=polkadot-${{ needs.validate-inputs.outputs.stable_version }} + stable_tag_base="polkadot-${STABLE_VERSION}" gh workflow run release-11_rc-automation.yml \ - --repo ${{ github.repository }} \ - --ref ${{ needs.validate-inputs.outputs.stable_version }} \ - --field version=${stable_tag_base} + --repo "$GH_REPOSITORY" \ + --ref "$STABLE_VERSION" \ + --field version="${stable_tag_base}" tag-rc-without-branchoff: if: ${{ !inputs.is_new_stable && inputs.tag_rc }} diff --git a/.github/workflows/release-11_rc-automation.yml b/.github/workflows/release-11_rc-automation.yml index 85e54b0cb3e28..864fd2d1f6c2f 100644 --- a/.github/workflows/release-11_rc-automation.yml +++ b/.github/workflows/release-11_rc-automation.yml @@ -79,14 +79,16 @@ jobs: # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }} id: compute_tag shell: bash + env: + INPUT_VERSION: ${{ inputs.version }} run: | . ./.github/scripts/common/lib.sh # Get last rc tag if exists, else set it to {version}-rc1 - if [[ -z "${{ inputs.version }}" ]]; then + if [[ -z "$INPUT_VERSION" ]]; then version=v$(get_polkadot_node_version_from_code) else - version=$(validate_stable_tag ${{ inputs.version }}) + version=$(validate_stable_tag "$INPUT_VERSION") fi echo "$version" echo "version=$version" >> $GITHUB_OUTPUT diff --git a/.github/workflows/release-20_build-rc.yml b/.github/workflows/release-20_build-rc.yml index 6b4c67b832685..1feac9f0f7efb 100644 --- a/.github/workflows/release-20_build-rc.yml +++ b/.github/workflows/release-20_build-rc.yml 
@@ -38,10 +38,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-polkadot-binary: diff --git a/.github/workflows/release-21_build-runtimes.yml b/.github/workflows/release-21_build-runtimes.yml new file mode 100644 index 0000000000000..764e7e2657b22 --- /dev/null +++ b/.github/workflows/release-21_build-runtimes.yml 
@@ -0,0 +1,93 @@ +name: Release - Build runtimes + +on: + workflow_dispatch: + inputs: + chain: + description: The chain to use + default: all + required: true + type: choice + options: + - all + - westend + - asset-hub-westend + - bridge-hub-westend + - collectives-westend + - coretime-westend + - glutton-westend + - people-westend + runtime_dir: + description: The runtime dir to be used (⚠️ this parameter is optional and needed only in case of the single runtime build, set it accordingly to the runtime you want to build) + default: polkadot/runtime/westend + type: choice + options: + - polkadot/runtime/westend + - cumulus/parachains/runtimes/assets/asset-hub-westend + - cumulus/parachains/runtimes/bridge-hubs/bridge-hub-westend + - cumulus/parachains/runtimes/collectives/collectives-westend + - cumulus/parachains/runtimes/coretime/coretime-westend + - cumulus/parachains/runtimes/people/people-westend + - cumulus/parachains/runtimes/glutton/glutton-westend + + release_tag: + description: Tag matching the actual release candidate with the format polkadot-stableYYMM(-X)-rcY or polkadot-stableYYMM(-X) + type: string + + workflow_call: + inputs: + chain: + description: The chain to use + default: all + required: true + type: string + runtime_dir: + description: The runtime dir to be used (⚠️ this parameter is optional and needed only in case of the single runtime build, set it accordingly to the runtime you want to build) + default: polkadot/runtime/westend + type: string + release_tag: + description: Tag matching the actual release candidate with the format polkadot-stableYYMM(-X)-rcY or polkadot-stableYYMM(-X) + type: string + outputs: + published_runtimes: + value: ${{ jobs.build-runtimes.outputs.published_runtimes }} + +jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + secrets: + fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} + + validate-inputs: + needs: 
[check-synchronization] + if: needs.check-synchronization.outputs.checks_passed == 'true' + runs-on: ubuntu-latest + outputs: + release_tag: ${{ steps.validate_inputs.outputs.release_tag }} + steps: + - name: Checkout sources + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Validate inputs + id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} + run: | + . ./.github/scripts/common/lib.sh + + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT + + build-runtimes: + needs: [validate-inputs] + uses: "./.github/workflows/release-srtool.yml" + with: + excluded_runtimes: "rococo asset-hub-rococo bridge-hub-rococo rococo substrate-test bp cumulus-test kitchensink minimal-template parachain-template penpal polkadot-test seedling shell frame-try sp solochain-template polkadot-sdk-docs-first pallet-staking-async-parachain pallet-staking-async-rc frame-storage-access-test yet-another-parachain revive-dev" + build_opts: "--features on-chain-release-build" + profile: production + chain: ${{ inputs.chain }} + runtime_dir: ${{ inputs.runtime_dir }} + permissions: + id-token: write + attestations: write + contents: read diff --git a/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml new file mode 100644 index 0000000000000..a82df10ff212b --- /dev/null +++ b/.github/workflows/release-22_combined-rc-runtime-builds-release-draft.yml 
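Review bot: `check-synchronization` calls `paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main` and passes it `secrets.UPSTREAM_CONTENT_SYNC_APP_KEY`, while `actions/checkout` in the same file is pinned to a full commit SHA. A branch ref is mutable, so whatever is on `main` of that repository at run time executes with the app key. Pin the reusable workflow the same way, `uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@<COMMIT_SHA> # main` (SHA shown as a placeholder to fill in). The same `@main` reference appears in the new release-22 workflow.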
@@ -0,0 +1,129 @@ +name: Release - Combined Builds Flow + +on: + workflow_dispatch: + inputs: + chain: + description: The chain to use for runtime builds + default: all + required: true + type: choice + options: + - all + - westend + - asset-hub-westend + - bridge-hub-westend + - collectives-westend + - coretime-westend + - glutton-westend + - people-westend + runtime_dir: + description: The runtime dir to be used (⚠️ this parameter is optional and needed only in case of the single runtime build, set it accordingly to the runtime you want to build) + default: polkadot/runtime/westend + type: choice + options: + - polkadot/runtime/westend + - cumulus/parachains/runtimes/assets/asset-hub-westend + - cumulus/parachains/runtimes/bridge-hubs/bridge-hub-westend + - cumulus/parachains/runtimes/collectives/collectives-westend + - cumulus/parachains/runtimes/coretime/coretime-westend + - cumulus/parachains/runtimes/people/people-westend + - cumulus/parachains/runtimes/glutton/glutton-westend + binary: + description: Binary to be built for the release candidate + default: all + type: choice + options: + - polkadot + - polkadot-parachain + - polkadot-omni-node + - frame-omni-bencher + - chain-spec-builder + - substrate-node + - eth-rpc + - subkey + - all + release_tag: + description: Tag matching the actual release candidate with the format polkadot-stableYYMM(-X)-rcY or polkadot-stableYYMM(-X) + type: string + required: true + no_runtimes: + description: If true, no runtime build will be triggered and release draft will be published without runtimes (⚠️ use it for the patch releases of the latest stable) + required: true + type: boolean + default: false + +jobs: + check-synchronization: + uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + secrets: + fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} + + validate-inputs: + needs: [check-synchronization] + if: needs.check-synchronization.outputs.checks_passed == 'true' + 
runs-on: ubuntu-latest + outputs: + release_tag: ${{ steps.validate_inputs.outputs.release_tag }} + steps: + - name: Checkout sources + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Validate inputs + id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} + run: | + . ./.github/scripts/common/lib.sh + + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") + echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT + + build-runtimes-flow: + if: ${{ inputs.no_runtimes == false }} + needs: [validate-inputs] + uses: "./.github/workflows/release-21_build-runtimes.yml" + with: + chain: ${{ inputs.chain }} + runtime_dir: ${{ inputs.runtime_dir }} + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + secrets: inherit + permissions: + id-token: write + attestations: write + contents: read + + build-rc-flow: + needs: [validate-inputs] + uses: "./.github/workflows/release-20_build-rc.yml" + with: + binary: ${{ inputs.binary }} + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + secrets: inherit + permissions: + id-token: write + attestations: write + contents: read + + trigger-release-draft-with-runtimes: + if: ${{ inputs.no_runtimes == false }} + needs: [build-runtimes-flow, build-rc-flow, validate-inputs] + uses: "./.github/workflows/release-30_publish_release_draft.yml" + with: + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + build_run_id: ${{ github.run_id }} + runtimes: '${{ needs.build-runtimes-flow.outputs.published_runtimes }}' + no_runtimes: ${{ inputs.no_runtimes }} + crates_only: false + secrets: inherit + + trigger-release-draft-without-runtimes: + if: ${{ inputs.no_runtimes == true }} + needs: [build-rc-flow, validate-inputs] + uses: "./.github/workflows/release-30_publish_release_draft.yml" + with: + release_tag: ${{ needs.validate-inputs.outputs.release_tag }} + build_run_id: ${{ github.run_id }} + no_runtimes: ${{ inputs.no_runtimes }} + crates_only: false + 
secrets: inherit diff --git a/.github/workflows/release-30_publish_release_draft.yml b/.github/workflows/release-30_publish_release_draft.yml index c6efe8d53b9a1..20b5badb2deb6 100644 --- a/.github/workflows/release-30_publish_release_draft.yml +++ b/.github/workflows/release-30_publish_release_draft.yml @@ -35,10 +35,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT build-runtimes: @@ -65,8 +67,29 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 +<<<<<<< HEAD - name: Download artifacts uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 +======= + - name: Generate content write token for the release automation + id: generate_write_token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + with: + app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }} + private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }} + owner: paritytech + repositories: polkadot-sdk + + - name: Download runtimes artifacts + if: ${{ inputs.no_runtimes == false && inputs.crates_only == false }} + env: + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} + run: | + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Prepare tooling run: | 
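Review bot: All four called workflows in release-22 are given `secrets: inherit`, which hands every secret visible to this workflow to release-20, release-21 and release-30. Release-21 as added in this patch reads only `secrets.UPSTREAM_CONTENT_SYNC_APP_KEY`. Passing named secrets keeps each callee to what it needs, for example `secrets:` with `UPSTREAM_CONTENT_SYNC_APP_KEY: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }}` on `build-runtimes-flow`. This requires the callee to declare the secret under `on.workflow_call.secrets`, which release-21 does not do yet.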
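Review bot: Unresolved merge-conflict markers are committed in the release-30 `@@ -65,8 +67,29 @@` hunk: `<<<<<<< HEAD`, `=======` and `>>>>>>> cf88f8c3 (...)` surround the old `Download artifacts` step and the new token and download steps. With the markers in place the file should no longer parse as a workflow, and it is also unclear which download path the release is meant to use. The same markers appear in the later release-30 hunks `@@ -86,6 +109,12 @@` and `@@ -164,14 +193,37 @@`, and in release-50 at `@@ -102,12 +105,17 @@` and `@@ -184,10 +198,33 @@`. In each place one side has to be chosen and the three marker lines removed before this backport is merged.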
@@ -86,6 +109,12 @@ jobs: PEOPLE_WESTEND_DIGEST: ${{ github.workspace}}/people-westend-runtime/people-westend-srtool-digest.json WESTEND_DIGEST: ${{ github.workspace}}/westend-runtime/westend-srtool-digest.json RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} +<<<<<<< HEAD +======= + NO_RUNTIMES: ${{ inputs.no_runtimes }} + CRATES_ONLY: ${{ inputs.crates_only }} + GH_REF_NAME: ${{ github.ref_name }} +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) shell: bash run: | . ./.github/scripts/common/lib.sh @@ -94,7 +123,7 @@ jobs: export REF1=$(get_latest_release_tag) if [[ -z "$RELEASE_TAG" ]]; then - export REF2="${{ github.ref_name }}" + export REF2="${GH_REF_NAME}" echo "REF2: ${REF2}" else export REF2="$RELEASE_TAG" 
@@ -164,14 +193,37 @@ jobs: owner: paritytech repositories: polkadot-sdk +<<<<<<< HEAD +======= + - name: Download runtimes + env: + GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BUILD_RUN_ID: ${{ inputs.build_run_id }} + run: | + mkdir -p "${GITHUB_WORKSPACE}/runtimes/" + gh run download "$BUILD_RUN_ID" --dir "${GITHUB_WORKSPACE}/runtimes" + ls -la "${GITHUB_WORKSPACE}/runtimes" + + - name: Get runtime info + env: + CHAIN: ${{ matrix.chain }} + JSON: ${{ github.workspace}}/release-notes-context/runtimes/${{ matrix.chain }}-runtime/${{ matrix.chain }}-srtool-digest.json + run: | + cd "${GITHUB_WORKSPACE}/runtimes" + >>$GITHUB_ENV echo ASSET=$(find "${CHAIN}-runtime" -name '*.compact.compressed.wasm') + >>$GITHUB_ENV echo SPEC=$(<${JSON} jq -r .runtimes.compact.subwasm.core_version.specVersion) + +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Upload compressed ${{ matrix.chain }} v${{ env.SPEC }} wasm env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + CHAIN: ${{ matrix.chain }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} run: | - VERSIONED_ASSET="${{ matrix.chain }}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" + VERSIONED_ASSET="${CHAIN}_runtime-v${{ env.SPEC }}.compact.compressed.wasm" mv "${{ env.ASSET }}" "$VERSIONED_ASSET" - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk "$VERSIONED_ASSET" publish-release-artifacts: 
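Review bot: The `Upload compressed ... wasm` script still interpolates `${{ env.SPEC }}` and `${{ env.ASSET }}` into the shell text, which is the pattern this change removes everywhere else. In the incoming `Get runtime info` step both values are written to `$GITHUB_ENV` from a `find` result and a `jq` read of the downloaded digest JSON, so they are derived from artifact contents. They are already in the process environment, so `VERSIONED_ASSET="${CHAIN}_runtime-v${SPEC}.compact.compressed.wasm"` and `mv "$ASSET" "$VERSIONED_ASSET"` do the same job without the expression. The two `>>$GITHUB_ENV echo NAME=$(...)` writes are also unquoted; `echo "ASSET=$(...)" >> "$GITHUB_ENV"` avoids word splitting on the value.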
@@ -189,23 +241,28 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Fetch binaries from s3 based on version + env: + VERSION: ${{ needs.validate-inputs.outputs.release_tag }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.release_tag }}" - fetch_release_artifacts_from_s3 ${{ matrix.binary }} ${{ matrix.target }} + fetch_release_artifacts_from_s3 "$BINARY" "$TARGET" - name: Rename aarch64-apple-darwin binaries if: ${{ matrix.target == 'aarch64-apple-darwin' }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} + env: + BINARY: ${{ matrix.binary }} run: | . ../../../.github/scripts/common/lib.sh - mv ${{ matrix.binary }} ${{ matrix.binary }}-aarch64-apple-darwin - mv ${{ matrix.binary }}.asc ${{ matrix.binary }}-aarch64-apple-darwin.asc + mv "$BINARY" "${BINARY}-aarch64-apple-darwin" + mv "${BINARY}.asc" "${BINARY}-aarch64-apple-darwin.asc" - sha256sum "${{ matrix.binary }}-aarch64-apple-darwin" | tee "${{ matrix.binary }}-aarch64-apple-darwin.sha256" - check_sha256 "${{ matrix.binary }}-aarch64-apple-darwin" && echo "OK" || echo "ERR" + sha256sum "${BINARY}-aarch64-apple-darwin" | tee "${BINARY}-aarch64-apple-darwin.sha256" + check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR" - name: Generate content write token for the release automation id: generate_write_token 
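Review bot: In `Rename aarch64-apple-darwin binaries` the line `check_sha256 "${BINARY}-aarch64-apple-darwin" && echo "OK" || echo "ERR"` always ends with exit status 0. A checksum mismatch therefore prints `ERR`, the step succeeds, and the binary goes on to the upload step. Make the failure stop the job: `check_sha256 "${BINARY}-aarch64-apple-darwin" || { echo "ERR"; exit 1; }`. `check_sha256` is defined in `lib.sh` outside this diff, so confirm it does not already exit on a mismatch.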
@@ -219,20 +276,23 @@ jobs: - name: Upload ${{ matrix.binary }} binary to release draft env: GITHUB_TOKEN: ${{ steps.generate_write_token.outputs.token }} + BINARY: ${{ matrix.binary }} + TARGET: ${{ matrix.target }} + VALIDATED_RELEASE_TAG: ${{ needs.validate-inputs.outputs.release_tag }} working-directory: ${{ github.workspace}}/release-artifacts/${{ matrix.target }}/${{ matrix.binary }} run: | - if [[ ${{ matrix.target }} == "aarch64-apple-darwin" ]]; then - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + if [[ "$TARGET" == "aarch64-apple-darwin" ]]; then + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }}-aarch64-apple-darwin \ - ${{ matrix.binary }}-aarch64-apple-darwin.asc \ - ${{ matrix.binary }}-aarch64-apple-darwin.sha256 + "${BINARY}-aarch64-apple-darwin" \ + "${BINARY}-aarch64-apple-darwin.asc" \ + "${BINARY}-aarch64-apple-darwin.sha256" else - gh release upload ${{ needs.validate-inputs.outputs.release_tag }} \ + gh release upload "$VALIDATED_RELEASE_TAG" \ --repo paritytech/polkadot-sdk \ - ${{ matrix.binary }} \ - ${{ matrix.binary }}.asc \ - ${{ matrix.binary }}.sha256 + "$BINARY" \ + "${BINARY}.asc" \ + "${BINARY}.sha256" fi post_to_matrix: diff --git a/.github/workflows/release-31_promote-rc-to-final.yml b/.github/workflows/release-31_promote-rc-to-final.yml index d12374962fc99..43b23db51cab0 100644 --- a/.github/workflows/release-31_promote-rc-to-final.yml +++ b/.github/workflows/release-31_promote-rc-to-final.yml @@ -40,10 +40,12 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_RELEASE_TAG: ${{ inputs.release_tag }} run: | . ./.github/scripts/common/lib.sh - RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }}) + RELEASE_TAG=$(validate_stable_tag "$INPUT_RELEASE_TAG") echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT promote-polkadot-rc-to-final: 
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml index 8855c5580815c..dc3412284394e 100644 --- a/.github/workflows/release-50_publish-docker.yml +++ b/.github/workflows/release-50_publish-docker.yml @@ -83,13 +83,16 @@ jobs: - name: Validate inputs id: validate_inputs + env: + INPUT_VERSION: ${{ inputs.version }} + INPUT_STABLE_TAG: ${{ inputs.stable_tag }} run: | . ./.github/scripts/common/lib.sh - VERSION=$(filter_version_from_input "${{ inputs.version }}") + VERSION=$(filter_version_from_input "$INPUT_VERSION") echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }}) + STABLE_TAG=$(validate_stable_tag "$INPUT_STABLE_TAG") echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build @@ -102,12 +105,17 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Fetch rc artifacts or release artifacts from s3 based on version +<<<<<<< HEAD # if: ${{ env.EVENT_NAME == 'workflow_dispatch' && inputs.binary != 'polkadot-omni-node' && inputs.binary != 'chain-spec-builder'}} +======= + if: ${{ inputs.binary == 'polkadot-omni-node' || inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }} + env: + VERSION: ${{ needs.validate-inputs.outputs.stable_tag }} +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) run: | . ./.github/scripts/common/lib.sh - VERSION="${{ needs.validate-inputs.outputs.stable_tag }}" - if [[ ${{ inputs.binary }} == 'polkadot' ]]; then + if [[ "$BINARY" == 'polkadot' ]]; then bins=(polkadot polkadot-prepare-worker polkadot-execute-worker) for bin in "${bins[@]}"; do fetch_release_artifacts_from_s3 $bin x86_64-unknown-linux-gnu 
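Review bot: The rewritten test `[[ "$BINARY" == 'polkadot' ]]` in the release-50 `@@ -102,12 +105,17 @@` hunk reads `BINARY`, but the `env:` block added to this step defines only `VERSION`. Other steps in this file use `env.BINARY` in their `if:` conditions, so it is presumably set at workflow or job level. If it is not visible in the `fetch-artifacts` job, the comparison is against an empty string and the polkadot branch is never taken. Adding `BINARY: ${{ inputs.binary }}` next to `VERSION` makes the step self-contained. The `for` loop continues past the end of the hunk.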
@@ -157,25 +165,31 @@ jobs: if: ${{ env.IMAGE_TYPE == 'rc' }} id: fetch_rc_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh commit=$(git rev-parse --short HEAD) && \ echo "commit=${commit}" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "tag=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "tag=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Fetch release tags working-directory: release-artifacts if: ${{ env.IMAGE_TYPE == 'release'}} id: fetch_release_refs shell: bash + env: + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + VALIDATED_STABLE_TAG: ${{ needs.validate-inputs.outputs.stable_tag }} run: | . ../.github/scripts/common/lib.sh echo "tag=latest" >> $GITHUB_OUTPUT - echo "release=$(echo ${{ needs.validate-inputs.outputs.version }})" >> $GITHUB_OUTPUT - echo "stable=$(prepare_docker_stable_tag ${{ needs.validate-inputs.outputs.stable_tag }})" >> $GITHUB_OUTPUT + echo "release=${VALIDATED_VERSION}" >> $GITHUB_OUTPUT + echo "stable=$(prepare_docker_stable_tag "$VALIDATED_STABLE_TAG")" >> $GITHUB_OUTPUT - name: Build Injected Container image for polkadot rc if: ${{ env.BINARY == 'polkadot' }} 
@@ -184,10 +198,33 @@ jobs: IMAGE_NAME: ${{ env.BINARY }} OWNER: ${{ env.DOCKER_OWNER }} TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }} +<<<<<<< HEAD run: | ls -al echo "Building container for $BINARY" ./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER +======= + VALIDATED_VERSION: ${{ needs.validate-inputs.outputs.version }} + shell: bash + run: | + ls -al + echo "Building container for $BINARY" + echo "IMAGE_TYPE: $IMAGE_TYPE" + + if [[ "$IMAGE_TYPE" == "rc" ]]; then + echo "Building RC container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + ./docker/scripts/build-injected.sh + else + echo "Building release container for polkadot" + export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected_debian.Dockerfile" + export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker" + export POLKADOT_DEB=true + export VERSION="$VALIDATED_VERSION" + ./docker/scripts/build-injected.sh + fi +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Build Injected Container image for polkadot-omni-node/chain-spec-builder if: ${{ env.BINARY == 'polkadot-omni-node' || env.BINARY == 'chain-spec-builder' }} diff --git a/.github/workflows/release-60_post-crates-release-activities.yml b/.github/workflows/release-60_post-crates-release-activities.yml new file mode 100644 index 0000000000000..e9ac2ec5460c2 --- /dev/null +++ b/.github/workflows/release-60_post-crates-release-activities.yml 
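Review bot: The incoming side of the conflict in `Build Injected Container image for polkadot rc` calls `./docker/scripts/build-injected.sh` with `docker/dockerfiles/polkadot/polkadot_injected.Dockerfile` and `polkadot_injected_debian.Dockerfile`, whereas the HEAD side calls `./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER`. The diffstat lists only files under `.github/workflows`, so this patch adds neither the script nor the Dockerfiles. Check that they exist on this release branch before taking the incoming side. If they do, the two branches differ only in `DOCKERFILE`, `POLKADOT_DEB` and `VERSION`, so `export BINARY="polkadot,polkadot-execute-worker,polkadot-prepare-worker"` and the script call can be written once after the `if`.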
@@ -0,0 +1,385 @@ +name: Release - Post Crates Release Activities + +on: + workflow_dispatch: + inputs: + version: + description: 'Full release version identifier (e.g., stable2512 or stable2512-2)' + required: true + type: string + bump_node_version: + description: 'Bump NODE_VERSION? Select "yes" if this is the first run for this post-crates PR, "no" if re-running or if you have another reason not to bump' + required: true + type: choice + options: + - 'yes' + - 'no' + bump_spec_version: + description: 'Bump spec_version? Select "yes" to bump spec version for all runtimes, "no" if re-running or if you have another reason not to bump' + required: true + type: choice + options: + - 'yes' + - 'no' + +permissions: + contents: write + pull-requests: write + +jobs: + #check-synchronization: + # uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main + #secrets: + # fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }} + + set-image: + #needs: [ check-synchronization ] + #if: needs.check-synchronization.outputs.checks_passed == 'true' + runs-on: ubuntu-latest + outputs: + IMAGE: ${{ steps.set_image.outputs.IMAGE }} + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - id: set_image + run: cat .github/env >> $GITHUB_OUTPUT + + post-crates-activities: + needs: set-image + runs-on: ubuntu-latest + environment: release + env: + PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }} + PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} + container: + image: ${{ needs.set-image.outputs.IMAGE }} + + steps: + - name: Install pgpkms + run: | + # Install pgpkms that is used to sign commits + pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151 + # Find and display where 
pgpkms-git is installed + echo "pgpkms-git location: $(which pgpkms-git)" + ls -la $(which pgpkms-git) + + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + + - name: Import GPG keys + shell: bash + run: | + . ./.github/scripts/common/lib.sh + import_gpg_keys + + - name: Configure git + shell: bash + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" + git config --global commit.gpgsign true + # Dynamically find pgpkms-git path + PGPKMS_PATH=$(which pgpkms-git) + echo "Using pgpkms-git at: $PGPKMS_PATH" + git config --global gpg.program "$PGPKMS_PATH" + git config --global user.name "ParityReleases" + git config --global user.email "release-team@parity.io" + git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51" + + - name: Bump NODE_VERSION for polkadot + if: inputs.bump_node_version == 'yes' + run: | + echo "Bumping NODE_VERSION in polkadot..." + FILE="polkadot/node/primitives/src/lib.rs" + + # Extract current NODE_VERSION + current_version=$(grep 'pub const NODE_VERSION' "$FILE" | grep -oE '"[0-9]+\.[0-9]+\.[0-9]+"' | tr -d '"') + echo "Current version: $current_version" + + # Bump patch version + new_version=$(echo "$current_version" | awk -F. '{print $1"."$2"."$3+1}') + echo "New version: $new_version" + + # Update the file + sed -i.bak "s/NODE_VERSION: &'static str = \"$current_version\"/NODE_VERSION: \&'static str = \"$new_version\"/" "$FILE" + rm -f "$FILE.bak" + + echo "Successfully bumped NODE_VERSION from $current_version to $new_version" + + - name: Bump NODE_VERSION for polkadot-parachain and polkadot-omni-node + if: inputs.bump_node_version == 'yes' + run: | + echo "Bumping NODE_VERSION in cumulus..." 
+ FILE="cumulus/polkadot-omni-node/lib/src/nodes/mod.rs"
+
+ # Extract current NODE_VERSION
+ current_version=$(grep 'pub const NODE_VERSION' "$FILE" | grep -oE '"[0-9]+\.[0-9]+\.[0-9]+"' | tr -d '"')
+ echo "Current version: $current_version"
+
+ # Bump patch version
+ new_version=$(echo "$current_version" | awk -F. '{print $1"."$2"."$3+1}')
+ echo "New version: $new_version"
+
+ # Update the file
+ sed -i.bak "s/NODE_VERSION: &'static str = \"$current_version\"/NODE_VERSION: \&'static str = \"$new_version\"/" "$FILE"
+ rm -f "$FILE.bak"
+
+ echo "Successfully bumped NODE_VERSION from $current_version to $new_version"
+
+ - name: Commit NODE_VERSION bumps
+ if: inputs.bump_node_version == 'yes'
+ shell: bash
+ run: |
+ . ./.github/scripts/release/release_lib.sh
+
+ # Extract the bumped NODE_VERSION
+ FILE="polkadot/node/primitives/src/lib.rs"
+ NODE_VERSION=$(grep 'pub const NODE_VERSION' "$FILE" | grep -oE '"[0-9]+\.[0-9]+\.[0-9]+"' | tr -d '"')
+
+ echo "Committing NODE_VERSION bump to $NODE_VERSION"
+ commit_with_message "Bump NODE_VERSION to $NODE_VERSION"
+ echo "✅ Successfully committed NODE_VERSION bump"
+
+ - name: Bump spec_version
+ if: inputs.bump_spec_version == 'yes'
+ shell: bash
+ run: |
+ . ./.github/scripts/release/release_lib.sh
+
+ FILE="polkadot/node/primitives/src/lib.rs"
+ NODE_VERSION=$(grep 'pub const NODE_VERSION' "$FILE" | grep -oE '"[0-9]+\.[0-9]+\.[0-9]+"' | tr -d '"')
+
+ # Determine if this is a patch release or new stable release
+ patch=$(echo "$NODE_VERSION" | awk -F'[.-]' '{print $3}')
+ if [ "$patch" -gt 0 ]; then
+ IS_PATCH_RELEASE="true"
+ printf "📋 Patch release detected (patch=$patch) - bumping spec_version patch part\n"
+ else
+ IS_PATCH_RELEASE="false"
+ printf "📋 New stable release detected - bumping spec_version minor part\n"
+ fi
+
+ runtimes_list=$(get_filtered_runtimes_list)
+
+ for f in ${runtimes_list[@]}; do
+ new_version=$(bump_spec_version "$f" "$IS_PATCH_RELEASE")
+ printf " 🔄 $f → spec_version: $new_version\n"
+ done
+
+ commit_with_message "Bump spec_version for $([ \"$IS_PATCH_RELEASE\" = \"true\" ] && echo \"patch\" || echo \"stable\") release"
+
+ - name: Move prdocs to release folder
+ shell: bash
+ env:
+ VERSION: ${{ inputs.version }}
+ run: |
+ . ./.github/scripts/release/release_lib.sh
+
+ echo "Version: $VERSION"
+
+ reorder_prdocs "$VERSION"
+
+ - name: Replace path dependencies
+ run: |
+ echo "Running replace-all-path-deps.sh..."
+ bash scripts/release/replace-all-path-deps.sh
+
+ # Show git diff to see what changed
+ git diff --stat
+
+ - name: Remove versions where path deps are present
+ run: |
+ echo "Running delete-versions-if-path-is-present.sh..."
+ bash scripts/release/delete-versions-if-path-is-present.sh
+
+ # Show git diff to see what changed
+ git diff --stat
+
+ - name: Remove version from umbrella/Cargo.toml
+ run: |
+ echo "Running delete-version-from-umbrella.sh..."
+ bash scripts/release/delete-version-from-umbrella.sh
+
+ # Show git diff to see what changed
+ git diff --stat
+
+ - name: Install newer Zepter
+ run: |
+ cargo install zepter@1.82.1 --locked -q && zepter --version
+
+ - name: Run Zepter - check issues
+ run: |
+ echo "Running zepter run check to identify issues..."
+ zepter run check || echo "Zepter found issues that need to be fixed"
+
+ - name: Run Zepter - fix issues
+ run: |
+ echo "Running zepter to fix issues..."
+ zepter || echo "Zepter fix completed"
+ # Show git diff to see what changed
+ git diff --stat
+
+ - name: Run Zepter - verify fixes
+ run: |
+ echo "Running zepter run check again to verify fixes..."
+ zepter run check || echo "There are still issues to fix manually"
+
+ - name: Run taplo - check formatting
+ run: |
+ echo "Running taplo format check..."
+ taplo format --check --config .config/taplo.toml || echo "Taplo found formatting issues"
+
+ - name: Run taplo - format
+ run: |
+ echo "Running taplo format..."
+ taplo format --config .config/taplo.toml
+ # Show git diff to see what changed
+ git diff --stat
+
+ - name: Run taplo - verify formatting
+ run: |
+ echo "Running taplo format check again..."
+ taplo format --check --config .config/taplo.toml || echo "There are still formatting issues"
+
+ - name: Install Python dependencies
+ run: |
+ echo "Installing Python dependencies..."
+ pip3 install toml "cargo-workspace>=1.2.6"
+
+ - name: Run workspace check
+ run: |
+ echo "Running workspace check..."
+ python3 .github/scripts/check-workspace.py . --exclude \
+ "substrate/frame/contracts/fixtures/build" \
+ "substrate/frame/contracts/fixtures/contracts/common"
+
+ - name: Deny git dependencies
+ run: |
+ echo "Checking for git dependencies..."
+ python3 .github/scripts/deny-git-deps.py .
+
+ - name: Check git status before commit
+ run: |
+ echo "=== Git status ==="
+ git status
+ echo ""
+ echo "=== Git status --porcelain ==="
+ git status --porcelain
+ echo ""
+ echo "=== Changed files count ==="
+ git status --porcelain | wc -l
+
+ - name: Commit and push changes
+ shell: bash
+ run: |
+ . ./.github/scripts/release/release_lib.sh
+
+ # Check if there are changes to commit
+ if [[ -n $(git status --porcelain) ]]; then
+ commit_with_message "chore: post crates release actions - version bumps, path deps, zepter, taplo"
+ echo "Changes committed successfully"
+ # Push changes to the branch
+ echo "Pushing changes to branch..."
+ git push
+ echo "Changes pushed successfully"
+ else
+ echo "No changes to commit"
+ fi
+
+ - name: Generate token for paritytech/polkadot-sdk
+ id: generate_write_token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ vars.POLKADOT_SDK_RELEASE_RW_APP_ID }}
+ private-key: ${{ secrets.POLKADOT_SDK_RELEASE_RW_APP_KEY }}
+ owner: paritytech
+ repositories: polkadot-sdk
+
+ - name: Create Pull Request to base release branch
+ env:
+ GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
+ BRANCH_NAME: ${{ github.ref_name }}
+ FULL_RELEASE: ${{ inputs.version }}
+ GH_REPOSITORY: ${{ github.repository }}
+ GH_REPOSITORY_OWNER: ${{ github.repository_owner }}
+ shell: bash
+ run: |
+ echo "Current branch: $BRANCH_NAME"
+ echo "Version: $FULL_RELEASE"
+
+ # Extract base release branch name by removing the last segment after dash
+ if [[ "$FULL_RELEASE" =~ ^(.+)-[^-]+$ ]]; then
+ BASE_RELEASE="${BASH_REMATCH[1]}"
+ else
+ BASE_RELEASE="$FULL_RELEASE"
+ fi
+
+ TARGET_REPO="paritytech/polkadot-sdk"
+
+ # Determine if running from a fork or the main repo
+ if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then
+ # Same-repo PR: head is just the branch name
+ PR_HEAD="$BRANCH_NAME"
+ EXTRA_FLAGS=""
+ else
+ # Cross-fork PR: head needs the fork owner prefix
+ FORK_OWNER="$GH_REPOSITORY_OWNER"
+ PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}"
+ EXTRA_FLAGS="--no-maintainer-edit"
+ fi
+
+ # Check if PR already exists
+ EXISTING_PR=$(gh pr list --repo "$TARGET_REPO" --head "$PR_HEAD" --base "$BASE_RELEASE" --json number --jq '.[0].number')
+
+ if [ -n "$EXISTING_PR" ]; then
+ echo "✅ PR #$EXISTING_PR already exists for this branch"
+ echo "PR URL: $(gh pr view $EXISTING_PR --repo "$TARGET_REPO" --json url --jq '.url')"
+ else
+ echo "Creating PR from $PR_HEAD to $BASE_RELEASE in $TARGET_REPO..."
+ gh pr create \
+ --repo "$TARGET_REPO" \
+ --title "[${BASE_RELEASE}] Post crates release activities for $FULL_RELEASE" \
+ --body "Automated PR containing post-crates-release activities:
+ - NODE_VERSION bumps (if selected)
+ - Path dependencies replacement
+ - Zepter fixes
+ - Taplo formatting
+ - PRDocs reorganization (if prdocs exist)" \
+ --base "$BASE_RELEASE" \
+ --head "$PR_HEAD" \
+ $EXTRA_FLAGS
+ echo "PR created successfully"
+ fi
+
+ - name: Add comment about spec_version
+ env:
+ GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
+ BRANCH_NAME: ${{ github.ref_name }}
+ GH_REPOSITORY: ${{ github.repository }}
+ GH_REPOSITORY_OWNER: ${{ github.repository_owner }}
+ shell: bash
+ run: |
+ TARGET_REPO="paritytech/polkadot-sdk"
+
+ # Match the head format used when creating the PR
+ if [ "$GH_REPOSITORY" = "$TARGET_REPO" ]; then
+ PR_HEAD="$BRANCH_NAME"
+ else
+ FORK_OWNER="$GH_REPOSITORY_OWNER"
+ PR_HEAD="${FORK_OWNER}:${BRANCH_NAME}"
+ fi
+
+ # Find the PR number for this branch in the upstream repo
+ PR_NUMBER=$(gh pr list --repo "$TARGET_REPO" --head "$PR_HEAD" --json number --jq '.[0].number')
+
+ if [ -n "$PR_NUMBER" ]; then
+ echo "Adding comment to PR #$PR_NUMBER..."
+ gh pr comment "$PR_NUMBER" --repo "$TARGET_REPO" --body "⚠️ **Reminder:** If spec_version was not bumped automatically as part of this flow. Please ensure it is updated manually if required."
+ else
+ echo "⚠️ WARNING: Could not find PR for branch $PR_HEAD"
+ fi
diff --git a/.github/workflows/release-80_publish-crates.yml b/.github/workflows/release-80_publish-crates.yml
new file mode 100644
index 0000000000000..b72493eb92567
--- /dev/null
+++ b/.github/workflows/release-80_publish-crates.yml
@@ -0,0 +1,274 @@
+name: Release - Publish Crates
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_name:
+ description: 'Release name (e.g., stable2509-3). Base branch is derived by removing the last -N suffix.'
+ required: true
+ type: string
+ registry:
+ description: 'Registry to publish crates to'
+ required: true
+ type: choice
+ options:
+ - staging.crates.io
+ - crates.io
+ default: staging.crates.io
+ is_patch:
+ description: 'Is this a patch release? (Set to false for new stable releases)'
+ required: true
+ type: boolean
+ default: true
+ dry_run:
+ description: 'Dry run - do not actually publish crates'
+ required: true
+ type: boolean
+ default: true
+
+permissions:
+ contents: write
+
+jobs:
+ check-synchronization:
+ uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main
+ secrets:
+ fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }}
+
+ set-image:
+ needs: [ check-synchronization ]
+ if: needs.check-synchronization.outputs.checks_passed == 'true'
+ runs-on: ubuntu-latest
+ outputs:
+ IMAGE: ${{ steps.set_image.outputs.IMAGE }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - id: set_image
+ run: cat .github/env >> $GITHUB_OUTPUT
+
+ publish-crates:
+ needs: set-image
+ runs-on: ubuntu-latest
+ environment: release
+ env:
+ PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
+ PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+ container:
+ image: ${{ needs.set-image.outputs.IMAGE }}
+
+ steps:
+ - name: Install pgpkms
+ run: |
+ # Install pgpkms that is used to sign commits
+ pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151
+
+ - name: Derive stable branch from release name
+ id: derive_branch
+ shell: bash
+ env:
+ RELEASE_NAME: ${{ inputs.release_name }}
+ run: |
+ echo "Release name: $RELEASE_NAME"
+
+ # Extract stable branch by removing the last -N suffix
+ # e.g., stable2509-3 -> stable2509
+ if [[ "$RELEASE_NAME" =~ ^(.+)-[0-9]+$ ]]; then
+ STABLE_BRANCH="${BASH_REMATCH[1]}"
+ else
+ # If no suffix, use the release name as-is (first release)
+ STABLE_BRANCH="$RELEASE_NAME"
+ fi
+
+ echo "Stable branch: $STABLE_BRANCH"
+ echo "STABLE_BRANCH=$STABLE_BRANCH" >> $GITHUB_OUTPUT
+
+ echo "CRATES_RELEASE_BRANCH=post-crates-release-$RELEASE_NAME" >> $GITHUB_OUTPUT
+
+ - name: Checkout stable branch
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ ref: ${{ steps.derive_branch.outputs.STABLE_BRANCH }}
+ fetch-depth: 0
+
+ - name: Import GPG keys
+ shell: bash
+ run: |
+ . ./.github/scripts/common/lib.sh
+ import_gpg_keys
+
+ - name: Configure git
+ shell: bash
+ run: |
+ git config --global --add safe.directory "${GITHUB_WORKSPACE}"
+ git config --global commit.gpgsign true
+ PGPKMS_PATH=$(which pgpkms-git)
+ echo "Using pgpkms-git at: $PGPKMS_PATH"
+ git config --global gpg.program "$PGPKMS_PATH"
+ git config --global user.name "ParityReleases"
+ git config --global user.email "release-team@parity.io"
+ git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
+
+ - name: Create or switch to release branch
+ shell: bash
+ env:
+ CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }}
+ run: |
+
+ if git rev-parse --verify -q "$CRATES_RELEASE_BRANCH" &>/dev/null; then
+ echo "Branch $CRATES_RELEASE_BRANCH already exists, switching to it"
+ git checkout "$CRATES_RELEASE_BRANCH"
+ else
+ echo "Creating branch: $CRATES_RELEASE_BRANCH"
+ git checkout -b "$CRATES_RELEASE_BRANCH"
+ fi
+ echo "On branch $CRATES_RELEASE_BRANCH"
+
+ - name: Install Rust 1.93
+ shell: bash
+ run: |
+ rustup install 1.93
+ rustup default 1.93
+ echo "Rust version:"
+ rustc --version
+ cargo --version
+
+ - name: Rust Cache
+ uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ with:
+ cache-on-failure: true
+
+ - name: Install parity-publish
+ run: |
+ apt-get update && apt-get install -y --no-install-recommends libcurl4-openssl-dev pkg-config
+ cargo install parity-publish@0.10.10 --locked -q
+
+ - name: Run parity-publish plan
+ run: |
+ echo "Running parity-publish plan..."
+ parity-publish plan --prdoc prdoc
+
+ - name: Save Plan.toml diff
+ if: inputs.is_patch
+ env:
+ RELEASE_NAME: ${{ inputs.release_name }}
+ run: |
+ mkdir -p release-artifacts
+
+ echo "Saving Plan.toml diff..."
+ git diff Plan.toml > "release-artifacts/changed_crates_${RELEASE_NAME}.txt"
+
+ echo "Plan.toml changes:"
+ cat "release-artifacts/changed_crates_${RELEASE_NAME}.txt"
+
+ - name: Parse crate names for release notes
+ if: inputs.is_patch
+ shell: bash
+ env:
+ RELEASE_NAME: ${{ inputs.release_name }}
+ run: |
+
+ echo "Parsing crate names..."
+ python3 scripts/release/parse-crates-names.py \
+ "release-artifacts/changed_crates_${RELEASE_NAME}.txt" \
+ scripts/release/templates/crates_list.md.tera
+
+ echo "Crates list:"
+ cat scripts/release/templates/crates_list.md.tera
+
+ - name: Commit Plan.toml and crates list
+ shell: bash
+ env:
+ IS_PATCH: ${{ inputs.is_patch }}
+ RELEASE_NAME: ${{ inputs.release_name }}
+ run: |
+ . ./.github/scripts/release/release_lib.sh
+
+ git add Plan.toml
+ if [ "$IS_PATCH" = true ]; then
+ git add scripts/release/templates/crates_list.md.tera
+ fi
+
+ if [[ -n $(git status --porcelain) ]]; then
+ commit_with_message "chore: update Plan.toml and crates list for $RELEASE_NAME"
+ echo "Committed Plan.toml and crates list"
+ else
+ echo "No changes to commit"
+ fi
+
+ - name: Run parity-publish apply
+ run: |
+ echo "Running parity-publish apply..."
+ parity-publish apply
+
+ - name: Update Cargo.lock
+ run: |
+ echo "Updating Cargo.lock..."
+ cargo update --workspace --offline || cargo update --workspace
+ echo "Cargo.lock updated"
+
+ - name: Commit version bumps
+ shell: bash
+ env:
+ RELEASE_NAME: ${{ inputs.release_name }}
+ run: |
+ . ./.github/scripts/release/release_lib.sh
+
+ git add -A
+
+ if [[ -n $(git status --porcelain) ]]; then
+ commit_with_message "chore: apply version bumps for $RELEASE_NAME"
+ echo "Committed version bumps"
+ else
+ echo "No changes to commit"
+ fi
+
+ - name: Push release branch
+ env:
+ CRATES_RELEASE_BRANCH: ${{ steps.derive_branch.outputs.CRATES_RELEASE_BRANCH }}
+ run: |
+ echo "Pushing branch $CRATES_RELEASE_BRANCH..."
+ git push origin "$CRATES_RELEASE_BRANCH"
+ echo "Successfully pushed $CRATES_RELEASE_BRANCH"
+
+ - name: Configure cargo registry
+ shell: bash
+ env:
+ REGISTRY: ${{ inputs.registry }}
+ run: |
+ echo "Configuring cargo for $REGISTRY..."
+ mkdir -p ~/.cargo
+
+ if [ "$REGISTRY" = "staging.crates.io" ]; then
+ cat >> ~/.cargo/config.toml << 'EOF'
+ [registries.crates-io]
+ index = "sparse+https://index.staging.crates.io/"
+ EOF
+ else
+ echo "Using default crates.io registry"
+ fi
+
+ echo "Cargo config:"
+ cat ~/.cargo/config.toml || echo "(using defaults)"
+
+ - name: Publish crates
+ shell: bash
+ env:
+ PARITY_PUBLISH_CRATESIO_TOKEN: ${{ inputs.registry == 'staging.crates.io' && secrets.STAGING_CRATES_IO_API_TOKEN || secrets.CRATES_IO_API_TOKEN }}
+ DRY_RUN: ${{ inputs.dry_run }}
+ REGISTRY: ${{ inputs.registry }}
+ run: |
+
+ if [ "$DRY_RUN" = true ]; then
+ echo "DRY RUN - Not actually publishing crates"
+ echo "Target registry: $REGISTRY"
+ parity-publish apply -p -d
+ else
+ echo "Publishing crates to $REGISTRY..."
+ parity-publish apply -p
+ echo "Crates published successfully to $REGISTRY!"
+ fi
diff --git a/.github/workflows/release-99_notif-published.yml b/.github/workflows/release-99_notif-published.yml
index b5b2ed38e845e..c006ec265ed00 100644
--- a/.github/workflows/release-99_notif-published.yml
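Review bot: The `check-synchronization` job calls `paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main` and hands it `secrets.UPSTREAM_CONTENT_SYNC_APP_KEY`, while every other action in this file is pinned to a commit SHA. A branch ref is mutable, so whatever lands on `main` of that repository runs with the secret and gates the publish job without any change in this repository. Pin it like the other actions, e.g. `uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@<full-commit-sha> # <tag>`; the new release-reusable-publish-packages.yml carries the same `@main` reference. Separately, the AWS and PGP KMS secrets sit in the job-level `env` of `publish-crates`, so the `cargo install`, cache and `pip install` steps see them too; moving them to the `env` of the steps that sign commits would narrow that.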
+++ b/.github/workflows/release-99_notif-published.yml @@ -6,6 +6,49 @@ on: - prereleased jobs: +<<<<<<< HEAD +======= + check_if_release_is_latest: + runs-on: ubuntu-latest + outputs: + is_latest: ${{ steps.check_is_latest.outputs.is_latest }} + steps: + - name: Fetch latest release tag name + id: fetch_latest_release_tag + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPOSITORY: ${{ github.repository }} + run: | + TAG_NAME=$(curl -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer ${GITHUB_TOKEN}" \ + -sL "https://api.github.com/repos/${GH_REPOSITORY}/releases/latest" \ + | jq -r '.tag_name') + + echo "Latest release tag: $TAG_NAME" + echo "latest_tag_name=$TAG_NAME" >> $GITHUB_OUTPUT + - name: Fetch current release tag name + id: fetch_curent_release_tag + env: + CURRENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} + run: | + echo "Current release tag: $CURRENT_RELEASE_TAG_NAME" + echo "current_tag_name=$CURRENT_RELEASE_TAG_NAME" >> $GITHUB_OUTPUT + + - name: Check if release is latest + id: check_is_latest + env: + LATEST_TAG: ${{ steps.fetch_latest_release_tag.outputs.latest_tag_name }} + CURRENT_TAG: ${{ steps.fetch_curent_release_tag.outputs.current_tag_name }} + run: | + if [[ "$LATEST_TAG" == "$CURRENT_TAG" ]]; then + echo "Release is latest" + echo "is_latest=true" >> $GITHUB_OUTPUT + else + echo "Release is not latest" + echo "is_latest=false" >> $GITHUB_OUTPUT + fi + +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) ping_matrix: runs-on: ubuntu-latest environment: release diff --git a/.github/workflows/release-build-binary.yml b/.github/workflows/release-build-binary.yml index a5adab421a8a4..364263d9f181d 100644 --- a/.github/workflows/release-build-binary.yml +++ b/.github/workflows/release-build-binary.yml 
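Review bot: The added lines under `jobs:` include the literal conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> cf88f8c3 (...)`, so the workflow file is no longer valid YAML and GitHub will most likely refuse to load it. The HEAD side of the conflict is empty here, so resolving means keeping the `check_if_release_is_latest` job and deleting the three marker lines; it is worth confirming that a job on this branch actually reads its `is_latest` output, which the hunk does not show. The same unresolved markers are present in the release-build-binary.yml and release-reusable-rc-build.yml hunks of this commit and need the same treatment before merge.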
@@ -44,8 +44,10 @@ jobs: - name: Set runner id: set_runner shell: bash + env: + INPUT_BINARY: ${{ inputs.binary }} run: | - if [[ "${{ inputs.binary }}" == "polkadot-parachain" ]]; then + if [[ "$INPUT_BINARY" == "polkadot-parachain" ]]; then echo "RUNNER=parity-large" >> $GITHUB_OUTPUT else echo "RUNNER=ubuntu-latest" >> $GITHUB_OUTPUT @@ -61,16 +63,30 @@ jobs: uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Build binary + env: + INPUT_BINARY: ${{ inputs.binary }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_PROFILE: ${{ inputs.profile }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - PROFILE=${{ inputs.profile }} - if [ "${{ inputs.binary }}" = "polkadot" ]; then + PROFILE="$INPUT_PROFILE" + if [ "$INPUT_BINARY" = "polkadot" ]; then for binary in polkadot polkadot-prepare-worker polkadot-execute-worker; do +<<<<<<< HEAD echo "Building $binary..." ./.github/scripts/release/build-linux-release.sh $binary ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} done else ./.github/scripts/release/build-linux-release.sh ${{ inputs.binary }} ${{ inputs.package }} "${PROFILE}" ${{ inputs.features }} +======= + echo "Building $binary with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$INPUT_FEATURES" + done + else + echo "Building $INPUT_BINARY with profile $PROFILE and features $INPUT_FEATURES" + ./.github/scripts/release/build-linux-release.sh "$INPUT_BINARY" "$INPUT_PACKAGE" "$INPUT_FEATURES" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) fi - name: Upload ${{ inputs.binary }} artifacts diff --git a/.github/workflows/release-reusable-publish-packages.yml b/.github/workflows/release-reusable-publish-packages.yml new file mode 100644 index 0000000000000..3d8bd8292618c --- /dev/null 
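Review bot: In the `Build binary` conflict the two sides call `build-linux-release.sh` with different argument lists: the HEAD side passes four (`$binary`, package, `"${PROFILE}"`, features) and the incoming side passes three, dropping the profile even though `PROFILE="$INPUT_PROFILE"` is still assigned and echoed. Which one is right depends on the script's positional parameters on this branch, which the hunk does not show; if it still expects the profile third, the incoming call would feed the features string in as the profile. If the four-argument form is the one this branch needs, keep the env indirection and write `./.github/scripts/release/build-linux-release.sh "$binary" "$INPUT_PACKAGE" "$PROFILE" "$INPUT_FEATURES"` (likewise with `"$INPUT_BINARY"` in the else branch) rather than taking the HEAD lines, which put `${{ inputs.package }}` and `${{ inputs.features }}` back into the shell text.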
+++ b/.github/workflows/release-reusable-publish-packages.yml 
@@ -0,0 +1,203 @@
+name: Reusable - Publish Package
+
+on:
+ workflow_call:
+ inputs:
+ tag:
+ description: Current final release tag (e.g., polkadot-stableYYMM)
+ required: true
+ type: string
+ distribution:
+ description: Distribution where to publish package (e.g., release, staging)
+ required: true
+ type: string
+ package_type:
+ description: Type of package to publish (deb or rpm)
+ required: true
+ type: string
+ aws_repo_base_path:
+ description: Base S3 path for package repositories
+ type: string
+ cloudfront_distribution_id:
+ description: CloudFront Distribution ID for cache invalidation
+ required: true
+ type: string
+
+jobs:
+ check-synchronization:
+ uses: paritytech-release/sync-workflows/.github/workflows/check-synchronization.yml@main
+ secrets:
+ fork_writer_app_key: ${{ secrets.UPSTREAM_CONTENT_SYNC_APP_KEY }}
+
+ validate-inputs:
+ needs: [check-synchronization]
+ if: needs.check-synchronization.outputs.checks_passed == 'true'
+ runs-on: ubuntu-latest
+ outputs:
+ release_tag: ${{ steps.validate_inputs.outputs.release_tag }}
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Validate package type
+ if: ${{ inputs.package_type != 'deb' && inputs.package_type != 'rpm' }}
+ run: |
+ echo "Error: package_type must be either 'deb' or 'rpm'"
+ exit 1
+
+ - name: Validate inputs
+ id: validate_inputs
+ env:
+ INPUT_TAG: ${{ inputs.tag }}
+ run: |
+ # Source common library for helper functions
+ . ./.github/scripts/common/lib.sh
+ RELEASE_TAG=$(validate_stable_tag "$INPUT_TAG")
+ echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
+
+ fetch-artifacts-from-s3:
+ runs-on: ubuntu-latest
+ needs: [validate-inputs]
+ environment: release
+ env:
+ REPO: ${{ github.repository }}
+ VERSION: ${{ needs.validate-inputs.outputs.release_tag }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+ AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+ outputs:
+ NODE_VERSION: ${{ steps.fetch_artifacts_from_s3.outputs.NODE_VERSION }}
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Fetch rc artifacts or release artifacts from s3 based on version
+ id: fetch_artifacts_from_s3
+ env:
+ PACKAGE_TYPE: ${{ inputs.package_type }}
+ run: |
+ . ./.github/scripts/common/lib.sh
+ NODE_VERSION="$(get_polkadot_node_version_from_code)"
+ echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT
+
+ # Fetch specific package type artifact (deb or rpm)
+ if [[ "$PACKAGE_TYPE" == "deb" ]]; then
+ fetch_debian_package_from_s3 polkadot
+ elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then
+ fetch_rpm_package_from_s3 polkadot
+ fi
+
+ - name: Upload artifacts for later jobs
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+ with:
+ name: release-artifacts-${{ inputs.package_type }}
+ path: release-artifacts/polkadot/*.${{ inputs.package_type }}
+
+ publish-package:
+ runs-on: ubuntu-latest
+ needs: [fetch-artifacts-from-s3]
+ environment: release
+ env:
+ AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+ AWS_REPO_PATH: "${{ inputs.aws_repo_base_path }}/${{ inputs.package_type }}"
+ LOCAL_REPO_PATH: ${{ github.workspace }}/${{ inputs.package_type }}
+ NODE_VERSION: ${{ needs.fetch-artifacts-from-s3.outputs.NODE_VERSION }}
+ steps:
+ - name: Install dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y python3-pip reprepro rpm createrepo-c
+
+ python3 -m pip install --user awscli "pgpkms @ git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151"
+
+ # Ensure ~/.local/bin is in PATH right now and for later steps
+ export PATH=$HOME/.local/bin:$PATH
+ echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+ # Export to GITHUB_ENV (this time they won’t be empty)
+ echo "PGPKMS_REPREPRO_PATH=$(which pgpkms-reprepro)" >> $GITHUB_ENV
+ echo "PGPKMS_RPMSIGN_PATH=$(which pgpkms-rpmsign)" >> $GITHUB_ENV
+
+ - name: Checkout sources
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Download artifacts from previous job
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+ with:
+ name: release-artifacts-${{ inputs.package_type }}
+ path: release-artifacts
+
+ - name: Setup local deb repo config
+ if: ${{ inputs.package_type == 'deb' }}
+ run: |
+ sed -i "s|^SignWith:.*|SignWith: ! ${PGPKMS_REPREPRO_PATH}|" ${{ github.workspace }}/.github/scripts/release/distributions
+ mkdir -p "$LOCAL_REPO_PATH/conf"
+ cp ${{ github.workspace }}/.github/scripts/release/distributions "$LOCAL_REPO_PATH/conf/distributions"
+
+ - name: Sync local repo
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+ PACKAGE_TYPE: ${{ inputs.package_type }}
+ run: |
+ # --- Sync Local Repo from S3 ---
+ mkdir -p "$LOCAL_REPO_PATH"
+ if [[ "$PACKAGE_TYPE" == "deb" ]]; then
+ aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db" || true
+ aws s3 sync "$AWS_REPO_PATH/pool" "$LOCAL_REPO_PATH/pool" || true
+ aws s3 sync "$AWS_REPO_PATH/dists" "$LOCAL_REPO_PATH/dists" || true
+ elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then
+ aws s3 sync "$AWS_REPO_PATH" "$LOCAL_REPO_PATH" || true
+ fi
+
+ - name: Add packages to local repo, sign, and update metadata
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
+ PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+ PACKAGE_TYPE: ${{ inputs.package_type }}
+ DISTRIBUTION: ${{ inputs.distribution }}
+ run: |
+ . ./.github/scripts/common/lib.sh
+ import_gpg_keys
+
+ # --- Add Package to Repo and Sign ---
+ if [[ "$PACKAGE_TYPE" == "deb" ]]; then
+ debname=$(find release-artifacts/ -name 'polkadot_*.deb' | head -n 1)
+ reprepro -b "$LOCAL_REPO_PATH" includedeb "$DISTRIBUTION" "$debname"
+
+ elif [[ "$PACKAGE_TYPE" == "rpm" ]]; then
+ rpmname=$(find release-artifacts/ -name 'polkadot-*.rpm' | head -n 1)
+
+ echo "Signing package with pgpkms (via AWS KMS)..."
+ chmod +x .github/scripts/release/pgpkms-gpg-wrapper.sh
+ cp .github/scripts/release/rpmmacros $HOME/.rpmmacros
+
+ echo "Dumping rpm gpg-related macros..."
+ rpm --showrc | grep gpg || true
+ echo "Contents of .rpmmacros:"
+ cat $HOME/.rpmmacros
+ rpm --addsign "$rpmname"
+
+ echo "Copying signed package to local repo..."
+ cp "$rpmname" "$LOCAL_REPO_PATH/"
+
+ echo "Updating repository metadata..."
+ createrepo_c --update "$LOCAL_REPO_PATH"
+ fi
+
+ - name: Upload updated repo to S3
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+ DISTRIBUTION: ${{ inputs.distribution }}
+ CLOUDFRONT_DISTRIBUTION_ID: ${{ inputs.cloudfront_distribution_id }}
+ PACKAGE_TYPE: ${{ inputs.package_type }}
+ run: |
+ if [[ "$DISTRIBUTION" == "release" ]]; then
+ aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH" --acl public-read
+ else
+ aws s3 sync "$LOCAL_REPO_PATH" "$AWS_REPO_PATH"
+ fi
+ aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/${PACKAGE_TYPE}/*"
diff --git a/.github/workflows/release-reusable-rc-build.yml b/.github/workflows/release-reusable-rc-build.yml
index e7c0ed48e4706..32575b0c3da4a 100644
--- a/.github/workflows/release-reusable-rc-build.yml
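Review bot: In the `Sync local repo` step every `aws s3 sync` from the bucket ends in `|| true`, so a failed download (expired credentials, throttling, a wrong `aws_repo_base_path`) is indistinguishable from an empty repository. The following steps would then run `reprepro includedeb` or `createrepo_c --update` against a partial local copy, and `Upload updated repo to S3` would push the regenerated metadata over the published one, which could drop existing packages from the index. Let the sync fail the job, e.g. `aws s3 sync "$AWS_REPO_PATH/db" "$LOCAL_REPO_PATH/db"` without the `|| true`, and handle a first-time empty repository explicitly if that case is needed. The signing step also reads `secrets.AWS_ACCESS_KEY_ID`/`secrets.AWS_SECRET_ACCESS_KEY` while the other steps use the `AWS_RELEASE_*` pair; a short comment stating which identity is meant for KMS signing would help.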
+++ b/.github/workflows/release-reusable-rc-build.yml @@ -104,9 +104,13 @@ jobs: import_gpg_keys - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} run: | git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error - ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }} ${{ inputs.features }} + ./.github/scripts/release/build-linux-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 @@ -115,25 +119,31 @@ jobs: - name: Sign artifacts working-directory: /artifacts/${{ matrix.binaries }} + env: + BINARY_NAME: ${{ matrix.binaries }} run: | - python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" - name: Check sha256 ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - echo "Checking binary ${{ matrix.binaries }}" - check_sha256 ${{ matrix.binaries }} + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" - name: Check GPG ${{ matrix.binaries }} working-directory: /artifacts/${{ matrix.binaries }} shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh - check_gpg ${{ matrix.binaries }} + check_gpg "$BINARY_NAME" - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 
@@ -242,14 +252,26 @@ jobs: echo "Checking binary ${{ matrix.binaries }}" check_sha256 ${{ matrix.binaries }} +<<<<<<< HEAD - name: Check GPG ${{ matrix.binaries }} working-directory: ${{ env.ARTIFACTS_PATH }} shell: bash run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh +======= + - name: Build binary + env: + BINARY_NAME: ${{ matrix.binaries }} + INPUT_PACKAGE: ${{ inputs.package }} + INPUT_FEATURES: ${{ inputs.features }} + run: | + git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error + ./.github/scripts/release/build-macos-release.sh "$BINARY_NAME" "$INPUT_PACKAGE" "$INPUT_FEATURES" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) check_gpg ${{ matrix.binaries }} +<<<<<<< HEAD - name: Upload ${{ matrix.binaries }} artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: 
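Review bot: The conflict in this hunk cuts through step boundaries, so neither side can be taken as-is: the context line `check_gpg ${{ matrix.binaries }}` sits after the `>>>>>>>` marker and would end up as the last command of the incoming macOS `Build binary` step's `run:` block if only the markers were removed. The surrounding context also still has `check_sha256 ${{ matrix.binaries }}` with direct expression interpolation, which the incoming side replaces with `"$BINARY_NAME"` in the next hunk. Resolve this hunk and the following one together so each step keeps a single `run:` body and the `env:`-based form is used throughout. The job these steps belong to starts outside the hunk.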
@@ -257,6 +279,43 @@ jobs: path: ${{ env.ARTIFACTS_PATH }} build-polkadot-deb-package: +======= + - name: Sign artifacts + working-directory: ${{ env.ARTIFACTS_PATH }} + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + python3 -m pgpkms sign --input "$BINARY_NAME" -o "${BINARY_NAME}.asc" + + - name: Check sha256 ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + echo "Checking binary $BINARY_NAME" + check_sha256 "$BINARY_NAME" + + - name: Check GPG ${{ matrix.binaries }} + working-directory: ${{ env.ARTIFACTS_PATH }} + shell: bash + env: + BINARY_NAME: ${{ matrix.binaries }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + + check_gpg "$BINARY_NAME" + + - name: Upload ${{ matrix.binaries }} artifacts + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: ${{ matrix.binaries }}_${{ inputs.target }} + path: ${{ env.ARTIFACTS_PATH }} + + build-polkadot-deb-and-rpm-package: +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) if: ${{ inputs.package == 'polkadot' && inputs.target == 'x86_64-unknown-linux-gnu' }} needs: [build-rc] runs-on: ubuntu-latest 
@@ -291,11 +350,25 @@ jobs: - name: Build polkadot deb package shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} + run: | + . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh + VERSION=$(get_polkadot_node_version_from_code) + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh "$INPUT_PACKAGE" "${VERSION}" + +<<<<<<< HEAD +======= + - name: Build polkadot rpm package + shell: bash + env: + INPUT_PACKAGE: ${{ inputs.package }} run: | . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh VERSION=$(get_polkadot_node_version_from_code) - . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION} + . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-rpm.sh "$INPUT_PACKAGE" "${VERSION}" +>>>>>>> cf88f8c3 ([Release|CI/CD] Replace direct use of inputs with ENVs (#11116)) - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 with: diff --git a/.github/workflows/release-reusable-s3-upload.yml b/.github/workflows/release-reusable-s3-upload.yml index b4c7b5d77bb53..45ff51f59aa56 100644 --- a/.github/workflows/release-reusable-s3-upload.yml +++ b/.github/workflows/release-reusable-s3-upload.yml @@ -53,6 +53,10 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload ${{ inputs.package }} artifacts to s3 + env: + PACKAGE: ${{ inputs.package }} + RELEASE_TAG: ${{ inputs.release_tag }} + TARGET: ${{ inputs.target }} run: | . ./.github/scripts/release/release_lib.sh - upload_s3_release ${{ inputs.package }} ${{ inputs.release_tag }} ${{ inputs.target }} + upload_s3_release "$PACKAGE" "$RELEASE_TAG" "$TARGET" diff --git a/.github/workflows/release-srtool.yml b/.github/workflows/release-srtool.yml index fac6f300ae71c..d3a76bbf21d01 100644 --- a/.github/workflows/release-srtool.yml +++ b/.github/workflows/release-srtool.yml 
@@ -48,7 +48,7 @@ jobs: run: | . ./.github/scripts/common/lib.sh - echo "Github workspace: ${{ github.workspace }}" + echo "Github workspace: ${GITHUB_WORKSPACE}" echo "Current folder: $(pwd)"; ls -al ls -al @@ -80,11 +80,16 @@ jobs: profile: ${{ inputs.profile }} - name: Summary + env: + SRTOOL_JSON: ${{ steps.srtool_build.outputs.json }} + CHAIN: ${{ matrix.chain }} + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} run: | - echo '${{ steps.srtool_build.outputs.json }}' | jq > ${{ matrix.chain }}-srtool-digest.json - cat ${{ matrix.chain }}-srtool-digest.json - echo "Compact Runtime: ${{ steps.srtool_build.outputs.wasm }}" - echo "Compressed Runtime: ${{ steps.srtool_build.outputs.wasm_compressed }}" + echo "$SRTOOL_JSON" | jq > "${CHAIN}-srtool-digest.json" + cat "${CHAIN}-srtool-digest.json" + echo "Compact Runtime: $WASM_PATH" + echo "Compressed Runtime: $WASM_COMPRESSED_PATH" - name: Generate artifact attestation uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0 
@@ -100,25 +105,35 @@ jobs: - name: Show Runtime information shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + WASM_COMPRESSED_PATH: ${{ steps.srtool_build.outputs.wasm_compressed }} + CHAIN: ${{ matrix.chain }} run: | - subwasm info ${{ steps.srtool_build.outputs.wasm }} - subwasm info ${{ steps.srtool_build.outputs.wasm_compressed }} - subwasm --json info ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-info.json - subwasm --json info ${{ steps.srtool_build.outputs.wasm_compressed }} > ${{ matrix.chain }}-compressed-info.json + subwasm info "$WASM_PATH" + subwasm info "$WASM_COMPRESSED_PATH" + subwasm --json info "$WASM_PATH" > "${CHAIN}-info.json" + subwasm --json info "$WASM_COMPRESSED_PATH" > "${CHAIN}-compressed-info.json" - name: Extract the metadata shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} run: | - subwasm meta ${{ steps.srtool_build.outputs.wasm }} - subwasm --json meta ${{ steps.srtool_build.outputs.wasm }} > ${{ matrix.chain }}-metadata.json + subwasm meta "$WASM_PATH" + subwasm --json meta "$WASM_PATH" > "${CHAIN}-metadata.json" - name: Check the metadata diff shell: bash + env: + WASM_PATH: ${{ steps.srtool_build.outputs.wasm }} + CHAIN: ${{ matrix.chain }} # the following subwasm call will error for chains that are not known and/or live, that includes shell for instance run: | - subwasm diff ${{ steps.srtool_build.outputs.wasm }} --chain-b ${{ matrix.chain }} || \ - echo "Subwasm call failed, check the logs. This is likely because ${{ matrix.chain }} is not known by subwasm" | \ - tee ${{ matrix.chain }}-diff.txt + subwasm diff "$WASM_PATH" --chain-b "$CHAIN" || \ + echo "Subwasm call failed, check the logs. This is likely because $CHAIN is not known by subwasm" | \ + tee "${CHAIN}-diff.txt" - name: Archive Subwasm results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1