Skip to content

feat: deploy without exposing secrets stored in args (#375) #2265

feat: deploy without exposing secrets stored in args (#375)

feat: deploy without exposing secrets stored in args (#375) #2265

Workflow file for this run

---
# Basic deployment workflow.
# Note that more advanced use cases are tested in the nightly workflow.
name: Deploy
on:
pull_request:
push:
branches: [main]
concurrency:
group: deploy-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
ENCLAVE_NAME: cdk
jobs:
run-without-args:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# This step will only execute if the necessary secrets are available, preventing failures
# on pull requests from forked repositories.
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Kurtosis CDK tools
uses: ./.github/actions/setup-kurtosis-cdk
- name: Run Starlark
run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --show-enclave-inspect=false .
- name: Inspect enclave
run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}
- name: List databases
run: |
postgres_port=$(kurtosis port print ${{ env.ENCLAVE_NAME }} postgres-001 postgres | cut -d':' -f3)
PGPASSWORD=master_password psql --host 127.0.0.1 --port "$postgres_port" --username master_user --dbname master --list
- name: Monitor verified batches (CDK Erigon Permissionless RPC)
working-directory: .github/scripts
run: |
./monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)
- name: Dump enclave
if: ${{ !cancelled() }}
run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump
- name: Upload enclave dump
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: dump_run_without_args_${{ github.run_id }}
path: ./dump
list-ymls:
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
- name: Generate test combinations
working-directory: .github/tests
run: ./combine-ymls.sh
- id: set-matrix
# List all yml files in the .github/tests directory, as well as test combinations, except for the additional-services.yml file.
run: |
files=$(ls -R ./.github/tests/combinations/*.yml ./.github/tests/static-ports/custom-static-ports.yml ./.github/tests/static-ports/default-static-ports.yml | grep -v 'additional-services.yml')
matrix=$(echo "$files" | jq -R -s -c 'split("\n")[:-1]')
echo "matrix=$matrix" >> $GITHUB_OUTPUT
run-with-args:
needs: list-ymls
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
file_name: ${{ fromJson(needs.list-ymls.outputs.matrix) }}
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# This step will only execute if the necessary secrets are available, preventing failures
# on pull requests from forked repositories.
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Kurtosis CDK tools
uses: ./.github/actions/setup-kurtosis-cdk
- name: Generate test combinations
working-directory: .github/tests
run: ./combine-ymls.sh
- name: Run Starlark
run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=${{ matrix.file_name }} --show-enclave-inspect=false .
- name: Inspect enclave
run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}
- name: Verify static ports
run: |
if [[ ${{ matrix.file_name }} == "./.github/tests/static-ports/default-static-ports.yml" ]]; then
echo "Making sure public ports start by a 5 as defined by the static ports in the input_parser.star file."
ports=$(kurtosis enclave inspect ${{ env.ENCLAVE_NAME }} | sed -n '/^========================================== User Services ==========================================$/,$ p' | tail -n +3)
if ! wrong_ports=$(echo "$ports" | grep -vE '127.0.0.1:5|none'); then
echo "✅ Default static ports are set correctly."
exit 0
else
echo "wrong_ports: $wrong_ports"
echo "❌ Default static ports are not set correctly."
exit 1
fi
else
echo "Skipping."
fi
- name: Monitor verified batches (Central RPC)
run: |
sequencer_type=$(yq --raw-output '.args.sequencer_type' ${{ matrix.file_name }})
rpc_name=""
if [[ "$sequencer_type" == "erigon" ]]; then
rpc_name="cdk-erigon-rpc-001"
elif [[ "$sequencer_type" == "zkevm" ]]; then
rpc_name="zkevm-node-rpc-001"
elif [[ "$sequencer_type" == "null" ]]; then
rpc_name="cdk-erigon-rpc-001"
else
echo "Unknown sequencer type: $sequencer_type"
exit 1
fi
echo "RPC name: $rpc_name"
./.github/scripts/monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} $rpc_name rpc)
- name: Monitor verified batches (zkEVM Permissionless RPC)
run: |
result=$(yq --raw-output '.args.additional_services // [] | contains(["pless_zkevm_node"])' ${{ matrix.file_name }})
if [[ "$result" == "true" ]]; then
./.github/scripts/monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} zkevm-node-rpc-pless-001 rpc)
else
echo "Skipping batch verification as there is no zkevm permissionless RPC in the environment"
fi
- name: Dump enclave
if: ${{ !cancelled() }}
run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump
- name: Generate archive name
if: ${{ !cancelled() }}
run: |
file_name=$(basename "${{ matrix.file_name }}" ".yml")
archive_name="dump_run_with_args_${file_name}_${{ github.run_id }}"
echo "ARCHIVE_NAME=${archive_name}" >> "$GITHUB_ENV"
echo "Generated archive name: ${archive_name}"
- name: Upload enclave dump
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARCHIVE_NAME }}
path: ./dump
additional-services:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# This step will only execute if the necessary secrets are available, preventing failures
# on pull requests from forked repositories.
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Kurtosis CDK tools
uses: ./.github/actions/setup-kurtosis-cdk
- name: Run Starlark
run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/additional-services.yml --show-enclave-inspect=false .
- name: Inspect enclave
run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}
- name: Monitor verified batches (CDK Erigon Permissionless RPC)
