paritytech-stg · iulianbarbu · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024
diff --git a/.github/scripts/release/build-deb.sh b/.github/scripts/release/build-deb.sh
@@ -9,8 +9,7 @@ cargo install --version 2.7.0 cargo-deb --locked -q
 echo "Using cargo-deb v$(cargo-deb --version)"
 echo "Building a Debian package for '$PRODUCT' in '$PROFILE' profile"
 
-# we need to start  the custom version with a didgit as requires it cargo-deb
-cargo deb --profile $PROFILE --no-strip --no-build -p $PRODUCT --deb-version 1-$VERSION
+cargo deb --profile $PROFILE --no-strip --no-build -p $PRODUCT --deb-version $VERSION
 
 deb=target/debian/$PRODUCT_*_amd64.deb
 

diff --git a/.github/scripts/release/release_lib.sh b/.github/scripts/release/release_lib.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Set the new version by replacing the value of the constant given as patetrn
+# Set the new version by replacing the value of the constant given as pattern
 # in the file.
 #
 # input: pattern, version, file

diff --git a/.github/workflows/release-build-rc.yml b/.github/workflows/release-build-rc.yml
@@ -39,14 +39,57 @@ jobs:
           RELEASE_TAG=$(validate_stable_tag ${{ inputs.release_tag }})
           echo "release_tag=${RELEASE_TAG}" >> $GITHUB_OUTPUT
 
-  build-polkadot-binary:
+  # build-polkadot-binary:
+  #   needs: [validate-inputs]
+  #   if: ${{ inputs.binary == 'polkadot' || inputs.binary == 'all' }}
+  #   uses: "./.github/workflows/release-reusable-rc-buid.yml"
+  #   with:
+  #     binary: '["polkadot", "polkadot-prepare-worker", "polkadot-execute-worker"]'
+  #     package: polkadot
+  #     release_tag: ${{ needs.validate-inputs.outputs.release_tag }}
+  #   secrets:
+  #     PGP_KMS_KEY:  ${{ secrets.PGP_KMS_KEY }}
+  #     PGP_KMS_HASH:  ${{ secrets.PGP_KMS_HASH }}
+  #     AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+  #     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  #     AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
+  #     AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+  #     AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+  #   permissions:
+  #     id-token: write
+  #     attestations: write
+  #     contents: read
+  #
+  # build-polkadot-parachain-binary:
+  #   needs: [validate-inputs]
+  #   if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'all' }}
+  #   uses: "./.github/workflows/release-reusable-rc-buid.yml"
+  #   with:
+  #     binary: '["polkadot-parachain"]'
+  #     package: "polkadot-parachain-bin"
+  #     release_tag: ${{ needs.validate-inputs.outputs.release_tag }}
+  #   secrets:
+  #     PGP_KMS_KEY:  ${{ secrets.PGP_KMS_KEY }}
+  #     PGP_KMS_HASH:  ${{ secrets.PGP_KMS_HASH }}
+  #     AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+  #     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  #     AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
+  #     AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+  #     AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+  #   permissions:
+  #     id-token: write
+  #     attestations: write
+  #     contents: read
+
+  build-polkadot-macos-binary:
     needs: [validate-inputs]
     if: ${{ inputs.binary == 'polkadot' || inputs.binary == 'all' }}
     uses: "./.github/workflows/release-reusable-rc-buid.yml"
     with:
       binary: '["polkadot", "polkadot-prepare-worker", "polkadot-execute-worker"]'
       package: polkadot
       release_tag: ${{ needs.validate-inputs.outputs.release_tag }}
+      runs_on: parity-macos
     secrets:
       PGP_KMS_KEY:  ${{ secrets.PGP_KMS_KEY }}
       PGP_KMS_HASH:  ${{ secrets.PGP_KMS_HASH }}
@@ -60,14 +103,15 @@ jobs:
       attestations: write
       contents: read
 
