infra/.circleci/continue_config.yml
Hamdi Allam dff24e9fca
op-txproxy: external validating proxy for conditional transactions (#42)
* txpool svc

* change mod github path

* tag-tool

* codeowners
2024-09-30 13:43:34 -07:00

643 lines
22 KiB
YAML

version: 2.1
orbs:
go: circleci/go@1.9.0
gcp-cli: circleci/gcp-cli@2.4.1
shellcheck: circleci/shellcheck@3.1.2
path-filtering: circleci/path-filtering@1.0.0
parameters:
run-build-op-conductor-mon:
type: boolean
default: false
run-build-op-signer:
type: boolean
default: false
run-build-op-txproxy:
type: boolean
default: false
run-build-op-ufm:
type: boolean
default: false
run-build-proxyd:
type: boolean
default: false
run-all:
type: boolean
default: false
commands:
gcp-oidc-authenticate:
description: "Authenticate with GCP using a CircleCI OIDC token."
parameters:
project_id:
type: env_var_name
default: GCP_PROJECT_ID
workload_identity_pool_id:
type: env_var_name
default: GCP_WIP_ID
workload_identity_pool_provider_id:
type: env_var_name
default: GCP_WIP_PROVIDER_ID
service_account_email:
type: env_var_name
default: GCP_SERVICE_ACCOUNT_EMAIL
gcp_cred_config_file_path:
type: string
default: /home/circleci/gcp_cred_config.json
oidc_token_file_path:
type: string
default: /home/circleci/oidc_token.json
steps:
- run:
name: "Create OIDC credential configuration"
command: |
# Store OIDC token in temp file
echo $CIRCLE_OIDC_TOKEN > << parameters.oidc_token_file_path >>
# Create a credential configuration for the generated OIDC ID Token
gcloud iam workload-identity-pools create-cred-config \
"projects/${<< parameters.project_id >>}/locations/global/workloadIdentityPools/${<< parameters.workload_identity_pool_id >>}/providers/${<< parameters.workload_identity_pool_provider_id >>}"\
--output-file="<< parameters.gcp_cred_config_file_path >>" \
--service-account="${<< parameters.service_account_email >>}" \
--credential-source-file=<< parameters.oidc_token_file_path >>
- run:
name: "Authenticate with GCP using OIDC"
command: |
# Configure gcloud to leverage the generated credential configuration
gcloud auth login --brief --cred-file "<< parameters.gcp_cred_config_file_path >>"
# Configure ADC
echo "export GOOGLE_APPLICATION_CREDENTIALS='<< parameters.gcp_cred_config_file_path >>'" | tee -a "$BASH_ENV"
jobs:
log-config-results:
docker:
- image: us-docker.pkg.dev/oplabs-tools-artifacts/images/ci-builder:latest # only used to enable codecov.
environment:
CURRENT_TAG: << pipeline.git.tag >>
steps:
- checkout
- run:
name: Log Configuration Results
command: |
echo "Configuration Results:"
echo "run-build-op-conductor-mon: << pipeline.parameters.run-build-op-conductor-mon >>"
echo "run-build-op-signer: << pipeline.parameters.run-build-op-signer >>"
echo "run-build-op-ufm: << pipeline.parameters.run-build-op-ufm >>"
echo "run-build-proxyd: << pipeline.parameters.run-build-proxyd >>"
echo "run-all: << pipeline.parameters.run-all >>"
echo ""
echo "Pipeline Trigger Information:"
echo "pipeline.trigger_source: << pipeline.trigger_source >>"
echo "Is not a scheduled pipeline: $([ "<< pipeline.trigger_source >>" != "scheduled_pipeline" ] && echo "true" || echo "false")"
echo ""
echo "Tag Information:"
echo "Current tag: $CURRENT_TAG"
# Use the same regex patterns as defined in the YAML anchors
if [[ $CURRENT_TAG =~ ^proxyd/v.* ]]; then
echo "proxyd tag regex match: true"
else
echo "proxyd tag regex match: false"
fi
if [[ $CURRENT_TAG =~ ^op-conductor-mon/v.* ]]; then
echo "op-conductor-mon tag regex match: true"
else
echo "op-conductor-mon tag regex match: false"
fi
if [[ $CURRENT_TAG =~ ^op-signer/v.* ]]; then
echo "op-signer tag regex match: true"
else
echo "op-signer tag regex match: false"
fi
if [[ $CURRENT_TAG =~ ^op-ufm/v.* ]]; then
echo "op-ufm tag regex match: true"
else
echo "op-ufm tag regex match: false"
fi
docker-build:
environment:
DOCKER_BUILDKIT: 1
parameters:
docker_name:
description: Docker image name
type: string
docker_tags:
description: Docker image tags as csv
type: string
docker_file:
description: Path to Dockerfile
type: string
docker_context:
description: Docker build context
type: string
registry:
description: Docker registry
type: string
default: "us-docker.pkg.dev"
repo:
description: Docker repo
type: string
default: "oplabs-tools-artifacts/images"
machine:
image: default
steps:
- checkout
- run:
command: mkdir -p /tmp/docker_images
- run:
