Skip to content

Merge pull request #2032 from subspace/gemini-3f-backport-fix-proving… #173

Merge pull request #2032 from subspace/gemini-3f-backport-fix-proving…

Merge pull request #2032 from subspace/gemini-3f-backport-fix-proving… #173

Workflow file for this run

# This action enables building container images and executables for farmer and node, can be triggered manually or by
# release creation.
#
# Container images are only pushed to GitHub Container Registry for releases.
# Executables are built both for releases and for manually triggered runs, uploaded to artifacts and assets.
name: Snapshot build
on:
workflow_dispatch:
push:
tags:
- 'snapshot-*'
- 'gemini-*'
# Incremental compilation here isn't helpful
env:
CARGO_INCREMENTAL: 0
jobs:
container-linux:
runs-on: ubuntu-22.04
permissions:
contents: write
packages: write
strategy:
matrix:
image:
- farmer
- node
- bootstrap-node
platform:
- arch: linux/amd64
dockerfile-suffix: ''
suffix: ubuntu-x86_64-${{ github.ref_name }}
image-suffix: ''
rustflags: '-C target-cpu=skylake'
# We build AArch64
- arch: linux/amd64
dockerfile-suffix: '.aarch64'
suffix: ubuntu-aarch64-${{ github.ref_name }}
image-suffix: '-aarch64'
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # @v2.1.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # @v2.2.1
- name: Log into registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # @v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # @v4.1.1
with:
images: |
ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
tags: |
type=ref,event=tag
type=ref,event=branch
type=sha,format=long
flavor: |
latest=false
suffix=${{ matrix.platform.image-suffix }}
- name: Build and push ${{ matrix.image }} image
uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # @v3.2.0
with:
file: Dockerfile-${{ matrix.image }}${{ matrix.platform.dockerfile-suffix }}
platforms: ${{ matrix.platform.arch }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
SUBSTRATE_CLI_GIT_COMMIT_HASH=${{ github.sha }}
RUSTFLAGS=${{ matrix.platform.rustflags }}
executables:
strategy:
matrix:
build:
- os: ubuntu-20.04
target: x86_64-unknown-linux-gnu
suffix: ubuntu-x86_64-v2-${{ github.ref_name }}
rustflags: '-C target-cpu=x86-64-v2'
- os: ubuntu-20.04
target: x86_64-unknown-linux-gnu
suffix: ubuntu-x86_64-skylake-${{ github.ref_name }}
rustflags: '-C target-cpu=skylake'
- os: ubuntu-20.04
target: aarch64-unknown-linux-gnu
suffix: ubuntu-aarch64-${{ github.ref_name }}
# TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
# at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
rustflags: '-C linker=aarch64-linux-gnu-gcc --cfg aes_armv8'
- os: macos-12
target: x86_64-apple-darwin
suffix: macos-x86_64-${{ github.ref_name }}
rustflags: ''
- os: macos-12
target: aarch64-apple-darwin
suffix: macos-aarch64-${{ github.ref_name }}
# TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
# at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
rustflags: '--cfg aes_armv8'
- os: windows-2022
target: x86_64-pc-windows-msvc
suffix: windows-x86_64-v2-${{ github.ref_name }}
rustflags: '-C target-cpu=x86-64-v2'
- os: windows-2022
target: x86_64-pc-windows-msvc
suffix: windows-x86_64-skylake-${{ github.ref_name }}
rustflags: '-C target-cpu=skylake'
runs-on: ${{ matrix.build.os }}
env:
PRODUCTION_TARGET: target/${{ matrix.build.target }}/production
RUSTFLAGS: ${{ matrix.build.rustflags }}
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
# On macOS, we need a proper Clang version, not Apple's custom version without wasm32 support
# TODO: on macOS, the consensus/domain runtime build is not compatible with LLVM 15.0.7 and
# LLVM 15.0.{3, 4, 5, 6} is not released for macOS thus install LLVM 15.0.2 explicitly as a
# temporary workaround, and remove once incompatible is fixed.
- name: Install LLVM and Clang for macOS
uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3
with:
version: "15.0.2"
if: runner.os == 'macOS'
# TODO: on Linux and Windows, the consensus/domain runtime build is not compatible with LLVM 16,
# thus install LLVM 15 explicitly as a temporary workaround, and remove once incompatible is fixed.
- name: Install LLVM and Clang for Linux and Windows
uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3
with:
version: "15.0"
if: runner.os != 'macOS'
- name: Install Protoc
uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # @v1.1.2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll
- name: Remove msys64
run: Remove-Item -LiteralPath "C:\msys64\" -Force -Recurse
