Skip to content

Commit

Permalink
Merge pull request #6452 from smartcontractkit/release/1.3.0-rc5
Browse files Browse the repository at this point in the history
1.3.0-rc5 -> master
  • Loading branch information
chainchad authored Apr 18, 2022
2 parents 5e927eb + 1971bc9 commit a2d6c4b
Show file tree
Hide file tree
Showing 535 changed files with 25,609 additions and 6,812 deletions.
7 changes: 5 additions & 2 deletions .dockerignore
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,14 @@ tmp/

contracts/node_modules
examples/
integration/node_modules

integration/
integration-scripts/
integration-tests/

tools/gethnet/datadir/geth
tools/clroot/db.bolt
tools/clroot/*.jsonl
tools/clroot/*.log
tools/clroot/tempkeys

core/sgx/target/
Expand Down
113 changes: 93 additions & 20 deletions .github/actions/build-sign-publish-chainlink/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,13 +38,18 @@ inputs:
description: When set to the string boolean value of "true", the resulting build image will be signed
default: "false"
required: false

cosign-private-key:
description: The private key to be used with cosign to sign the image
required: false

cosign-password:
description: The password to decrypt the cosign private key needed to sign the image
sign-method:
description: Build image will be signed using keypair or keyless methods
default: "keypair"
required: true
verify-signature:
description: When set to the string boolean value of "true", the resulting build image signature will be verified
default: "false"
required: false

runs:
Expand All @@ -65,7 +70,6 @@ runs:
SHARED_BUILD_ARGS=$(cat << EOF
COMMIT_SHA=${{ github.sha }}
ENVIRONMENT=release
EOF
)
Expand Down Expand Up @@ -108,19 +112,26 @@ runs:
images: ${{ env.shared-images }}
tags: ${{ env.shared-tag-list }}


- name: Build and push root docker image
id: buildpush-root
uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 # v2.7.0
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
with:
push: ${{ inputs.publish }}
load: ${{ contains(inputs.publish, false) }}
tags: ${{ steps.meta-root.outputs.tags }}
labels: ${{ steps.meta-root.outputs.labels }}
file: core/chainlink.Dockerfile
build-args: |
CHAINLINK_USER=root
${{ env.shared-build-args }}
- name: Save root image name in GITHUB_ENV
id: save-root-image-name-env
shell: sh
run: |
IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
echo "root_image_name=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)" >> $GITHUB_ENV
- name: Generate docker metadata for non-root image
id: meta-nonroot
uses: docker/metadata-action@e5622373a38e60fb6d795a4421e56882f2d7a681 # v3.6.2
Expand All @@ -134,46 +145,108 @@ runs:

- name: Build and push non-root docker image
id: buildpush-nonroot
uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 # v2.7.0
uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0
with:
push: ${{ inputs.publish }}
load: ${{ contains(inputs.publish, false) }}
tags: ${{ steps.meta-nonroot.outputs.tags }}
labels: ${{ steps.meta-nonroot.outputs.labels }}
file: core/chainlink.Dockerfile
build-args: |
CHAINLINK_USER=chainlink
${{ env.shared-build-args }}
- name: Save non-root image name in GITHUB_ENV
id: save-non-root-image-name-env
shell: sh
run: |
IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
echo "nonroot_image_name=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)" >> $GITHUB_ENV
- name: Check if non-root image runs as root
id: check-nonroot-runs-root
shell: sh
env:
PUBLISH: ${{ inputs.publish }}
run: |
echo "Fail build if non-root image runs as user: root"
# if we're publishing the image, it doesn't get loaded into the local docker daemon
# so we need to pull the image into our daemon
if [ $PUBLISH = "true" ]; then
docker pull "${nonroot_image_name}"
fi
docker inspect "${nonroot_image_name}" | jq -r '.[].Config.User' | ( ! grep "root" )
- if: inputs.sign-images == 'true'
name: Install cosign
uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 # v1.4.0
with:
cosign-release: 'v1.4.0'

- if: inputs.sign-images == 'true'
name: Write signing key to disk (only needed for `cosign sign --key`)
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
name: Sign the published root Docker image using keypair method
shell: sh
run: echo "${{ inputs.cosign-private-key }}" > cosign.key
env:
COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
run: |
echo "${{ inputs.cosign-private-key }}" > cosign.key
cosign sign --key cosign.key "${{ env.root_image_name }}"
rm -f cosign.key
- if: inputs.sign-images == 'true'
name: Sign the published root Docker image
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
name: Verify the signature of the published root Docker image using keypair
shell: sh
run: |
echo "${{ inputs.cosign-public-key }}" > cosign.key
cosign verify --key cosign.key "${{ env.root_image_name }}"
rm -f cosign.key
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
name: Sign the published root Docker image using keyless method
shell: sh
env:
COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
COSIGN_EXPERIMENTAL: 1
run: |
IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
cosign sign "${{ env.root_image_name }}"
cosign sign --key cosign.key "$IMAGE_NAME"
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
name: Verify the signature of the published root Docker image using keyless
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify "${{ env.root_image_name }}"
- if: inputs.sign-images == 'true'
name: Sign the published non-root Docker image
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
name: Sign the published non-root Docker image using keypair method
shell: sh
env:
COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
run: |
IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-nonroot.outputs.metadata)['image.name'] }}
IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
echo "${{ inputs.cosign-private-key }}" > cosign.key
cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
rm -f cosign.key
cosign sign --key cosign.key "$IMAGE_NAME"
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
name: Verify the signature of the published non-root Docker image using keypair
shell: sh
run: |
echo "${{ inputs.cosign-public-key }}" > cosign.key
cosign verify --key cosign.key "${{ env.nonroot_image_name }}"
rm -f cosign.key
- if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
name: Sign the published non-root Docker image using keyless method
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign "${{ env.nonroot_image_name }}"
- if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
name: Verify the signature of the published non-root Docker image using keyless
shell: sh
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify "${{ env.nonroot_image_name }}"
5 changes: 5 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ updates:
schedule:
interval: monthly
open-pull-requests-limit: 10
ignore:
# Old versions are pinned for libocr.
- dependency-name: github.com/libp2p/go-libp2p-core
- dependency-name: github.com/libp2p/go-libp2p-peerstore
- dependency-name: github.com/multiformats/go-multiaddr
- package-ecosystem: npm
directory: '/'
schedule:
Expand Down
11 changes: 11 additions & 0 deletions .github/workflows/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# GitHub Workflows

