From 124d0a2f12cc156482c1bb05ba2fe08a3cd249c8 Mon Sep 17 00:00:00 2001 
From: Rodrigo Quelhas <22591718+RomarQ@users.noreply.github.com> Date: Fri, 29 Nov 2024 10:00:52 +0000 Subject: [PATCH] [CI] - workflow maintenance (#2984) * refresh dockerfiles * update prepare-binary to publish custom client versions * fix upload/download for artifacts * build all the versions (not only x86_64) * fetch all the history to search for a specific commit * build either a branch or a tag * rename default binary (x86-64) to moonbeam * use ubuntu+debian with same glibc version * use job branch for loading resources * use debian:stable as image for building cfg moonbeam-networks * use debian:stable as image * creating the issue doesn't need bare-metal * add permissions for build workflow * use .nvmrc to set the node version * add docker and scripts to codeowners * update workflow permissions * use ubuntu-latest for building binaries * use ubuntu-latest to build release runtimes * Testing faster machines * using custom moonbeam GHA runner * less expensive server for release * Removes extra docker uid mapping from opslayer * removes support for custom private repositories * Try a better foreign initcode creation * better check for initcode * Remove cleanup used for permanent servers * fixes permissions * testing other instance * fix typo * Restore cheaper instances * Updates node to v22 * fix yaml * fixing permissions * chore: :wrench: Update rustc 1.78 for check licenses * Push client release on github hosted runners * fixes permissions --------- Co-authored-by: noandrea Co-authored-by: crystalin Co-authored-by: timbrinded <79199034+timbrinded@users.noreply.github.com> Co-authored-by: Alan Sapede --- .github/CODEOWNERS | 5 +- .../workflow-templates/dev-tests/action.yml | 2 +- .github/workflows/build.yml | 47 ++++++++++++-- .github/workflows/cancel.yml | 5 +- .github/workflows/check-benchmarks.yml | 23 +++---- .github/workflows/check-licenses.yml | 2 + .github/workflows/client-release-issue.yml | 9 ++- .github/workflows/coverage.yml | 8 ++- 
.github/workflows/docs.yml | 3 +- .github/workflows/enforce-pr-labels.yml | 4 ++ .github/workflows/prepare-binary.yml | 65 +++++++++++-------- .github/workflows/publish-binary.yml | 12 +++- .github/workflows/publish-docker-runtime.yml | 2 + .github/workflows/publish-docker.yml | 2 + .github/workflows/publish-runtime.yml | 44 ++++--------- .github/workflows/publish-typescript-api.yml | 4 +- .github/workflows/runtime-release-issue.yml | 9 ++- .github/workflows/subxt-diff.yml | 7 ++ .github/workflows/upgrade-typescript-api.yml | 5 +- .github/workflows/version-bump.yml | 5 +- docker/moonbase-parachain.Dockerfile | 2 +- docker/moonbeam-production.Dockerfile | 23 +++++-- docker/moonbeam.Dockerfile | 5 +- docker/polkadot-relay.Dockerfile | 8 +-- pallets/moonbeam-foreign-assets/build.rs | 15 ++++- scripts/build-runtime-srtool.sh | 4 -- test/.nvmrc | 1 + 27 files changed, 211 insertions(+), 110 deletions(-) create mode 100644 test/.nvmrc diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 303a99c5e4..614a8c381e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,5 +1,4 @@ -# Changes to .github must be approved by the following groups - /.github/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops /tools/github/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops - +/docker/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops +/scripts/ @moonbeam-foundation/moonsong-perm @moonbeam-foundation/opslayer-devops diff --git a/.github/workflow-templates/dev-tests/action.yml b/.github/workflow-templates/dev-tests/action.yml index f6a3a3f368..e5316557be 100644 --- a/.github/workflow-templates/dev-tests/action.yml +++ b/.github/workflow-templates/dev-tests/action.yml @@ -24,7 +24,7 @@ runs: version: 9 - uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" cache: "pnpm" cache-dependency-path: pnpm-lock.yaml 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 811511e211..87a1aa8844 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,6 +25,8 @@ jobs: ####### Check files and formatting ####### set-tags: runs-on: ubuntu-latest + permissions: + contents: read outputs: git_branch: ${{ steps.check-git-ref.outputs.git_branch }} git_ref: ${{ steps.check-git-ref.outputs.git_ref }} @@ -116,6 +118,8 @@ jobs: check-copyright: runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -134,6 +138,8 @@ jobs: check-links: runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -148,6 +154,8 @@ jobs: check-editorconfig: name: "Check editorconfig" runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -168,6 +176,8 @@ jobs: check-prettier: name: "Check with Prettier" runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -191,6 +201,8 @@ jobs: check-eslint: name: "Check with EsLint" runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -204,7 +216,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" cache: "pnpm" cache-dependency-path: pnpm-lock.yaml - name: Run Eslint check @@ -216,7 +228,9 @@ jobs: check-cargo-toml-format: name: "Check Cargo.toml files format" runs-on: - labels: bare-metal + labels: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -235,6 +249,8 @@ jobs: check-forbid-evm-reentrancy: name: "Check 'forbid-evm-reentrancy'" runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout 
@@ -251,6 +267,8 @@ jobs: check-rust-fmt: name: "Check with rustfmt" runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -271,6 +289,8 @@ jobs: cargo-clippy: runs-on: labels: bare-metal + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -296,6 +316,8 @@ jobs: build: runs-on: labels: bare-metal + permissions: + contents: read needs: ["set-tags"] steps: - name: Checkout @@ -325,6 +347,9 @@ jobs: check-wasm-size: name: "Check WASM runtimes with Twiggy" runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write if: github.event_name == 'pull_request' needs: ["set-tags", "build"] env: @@ -489,6 +514,8 @@ jobs: rust-test: runs-on: labels: bare-metal + permissions: + contents: read needs: ["set-tags"] env: RUSTC_WRAPPER: "sccache" @@ -530,6 +557,8 @@ jobs: dev-test: runs-on: labels: bare-metal + permissions: + contents: read needs: ["set-tags", "build"] timeout-minutes: 20 strategy: @@ -594,6 +623,8 @@ jobs: (github.event_name == 'push' && github.ref == 'refs/heads/master') runs-on: labels: bare-metal + permissions: + contents: read needs: ["set-tags", "build", "dev-test"] steps: - name: Checkout @@ -611,7 +642,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" cache: "pnpm" cache-dependency-path: pnpm-lock.yaml - run: | @@ -652,6 +683,8 @@ jobs: docker-moonbeam: runs-on: ubuntu-latest + permissions: + contents: read needs: ["set-tags", "build"] if: ${{ needs.set-tags.outputs.image_exists == 'false' && !github.event.pull_request.head.repo.fork }} steps: @@ -704,6 +737,8 @@ jobs: lazy-loading-tests: runs-on: labels: bare-metal + permissions: + contents: read needs: ["set-tags", "build", "typescript-tracing-tests"] strategy: fail-fast: false 
@@ -724,7 +759,7 @@ jobs: version: 9 - uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Create local folders run: | mkdir -p target/release/wbuild/${{ matrix.chain }}-runtime/ @@ -795,7 +830,7 @@ jobs: version: 9 - uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" cache: "pnpm" cache-dependency-path: pnpm-lock.yaml - name: Create local folders @@ -860,7 +895,7 @@ jobs: version: 9 - uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Create local folders run: | mkdir -p target/release/wbuild/${{ matrix.chain }}-runtime/ diff --git a/.github/workflows/cancel.yml b/.github/workflows/cancel.yml index 208c9b766b..a38b572c53 100644 --- a/.github/workflows/cancel.yml +++ b/.github/workflows/cancel.yml @@ -5,10 +5,13 @@ jobs: name: "Cancel Previous Build" if: github.ref != 'refs/heads/master' runs-on: ubuntu-latest + permissions: + actions: write + contents: read timeout-minutes: 3 steps: - uses: styfle/cancel-workflow-action@0.12.1 with: workflow_id: ".github/workflows/build.yml,.github/workflows/coverage.yml" all_but_latest: true - access_token: ${{ github.token }} + access_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/check-benchmarks.yml b/.github/workflows/check-benchmarks.yml index 523bf5925e..db0a49f52e 100644 --- a/.github/workflows/check-benchmarks.yml +++ b/.github/workflows/check-benchmarks.yml @@ -2,7 +2,6 @@ name: Check benchmarks on: workflow_dispatch: - on: schedule: - cron: "0 5 * * 0" # Runs every Sunday at 5:00 AM UTC - cron: "0 5 * * 3" # Runs every Wednesday at 5:00 AM UTC 
@@ -10,26 +9,28 @@ on: jobs: set-tags: runs-on: ubuntu-latest + permissions: + contents: read outputs: git_ref: ${{ steps.check-git-ref.outputs.git_ref }} steps: - name: Check git ref id: check-git-ref - # if PR - # else if manual PR - # else (push) run: | if [[ -n "${{ github.event.pull_request.head.sha }}" ]]; then - echo "git_ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT + echo "git_ref=${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT" elif [[ -n "${{ github.event.inputs.pull_request }}" ]]; then - echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >> $GITHUB_OUTPUT + echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >> "$GITHUB_OUTPUT" else - echo "git_ref=$GITHUB_REF" >> $GITHUB_OUTPUT + echo "git_ref=${GITHUB_REF}" >> "$GITHUB_OUTPUT" fi + verify: needs: ["set-tags"] runs-on: labels: bare-metal + permissions: + contents: read strategy: matrix: runtime: [moonbeam, moonbase, moonriver] @@ -38,12 +39,12 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ needs.set-tags.outputs.git_ref }} + persist-credentials: false + fetch-depth: 0 - name: Setup Variables - shell: bash run: | - echo "RUSTFLAGS=-C opt-level=3 -D warnings -C linker=clang -C link-arg=-fuse-ld=$(pwd)/mold/bin/mold" >> $GITHUB_ENV + echo "RUSTFLAGS=-C opt-level=3 -D warnings -C linker=clang -C link-arg=-fuse-ld=$(pwd)/mold/bin/mold" >> "$GITHUB_ENV" - name: Setup Mold Linker - shell: bash run: | mkdir -p mold curl -L --retry 10 --silent --show-error https://github.com/rui314/mold/releases/download/v2.30.0/mold-2.30.0-$(uname -m)-linux.tar.gz | tar -C $(realpath mold) --strip-components=1 -xzf - @@ -64,5 +65,5 @@ jobs: ./scripts/run-benches-for-runtime.sh ${{ matrix.runtime }} release if test -f "benchmarking_errors.txt"; then cat benchmarking_errors.txt - false + exit 1 fi diff --git a/.github/workflows/check-licenses.yml b/.github/workflows/check-licenses.yml index 393d14b276..89b96bb521 100644 
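Review bot: The rewritten `echo` lines in the `Check git ref` step now quote `"$GITHUB_OUTPUT"`, but `${{ github.event.inputs.pull_request }}` is still pasted into the script text before the shell runs, so quoting inside the script does not constrain what that input can contain. Pass it through the step environment instead: add `env:` with `PR_NUMBER: ${{ github.event.inputs.pull_request }}` (example name) and write `echo "git_ref=refs/pull/${PR_NUMBER}/head" >> "$GITHUB_OUTPUT"`. The same pattern appears in the new code of .github/workflows/prepare-binary.yml, where `github.event.inputs.sha` and `github.event.inputs.tag` are expanded inside `run:` blocks (the `docker build` arguments and the `Prepare` step). No `pull_request` input is declared under `workflow_dispatch:` in the visible part of this file, so that branch may be dead and could be removed.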
--- a/.github/workflows/check-licenses.yml +++ b/.github/workflows/check-licenses.yml @@ -7,6 +7,8 @@ on: jobs: verify: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Install Rust toolchain diff --git a/.github/workflows/client-release-issue.yml b/.github/workflows/client-release-issue.yml index 963075185e..4935690b3b 100644 --- a/.github/workflows/client-release-issue.yml +++ b/.github/workflows/client-release-issue.yml @@ -11,7 +11,9 @@ on: jobs: setup-scripts: - runs-on: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Upload tools @@ -23,13 +25,16 @@ jobs: create_client_ticket: needs: ["setup-scripts"] runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Checkout uses: actions/checkout@v4 - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Download Original Tools uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index ef5f1c1a5a..db6fa033ee 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -19,8 +19,9 @@ jobs: ####### Check files and formatting ####### set-tags: - runs-on: - labels: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read outputs: git_branch: ${{ steps.check-git-ref.outputs.git_branch }} git_target_branch: ${{ steps.check-git-ref.outputs.git_target_branch }} @@ -89,6 +90,9 @@ jobs: build-and-coverage: runs-on: labels: bare-metal + permissions: + contents: read + pull-requests: write needs: ["set-tags"] if: ${{ !github.event.pull_request.head.repo.fork }} timeout-minutes: 90 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 2b44bef261..3927819083 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -9,7 +9,8 @@ jobs: deploy-docs: name: Deploy docs runs-on: bare-metal - + permissions: + contents: read steps: # The protobuf compiler should be pre-installed on bare-metal #- name: Install tooling diff --git a/.github/workflows/enforce-pr-labels.yml b/.github/workflows/enforce-pr-labels.yml index 49d07b147e..d08c7e4517 100644 --- a/.github/workflows/enforce-pr-labels.yml +++ b/.github/workflows/enforce-pr-labels.yml @@ -6,6 +6,8 @@ on: jobs: enforce-noteworthiness-label: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: yogevbd/enforce-label-action@2.2.2 with: @@ -21,6 +23,8 @@ jobs: BANNED_LABELS: "" enforce-auditability-label: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: yogevbd/enforce-label-action@2.2.2 with: diff --git a/.github/workflows/prepare-binary.yml b/.github/workflows/prepare-binary.yml index c29016be85..f4f6ddadd6 100644 --- a/.github/workflows/prepare-binary.yml +++ b/.github/workflows/prepare-binary.yml 
@@ -7,63 +7,76 @@ on: sha: description: full sha to build the binary from required: true + tag: + description: docker tag to apply to the image + required: true jobs: ####### Building binaries ####### build-binary: - runs-on: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: - cpu: ["", "skylake"] - env: - RUSTFLAGS: "-C target-cpu=${{ matrix.cpu }}" + cpu: ["x86-64", "skylake", "znver3"] steps: - name: Checkout uses: actions/checkout@v4 - with: - ref: ${{ github.event.inputs.sha }} - - name: Setup Rust toolchain + - name: Build production moonbeam run: | - rustup override unset - rustup show - - name: Build Node - run: cargo build --profile=production --all + # Build moonbeam + # (we don't use volumes because of ownership/permissions issues) + docker build \ + --tag prod --no-cache \ + --build-arg="COMMIT=${{ github.event.inputs.sha }}" \ + --build-arg="RUSTFLAGS=-C target-cpu=${{ matrix.cpu }}" \ + - < docker/moonbeam-production.Dockerfile + + # Copy moonbeam binary + docker rm -f dummy 2> /dev/null | true + docker create -ti --name dummy prod bash + docker cp dummy:/moonbeam/moonbeam moonbeam + docker rm -f dummy + + # Cleanup + docker rmi prod + - name: Save parachain binary - if: ${{ matrix.cpu == '' }} - run: | - mkdir -p build - cp target/production/moonbeam build/moonbeam - - name: Save parachain custom binary - if: ${{ matrix.cpu != '' }} run: | mkdir -p build - cp target/production/moonbeam build/moonbeam-${{matrix.cpu}} + cp moonbeam build/moonbeam-${{matrix.cpu}} - name: Upload binary uses: actions/upload-artifact@v4 with: - name: moonbeam - path: build + name: binaries-${{matrix.cpu}} + path: build/moonbeam-${{matrix.cpu}} ####### Prepare the release draft ####### - docker-moonbeam: + docker-release-candidate: runs-on: ubuntu-latest + permissions: + contents: read needs: ["build-binary"] steps: - name: Checkout uses: actions/checkout@v4 - with: - ref: ${{ github.event.inputs.sha }} - uses: 
actions/download-artifact@v4 with: - name: moonbeam + pattern: binaries-* + merge-multiple: true path: build - name: Prepare id: prep run: | + echo "rename default binary" + mv build/moonbeam-x86-64 build/moonbeam DOCKER_IMAGE=moonbeamfoundation/moonbeam - SHA8="$(git log -1 --format="%H" | cut -c1-8)" - TAGS="${DOCKER_IMAGE}:sha-${SHA8}-opt" + COMMIT_SHA8=`echo ${{ github.event.inputs.sha }} | cut -c1-8` + TAG_SHA="${DOCKER_IMAGE}:sha-${COMMIT_SHA8}" + TAG_VER="${DOCKER_IMAGE}:${{ github.event.inputs.tag }}" + TAGS="${TAG_SHA},${TAG_VER}" echo "tags=${TAGS}" >> $GITHUB_OUTPUT echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - name: Set up QEMU diff --git a/.github/workflows/publish-binary.yml b/.github/workflows/publish-binary.yml index 14bc3135f3..f68f7997d5 100644 --- a/.github/workflows/publish-binary.yml +++ b/.github/workflows/publish-binary.yml @@ -14,7 +14,9 @@ on: jobs: ####### Building binaries ####### setup-scripts: - runs-on: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Upload tools @@ -25,7 +27,9 @@ jobs: build-binary: needs: ["setup-scripts"] - runs-on: bare-metal + runs-on: moonbeam-release-medium + permissions: + contents: read strategy: matrix: cpu: ["x86-64", "skylake", "znver3"] @@ -67,6 +71,8 @@ jobs: publish-draft-release: runs-on: ubuntu-latest + permissions: + contents: write needs: ["build-binary"] outputs: release_url: ${{ steps.create-release.outputs.html_url }} @@ -85,7 +91,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Download Original Tools uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/publish-docker-runtime.yml b/.github/workflows/publish-docker-runtime.yml index d16255e057..48dd01457e 100644 --- a/.github/workflows/publish-docker-runtime.yml +++ b/.github/workflows/publish-docker-runtime.yml 
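Review bot: The `Prepare` step now cuts `COMMIT_SHA8` from the dispatch input `github.event.inputs.sha` instead of from the checked-out commit, while docker/moonbeam-production.Dockerfile accepts a branch name for the same value, so an image can be tagged `sha-<8 chars>` without those characters naming the commit that was built. Validate the input once at the start of the job, reading it from `env:` rather than from the script text: `[[ "$INPUT_SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "sha must be a full commit id"; exit 1; }` (`INPUT_SHA` is an example name). In the build step, `docker rm -f dummy 2> /dev/null | true` pipes into `true` where `|| true` is presumably meant.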
@@ -10,6 +10,8 @@ on: jobs: tag-docker: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml index faf0f0f59c..0bc5e48174 100644 --- a/.github/workflows/publish-docker.yml +++ b/.github/workflows/publish-docker.yml @@ -10,6 +10,8 @@ on: jobs: tag-docker: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml index 1e50fd2ae0..ad266613c8 100644 --- a/.github/workflows/publish-runtime.yml +++ b/.github/workflows/publish-runtime.yml @@ -15,7 +15,9 @@ jobs: ####### Build runtimes with srtool ####### setup-scripts: - runs-on: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Upload scripts @@ -30,7 +32,9 @@ jobs: path: tools read-rust-version: - runs-on: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read outputs: rust_version: ${{ steps.get-version.outputs.rust_version }} steps: @@ -42,12 +46,14 @@ jobs: build-srtool-runtimes: needs: ["setup-scripts", "read-rust-version"] - runs-on: bare-metal + runs-on: moonbeam-release-medium + permissions: + contents: read strategy: matrix: chain: ["moonbase", "moonriver", "moonbeam"] srtool_image: - - moonbeamfoundation/srtool + - paritytech/srtool srtool_image_tag: - ${{ needs.read-rust-version.outputs.rust_version }} steps: 
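Review bot: `srtool_image` switches to `paritytech/srtool`, selected only by the tag `${{ needs.read-rust-version.outputs.rust_version }}`, so the runtimes that get published are compiled in an external image whose content can change under the same tag. Pin or record what was used: either reference the image by digest (`paritytech/srtool@sha256:<digest>`, placeholder digest) or add a step that prints `docker image inspect --format '{{index .RepoDigests 0}}'` for the pulled image so the digest is kept in the job log next to the srtool digest JSON. Whether scripts/build-runtime-srtool.sh already verifies the image is not visible in this hunk.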
@@ -66,23 +72,6 @@ jobs: with: name: original-scripts path: original-scripts - - name: Build & Push moonbeamfoundation/srtool image - if: github.repository == 'moonbeam-foundation/moonbeam' - run: | - docker pull "${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }}" && image_exists=true || image_exists=false - - if [[ $image_exists = "false" ]]; then - echo building "${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }}" - docker build --pull --no-cache . \ - -f docker/moonbeam-srtool.Dockerfile \ - --build-arg SRTOOL_IMAGE_TAG=${{ matrix.srtool_image_tag }} \ - -t ${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }} - - echo pushing "${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }}" - docker push "${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }}" - else - echo skiping build "${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }}", image already exists - fi - name: Build runtime using "${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }}" id: srtool_build env: @@ -110,19 +99,12 @@ jobs: path: | ${{ matrix.chain }}-runtime.compact.compressed.wasm ${{ matrix.chain }}-srtool-digest.json - - name: Cleanup - run: | - echo "Removing runtime/${{ matrix.chain }}/target" - ls -lna runtime/${{ matrix.chain }}/target - - # Removing using docker root to ensure we have permissions - docker run -u 0 -v $(pwd)/runtime/${{ matrix.chain }}/:/runtime \ - -it --entrypoint bash ${{ matrix.srtool_image }}:${{ matrix.srtool_image_tag }} -c "id; ls -lna /runtime/target; rm -rf /runtime/target" ####### Prepare the release draft ####### - publish-draft-release: runs-on: ubuntu-latest + permissions: + contents: write needs: ["setup-scripts", "build-srtool-runtimes"] outputs: release_url: ${{ steps.create-release.outputs.html_url }} @@ -151,7 +133,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Download Original Tools uses: actions/download-artifact@v4 with: 
diff --git a/.github/workflows/publish-typescript-api.yml b/.github/workflows/publish-typescript-api.yml index 2ea3ab5e04..9d500384fd 100644 --- a/.github/workflows/publish-typescript-api.yml +++ b/.github/workflows/publish-typescript-api.yml @@ -13,6 +13,8 @@ on: jobs: publish-typescript-api: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4 @@ -26,7 +28,7 @@ jobs: - name: Install Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" cache: pnpm registry-url: https://registry.npmjs.org/ - name: Build Typescript Augment API package diff --git a/.github/workflows/runtime-release-issue.yml b/.github/workflows/runtime-release-issue.yml index dd8f404416..ae45208087 100644 --- a/.github/workflows/runtime-release-issue.yml +++ b/.github/workflows/runtime-release-issue.yml @@ -14,7 +14,9 @@ on: jobs: setup-scripts: - runs-on: bare-metal + runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Upload tools @@ -26,13 +28,16 @@ jobs: create_runtime_ticket: needs: ["setup-scripts"] runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Checkout uses: actions/checkout@v4 - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Download Original Tools uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/subxt-diff.yml b/.github/workflows/subxt-diff.yml index aa18eb500e..00dbb9b8a5 100644 --- a/.github/workflows/subxt-diff.yml +++ b/.github/workflows/subxt-diff.yml @@ -13,6 +13,8 @@ jobs: build: runs-on: labels: bare-metal + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@v4 @@ -29,6 +31,8 @@ jobs: local-diff: needs: build runs-on: bare-metal + permissions: + contents: read strategy: matrix: runtime: [moonbeam, moonbase, moonriver] 
@@ -105,6 +109,9 @@ jobs: create_pr: needs: local-diff runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/upgrade-typescript-api.yml b/.github/workflows/upgrade-typescript-api.yml index 15dcfd8541..f2bae89652 100644 --- a/.github/workflows/upgrade-typescript-api.yml +++ b/.github/workflows/upgrade-typescript-api.yml @@ -14,6 +14,9 @@ on: jobs: upgrading-typescript-api: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout uses: actions/checkout@v4 @@ -28,7 +31,7 @@ jobs: - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Use pnpm uses: pnpm/action-setup@v4 with: diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index f17ad63031..b151986b82 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -12,13 +12,16 @@ on: jobs: create_bump_ticket: runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Checkout uses: actions/checkout@v4 - name: Use Node.js uses: actions/setup-node@v4 with: - node-version: 22 + node-version-file: "test/.nvmrc" - name: Generate version bump issue env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/docker/moonbase-parachain.Dockerfile b/docker/moonbase-parachain.Dockerfile index f0f857e398..c822300184 100644 --- a/docker/moonbase-parachain.Dockerfile +++ b/docker/moonbase-parachain.Dockerfile @@ -3,7 +3,7 @@ # Requires to run from repository root and to copy the binary in the build folder (part of the release workflow) FROM phusion/baseimage:0.11 -LABEL maintainer "alan@purestake.com" +LABEL maintainer="alan@moonsonglabs.com" LABEL description="Moonbeam network node. Supports Alphanet/Stagenet. Will support Moonriver and Moonbeam mainnet." ARG PROFILE=release 
diff --git a/docker/moonbeam-production.Dockerfile b/docker/moonbeam-production.Dockerfile index 0c0af9e9b2..369db3c78f 100644 --- a/docker/moonbeam-production.Dockerfile +++ b/docker/moonbeam-production.Dockerfile @@ -2,7 +2,7 @@ # # Requires to run from repository root and to copy the binary in the build folder (part of the release workflow) -FROM docker.io/library/ubuntu:20.04 AS builder +FROM debian:stable AS builder # Branch or tag to build moonbeam from ARG COMMIT="master" @@ -24,16 +24,29 @@ ENV PATH="/root/.cargo/bin:$PATH" RUN rustup default stable # rustup version are pinned in the rust-toolchain file -RUN echo "*** Cloning Moonbeam ***" -RUN git clone --depth=1 --branch $COMMIT https://github.com/purestake/moonbeam.git +# Clone the Moonbeam repository +RUN echo "*** Cloning Moonbeam ***" && \ + if git ls-remote --heads https://github.com/moonbeam-foundation/moonbeam.git $COMMIT | grep -q $COMMIT; then \ + echo "Cloning branch $COMMIT"; \ + git clone --depth=1 --branch $COMMIT https://github.com/moonbeam-foundation/moonbeam.git; \ + else \ + echo "Cloning specific commit $COMMIT"; \ + git clone --depth=1 https://github.com/moonbeam-foundation/moonbeam.git && \ + cd moonbeam && \ + git fetch --depth=1 origin $COMMIT && \ + git checkout $COMMIT; \ + fi WORKDIR /moonbeam/moonbeam +# Print target cpu +RUN rustc --print target-cpus + RUN echo "*** Building Moonbeam ***" RUN cargo build --profile=production --all -FROM debian:bookworm-slim -LABEL maintainer "alan@purestake.com" +FROM debian:stable-slim +LABEL maintainer="alan@moonsonglabs.com" LABEL description="Binary for Moonbeam Nodes" RUN useradd -m -u 1000 -U -s /bin/sh -d /moonbeam moonbeam && \ diff --git a/docker/moonbeam.Dockerfile b/docker/moonbeam.Dockerfile index 8e33ba662a..746243e88c 100644 --- a/docker/moonbeam.Dockerfile +++ b/docker/moonbeam.Dockerfile 
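Review bot: `FROM debian:stable AS builder` and the runtime stage's `FROM debian:stable-slim` replace pinned releases (`ubuntu:20.04`, `debian:bookworm-slim`) with a tag that moves to the next Debian release without any change in this repository, so the glibc the production binary links against and the packages in the runtime image can differ between two builds of the same commit. The same floating tag is introduced in docker/moonbeam.Dockerfile and in the second stage of docker/polkadot-relay.Dockerfile. Name the release in both stages and, for release images, add the digest: `FROM debian:bookworm-slim@sha256:<digest>` (placeholder digest). Keeping builder and runtime on the same named release also preserves the glibc match the commit message asks for.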
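Review bot: `$COMMIT` is expanded unquoted in every command of the new clone step, and the branch test `git ls-remote --heads … $COMMIT | grep -q $COMMIT` is a substring match on the ls-remote output rather than a check for that exact branch. Quote the variable and let git match the full ref name: `if git ls-remote --exit-code --heads https://github.com/moonbeam-foundation/moonbeam.git "refs/heads/$COMMIT" >/dev/null; then`, with `"$COMMIT"` in the `clone`, `fetch` and `checkout` calls as well. Because `--heads` lists branches only, a tag name takes the else path. Whether `git fetch --depth=1 origin $COMMIT` followed by `git checkout $COMMIT` resolves a tag there is worth a test, since the commit message says a tag is supported.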
@@ -2,14 +2,15 @@ # # Requires to run from repository root and to copy the binary in the build folder (part of the release workflow) -FROM docker.io/library/ubuntu:20.04 AS builder +FROM debian:stable AS builder RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates -FROM debian:bookworm-slim +FROM debian:stable-slim LABEL maintainer="alan@moonsonglabs.com" LABEL description="Binary for Moonbeam Collator" + RUN useradd -m -u 1000 -U -s /bin/sh -d /moonbeam moonbeam && \ mkdir -p /moonbeam/.local/share && \ mkdir /data && \ diff --git a/docker/polkadot-relay.Dockerfile b/docker/polkadot-relay.Dockerfile index 51a0c82c68..52d68de5b6 100644 --- a/docker/polkadot-relay.Dockerfile +++ b/docker/polkadot-relay.Dockerfile @@ -1,7 +1,7 @@ # Inspired by Polkadot Dockerfile FROM docker.io/paritytech/ci-linux:production as builder -LABEL maintainer "alan@purestake.com" +LABEL maintainer="alan@moonsonglabs.com" LABEL description="This is the build stage for Polkadot. Here we create the binary." ARG POLKADOT_COMMIT=master @@ -21,8 +21,8 @@ RUN cargo build --profile release --locked # ===== SECOND STAGE ====== -FROM debian:buster-slim -LABEL maintainer "alan@purestake.com" +FROM debian:stable-slim +LABEL maintainer="alan@moonsonglabs.com" LABEL description="Polkadot for Moonbeam Relay Chains" COPY --from=builder /polkadot-sdk/target/release/polkadot /usr/local/bin COPY --from=builder /polkadot-sdk/target/release/polkadot-execute-worker /usr/local/bin @@ -38,7 +38,7 @@ USER moonbeam COPY --chown=moonbeam specs/alphanet/westend-embedded-specs-v8.json /moonbase-alphanet/alphanet-relay-raw-specs.json RUN grep -v '/p2p/' /moonbase-alphanet/alphanet-relay-raw-specs.json > \ - /moonbase-alphanet/alphanet-relay-raw-specs-no-bootnodes.json + /moonbase-alphanet/alphanet-relay-raw-specs-no-bootnodes.json # 30333 for p2p traffic # 9933 for RPC call 
diff --git a/pallets/moonbeam-foreign-assets/build.rs b/pallets/moonbeam-foreign-assets/build.rs index b3bb0cc3a9..ae3c9da441 100644 --- a/pallets/moonbeam-foreign-assets/build.rs +++ b/pallets/moonbeam-foreign-assets/build.rs @@ -14,8 +14,9 @@ // You should have received a copy of the GNU General Public License // along with Moonbeam. If not, see . -use std::fs::File; +use std::fs; use std::io::prelude::*; +use std::path::Path; // Length of encoded constructor parameters const PARAMS_LEN: usize = 256; @@ -38,7 +39,17 @@ fn main() { 0 }; - let mut file = File::create("resources/foreign_erc20_initcode.bin") + let file_path = "resources/foreign_erc20_initcode.bin"; + + if Path::new(file_path).exists() { + let existing_content = fs::read(file_path).expect("Unable to read file"); + let existing_hex_code = hex::encode(existing_content); + if existing_hex_code == hex::encode(&bytecode[..bytecode_end]) { + return; + } + } + + let mut file = fs::File::create(file_path) .expect("Fail to create file resources/foreign_erc20_initcode.bin"); file.write_all(&bytecode[..bytecode_end]) .expect("fail to write bytecode in /foreign_erc20_initcode.bin"); diff --git a/scripts/build-runtime-srtool.sh b/scripts/build-runtime-srtool.sh index 642464182f..1478e32a88 100755 --- a/scripts/build-runtime-srtool.sh +++ b/scripts/build-runtime-srtool.sh @@ -9,7 +9,6 @@ CMD="docker run \ -i \ --rm \ - $(~/srtool/uid-gid-mapping.sh 1001 | xargs) \ -e CARGO_NET_GIT_FETCH_WITH_CLI=true \ -e PACKAGE=${GH_WORKFLOW_MATRIX_CHAIN}-runtime \ -e RUNTIME_DIR=runtime/${GH_WORKFLOW_MATRIX_CHAIN} \ @@ -17,9 +16,6 @@ CMD="docker run \ -e PROFILE=${RUNTIME_BUILD_PROFILE} \ -e WASM_BUILD_STD=0 \ -v ${PWD}:/build \ - -v /home/${USER}/srtool/.ssh:/home/builder/.ssh \ - -v /home/${USER}/srtool/entrypoint.sh:/srtool/entrypoint.sh \ - --entrypoint /srtool/entrypoint.sh \ ${GH_WORKFLOW_MATRIX_SRTOOL_IMAGE}:${GH_WORKFLOW_MATRIX_SRTOOL_IMAGE_TAG} \ build --app --json -cM" 
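Review bot: The new up-to-date check hex-encodes both the file content and `bytecode[..bytecode_end]` only to compare the two strings, and `fs::read(file_path).expect("Unable to read file")` aborts the build when the file exists but cannot be read, although rewriting it would do. Comparing the bytes directly covers both: `if fs::read(file_path).map_or(false, |old| old == bytecode[..bytecode_end]) { return; }`, assuming `bytecode` is a byte vector or slice (it is declared outside the hunk, as is the start of `main`). A comment above the check should say why the write is skipped, for example `// Leave the file untouched when the initcode is unchanged`, and state the actual reason if it is about file timestamps or read-only checkouts.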
diff --git a/test/.nvmrc b/test/.nvmrc
new file mode 100644
index 0000000000..92f279e3e6
--- /dev/null
+++ b/test/.nvmrc
@@ -0,0 +1 @@
+v22
\ No newline at end of file