[CI] - workflow maintenance (#2984)

* refresh dockerfiles * update prepare-binary to publish custom client versions * fix upload/download for artifacts * build all the versions (not only x86_64) * fetch all the history to search for a specific commit * build either a branch or a tag * rename default binary (x86-64) to moonbeam * use ubuntu+debian with same glibc version * use job branch for loading resources * use debian:stable as image for building cfg moonbeam-networks * use debian:stable as image * creating the issue doesn't need bare-metal * add permissions for build workflow * use .nvmrc to set the node version * add docker and scripts to codeowners * update workflow permissions * use ubuntu-latest for building binaries * use ubuntu-latest to build release runtimes * Testing faster machines * using custom moonbeam GHA runner * less expensive server for release * Removes extra docker uid mapping from opslayer * removes support for custom private repositories * Try a better foreign initcode creation * better check for initcode * Remove cleanup used for permanent servers * fixes permissions * testing other instance * fix typo * Restore cheaper instances * Updates node to v22 * fix yaml * fixing permissions * chore: 🔧 Update rustc 1.78 for check licenses * Push client release on github hosted runners * fixes permissions --------- Co-authored-by: noandrea <[email protected]> Co-authored-by: crystalin <[email protected]> Co-authored-by: timbrinded <[email protected]> Co-authored-by: Alan Sapede <[email protected]>
moonbeam-foundation · Nov 29, 2024 · 124d0a2 · 124d0a2
1 parent c8cc4ed
commit 124d0a2
Show file tree

Hide file tree

Showing 27 changed files with 211 additions and 110 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,5 +1,4 @@
-# Changes to .github must be approved by the following groups
-
 /.github/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops
 /tools/github/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops
-
+/docker/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops
+/scripts/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops
diff --git a/.github/workflow-templates/dev-tests/action.yml b/.github/workflow-templates/dev-tests/action.yml
@@ -24,7 +24,7 @@ runs:
         version: 9
     - uses: actions/setup-node@v4
       with:
-        node-version: 22
+        node-version-file: "test/.nvmrc"
         cache: "pnpm"
         cache-dependency-path: pnpm-lock.yaml
 

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,6 +25,8 @@ jobs:
   ####### Check files and formatting #######
   set-tags:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       git_branch: ${{ steps.check-git-ref.outputs.git_branch }}
       git_ref: ${{ steps.check-git-ref.outputs.git_ref }}
@@ -116,6 +118,8 @@ jobs:
 
   check-copyright:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -134,6 +138,8 @@ jobs:
 
   check-links:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -148,6 +154,8 @@ jobs:
   check-editorconfig:
     name: "Check editorconfig"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -168,6 +176,8 @@ jobs:
   check-prettier:
     name: "Check with Prettier"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -191,6 +201,8 @@ jobs:
   check-eslint:
     name: "Check with EsLint"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -204,7 +216,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version-file: "test/.nvmrc"
           cache: "pnpm"
           cache-dependency-path: pnpm-lock.yaml
       - name: Run Eslint check
@@ -216,7 +228,9 @@ jobs:
   check-cargo-toml-format:
     name: "Check Cargo.toml files format"
     runs-on:
-      labels: bare-metal
+      labels: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -235,6 +249,8 @@ jobs:
   check-forbid-evm-reentrancy:
     name: "Check 'forbid-evm-reentrancy'"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -251,6 +267,8 @@ jobs:
   check-rust-fmt:
     name: "Check with rustfmt"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -271,6 +289,8 @@ jobs:
   cargo-clippy:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -296,6 +316,8 @@ jobs:
   build:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags"]
     steps:
       - name: Checkout
@@ -325,6 +347,9 @@ jobs:
   check-wasm-size:
     name: "Check WASM runtimes with Twiggy"
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     if: github.event_name == 'pull_request'
     needs: ["set-tags", "build"]
     env:
@@ -489,6 +514,8 @@ jobs:
   rust-test:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags"]
     env:
       RUSTC_WRAPPER: "sccache"
@@ -530,6 +557,8 @@ jobs:
   dev-test:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags", "build"]
     timeout-minutes: 20
     strategy:
@@ -594,6 +623,8 @@ jobs:
       (github.event_name == 'push' && github.ref == 'refs/heads/master')
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags", "build", "dev-test"]
     steps:
       - name: Checkout
@@ -611,7 +642,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version-file: "test/.nvmrc"
           cache: "pnpm"
           cache-dependency-path: pnpm-lock.yaml
       - run: |
@@ -652,6 +683,8 @@ jobs:
 
   docker-moonbeam:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: ["set-tags", "build"]
     if: ${{ needs.set-tags.outputs.image_exists == 'false' && !github.event.pull_request.head.repo.fork }}
     steps:
@@ -704,6 +737,8 @@ jobs:
   lazy-loading-tests:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     needs: ["set-tags", "build", "typescript-tracing-tests"]
     strategy:
       fail-fast: false
@@ -724,7 +759,7 @@ jobs:
           version: 9
       - uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version-file: "test/.nvmrc"
       - name: Create local folders
         run: |
           mkdir -p target/release/wbuild/${{ matrix.chain }}-runtime/
@@ -795,7 +830,7 @@ jobs:
           version: 9
       - uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version-file: "test/.nvmrc"
           cache: "pnpm"
           cache-dependency-path: pnpm-lock.yaml
       - name: Create local folders
@@ -860,7 +895,7 @@ jobs:
           version: 9
       - uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version-file: "test/.nvmrc"
       - name: Create local folders
         run: |
           mkdir -p target/release/wbuild/${{ matrix.chain }}-runtime/

