change: ETCM-8949 use permissioned candidates offchain in wizard #1408
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened, closed] | |
branches: | |
- master | |
workflow_dispatch: | |
env: | |
AWS_REGION: "eu-central-1" | |
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
permissions: | |
id-token: write | |
contents: write | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && (github.event.pull_request.merged || github.event.action != 'closed')) | |
outputs: | |
sha: ${{ steps.get_sha.outputs.sha }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Get current commit SHA | |
id: get_sha | |
run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT | |
- name: Setup Earthly | |
uses: ./.github/earthly-setup | |
with: | |
ssh_key: ${{ secrets.SUBSTRATE_REPO_SSH_KEY }} | |
config_tar: ${{ secrets.EARTHLY_TAR }} | |
- name: Acquire AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRET }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Login to container registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ secrets.ECR_REGISTRY_SECRET }} | |
- name: Build and Artifacts and Push Image | |
env: | |
EARTHLY_CI: true | |
EARTHLY_OUTPUT: true | |
EARTHLY_PUSH: true | |
run: | | |
earthly -P +ci --image=${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node | |
- name: Upload partner-chains-cli artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: partner-chains-cli-artifact | |
path: partner-chains-cli-artifact | |
- name: Upload partner-chains-node artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: partner-chains-node-artifact | |
path: partner-chains-node-artifact | |
- name: Upload chain spec artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: chain-specs | |
path: | | |
./devnet_chain_spec.json | |
./staging_preview_chain_spec.json | |
./staging_preprod_chain_spec.json | |
local-environment-tests: | |
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == false) | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Deploy and test against local environment | |
uses: ./.github/actions/tests/local-environment-tests | |
with: | |
tag: CI | |
image: ${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node:${{ needs.build.outputs.sha }} | |
sha: ${{ needs.build.outputs.sha }} | |
tests: premerge | |
env: | |
SUBSTRATE_REPO_SSH_KEY: ${{ secrets.SUBSTRATE_REPO_SSH_KEY }} | |
EARTHLY_TAR: ${{ secrets.EARTHLY_TAR }} | |
AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_ROLE_ARN_SECRET }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} | |
ECR_REGISTRY_SECRET: ${{ secrets.ECR_REGISTRY_SECRET }} | |
TEST_ENVIRONMENT: local | |
local-environment-tests-alert: | |
needs: local-environment-tests | |
if: always() && needs.local-environment-tests.result != 'skipped' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Download test report | |
uses: actions/download-artifact@v4 | |
with: | |
name: test-results | |
- name: Report to slack | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
JIRA_URL: ${{ secrets.JIRA_URL }} | |
repository: ${{ github.repository }} | |
slack_ref_name: ${{ github.ref_name }} | |
job_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
github_actor_username: ${{ github.actor }} | |
env: local-pre-merge | |
run: | | |
mv .report.json E2E-tests/.report.json | |
cd E2E-tests | |
./report_slack.sh $repository $slack_ref_name $job_url $env $github_actor_username null | |
shell: bash | |
deploy-argocd: | |
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == false) | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Deploy ArgoCD Node | |
uses: ./.github/actions/deploy/argocd/deploy-argocd | |
with: | |
sha: ${{ needs.build.outputs.sha }} | |
env: | |
ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} | |
kubeconfig_base64: ${{ secrets.kubeconfig_base64 }} | |
K8S_SERVER: ${{ secrets.K8S_SERVER }} | |
K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }} | |
argocd-tests: | |
continue-on-error: true | |
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == false) | |
needs: [build, deploy-argocd] | |
runs-on: eks | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Run Tests | |
uses: ./.github/actions/tests/argocd-tests | |
with: | |
sha: ${{ needs.build.outputs.sha }} | |
node-host: sha-${{ needs.build.outputs.sha }}-service.integration-testing.svc.cluster.local | |
node-port: 9933 | |
ssh_key_binary_host: ${{ secrets.SSH_KEY_BINARY_HOST }} | |
env: | |
AWS_ROLE_ARN_: ${{ secrets.AWS_ROLE_ARN_ }} | |
SSH_KEY_BINARY_HOST: ${{ secrets.SSH_KEY_BINARY_HOST }} | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
JIRA_URL: ${{ secrets.JIRA_URL }} | |
ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} | |
kubeconfig_base64: ${{ secrets.kubeconfig_base64 }} | |
K8S_SERVER: ${{ secrets.K8S_SERVER }} | |
K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }} | |
teardown-argocd: | |
needs: [build, argocd-tests] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Teardown ArgoCD Environment | |
