feat: include signer messages in Stacks predicate payloads #1564
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
- develop | |
paths-ignore: | |
- '**/CHANGELOG.md' | |
pull_request: | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }} | |
cancel-in-progress: true | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- suite: cli | |
features: redis_tests | |
- suite: sdk | |
features: stacks-signers | |
defaults: | |
run: | |
working-directory: ./components/chainhook-${{ matrix.suite }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Install Rust toolchain | |
run: | | |
rustup toolchain install stable --profile minimal | |
echo "RUST_VERSION_HASH=$(rustc --version | sha256sum | awk '{print $1}')" >> $GITHUB_ENV | |
- name: Cache cargo | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/bin/ | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
# Cache crates.toml & crates2.json to allow `cargo install` | |
~/.cargo/.crates.toml | |
~/.cargo/.crates2.json | |
target/ | |
key: ${{ runner.os }}-rust-${{ env.RUST_VERSION_HASH }}-${{ matrix.suite }}-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Install cargo-tarpaulin | |
run: | | |
cargo install cargo-tarpaulin | |
- name: Setup integration environment | |
run: | | |
sudo ufw disable | |
docker compose -f ../../dockerfiles/docker-compose.dev.yml up -d | |
docker compose -f ../../dockerfiles/docker-compose.dev.yml logs -t -f --no-color &> docker-compose-logs.txt & | |
if: matrix.suite == 'cli' | |
- name: Run tests | |
run: | | |
cargo tarpaulin --skip-clean --out lcov --features ${{ matrix.features }} -- --test-threads=1 | |
- name: Upload coverage reports to Codecov | |
uses: codecov/codecov-action@v4 | |
env: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
codecov_yml_path: .github/codecov.yml | |
- name: Print integration environment logs | |
run: cat docker-compose-logs.txt | |
if: matrix.suite == 'cli' && failure() | |
- name: Teardown integration environment | |
run: docker compose -f ../../dockerfiles/docker-compose.dev.yml down -v -t 0 | |
if: matrix.suite == 'cli' && always() | |
distributions: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: ubuntu-latest | |
platform: linux | |
target: x86_64-unknown-linux-gnu | |
architecture: x64 | |
libc: glibc | |
- os: windows-latest | |
platform: windows | |
target: x86_64-pc-windows-msvc | |
architecture: x64 | |
- os: macos-latest | |
platform: darwin | |
target: x86_64-apple-darwin | |
architecture: x64 | |
- os: macos-latest | |
platform: darwin | |
target: aarch64-apple-darwin | |
architecture: arm64 | |
steps: | |
- name: Configure git to use LF (Windows) | |
if: matrix.os == 'windows-latest' | |
run: | | |
git config --global core.autocrlf false | |
git config --global core.eol lf | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install Rust toolchain | |
run: rustup toolchain install stable --profile minimal --target ${{ matrix.target }} | |
- name: Install Rust Target | |
run: rustup target add ${{ matrix.target }} | |
- name: List rust targets | |
run: rustup target list | |
- name: "Get Rust version (unix)" | |
if: matrix.os != 'windows-latest' | |
run: echo "RUST_VERSION_HASH=$(rustc --version | shasum -a 256 | awk '{print $1}')" >> $GITHUB_ENV | |
- name: "Get Rust version (windows)" | |
if: matrix.os == 'windows-latest' | |
shell: bash | |
run: echo "RUST_VERSION_HASH=$(rustc --version | sha256sum | awk '{print $1}')" >> $GITHUB_ENV | |
- name: Cache cargo | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/ | |
./target/ | |
key: ${{ runner.os }}-rust-${{ env.RUST_VERSION_HASH }}-${{ matrix.target }}-cargo-${{ hashFiles('./Cargo.lock') }} | |
- name: Install wix (Windows) | |
if: matrix.os == 'windows-latest' && steps.cache-cargo.outputs.cache-hit != 'true' | |
run: cargo install cargo-wix | |
# Set environment variables required from cross compiling from macos-x86_64 to macos-arm64 | |
- name: Configure macos-arm64 cross compile config | |
if: matrix.target == 'aarch64-apple-darwin' | |
run: | | |
echo "SDKROOT=$(xcrun -sdk macosx --show-sdk-path)" >> $GITHUB_ENV | |
echo "MACOSX_DEPLOYMENT_TARGET=$(xcrun -sdk macosx --show-sdk-platform-version)" >> $GITHUB_ENV | |
- name: Configure artifact names (libc) | |
if: ${{ matrix.libc }} | |
shell: bash | |
run: | | |
echo "SHORT_TARGET_NAME=${{ matrix.platform }}-${{ matrix.architecture }}-${{ matrix.libc }}" >> $GITHUB_ENV | |
echo "PRE_GYP_TARGET_NAME=${{ matrix.platform }}-${{ matrix.architecture }}-${{ matrix.libc }}" >> $GITHUB_ENV | |