## Required Checks and Path Filters

We want to run certain workflows only when certain file paths change. We can accomplish this with [path based filtering on GitHub actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore). The problem that we run into is that we have certain required checks on GitHub that will not run or pass if we have path based filtering that never executes the workflow.

The [solution that GitHub recommends](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#handling-skipped-but-required-checks) is to create a "dummy" workflow with the same workflow name and job names as the required workflow/jobs with the jobs running a command to simply exit zero immediately to indicate success.

### Solution

If your workflow is named `solidity.yml`, create a `solidity-paths-ignore.yml` file with the same workflow name, event triggers (except for the path filters, use `paths-ignore` instead of `paths`), same job names, and then in the steps feel free to echo a command or explicitly `exit 0` to make sure it passes. See the workflow file names with the `-paths-ignore.yml` suffix in this directory for examples.
5 changes: 3 additions & 2 deletions .github/workflows/build-custom.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ jobs:
ref: ${{ github.event.inputs.cl_ref }}
- uses: actions/setup-go@v2
with:
go-version: '1.17.2'
go-version: ~1.17
- name: Replace Solana deps manual flow
if: ${{ github.event.inputs.dep_solana_sha }}
run: |
Expand Down Expand Up @@ -99,6 +99,7 @@ jobs:
with:
context: .
file: core/chainlink.Dockerfile
build-args: COMMIT_SHA=${{ github.sha }},ENVIRONMENT=release
# comma separated like: KEY1=VAL1,KEY2=VAL2,...
build-args: COMMIT_SHA=${{ github.sha }}
tags: 795953128386.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/chainlink:custom.${{ github.sha }}
push: true
19 changes: 19 additions & 0 deletions .github/workflows/build-publish-release-ignore.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
##
# This workflow needs to be ran because `build-sign-publish-chainlink` is
# a required check but we do not want our release branches to build and
# publish images. Instead we use tags.
# If the workflow does not run, the required check will never pass.
##

name: 'Build Chainlink and Publish'

on:
push:
branches:
- release/*

jobs:
build-sign-publish-chainlink:
runs-on: ubuntu-latest
steps:
- run: 'echo "No job required"'
4 changes: 3 additions & 1 deletion .github/workflows/build-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ on:
branches:
- master
- develop
- 'release/*'

jobs:
build-sign-publish-chainlink:
Expand All @@ -29,5 +28,8 @@ jobs:
aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
aws-region: ${{ secrets.AWS_REGION }}
sign-images: true
sign-method: 'keypair'
cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosign-password: ${{ secrets.COSIGN_PASSWORD }}
verify-signature: true
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
name: CI
name: CI Core

on: [push]
on: push

jobs:
core:
strategy:
fail-fast: false
matrix:
cmd: ['go_core_tests', 'go_core_race_tests']
cmd: ["go_core_tests", "go_core_race_tests"]
name: Core Tests
runs-on: ubuntu-latest
env:
Expand Down Expand Up @@ -35,7 +35,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: ^1.17
go-version: ~1.17
- name: Cache Go vendor packages
uses: actions/cache@v2
with:
Expand Down Expand Up @@ -67,30 +67,3 @@ jobs:
with:
args: logs ${{ job.services.postgres.id }}

prepublish_npm:
name: Prepublish NPM
runs-on: ubuntu-latest
steps:
- name: Checkout the repo
uses: actions/checkout@v2
- name: Setup node
uses: actions/setup-node@v2
with:
node-version: "16"
- name: Yarn cache
uses: actions/cache@v2
env:
cache-name: yarn-cache
with:
path: |
~/.npm
~/.cache
**/node_modules
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-
${{ runner.os }}-build-
${{ runner.os }}-
- run: yarn install --frozen-lockfile
- name: Run prepublish NPM test
run: ./tools/ci/prepublish_npm_test
4 changes: 2 additions & 2 deletions .github/workflows/code-quality.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ name: Code Quality
on:
push:
branches:
- auto
- try
- staging
- trying
- rollup
pull_request:

Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ on:
push:
branches:
- develop
- auto
- try
- staging
- trying
- rollup
pull_request:
# The branches below must be a subset of the branches above
Expand Down Expand Up @@ -33,7 +33,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: ^1.17
go-version: ~1.17

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
Expand Down
24 changes: 24 additions & 0 deletions .github/workflows/dependency-check-paths-ignore.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
##
# This workflow needs to be ran in case it is a required check and
# we conditionally only run the `dependency-check` workflow when certain
# paths change.
# If the workflow does not run, and it is ever marked as required,
# then the check will never pass.
# This is GitHub's workaround:
# https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/troubleshooting-required-status-checks#example
##

name: Dependency Vulnerability Check

on:
push:
paths-ignore:
- '**/go.mod'
- '**/go.sum'
jobs:
Go:
runs-on: ubuntu-latest
steps:
- run: 'echo "No job required" '


Loading

0 comments on commit a2d6c4b

Please sign in to comment.