-  build-polkadot-parachain-binary:
+  build-polkadot-parachain-macos-binary:
     needs: [validate-inputs]
     if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'all' }}
     uses: "./.github/workflows/release-reusable-rc-buid.yml"
     with:
       binary: '["polkadot-parachain"]'
       package: "polkadot-parachain-bin"
       release_tag: ${{ needs.validate-inputs.outputs.release_tag }}
+      runs_on: parity-macos
     secrets:
       PGP_KMS_KEY:  ${{ secrets.PGP_KMS_KEY }}
       PGP_KMS_HASH:  ${{ secrets.PGP_KMS_HASH }}

diff --git a/.github/workflows/release-reusable-rc-buid.yml b/.github/workflows/release-reusable-rc-buid.yml
@@ -19,6 +19,12 @@ on:
         required: true
         type: string
 
+      runs_on:
+        description: Operating system used for the workflow call
+        required: true
+        type: string
+        default: ubuntu-latest
+
     secrets:
       PGP_KMS_KEY:
         required: true
@@ -56,6 +62,38 @@ jobs:
       - id: set_image
         run: cat .github/env >> $GITHUB_OUTPUT
 
+  setup-macos-runner:
+    if: ${{ inputs.runs_on == 'parity-macos' }}
+    runs-on: parity-macos
+    env:
+      SKIP_WASM_BUILD: 1
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Set rust version from env file
+        run: |
+          RUST_VERSION=$(cat .github/env | sed -E 's/.*ci-unified:([^-]+)-([^-]+).*/\2/')
+          echo $RUST_VERSION
+          echo "RUST_VERSION=${RUST_VERSION}" >> $GITHUB_ENV
+      - name: Set up Homebrew
+        uses: Homebrew/actions/setup-homebrew@1ccc07ccd54b6048295516a3eb89b192c35057dc # master from 12.09.2024
+      - name: Install rust ${{ env.RUST_VERSION }}
+        uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8 # v1.10.1
+        with:
+          cache: false
+          toolchain: ${{ env.RUST_VERSION }}
+          target: wasm32-unknown-unknown
+          components: cargo, clippy, rust-docs, rust-src, rustfmt, rustc, rust-std
+      - name: Install protobuf
+        run: brew install protobuf
+      - name: cargo info
+        run: |
+          echo "######## rustup show ########"
+          rustup show
+          echo "######## cargo --version ########"
+          cargo --version
+      - name: Check bash
+        run: bash --version
+
   build-rc:
     needs: [set-image]
     runs-on: ubuntu-latest-m
@@ -130,62 +168,138 @@ jobs:
           name: ${{ matrix.binaries }}
           path: /artifacts/${{ matrix.binaries }}
 
-  build-polkadot-deb-package:
-    if: ${{ inputs.package == 'polkadot' }}
-    needs: [build-rc]
-    runs-on: ubuntu-latest
+  build-macos-rc:
+    if: ${{ inputs.runs_on == 'parity-macos' }}
+    needs: [setup-macos-runner]
+    runs-on: parity-macos
+    environment: release
+    strategy:
+      matrix:
+        binaries: ${{ fromJSON(inputs.binary) }}
+    env:
+      PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
+      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
 
     steps:
-    - name: Checkout sources
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
-      with:
-        ref: ${{ inputs.release_tag }}
-        fetch-depth: 0
-
-    - name: Download artifacts
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-      with:
-        path: target/production
-        merge-multiple: true
-
-    - name: Build polkadot deb package
-      shell: bash
-      run: |
-        . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${{ inputs.release_tag }}
-
-    - name: Generate artifact attestation
-      uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
-      with:
-        subject-path: target/production/*.deb
-
-    - name: Upload ${{inputs.package }} artifacts
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-      with:
-        name: ${{ inputs.package }}
-        path: target/production
-        overwrite: true
-
-  upload-polkadot-artifacts-to-s3:
-    if: ${{ inputs.package == 'polkadot' }}
-    needs: [build-polkadot-deb-package]
-    uses: ./.github/workflows/release-reusable-s3-upload.yml
-    with:
-      package: ${{ inputs.package }}
-      release_tag: ${{ inputs.release_tag }}
-    secrets:
-      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-      AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
-      AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+      - name: Install pgpkkms
+        run: |
+          # Install pgpkms that is used to sign built artifacts
+          python3 -m pip install "pgpkms @ git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69"
+          which pgpkms
+
+      - name: Checkout sources
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          ref: ${{ inputs.release_tag }}
+          fetch-depth: 0
 