uses: ./.github/actions/deploy/argocd/teardown-argocd | |
with: | |
sha: ${{ needs.build.outputs.sha }} | |
env: | |
ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} | |
kubeconfig_base64: ${{ secrets.kubeconfig_base64 }} | |
K8S_SERVER: ${{ secrets.K8S_SERVER }} | |
K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }} | |
devshell-tests: | |
needs: build | |
strategy: | |
matrix: | |
os: [nixos, macos] | |
runs-on: | |
- self-hosted | |
- ${{ matrix.os }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Acquire AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE_ARN_ }} | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Add signing key for nix | |
run: echo "${{ secrets.NIX_SIGNING_KEY }}" > "${{ runner.temp }}/nix-key" | |
- name: Run nixci to build/test all outputs | |
run: | | |
nix run github:srid/nixci -- -v build -- --fallback > /tmp/outputs | |
- name: Copy nix scopes to nix cache | |
run: | | |
nix-store --stdin -q --deriver < /tmp/outputs | nix-store --stdin -qR --include-outputs \ | |
| nix copy --stdin --to \ | |
"s3://cache.sc.iog.io?secret-key=${{ runner.temp }}/nix-key®ion=$AWS_DEFAULT_REGION" \ | |
&& rm /tmp/outputs | |
pre-merge-checks-complete: | |
if: ${{ always() && (github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged == false)) }} | |
needs: [build, local-environment-tests, devshell-tests] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check if any needed job failed | |
run: | | |
if [[ "${{ needs.build.result }}" != "success" || | |
"${{ needs.local-environment-tests.result }}" != "success" || | |
"${{ needs.devshell-tests.result }}" != "success" ]]; then | |
echo "One or more needed jobs failed." | |
exit 1 | |
else | |
echo "All needed jobs passed." | |
fi | |
upload-chain-specs: | |
if: github.event_name == 'pull_request' && github.event.pull_request.merged == true | |
needs: build | |
runs-on: eks | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Upload chain spec artifacts to Kubernetes | |
uses: ./.github/actions/deploy/upload-chain-specs | |
with: | |
sha: ${{ needs.build.outputs.sha }} | |
env: | |
kubeconfig_base64: ${{ secrets.kubeconfig_base64 }} | |
K8S_SERVER: ${{ secrets.K8S_SERVER }} | |
K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }} | |
deploy-rustdoc: | |
if: github.event_name == 'pull_request' && github.event.pull_request.merged == true | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- name: Deploy Rust Docs | |
uses: ./.github/actions/deploy/deploy-rustdoc | |
with: | |
ssh_key: ${{ secrets.SUBSTRATE_REPO_SSH_KEY }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | |
local-environment-tests-post-merge: | |
if: github.event_name == 'pull_request' && github.event.pull_request.merged == true | |
needs: build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} | |
- name: Deploy and test against local environment | |
uses: ./.github/actions/tests/local-environment-tests | |
with: | |
tag: CI | |
image: ${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node:${{ needs.build.outputs.sha }} | |
sha: ${{ needs.build.outputs.sha }} | |
tests: postmerge | |
env: | |
SUBSTRATE_REPO_SSH_KEY: ${{ secrets.SUBSTRATE_REPO_SSH_KEY }} | |
EARTHLY_TAR: ${{ secrets.EARTHLY_TAR }} | |
AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_ROLE_ARN_SECRET }} | |
AWS_REGION: ${{ env.AWS_REGION }} | |
ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} | |
ECR_REGISTRY_SECRET: ${{ secrets.ECR_REGISTRY_SECRET }} | |
TEST_ENVIRONMENT: local | |
local-environment-tests-post-merge-alert: | |
needs: local-environment-tests-post-merge | |
if: always() && needs.local-environment-tests-post-merge.result != 'skipped' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.event.pull_request.merge_commit_sha || github.sha }} | |
- name: Download test report | |
uses: actions/download-artifact@v4 | |
with: | |
name: test-results | |
- name: Report to slack | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
JIRA_URL: ${{ secrets.JIRA_URL }} | |
repository: ${{ github.repository }} | |
slack_ref_name: ${{ github.ref_name }} | |
job_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} | |
github_actor_username: ${{ github.actor }} | |
env: local-post-merge | |
run: | | |
mv .report.json E2E-tests/.report.json | |
cd E2E-tests | |
./report_slack.sh $repository $slack_ref_name $job_url $env $github_actor_username null | |
shell: bash | |
post-merge-actions-complete: | |
if: ${{ always() && (github.event_name == 'pull_request' && github.event.pull_request.merged == true) }} | |
needs: [deploy-rustdoc, upload-chain-specs, local-environment-tests-post-merge] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check if any needed job failed | |
run: | | |
if [[ "${{ needs.deploy-rustdoc.result }}" != "success" || | |
"${{ needs.upload-chain-specs.result }}" != "success" || | |
"${{ needs.local-environment-tests-post-merge.result }}" != "success" ]]; then | |
echo "One or more needed jobs failed." | |
exit 1 | |
else | |
echo "All needed jobs passed." | |
fi |