if: runner.os == 'Windows'
- name: AArch64 cross-compile packages
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libc6-dev-arm64-cross
if: matrix.build.target == 'aarch64-unknown-linux-gnu'
- name: Build farmer
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
with:
command: build
args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --bin subspace-farmer
- name: Build node
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
with:
command: build
args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --bin subspace-node
- name: Sign Application (macOS)
run: |
echo "Importing certificate"
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
security create-keychain -p "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain
security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PW }}" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CERTIFICATE_PW }}" build.keychain
echo "Signing farmer"
codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "${{ secrets.MACOS_IDENTITY }}" --timestamp ${{ env.PRODUCTION_TARGET }}/subspace-farmer
echo "Signing node"
codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "${{ secrets.MACOS_IDENTITY }}" --timestamp ${{ env.PRODUCTION_TARGET }}/subspace-node
echo "Creating an archive"
mkdir ${{ env.PRODUCTION_TARGET }}/macos-binaries
cp ${{ env.PRODUCTION_TARGET }}/subspace-farmer ${{ env.PRODUCTION_TARGET }}/subspace-node ${{ env.PRODUCTION_TARGET }}/macos-binaries
ditto -c -k --rsrc ${{ env.PRODUCTION_TARGET }}/macos-binaries subspace-binaries.zip
echo "Notarizing"
xcrun altool --notarize-app --primary-bundle-id binaries-${{ github.ref_name }} --username "${{ secrets.MACOS_APPLE_ID}}" --password "${{ secrets.MACOS_APP_PW }}" --file subspace-binaries.zip
# TODO: Wait for notarization before stapling
# echo "Stapling farmer"
# xcrun stapler staple ${{ env.PRODUCTION_TARGET }}/subspace-farmer
# echo "Stapling node"
# xcrun stapler staple ${{ env.PRODUCTION_TARGET }}/subspace-node
echo "Done!"
# Allow code signing to fail on non-release builds and in non-subspace repos (forks)
continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'macOS'
- name: Sign Application (Windows)
uses: skymatic/code-sign-action@cfcc1c15b32938bab6dea25192045b6d2989e4d0 # @v1.1.0
with:
certificate: '${{ secrets.WINDOWS_CERTIFICATE }}'
password: '${{ secrets.WINDOWS_CERTIFICATE_PW }}'
certificatesha1: 'FCA030AC3840FAED48ADC5A8F734ACFCC857DF37'
folder: '${{ env.PRODUCTION_TARGET }}'
# Allow code signing to fail on non-release builds and in non-subspace repos (forks)
continue-on-error: ${{ github.github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'Windows'
- name: Prepare executables for uploading (Ubuntu)
run: |
mkdir executables
mv ${{ env.PRODUCTION_TARGET }}/subspace-farmer executables/subspace-farmer-${{ matrix.build.suffix }}
mv ${{ env.PRODUCTION_TARGET }}/subspace-node executables/subspace-node-${{ matrix.build.suffix }}
if: runner.os == 'Linux'
- name: Prepare executables for uploading (macOS)
run: |
mkdir executables
mv ${{ env.PRODUCTION_TARGET }}/subspace-farmer executables/subspace-farmer-${{ matrix.build.suffix }}
mv ${{ env.PRODUCTION_TARGET }}/subspace-node executables/subspace-node-${{ matrix.build.suffix }}
# Zip it so that signature is not lost
ditto -c -k --rsrc executables/subspace-farmer-${{ matrix.build.suffix }} executables/subspace-farmer-${{ matrix.build.suffix }}.zip
ditto -c -k --rsrc executables/subspace-node-${{ matrix.build.suffix }} executables/subspace-node-${{ matrix.build.suffix }}.zip
rm executables/subspace-farmer-${{ matrix.build.suffix }}
rm executables/subspace-node-${{ matrix.build.suffix }}
if: runner.os == 'macOS'
- name: Prepare executables for uploading (Windows)
run: |
mkdir executables
move ${{ env.PRODUCTION_TARGET }}/subspace-farmer.exe executables/subspace-farmer-${{ matrix.build.suffix }}.exe
move ${{ env.PRODUCTION_TARGET }}/subspace-node.exe executables/subspace-node-${{ matrix.build.suffix }}.exe
if: runner.os == 'Windows'
- name: Upload node and farmer executables to artifacts
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1
with:
name: executables-${{ matrix.build.suffix }}
path: |
executables/*
if-no-files-found: error
- name: Upload node and farmer executables to assets
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0
env:
GITHUB_TOKEN: ${{ github.token }}
with:
asset_paths: '["executables/*"]'
if: github.event_name == 'push' && github.ref_type == 'tag'