+      - name: Import gpg keys
+        shell: bash
+        run: |
+          . ./.github/scripts/common/lib.sh
 
-  upload-polkadot-parachain-artifacts-to-s3:
-    if: ${{ inputs.package == 'polkadot-parachain-bin' }}
-    needs: [build-rc]
-    uses: ./.github/workflows/release-reusable-s3-upload.yml
-    with:
-      package: polkadot-parachain
-      release_tag: ${{ inputs.release_tag }}
-    secrets:
-      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-      AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
-      AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+          import_gpg_keys
+
+      - name: Build binary
+        run: |
+          git config --global --add safe.directory "${GITHUB_WORKSPACE}" #avoid "detected dubious ownership" error
+          ./.github/scripts/release/build-linux-release.sh ${{ matrix.binaries }} ${{ inputs.package }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-path: /artifacts/${{ matrix.binaries }}/${{ matrix.binaries }}
+
+      - name: Sign artifacts
+        working-directory: /artifacts/${{ matrix.binaries }}
+        run: |
+          python3 -m pgpkms sign --input ${{matrix.binaries }} -o ${{ matrix.binaries }}.asc
+
+      - name: Check sha256 ${{ matrix.binaries }}
+        working-directory: /artifacts/${{ matrix.binaries }}
+        shell: bash
+        run: |
+          .  "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
+
+          echo "Checking binary  ${{ matrix.binaries }}"
+          check_sha256  ${{ matrix.binaries }}
+
+      - name: Check GPG ${{ matrix.binaries }}
+        working-directory: /artifacts/${{ matrix.binaries }}
+        shell: bash
+        run: |
+          . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
+
+          check_gpg  ${{ matrix.binaries }}
+
+      - name: Upload ${{ matrix.binaries }} artifacts
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: ${{ matrix.binaries }}
+          path: /artifacts/${{ matrix.binaries }}
+
+
+  # build-polkadot-deb-package:
+  #   if: ${{ inputs.package == 'polkadot' }}
+  #   needs: [build-rc]
+  #   runs-on: ubuntu-latest
+  #
+  #   steps:
+  #   - name: Checkout sources
+  #     uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+  #     with:
+  #       ref: ${{ inputs.release_tag }}
+  #       fetch-depth: 0
+  #
+  #   - name: Download artifacts
+  #     uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+  #     with:
+  #       path: target/production
+  #       merge-multiple: true
+  #
+  #   - name: Build polkadot deb package
+  #     shell: bash
+  #     run: |
+  #       . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
+  #       VERSION=$(get_polkadot_node_version_from_code)
+  #       . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION}
+  #
+  #   - name: Generate artifact attestation
+  #     uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+  #     with:
+  #       subject-path: target/production/*.deb
+  #
+  #   - name: Upload ${{inputs.package }} artifacts
+  #     uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+  #     with:
+  #       name: ${{ inputs.package }}
+  #       path: target/production
+  #       overwrite: true
+  #
+  # upload-polkadot-artifacts-to-s3:
+  #   if: ${{ inputs.package == 'polkadot' }}
+  #   needs: [build-polkadot-deb-package]
+  #   uses: ./.github/workflows/release-reusable-s3-upload.yml
+  #   with:
+  #     package: ${{ inputs.package }}
+  #     release_tag: ${{ inputs.release_tag }}
+  #   secrets:
+  #     AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+  #     AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+  #     AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+  #
+  #
+  # upload-polkadot-parachain-artifacts-to-s3:
+  #   if: ${{ inputs.package == 'polkadot-parachain-bin' }}
+  #   needs: [build-rc]
+  #   uses: ./.github/workflows/release-reusable-s3-upload.yml
+  #   with:
+  #     package: polkadot-parachain
+  #     release_tag: ${{ inputs.release_tag }}
+  #   secrets:
+  #     AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+  #     AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
+  #     AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
diff --git a/.gitignore b/.gitignore
@@ -30,7 +30,6 @@ artifacts
 bin/node-template/Cargo.lock
 nohup.out
 polkadot_argument_parsing
-polkadot.*
 !docs/sdk/src/polkadot_sdk/polkadot.rs
 pwasm-alloc/Cargo.lock
 pwasm-libc/Cargo.lock

diff --git a/Cargo.lock b/Cargo.lock