diff --git a/.github/workflows/cancel.yml b/.github/workflows/cancel.yml
@@ -5,10 +5,13 @@ jobs:
     name: "Cancel Previous Build"
     if: github.ref != 'refs/heads/master'
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
     timeout-minutes: 3
     steps:
       - uses: styfle/[email protected]
         with:
           workflow_id: ".github/workflows/build.yml,.github/workflows/coverage.yml"
           all_but_latest: true
-          access_token: ${{ github.token }}
+          access_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/check-benchmarks.yml b/.github/workflows/check-benchmarks.yml
@@ -2,34 +2,35 @@ name: Check benchmarks
 
 on:
   workflow_dispatch:
-    on:
   schedule:
     - cron: "0 5 * * 0" # Runs every Sunday at 5:00 AM UTC
     - cron: "0 5 * * 3" # Runs every Wednesday at 5:00 AM UTC
 
 jobs:
   set-tags:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       git_ref: ${{ steps.check-git-ref.outputs.git_ref }}
     steps:
       - name: Check git ref
         id: check-git-ref
-        # if PR
-        # else if manual PR
-        # else (push)
         run: |
           if [[ -n "${{ github.event.pull_request.head.sha }}" ]]; then
-            echo "git_ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+            echo "git_ref=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
           elif [[ -n "${{ github.event.inputs.pull_request }}" ]]; then
-            echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >> $GITHUB_OUTPUT
+            echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >> "$GITHUB_OUTPUT"
           else
-            echo "git_ref=$GITHUB_REF" >> $GITHUB_OUTPUT
+            echo "git_ref=${GITHUB_REF}" >> "$GITHUB_OUTPUT"
           fi
+
   verify:
     needs: ["set-tags"]
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
     strategy:
       matrix:
         runtime: [moonbeam, moonbase, moonriver]
@@ -38,12 +39,12 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ needs.set-tags.outputs.git_ref }}
+          persist-credentials: false
+          fetch-depth: 0
       - name: Setup Variables
-        shell: bash
         run: |
-          echo "RUSTFLAGS=-C opt-level=3 -D warnings -C linker=clang -C link-arg=-fuse-ld=$(pwd)/mold/bin/mold" >> $GITHUB_ENV
+          echo "RUSTFLAGS=-C opt-level=3 -D warnings -C linker=clang -C link-arg=-fuse-ld=$(pwd)/mold/bin/mold" >> "$GITHUB_ENV"
       - name: Setup Mold Linker
-        shell: bash
         run: |
           mkdir -p mold
           curl -L --retry 10 --silent --show-error https://github.com/rui314/mold/releases/download/v2.30.0/mold-2.30.0-$(uname -m)-linux.tar.gz | tar -C $(realpath mold) --strip-components=1 -xzf -
@@ -64,5 +65,5 @@ jobs:
           ./scripts/run-benches-for-runtime.sh ${{ matrix.runtime }} release
           if test -f "benchmarking_errors.txt"; then
             cat benchmarking_errors.txt
-            false
+            exit 1
           fi
diff --git a/.github/workflows/check-licenses.yml b/.github/workflows/check-licenses.yml
@@ -7,6 +7,8 @@ on:
 jobs:
   verify:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Install Rust toolchain

diff --git a/.github/workflows/client-release-issue.yml b/.github/workflows/client-release-issue.yml
@@ -11,7 +11,9 @@ on:
 
 jobs:
   setup-scripts:
-    runs-on: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: Upload tools
@@ -23,13 +25,16 @@ jobs:
   create_client_ticket:
     needs: ["setup-scripts"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Use Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version-file: "test/.nvmrc"
       - name: Download Original Tools
         uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -19,8 +19,9 @@ jobs:
   ####### Check files and formatting #######
 
   set-tags:
-    runs-on:
-      labels: bare-metal
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       git_branch: ${{ steps.check-git-ref.outputs.git_branch }}
       git_target_branch: ${{ steps.check-git-ref.outputs.git_target_branch }}
@@ -89,6 +90,9 @@ jobs:
   build-and-coverage:
     runs-on:
       labels: bare-metal
+    permissions:
+      contents: read
+      pull-requests: write
     needs: ["set-tags"]
     if: ${{ !github.event.pull_request.head.repo.fork }}
     timeout-minutes: 90

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,7 +9,8 @@ jobs:
   deploy-docs:
     name: Deploy docs
     runs-on: bare-metal
-
+    permissions:
+      contents: read
     steps:
       # The protobuf compiler should be pre-installed on bare-metal
       #- name: Install tooling

diff --git a/.github/workflows/enforce-pr-labels.yml b/.github/workflows/enforce-pr-labels.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   enforce-noteworthiness-label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: yogevbd/[email protected]
         with:
@@ -21,6 +23,8 @@ jobs:
           BANNED_LABELS: ""
   enforce-auditability-label:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: yogevbd/[email protected]
         with: