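# CD workflow for partner-chains.
#
# Stages, each gated by a workflow_dispatch input:
#   1. build artifacts for Linux / macOS (or reuse a previous build from S3)
#   2. publish the node image to ECR and create a draft release
#   3. generate and upload chain specs, deploy to staging-preview
#   4. run the e2e suites at deployment time, at epoch N+1 and at epoch N+2
#   5. trigger publish.yml for the public release
#
# Boolean inputs are exposed as the strings 'true' / 'false' through
# `github.event.inputs`, which is why every gate compares against 'true'.
name: "CD"
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      sha:
        description: "partner-chains commit SHA to build from"
        required: true
        type: string
      tag:
        description: "partner-chains release tag"
        required: true
        type: string
      no-build:
        description: "Skip build and use previously artifacts built in a past run"
        required: false
        type: boolean
        default: false
      no-public:
        description: "Skip steps to publish public release and public GHCR image"
        required: false
        type: boolean
        default: true
      no-release:
        description: "Skip creating draft release page"
        required: false
        type: boolean
        default: false
      no-deploy:
        description: "Skip deployment to staging environment"
        required: false
        type: boolean
        default: false
      no-wipe:
        description: "Skip staging environment chain wipe and keep volumes"
        required: false
        type: boolean
        default: false
      no-tests:
        description: "Skip all test steps against staging environment"
        required: false
        type: boolean
        default: false

# Default GITHUB_TOKEN scopes for any job that does not declare its own
# `permissions:` block. Every job below declares one, so the effective scopes
# can be read per job.
permissions:
  id-token: write
  contents: write
  packages: write

env:
  AWS_REGION: "eu-central-1"
  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
  STAGING_PREVIEW_SERVICES_HOST: staging-preview-services-service.staging-preview.svc.cluster.local
  STAGING_PREVIEW_VALIDATOR_1_HOST: staging-preview-validator-1-service.staging-preview.svc.cluster.local
  # Quoted: env values are strings at runtime, keep the YAML type identical.
  STAGING_PREVIEW_VALIDATOR_1_PORT: "9933"

jobs:
  # --- build / artifact stage -------------------------------------------------
  build-linux:
    if: ${{ github.event.inputs.no-build != 'true' }}
    permissions:
      id-token: write
      contents: write
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build and Upload for Linux
        uses: ./.github/actions/artifacts/build-pc-artifacts
        with:
          sha: ${{ inputs.sha }}
          tag: ${{ inputs.tag }}
          os: linux

  build-macos-x86_64:
    if: ${{ github.event.inputs.no-build != 'true' }}
    permissions:
      id-token: write
      contents: write
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build and Upload for macOS x86_64
        uses: ./.github/actions/artifacts/build-pc-artifacts
        with:
          sha: ${{ inputs.sha }}
          tag: ${{ inputs.tag }}
          os: macos-x86_64

  build-macos-arm64:
    if: ${{ github.event.inputs.no-build != 'true' }}
    permissions:
      id-token: write
      contents: write
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build and Upload for macOS arm64
        uses: ./.github/actions/artifacts/build-pc-artifacts
        with:
          sha: ${{ inputs.sha }}
          tag: ${{ inputs.tag }}
          os: macos-arm64

  upload-to-s3:
    if: ${{ github.event.inputs.no-build != 'true' }}
    needs:
      - build-linux
      - build-macos-x86_64
      - build-macos-arm64
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Upload Artifacts to S3
        uses: ./.github/actions/artifacts/upload-to-s3
        with:
          sha: ${{ inputs.sha }}
          bucket-name: ${{ secrets.AWS_CD_ARTIFACT_S3_BUCKET }}
        env:
          AWS_REGION: ${{ env.AWS_REGION }}
          AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_S3_ROLE_ARN_SECRET }}

  # Mirror of upload-to-s3 for the `no-build` path: exactly one of the two
  # runs for a given dispatch.
  download-from-s3:
    if: ${{ github.event.inputs.no-build == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download Artifacts from S3
        uses: ./.github/actions/artifacts/download-from-s3
        with:
          sha: ${{ inputs.sha }}
          bucket-name: ${{ secrets.AWS_CD_ARTIFACT_S3_BUCKET }}
        env:
          AWS_REGION: ${{ env.AWS_REGION }}
          AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_S3_ROLE_ARN_SECRET }}

  # Join point for the two artifact paths. One dependency is always skipped, so
  # the condition carries `!cancelled()`: without a status-check function the
  # runner would skip this job whenever a needed job was skipped. The result
  # checks still stop the pipeline when the path that did run failed.
  artifacts-ready:
    needs:
      - upload-to-s3
      - download-from-s3
    runs-on: ubuntu-latest
    # Only echoes job results; no GitHub token scopes are needed.
    permissions:
      contents: read
    if: ${{ !cancelled() && (needs.upload-to-s3.result == 'success' || needs.download-from-s3.result == 'success') }}
    steps:
      - name: Artifacts Ready
        run: |
          if [[ "${{ needs.upload-to-s3.result }}" == "success" ]]; then
            echo "Artifacts have been compiled and uploaded to S3"
          elif [[ "${{ needs.download-from-s3.result }}" == "success" ]]; then
            echo "Previously built artifacts were downloaded from S3."
          fi

  # --- publish / release stage -----------------------------------------------
  build-and-publish-ecr:
    permissions:
      id-token: write
      contents: write
    needs: artifacts-ready
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build and Publish to ECR
        uses: ./.github/actions/images/build-and-publish-ecr
        with:
          sha: ${{ inputs.sha }}
          tag: ${{ inputs.tag }}
        env:
          # Same region as the workflow-level env; referenced rather than
          # repeated so there is a single place to change it.
          AWS_REGION: ${{ env.AWS_REGION }}
          ECR_REGISTRY_SECRET: ${{ secrets.ECR_REGISTRY_SECRET }}
          AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_ROLE_ARN_SECRET }}

  create-draft-release:
    if: ${{ github.event.inputs.no-release != 'true' }}
    permissions:
      id-token: write
      contents: write
    needs: artifacts-ready
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Create Draft Release
        uses: ./.github/actions/release/create-draft-release
        with:
          tag: ${{ inputs.tag }}
        env:
          GITHUB_TOKEN: ${{ github.token }}

  generate-chain-specs:
    permissions:
      id-token: write
      contents: write
    needs: artifacts-ready
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Generate Chain Specs
        uses: ./.github/actions/artifacts/generate-chain-specs
        with:
          tag: ${{ inputs.tag }}

  upload-chain-specs:
    permissions:
      id-token: write
      contents: write
    needs: generate-chain-specs
    runs-on: eks
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Upload chain spec artifacts to Kubernetes
        uses: ./.github/actions/deploy/upload-chain-specs
        with:
          # NOTE(review): this passes the workflow repo's commit, not
          # `inputs.sha` like the build jobs — confirm that is intended.
          sha: ${{ github.sha }}
        env:
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}

  # --- staging-preview deployment --------------------------------------------
  deploy-staging-preview:
    if: ${{ github.event.inputs.no-deploy != 'true' }}
    permissions:
      id-token: write
      contents: write
    needs:
      - build-and-publish-ecr
      - upload-chain-specs
    runs-on: eks
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Deploy staging-preview
        uses: ./.github/actions/deploy/deploy-staging-preview
        with:
          image: ${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node:${{ inputs.sha }}
          sha: ${{ github.sha }}
          no-wipe: ${{ github.event.inputs.no-wipe || 'false' }}
        env:
          AWS_REGION: ${{ env.AWS_REGION }}
          SSH_AUTH_SOCK: ${{ env.SSH_AUTH_SOCK }}
          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
          AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_ROLE_ARN_SECRET }}
          ECR_REGISTRY_SECRET: ${{ secrets.ECR_REGISTRY_SECRET }}
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}

  # Records the main-chain epoch at deployment time (consumed by the epoch
  # waits below) and blocks until the partner chain finalizes its first block.
  # `!cancelled()` lets the `skipped` branch of the condition take effect when
  # `no-deploy` is set; without it the job would be skipped along with its
  # dependency.
  partner-chain-ready:
    if: ${{ !cancelled() && github.event.inputs.no-tests != 'true' && (needs.deploy-staging-preview.result == 'success' || needs.deploy-staging-preview.result == 'skipped') }}
    runs-on: eks
    needs: deploy-staging-preview
    # Only talks to in-cluster services; no GitHub token scopes are needed.
    permissions:
      contents: read
    outputs:
      deployment_mc_epoch: ${{ steps.mc-epoch.outputs.deployment_mc_epoch }}
    steps:
      - name: Set deployment main chain epoch
        id: mc-epoch
        shell: bash
        # Fails the job when the health endpoint is unreachable or returns no
        # epoch; the previous form wrote an empty output and let the epoch
        # arithmetic downstream silently start from 0.
        run: |
          set -euo pipefail
          epoch=$(curl -sf "http://$STAGING_PREVIEW_SERVICES_HOST:1337/health" | jq -r .currentEpoch)
          if [[ -z "$epoch" || "$epoch" == "null" ]]; then
            echo "Could not read currentEpoch from $STAGING_PREVIEW_SERVICES_HOST:1337/health" >&2
            exit 1
          fi
          echo "deployment_mc_epoch=$epoch" >> "$GITHUB_OUTPUT"
      - name: Check Finalization Status
        shell: bash
        run: |
          set -uo pipefail
          rpc="http://$STAGING_PREVIEW_VALIDATOR_1_HOST:$STAGING_PREVIEW_VALIDATOR_1_PORT"
          # Prints the finalized block height as a decimal, or 0 when either
          # RPC call fails, so the wait loop keeps polling instead of treating
          # an empty value as "finalized".
          finalized_number() {
            local head number
            head=$(curl -s -H "Content-Type: application/json" \
              -d '{"jsonrpc":"2.0","method":"chain_getFinalizedHead","params":[],"id":"1"}' "$rpc" | jq -r ".result") || head=""
            if [[ -z "$head" || "$head" == "null" ]]; then
              echo 0
              return
            fi
            number=$(curl -s -H "Content-Type: application/json" \
              -d "{\"jsonrpc\":\"2.0\",\"method\":\"chain_getHeader\",\"params\":[\"$head\"],\"id\":\"1\"}" "$rpc" | jq -r ".result.number") || number=""
            if [[ -z "$number" || "$number" == "null" ]]; then
              echo 0
              return
            fi
            # The header number is hex (0x...); printf %d converts it.
            printf "%d\n" "$number"
          }
          timeout=300   # seconds
          interval=10   # seconds
          elapsed=0
          FINALIZED_NUMBER=$(finalized_number)
          while [ "$FINALIZED_NUMBER" -le 0 ]; do
            if [ "$elapsed" -ge "$timeout" ]; then
              echo "Timeout reached: $timeout seconds"
              exit 1
            fi
            echo "Waiting for blocks to be finalized..."
            sleep "$interval"
            elapsed=$((elapsed + interval))
            FINALIZED_NUMBER=$(finalized_number)
          done
          echo "Blocks are being finalized. Finalized Block Number: $FINALIZED_NUMBER"

  # --- test stage -------------------------------------------------------------
  run-smoke-tests:
    if: ${{ github.event.inputs.no-tests != 'true' }}
    permissions:
      id-token: write
      contents: read
    needs: partner-chain-ready
    runs-on: eks
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup tests
        uses: ./.github/actions/tests/setup-python
        env:
          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
      - name: Run smoke tests
        uses: ./.github/actions/tests/run-e2e-tests
        with:
          blockchain: substrate
          env: staging
          decrypt: true
          markers: "not active_flow and not passive_flow and (CD or rpc)"
          threads: 1

  run-all-tests:
    if: ${{ github.event.inputs.no-tests != 'true' }}
    permissions:
      id-token: write
      contents: read
    # partner-chain-ready is listed explicitly because its output is read
    # below; the `needs` context only exposes direct dependencies.
    needs:
      - run-smoke-tests
      - partner-chain-ready
    runs-on: eks
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup tests
        uses: ./.github/actions/tests/setup-python
        env:
          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
      - name: Run all tests (some skipped due to new deployment)
        uses: ./.github/actions/tests/run-e2e-tests
        env:
          DEPLOYMENT_MC_EPOCH: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
        with:
          blockchain: substrate
          env: staging
          decrypt: true
          markers: "not active_flow and not passive_flow"
          # `with:` values are not shell-expanded, so the epoch is passed as an
          # expression rather than as the literal text `$DEPLOYMENT_MC_EPOCH`.
          deployment_mc_epoch: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
          threads: 1

  wait-for-n1-epoch:
    if: ${{ github.event.inputs.no-tests != 'true' }}
    permissions:
      id-token: write
      contents: read
    needs: partner-chain-ready
    runs-on: eks
    timeout-minutes: 1440
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Configure kubectl
        uses: ./.github/actions/tests/configure-kubectl
        env:
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
      - name: Set MC epoch to wait for
        id: increment-epoch
        env:
          DEPLOYMENT_MC_EPOCH: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
        run: |
          echo "Current epoch: $DEPLOYMENT_MC_EPOCH"
          incremented_epoch=$((DEPLOYMENT_MC_EPOCH + 1))
          echo "Incremented epoch: $incremented_epoch"
          echo "mc_epoch_to_wait_for=$incremented_epoch" >> "$GITHUB_OUTPUT"
      - name: Wait for next MC epoch
        uses: ./.github/actions/tests/wait-for-epoch
        with:
          epoch: ${{ steps.increment-epoch.outputs.mc_epoch_to_wait_for }}
          deployment: kubernetes
          node: staging-preview-validator-1
          environment: staging-preview

  run-all-tests-on-n1-epoch:
    if: ${{ github.event.inputs.no-tests != 'true' }}
    permissions:
      id-token: write
      contents: read
    # partner-chain-ready is listed explicitly because its output is read
    # below; the `needs` context only exposes direct dependencies.
    needs:
      - wait-for-n1-epoch
      - partner-chain-ready
    runs-on: eks
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup tests
        uses: ./.github/actions/tests/setup-python
        env:
          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
      - name: Run all tests (some skipped due to new deployment)
        uses: ./.github/actions/tests/run-e2e-tests
        env:
          DEPLOYMENT_MC_EPOCH: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
        with:
          blockchain: substrate
          env: staging
          decrypt: true
          latest_mc_epoch: true
          markers: "not active_flow and not passive_flow"
          # Expression, not `$DEPLOYMENT_MC_EPOCH`: `with:` values are not shell-expanded.
          deployment_mc_epoch: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
          threads: 1

  wait-for-n2-epoch:
    if: ${{ github.event.inputs.no-tests != 'true' }}
    permissions:
      id-token: write
      contents: read
    needs:
      - partner-chain-ready
      - wait-for-n1-epoch
    runs-on: eks
    timeout-minutes: 1450
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Configure kubectl
        uses: ./.github/actions/tests/configure-kubectl
        env:
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
      - name: Set MC epoch to wait for
        id: increment-epoch
        env:
          DEPLOYMENT_MC_EPOCH: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
        run: |
          echo "Current epoch: $DEPLOYMENT_MC_EPOCH"
          incremented_epoch=$((DEPLOYMENT_MC_EPOCH + 2))
          echo "Incremented epoch: $incremented_epoch"
          echo "mc_epoch_to_wait_for=$incremented_epoch" >> "$GITHUB_OUTPUT"
      - name: Wait for next MC epoch
        uses: ./.github/actions/tests/wait-for-epoch
        with:
          epoch: ${{ steps.increment-epoch.outputs.mc_epoch_to_wait_for }}
          deployment: kubernetes
          node: staging-preview-validator-1
          environment: staging-preview

  run-all-tests-on-n2-epoch:
    if: ${{ github.event.inputs.no-tests != 'true' }}
    permissions:
      id-token: write
      contents: read
    # partner-chain-ready is listed explicitly because its output is read
    # below; the `needs` context only exposes direct dependencies.
    needs:
      - wait-for-n2-epoch
      - partner-chain-ready
    runs-on: eks
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup tests
        uses: ./.github/actions/tests/setup-python
        env:
          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
          kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
          K8S_SERVER: ${{ secrets.K8S_SERVER }}
          K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
      - name: Run all tests (no skipped tests)
        uses: ./.github/actions/tests/run-e2e-tests
        env:
          DEPLOYMENT_MC_EPOCH: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
        with:
          blockchain: substrate
          env: staging
          decrypt: true
          latest_mc_epoch: true
          markers: "not active_flow and not passive_flow"
          # Expression, not `$DEPLOYMENT_MC_EPOCH`: `with:` values are not shell-expanded.
          deployment_mc_epoch: ${{ needs.partner-chain-ready.outputs.deployment_mc_epoch }}
          threads: 1

  # --- public release ---------------------------------------------------------
  # `!cancelled()` instead of `always()`: the job must still be evaluated when
  # the test jobs were skipped (`no-tests`), but not fire on a cancelled run.
  publish:
    if: ${{ !cancelled() && github.event.inputs.no-release != 'true' && github.event.inputs.no-public != 'true' && (github.event.inputs.no-tests == 'true' || needs.run-all-tests-on-n2-epoch.result == 'success') }}
    permissions:
      id-token: write
      contents: write
      packages: write
    needs:
      - artifacts-ready
      - run-all-tests-on-n2-epoch
    runs-on: ubuntu-latest
    steps:
      - name: Trigger Publish Workflow
        # The token and the dispatch inputs reach the shell through env rather
        # than `${{ }}` interpolation: `sha`, `tag` and the ref are
        # caller-supplied strings and must not be spliced into script text or
        # into a hand-built JSON body. jq builds the body with proper escaping,
        # and `-f` fails the step when the API rejects the dispatch instead of
        # leaving it green.
        env:
          PUBLISH_TOKEN: ${{ secrets.ACTIONS_PUBLISH_PAT }}
          REPOSITORY: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
          INPUT_SHA: ${{ inputs.sha }}
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          set -euo pipefail
          payload=$(jq -nc --arg ref "$REF_NAME" --arg sha "$INPUT_SHA" --arg tag "$INPUT_TAG" \
            '{ref: $ref, inputs: {sha: $sha, tag: $tag}}')
          curl -fsS -X POST \
            -H "Authorization: token $PUBLISH_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/$REPOSITORY/actions/workflows/publish.yml/dispatches" \
            -d "$payload"

  # deploy-staging-preprod:
  #   if: ${{ github.event.inputs.no-deploy != 'true' }}
  #   permissions:
  #     id-token: write
  #     contents: write
  #   needs: run-all-tests-on-n2-epoch
  #   runs-on: eks
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v4
  #     - name: Deploy staging-preprod
  #       uses: ./.github/actions/deploy-staging-preprod
  #       with:
  #         image: ${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node:${{ inputs.sha }}
  #         chain-spec-secret: ${{ inputs.chain-spec-secret }}
  #         no-wipe: ${{ github.event.inputs.no-wipe || 'false' }}
  #       env:
  #         AWS_REGION: "eu-central-1"
  #         SSH_AUTH_SOCK: /tmp/ssh_agent.sock
  #         ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
  #         AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_ROLE_ARN_SECRET }}
  #         ECR_REGISTRY_SECRET: ${{ secrets.ECR_REGISTRY_SECRET }}
  #         kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
  #         K8S_SERVER: ${{ secrets.K8S_SERVER }}
  #         K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}
  #
  # staging-preprod-tests:
  #   if: ${{ github.event.inputs.no-tests != 'true' }}
  #   permissions:
  #     id-token: write
  #     contents: write
  #   needs: deploy-staging-preprod
  #   runs-on: eks
  #   steps:
  #     - name: Checkout
  #       uses: actions/checkout@v4
  #     - name: Run Tests
  #       uses: ./.github/actions/tests/staging-preprod-tests
  #       with:
  #         node-host: staging-preprod-validator-1.staging-preprod.svc.cluster.local
  #         node-port: 9933
  #       env:
  #         SSH_AUTH_SOCK: /tmp/ssh_agent.sock
  #         AWS_ROLE_ARN_: ${{ secrets.AWS_ROLE_ARN_ }}
  #         SSH_KEY_BINARY_HOST: ${{ secrets.SSH_KEY_BINARY_HOST }}
  #         SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
  #         JIRA_URL: ${{ secrets.JIRA_URL }}
  #         ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
  #         kubeconfig_base64: ${{ secrets.kubeconfig_base64 }}
  #         K8S_SERVER: ${{ secrets.K8S_SERVER }}
  #         K8S_SA_TOKEN: ${{ secrets.K8S_SA_TOKEN }}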