working-directory: .github/scripts
run: |
./monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)
- name: Verify Arpeggio RPC
run: |
result=$(yq '.args.additional_services | contains(["arpeggio"])' ./.github/tests/additional-services.yml)
if [ "$result" = "true" ]; then
cast bn --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} arpeggio-001 rpc)
else
echo "Arpeggio is not deployed."
fi
- name: Verify Blutgang RPC
run: |
result=$(yq '.args.additional_services | contains(["blutgang"])' ./.github/tests/additional-services.yml)
if [ "$result" = "true" ]; then
cast bn --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} blutgang-001 http)
else
echo "Blutgang is not deployed."
fi
- name: Verify erpc RPC
run: |
result=$(yq '.args.additional_services | contains(["erpc"])' ./.github/tests/additional-services.yml)
if [ "$result" = "true" ]; then
cast bn --rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} erpc-001 rpc)/main/evm/10101"
else
echo "ERPC is not deployed."
fi
- name: Verify permissionless zkevm-node rpc
run: |
result=$(yq '.args.additional_services | contains(["pless_zkevm_node"])' ./.github/tests/additional-services.yml)
if [ "$result" = "true" ]; then
cast bn --rpc-url $(kurtosis port print ${{ env.ENCLAVE_NAME }} zkevm-node-rpc-pless-001 rpc)
else
echo "Permissionless zkevm-node is not deployed."
fi
- name: Verify that Prometheus collects Panoptichain metrics
run: |
result=$(yq '.args.additional_services | contains(["prometheus_grafana"])' ./.github/tests/additional-services.yml)
if [ "$result" = "true" ]; then
echo "Wait for one minute while Prometheus gathers metrics..."
sleep 60
echo "Retrieve Panoptichain metrics from Prometheus..."
panoptichain_metric="panoptichain_system_uptime"
prometheus_url=$(kurtosis port print ${{ env.ENCLAVE_NAME }} prometheus-001 http)
prometheus_query=$(curl "$prometheus_url/api/v1/query?query=$panoptichain_metric")
echo $prometheus_query | jq
if [ "$(jq -r '.data.result[0].metric.__name__' <<<$prometheus_query)" == "$panoptichain_metric" ]; then
echo "✅ Prometheus collects panoptichain metrics!"
else
echo "❌ Prometheus does not collect panoptichain metrics..."
exit 1
fi
else
echo "Prometheus is not deployed."
fi
- name: Dump enclave
if: ${{ !cancelled() }}
run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump
- name: Upload enclave dump
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: dump_additional_services_${{ github.run_id }}
path: ./dump
attach-second-cdk:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# This step will only execute if the necessary secrets are available, preventing failures
# on pull requests from forked repositories.
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Kurtosis CDK tools
uses: ./.github/actions/setup-kurtosis-cdk
- name: Deploy L1 chain and a first CDK L2 chain (cdk-erigon sequencer + cdk stack)
run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} .
- name: Attach a second CDK L2 chain (cdk-erigon sequencer + cdk stack)
run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/attach-second-cdk.yml .
- name: Update the agglayer config
run: |
# Download the agglayer config file.
kurtosis files download ${{ env.ENCLAVE_NAME }} agglayer-config-artifact
cd agglayer-config-artifact
# Update the config by adding the rpc and proof signer of the second chain.
tomlq -Y --toml-output --in-place '."full-node-rpcs" += {"2": "http://cdk-erigon-rpc-002:8123"}' agglayer-config.toml
# Replace the agglayer config.
agglayer_container_id="$(docker ps --filter name=agglayer --format json | jq -r -s '. | map(select(.Names | startswith("agglayer--"))) | .[].ID')"
docker cp agglayer-config.toml "$agglayer_container_id:/etc/zkevm/agglayer-config.toml"
# Restart the agglayer service.
kurtosis service stop ${{ env.ENCLAVE_NAME }} agglayer
kurtosis service start ${{ env.ENCLAVE_NAME }} agglayer
- name: Inspect enclave
run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}
- name: Monitor verified batches of the first L2 chain (CDK Erigon Permissionless RPC)
working-directory: .github/scripts
run: |
./monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)"
- name: Monitor verified batches of the second L2 chain (CDK Erigon Permissionless RPC)
working-directory: .github/scripts
run: |
./monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-002 rpc)"
- name: Dump enclave
if: ${{ !cancelled() }}
run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump
- name: Upload enclave dump
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: dump_attach_ckds_${{ github.run_id }}
path: ./dump
deploy-to-external_l1:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
# This step will only execute if the necessary secrets are available, preventing failures
# on pull requests from forked repositories.
if: ${{ env.DOCKERHUB_USERNAME && env.DOCKERHUB_TOKEN }}
env:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Kurtosis CDK tools
uses: ./.github/actions/setup-kurtosis-cdk
- name: Deploy L1 chain
run: kurtosis run --enclave=${{ env.ENCLAVE_NAME }} --args-file=./.github/tests/external-l1/deploy-local-l1.yml .
- name: Deploy to local L1 chain
run: |
kurtosis run --enclave=${{ env.ENCLAVE_NAME }} . '{"deployment_stages": {"deploy_l1": false}}'
- name: Inspect enclave
run: kurtosis enclave inspect ${{ env.ENCLAVE_NAME }}
- name: Monitor verified batches
working-directory: .github/scripts
run: |
./monitor-verified-batches.sh \
--enclave ${{ env.ENCLAVE_NAME }} \
--rpc-url "$(kurtosis port print ${{ env.ENCLAVE_NAME }} cdk-erigon-rpc-001 rpc)"
- name: Dump enclave
if: ${{ !cancelled() }}
run: kurtosis enclave dump ${{ env.ENCLAVE_NAME }} ./dump
- name: Upload enclave dump
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: dump_deploy_to_external_l1_${{ github.run_id }}
path: ./dump