- name: Configure artifact names (not libc) | |
if: ${{ ! matrix.libc }} | |
shell: bash | |
run: | | |
echo "SHORT_TARGET_NAME=${{ matrix.platform }}-${{ matrix.architecture }}" >> $GITHUB_ENV | |
echo "PRE_GYP_TARGET_NAME=${{ matrix.platform }}-${{ matrix.architecture }}-unknown" >> $GITHUB_ENV | |
- name: Build - Cargo | |
if: matrix.target != 'x86_64-unknown-linux-musl' | |
run: cargo build --release --features cli --features debug --no-default-features --target ${{ matrix.target }} | |
# Steps for Windows Code Signing with DigiCert | |
- name: Windows - Setup Certificate | |
if: startsWith(github.ref, 'refs/heads/main') && matrix.os == 'windows-latest' | |
run: | | |
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 | |
cat /d/Certificate_pkcs12.p12 | |
shell: bash | |
- name: Windows - Set variables | |
if: startsWith(github.ref, 'refs/heads/main') && matrix.os == 'windows-latest' | |
id: variables | |
run: | | |
dir | |
echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" | |
echo "::set-output name=KEYPAIR_NAME::gt-standard-keypair" | |
echo "::set-output name=CERTIFICATE_NAME::gt-certificate" | |
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" | |
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH | |
shell: bash | |
- name: Windows - Setup Keylocker KSP | |
if: startsWith(github.ref, 'refs/heads/main') && matrix.os == 'windows-latest' | |
run: | | |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi | |
msiexec /i Keylockertools-windows-x64.msi /quiet /qn | |
smksp_registrar.exe list | |
smctl.exe keypair ls | |
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
shell: cmd | |
- name: Windows - Certificates Sync | |
if: startsWith(github.ref, 'refs/heads/main') && matrix.os == 'windows-latest' | |
run: | | |
smctl windows certsync | |
shell: cmd | |
- name: Code sign bin (Windows) | |
if: startsWith(github.ref, 'refs/heads/main') && matrix.os == 'windows-latest' | |
run: | | |
$signtool_path = ((Resolve-Path -Path "${env:ProgramFiles(x86)}/Windows Kits/10/bin/10*/x86").Path[-1]) + "/signtool.exe" | |
$bin_path = (Resolve-Path -Path "target/${{ matrix.target }}/release/chainhook.exe").Path | |
& ${signtool_path} sign ` | |
/d "Chainhook is a reorg-aware indexing engine for the Stacks & Bitcoin blockchains." ` | |
/du "https://github.com/hirosystems/chainhook" ` | |
/tr http://timestamp.digicert.com ` | |
/sha1 "${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" ` | |
/td sha256 ` | |
/fd sha256 ` | |
"${bin_path}" | |
& ${signtool_path} verify /v /pa "${bin_path}" | |
- name: Build Installer (Windows) | |
if: matrix.os == 'windows-latest' | |
run: cargo wix -v --no-build --nocapture -p chainhook | |
- name: Code sign installed (Windows) | |
if: startsWith(github.ref, 'refs/heads/main') && matrix.os == 'windows-latest' | |
run: | | |
$signtool_path = ((Resolve-Path -Path "${env:ProgramFiles(x86)}/Windows Kits/10/bin/10*/x86").Path[-1]) + "/signtool.exe" | |
$msi_path = (Resolve-Path -Path "target/wix/*.msi").Path | |
& ${signtool_path} sign ` | |
/d "Chainhook is a reorg-aware indexing engine for the Stacks & Bitcoin blockchains." ` | |
/du "https://github.com/hirosystems/chainhook" ` | |
/tr http://timestamp.digicert.com ` | |
/sha1 "${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" ` | |
/td sha256 ` | |
/fd sha256 ` | |
"${msi_path}" | |
& ${signtool_path} verify /v /pa "${msi_path}" | |
# Don't compress for Windows because winget can't yet unzip files | |
- name: Compress cargo artifact (Linux) | |
if: matrix.os != 'windows-latest' | |
run: tar -C target/${{ matrix.target }}/release -zcvf chainhook-${{ env.SHORT_TARGET_NAME }}.tar.gz chainhook | |
- name: Rename cargo artifact (Windows) | |
if: matrix.os == 'windows-latest' | |
shell: bash | |
run: mv target/wix/*.msi chainhook-${{ env.SHORT_TARGET_NAME }}.msi | |
# Separate uploads to prevent paths from being preserved | |
- name: Upload cargo artifacts (Linux) | |
if: matrix.os != 'windows-latest' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: chainhook-${{ env.SHORT_TARGET_NAME }} | |
path: chainhook-${{ env.SHORT_TARGET_NAME }}.tar.gz | |
- name: Upload cargo artifact (Windows) | |
if: matrix.os == 'windows-latest' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: chainhook-${{ env.SHORT_TARGET_NAME }} | |
path: chainhook-${{ env.SHORT_TARGET_NAME }}.msi | |
semantic-release: | |
runs-on: ubuntu-latest | |
needs: | |
- test | |
- distributions | |
outputs: | |
