Limit the publishing of public builds and Docker images to only the p…

…ublic repository (#145) - Splits the deploy-docker.sh into build and deploy parts (merged) - Updates the CI workflows to the new docker scripts - Add running permission to the new scripts - Limit the publishing of public builds and Docker images to only the public repository - Add limitations for Windows builds - Use proper string comparison and end if for Linux - Allow build directory definition in secrets Co-authored-by: Zach Hyatt <zhyatt@nano.org>
nanocurrency · May 27, 2022 · 5ede119 · 5ede119
1 parent 51f997b
commit 5ede119
Show file tree

Hide file tree

Showing 10 changed files with 139 additions and 80 deletions.
diff --git a/.github/workflows/beta_artifacts.yml b/.github/workflows/beta_artifacts.yml
@@ -36,6 +36,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/deploy.sh
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
@@ -61,6 +62,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/deploy.sh
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
@@ -81,8 +83,11 @@ jobs:
         env:
           COMPILER: gcc
         run: ci/actions/linux/install_deps.sh
+      - name: Build Docker (nanocurrency/nano-beta)
+        run: TRAVIS_TAG=${TAG} ci/actions/linux/docker-build.sh
       - name: Deploy Docker (nanocurrency/nano-beta)
-        run: TRAVIS_TAG=${TAG} ci/actions/linux/deploy-docker.sh
+        if: ${{ github.repository == 'nanocurrency/nano-node' }}
+        run: TRAVIS_TAG=${TAG} ci/actions/linux/docker-deploy.sh
         env:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to ghcr.io
@@ -116,6 +121,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/windows/deploy.ps1
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
diff --git a/.github/workflows/develop.yml b/.github/workflows/develop.yml
@@ -22,6 +22,6 @@ jobs:
       - name: Deploy Docker (ghcr.io)
         run: ci/actions/linux/ghcr_push.sh
       - name: Deploy Docker (nanocurrency/nano-env)
-        run: ci/actions/linux/deploy-docker.sh
+        run: ci/actions/linux/docker-deploy.sh
         env:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/live_artifacts.yml b/.github/workflows/live_artifacts.yml
@@ -35,6 +35,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/deploy.sh
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
@@ -60,6 +61,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/deploy.sh
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
@@ -80,8 +82,11 @@ jobs:
         env:
           COMPILER: gcc
         run: ci/actions/linux/install_deps.sh
-      - name: Deploy Docker (nanocurrency/nano)
-        run: TRAVIS_TAG=${TAG} ci/actions/linux/deploy-docker.sh
+      - name: Build Docker (nanocurrency/nano)
+        run: TRAVIS_TAG=${TAG} ci/actions/linux/docker-build.sh
+      - name: Deploy Docker Hub (nanocurrency/nano)
+        if: ${{ github.repository == 'nanocurrency/nano-node' }}
+        run: TRAVIS_TAG=${TAG} ci/actions/linux/docker-deploy.sh
         env:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to ghcr.io
@@ -90,7 +95,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GHCR_PAT }}
-      - name: Deploy Docker (ghcr.io
+      - name: Deploy Docker (ghcr.io)
         run: ci/actions/linux/ghcr_push.sh
 
   windows_job:
@@ -115,6 +120,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/windows/deploy.ps1
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
diff --git a/.github/workflows/test_network_artifacts.yml b/.github/workflows/test_network_artifacts.yml
@@ -36,6 +36,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/deploy.sh
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
@@ -61,6 +62,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/deploy.sh
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
@@ -81,8 +83,11 @@ jobs:
         env:
           COMPILER: gcc
         run: ci/actions/linux/install_deps.sh
+      - name: Build Docker (nanocurrency/nano)
+        run: TRAVIS_TAG=${TAG} ci/actions/linux/docker-build.sh
       - name: Deploy Docker (nanocurrency/nano)
-        run: TRAVIS_TAG=${TAG} ci/actions/linux/deploy-docker.sh
+        if: ${{ github.repository == 'nanocurrency/nano-node' }}
+        run: TRAVIS_TAG=${TAG} ci/actions/linux/docker-deploy.sh
         env:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
       - name: Login to ghcr.io
@@ -116,6 +121,7 @@ jobs:
       - name: Deploy Artifact
         run: ci/actions/windows/deploy.ps1
         env:
+          S3_BUILD_DIRECTORY: ${{ secrets.S3_BUILD_DIRECTORY }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-east-2
diff --git a/ci/actions/deploy.sh b/ci/actions/deploy.sh
@@ -13,15 +13,21 @@ else
     BUILD="live"
 fi
 