name: Build
command: |
# Check to see if DOCKER_HUB_READ_ONLY_TOKEN is set (i.e. we are in repo) before attempting to use secrets.
# Building should work without this read only login, but may get rate limited.
if [[ -v DOCKER_HUB_READ_ONLY_TOKEN ]]; then
echo "$DOCKER_HUB_READ_ONLY_TOKEN" | docker login -u "$DOCKER_HUB_READ_ONLY_USER" --password-stdin
fi
IMAGE_BASE="<<parameters.registry>>/<<parameters.repo>>/<<parameters.docker_name>>"
DOCKER_TAGS=$(echo -ne <<parameters.docker_tags>> | sed "s/,/\n/g" | sed "s/[^a-zA-Z0-9\n]/-/g" | sed -e "s|^|-t ${IMAGE_BASE}:|")
docker build \
$(echo -ne $DOCKER_TAGS | tr '\n' ' ') \
-f <<parameters.docker_file>> \
<<parameters.docker_context>>
- run:
name: Save
command: |
IMAGE_BASE="<<parameters.registry>>/<<parameters.repo>>/<<parameters.docker_name>>"
DOCKER_LABELS=$(echo -ne <<parameters.docker_tags>> | sed "s/,/\n/g" | sed "s/[^a-zA-Z0-9\n]/-/g")
echo -ne $DOCKER_LABELS | tr ' ' '\n' | xargs -I {} docker save -o /tmp/docker_images/<<parameters.docker_name>>_{}.tar $IMAGE_BASE:{}
- persist_to_workspace:
root: /tmp/docker_images
paths:
- "."
docker-publish:
parameters:
docker_name:
description: Docker image name
type: string
docker_tags:
description: Docker image tags as csv
type: string
registry:
description: Docker registry
type: string
default: "us-docker.pkg.dev"
repo:
description: Docker repo
type: string
default: "oplabs-tools-artifacts/images"
machine:
image: default
steps:
- attach_workspace:
at: /tmp/docker_images
- run:
name: Docker load
command: |
DOCKER_LABELS=$(echo -ne <<parameters.docker_tags>> | sed "s/,/\n/g" | sed "s/[^a-zA-Z0-9\n]/-/g")
echo -ne $DOCKER_LABELS | tr ' ' '\n' | xargs -I {} docker load -i /tmp/docker_images/<<parameters.docker_name>>_{}.tar
- gcp-oidc-authenticate
# Below is CircleCI recommended way of specifying nameservers on an Ubuntu box:
# https://support.circleci.com/hc/en-us/articles/7323511028251-How-to-set-custom-DNS-on-Ubuntu-based-images-using-netplan
- run: sudo sed -i '13 i \ \ \ \ \ \ \ \ \ \ \ \ nameservers:' /etc/netplan/50-cloud-init.yaml
- run: sudo sed -i '14 i \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ addresses:' /etc/netplan/50-cloud-init.yaml
- run: sudo sed -i "s/addresses:/ addresses":" [8.8.8.8, 8.8.4.4] /g" /etc/netplan/50-cloud-init.yaml
- run: sudo cat /etc/netplan/50-cloud-init.yaml
- run: sudo netplan apply
- run:
name: Publish
command: |
gcloud auth configure-docker <<parameters.registry>>
IMAGE_BASE="<<parameters.registry>>/<<parameters.repo>>/<<parameters.docker_name>>"
