DVT-1200 configure pipeline for polycli docker deployment (#189)

* configure pipeline for polycli docker and dpkg deployment * change names for pipelines to make it clear * add to secrets * make sure vars is reachable * fix: FROM scratch * Update .github/workflows/build-docker.yml Co-authored-by: Léo Vincent <[email protected]> * Update .github/workflows/build-docker.yml Co-authored-by: Léo Vincent <[email protected]> * Update .github/workflows/build-package.yml Co-authored-by: Léo Vincent <[email protected]> * Update .github/workflows/build-package.yml Co-authored-by: Léo Vincent <[email protected]> * Update .github/workflows/build-docker.yml Co-authored-by: Léo Vincent <[email protected]> * Update .github/workflows/build-package.yml Co-authored-by: Léo Vincent <[email protected]> * fix: RUN CGO_ENABLED=0 * fix: retry with beta command installation * fix: install local-extract * Update Dockerfile Co-authored-by: Léo Vincent <[email protected]> * leo commit * revert directory docker * remove scan vulnerabilities * this works * final push * skip signing for now --------- Co-authored-by: Léo Vincent <[email protected]>
0xPolygon · Jan 25, 2024 · 8439087 · 8439087
1 parent d207baf
commit 8439087
Show file tree

Hide file tree

Showing 7 changed files with 198 additions and 3 deletions.
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -0,0 +1,69 @@
+name: "Build Pipeline (Docker)"
+
+on:
+  push:
+    branches:
+      - jesse/pipeline-deploy
+      - main
+
+env:
+  IMAGE_NAME: "${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ secrets.DOCKER_REPOSITORY }}/polygon-cli"
+
+  ATTESTOR_PROJECT_ID: ${{ vars.PROJECT_ID }}
+  KEY_RING: "jesse-artifacts-ring"
+  KEY: "jesse-artifacts-binary-auth-key"
+  ATTESTOR: "jesse-artifacts-attestor"
+
+jobs:
+  build-pipeline-docker:
+    name: Build, push, scan, and sign Docker image
+    permissions:
+      contents: "write"
+      id-token: "write"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: "access_token"
+          workload_identity_provider: "${{ secrets.WIF_PROVIDER }}" # this was hard to find: WIP --> Expand pool --> Click pencil icon"
+          service_account: "${{ secrets.WIF_SERVICE_ACCOUNT }}"
+
+      - name: Docker Auth
+        id: docker-auth
+        uses: docker/login-action@v3
+        with:
+          username: "oauth2accesstoken"
+          password: "${{ steps.auth.outputs.access_token }}"
+          registry: "${{ vars.GAR_LOCATION }}-docker.pkg.dev"
+
+      - name: Build and Push Docker Image to GCP Artifact Registry
+        run: |-
+          docker build -t "${{ env.IMAGE_NAME }}:${{ github.sha }}" .
+          docker push "${{ env.IMAGE_NAME }}:${{ github.sha }}"
+
+      - name: "Set up Cloud SDK"
+        uses: google-github-actions/setup-gcloud@v2
+
+      # - name: Sign the docker image
+      #   run: |-
+      #     export CLOUDSDK_CORE_DISABLE_PROMPTS=1
+      #     gcloud components install beta --quiet
+
+      #     DIGEST=$(gcloud container images describe ${{ env.IMAGE_NAME }}:${{ github.sha }} --format='get(image_summary.digest)')
+
+      #     gcloud beta container binauthz attestations sign-and-create \
+      #         --artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \
+      #         --attestor="${{ env.ATTESTOR }}" \
+      #         --attestor-project="${{ env.ATTESTOR_PROJECT_ID }}" \
+      #         --keyversion-project="${{ env.ATTESTOR_PROJECT_ID }}" \
+      #         --keyversion-location="${{ vars.GAR_LOCATION }}" \
+      #         --keyversion-keyring="${{ env.KEY_RING }}" \
+      #         --keyversion-key="${{ env.KEY }}" \
+      #         --keyversion="1"
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
@@ -0,0 +1,81 @@
+name: "Build Pipeline (Debian)"
+
+on:
+  push:
+    branches:
+      - jesse/pipeline-deploy
+      - main
+
+jobs:
+  build-pipeline-apt:
+    name: Build and upload APT package
+    permissions:
+      contents: "write"
+      id-token: "write"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Adding TAG to ENV
+        run: echo "GIT_TAG=`echo $(git describe --tags --abbrev=0)`" >> $GITHUB_ENV
+
+      - name: Building for amd64
+        run: make build
+
+      - name: Making directory structure
+        run: mkdir -p packaging/deb/polycli/usr/bin
+
+      - name: Copying necessary files
+        run: cp -rp out/polycli packaging/deb/polycli/usr/bin/
+
+      - name: Copying control file
+        run: |
+          VERSION="0-${{ github.sha }}"
+          cp -rp packaging/templates/package_scripts/control packaging/deb/polycli/DEBIAN/control
+          sed -i "s/^Version: .*/Version: $VERSION/" packaging/deb/polycli/DEBIAN/control
+
+      - name: Creating package for binary for polycli ${{ env.ARCH }}
+        run: cp -rp packaging/deb/polycli packaging/deb/polycli-${{ env.GIT_TAG }}-${{ env.ARCH }}-${{ github.sha }}
+        env:
+          ARCH: amd64
+
+      - name: Running package build
+        run: dpkg-deb --build --root-owner-group packaging/deb/polycli-${{ env.GIT_TAG }}-${{ env.ARCH }}-${{ github.sha }}
+        env:
+          ARCH: amd64
+
+      - name: Removing the polycli binary
+        run: rm -rf packaging/deb/polycli/usr/bin/polycli
+
+#######################################
+
+      - name: Google Auth
+        id: auth
+        uses: google-github-actions/auth@v2
+        with:
+          token_format: "access_token"
+          workload_identity_provider: "${{ secrets.WIF_PROVIDER }}" # this was hard to find: WIP --> Expand pool --> Click pencil icon
+          service_account: "${{ secrets.WIF_SERVICE_ACCOUNT }}"
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Check pwd
+        run: pwd
+
+      - name: Check files
+        run: ls -ltr packaging/deb/ | grep polycli
+
+      - id: gcloud
+        name: gcloud
+        run: |-
+          gcloud config set artifacts/repository ${{ secrets.APT_REPOSITORY }}
+          gcloud config set artifacts/location ${{ vars.GAR_LOCATION }}
+          gcloud config set project ${{ vars.PROJECT_ID }}
+          gcloud artifacts apt upload ${{ secrets.APT_REPOSITORY }} --source=packaging/deb/polycli-${{ env.GIT_TAG }}-${{ env.ARCH }}-${{ github.sha }}.deb
+        env:
+          ARCH: amd64
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,13 @@
+FROM golang:1.21 as builder
+WORKDIR /go/src/app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 make build
+
+FROM scratch
+WORKDIR /
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=builder /go/src/app/out/polycli /usr/bin/polycli
+ENTRYPOINT ["polycli"]
+CMD ["--help"]
diff --git a/go.mod b/go.mod
@@ -103,7 +103,7 @@ require (
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.2.0 // indirect
-	github.com/multiformats/go-multiaddr v0.11.0 // indirect
+	github.com/multiformats/go-multiaddr v0.12.1 // indirect
 	github.com/multiformats/go-multibase v0.2.0 // indirect
 	github.com/multiformats/go-multicodec v0.9.0 // indirect
 	github.com/multiformats/go-multihash v0.2.3 // indirect

