Snapshot build #201
# Builds container images and executables for the farmer and the node. The workflow can be
# started manually or by release creation (a pushed `snapshot-*` / `gemini-*` tag).
#
# Container images are only pushed to GitHub Container Registry for releases.
# NOTE(review): the image build step in the `container-linux` job sets `push: true` without a
# condition, so manually started runs appear to push as well; confirm which behaviour is intended.
# Executables are built for releases and for manually triggered runs alike; they are uploaded
# to artifacts and assets.
name: Snapshot build

on:
  workflow_dispatch:
  push:
    tags:
      - 'snapshot-*'
      - 'gemini-*'

# Incremental compilation here isn't helpful
env:
  CARGO_INCREMENTAL: 0
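jobs:
  # Builds one container image per (image, platform) combination and pushes it to ghcr.io.
  container-linux:
    runs-on: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || 'ubuntu-22.04') }}
    # NOTE(review): no step in this job visibly writes repository contents; `contents: write`
    # may be broader than required. Confirm whether `contents: read` is enough here.
    permissions:
      contents: write
      packages: write
    strategy:
      matrix:
        image:
          - farmer
          - node
          - bootstrap-node
        platform:
          - arch: linux/amd64
            dockerfile-suffix: ""
            suffix: ubuntu-x86_64-${{ github.ref_name }}
            image-suffix: ""
            rustflags: "-C target-cpu=skylake"
          # We build AArch64
          # NOTE(review): `arch` stays linux/amd64 for this entry; presumably the `.aarch64`
          # Dockerfile cross-compiles on an x86-64 host. Confirm against that Dockerfile.
          - arch: linux/amd64
            dockerfile-suffix: ".aarch64"
            suffix: ubuntu-aarch64-${{ github.ref_name }}
            image-suffix: "-aarch64"
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # @v2.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # @v2.2.1
      # Authenticates with the workflow token; pushing relies on `packages: write` above.
      - name: Log into registry
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # @v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      # Derives image tags from the git tag, the branch and the full commit SHA; `latest` is
      # never applied, and the platform's image suffix is appended to every tag.
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # @v4.1.1
        with:
          images: |
            ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
          tags: |
            type=ref,event=tag
            type=ref,event=branch
            type=sha,format=long
          flavor: |
            latest=false
            suffix=${{ matrix.platform.image-suffix }}
      # `push: true` carries no condition, so every run of this job publishes the image.
      - name: Build and push ${{ matrix.image }} image
        uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # @v3.2.0
        with:
          file: Dockerfile-${{ matrix.image }}${{ matrix.platform.dockerfile-suffix }}
          platforms: ${{ matrix.platform.arch }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }}
            RUSTFLAGS=${{ matrix.platform.rustflags }}

  # Builds, signs (macOS and Windows) and uploads the farmer and node executables per target.
  # NOTE(review): the job declares no `permissions:` block, so the token scope comes from the
  # repository default, while the asset upload at the end needs write access to release
  # contents. Consider declaring the required scope explicitly.
  executables:
    strategy:
      matrix:
        build:
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || 'ubuntu-20.04') }}
            target: x86_64-unknown-linux-gnu
            suffix: ubuntu-x86_64-skylake-${{ github.ref_name }}
            rustflags: "-C target-cpu=skylake"
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || 'ubuntu-20.04') }}
            target: x86_64-unknown-linux-gnu
            suffix: ubuntu-x86_64-v2-${{ github.ref_name }}
            rustflags: "-C target-cpu=x86-64-v2"
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || 'ubuntu-20.04') }}
            target: aarch64-unknown-linux-gnu
            suffix: ubuntu-aarch64-${{ github.ref_name }}
            # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
            #  at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
            rustflags: "-C linker=aarch64-linux-gnu-gcc --cfg aes_armv8"
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "macos-12-arm64"]' || 'macos-12') }}
            target: aarch64-apple-darwin
            suffix: macos-aarch64-${{ github.ref_name }}
            # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
            #  at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
            rustflags: "--cfg aes_armv8"
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "macos-12-arm64"]' || 'macos-12') }}
            target: x86_64-apple-darwin
            suffix: macos-x86_64-${{ github.ref_name }}
            rustflags: ""
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "windows-server-2022-x86-64"]' || 'windows-2022') }}
            target: x86_64-pc-windows-msvc
            suffix: windows-x86_64-skylake-${{ github.ref_name }}
            rustflags: "-C target-cpu=skylake"
          - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "windows-server-2022-x86-64"]' || 'windows-2022') }}
            target: x86_64-pc-windows-msvc
            suffix: windows-x86_64-v2-${{ github.ref_name }}
            rustflags: "-C target-cpu=x86-64-v2"
    runs-on: ${{ matrix.build.os }}
    env:
      PRODUCTION_TARGET: target/${{ matrix.build.target }}/production
      RUSTFLAGS: ${{ matrix.build.rustflags }}
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0

      # On macOS, we need a proper Clang version, not Apple's custom version without wasm32 support
      # TODO: on macOS, the consensus/domain runtime build is not compatible with LLVM 15.0.7 and
      #  LLVM 15.0.{3, 4, 5, 6} is not released for macOS thus install LLVM 15.0.2 explicitly as a
      #  temporary workaround, and remove once incompatible is fixed.
      - name: Install LLVM and Clang for macOS
        uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3
        with:
          version: "15.0.2"
        if: runner.os == 'macOS'

      # TODO: on Linux and Windows, the consensus/domain runtime build is not compatible with LLVM 16,
      #  thus install LLVM 15 explicitly as a temporary workaround, and remove once incompatible is fixed.
      - name: Install LLVM and Clang for Linux and Windows
        uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3
        with:
          version: "15.0"
        if: runner.os != 'macOS'

      - name: Install Protoc
        uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}

      # Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll
      - name: Remove msys64
        run: Remove-Item -LiteralPath "C:\msys64\" -Force -Recurse
        if: runner.os == 'Windows'
        # Doesn't exist on self-hosted runners
        continue-on-error: true

      - name: AArch64 cross-compile packages
        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libc6-dev-arm64-cross
        if: matrix.build.target == 'aarch64-unknown-linux-gnu'

      - name: Build farmer
        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
        with:
          command: build
          args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --bin subspace-farmer

      - name: Build node
        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
        with:
          command: build
          args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --bin subspace-node

      # Signs and notarizes the macOS binaries.
      # Secrets are handed to the script as environment variables instead of being expanded into
      # the script text, so the shell treats their contents as data and never parses them as code.
      # NOTE(review): `brew install mitchellh/gon/gon` pulls an unpinned third-party tool into the
      # step that holds the signing credentials; consider pinning or verifying it. The archive is
      # also submitted twice (gon, then notarytool); confirm both are needed.
      # NOTE(review): `build.keychain` is created and made the default but never removed; on a
      # persistent self-hosted runner it would outlive the job. Confirm how runners are recycled.
      - name: Sign Application (macOS)
        if: runner.os == 'macOS'
        # Allow code signing to fail on non-release builds and in non-subspace repos (forks)
        continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PW: ${{ secrets.MACOS_CERTIFICATE_PW }}
          MACOS_IDENTITY: ${{ secrets.MACOS_IDENTITY }}
          MACOS_BUNDLE_ID: ${{ secrets.MACOS_BUNDLE_ID }}
          MACOS_APPLE_ID: ${{ secrets.MACOS_APPLE_ID }}
          MACOS_APP_PW: ${{ secrets.MACOS_APP_PW }}
          MACOS_TEAM_ID: ${{ secrets.MACOS_TEAM_ID }}
        run: |
          # The decoded certificate and the gon config (it holds the Apple ID password) must not
          # stay in the workspace, whichever way the script exits
          trap 'rm -f certificate.p12 gon.hcl' EXIT

          echo "Importing certificate"
          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p "$MACOS_CERTIFICATE_PW" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$MACOS_CERTIFICATE_PW" build.keychain
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PW" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CERTIFICATE_PW" build.keychain
          echo "Signing farmer"
          codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "$MACOS_IDENTITY" --timestamp ${{ env.PRODUCTION_TARGET }}/subspace-farmer
          echo "Signing node"
          codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "$MACOS_IDENTITY" --timestamp ${{ env.PRODUCTION_TARGET }}/subspace-node
          echo "Creating an archive"
          mkdir ${{ env.PRODUCTION_TARGET }}/macos-binaries
          cp ${{ env.PRODUCTION_TARGET }}/subspace-farmer ${{ env.PRODUCTION_TARGET }}/subspace-node ${{ env.PRODUCTION_TARGET }}/macos-binaries
          ditto -c -k --rsrc ${{ env.PRODUCTION_TARGET }}/macos-binaries subspace-binaries.zip
          echo "Notarizing"
          brew update
          brew install mitchellh/gon/gon
          cat << EOF > gon.hcl
          source = ["subspace-binaries.zip"]
          bundle_id = "${MACOS_BUNDLE_ID}"
          sign {
            application_identity = "${MACOS_IDENTITY}"
          }
          apple_id {
            username = "${MACOS_APPLE_ID}"
            password = "${MACOS_APP_PW}"
          }
          EOF
          gon -log-level=info -log-json gon.hcl
          # Notarize the ZIP using notarytool
          xcrun notarytool submit subspace-binaries.zip --apple-id "$MACOS_APPLE_ID" --password "$MACOS_APP_PW" --team-id "$MACOS_TEAM_ID" --wait
          # // todo stapling for macOS artifacts
          # Staple the zip package
          # xcrun stapler staple subspace-binaries.zip
          echo "Done!"

      # Signs the Windows binaries with a certificate held in Azure Key Vault.
      # Secrets arrive as environment variables; the `${env:NAME}` form assumes the runner's
      # default PowerShell shell (no `shell:` override is visible in this job).
      # NOTE(review): the client secret is still passed to AzureSignTool as a command-line
      # argument, so it is visible to other processes on the runner while the tool runs.
      - name: Sign Application (Windows)
        if: runner.os == 'Windows'
        # Allow code signing to fail on non-release builds and in non-subspace repos (forks)
        continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
        run: |
          AzureSignTool sign --azure-key-vault-url "${env:AZURE_KEY_VAULT_URI}" --azure-key-vault-client-id "${env:AZURE_CLIENT_ID}" --azure-key-vault-client-secret "${env:AZURE_CLIENT_SECRET}" --azure-key-vault-tenant-id "${env:AZURE_TENANT_ID}" --azure-key-vault-certificate "${env:AZURE_CERT_NAME}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v "${{ env.PRODUCTION_TARGET }}/subspace-farmer.exe"
          AzureSignTool sign --azure-key-vault-url "${env:AZURE_KEY_VAULT_URI}" --azure-key-vault-client-id "${env:AZURE_CLIENT_ID}" --azure-key-vault-client-secret "${env:AZURE_CLIENT_SECRET}" --azure-key-vault-tenant-id "${env:AZURE_TENANT_ID}" --azure-key-vault-certificate "${env:AZURE_CERT_NAME}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v "${{ env.PRODUCTION_TARGET }}/subspace-node.exe"

      # The artifact suffix embeds `github.ref_name` (a tag or branch name chosen by whoever
      # pushed it), so the three "Prepare" steps read it from the environment and quote it
      # rather than splicing it into the script text.
      - name: Prepare executables for uploading (Ubuntu)
        if: runner.os == 'Linux'
        env:
          ARTIFACT_SUFFIX: ${{ matrix.build.suffix }}
        run: |
          mkdir executables
          mv ${{ env.PRODUCTION_TARGET }}/subspace-farmer "executables/subspace-farmer-${ARTIFACT_SUFFIX}"
          mv ${{ env.PRODUCTION_TARGET }}/subspace-node "executables/subspace-node-${ARTIFACT_SUFFIX}"

      - name: Prepare executables for uploading (macOS)
        if: runner.os == 'macOS'
        env:
          ARTIFACT_SUFFIX: ${{ matrix.build.suffix }}
        run: |
          mkdir executables
          mv ${{ env.PRODUCTION_TARGET }}/subspace-farmer "executables/subspace-farmer-${ARTIFACT_SUFFIX}"
          mv ${{ env.PRODUCTION_TARGET }}/subspace-node "executables/subspace-node-${ARTIFACT_SUFFIX}"
          # Zip it so that signature is not lost
          ditto -c -k --rsrc "executables/subspace-farmer-${ARTIFACT_SUFFIX}" "executables/subspace-farmer-${ARTIFACT_SUFFIX}.zip"
          ditto -c -k --rsrc "executables/subspace-node-${ARTIFACT_SUFFIX}" "executables/subspace-node-${ARTIFACT_SUFFIX}.zip"
          rm "executables/subspace-farmer-${ARTIFACT_SUFFIX}"
          rm "executables/subspace-node-${ARTIFACT_SUFFIX}"

      - name: Prepare executables for uploading (Windows)
        if: runner.os == 'Windows'
        env:
          ARTIFACT_SUFFIX: ${{ matrix.build.suffix }}
        run: |
          mkdir executables
          move ${{ env.PRODUCTION_TARGET }}/subspace-farmer.exe "executables/subspace-farmer-${env:ARTIFACT_SUFFIX}.exe"
          move ${{ env.PRODUCTION_TARGET }}/subspace-node.exe "executables/subspace-node-${env:ARTIFACT_SUFFIX}.exe"

      # Always published as a workflow artifact; the step fails when nothing was produced.
      - name: Upload node and farmer executables to artifacts
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1
        with:
          name: executables-${{ matrix.build.suffix }}
          path: |
            executables/*
          if-no-files-found: error

      # Attached to the release only when the run was started by a tag push.
      - name: Upload node and farmer executables to assets
        uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0
        env:
          GITHUB_TOKEN: ${{ github.token }}
        with:
          asset_paths: '["executables/*"]'
        if: github.event_name == 'push' && github.ref_type == 'tag'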