DOCKER_TAGS=$(echo -ne <<parameters.docker_tags>> | sed "s/,/\n/g" | sed "s/[^a-zA-Z0-9\n]/-/g" | sed -e "s|^|${IMAGE_BASE}:|")
echo -ne $DOCKER_TAGS | tr ' ' '\n' | xargs -L1 docker push
- when:
condition:
equal: ['main', <<pipeline.git.branch>>]
steps:
- gcp-oidc-authenticate:
service_account_email: GCP_SERVICE_ATTESTOR_ACCOUNT_EMAIL
- run:
name: Sign
command: |
git clone --branch v1.0.3 --depth 1 https://github.com/ethereum-optimism/binary_signer
cd binary_signer/signer
IMAGE_PATH="<<parameters.registry>>/<<parameters.repo>>/<<parameters.docker_name>>:<<pipeline.git.revision>>"
echo $IMAGE_PATH
pip3 install -r requirements.txt
python3 ./sign_image.py --command="sign"\
--attestor-project-name="$ATTESTOR_PROJECT_NAME"\
--attestor-name="$ATTESTOR_NAME"\
--image-path="$IMAGE_PATH"\
--signer-logging-level="INFO"\
--attestor-key-id="//cloudkms.googleapis.com/v1/projects/$ATTESTOR_PROJECT_NAME/locations/global/keyRings/$ATTESTOR_NAME-key-ring/cryptoKeys/$ATTESTOR_NAME-key/cryptoKeyVersions/1"
docker-tag-op-stack-release:
parameters:
registry:
description: Docker registry
type: string
default: "us-docker.pkg.dev"
repo:
description: Docker repo
type: string
default: "oplabs-tools-artifacts/images"
docker:
- image: cimg/python:3.7
resource_class: small
steps:
- gcp-cli/install
- gcp-oidc-authenticate
- checkout
- run:
name: Tag
command: |
gcloud auth configure-docker <<parameters.registry>>
./ops/ci-tag-docker-release/ci-docker-tag-op-stack-release.sh <<parameters.registry>>/<<parameters.repo>> $CIRCLE_TAG $CIRCLE_SHA1
go-lint:
parameters:
module:
description: Go Module Name
type: string
docker:
- image: cimg/go:1.21
steps:
- checkout
- run:
name: run generate
command: |
make generate || go generate ./...
working_directory: <<parameters.module>>
- run:
name: run tidy
command: |
go mod tidy && git diff --exit-code
working_directory: <<parameters.module>>
- run:
name: run lint
command: |
if [ -f .golangci.yml ]; then
golangci-lint run -c .golangci.yml -E goimports,sqlclosecheck,bodyclose,asciicheck,misspell,errorlint -e "errors.As" -e "errors.Is" --timeout "3m0s" ./...
else
golangci-lint run -E goimports,sqlclosecheck,bodyclose,asciicheck,misspell,errorlint -e "errors.As" -e "errors.Is" --timeout "3m0s" ./...
fi
working_directory: <<parameters.module>>
go-test:
parameters:
module:
description: Go Module Name
type: string
docker:
- image: us-docker.pkg.dev/oplabs-tools-artifacts/images/ci-builder:latest # only used to enable codecov.
- image: cimg/postgres:14.6
environment:
POSTGRES_USER: opc
POSTGRES_HOST_AUTH_METHOD: trust
resource_class: small
steps:
- checkout
- run:
name: go version
command: go version
- run:
name: prep results dir
command: mkdir -p /tmp/test-results
- run:
name: run generate
command: |
make generate || go generate ./...
working_directory: <<parameters.module>>
- run:
name: run tests
command: |
gotestsum --format=standard-verbose --junitfile=/tmp/test-results/<<parameters.module>>.xml \
-- -coverpkg=github.com/ethereum-optimism/infrastructure-services/... -coverprofile=coverage.out ./...
working_directory: <<parameters.module>>
- run:
name: upload coverage
command: codecov --verbose --clean --flags <<parameters.module>>
- store_test_results:
path: /tmp/test-results
py-presubmit:
parameters:
poetry_root:
description: Root of the Poetry project directory.
type: string
docker:
- image: cimg/python:3.11
resource_class: small
steps:
- checkout
- run:
name: prep results dir
command: mkdir -p /tmp/test-results
- run:
name: run presubmit
command: |
poetry install
poetry run presubmit
working_directory: <<parameters.poetry_root>>
build-release:
parameters:
package_name:
description: Package to build
type: string
artifact_path:
description: Path to build artifact
type: string
default: ./bin
release_env:
description: Release environment
type: string
default: prod
docker:
- image: us-docker.pkg.dev/oplabs-tools-artifacts/images/ci-builder:latest
steps:
- checkout
- run:
name: Build
command: |
VERSION=$(echo "$CIRCLE_TAG" | grep -Eow 'v.*' || true)
make build-release VERSION=$VERSION RELEASE_ENV=<<parameters.release_env>>
working_directory: <<parameters.package_name>>
- persist_to_workspace:
root: <<parameters.package_name>>/<<parameters.artifact_path>>
paths:
- "."
publish-release:
parameters:
package_name:
description: Package to publish
type: string
artifact_path:
description: Path to build artifact
type: string
default: ./bin
docker:
- image: us-docker.pkg.dev/oplabs-tools-artifacts/images/ci-builder:latest
steps:
- attach_workspace:
at: <<parameters.package_name>>/<<parameters.artifact_path>>
- run:
name: "Publish Release on GitHub"
command: |
go install github.com/tcnksm/ghr@v0.16.2
ghr -t "$GITHUB_TOKEN" -u "$CIRCLE_PROJECT_USERNAME" -r "$CIRCLE_PROJECT_REPONAME" -c "$CIRCLE_SHA1" -delete "$CIRCLE_TAG" <<parameters.package_name>>/<<parameters.artifact_path>>
workflows:
logging:
jobs:
- log-config-results:
filters:
tags:
only: /.*/
branches:
ignore: /.*/
op-conductor-mon:
when:
or: [<< pipeline.parameters.run-build-op-conductor-mon >>, << pipeline.parameters.run-all >>]
jobs:
- go-lint:
name: op-conductor-mon-lint
module: op-conductor-mon
- go-test:
name: op-conductor-mon-tests
module: op-conductor-mon
- docker-build:
name: op-conductor-mon-docker-build
docker_file: op-conductor-mon/Dockerfile
docker_name: op-conductor-mon
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
docker_context: .
op-signer:
when:
or: [<< pipeline.parameters.run-build-op-signer >>, << pipeline.parameters.run-all >>]
jobs:
- go-lint:
name: op-signer-lint
module: op-signer
- go-test:
name: op-signer-tests
module: op-signer
- docker-build:
name: op-signer-docker-build
docker_file: op-signer/Dockerfile
docker_name: op-signer
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
docker_context: .
op-txproxy:
when:
or: [<< pipeline.parameters.run-build-op-txproxy >>, << pipeline.parameters.run-all >>]
jobs:
- go-lint:
name: op-txproxy-lint
module: op-txproxy
- go-test:
name: op-txproxy-tests
module: op-txproxy
- docker-build:
name: op-txproxy-docker-build
docker_file: op-txproxy/Dockerfile
docker_name: op-txproxy
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
docker_context: .
op-ufm:
when:
or: [<< pipeline.parameters.run-build-op-ufm >>, << pipeline.parameters.run-all >>]
jobs:
- go-lint:
name: op-ufm-lint
module: op-ufm
- go-test:
name: op-ufm-tests
module: op-ufm
- docker-build:
name: op-ufm-docker-build
docker_file: op-ufm/Dockerfile
docker_name: op-ufm
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
docker_context: .