+if [[ "${GITHUB_REPOSITORY:-}" == "nanocurrency/nano-node" ]]; then
+    DIRECTORY=$BUILD
+else
+    DIRECTORY="${S3_BUILD_DIRECTORY}/${BUILD}"
+fi
+
 if [[ "$OS" == 'Linux' ]]; then
     sha256sum $GITHUB_WORKSPACE/build/nano-node-*-Linux.tar.bz2 >$GITHUB_WORKSPACE/nano-node-$TAG-Linux.tar.bz2.sha256
     sha256sum $GITHUB_WORKSPACE/build/nano-node-*-Linux.deb >$GITHUB_WORKSPACE/nano-node-$TAG-Linux.deb.sha256
-    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-*-Linux.tar.bz2 s3://repo.nano.org/$BUILD/binaries/nano-node-$TAG-Linux.tar.bz2 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-    aws s3 cp $GITHUB_WORKSPACE/nano-node-$TAG-Linux.tar.bz2.sha256 s3://repo.nano.org/$BUILD/binaries/nano-node-$TAG-Linux.tar.bz2.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-*-Linux.deb s3://repo.nano.org/$BUILD/binaries/nano-node-$TAG-Linux.deb --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-    aws s3 cp $GITHUB_WORKSPACE/nano-node-$TAG-Linux.deb.sha256 s3://repo.nano.org/$BUILD/binaries/nano-node-$TAG-Linux.deb.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-*-Linux.tar.bz2 s3://repo.nano.org/$DIRECTORY/binaries/nano-node-$TAG-Linux.tar.bz2 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+    aws s3 cp $GITHUB_WORKSPACE/nano-node-$TAG-Linux.tar.bz2.sha256 s3://repo.nano.org/$DIRECTORY/binaries/nano-node-$TAG-Linux.tar.bz2.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-*-Linux.deb s3://repo.nano.org/$DIRECTORY/binaries/nano-node-$TAG-Linux.deb --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+    aws s3 cp $GITHUB_WORKSPACE/nano-node-$TAG-Linux.deb.sha256 s3://repo.nano.org/$DIRECTORY/binaries/nano-node-$TAG-Linux.deb.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
 else
     sha256sum $GITHUB_WORKSPACE/build/nano-node-*-Darwin.dmg >$GITHUB_WORKSPACE/build/nano-node-$TAG-Darwin.dmg.sha256
-    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-*-Darwin.dmg s3://repo.nano.org/$BUILD/binaries/nano-node-$TAG-Darwin.dmg --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-$TAG-Darwin.dmg.sha256 s3://repo.nano.org/$BUILD/binaries/nano-node-$TAG-Darwin.dmg.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-fi
+    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-*-Darwin.dmg s3://repo.nano.org/$DIRECTORY/binaries/nano-node-$TAG-Darwin.dmg --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+    aws s3 cp $GITHUB_WORKSPACE/build/nano-node-$TAG-Darwin.dmg.sha256 s3://repo.nano.org/$DIRECTORY/binaries/nano-node-$TAG-Darwin.dmg.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+fi
diff --git a/ci/actions/linux/deploy-docker.sh b/ci/actions/linux/deploy-docker.sh
diff --git a/ci/actions/linux/docker-build.sh b/ci/actions/linux/docker-build.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+set -x
+
+source "$(dirname "$BASH_SOURCE")/docker-impl/docker-common.sh"
+
+docker_build
diff --git a/ci/actions/linux/docker-deploy.sh b/ci/actions/linux/docker-deploy.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+set -x
+
+source "$(dirname "$BASH_SOURCE")/docker-impl/docker-common.sh"
+
+docker_deploy
diff --git a/ci/actions/linux/docker-impl/docker-common.sh b/ci/actions/linux/docker-impl/docker-common.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+set -e
+set -a
+
+scripts="$PWD/ci"
+TRAVIS_BRANCH=$(git branch | cut -f2 -d' ')
+tags=()
+if [ -n "$TRAVIS_TAG" ]; then
+    tags+=("$TRAVIS_TAG")
+elif [ -n "$TRAVIS_BRANCH" ]; then
+    TRAVIS_TAG=$TRAVIS_BRANCH
+    tags+=("$TRAVIS_BRANCH")
+fi
+if [[ "$GITHUB_WORKFLOW" = "Live" ]]; then
+    echo "Live"
+    network_tag_suffix=''
+    network="live"
+elif [[ "$GITHUB_WORKFLOW" = "Beta" ]]; then
+    echo "Beta"
+    network_tag_suffix="-beta"
+    network="beta"
+elif [[ "$GITHUB_WORKFLOW" = "Test" ]]; then
+    echo "Test"
+    network_tag_suffix="-test"
+    network="test"
+fi
+
+if [[ "$GITHUB_WORKFLOW" != "Develop" ]]; then
+    docker_image_name="nanocurrency/nano${network_tag_suffix}"
+fi
+
+docker_build()
+{
+    if [[ "$GITHUB_WORKFLOW" != "Develop" ]]; then
+        ghcr_image_name="ghcr.io/${GITHUB_REPOSITORY}/nano${network_tag_suffix}"
+        "$scripts"/build-docker-image.sh docker/node/Dockerfile "$docker_image_name" --build-arg NETWORK="$network" --build-arg CI_BUILD=true --build-arg TRAVIS_TAG="$TRAVIS_TAG"
+        for tag in "${tags[@]}"; do
+            # Sanitize docker tag
+            # https://docs.docker.com/engine/reference/commandline/tag/
+            tag="$(printf '%s' "$tag" | tr -c '[a-z][A-Z][0-9]_.-' -)"
+            if [ "$tag" != "latest" ]; then
+                docker tag "$docker_image_name" "${docker_image_name}:$tag"
+                docker tag "$ghcr_image_name" "${ghcr_image_name}:$tag"
+            fi
+        done
+    fi
+}
+
+docker_deploy()
+{
+    if [ -n "$DOCKER_PASSWORD" ]; then
+        echo "$DOCKER_PASSWORD" | docker login -u nanoreleaseteam --password-stdin
+        if [[ "$GITHUB_WORKFLOW" = "Develop" ]]; then
+            "$scripts"/custom-timeout.sh 30 docker push "nanocurrency/nano-env:base"
+            "$scripts"/custom-timeout.sh 30 docker push "nanocurrency/nano-env:gcc"
+            "$scripts"/custom-timeout.sh 30 docker push "nanocurrency/nano-env:clang-6"
+            echo "Deployed nano-env"
+            exit 0
+        else
+            if [[ "$GITHUB_WORKFLOW" = "Live" ]]; then
+                tags=$(docker images --format '{{.Repository}}:{{.Tag }}' | grep nanocurrency | grep -vE "env|ghcr.io|none|latest")
+            else
+                tags=$(docker images --format '{{.Repository}}:{{.Tag }}' | grep nanocurrency | grep -vE "env|ghcr.io|none")
+            fi
+            for a in $tags; do
+                "$scripts"/custom-timeout.sh 30 docker push "$a"
+            done
+            echo "$docker_image_name with tags ${tags//$'\n'/' '} deployed"
+        fi
+    else
+        echo "\$DOCKER_PASSWORD environment variable required"
+        exit 0
+    fi
+}
diff --git a/ci/actions/windows/deploy.ps1 b/ci/actions/windows/deploy.ps1
@@ -10,13 +10,20 @@ else {
     $network_cfg = "live"
 }
 