diff --git a/go.sum b/go.sum
@@ -360,8 +360,8 @@ github.com/multiformats/go-base32 v0.1.0 h1:pVx9xoSPqEIQG8o+UbAe7DNi51oej1NtK+aG
 github.com/multiformats/go-base32 v0.1.0/go.mod h1:Kj3tFY6zNr+ABYMqeUNeGvkIC/UYgtWibDcT0rExnbI=
 github.com/multiformats/go-base36 v0.2.0 h1:lFsAbNOGeKtuKozrtBsAkSVhv1p9D0/qedU9rQyccr0=
 github.com/multiformats/go-base36 v0.2.0/go.mod h1:qvnKE++v+2MWCfePClUEjE78Z7P2a1UV0xHgWc0hkp4=
-github.com/multiformats/go-multiaddr v0.11.0 h1:XqGyJ8ufbCE0HmTDwx2kPdsrQ36AGPZNZX6s6xfJH10=
-github.com/multiformats/go-multiaddr v0.11.0/go.mod h1:gWUm0QLR4thQ6+ZF6SXUw8YjtwQSPapICM+NmCkxHSM=
+github.com/multiformats/go-multiaddr v0.12.1 h1:vm+BA/WZA8QZDp1pF1FWhi5CT3g1tbi5GJmqpb6wnlk=
+github.com/multiformats/go-multiaddr v0.12.1/go.mod h1:7mPkiBMmLeFipt+nNSq9pHZUeJSt8lHBgH6yhj0YQzE=
 github.com/multiformats/go-multibase v0.2.0 h1:isdYCVLvksgWlMW9OZRYJEa9pZETFivncJHmHnnd87g=
 github.com/multiformats/go-multibase v0.2.0/go.mod h1:bFBZX4lKCA/2lyOFSAoKH5SS6oPyjtnzK/XTFDPkNuk=
 github.com/multiformats/go-multicodec v0.9.0 h1:pb/dlPnzee/Sxv/j4PmkDRxCOi3hXTz3IbPKOXWJkmg=

diff --git a/packaging/deb/polycli/DEBIAN/README.md b/packaging/deb/polycli/DEBIAN/README.md
@@ -0,0 +1,20 @@
+# Debian
+
+
+
+For debian packages you will need to add the following layouts during the build
+
+
+
+polycli/
+   DEBIAN/control
+   /usr/bin/polycli
+
+This will be wrapped during the build package process building
+
+
+Note this is still a work in progress:
+
+TODO: removal/purge on removal using dpkg
+      cleanup of control files to list what we want
+      copyright inclusion
diff --git a/packaging/templates/package_scripts/control b/packaging/templates/package_scripts/control
@@ -0,0 +1,12 @@
+Source: polygon-cli
+Version: 0.3.5-beta
+Section: main
+Priority: standard
+Maintainer: Polygon <[email protected]>
+Build-Depends: debhelper-compat (= 13)
+Package: polygon-cli
+Rules-Requires-Root: yes
+Architecture: amd64
+Multi-Arch: foreign
+Depends:
+Description: A Swiss Army knife of blockchain tools (from Polygon Technology).