From f3856c785bd46553351b4f7acff904710846162e Mon Sep 17 00:00:00 2001
From: Vasil Boyadzhiev
Date: Fri, 15 Nov 2024 16:34:04 +0000
Subject: [PATCH 01/37] ci: Enabling workflows for semantic release
Signed-off-by: Vasil Boyadzhiev
---
.../node-flow-deploy-release-artifact.yaml | 74 ++++++++++++++-----
.../node-zxc-build-release-artifact.yaml | 40 +++++++++-
.releaserc.json | 47 ++++++++++++
...com.hedera.gradle.maven-publish.gradle.kts | 12 +--
...com.hedera.gradle.nexus-publish.gradle.kts | 2 +-
5 files changed, 146 insertions(+), 29 deletions(-)
create mode 100644 .releaserc.json
diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml
index 88c88c911d5a..19164cf044a7 100644
--- a/.github/workflows/node-flow-deploy-release-artifact.yaml
+++ b/.github/workflows/node-flow-deploy-release-artifact.yaml
@@ -51,34 +51,72 @@ jobs: prerelease: ${{ steps.tag.outputs.prerelease }} steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit - - name: Install Semantic Version Tools + - name: Checkout Code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + token: ${{ secrets.GH_ACCESS_TOKEN }} + fetch-depth: 0 + + + - name: Install GnuPG Tools run: | - echo "::group::Download SemVer Binary" - sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver - echo "::endgroup::" - echo "::group::Change SemVer Binary Permissions" - sudo chmod -v +x /usr/local/bin/semver - echo "::endgroup::" - echo "::group::Show SemVer Binary Version Info" - semver --version - echo "::endgroup::" + if ! command -v gpg2 >/dev/null 2>&1; then + echo "::group::Updating APT Repository Indices" + sudo apt update + echo "::endgroup::" + echo "::group::Installing GnuPG Tools" + sudo apt install -y gnupg2 + echo "::endgroup::" + fi + + - name: Import GPG key + id: gpg_key + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 + with: + gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} + git_config_global: true + git_user_signingkey: true + git_commit_gpgsign: true + git_tag_gpgsign: false + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 20 + + - name: Install Semantic Release + run: | + npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 + npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 + npm install -g marked-mangle@1.0.1 
marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 + + - name: Calculate Next Version + env: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + run: | + npx semantic-release --dry-run + ls -al + cat VERSION - name: Extract Tag Version id: tag run: | - RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" - PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" - - FINAL_VERSION="${RELEASE_VERSION}" + cat VERSION + RELEASE_VERSION="$(cat VERSION | tr -d '[:space:]')" PRERELEASE_FLAG="false" - [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" - [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + [[ "${RELEASE_VERSION}" == *"-"* ]] && PRERELEASE_FLAG="true" - echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" + echo "version=${RELEASE_VERSION}" >>"${GITHUB_OUTPUT}" echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" release-tag: diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index f3addaeef986..f88be67d0bbf 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml 
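Review bot: The `Install Semantic Release` step runs `npm install -g` for ten third-party packages after `Checkout Code` has stored `secrets.GH_ACCESS_TOKEN` in the clone's git config (checkout persists credentials by default) and after the GPG private key has been imported, so any install script or transitive dependency runs with both within reach. Only the top-level versions are pinned; transitive dependencies resolve at run time because there is no lockfile, and `egress-policy: audit` logs outbound traffic without blocking it. Consider installing before the checkout and key import, or with `npm install -g --ignore-scripts …`, and adding `persist-credentials: false` to the checkout if the dry run does not need to push. `NPM_TOKEN` is also handed to a `--dry-run` invocation that appears not to publish anything. The same install step is added to node-zxc-build-release-artifact.yaml in the `@@ -146,6 +146,36 @@` hunk.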
@@ -146,6 +146,36 @@ jobs: semver --version echo "::endgroup::" + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 20 + + - name: Install Semantic Release + run: | + npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 + npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 + npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 + + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Calculate Next Version + if: ${{ inputs.version-policy == 'specified' }} + env: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + run: | + npx semantic-release --dry-run + ls -al + cat VERSION + - name: Verify Workflow Parameters id: parameters run: | @@ -174,9 +204,6 @@ jobs: exit 2 fi - - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Setup Java uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: @@ -205,7 +232,12 @@ jobs: - name: Compute Final Effective Version id: effective-version run: | - EFF_VERSION="$(./gradlew showVersion --quiet | tr -d '[:space:]')" + if [[ "${{ inputs.version-policy }}" == "specified" ]]; then + EFF_VERSION="${{ inputs.new-version }}" + else + EFF_VERSION="$(cat VERSION | tr -d '[:space:]')" + fi + PRERELEASE_SUFFIX="$(semver get prerel "${EFF_VERSION}")" PRERELEASE="false" [[ -n "${PRERELEASE_SUFFIX}" ]] && PRERELEASE="true" 
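Review bot: In `Compute Final Effective Version`, `${{ inputs.version-policy }}` and `${{ inputs.new-version }}` are expanded into the script text before bash runs, so a caller-supplied value containing quotes or a command substitution is interpreted as shell code in the release build job. Pass them through the step's `env:` instead (`NEW_VERSION: ${{ inputs.new-version }}`) and read `EFF_VERSION="${NEW_VERSION}"`. The branches also look inverted relative to the `@@ -146,6 +146,36 @@` hunk: `Calculate Next Version` runs only when the policy is `specified`, yet `VERSION` is read only when it is not, so the `else` path would `cat` a file that step never wrote.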
diff --git a/.releaserc.json b/.releaserc.json new file mode 100644 index 000000000000..badc91541894 --- /dev/null +++ b/.releaserc.json @@ -0,0 +1,47 @@ +{ + "branches": ["main", "develop"], + "plugins": [ + ["@semantic-release/commit-analyzer", { + "preset": "conventional-commits", + "releaseRules": [ + {"type": "breaking", "release": "minor"}, + {"type": "feat", "release": "minor"}, + {"type": "fix", "release": "patch"}, + {"type": "docs", "release": "patch"}, + {"type": "style", "release": "patch"}, + {"type": "refactor", "release": "patch"}, + {"type": "perf", "release": "patch"}, + {"type": "test", "release": "patch"}, + {"type": "ci", "release": "patch"}, + {"type": "chore", "release": "patch"} + ], + "parserOpts": { + "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES", "BREAKING"] + } + }], + ["@semantic-release/release-notes-generator", { + "preset": "conventional-commits", + "presetConfig": { + "types": [ + {"type": "feat", "section": "Features"}, + {"type": "fix", "section": "Bug Fixes"}, + {"type": "docs", "section": "Documentation"}, + {"type": "style", "section": "Styles"}, + {"type": "refactor", "section": "Code Refactoring"}, + {"type": "perf", "section": "Performance Improvements"}, + {"type": "test", "section": "Tests"}, + {"type": "ci", "section": "Continuous Integration"}, + {"type": "chore", "section": "Chores"}, + {"type": "breaking", "section": "Breaking Changes"} + ] + } + }], + "@semantic-release/changelog", + "@semantic-release/npm", + "@semantic-release/github", + ["@semantic-release/git", { + "assets": ["package.json", "CHANGELOG.md"], + "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + }] + ] +} \ No newline at end of file diff --git a/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts b/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts index 43667a50aa3a..9d9639f5ab3e 100644 
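Review bot: The `plugins` list names `@semantic-release/changelog`, which the `Install Semantic Release` step in this commit's workflows does not install, so `npx semantic-release --dry-run` would likely fail while loading plugins. Nothing in this configuration writes a `VERSION` file either, although both workflows `cat VERSION` right after the dry run; an `@semantic-release/exec` entry would be needed for that. The preset is spelled `conventional-commits` here while the installed package is `conventional-changelog-conventionalcommits`, so the name probably should be `conventionalcommits`.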
--- a/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts +++ b/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts @@ -22,12 +22,12 @@ plugins { id("signing") } -tasks.withType().configureEach { - // Publishing tasks are only enabled if we publish to the matching group. - // Otherwise, Nexus configuration and credentials do not fit. - val publishingPackageGroup = providers.gradleProperty("publishingPackageGroup").orNull - enabled = publishingPackageGroup == project.group -} +// tasks.withType().configureEach { +// Publishing tasks are only enabled if we publish to the matching group. +// Otherwise, Nexus configuration and credentials do not fit. +// val publishingPackageGroup = providers.gradleProperty("publishingPackageGroup").orNull +// enabled = publishingPackageGroup == project.group +// } java { withJavadocJar() diff --git a/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts b/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts index 429566cb793a..94e039bf66d2 100644 --- a/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts +++ b/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts @@ -44,7 +44,7 @@ tasks.named("closeSonatypeStagingRepository") { tasks.named("releaseMavenCentral") { group = "release" - dependsOn(tasks.closeAndReleaseStagingRepository) + dependsOn(tasks.named("closeSonatypeStagingRepository")) } tasks.register("releaseMavenCentralSnapshot") { From c6676f99a0185acbede623b3b0bae2f3566bf3b9 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Fri, 22 Nov 2024 08:38:22 -0600 Subject: [PATCH 02/37] TEMPORARY COMMIT FOR TESTING SEMANTIC RELEASE Signed-off-by: Andrew Brandt --- .releaserc.json | 2 +- .../com.hedera.gradle.maven-publish.gradle.kts | 12 ++++++------ .../com.hedera.gradle.nexus-publish.gradle.kts | 1 + 3 files changed, 8 insertions(+), 7 deletions(-) 
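Review bot: Commenting out this `configureEach` block removes the only visible guard that disables publishing tasks when `publishingPackageGroup` does not match `project.group`, so every project's publish tasks become enabled with whatever Nexus credentials the job carries. If this is needed only to exercise the new workflow, it should stay out of the mergeable history; otherwise delete the block and state the new rule in a comment such as `// Publishing is enabled for every group; see <where credentials are selected>`. Leaving the code as `//` lines also buries the original explanation that Nexus configuration and credentials do not fit other groups.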
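Review bot: `releaseMavenCentral` now depends on `closeSonatypeStagingRepository` instead of `closeAndReleaseStagingRepository`, so, judging by the task names, it would close the staging repository without releasing it. A release job that calls `releaseMavenCentral` could then report success while nothing reaches Maven Central. If stopping at the closed staging repository is intended for testing, rename the task or say so in a comment, e.g. `// closes staging only; the release step is manual`.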
diff --git a/.releaserc.json b/.releaserc.json index badc91541894..a1cfff4b29e6 100644 --- a/.releaserc.json +++ b/.releaserc.json @@ -1,5 +1,5 @@ { - "branches": ["main", "develop"], + "branches": ["main", "develop", "semantic-release-workflow-update"], "plugins": [ ["@semantic-release/commit-analyzer", { "preset": "conventional-commits", diff --git a/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts b/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts index 9d9639f5ab3e..43667a50aa3a 100644 --- a/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts +++ b/gradle/plugins/src/main/kotlin/com.hedera.gradle.maven-publish.gradle.kts @@ -22,12 +22,12 @@ plugins { id("signing") } -// tasks.withType().configureEach { -// Publishing tasks are only enabled if we publish to the matching group. -// Otherwise, Nexus configuration and credentials do not fit. -// val publishingPackageGroup = providers.gradleProperty("publishingPackageGroup").orNull -// enabled = publishingPackageGroup == project.group -// } +tasks.withType().configureEach { + // Publishing tasks are only enabled if we publish to the matching group. + // Otherwise, Nexus configuration and credentials do not fit. + val publishingPackageGroup = providers.gradleProperty("publishingPackageGroup").orNull + enabled = publishingPackageGroup == project.group +} java { withJavadocJar() diff --git a/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts b/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts index 94e039bf66d2..d95fa5f00400 100644 --- a/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts +++ b/gradle/plugins/src/main/kotlin/com.hedera.gradle.nexus-publish.gradle.kts 
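Review bot: Adding `semantic-release-workflow-update` to `branches` turns a working branch into a release branch, so a semantic-release run on it can tag and publish the same way `main` does. The commit title marks this as temporary; the entry should be dropped before the series merges, and the release branches kept to ones covered by branch protection.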
@@ -44,6 +44,7 @@ tasks.named("closeSonatypeStagingRepository") { tasks.named("releaseMavenCentral") { group = "release" +// dependsOn(tasks.closeAndReleaseStagingRepository) dependsOn(tasks.named("closeSonatypeStagingRepository")) } From d5b496a13ca1f8691e5316287bc3aa0af36820b4 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 4 Dec 2024 14:16:19 -0600 Subject: [PATCH 03/37] Add .releaserc blank file Signed-off-by: Andrew Brandt --- .releaserc | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .releaserc diff --git a/.releaserc b/.releaserc new file mode 100644 index 000000000000..e69de29bb2d1 From 0b412836bbbe936802c2cbd1baf7cd99d3bd62de Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Fri, 6 Dec 2024 13:19:52 -0600 Subject: [PATCH 04/37] Add very basic template releaserc file Signed-off-by: Andrew Brandt --- .releaserc | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/.releaserc b/.releaserc index e69de29bb2d1..00b29bc0b93a 100644 --- a/.releaserc +++ b/.releaserc @@ -0,0 +1,54 @@ +{ + "branches": ["main", "develop", "semantic-release-workflow-update"], + "plugins": [ + [ + "@semantic-release/commit-analyzer", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/release-notes-generator", + { + "preset": "conventionalcommits" + } + ], + [ + "@semantic-release/changelog", + { + "changelogFile": "CHANGELOG.md" + } + ], + [ + "@semantic-release/github", + { + "assets": [ + { + "path": "target/*.jar", + "label": "JAR Package" + }, + { + "path": "target/*.pom", + "label": "POM File" + } + ] + } + ], + [ + "semantic-release-maven", + { + "deploy": true, + "deployUrl": "https://oss.sonatype.org/service/local/staging/deploy/maven2/", + "repositoryId": "ossrh", + "gpgSign": true + } + ], + [ + "@semantic-release/git", + { + "assets": ["CHANGELOG.md", "pom.xml"], + "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + } + ] + ] +} 
From d197832ed8aa8dc8004986d147c8f5f1b63a43fa Mon Sep 17 00:00:00 2001
From: Andrew Brandt
Date: Mon, 9 Dec 2024 15:50:24 -0600
Subject: [PATCH 05/37] Modify releaserc file
Signed-off-by: Andrew Brandt
---
.releaserc | 83 ++++++++++++++++++++++++++++++------------------------
1 file changed, 46 insertions(+), 37 deletions(-)
diff --git a/.releaserc b/.releaserc
index 00b29bc0b93a..01fe327d2ee3 100644
--- a/.releaserc
+++ b/.releaserc
@@ -1,54 +1,63 @@ { - "branches": ["main", "develop", "semantic-release-workflow-update"], "plugins": [ - [ - "@semantic-release/commit-analyzer", - { - "preset": "conventionalcommits" - } - ], + "@semantic-release/commit-analyzer", [ "@semantic-release/release-notes-generator", { "preset": "conventionalcommits" } ], + "@semantic-release/git", + "@semantic-release/github" + ], + "verifyRelease": [ [ - "@semantic-release/changelog", - { - "changelogFile": "CHANGELOG.md" - } - ], - [ - "@semantic-release/github", - { - "assets": [ - { - "path": "target/*.jar", - "label": "JAR Package" - }, - { - "path": "target/*.pom", - "label": "POM File" - } - ] - } - ], + "@semantic-release/exec", + { "cmd": "echo ${nextRelease.version} > VERSION" } + ] + ], + "prepare": [ [ - "semantic-release-maven", - { - "deploy": true, - "deployUrl": "https://oss.sonatype.org/service/local/staging/deploy/maven2/", - "repositoryId": "ossrh", - "gpgSign": true - } + "@semantic-release/exec", + { "cmd": "./gradlew versionAsSpecified --scan -PnewVersion=${nextRelease.version}" } ], [ "@semantic-release/git", { - "assets": ["CHANGELOG.md", "pom.xml"], - "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" + "assets": [ + "gradle.properties" + ] } ] + ], + "branches":[ + { + "name": "main", "develop", "semantic-release-workflow-update" + }, + { + "name": "release/([0-9]+).([0-9]+)", + "channel": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x", + "range": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x" + }, + { + "name": "alpha/*", + "prerelease": "alpha", + "channel": "alpha" + }, + { + "name": "ci/*", + "prerelease": "alpha", + "channel": "alpha" + }, + { + "name": "beta/*", + "prerelease": "beta", + "channel": "beta" + }, + { + "name": "rc/*", + "prerelease": "rc", + "channel": "rc" + } ] -} +} \ No newline at end of file 
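Review bot: The first `branches` entry, `{ "name": "main", "develop", "semantic-release-workflow-update" }`, is not valid JSON: an object cannot hold bare strings after its first pair, so the whole file would fail to parse. Each branch needs its own object, e.g. `{ "name": "main" }` and `{ "name": "develop" }`. Separately, the `prepare` command passes `--scan` to Gradle, which publishes a build scan from the release job; confirm that this is intended and where the scan is sent. The `release/([0-9]+).([0-9]+)` name is written as a regular expression, while semantic-release matches branch names as globs, so it may not match and is worth testing.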
From 776cbb4dab056628fa67bf2d195eb69adfd19a2e Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Mon, 9 Dec 2024 15:51:15 -0600 Subject: [PATCH 06/37] Change from gradle.properties to version.txt Signed-off-by: Andrew Brandt --- .releaserc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.releaserc b/.releaserc index 01fe327d2ee3..9ee22fdafa19 100644 --- a/.releaserc +++ b/.releaserc @@ -25,7 +25,7 @@ "@semantic-release/git", { "assets": [ - "gradle.properties" + "version.txt" ] } ] From 733f13971da6ddac001279dab23c4f8b176334eb Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 11 Dec 2024 07:47:47 -0600 Subject: [PATCH 07/37] Update version to -SNAPSHOT for testing purposes Signed-off-by: Andrew Brandt --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 46448c71b9df..68f77c426364 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.57.0 +0.57.0-SNAPSHOT From 1fe8065c9f9905cd87d778f68baab5b199fa9901 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Mon, 16 Dec 2024 13:17:45 -0500 Subject: [PATCH 08/37] Update branch names, remove alpha beta ci and rc branch rules Signed-off-by: Andrew Brandt --- .releaserc | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/.releaserc b/.releaserc index 9ee22fdafa19..9711287ab04e 100644 --- a/.releaserc +++ b/.releaserc 
@@ -32,32 +32,12 @@ ], "branches":[ { - "name": "main", "develop", "semantic-release-workflow-update" + "name": "semantic-release-workflow-update" }, { "name": "release/([0-9]+).([0-9]+)", "channel": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x", "range": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x" - }, - { - "name": "alpha/*", - "prerelease": "alpha", - "channel": "alpha" - }, - { - "name": "ci/*", - "prerelease": "alpha", - "channel": "alpha" - }, - { - "name": "beta/*", - "prerelease": "beta", - "channel": "beta" - }, - { - "name": "rc/*", - "prerelease": "rc", - "channel": "rc" } ] } \ No newline at end of file From 34e35204fe9d6d98506ff1476324e29de8281c93 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Thu, 19 Dec 2024 15:10:49 -0500 Subject: [PATCH 09/37] Remove releaserc.json file Signed-off-by: Andrew Brandt --- .releaserc.json | 47 ----------------------------------------------- 1 file changed, 47 deletions(-) delete mode 100644 .releaserc.json diff --git a/.releaserc.json b/.releaserc.json deleted file mode 100644 index a1cfff4b29e6..000000000000 --- a/.releaserc.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "branches": ["main", "develop", "semantic-release-workflow-update"], - "plugins": [ - ["@semantic-release/commit-analyzer", { - "preset": "conventional-commits", - "releaseRules": [ - {"type": "breaking", "release": "minor"}, - {"type": "feat", "release": "minor"}, - {"type": "fix", "release": "patch"}, - {"type": "docs", "release": "patch"}, - {"type": "style", "release": "patch"}, - {"type": "refactor", "release": "patch"}, - {"type": "perf", "release": "patch"}, - {"type": "test", "release": "patch"}, - {"type": "ci", "release": "patch"}, - {"type": "chore", "release": "patch"} - ], - "parserOpts": { - "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES", "BREAKING"] - } - }], - ["@semantic-release/release-notes-generator", { - "preset": "conventional-commits", - "presetConfig": { - "types": [ - {"type": "feat", "section": "Features"}, - {"type": "fix", "section": "Bug Fixes"}, - {"type": "docs", "section": "Documentation"}, - {"type": "style", "section": "Styles"}, - {"type": "refactor", "section": "Code Refactoring"}, - {"type": "perf", "section": "Performance Improvements"}, - {"type": "test", "section": "Tests"}, - {"type": "ci", "section": "Continuous Integration"}, - {"type": "chore", "section": "Chores"}, - {"type": "breaking", "section": "Breaking Changes"} - ] - } - }], - "@semantic-release/changelog", - "@semantic-release/npm", - "@semantic-release/github", - ["@semantic-release/git", { - "assets": ["package.json", "CHANGELOG.md"], - "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" - }] - ] -} \ No newline at end of file From 42b2802b7a53b84cae9d28141af5470819faa28e Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Thu, 19 Dec 2024 15:17:22 -0500 Subject: [PATCH 10/37] Update version.txt to 99.99.99-SNAPSHOT for testing Signed-off-by: Andrew Brandt --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/version.txt b/version.txt index a60476bfe1c7..59d57f0e6440 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -0.58.0 +99.99.99-SNAPSHOT From 42274de52cc68afc3162517ed4f41557af5a09e5 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Thu, 19 Dec 2024 15:33:31 -0500 Subject: [PATCH 11/37] Add spotless fix Signed-off-by: Andrew Brandt --- .../node-zxc-build-release-artifact.yaml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index 78cc55c99587..b64d4450524f 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml @@ -1,4 +1,19 @@ -# SPDX-License-Identifier: Apache-2.0 +## +# Copyright (C) 2024 Hedera Hashgraph, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +## + name: "ZXC: [Node] Deploy Release Artifacts" on: workflow_call: From 86004cd71426f4c2ca35019ef7359f0aec884f2c Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Fri, 20 Dec 2024 11:05:38 -0500 Subject: [PATCH 12/37] Use official release version instead of SNAPSHOT version Signed-off-by: Andrew Brandt --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 59d57f0e6440..857e0684c4e3 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -99.99.99-SNAPSHOT +99.99.99 
From 90528a5fee34aa0aa69aecf22727d2c3efcbd312 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Fri, 20 Dec 2024 13:08:41 -0500 Subject: [PATCH 13/37] Roll version of gradle build to 0.1.3 Signed-off-by: Andrew Brandt --- settings.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/settings.gradle.kts b/settings.gradle.kts index 0630c1461051..5982303982c9 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -14,7 +14,7 @@ * limitations under the License. */ -plugins { id("org.hiero.gradle.build") version "0.1.2" } +plugins { id("org.hiero.gradle.build") version "0.1.3" } javaModules { // This "intermediate parent project" should be removed From 5d91721dc34e8fd2822848e4c4ee3f152a5493f8 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Fri, 20 Dec 2024 14:36:24 -0500 Subject: [PATCH 14/37] Update gradle build to 0.1.4 Signed-off-by: Andrew Brandt --- settings.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/settings.gradle.kts b/settings.gradle.kts index 5982303982c9..f1d55a92049b 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -14,7 +14,7 @@ * limitations under the License. */ -plugins { id("org.hiero.gradle.build") version "0.1.3" } +plugins { id("org.hiero.gradle.build") version "0.1.4" } javaModules { // This "intermediate parent project" should be removed From c432403d3e14d03d28dc8b7abcbeb1c375a36f32 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Fri, 20 Dec 2024 21:20:53 -0500 Subject: [PATCH 15/37] Roll version.txt back to 0.58.0 and change branch to "main" Signed-off-by: Andrew Brandt --- .releaserc | 2 +- version.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.releaserc b/.releaserc index 9711287ab04e..9fdf24d0c498 100644 --- a/.releaserc +++ b/.releaserc @@ -32,7 +32,7 @@ ], "branches":[ { - "name": "semantic-release-workflow-update" + "name": "main" }, { "name": "release/([0-9]+).([0-9]+)", 
diff --git a/version.txt b/version.txt index 857e0684c4e3..a60476bfe1c7 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -99.99.99 +0.58.0 From 68239602236993d777997d0f7f8f12d9808894a9 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Mon, 6 Jan 2025 12:39:26 -0600 Subject: [PATCH 16/37] Add releaseRules Signed-off-by: Andrew Brandt --- .releaserc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.releaserc b/.releaserc index 9fdf24d0c498..1279f7610f96 100644 --- a/.releaserc +++ b/.releaserc @@ -1,4 +1,7 @@ { + "releaseRules": [ + { "breaking": "true", "release": "minor"} + ], "plugins": [ "@semantic-release/commit-analyzer", [ From baceff2c16e209ce69ea3f2797f5b6977556d190 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:40:55 -0600 Subject: [PATCH 17/37] Add more content Signed-off-by: Andrew Brandt --- .releaserc | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/.releaserc b/.releaserc index 1279f7610f96..ae0b51cd37ea 100644 --- a/.releaserc +++ b/.releaserc @@ -13,26 +13,6 @@ "@semantic-release/git", "@semantic-release/github" ], - "verifyRelease": [ - [ - "@semantic-release/exec", - { "cmd": "echo ${nextRelease.version} > VERSION" } - ] - ], - "prepare": [ - [ - "@semantic-release/exec", - { "cmd": "./gradlew versionAsSpecified --scan -PnewVersion=${nextRelease.version}" } - ], - [ - "@semantic-release/git", - { - "assets": [ - "version.txt" - ] - } - ] - ], "branches":[ { "name": "main" From cb1178b18df12d0ee0180dc8075fa9c98d868782 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:43:22 -0600 Subject: [PATCH 18/37] Restore yaml files Signed-off-by: Andrew Brandt --- .../node-flow-deploy-release-artifact.yaml | 113 ++++++++---------- .../node-zxc-build-release-artifact.yaml | 54 ++------- 2 files changed, 63 insertions(+), 104 deletions(-) 
diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index c06f84f98e34..a66aff48bee5 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -41,6 +41,11 @@ defaults: run: shell: bash +permissions: + id-token: write + contents: read + actions: read + jobs: prepare-tag-release: name: Prepare Release [Tag] 
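Review bot: The new top-level `permissions` block grants `id-token: write` to every job in this workflow, including jobs that only compute a version string. None of the steps visible in this patch request an OIDC token, so the grant looks broader than needed; declare `id-token: write` under `permissions:` of the specific job that authenticates with it and keep the workflow default at `contents: read`. A comment naming the consumer, such as `# id-token: required by <job> for cloud authentication`, would make the grant reviewable.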
@@ -55,68 +60,30 @@ jobs: with: egress-policy: audit - - name: Checkout Code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - token: ${{ secrets.GH_ACCESS_TOKEN }} - fetch-depth: 0 - - - - name: Install GnuPG Tools - run: | - if ! command -v gpg2 >/dev/null 2>&1; then - echo "::group::Updating APT Repository Indices" - sudo apt update - echo "::endgroup::" - echo "::group::Installing GnuPG Tools" - sudo apt install -y gnupg2 - echo "::endgroup::" - fi - - - name: Import GPG key - id: gpg_key - uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - with: - gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} - passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} - git_config_global: true - git_user_signingkey: true - git_commit_gpgsign: true - git_tag_gpgsign: false - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - - name: Install Semantic Release + - name: Install Semantic Version Tools run: | - npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 - npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 - npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 - - - name: Calculate Next Version - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - run: | - npx semantic-release --dry-run - ls -al - cat VERSION + echo "::group::Download SemVer Binary" + sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver + echo "::endgroup::" + 
echo "::group::Change SemVer Binary Permissions" + sudo chmod -v +x /usr/local/bin/semver + echo "::endgroup::" + echo "::group::Show SemVer Binary Version Info" + semver --version + echo "::endgroup::" - name: Extract Tag Version id: tag run: | - cat VERSION - RELEASE_VERSION="$(cat VERSION | tr -d '[:space:]')" + RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" + PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" + + FINAL_VERSION="${RELEASE_VERSION}" PRERELEASE_FLAG="false" - [[ "${RELEASE_VERSION}" == *"-"* ]] && PRERELEASE_FLAG="true" + [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" + [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" - echo "version=${RELEASE_VERSION}" >>"${GITHUB_OUTPUT}" + echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" release-tag: 
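Review bot: `Install Semantic Version Tools` downloads `semver` from the `master` branch of another repository with `sudo curl -L` and marks it executable without any integrity check, so whatever that branch serves at run time is executed in the release job, unlike the actions in this file, which are pinned to commit SHAs. Pin the URL to a commit (`.../semver-tool/<commit-sha>/src/semver`) and verify a recorded digest, e.g. `echo "<sha256>  /usr/local/bin/semver" | sha256sum -c -`, before the `chmod`. In `Extract Tag Version`, `"${{ github.ref_name }}"` is expanded into the script text, so the tag name is parsed as part of the shell script; pass it as `REF_NAME: ${{ github.ref_name }}` under `env:` and use `"${REF_NAME}"`.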
@@ -188,28 +155,52 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: '0' - ref: develop + ref: main token: ${{ secrets.GH_ACCESS_TOKEN }} - - name: Trigger ZXF Prepare Extended Test Suite + - name: Check Prep XTS Job State + id: check-xts-job if: ${{ needs.release-branch.result == 'success' }} + env: + GH_TOKEN: ${{ github.token }} + run: | + JOB_ENABLED="true" + JOB_STATE=$(gh workflow list --all --json name,state | jq -r '.[]|select(.name=="ZXF: Prepare Extended Test Suite")|.state') + [[ "${JOB_STATE}" == "disabled_manually" ]] && JOB_ENABLED="false" + echo "enabled=${JOB_ENABLED}" >> $GITHUB_OUTPUT + + - name: Trigger ZXF Prepare Extended Test Suite + if: ${{ needs.release-branch.result == 'success' && steps.check-xts-job.outputs.enabled == 'true' }} uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 with: workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: develop # ensure we are always using the workflow definition from the develop branch + ref: main # ensure we are always using the workflow definition from the main branch token: ${{ secrets.GH_ACCESS_TOKEN }} inputs: '{ "ref": "${{ inputs.ref }}" }' - - name: Trigger ZXF Deploy Integration + - name: Check Integration Job State + id: check-integration-job if: ${{ needs.release-branch.result == 'success' && + (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && + !cancelled() }} + env: + GH_TOKEN: ${{ github.token }} + run: | + JOB_ENABLED="true" + JOB_STATE=$(gh workflow list --all --json name,state | jq -r '.[]|select(.name=="ZXF: [Node] Deploy Integration Network Release")|.state') + [[ "${JOB_STATE}" == "disabled_manually" ]] && JOB_ENABLED="false" + echo "enabled=${JOB_ENABLED}" >> $GITHUB_OUTPUT + + - name: Trigger ZXF Deploy Integration + if: ${{ needs.release-branch.result == 'success' && 
steps.check-integration-job.outputs.enabled == 'true' && (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && !cancelled() }} uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 with: workflow: .github/workflows/node-zxf-deploy-integration.yaml repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: develop # ensure we are always using the workflow definition from the develop branch + ref: main # ensure we are always using the workflow definition from the main branch token: ${{ secrets.GH_ACCESS_TOKEN }} inputs: '{ "ref": "${{ inputs.ref }}", @@ -233,7 +224,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ secrets.GH_ACCESS_TOKEN }} - ref: develop + ref: main fetch-depth: '0' - name: Checkout Hedera Protobufs Code diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index e97b20411059..8fbbda4dbbb5 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml 
@@ -147,36 +147,6 @@ jobs: semver --version echo "::endgroup::" - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - - name: Install Semantic Release - run: | - npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 - npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 - npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 - - - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - - - name: Calculate Next Version - if: ${{ inputs.version-policy == 'specified' }} - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - run: | - npx semantic-release --dry-run - ls -al - cat VERSION - - name: Verify Workflow Parameters id: parameters run: | @@ -205,14 +175,17 @@ jobs: exit 2 fi + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Setup Java - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 + uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: distribution: ${{ inputs.java-distribution }} java-version: ${{ inputs.java-version }} - name: Setup Gradle - uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 + uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 with: gradle-version: ${{ inputs.gradle-version }} 
@@ -227,12 +200,7 @@ jobs: - name: Compute Final Effective Version id: effective-version run: | - if [[ "${{ inputs.version-policy }}" == "specified" ]]; then - EFF_VERSION="${{ inputs.new-version }}" - else - EFF_VERSION="$(cat VERSION | tr -d '[:space:]')" - fi - + EFF_VERSION="$(./gradlew showVersion --quiet | tr -d '[:space:]')" PRERELEASE_SUFFIX="$(semver get prerel "${EFF_VERSION}")" PRERELEASE="false" [[ -n "${PRERELEASE_SUFFIX}" ]] && PRERELEASE="true" @@ -316,13 +284,13 @@ jobs: if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} - name: Setup Java - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 + uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: distribution: ${{ inputs.java-distribution }} java-version: ${{ inputs.java-version }} - name: Setup Gradle - uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 + uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 with: gradle-version: ${{ inputs.gradle-version }} @@ -607,7 +575,7 @@ jobs: service_account: "swirlds-automation@hedera-registry.iam.gserviceaccount.com" - name: Setup JFrog CLI - uses: jfrog/setup-jfrog-cli@dff217c085c17666e8849ebdbf29c8fe5e3995e6 # v4.5.2 + uses: jfrog/setup-jfrog-cli@f0a84f35b0e0bd21838c5fb3e6788072d6540d13 # v4.5.5 env: JF_URL: ${{ secrets.jf-url }} JF_ACCESS_TOKEN: ${{ secrets.jf-access-token }} 
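Review bot: `EFF_VERSION` is now whatever `./gradlew showVersion --quiet` prints with all whitespace deleted, and nothing checks that it is a version before it reaches `semver get prerel` and the step outputs. Any extra line Gradle writes to stdout would be glued onto the value by `tr -d '[:space:]'`. A guard right after the assignment, for example `[[ "${EFF_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+].*)?$ ]] || { echo "::error::unexpected version '${EFF_VERSION}'"; exit 1; }`, would stop a malformed value from flowing into the cache keys and image tags that use this output elsewhere on the page. The `run` body continues past the end of the hunk.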
@@ -746,13 +714,13 @@ jobs: if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} - name: Setup Java - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 + uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: distribution: ${{ inputs.java-distribution }} java-version: ${{ inputs.java-version }} - name: Setup Gradle - uses: gradle/actions/setup-gradle@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1 + uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 with: gradle-version: ${{ inputs.gradle-version }} From a291a713a6782a648f292f89d6aa2bf2629b499b Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:50:16 -0600 Subject: [PATCH 19/37] Fix yaml file Signed-off-by: Andrew Brandt --- .github/workflows/node-flow-deploy-release-artifact.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index a66aff48bee5..ef255ef5ce1a 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -182,8 +182,8 @@ jobs: - name: Check Integration Job State id: check-integration-job if: ${{ needs.release-branch.result == 'success' && - (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && - !cancelled() }} + (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && + !cancelled() }} env: GH_TOKEN: ${{ github.token }} run: | 
@@ -264,4 +264,4 @@ jobs: commit: --signoff message: "ci: Copied recent protobuf changes from hedera-services" new_branch: "update-recent-protobuf-changes-${{ github.run_number }}" - tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' + tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' \ No newline at end of file From 50490cef25096bc1f4735b2b293c5d0dd1a18bc6 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:51:29 -0600 Subject: [PATCH 20/37] Fix yaml files Signed-off-by: Andrew Brandt --- .../node-flow-deploy-release-artifact.yaml | 182 +++++++----------- .../node-zxc-build-release-artifact.yaml | 156 ++++++++++----- 2 files changed, 173 insertions(+), 165 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index ef255ef5ce1a..19164cf044a7 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -41,11 +41,6 @@ defaults: run: shell: bash -permissions: - id-token: write - contents: read - actions: read - jobs: prepare-tag-release: name: Prepare Release [Tag] 
@@ -56,34 +51,72 @@ jobs: prerelease: ${{ steps.tag.outputs.prerelease }} steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit - - name: Install Semantic Version Tools + - name: Checkout Code + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + with: + token: ${{ secrets.GH_ACCESS_TOKEN }} + fetch-depth: 0 + + + - name: Install GnuPG Tools run: | - echo "::group::Download SemVer Binary" - sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver - echo "::endgroup::" - echo "::group::Change SemVer Binary Permissions" - sudo chmod -v +x /usr/local/bin/semver - echo "::endgroup::" - echo "::group::Show SemVer Binary Version Info" - semver --version - echo "::endgroup::" + if ! command -v gpg2 >/dev/null 2>&1; then + echo "::group::Updating APT Repository Indices" + sudo apt update + echo "::endgroup::" + echo "::group::Installing GnuPG Tools" + sudo apt install -y gnupg2 + echo "::endgroup::" + fi + + - name: Import GPG key + id: gpg_key + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 + with: + gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} + git_config_global: true + git_user_signingkey: true + git_commit_gpgsign: true + git_tag_gpgsign: false + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 20 + + - name: Install Semantic Release + run: | + npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 + npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 + npm install -g marked-mangle@1.0.1 
marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 + + - name: Calculate Next Version + env: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + run: | + npx semantic-release --dry-run + ls -al + cat VERSION - name: Extract Tag Version id: tag run: | - RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" - PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" - - FINAL_VERSION="${RELEASE_VERSION}" + cat VERSION + RELEASE_VERSION="$(cat VERSION | tr -d '[:space:]')" PRERELEASE_FLAG="false" - [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" - [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + [[ "${RELEASE_VERSION}" == *"-"* ]] && PRERELEASE_FLAG="true" - echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" + echo "version=${RELEASE_VERSION}" >>"${GITHUB_OUTPUT}" echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" release-tag: @@ -147,7 +180,7 @@ jobs: - release-branch steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit 
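Review bot: The added `Import GPG key` step loads the signing key (with `git_config_global: true`) before `Install Semantic Release` runs `npm install -g` on a dozen packages and before `npx semantic-release --dry-run` receives `NPM_TOKEN` and `GITHUB_TOKEN`, so every install script and transitive dependency of those packages executes next to the key, the tokens and the `GH_ACCESS_TOKEN` that the checkout step leaves in the git config. The packages are pinned by version only, so their dependency trees are resolved fresh on each run. Nothing visible in this job signs or publishes (the later step only reads `VERSION`), so the GPG import and `NPM_TOKEN` look removable here; failing that, install from a committed lockfile with `npm ci --ignore-scripts` and add `persist-credentials: false` to the checkout. The same patch deletes the workflow-level `permissions:` block in the preceding hunk, which leaves the scope of `GITHUB_TOKEN` to the repository default, and the same install and dry-run steps are re-added in node-zxc-build-release-artifact.yaml (hunk `-147,6 +146,36`).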
@@ -155,113 +188,32 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: '0' - ref: main + ref: develop token: ${{ secrets.GH_ACCESS_TOKEN }} - - name: Check Prep XTS Job State - id: check-xts-job - if: ${{ needs.release-branch.result == 'success' }} - env: - GH_TOKEN: ${{ github.token }} - run: | - JOB_ENABLED="true" - JOB_STATE=$(gh workflow list --all --json name,state | jq -r '.[]|select(.name=="ZXF: Prepare Extended Test Suite")|.state') - [[ "${JOB_STATE}" == "disabled_manually" ]] && JOB_ENABLED="false" - echo "enabled=${JOB_ENABLED}" >> $GITHUB_OUTPUT - - name: Trigger ZXF Prepare Extended Test Suite - if: ${{ needs.release-branch.result == 'success' && steps.check-xts-job.outputs.enabled == 'true' }} + if: ${{ needs.release-branch.result == 'success' }} uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 with: workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: main # ensure we are always using the workflow definition from the main branch + ref: develop # ensure we are always using the workflow definition from the develop branch token: ${{ secrets.GH_ACCESS_TOKEN }} inputs: '{ "ref": "${{ inputs.ref }}" }' - - name: Check Integration Job State - id: check-integration-job - if: ${{ needs.release-branch.result == 'success' && - (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && - !cancelled() }} - env: - GH_TOKEN: ${{ github.token }} - run: | - JOB_ENABLED="true" - JOB_STATE=$(gh workflow list --all --json name,state | jq -r '.[]|select(.name=="ZXF: [Node] Deploy Integration Network Release")|.state') - [[ "${JOB_STATE}" == "disabled_manually" ]] && JOB_ENABLED="false" - echo "enabled=${JOB_ENABLED}" >> $GITHUB_OUTPUT - - name: Trigger ZXF Deploy Integration - if: ${{ needs.release-branch.result == 'success' && steps.check-integration-job.outputs.enabled == 'true' 
&& + if: ${{ needs.release-branch.result == 'success' && (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && !cancelled() }} uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 with: workflow: .github/workflows/node-zxf-deploy-integration.yaml repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: main # ensure we are always using the workflow definition from the main branch + ref: develop # ensure we are always using the workflow definition from the develop branch token: ${{ secrets.GH_ACCESS_TOKEN }} inputs: '{ - "ref": "${{ inputs.ref }}", - "author": "${{ inputs.author }}", - "msg": "${{ inputs.msg }}", - "sha": "${{ inputs.sha }}" - }' - - update-hedera-protobufs: - name: Update Hedera Protobufs - runs-on: network-node-linux-medium - needs: - - prepare-tag-release - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Checkout Hedera Services Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.GH_ACCESS_TOKEN }} - ref: main - fetch-depth: '0' - - - name: Checkout Hedera Protobufs Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.PROTOBUFS_GH_ACCESS_TOKEN }} - fetch-depth: '0' - repository: hashgraph/hedera-protobufs - path: hedera-protobufs - - - name: Install rsync - run: sudo apt update && sudo apt -y install rsync - - - name: Update the folders owned by Services - working-directory: hedera-protobufs - run: | - git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || true - git tag --delete v${{ needs.prepare-tag-release.outputs.version }} || true - rsync -a --delete ../hapi/hedera-protobufs/services/ services/ - - - name: Import GPG key for commit signoff - id: gpg_import - uses: 
step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - with: - gpg_private_key: ${{ secrets.PROTOBUFS_GPG_KEY_CONTENTS }} - passphrase: ${{ secrets.PROTOBUFS_GPG_KEY_PASSPHRASE }} - git_user_signingkey: true - git_commit_gpgsign: true - git_tag_gpgsign: true - - - name: Add & Commit - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 - with: - cwd: 'hedera-protobufs' - author_name: swirlds-eng-automation - author_email: ${{ secrets.PROTOBUFS_GPG_USER_EMAIL }} - commit: --signoff - message: "ci: Copied recent protobuf changes from hedera-services" - new_branch: "update-recent-protobuf-changes-${{ github.run_number }}" - tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' \ No newline at end of file + "ref": "${{ inputs.ref }}", + "author": "${{ inputs.author }}", + "msg": "${{ inputs.msg }}", + "sha": "${{ inputs.sha }}" + }' diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index 8fbbda4dbbb5..f88be67d0bbf 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml @@ -1,5 +1,5 @@ ## -# Copyright (C) 2024 Hedera Hashgraph, LLC +# Copyright (C) 2022-2024 Hedera Hashgraph, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -118,7 +118,6 @@ jobs: validate: name: Validate runs-on: network-node-linux-large - if: ${{ !github.event.workflow_call.repository.fork }} outputs: branch-name: ${{ steps.parameters.outputs.branch-name }} branch-name-lower: ${{ steps.parameters.outputs.branch-name-lower }} 
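Review bot: The `inputs:` payload of `Trigger ZXF Deploy Integration` is assembled by pasting `${{ inputs.author }}`, `${{ inputs.msg }}` and `${{ inputs.sha }}` between hand-written quotes, so a value containing `"` or `\` produces malformed JSON or adds keys the caller did not intend. Let the expression engine do the escaping: `"msg": ${{ toJSON(inputs.msg) }}`, and likewise for `ref`, `author` and `sha`. The same applies to the single-key payload of `Trigger ZXF Prepare Extended Test Suite` earlier in the hunk. Both dispatch steps run with `secrets.GH_ACCESS_TOKEN`, so the payload is worth keeping well-formed.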
@@ -131,7 +130,7 @@ jobs: prerelease: ${{ steps.effective-version.outputs.prerelease }} steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit @@ -147,6 +146,36 @@ jobs: semver --version echo "::endgroup::" + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 20 + + - name: Install Semantic Release + run: | + npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 + npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 + npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 + + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Calculate Next Version + if: ${{ inputs.version-policy == 'specified' }} + env: + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} + GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} + run: | + npx semantic-release --dry-run + ls -al + cat VERSION + - name: Verify Workflow Parameters id: parameters run: | 
@@ -175,32 +204,40 @@ jobs: exit 2 fi - - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Setup Java - uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: ${{ inputs.java-distribution }} java-version: ${{ inputs.java-version }} - name: Setup Gradle - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 with: gradle-version: ${{ inputs.gradle-version }} - name: Gradle Update Version (As Specified) + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 if: ${{ inputs.version-policy == 'specified' && !cancelled() && !failure() }} - run: ./gradlew versionAsSpecified -PnewVersion=${{ inputs.new-version }} --scan + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: versionAsSpecified -PnewVersion=${{ inputs.new-version }} --scan - name: Gradle Update Version (Branch Commit) + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 if: ${{ inputs.version-policy != 'specified' && !cancelled() && !failure() }} - run: ./gradlew versionAsPrefixedCommit -PcommitPrefix=${{ steps.parameters.outputs.commit-prefix }} --scan + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: versionAsPrefixedCommit -PcommitPrefix=${{ steps.parameters.outputs.commit-prefix }} --scan - name: Compute Final Effective Version id: effective-version run: | - EFF_VERSION="$(./gradlew showVersion --quiet | tr -d '[:space:]')" + if [[ "${{ inputs.version-policy }}" == "specified" ]]; then + EFF_VERSION="${{ inputs.new-version }}" + else + EFF_VERSION="$(cat VERSION | tr -d '[:space:]')" + fi + PRERELEASE_SUFFIX="$(semver get prerel "${EFF_VERSION}")" PRERELEASE="false" [[ -n "${PRERELEASE_SUFFIX}" ]] && PRERELEASE="true" 
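Review bot: `Compute Final Effective Version` now expands `${{ inputs.version-policy }}` and `${{ inputs.new-version }}` directly inside the shell script, so the input text becomes part of the script before bash parses it. Pass the values through the environment instead: `env: NEW_VERSION: ${{ inputs.new-version }}` on the step and `EFF_VERSION="${NEW_VERSION}"` in the body. Separately, the `else` branch reads `VERSION`, but the `Calculate Next Version` step added in the previous hunk runs only when `inputs.version-policy == 'specified'`, so on the branch-commit path the file is either a checked-in copy or missing; that condition looks inverted and should be confirmed. The `run` body continues past the end of the hunk.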
@@ -213,7 +250,7 @@ jobs: echo "prerelease=${PRERELEASE}" >>"${GITHUB_OUTPUT}" - name: Cache Build Version - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: path: version.txt key: node-build-version-${{ steps.effective-version.outputs.number }}-${{ github.sha }} @@ -225,7 +262,7 @@ jobs: - validate steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit 
@@ -273,46 +310,52 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Authenticate to Google Cloud - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} with: workload_identity_provider: "projects/235822363393/locations/global/workloadIdentityPools/hedera-builds-pool/providers/hedera-builds-gh-actions" service_account: "hedera-artifact-builds@devops-1-254919.iam.gserviceaccount.com" - name: Setup Google Cloud SDK - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 + uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} - name: Setup Java - uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: ${{ inputs.java-distribution }} java-version: ${{ inputs.java-version }} - name: Setup Gradle - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 with: gradle-version: ${{ inputs.gradle-version }} - name: Restore Build Version - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: fail-on-cache-miss: true path: version.txt key: node-build-version-${{ needs.validate.outputs.version }}-${{ github.sha }} - name: Cache Build Artifacts - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: path: ~/artifact-build key: node-build-artifacts-${{ needs.validate.outputs.version }}-${{ github.sha }} 
- name: Gradle Assemble id: gradle-build - run: ./gradlew assemble --scan + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: assemble --scan - name: Gradle Version Summary - run: ./gradlew githubVersionSummary --scan + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: githubVersionSummary --scan - name: Stage Artifact Build Folder id: artifact-staging @@ -361,7 +404,7 @@ jobs: sha384sum "${ARTIFACT_NAME}.zip" | tee "${ARTIFACT_NAME}.sha384" - name: Upload Artifacts (DevOps GCP Bucket) - uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 + uses: google-github-actions/upload-cloud-storage@22121cd842b0d185e042e28d969925b538c33d77 # v2.1.0 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} with: path: ${{ steps.artifact-release.outputs.folder }} @@ -369,7 +412,7 @@ jobs: parent: false - name: Upload Artifacts (CDN Bucket) - uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 + uses: google-github-actions/upload-cloud-storage@22121cd842b0d185e042e28d969925b538c33d77 # v2.1.0 if: ${{ inputs.dry-run-enabled != true && needs.validate.outputs.prerelease != 'true' && !cancelled() && !failure() }} with: path: ${{ steps.artifact-release.outputs.folder }} @@ -382,9 +425,10 @@ jobs: needs: - validate - build-artifact + steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit 
@@ -393,7 +437,7 @@ jobs: - name: Authenticate to Google Cloud id: google-auth - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} with: token_format: 'access_token' @@ -417,10 +461,10 @@ jobs: echo "docker-tag-base=${DOCKER_TAG_BASE}" >>"${GITHUB_OUTPUT}" - name: Setup QEmu Support - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Setup Docker Buildx Support - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: version: v0.16.2 driver-opts: network=host @@ -441,7 +485,7 @@ jobs: password: ${{ steps.google-auth.outputs.access_token }} - name: Restore Build Artifacts - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: fail-on-cache-miss: true path: ~/artifact-build @@ -453,7 +497,7 @@ jobs: cp -rvf ~/artifact-build/* hedera-node/infrastructure/docker/containers/local-node/main-network-node/sdk/ - name: Build Haveged Image - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: push: true platforms: linux/amd64,linux/arm64 @@ -461,7 +505,7 @@ jobs: tags: ${{ steps.set-registry.outputs.docker-tag-base }}/network-node-haveged:${{ needs.validate.outputs.version }} - name: Build Base Image - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: push: true platforms: linux/amd64,linux/arm64 
@@ -469,7 +513,7 @@ jobs: tags: ${{ steps.set-registry.outputs.docker-tag-base }}/network-node-base:${{ needs.validate.outputs.version }} - name: Build Network Node Image - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: push: true platforms: linux/amd64,linux/arm64 @@ -559,7 +603,7 @@ jobs: if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit @@ -568,14 +612,14 @@ jobs: - name: Authenticate to Google Cloud id: google-auth - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: token_format: 'access_token' workload_identity_provider: "projects/235822363393/locations/global/workloadIdentityPools/hedera-builds-pool/providers/hedera-builds-gh-actions" service_account: "swirlds-automation@hedera-registry.iam.gserviceaccount.com" - name: Setup JFrog CLI - uses: jfrog/setup-jfrog-cli@f0a84f35b0e0bd21838c5fb3e6788072d6540d13 # v4.5.5 + uses: jfrog/setup-jfrog-cli@9fe0f98bd45b19e6e931d457f4e98f8f84461fb5 # v4.4.1 env: JF_URL: ${{ secrets.jf-url }} JF_ACCESS_TOKEN: ${{ secrets.jf-access-token }} @@ -658,7 +702,7 @@ jobs: fi - name: Upload Manifests - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: ${{ (steps.gcp.outcome == 'success' || steps.jfrog.outcome == 'success') && !cancelled() && always() }} with: name: Production Image Manifests 
@@ -672,7 +716,7 @@ jobs: if: ${{ inputs.release-profile != 'none' }} steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit 
@@ -704,38 +748,44 @@ jobs: - name: Authenticate to Google Cloud id: google-auth - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 + uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 with: workload_identity_provider: "projects/229164983194/locations/global/workloadIdentityPools/registry-identity-pool/providers/gh-provider" service_account: "artifact-deployer@swirlds-registry.iam.gserviceaccount.com" - name: Setup Google Cloud SDK - uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 + uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} - name: Setup Java - uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: ${{ inputs.java-distribution }} java-version: ${{ inputs.java-version }} - name: Setup Gradle - uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4.2.2 + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 with: gradle-version: ${{ inputs.gradle-version }} - name: Restore Build Version - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 + uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 with: fail-on-cache-miss: true path: version.txt key: node-build-version-${{ needs.validate.outputs.version }}-${{ github.sha }} - name: Gradle Assemble - run: ./gradlew assemble --scan + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: assemble --scan - name: Gradle Version Summary - run: ./gradlew githubVersionSummary --scan + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 + with: + gradle-version: ${{ 
inputs.gradle-version }} + arguments: githubVersionSummary --scan - name: Stage SDK Release Archives working-directory: platform-sdk 
@@ -810,18 +860,24 @@ jobs: echo "::endgroup::" - name: Gradle Publish Platform to ${{ inputs.version-policy == 'specified' && 'Maven Central' || 'Google Artifact Registry' }} (${{ inputs.release-profile }}) + uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 if: ${{ inputs.dry-run-enabled != true && inputs.release-profile != 'none' && !cancelled() && !failure() }} env: NEXUS_USERNAME: ${{ secrets.sdk-ossrh-username }} NEXUS_PASSWORD: ${{ secrets.sdk-ossrh-password }} - run: ./gradlew release${{ inputs.release-profile }} -PpublishingPackageGroup=com.swirlds -Ps01SonatypeHost=true -PpublishSigningEnabled=true --scan --no-configuration-cache + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: "release${{ inputs.release-profile }} -PpublishingPackageGroup=com.swirlds -Ps01SonatypeHost=true -PpublishSigningEnabled=true --scan --no-configuration-cache" - name: Gradle Publish Services to ${{ inputs.version-policy == 'specified' && 'Maven Central' || 'Google Artifact Registry' }} (${{ inputs.release-profile }}) + uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0 if: ${{ inputs.dry-run-enabled != true && inputs.release-profile != 'none' && !cancelled() && !failure() }} env: NEXUS_USERNAME: ${{ secrets.svcs-ossrh-username }} NEXUS_PASSWORD: ${{ secrets.svcs-ossrh-password }} - run: ./gradlew release${{ inputs.release-profile }} -PpublishingPackageGroup=com.hedera.hashgraph -PpublishSigningEnabled=true --scan --no-configuration-cache + with: + gradle-version: ${{ inputs.gradle-version }} + arguments: "release${{ inputs.release-profile }} -PpublishingPackageGroup=com.hedera.hashgraph -PpublishSigningEnabled=true --scan --no-configuration-cache" - name: Upload SDK Release Archives if: ${{ inputs.dry-run-enabled != true && inputs.version-policy == 'specified' && !cancelled() && !failure() }} 
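Review bot: The two publish steps are parallel but now run through different actions: the Platform step uses `gradle/actions/setup-gradle` (commented v3.4.2) and the Services step uses `gradle/gradle-build-action` (commented v3.5.0), and each receives `NEXUS_USERNAME`/`NEXUS_PASSWORD`. Using one action for both keeps a single pinned dependency in the path that handles the publishing credentials. If the difference is deliberate, a comment on the Services step saying why would save the next reader the question.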
@@ -842,7 +898,7 @@ jobs: if: ${{ inputs.dry-run-enabled != true && inputs.version-policy == 'specified' && !cancelled() && !failure() }} steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit @@ -864,11 +920,11 @@ jobs: echo "artifact-registry=${ARTIFACT_REGISTRY}" >>"${GITHUB_OUTPUT}" - name: Send Slack Notification (Maven Central) - uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 + uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 + env: + SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK + SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }} with: - webhook: ${{ secrets.slack-webhook-url }} - webhook-type: incoming-webhook - payload-templated: true payload: | { "attachments": [ From d4780dd621e5920a47944fe27b01cb819693cd74 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:52:41 -0600 Subject: [PATCH 21/37] More yaml file modifications Signed-off-by: Andrew Brandt --- .../node-flow-deploy-release-artifact.yaml | 277 ++++++++++-------- 1 file changed, 159 insertions(+), 118 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index 19164cf044a7..a09fbd473629 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -13,7 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. ## - name: "ZXF: Deploy Production Release" on: push: @@ -36,11 +35,9 @@ on: required: false description: "The commit ID of the commit that triggered the workflow" default: "" - defaults: run: shell: bash - jobs: prepare-tag-release: name: Prepare Release [Tag] 
@@ -51,102 +48,76 @@ jobs: prerelease: ${{ steps.tag.outputs.prerelease }} steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - - name: Checkout Code - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - token: ${{ secrets.GH_ACCESS_TOKEN }} - fetch-depth: 0 - - - - name: Install GnuPG Tools + - name: Install Semantic Version Tools run: | - if ! command -v gpg2 >/dev/null 2>&1; then - echo "::group::Updating APT Repository Indices" - sudo apt update - echo "::endgroup::" - echo "::group::Installing GnuPG Tools" - sudo apt install -y gnupg2 - echo "::endgroup::" - fi - - - name: Import GPG key - id: gpg_key - uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - with: - gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} - passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }} - git_config_global: true - git_user_signingkey: true - git_commit_gpgsign: true - git_tag_gpgsign: false - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - - name: Install Semantic Release - run: | - npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 - npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 - npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 - - - name: Calculate Next Version - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL 
}} - run: | - npx semantic-release --dry-run - ls -al - cat VERSION - + echo "::group::Download SemVer Binary" + sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver + echo "::endgroup::" + echo "::group::Change SemVer Binary Permissions" + sudo chmod -v +x /usr/local/bin/semver + echo "::endgroup::" + echo "::group::Show SemVer Binary Version Info" + semver --version + echo "::endgroup::" - name: Extract Tag Version id: tag run: | - cat VERSION - RELEASE_VERSION="$(cat VERSION | tr -d '[:space:]')" + RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" + PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" + FINAL_VERSION="${RELEASE_VERSION}" PRERELEASE_FLAG="false" - [[ "${RELEASE_VERSION}" == *"-"* ]] && PRERELEASE_FLAG="true" - - echo "version=${RELEASE_VERSION}" >>"${GITHUB_OUTPUT}" + [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" + [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" - release-tag: - name: Release [Tag] - uses: ./.github/workflows/node-zxc-build-release-artifact.yaml - needs: - - prepare-tag-release - with: - version-policy: specified - new-version: ${{ needs.prepare-tag-release.outputs.version }} - trigger-env-deploy: none - release-profile: ${{ needs.prepare-tag-release.outputs.prerelease == 'true' && 'PrereleaseChannel' || 'MavenCentral' }} - secrets: - access-token: ${{ secrets.GITHUB_TOKEN }} - bucket-name: ${{ secrets.RELEASE_ARTIFACT_BUCKET_NAME }} - cdn-bucket-name: ${{ secrets.CDN_ARTIFACT_BUCKET_NAME }} - svcs-ossrh-username: ${{ secrets.SVCS_OSSRH_USERNAME }} - svcs-ossrh-password: ${{ secrets.SVCS_OSSRH_PASSWORD }} - svcs-gpg-key-contents: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} - svcs-gpg-key-passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} - sdk-ossrh-username: ${{ 
secrets.PLATFORM_OSSRH_USERNAME }} - sdk-ossrh-password: ${{ secrets.PLATFORM_OSSRH_PASSWORD }} - sdk-gpg-key-contents: ${{ secrets.PLATFORM_GPG_KEY_CONTENTS }} - sdk-gpg-key-passphrase: ${{ secrets.PLATFORM_GPG_KEY_PASSPHRASE }} - slack-webhook-url: ${{ secrets.PLATFORM_SLACK_RELEASE_WEBHOOK }} - jf-url: ${{ vars.JF_URL }} - jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} - jf-user-name: ${{ vars.JF_USER_NAME }} - jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} + + + + + + + Expand Down + + + + + + Expand Up + + @@ -142,7 +180,7 @@ jobs: + + name: Release [Tag] + uses: ./.github/workflows/node-zxc-build-release-artifact.yaml + needs: + - prepare-tag-release + with: + version-policy: specified + new-version: ${{ needs.prepare-tag-release.outputs.version }} + trigger-env-deploy: none + release-profile: ${{ needs.prepare-tag-release.outputs.prerelease == 'true' && 'PrereleaseChannel' || 'MavenCentral' }} + secrets: + access-token: ${{ secrets.GITHUB_TOKEN }} + bucket-name: ${{ secrets.RELEASE_ARTIFACT_BUCKET_NAME }} + cdn-bucket-name: ${{ secrets.CDN_ARTIFACT_BUCKET_NAME }} + svcs-ossrh-username: ${{ secrets.SVCS_OSSRH_USERNAME }} + svcs-ossrh-password: ${{ secrets.SVCS_OSSRH_PASSWORD }} + svcs-gpg-key-contents: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} + svcs-gpg-key-passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} + sdk-ossrh-username: ${{ secrets.PLATFORM_OSSRH_USERNAME }} + sdk-ossrh-password: ${{ secrets.PLATFORM_OSSRH_PASSWORD }} + sdk-gpg-key-contents: ${{ secrets.PLATFORM_GPG_KEY_CONTENTS }} + sdk-gpg-key-passphrase: ${{ secrets.PLATFORM_GPG_KEY_PASSPHRASE }} + slack-webhook-url: ${{ secrets.PLATFORM_SLACK_RELEASE_WEBHOOK }} + jf-url: ${{ vars.JF_URL }} + jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} + jf-user-name: ${{ vars.JF_USER_NAME }} + jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} release-branch: name: Release [Branch] uses: ./.github/workflows/node-zxc-build-release-artifact.yaml 
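Review bot: The `Extract Tag Version` step expands `${{ github.ref_name }}` straight into the script (`semver get release "${{ github.ref_name }}"`), so the tag name becomes part of the script text before bash parses it, and the trigger pattern `v[0-9]+.[0-9]+.[0-9]+-?*` shown later on this page leaves the suffix unconstrained. Pass the value through the environment instead: add `env: REF_NAME: ${{ github.ref_name }}` to the step and call `semver get release "${REF_NAME}"` and `semver get prerel "${REF_NAME}"`. The same lines are re-added by the `prepare-tag-release` hunks of PATCH 22/37 and PATCH 23/37. Separately, this hunk adds lines reading `Expand Down`, `Expand Up` and `@@ -142,7 +180,7 @@ jobs:` to the workflow, which look like text pasted from a rendered diff page and should be dropped.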
@@ -172,48 +143,118 @@ jobs: jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} jf-user-name: ${{ vars.JF_USER_NAME }} jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} - deploy-ci-trigger: - name: Trigger CI Flows + name: Trigger CI Flows + runs-on: network-node-linux-medium + needs: + - release-branch + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + + + + + + + + Expand Down + + + + + + Expand Up + + 
@@ -174,65 +212,8 @@ jobs: + + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: '0' + ref: develop + token: ${{ secrets.GH_ACCESS_TOKEN }} + - name: Trigger ZXF Prepare Extended Test Suite + if: ${{ needs.release-branch.result == 'success' }} + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ "ref": "${{ inputs.ref }}" }' + - name: Trigger ZXF Deploy Integration + if: ${{ needs.release-branch.result == 'success' && + (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && + !cancelled() }} + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/node-zxf-deploy-integration.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ + "ref": "${{ inputs.ref }}", + "author": "${{ inputs.author }}", + "msg": "${{ inputs.msg }}", + "sha": "${{ inputs.sha }}" + }' + + update-hedera-protobufs: + name: Update Hedera Protobufs runs-on: network-node-linux-medium needs: - - release-branch + - prepare-tag-release steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - - name: Checkout Code + - name: Checkout Hedera Services Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: '0' - ref: develop token: ${{ 
secrets.GH_ACCESS_TOKEN }} + ref: develop + fetch-depth: '0' - - name: Trigger ZXF Prepare Extended Test Suite - if: ${{ needs.release-branch.result == 'success' }} - uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + - name: Checkout Hedera Protobufs Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml - repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: develop # ensure we are always using the workflow definition from the develop branch - token: ${{ secrets.GH_ACCESS_TOKEN }} - inputs: '{ "ref": "${{ inputs.ref }}" }' + token: ${{ secrets.PROTOBUFS_GH_ACCESS_TOKEN }} + fetch-depth: '0' + repository: hashgraph/hedera-protobufs + path: hedera-protobufs + + - name: Install rsync + run: sudo apt update && sudo apt -y install rsync - - name: Trigger ZXF Deploy Integration - if: ${{ needs.release-branch.result == 'success' && - (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && - !cancelled() }} - uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + - name: Update the folders owned by Services + working-directory: hedera-protobufs + run: | + git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || true + git tag --delete v${{ needs.prepare-tag-release.outputs.version }} || true + rsync -a --delete ../hapi/hedera-protobufs/services/ services/ + - name: Import GPG key for commit signoff + id: gpg_import + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 with: - workflow: .github/workflows/node-zxf-deploy-integration.yaml - repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: develop # ensure we are always using the workflow definition from the develop branch - token: ${{ secrets.GH_ACCESS_TOKEN }} - inputs: '{ - "ref": "${{ inputs.ref }}", - "author": "${{ 
inputs.author }}", - "msg": "${{ inputs.msg }}", - "sha": "${{ inputs.sha }}" - }' + gpg_private_key: ${{ secrets.PROTOBUFS_GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.PROTOBUFS_GPG_KEY_PASSPHRASE }} + git_user_signingkey: true + git_commit_gpgsign: true + git_tag_gpgsign: true + + - name: Add & Commit + uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 + with: + cwd: 'hedera-protobufs' + author_name: swirlds-eng-automation + author_email: ${{ secrets.PROTOBUFS_GPG_USER_EMAIL }} + commit: --signoff + message: "ci: Copied recent protobuf changes from hedera-services" + new_branch: "update-recent-protobuf-changes-${{ github.run_number }}" + tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' \ No newline at end of file From e63d0e757055a6ac1c4b5408400fbf408d93dce0 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:54:07 -0600 Subject: [PATCH 22/37] Fixed Signed-off-by: Andrew Brandt --- .../node-flow-deploy-release-artifact.yaml | 364 +++++++++--------- 1 file changed, 190 insertions(+), 174 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index a09fbd473629..c8e05ee67f2a 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -13,11 +13,23 @@ # See the License for the specific language governing permissions and # limitations under the License. ## + name: "ZXF: Deploy Production Release" on: push: - tags: - - "v[0-9]+.[0-9]+.[0-9]+-?*" + + + + + + + + Expand All + + @@ -36,11 +35,9 @@ on: + + tags: + - "v[0-9]+.[0-9]+.[0-9]+-?*" workflow_dispatch: inputs: ref: 
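Review bot: The `Update the folders owned by Services` step removes any existing version tag from the hedera-protobufs remote (`git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || true`) before `Add & Commit` creates it again, so an already published release tag can come to point at different content on a re-run. Anyone resolving the tag rather than a commit has no way to notice that. I would fail the job when the tag already exists instead of deleting it, for example `if git ls-remote --exit-code --tags origin "refs/tags/v${VERSION}"; then exit 1; fi`, with `VERSION` supplied through `env:` rather than expanded into the script. The `|| true` also hides push failures that have nothing to do with a missing tag.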
@@ -35,89 +47,85 @@ on: required: false description: "The commit ID of the commit that triggered the workflow" default: "" + defaults: run: shell: bash + jobs: prepare-tag-release: - name: Prepare Release [Tag] - runs-on: network-node-linux-medium - if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} - outputs: - version: ${{ steps.tag.outputs.version }} - prerelease: ${{ steps.tag.outputs.prerelease }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - name: Install Semantic Version Tools - run: | - echo "::group::Download SemVer Binary" - sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver - echo "::endgroup::" - echo "::group::Change SemVer Binary Permissions" - sudo chmod -v +x /usr/local/bin/semver - echo "::endgroup::" - echo "::group::Show SemVer Binary Version Info" - semver --version - echo "::endgroup::" - - name: Extract Tag Version - id: tag - run: | - RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" - PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" - FINAL_VERSION="${RELEASE_VERSION}" - PRERELEASE_FLAG="false" - [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" - [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" - echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" - echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" - release-tag: - - + name: Prepare Release [Tag] + + + + + + + + Expand All + 
@@ -66,49 +63,61 @@ jobs: + runs-on: network-node-linux-medium + if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} + outputs: + version: ${{ steps.tag.outputs.version }} + prerelease: ${{ steps.tag.outputs.prerelease }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Install Semantic Version Tools + run: | + echo "::group::Download SemVer Binary" + sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver + echo "::endgroup::" + echo "::group::Change SemVer Binary Permissions" + sudo chmod -v +x /usr/local/bin/semver + echo "::endgroup::" + echo "::group::Show SemVer Binary Version Info" + semver --version + echo "::endgroup::" + - name: Extract Tag Version + id: tag + run: | + RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" + PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" + FINAL_VERSION="${RELEASE_VERSION}" + PRERELEASE_FLAG="false" + [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" + [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" + echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" + release-tag: + name: Release [Tag] + uses: ./.github/workflows/node-zxc-build-release-artifact.yaml + needs: + - prepare-tag-release + with: + version-policy: specified + new-version: ${{ needs.prepare-tag-release.outputs.version }} + trigger-env-deploy: none + release-profile: ${{ needs.prepare-tag-release.outputs.prerelease == 'true' && 'PrereleaseChannel' || 'MavenCentral' }} + secrets: + access-token: ${{ secrets.GITHUB_TOKEN }} + bucket-name: ${{ secrets.RELEASE_ARTIFACT_BUCKET_NAME }} + cdn-bucket-name: ${{ secrets.CDN_ARTIFACT_BUCKET_NAME }} + svcs-ossrh-username: ${{ secrets.SVCS_OSSRH_USERNAME }} + svcs-ossrh-password: ${{ 
secrets.SVCS_OSSRH_PASSWORD }} + svcs-gpg-key-contents: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} + svcs-gpg-key-passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} + sdk-ossrh-username: ${{ secrets.PLATFORM_OSSRH_USERNAME }} + sdk-ossrh-password: ${{ secrets.PLATFORM_OSSRH_PASSWORD }} + sdk-gpg-key-contents: ${{ secrets.PLATFORM_GPG_KEY_CONTENTS }} + sdk-gpg-key-passphrase: ${{ secrets.PLATFORM_GPG_KEY_PASSPHRASE }} + slack-webhook-url: ${{ secrets.PLATFORM_SLACK_RELEASE_WEBHOOK }} + jf-url: ${{ vars.JF_URL }} + jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} + jf-user-name: ${{ vars.JF_USER_NAME }} + jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} - - - Expand Down - - - - - - Expand Up - - 
@@ -142,7 +180,7 @@ jobs: - - name: Release [Tag] - uses: ./.github/workflows/node-zxc-build-release-artifact.yaml - needs: - - prepare-tag-release - with: - version-policy: specified - new-version: ${{ needs.prepare-tag-release.outputs.version }} - trigger-env-deploy: none - release-profile: ${{ needs.prepare-tag-release.outputs.prerelease == 'true' && 'PrereleaseChannel' || 'MavenCentral' }} - secrets: - access-token: ${{ secrets.GITHUB_TOKEN }} - bucket-name: ${{ secrets.RELEASE_ARTIFACT_BUCKET_NAME }} - cdn-bucket-name: ${{ secrets.CDN_ARTIFACT_BUCKET_NAME }} - svcs-ossrh-username: ${{ secrets.SVCS_OSSRH_USERNAME }} - svcs-ossrh-password: ${{ secrets.SVCS_OSSRH_PASSWORD }} - svcs-gpg-key-contents: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} - svcs-gpg-key-passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} - sdk-ossrh-username: ${{ secrets.PLATFORM_OSSRH_USERNAME }} - sdk-ossrh-password: ${{ secrets.PLATFORM_OSSRH_PASSWORD }} - sdk-gpg-key-contents: ${{ secrets.PLATFORM_GPG_KEY_CONTENTS }} - sdk-gpg-key-passphrase: ${{ secrets.PLATFORM_GPG_KEY_PASSPHRASE }} - slack-webhook-url: ${{ secrets.PLATFORM_SLACK_RELEASE_WEBHOOK }} - jf-url: ${{ vars.JF_URL }} - jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} - jf-user-name: ${{ vars.JF_USER_NAME }} - jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} release-branch: name: Release [Branch] uses: ./.github/workflows/node-zxc-build-release-artifact.yaml 
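Review bot: `Install Semantic Version Tools` fetches `semver` from the `master` branch of fsaintjacques/semver-tool with `sudo curl -L -o /usr/local/bin/semver …` and runs it with no revision pin or checksum, while every `uses:` line in the same job is pinned to a commit SHA. Whatever that branch serves at run time then executes on the release runner and computes the version that `release-tag` publishes. I would download from a fixed commit and verify the file, i.e. replace `master` in the URL with `<PINNED_COMMIT_SHA>` and follow the download with `echo "<EXPECTED_SHA256>  /usr/local/bin/semver" | sha256sum -c -`. The same step is added by the `@@ -51,102 +48,76 @@` hunk of PATCH 21/37 and the `@@ -54,50 +43,44 @@` hunk of PATCH 23/37.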
@@ -143,118 +151,126 @@ jobs: jf-docker-registry: ${{ vars.JF_DOCKER_REGISTRY }} jf-user-name: ${{ vars.JF_USER_NAME }} jf-access-token: ${{ secrets.JF_ACCESS_TOKEN }} + deploy-ci-trigger: - name: Trigger CI Flows + name: Trigger CI Flows + runs-on: network-node-linux-medium + needs: + - release-branch + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: '0' + ref: develop + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Trigger ZXF Prepare Extended Test Suite + if: ${{ needs.release-branch.result == 'success' }} + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ "ref": "${{ inputs.ref }}" }' + + - name: Trigger ZXF Deploy Integration + if: ${{ needs.release-branch.result == 'success' && + (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && + !cancelled() }} + uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + with: + workflow: .github/workflows/node-zxf-deploy-integration.yaml + repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org + ref: develop # ensure we are always using the workflow definition from the develop branch + token: ${{ secrets.GH_ACCESS_TOKEN }} + inputs: '{ + "ref": "${{ inputs.ref }}", + "author": "${{ inputs.author }}", + "msg": "${{ inputs.msg }}", + + + + + + + + Expand Down + + + + + + Expand Up + + 
@@ -215,7 +238,6 @@ jobs: + + "sha": "${{ inputs.sha }}" + }' + update-hedera-protobufs: + name: Update Hedera Protobufs runs-on: network-node-linux-medium needs: - - release-branch + - prepare-tag-release steps: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - - - - - - - - - Expand Down - - - - - - Expand Up - - 
@@ -174,65 +212,8 @@ jobs: - - - name: Checkout Code + - name: Checkout Hedera Services Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: '0' - ref: develop - token: ${{ secrets.GH_ACCESS_TOKEN }} - - name: Trigger ZXF Prepare Extended Test Suite - if: ${{ needs.release-branch.result == 'success' }} - uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 - with: - workflow: .github/workflows/zxf-prepare-extended-test-suite.yaml - repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: develop # ensure we are always using the workflow definition from the develop branch token: ${{ secrets.GH_ACCESS_TOKEN }} - inputs: '{ "ref": "${{ inputs.ref }}" }' - - name: Trigger ZXF Deploy Integration - if: ${{ needs.release-branch.result == 'success' && - (inputs.author != '' && inputs.msg != '' && inputs.sha != '') && - !cancelled() }} - uses: step-security/workflow-dispatch@4d1049025980f72b1327cbfdeecb07fe7a20f577 # v1.2.4 + ref: develop + fetch-depth: '0' + - name: Checkout Hedera Protobufs Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - workflow: .github/workflows/node-zxf-deploy-integration.yaml - repo: hashgraph/hedera-services # ensure we are executing in the hashgraph org - ref: develop # ensure we are always using the workflow definition from the develop branch - token: ${{ secrets.GH_ACCESS_TOKEN }} - inputs: '{ - "ref": "${{ inputs.ref }}", - "author": "${{ inputs.author }}", - "msg": "${{ inputs.msg }}", - "sha": "${{ inputs.sha }}" - }' + token: ${{ secrets.PROTOBUFS_GH_ACCESS_TOKEN }} + fetch-depth: '0' + repository: hashgraph/hedera-protobufs + path: hedera-protobufs + - name: Install rsync + run: sudo apt update && sudo apt -y install rsync + - name: Update the folders owned by Services + working-directory: hedera-protobufs + run: | + git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || 
true + git tag --delete v${{ needs.prepare-tag-release.outputs.version }} || true + rsync -a --delete ../hapi/hedera-protobufs/services/ services/ + - name: Import GPG key for commit signoff + id: gpg_import + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - update-hedera-protobufs: - name: Update Hedera Protobufs - runs-on: network-node-linux-medium - needs: - - prepare-tag-release - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: Checkout Hedera Services Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.GH_ACCESS_TOKEN }} - ref: develop - fetch-depth: '0' - - name: Checkout Hedera Protobufs Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.PROTOBUFS_GH_ACCESS_TOKEN }} - fetch-depth: '0' - repository: hashgraph/hedera-protobufs - path: hedera-protobufs - - name: Install rsync - run: sudo apt update && sudo apt -y install rsync - - name: Update the folders owned by Services - working-directory: hedera-protobufs - run: | - git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || true - git tag --delete v${{ needs.prepare-tag-release.outputs.version }} || true - rsync -a --delete ../hapi/hedera-protobufs/services/ services/ - - name: Import GPG key for commit signoff - id: gpg_import - uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - with: - gpg_private_key: ${{ secrets.PROTOBUFS_GPG_KEY_CONTENTS }} - passphrase: ${{ secrets.PROTOBUFS_GPG_KEY_PASSPHRASE }} - git_user_signingkey: true - git_commit_gpgsign: true - git_tag_gpgsign: true - - name: Add & Commit - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 - with: - cwd: 'hedera-protobufs' - author_name: swirlds-eng-automation - author_email: ${{ 
secrets.PROTOBUFS_GPG_USER_EMAIL }} - commit: --signoff - message: "ci: Copied recent protobuf changes from hedera-services" - new_branch: "update-recent-protobuf-changes-${{ github.run_number }}" - tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' \ No newline at end of file + + Expand All + + @@ -235,4 +257,4 @@ jobs: + + with: + gpg_private_key: ${{ secrets.PROTOBUFS_GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.PROTOBUFS_GPG_KEY_PASSPHRASE }} + git_user_signingkey: true + git_commit_gpgsign: true + git_tag_gpgsign: true + - name: Add & Commit + uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 + with: + cwd: 'hedera-protobufs' + author_name: swirlds-eng-automation + author_email: ${{ secrets.PROTOBUFS_GPG_USER_EMAIL }} + commit: --signoff + message: "ci: Copied recent protobuf changes from hedera-services" + new_branch: "update-recent-protobuf-changes-${{ github.run_number }}" + tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' \ No newline at end of file From 76c214e5edf9765bd6e663540e25e43dd8dd626f Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 13:57:54 -0600 Subject: [PATCH 23/37] Fix yaml files Signed-off-by: Andrew Brandt --- .../node-flow-deploy-release-artifact.yaml | 183 +++++------------- .../node-zxc-build-release-artifact.yaml | 40 +--- 2 files changed, 48 insertions(+), 175 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index c8e05ee67f2a..88c88c911d5a 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml 
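Review bot: The `Trigger ZXF Deploy Integration` step builds its dispatch payload by pasting `inputs.author`, `inputs.msg` and `inputs.sha` between literal quotes (`"msg": "${{ inputs.msg }}"`), so a value containing a double quote or a backslash (`msg` is presumably a commit message) produces invalid JSON or extra keys in the payload. Let the expression engine do the escaping: `"msg": ${{ toJSON(inputs.msg) }},` and likewise for `ref`, `author` and `sha`. The same pattern is in `Trigger ZXF Prepare Extended Test Suite` (`inputs: '{ "ref": "${{ inputs.ref }}" }'`) and in the matching hunks of PATCH 21/37 and PATCH 23/37. This hunk also adds `Expand Down`, `Expand Up` and `@@ -215,7 +238,6 @@ jobs:` lines in the middle of that JSON string, which need to be removed.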
@@ -17,19 +17,8 @@ name: "ZXF: Deploy Production Release" on: push: - - - - - - - - Expand All - - @@ -36,11 +35,9 @@ on: - - tags: - - "v[0-9]+.[0-9]+.[0-9]+-?*" + tags: + - "v[0-9]+.[0-9]+.[0-9]+-?*" workflow_dispatch: inputs: ref: @@ -54,50 +43,44 @@ defaults: jobs: prepare-tag-release: - name: Prepare Release [Tag] - - - - - - - - Expand All + name: Prepare Release [Tag] + runs-on: network-node-linux-medium + if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} + outputs: + version: ${{ steps.tag.outputs.version }} + prerelease: ${{ steps.tag.outputs.prerelease }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit - 
@@ -66,49 +63,61 @@ jobs: + - name: Install Semantic Version Tools + run: | + echo "::group::Download SemVer Binary" + sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver + echo "::endgroup::" + echo "::group::Change SemVer Binary Permissions" + sudo chmod -v +x /usr/local/bin/semver + echo "::endgroup::" + echo "::group::Show SemVer Binary Version Info" + semver --version + echo "::endgroup::" + + - name: Extract Tag Version + id: tag + run: | + RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" + PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" + + FINAL_VERSION="${RELEASE_VERSION}" + PRERELEASE_FLAG="false" + [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" + [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + + echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" + echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" - runs-on: network-node-linux-medium - if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} - outputs: - version: ${{ steps.tag.outputs.version }} - prerelease: ${{ steps.tag.outputs.prerelease }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: Install Semantic Version Tools - run: | - echo "::group::Download SemVer Binary" - sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver - echo "::endgroup::" - echo "::group::Change SemVer Binary Permissions" - sudo chmod -v +x /usr/local/bin/semver - echo "::endgroup::" - echo "::group::Show SemVer Binary Version Info" - semver --version - echo "::endgroup::" - - name: Extract Tag Version - id: tag - run: | - RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" - PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" - 
FINAL_VERSION="${RELEASE_VERSION}" - PRERELEASE_FLAG="false" - [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" - [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" - echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" - echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" release-tag: name: Release [Tag] uses: ./.github/workflows/node-zxc-build-release-artifact.yaml @@ -159,7 +142,7 @@ jobs: - release-branch steps: - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 with: egress-policy: audit @@ -191,86 +174,8 @@ jobs: ref: develop # ensure we are always using the workflow definition from the develop branch token: ${{ secrets.GH_ACCESS_TOKEN }} inputs: '{ - "ref": "${{ inputs.ref }}", - "author": "${{ inputs.author }}", - "msg": "${{ inputs.msg }}", - - - - - - - - Expand Down - - - - - - Expand Up - - 
@@ -215,7 +238,6 @@ jobs: - - "sha": "${{ inputs.sha }}" - }' - update-hedera-protobufs: - name: Update Hedera Protobufs - runs-on: network-node-linux-medium - needs: - - prepare-tag-release - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: Checkout Hedera Services Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.GH_ACCESS_TOKEN }} - ref: develop - fetch-depth: '0' - - name: Checkout Hedera Protobufs Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - token: ${{ secrets.PROTOBUFS_GH_ACCESS_TOKEN }} - fetch-depth: '0' - repository: hashgraph/hedera-protobufs - path: hedera-protobufs - - name: Install rsync - run: sudo apt update && sudo apt -y install rsync - - name: Update the folders owned by Services - working-directory: hedera-protobufs - run: | - git push --delete origin v${{ needs.prepare-tag-release.outputs.version }} || true - git tag --delete v${{ needs.prepare-tag-release.outputs.version }} || true - rsync -a --delete ../hapi/hedera-protobufs/services/ services/ - - name: Import GPG key for commit signoff - id: gpg_import - uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - - - - - - - - Expand All - - 
@@ -235,4 +257,4 @@ jobs: - - with: - gpg_private_key: ${{ secrets.PROTOBUFS_GPG_KEY_CONTENTS }} - passphrase: ${{ secrets.PROTOBUFS_GPG_KEY_PASSPHRASE }} - git_user_signingkey: true - git_commit_gpgsign: true - git_tag_gpgsign: true - - name: Add & Commit - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 - with: - cwd: 'hedera-protobufs' - author_name: swirlds-eng-automation - author_email: ${{ secrets.PROTOBUFS_GPG_USER_EMAIL }} - commit: --signoff - message: "ci: Copied recent protobuf changes from hedera-services" - new_branch: "update-recent-protobuf-changes-${{ github.run_number }}" - tag: 'v${{ needs.prepare-tag-release.outputs.version }} -s -m "Hedera Protobufs v${{ needs.prepare-tag-release.outputs.version }}" -u "${{ steps.gpg_import.outputs.keyid }}"' \ No newline at end of file + "ref": "${{ inputs.ref }}", + "author": "${{ inputs.author }}", + "msg": "${{ inputs.msg }}", + "sha": "${{ inputs.sha }}" + }' diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index f88be67d0bbf..f3addaeef986 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml 
@@ -146,36 +146,6 @@ jobs: semver --version echo "::endgroup::" - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - - name: Install Semantic Release - run: | - npm install -g semantic-release@21.0.7 @semantic-release/git@10.0.1 @semantic-release/exec@6.0.3 gradle-semantic-release-plugin@1.7.6 - npm install -g conventional-changelog-conventionalcommits@6.1.0 @commitlint/cli@17.6.6 @commitlint/config-conventional@17.6.6 - npm install -g marked-mangle@1.0.1 marked-gfm-heading-id@3.0.4 semantic-release-conventional-commits@3.0.0 - - - name: Checkout Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - - - name: Calculate Next Version - if: ${{ inputs.version-policy == 'specified' }} - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GIT_AUTHOR_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_AUTHOR_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - GIT_COMMITTER_NAME: ${{ secrets.GIT_USER_NAME }} - GIT_COMMITTER_EMAIL: ${{ secrets.GIT_USER_EMAIL }} - run: | - npx semantic-release --dry-run - ls -al - cat VERSION - - name: Verify Workflow Parameters id: parameters run: | @@ -204,6 +174,9 @@ jobs: exit 2 fi + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Setup Java uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: @@ -232,12 +205,7 @@ jobs: - name: Compute Final Effective Version id: effective-version run: | - if [[ "${{ inputs.version-policy }}" == "specified" ]]; then - EFF_VERSION="${{ inputs.new-version }}" - else - EFF_VERSION="$(cat VERSION | tr -d '[:space:]')" - fi - + EFF_VERSION="$(./gradlew showVersion --quiet | tr -d '[:space:]')" PRERELEASE_SUFFIX="$(semver get prerel "${EFF_VERSION}")" PRERELEASE="false" [[ -n "${PRERELEASE_SUFFIX}" ]] && PRERELEASE="true" 
From d361afa4220d36eb288b91cfb3f191e26df6f499 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 14:10:43 -0600 Subject: [PATCH 24/37] Spotless Signed-off-by: Andrew Brandt --- .github/workflows/node-flow-deploy-release-artifact.yaml | 2 +- .github/workflows/node-zxc-build-release-artifact.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index 5c7916b6ca21..19a9def66b83 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml +++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -1,5 +1,5 @@ ## -# Copyright (C) 2022-2024 Hedera Hashgraph, LLC +# Copyright (C) 2022-2025 Hedera Hashgraph, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index 619d939d1019..f2a46279a593 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml @@ -1,5 +1,5 @@ ## -# Copyright (C) 2022-2024 Hedera Hashgraph, LLC +# Copyright (C) 2022-2025 Hedera Hashgraph, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From 72058de02c1ca874c6c84832b2563e6a5cb3a566 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 14:15:17 -0600 Subject: [PATCH 25/37] Fix file Signed-off-by: Andrew Brandt --- .../node-flow-deploy-release-artifact.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/node-flow-deploy-release-artifact.yaml b/.github/workflows/node-flow-deploy-release-artifact.yaml index 19a9def66b83..a66aff48bee5 100644 --- a/.github/workflows/node-flow-deploy-release-artifact.yaml 
+++ b/.github/workflows/node-flow-deploy-release-artifact.yaml @@ -1,5 +1,5 @@ ## -# Copyright (C) 2022-2025 Hedera Hashgraph, LLC +# Copyright (C) 2022-2024 Hedera Hashgraph, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -56,7 +56,7 @@ jobs: prerelease: ${{ steps.tag.outputs.prerelease }} steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -147,7 +147,7 @@ jobs: - release-branch steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -203,11 +203,11 @@ jobs: ref: main # ensure we are always using the workflow definition from the main branch token: ${{ secrets.GH_ACCESS_TOKEN }} inputs: '{ - "ref": "${{ inputs.ref }}", - "author": "${{ inputs.author }}", - "msg": "${{ inputs.msg }}", - "sha": "${{ inputs.sha }}" - }' + "ref": "${{ inputs.ref }}", + "author": "${{ inputs.author }}", + "msg": "${{ inputs.msg }}", + "sha": "${{ inputs.sha }}" + }' update-hedera-protobufs: name: Update Hedera Protobufs From 1764cf2c50cfc4a7ac639ae116af4c2cc289d213 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 14:20:06 -0600 Subject: [PATCH 26/37] Partial fix next file Signed-off-by: Andrew Brandt --- .../node-zxc-build-release-artifact.yaml | 27 ++++++++----------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index f2a46279a593..298bfda290ec 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml 
@@ -1,5 +1,5 @@ ## -# Copyright (C) 2022-2025 Hedera Hashgraph, LLC +# Copyright (C) 2022-2024 Hedera Hashgraph, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -118,6 +118,7 @@ jobs: validate: name: Validate runs-on: network-node-linux-large + if: ${{ !github.event.workflow_call.repository.fork }} outputs: branch-name: ${{ steps.parameters.outputs.branch-name }} branch-name-lower: ${{ steps.parameters.outputs.branch-name-lower }} @@ -130,7 +131,7 @@ jobs: prerelease: ${{ steps.effective-version.outputs.prerelease }} steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -189,18 +190,12 @@ jobs: gradle-version: ${{ inputs.gradle-version }} - name: Gradle Update Version (As Specified) - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 if: ${{ inputs.version-policy == 'specified' && !cancelled() && !failure() }} - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: versionAsSpecified -PnewVersion=${{ inputs.new-version }} --scan + run: ./gradlew versionAsSpecified -PnewVersion=${{ inputs.new-version }} --scan - name: Gradle Update Version (Branch Commit) - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 if: ${{ inputs.version-policy != 'specified' && !cancelled() && !failure() }} - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: versionAsPrefixedCommit -PcommitPrefix=${{ steps.parameters.outputs.commit-prefix }} --scan + run: ./gradlew versionAsPrefixedCommit -PcommitPrefix=${{ steps.parameters.outputs.commit-prefix }} --scan - name: Compute Final Effective Version id: effective-version 
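Review bot: The new condition `if: ${{ !github.event.workflow_call.repository.fork }}` on the `validate` job most likely never blocks anything. In a reusable workflow `github.event` is the caller's event payload, and as far as I know it has no `workflow_call` key, so the lookup is empty and the negation is always true. If the intent is to keep fork-originated runs away from the release secrets and the GCP identity used further down, test a property that exists, e.g. `if: ${{ github.event.repository.fork != true }}` for the repository itself or `github.event.pull_request.head.repo.fork != true` for pull requests. A one-line comment above the condition saying which case is meant would help, since the rest of `validate` lies outside this hunk.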
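Review bot: Moving the Gradle calls from the action's `arguments:` to `run:` puts `${{ inputs.new-version }}` and `${{ steps.parameters.outputs.commit-prefix }}` directly into the script text, where they are substituted before bash parses the line, so shell metacharacters in a caller-supplied value are executed rather than passed to Gradle. Hand the values over through the environment and quote them: add `env: NEW_VERSION: ${{ inputs.new-version }}` to the step and call `./gradlew versionAsSpecified -PnewVersion="${NEW_VERSION}" --scan`, and do the same for `commit-prefix`. The two publish steps in the later "Final fixes" patch (`./gradlew release${{ inputs.release-profile }} …`) have the same shape and run with `NEXUS_USERNAME`/`NEXUS_PASSWORD` in their environment.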
@@ -218,7 +213,7 @@ jobs: echo "prerelease=${PRERELEASE}" >>"${GITHUB_OUTPUT}" - name: Cache Build Version - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: version.txt key: node-build-version-${{ steps.effective-version.outputs.number }}-${{ github.sha }} @@ -230,7 +225,7 @@ jobs: - validate steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -278,14 +273,14 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Authenticate to Google Cloud - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} with: workload_identity_provider: "projects/235822363393/locations/global/workloadIdentityPools/hedera-builds-pool/providers/hedera-builds-gh-actions" service_account: "hedera-artifact-builds@devops-1-254919.iam.gserviceaccount.com" - name: Setup Google Cloud SDK - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 + uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} - name: Setup Java 
@@ -300,14 +295,14 @@ jobs: gradle-version: ${{ inputs.gradle-version }} - name: Restore Build Version - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: fail-on-cache-miss: true path: version.txt key: node-build-version-${{ needs.validate.outputs.version }}-${{ github.sha }} - name: Cache Build Artifacts - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: ~/artifact-build key: node-build-artifacts-${{ needs.validate.outputs.version }}-${{ github.sha }} From 34e016993c82c699b3532058a0175df993b75fc5 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 14:23:50 -0600 Subject: [PATCH 27/37] More fixes Signed-off-by: Andrew Brandt --- .../node-zxc-build-release-artifact.yaml | 57 +++++++------------ 1 file changed, 22 insertions(+), 35 deletions(-) diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index 298bfda290ec..e415290ea2a8 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml @@ -1,5 +1,5 @@ ## -# Copyright (C) 2022-2024 Hedera Hashgraph, LLC +# Copyright (C) 2024 Hedera Hashgraph, LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -309,16 +309,10 @@ jobs: - name: Gradle Assemble id: gradle-build - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: assemble --scan + run: ./gradlew assemble --scan - name: Gradle Version Summary - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: githubVersionSummary --scan + run: ./gradlew githubVersionSummary --scan - name: Stage Artifact Build Folder id: artifact-staging @@ -367,7 +361,7 @@ jobs: sha384sum "${ARTIFACT_NAME}.zip" | tee "${ARTIFACT_NAME}.sha384" - name: Upload Artifacts (DevOps GCP Bucket) - uses: google-github-actions/upload-cloud-storage@22121cd842b0d185e042e28d969925b538c33d77 # v2.1.0 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} with: path: ${{ steps.artifact-release.outputs.folder }} @@ -375,7 +369,7 @@ jobs: parent: false - name: Upload Artifacts (CDN Bucket) - uses: google-github-actions/upload-cloud-storage@22121cd842b0d185e042e28d969925b538c33d77 # v2.1.0 + uses: google-github-actions/upload-cloud-storage@386ab77f37fdf51c0e38b3d229fad286861cc0d0 # v2.2.1 if: ${{ inputs.dry-run-enabled != true && needs.validate.outputs.prerelease != 'true' && !cancelled() && !failure() }} with: path: ${{ steps.artifact-release.outputs.folder }} @@ -388,10 +382,9 @@ jobs: needs: - validate - build-artifact - steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit 
@@ -400,7 +393,7 @@ jobs: - name: Authenticate to Google Cloud id: google-auth - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} with: token_format: 'access_token' @@ -424,10 +417,10 @@ jobs: echo "docker-tag-base=${DOCKER_TAG_BASE}" >>"${GITHUB_OUTPUT}" - name: Setup QEmu Support - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - name: Setup Docker Buildx Support - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 with: version: v0.16.2 driver-opts: network=host @@ -448,7 +441,7 @@ jobs: password: ${{ steps.google-auth.outputs.access_token }} - name: Restore Build Artifacts - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: fail-on-cache-miss: true path: ~/artifact-build @@ -460,7 +453,7 @@ jobs: cp -rvf ~/artifact-build/* hedera-node/infrastructure/docker/containers/local-node/main-network-node/sdk/ - name: Build Haveged Image - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: push: true platforms: linux/amd64,linux/arm64 @@ -468,7 +461,7 @@ jobs: tags: ${{ steps.set-registry.outputs.docker-tag-base }}/network-node-haveged:${{ needs.validate.outputs.version }} - name: Build Base Image - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: push: true platforms: linux/amd64,linux/arm64 
@@ -476,7 +469,7 @@ jobs: tags: ${{ steps.set-registry.outputs.docker-tag-base }}/network-node-base:${{ needs.validate.outputs.version }} - name: Build Network Node Image - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 with: push: true platforms: linux/amd64,linux/arm64 @@ -566,7 +559,7 @@ jobs: if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -575,7 +568,7 @@ jobs: - name: Authenticate to Google Cloud id: google-auth - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: token_format: 'access_token' workload_identity_provider: "projects/235822363393/locations/global/workloadIdentityPools/hedera-builds-pool/providers/hedera-builds-gh-actions" @@ -665,7 +658,7 @@ jobs: fi - name: Upload Manifests - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 if: ${{ (steps.gcp.outcome == 'success' || steps.jfrog.outcome == 'success') && !cancelled() && always() }} with: name: Production Image Manifests @@ -679,7 +672,7 @@ jobs: if: ${{ inputs.release-profile != 'none' }} steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit 
@@ -711,13 +704,13 @@ jobs: - name: Authenticate to Google Cloud id: google-auth - uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: workload_identity_provider: "projects/229164983194/locations/global/workloadIdentityPools/registry-identity-pool/providers/gh-provider" service_account: "artifact-deployer@swirlds-registry.iam.gserviceaccount.com" - name: Setup Google Cloud SDK - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0 + uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }} - name: Setup Java @@ -732,23 +725,17 @@ jobs: gradle-version: ${{ inputs.gradle-version }} - name: Restore Build Version - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: fail-on-cache-miss: true path: version.txt key: node-build-version-${{ needs.validate.outputs.version }}-${{ github.sha }} - name: Gradle Assemble - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: assemble --scan + run: ./gradlew assemble --scan - name: Gradle Version Summary - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: githubVersionSummary --scan + run: ./gradlew githubVersionSummary --scan - name: Stage SDK Release Archives working-directory: platform-sdk From 57b2fe98d4e4cae7cb431c78d35d946c358108b5 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 14:27:10 -0600 Subject: [PATCH 28/37] Final fixes 
Signed-off-by: Andrew Brandt --- .../node-zxc-build-release-artifact.yaml | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml index e415290ea2a8..8fbbda4dbbb5 100644 --- a/.github/workflows/node-zxc-build-release-artifact.yaml +++ b/.github/workflows/node-zxc-build-release-artifact.yaml 
@@ -810,24 +810,18 @@ jobs: echo "::endgroup::" - name: Gradle Publish Platform to ${{ inputs.version-policy == 'specified' && 'Maven Central' || 'Google Artifact Registry' }} (${{ inputs.release-profile }}) - uses: gradle/actions/setup-gradle@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 if: ${{ inputs.dry-run-enabled != true && inputs.release-profile != 'none' && !cancelled() && !failure() }} env: NEXUS_USERNAME: ${{ secrets.sdk-ossrh-username }} NEXUS_PASSWORD: ${{ secrets.sdk-ossrh-password }} - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: "release${{ inputs.release-profile }} -PpublishingPackageGroup=com.swirlds -Ps01SonatypeHost=true -PpublishSigningEnabled=true --scan --no-configuration-cache" + run: ./gradlew release${{ inputs.release-profile }} -PpublishingPackageGroup=com.swirlds -Ps01SonatypeHost=true -PpublishSigningEnabled=true --scan --no-configuration-cache - name: Gradle Publish Services to ${{ inputs.version-policy == 'specified' && 'Maven Central' || 'Google Artifact Registry' }} (${{ inputs.release-profile }}) - uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0 if: ${{ inputs.dry-run-enabled != true && inputs.release-profile != 'none' && !cancelled() && !failure() }} env: NEXUS_USERNAME: ${{ secrets.svcs-ossrh-username }} NEXUS_PASSWORD: ${{ secrets.svcs-ossrh-password }} - with: - gradle-version: ${{ inputs.gradle-version }} - arguments: "release${{ inputs.release-profile }} -PpublishingPackageGroup=com.hedera.hashgraph -PpublishSigningEnabled=true --scan --no-configuration-cache" + run: ./gradlew release${{ inputs.release-profile }} -PpublishingPackageGroup=com.hedera.hashgraph -PpublishSigningEnabled=true --scan --no-configuration-cache - name: Upload SDK Release Archives if: ${{ inputs.dry-run-enabled != true && inputs.version-policy == 'specified' && !cancelled() && !failure() }} 
@@ -848,7 +842,7 @@ jobs: if: ${{ inputs.dry-run-enabled != true && inputs.version-policy == 'specified' && !cancelled() && !failure() }} steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -870,11 +864,11 @@ jobs: echo "artifact-registry=${ARTIFACT_REGISTRY}" >>"${GITHUB_OUTPUT}" - name: Send Slack Notification (Maven Central) - uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 - env: - SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK - SLACK_WEBHOOK_URL: ${{ secrets.slack-webhook-url }} + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 with: + webhook: ${{ secrets.slack-webhook-url }} + webhook-type: incoming-webhook + payload-templated: true payload: | { "attachments": [ From 37c96124f2d64e95e71aae06a13c3bceecbb3a39 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Tue, 7 Jan 2025 14:58:32 -0600 Subject: [PATCH 29/37] [WIP] First add of node-flow-version-roll file Signed-off-by: Andrew Brandt --- .github/workflows/node-flow-version-roll.yaml | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/node-flow-version-roll.yaml diff --git a/.github/workflows/node-flow-version-roll.yaml b/.github/workflows/node-flow-version-roll.yaml new file mode 100644 index 000000000000..887251c4b9c1 --- /dev/null +++ b/.github/workflows/node-flow-version-roll.yaml 
@@ -0,0 +1,71 @@ +## +# Copyright (C) 2025 Hedera Hashgraph, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +## + +name: "ZXF: Version Roll" +on: + workflow_dispatch: + +defaults: + run: + shell: bash + +permissions: + id-token: write + contents: read + actions: read + +jobs: + perform-version-roll: + name: Perform Version Roll + runs-on: network-node-linux-medium + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Checkout Code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: '0' + ref: main + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Install Semantic Version Tools + run: | + echo "::group::Download SemVer Binary" + sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver + echo "::endgroup::" + echo "::group::Change SemVer Binary Permissions" + sudo chmod -v +x /usr/local/bin/semver + echo "::endgroup::" + echo "::group::Show SemVer Binary Version Info" + semver --version + echo "::endgroup::" + + - name: Extract Tag Version + id: tag + run: | + RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" + PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" + + FINAL_VERSION="${RELEASE_VERSION}" + PRERELEASE_FLAG="false" + [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" + [[ 
-n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + + echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" + echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" \ No newline at end of file From f77283d83b46b12c37fc4bf4eff688fb17d45f77 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 12:55:38 -0600 Subject: [PATCH 30/37] Complete version roll workflow. Signed-off-by: Andrew Brandt --- .github/workflows/node-flow-version-roll.yaml | 53 +++++++++++++++---- 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/.github/workflows/node-flow-version-roll.yaml b/.github/workflows/node-flow-version-roll.yaml index 887251c4b9c1..9e2c8139a615 100644 --- a/.github/workflows/node-flow-version-roll.yaml +++ b/.github/workflows/node-flow-version-roll.yaml @@ -38,13 +38,25 @@ jobs: egress-policy: audit - name: Checkout Code + id: checkout_code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: '0' ref: main token: ${{ secrets.GH_ACCESS_TOKEN }} + - name: Import GPG Key + id: gpg_importer + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 + with: + git_commit_gpgsign: true + git_tag_gpgsign: true + git_user_signingkey: true + gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} + - name: Install Semantic Version Tools + id: install_semver run: | echo "::group::Download SemVer Binary" sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver 
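Review bot: The `Install Semantic Version Tools` step in the new workflow downloads `semver` from the `master` branch of fsaintjacques/semver-tool and installs it under `/usr/local/bin` with `sudo`, with no integrity check, while every `uses:` in the same file is pinned to a commit SHA. Whatever that branch serves at run time then executes in a job that declares `id-token: write` and checks out with `GH_ACCESS_TOKEN`. Pin the URL to a reviewed tag or commit and verify a recorded digest before the `chmod`, e.g. `echo "<sha256-of-reviewed-script>  /usr/local/bin/semver" | sha256sum -c -`. The following "Complete version roll workflow" patch keeps the same download unchanged as context.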
@@ -56,16 +68,37 @@ jobs: semver --version echo "::endgroup::" - - name: Extract Tag Version - id: tag + - name: Read Current Version + id: read_version + run: | + current_version=$(cat version.txt) + echo "Current version: $current_version" + echo "version=$current_version" >> $GITHUB_ENV + + - name: Increment Minor Version + id: increment_version run: | - RELEASE_VERSION="$(semver get release "${{ github.ref_name }}")" - PRERELEASE_VERSION="$(semver get prerel "${{ github.ref_name }}")" + # Strip the -SNAPSHOT suffix + base_version=$(echo $version | sed 's/-SNAPSHOT//') + + # Increment the minor version + new_version=$(semver bump minor $base_version) + + # Add the -SNAPSHOT suffix back + new_version="${new_version}-SNAPSHOT" + + echo "New version: $new_version" + echo "new_version=$new_version" >> $GITHUB_ENV - FINAL_VERSION="${RELEASE_VERSION}" - PRERELEASE_FLAG="false" - [[ -n "${PRERELEASE_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PRERELEASE_VERSION}" - [[ -n "${PRERELEASE_VERSION}" ]] && PRERELEASE_FLAG="true" + - name: Update version.txt + run: | + echo $new_version > version.txt - echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}" - echo "prerelease=${PRERELEASE_FLAG}" >>"${GITHUB_OUTPUT}" \ No newline at end of file + - name: Add & Commit + uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 + with: + cwd: '.' + author_name: ${{ secrets.SVCS_GIT_USER_NAME }} + author_email: ${{ secrets.SVCS_GIT_USER_EMAIL }} + commit: --signoff + message: "chore: Minor Version Roll" From 58734ca8c67f6f489620f74fd6789848e67f51b3 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 14:14:49 -0600 Subject: [PATCH 31/37] Add blank workflow for trigger semantic release from a build ID Signed-off-by: Andrew Brandt --- .github/workflows/node-flow-trigger-semantic-release.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .github/workflows/node-flow-trigger-semantic-release.yaml 
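Review bot: `Read Current Version` appends the raw contents of `version.txt` to `$GITHUB_ENV` with `echo "version=$current_version" >> $GITHUB_ENV`, so a file holding more than one line would define extra environment variables for every later step, and the next two steps expand `$version` and `$new_version` unquoted. Reduce the value to a single token before exporting it and quote every use: `current_version="$(head -n 1 version.txt | tr -d '[:space:]')"`, `echo "version=${current_version}" >> "${GITHUB_ENV}"`, `echo "${new_version}" > version.txt`. The steps already carry `id:` values, so writing to `"${GITHUB_OUTPUT}"` as the other workflows in this series do would also keep the value scoped to the steps that ask for it.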
diff --git a/.github/workflows/node-flow-trigger-semantic-release.yaml b/.github/workflows/node-flow-trigger-semantic-release.yaml new file mode 100644 index 000000000000..e69de29bb2d1 From 96d4955bc9ab785e8694e671a3dcd46fcc6cdf1c Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 14:55:32 -0600 Subject: [PATCH 32/37] Change to private branch for testing Signed-off-by: Andrew Brandt --- .github/workflows/node-flow-version-roll.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/node-flow-version-roll.yaml b/.github/workflows/node-flow-version-roll.yaml index 9e2c8139a615..1239224231e0 100644 --- a/.github/workflows/node-flow-version-roll.yaml +++ b/.github/workflows/node-flow-version-roll.yaml @@ -42,7 +42,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: '0' - ref: main + ref: semantic-release-workflow-update token: ${{ secrets.GH_ACCESS_TOKEN }} - name: Import GPG Key From 6a1363a9a5f4910b9397865acc03985c512a8c04 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 15:02:45 -0600 Subject: [PATCH 33/37] Add more things to semantic release workflow Signed-off-by: Andrew Brandt --- .../node-flow-trigger-semantic-release.yaml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/.github/workflows/node-flow-trigger-semantic-release.yaml b/.github/workflows/node-flow-trigger-semantic-release.yaml index e69de29bb2d1..5805a1add11e 100644 --- a/.github/workflows/node-flow-trigger-semantic-release.yaml +++ b/.github/workflows/node-flow-trigger-semantic-release.yaml 
@@ -0,0 +1,65 @@ +## +# Copyright (C) 2025 Hedera Hashgraph, LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +## + +name: "ZXF: Trigger Semantic Release" +on: + workflow_dispatch: + inputs: + build-id: + description: "Build ID of the Tag" + type: string + required: true + default: "none" + +defaults: + run: + shell: bash + +permissions: + id-token: write + contents: read + actions: read + +jobs: + trigger-semantic-release: + name: Trigger Semantic Release + runs-on: network-node-linux-medium + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: Process, Validate, and Pad Build Input + run: | + echo "The input is ${{ inputs.number_input }}" + if ! [[ "${{ inputs.number_input }}" =~ ^[0-9]+$ ]]; then + echo "Input is not a valid integer" + exit 1 + fi + echo "Input is a valid integer: $(( ${{ inputs.number_input }} ))" + + # 5-digit padding + padded_number=$(printf "%05d" ${{ inputs.number_input }}) + echo "Padded number is: $padded_number" + + - name: Checkout Code + id: checkout_code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: '0' + ref: main + token: ${{ secrets.GH_ACCESS_TOKEN }} \ No newline at end of file From 36e18bec39645f0847679110bd21a0f6a841c5f8 Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 15:21:46 -0600 Subject: [PATCH 34/37] Rename workflow file 
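Review bot: The `Process, Validate, and Pad Build Input` step reads `${{ inputs.number_input }}`, but the only input this workflow declares is `build-id`, so the expression is empty, the `^[0-9]+$` test fails and the step exits 1 on every run. The check also cannot protect the script as written, because the expression is substituted into the script text before bash evaluates the regex. Pass the value through `env:` and validate the variable instead. Forcing base 10 with `10#` keeps inputs with leading zeros such as `00012` from being read as octal by `$(( ))` and `printf`. Only this step is rewritten below.

```yaml
      - name: Process, Validate, and Pad Build Input
        env:
          BUILD_ID: ${{ inputs.build-id }}
        run: |
          echo "The input is ${BUILD_ID}"
          if ! [[ "${BUILD_ID}" =~ ^[0-9]+$ ]]; then
            echo "Input is not a valid integer"
            exit 1
          fi
          echo "Input is a valid integer: $(( 10#${BUILD_ID} ))"

          # 5-digit padding
          padded_number=$(printf "%05d" "$(( 10#${BUILD_ID} ))")
          echo "Padded number is: $padded_number"

      # … unchanged: Checkout Code step …
```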
Signed-off-by: Andrew Brandt --- .../{node-flow-version-roll.yaml => zxf-version-roll.yaml} | 5 +++++ 1 file changed, 5 insertions(+) rename .github/workflows/{node-flow-version-roll.yaml => zxf-version-roll.yaml} (95%) diff --git a/.github/workflows/node-flow-version-roll.yaml b/.github/workflows/zxf-version-roll.yaml similarity index 95% rename from .github/workflows/node-flow-version-roll.yaml rename to .github/workflows/zxf-version-roll.yaml index 1239224231e0..2f1c22fab6ee 100644 --- a/.github/workflows/node-flow-version-roll.yaml +++ b/.github/workflows/zxf-version-roll.yaml @@ -37,6 +37,11 @@ jobs: with: egress-policy: audit + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 20 + - name: Checkout Code id: checkout_code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 0da91b676f2db72130d93fdd06fae6e2926d5aca Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 15:22:40 -0600 Subject: [PATCH 35/37] Remove majority of file Signed-off-by: Andrew Brandt --- .github/workflows/zxf-version-roll.yaml | 71 ------------------------- 1 file changed, 71 deletions(-) diff --git a/.github/workflows/zxf-version-roll.yaml b/.github/workflows/zxf-version-roll.yaml index 2f1c22fab6ee..8cc2158e45c2 100644 --- a/.github/workflows/zxf-version-roll.yaml +++ b/.github/workflows/zxf-version-roll.yaml 
@@ -36,74 +36,3 @@ jobs: uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - - - name: Setup Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - node-version: 20 - - - name: Checkout Code - id: checkout_code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: '0' - ref: semantic-release-workflow-update - token: ${{ secrets.GH_ACCESS_TOKEN }} - - - name: Import GPG Key - id: gpg_importer - uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 - with: - git_commit_gpgsign: true - git_tag_gpgsign: true - git_user_signingkey: true - gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} - passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} - - - name: Install Semantic Version Tools - id: install_semver - run: | - echo "::group::Download SemVer Binary" - sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver - echo "::endgroup::" - echo "::group::Change SemVer Binary Permissions" - sudo chmod -v +x /usr/local/bin/semver - echo "::endgroup::" - echo "::group::Show SemVer Binary Version Info" - semver --version - echo "::endgroup::" - - - name: Read Current Version - id: read_version - run: | - current_version=$(cat version.txt) - echo "Current version: $current_version" - echo "version=$current_version" >> $GITHUB_ENV - - - name: Increment Minor Version - id: increment_version - run: | - # Strip the -SNAPSHOT suffix - base_version=$(echo $version | sed 's/-SNAPSHOT//') - - # Increment the minor version - new_version=$(semver bump minor $base_version) - - # Add the -SNAPSHOT suffix back - new_version="${new_version}-SNAPSHOT" - - echo "New version: $new_version" - echo "new_version=$new_version" >> $GITHUB_ENV - - - name: Update version.txt - run: | - echo $new_version > version.txt - - - name: Add & Commit - uses: 
EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 - with: - cwd: '.' - author_name: ${{ secrets.SVCS_GIT_USER_NAME }} - author_email: ${{ secrets.SVCS_GIT_USER_EMAIL }} - commit: --signoff - message: "chore: Minor Version Roll" From ac6bb99d5fab6b9316b6546389f424fa6331adad Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 15:23:12 -0600 Subject: [PATCH 36/37] Break syntax to detect file Signed-off-by: Andrew Brandt --- .github/workflows/zxf-version-roll.yaml | 72 ++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 1 deletion(-) diff --git a/.github/workflows/zxf-version-roll.yaml b/.github/workflows/zxf-version-roll.yaml index 8cc2158e45c2..1ed63bfddd5b 100644 --- a/.github/workflows/zxf-version-roll.yaml +++ b/.github/workflows/zxf-version-roll.yaml @@ -16,7 +16,6 @@ name: "ZXF: Version Roll" on: - workflow_dispatch: defaults: run: 
@@ -36,3 +35,74 @@ jobs: uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit + + - name: Setup Node + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: 20 + + - name: Checkout Code + id: checkout_code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: '0' + ref: semantic-release-workflow-update + token: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Import GPG Key + id: gpg_importer + uses: step-security/ghaction-import-gpg@6c8fe4d0126a59d57c21f87c9ae5dd3451fa3cca # v6.1.0 + with: + git_commit_gpgsign: true + git_tag_gpgsign: true + git_user_signingkey: true + gpg_private_key: ${{ secrets.SVCS_GPG_KEY_CONTENTS }} + passphrase: ${{ secrets.SVCS_GPG_KEY_PASSPHRASE }} + + - name: Install Semantic Version Tools + id: install_semver + run: | + echo "::group::Download SemVer Binary" + sudo curl -L -o /usr/local/bin/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/master/src/semver + echo "::endgroup::" + echo "::group::Change SemVer Binary Permissions" + sudo chmod -v +x /usr/local/bin/semver + echo "::endgroup::" + echo "::group::Show SemVer Binary Version Info" + semver --version + echo "::endgroup::" + + - name: Read Current Version + id: read_version + run: | + current_version=$(cat version.txt) + echo "Current version: $current_version" + echo "version=$current_version" >> $GITHUB_ENV + + - name: Increment Minor Version + id: increment_version + run: | + # Strip the -SNAPSHOT suffix + base_version=$(echo $version | sed 's/-SNAPSHOT//') + + # Increment the minor version + new_version=$(semver bump minor $base_version) + + # Add the -SNAPSHOT suffix back + new_version="${new_version}-SNAPSHOT" + + echo "New version: $new_version" + echo "new_version=$new_version" >> $GITHUB_ENV + + - name: Update version.txt + run: | + echo $new_version > version.txt + + - name: Add & Commit + uses: 
EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4 + with: + cwd: '.' + author_name: ${{ secrets.SVCS_GIT_USER_NAME }} + author_email: ${{ secrets.SVCS_GIT_USER_EMAIL }} + commit: --signoff + message: "chore: Minor Version Roll" From 0cd60363641303b1e640d48bc0898bc1b22cb1cf Mon Sep 17 00:00:00 2001 From: Andrew Brandt Date: Wed, 8 Jan 2025 15:23:59 -0600 Subject: [PATCH 37/37] Fix syntax Signed-off-by: Andrew Brandt --- .github/workflows/zxf-version-roll.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/zxf-version-roll.yaml b/.github/workflows/zxf-version-roll.yaml index 1ed63bfddd5b..2f1c22fab6ee 100644 --- a/.github/workflows/zxf-version-roll.yaml +++ b/.github/workflows/zxf-version-roll.yaml @@ -16,6 +16,7 @@ name: "ZXF: Version Roll" on: + workflow_dispatch: defaults: run:
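Review bot: In the `@@ -36,3 +35,74 @@` hunk of PATCH 36/37, `Install Semantic Version Tools` downloads an executable from the `master` branch of `fsaintjacques/semver-tool` and installs it into `/usr/local/bin` with no integrity check, while every `uses:` in the same job is pinned to a commit SHA. By the time `semver` runs, the job has already imported the signing key and checked out the repository with `GH_ACCESS_TOKEN`, so whatever that branch serves at run time executes next to both. Pin the URL to a reviewed commit and verify the digest before installing, e.g. `curl -fsSL -o /tmp/semver https://raw.githubusercontent.com/fsaintjacques/semver-tool/<PINNED_COMMIT_SHA>/src/semver`, then `echo "<EXPECTED_SHA256>  /tmp/semver" | sha256sum -c -` and `sudo install -m 0755 /tmp/semver /usr/local/bin/semver`. The `ref: semantic-release-workflow-update` in the checkout step looks like a leftover from testing; confirm the roll is meant to commit to that branch. The job header is outside this hunk.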