+if ( ${env:GITHUB_REPOSITORY} -eq "nanocurrency/nano-node" ) {
+    $directory=$network_cfg
+}
+else {
+    $directory=${env:S3_BUILD_DIRECTORY}+"/"+$network_cfg
+}
+
 $exe = Resolve-Path -Path $env:GITHUB_WORKSPACE\build\nano-node-*-win64.exe
 $zip = Resolve-Path -Path $env:GITHUB_WORKSPACE\build\nano-node-*-win64.zip
 
 ((Get-FileHash $exe).hash)+" "+(split-path -Path $exe -Resolve -leaf) | Out-file -FilePath "$exe.sha256"
 ((Get-FileHash $zip).hash)+" "+(split-path -Path $zip -Resolve -leaf) | Out-file -FilePath "$zip.sha256"
 
-aws s3 cp $exe s3://repo.nano.org/$network_cfg/binaries/nano-node-$env:TAG-win64.exe --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-aws s3 cp "$exe.sha256" s3://repo.nano.org/$network_cfg/binaries/nano-node-$env:TAG-win64.exe.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-aws s3 cp "$zip" s3://repo.nano.org/$network_cfg/binaries/nano-node-$env:TAG-win64.zip --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
-aws s3 cp "$zip.sha256" s3://repo.nano.org/$network_cfg/binaries/nano-node-$env:TAG-win64.zip.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+aws s3 cp $exe s3://repo.nano.org/$directory/binaries/nano-node-$env:TAG-win64.exe --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+aws s3 cp "$exe.sha256" s3://repo.nano.org/$directory/binaries/nano-node-$env:TAG-win64.exe.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+aws s3 cp "$zip" s3://repo.nano.org/$directory/binaries/nano-node-$env:TAG-win64.zip --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
+aws s3 cp "$zip.sha256" s3://repo.nano.org/$directory/binaries/nano-node-$env:TAG-win64.zip.sha256 --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers