Skip to content

ZXF: Deploy Production Release #4076

ZXF: Deploy Production Release

ZXF: Deploy Production Release #4076

##
# Copyright (C) 2022-2024 Hedera Hashgraph, LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
name: "ZXF: Deploy Production Release"
on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+-?*"
workflow_dispatch:
inputs:
ref:
required: true
description: "The github branch or tag that triggered the workflow"
author:
required: false
description: "The author of the commit"
default: ""
msg:
required: false
description: "The message on the head commit"
default: ""
sha:
required: false
description: "The commit ID of the commit that triggered the workflow"
default: ""
defaults:
run:
shell: bash
permissions:
id-token: write
contents: read
actions: read
jobs:
prepare-tag-release:
name: Prepare Release [Tag]
runs-on: network-node-linux-medium
if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
outputs:
version: ${{ steps.tag.outputs.version }}
prerelease: ${{ steps.tag.outputs.prerelease }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Install Semantic Version Tools
run: |
echo "::group::Download SemVer Binary"
sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver
echo "::endgroup::"
echo "::group::Change SemVer Binary Permissions"
sudo chmod -v +x /usr/local/bin/semver
echo "::endgroup::"
echo "::group::Show SemVer Binary Version Info"
semver --version
echo "::endgroup::"
- name: Extract Tag Version
id: tag
run: |
RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")"
PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")"
FINAL_VERSION="${RELEASE_VERSION}"
PRERELEASE_FLAG="false"
[[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}"
[[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true"
echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}"
echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}"
release-tag:
name: Release [Tag]
uses: ./.github/workflows/node-zxc-build-release-artifact.yaml
needs:
- prepare-tag-release
with:
version-policy: specified
new-version: ${{ needs.prepare-tag-release.outputs.version }}
trigger-env-deploy: none
release-profile: ${{ needs.prepare-tag-release.outputs.prerelease == 'true' && 'PrereleaseChannel' || 'MavenCentral' }}
secrets:
access-token: ${{ secrets.GITHUB_TOKEN }}
bucket-name: ${{ secrets.RELEASE_ARTIFACT_BUCKET_NAME }}
cdn-bucket-name: ${{ secrets.CDN_ARTIFACT_BUCKET_NAME }}
svcs-ossrh-username: ${{ secrets.SVCS_OSSRH_USERNAME }}
svcs-ossrh-password: ${{ secrets.SVCS_OSSRH_PASSWORD }}
svcs-gpg-key-contents: ${{ secrets.SVCS_GPG_KEY_CONTENTS }}
svcs-gpg-key-passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }}
sdk-ossrh-username: ${{ secrets.PLATFORM_OSSRH_USERNAME }}
sdk-ossrh-password: ${{ secrets.PLATFORM_OSSRH_PASSWORD }}
sdk-gpg-key-contents: ${{ secrets.PLATFORM_GPG_KEY_CONTENTS }}
sdk-gpg-key-passphrase: ${{ secrets.PLATFORM_GPG_KEY_PASSPHRASE }}
slack-webhook-url: ${{ secrets.PLATFORM_SLACK_RELEASE_WEBHOOK }}
jf-url: ${{ vars.JF_URL }}
jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }}
jf-user-name: ${{ vars.JF_USER_NAME }}
jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }}
release-branch:
name: Release [Branch]
uses: ./.github/workflows/node-zxc-build-release-artifact.yaml
if: ${{ github.event_name == 'workflow_dispatch' }}
with:
version-policy: branch-commit
trigger-env-deploy: integration
release-profile: DevelopCommit
secrets:
access-token: ${{ secrets.GITHUB_TOKEN }}
bucket-name: ${{ secrets.RELEASE_ARTIFACT_BUCKET_NAME }}
cdn-bucket-name: ${{ secrets.CDN_ARTIFACT_BUCKET_NAME }}
svcs-ossrh-username: ${{ secrets.SVCS_OSSRH_USERNAME }}
svcs-ossrh-password: ${{ secrets.SVCS_OSSRH_PASSWORD }}
svcs-gpg-key-contents: ${{ secrets.SVCS_GPG_KEY_CONTENTS }}
svcs-gpg-key-passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }}
sdk-ossrh-username: ${{ secrets.PLATFORM_OSSRH_USERNAME }}
sdk-ossrh-password: ${{ secrets.PLATFORM_OSSRH_PASSWORD }}
sdk-gpg-key-contents: ${{ secrets.PLATFORM_GPG_KEY_CONTENTS }}
sdk-gpg-key-passphrase: ${{ secrets.PLATFORM_GPG_KEY_PASSPHRASE }}
slack-webhook-url: ${{ secrets.PLATFORM_SLACK_RELEASE_WEBHOOK }}
jf-url: ${{ vars.JF_URL }}
jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }}
jf-user-name: ${{ vars.JF_USER_NAME }}
jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }}
deploy-ci-trigger:
name: Trigger CI Flows
runs-on: network-node-linux-medium
needs:
- release-branch
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: '0'
ref: main
token: ${{ secrets.GH_ACCESS_TOKEN }}
- name: Check Prep XTS Job State
id: check-xts-job
if: ${{ needs.release-branch.result == 'success' }}
env:
GH_TOKEN: ${{ github.token }}
run: |
JOB_ENABLED="true"
JOB_STATE=$(gh workflow list --all --json name,state | jq -r '.[]|select(.name=="ZXF: Prepare Extended Test Suite")|.state')
[[ "${JOB_STATE}" == "disabled_manually" ]] && JOB_ENABLED="false"
echo "enabled=${JOB_ENABLED}" >> $GITHUB_OUTPUT
- name: Trigger ZXF Prepare Extended Test Suite
if: ${{ needs.release-branch.result == 'success' && steps.check-xts-job.outputs.enabled == 'true' }}
uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4
with:
workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml
repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org
ref: main # ensure we are always using the workflow definition from the main branch
token: ${{ secrets.GH_ACCESS_TOKEN }}
inputs: '{ "ref": "${{ inputs.ref }}" }'
- name: Check Integration Job State
id: check-integration-job
if: ${{ needs.release-branch.result == 'success' &&
(inputs.author != '' && inputs.msg != '' && inputs.sha != '') &&
!cancelled() }}
env:
GH_TOKEN: ${{ github.token }}
run: |
JOB_ENABLED="true"
JOB_STATE=$(gh workflow list --all --json name,state | jq -r '.[]|select(.name=="ZXF: [Node] Deploy Integration Network Release")|.state')
[[ "${JOB_STATE}" == "disabled_manually" ]] && JOB_ENABLED="false"
echo "enabled=${JOB_ENABLED}" >> $GITHUB_OUTPUT
- name: Trigger ZXF Deploy Integration
if: ${{ needs.release-branch.result == 'success' && steps.check-integration-job.outputs.enabled == 'true' &&
(inputs.author != '' && inputs.msg != '' && inputs.sha != '') &&
!cancelled() }}
uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4
with:
workflow: .github/workflows/node-zxf-deploy-integration.yaml
repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org
ref: main # ensure we are always using the workflow definition from the main branch
token: ${{ secrets.GH_ACCESS_TOKEN }}
inputs: '{
"ref": "${{ inputs.ref }}",
"author": "${{ inputs.author }}",
"msg": "${{ inputs.msg }}",
"sha": "${{ inputs.sha }}"
}'
update-hedera-protobufs:
name: Update Hedera Protobufs
runs-on: network-node-linux-medium
needs:
- prepare-tag-release
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout Hedera Services Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: ${{ secrets.GH_ACCESS_TOKEN }}
ref: main
fetch-depth: '0'
- name: Checkout Hedera Protobufs Code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
token: ${{ secrets.PROTOBUFS_GH_ACCESS_TOKEN }}
fetch-depth: '0'
repository: hashgraph/hedera-protobufs
path: hedera-protobufs
- name: Install rsync
run: sudo apt update && sudo apt -y install rsync
- name: Update the folders owned by Services
working-directory: hedera-protobufs
run: |
git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || true
git tag --delete v${{ needs.prepare-tag-release.outputs.version }} || true
rsync -a --delete ../hapi/hedera-protobufs/services/ services/
- name: Import GPG key for commit signoff
id: gpg_import
uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0
with:
gpg_private_key: ${{ secrets.PROTOBUFS_GPG_KEY_CONTENTS }}
passphrase: ${{ secrets.PROTOBUFS_GPG_KEY_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
- name: Add & Commit
uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
with:
cwd: 'hedera-protobufs'
author_name: swirlds-eng-automation
author_email: ${{ secrets.PROTOBUFS_GPG_USER_EMAIL }}
commit: --signoff
message: "ci: Copied recent protobuf changes from hedera-services"
new_branch: "update-recent-protobuf-changes-${{ github.run_number }}"
tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"'