op-proxyd:
when:
or: [<< pipeline.parameters.run-build-proxyd >>, << pipeline.parameters.run-all >>]
jobs:
- go-lint:
name: proxyd-lint
module: proxyd
- go-test:
name: proxyd-tests
module: proxyd
- docker-build:
name: proxyd-docker-build
docker_file: proxyd/Dockerfile
docker_name: proxyd
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
docker_context: .
release:
jobs:
- log-config-results:
filters:
tags:
only: /^(proxyd|ufm-[a-z0-9\-]*|op-[a-z0-9\-]*)\/v.*/
branches:
ignore: /.*/
- hold:
type: approval
filters:
tags:
only: /^(proxyd|ufm-[a-z0-9\-]*|op-[a-z0-9\-]*)\/v.*/
branches:
ignore: /.*/
- docker-build:
name: op-signer-docker-build
filters:
tags:
only: /^op-signer\/v.*/
docker_name: op-signer
docker_tags: <<pipeline.git.revision>>
docker_context: .
docker_file: op-signer/Dockerfile
context:
- oplabs-gcr-release
requires:
- hold
- docker-publish:
name: op-signer-docker-publish
filters:
tags:
only: /^op-signer\/v.*/
docker_name: op-signer
docker_tags: <<pipeline.git.revision>>
context:
- oplabs-gcr-release
requires:
- op-signer-docker-build
- docker-tag-op-stack-release:
name: op-signer-docker-tag
filters:
tags:
only: /^op-signer\/v.*/
branches:
ignore: /.*/
context:
- oplabs-gcr-release
requires:
- op-signer-docker-publish
- docker-build:
name: op-ufm-docker-build
filters:
tags:
only: /^op-ufm\/v.*/
docker_name: op-ufm
docker_tags: <<pipeline.git.revision>>
docker_context: .
docker_file: op-ufm/Dockerfile
context:
- oplabs-gcr-release
requires:
- hold
- docker-publish:
name: op-ufm-docker-publish
filters:
tags:
only: /^op-ufm\/v.*/
docker_name: op-ufm
docker_tags: <<pipeline.git.revision>>
context:
- oplabs-gcr-release
requires:
- op-ufm-docker-build
- docker-tag-op-stack-release:
name: op-ufm-docker-tag
filters:
tags:
only: /^op-ufm\/v.*/
branches:
ignore: /.*/
context:
- oplabs-gcr-release
requires:
- op-ufm-docker-publish
- docker-build:
name: proxyd-docker-build
filters:
tags:
only: /^proxyd\/v.*/
docker_name: proxyd
docker_tags: <<pipeline.git.revision>>
docker_context: .
docker_file: proxyd/Dockerfile
context:
- oplabs-gcr-release
requires:
- hold
- docker-publish:
name: proxyd-docker-publish
filters:
tags:
only: /^proxyd\/v.*/
docker_name: proxyd
docker_tags: <<pipeline.git.revision>>
context:
- oplabs-gcr-release
requires:
- proxyd-docker-build
- docker-tag-op-stack-release:
name: proxyd-docker-tag
filters:
tags:
only: /^proxyd\/v.*/
branches:
ignore: /.*/
context:
- oplabs-gcr-release
requires:
- proxyd-docker-publish
- docker-build:
name: op-conductor-mon-docker-build
filters:
tags:
only: /^op-conductor-mon\/v.*/
docker_file: op-conductor-mon/Dockerfile
docker_name: op-conductor-mon
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
docker_context: .
context:
- oplabs-gcr-release
requires:
- hold
- docker-publish:
name: op-conductor-mon-docker-publish
filters:
tags:
only: /^op-conductor-mon\/v.*/
docker_name: op-conductor-mon
docker_tags: <<pipeline.git.revision>>,<<pipeline.git.branch>>
context:
- oplabs-gcr-release
requires:
- op-conductor-mon-docker-build
- docker-tag-op-stack-release:
name: op-conductor-mon-docker-tag
filters:
tags:
only: /^op-conductor-mon\/v.*/
branches:
ignore: /.*/
context:
- oplabs-gcr-release
requires:
- op-conductor-mon-docker-publish