new_release_version: ${{ steps.semantic.outputs.new_release_version }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Download pre-built dists | |
uses: actions/download-artifact@v4 | |
- name: Semantic Release | |
uses: cycjimmy/semantic-release-action@v4 | |
id: semantic | |
# Only run on non-PR events or only PRs that aren't from forks | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SEMANTIC_RELEASE_PACKAGE: ${{ github.event.repository.name }} | |
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_CRATES_IO_API_KEY }} | |
with: | |
semantic_version: 19 | |
extra_plugins: | | |
@semantic-release/changelog@6.0.3 | |
@semantic-release/git@10.0.1 | |
@semantic-release/exec@6.0.3 | |
conventional-changelog-conventionalcommits@6.1.0 | |
- name: Trigger pkg-version-bump workflow | |
uses: peter-evans/repository-dispatch@v1 | |
if: steps.semantic.outputs.new_release_version != '' | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
event-type: released | |
client-payload: '{"tag": "${{ steps.semantic.outputs.new_release_version }}"}' | |
build-publish: | |
runs-on: ubuntu-latest | |
needs: semantic-release | |
outputs: | |
docker_image_digest: ${{ steps.docker_push.outputs.digest }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- image: ${{ github.repository }} | |
artifact: chainhook-linux-x64-glibc | |
dockerfile: dockerfiles/components/chainhook-node.dockerfile | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Checkout tag | |
if: needs.semantic-release.outputs.new_release_version != '' | |
uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
ref: ${{ needs.semantic-release.outputs.new_release_version }} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Docker Meta | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
hirosystems/${{ github.event.repository.name }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}},value=${{ needs.semantic-release.outputs.new_release_version }},enable=${{ needs.semantic-release.outputs.new_release_version != '' }} | |
type=semver,pattern={{major}}.{{minor}},value=${{ needs.semantic-release.outputs.new_release_version }},enable=${{ needs.semantic-release.outputs.new_release_version != '' }} | |
type=raw,value=latest,enable={{is_default_branch}} | |
- name: Log in to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
- name: Download pre-built dist | |
uses: actions/download-artifact@v4 | |
with: | |
name: ${{ matrix.artifact }} | |
- name: Untar pre-built dist | |
run: tar zxvf *.tar.gz | |
- name: Build/Push Image | |
uses: docker/build-push-action@v5 | |
id: docker_push | |
with: | |
context: . | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
file: ${{ matrix.dockerfile }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
# Only push if (there's a new release on main branch, or if building a non-main branch) and (Only run on non-PR events or only PRs that aren't from forks) | |
push: ${{ (github.ref != 'refs/heads/main' || needs.semantic-release.outputs.new_release_version != '') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }} | |
deploy-dev: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
k8s-env: [mainnet,testnet] | |
needs: build-publish | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | |
env: | |
DEPLOY_ENV: dev | |
environment: | |
name: Development-${{ matrix.k8s-env }} | |
url: https://platform.dev.hiro.so/ | |
steps: | |
- name: Checkout actions repo | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
token: ${{ secrets.GH_TOKEN }} | |
repository: ${{ secrets.DEVOPS_ACTIONS_REPO }} | |
- name: Deploy Chainhook build to Dev ${{ matrix.k8s-env }} | |
uses: ./actions/deploy | |
with: | |
docker_image_tag_or_digest: ${{ needs.build-publish.outputs.docker_image_digest }} | |
file_pattern: manifests/chainhooks/${{ matrix.k8s-env }}/chainhook-node/${{ env.DEPLOY_ENV }}/base/kustomization.yaml | |
gh_token: ${{ secrets.GH_TOKEN }} | |
auto-approve-dev: | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/heads/main') && needs.semantic-release.outputs.new_release_version != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) | |
needs: | |
- build-publish | |
steps: | |
- name: Approve pending deployments | |
run: | | |
sleep 5 | |
ENV_IDS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/hirosystems/chainhook/actions/runs/${{ github.run_id }}/pending_deployments" | jq -r '[.[].environment.id // empty]') | |
if [[ "${ENV_IDS}" != "[]" ]]; then | |
curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/hirosystems/chainhook/actions/runs/${{ github.run_id }}/pending_deployments" -d "{\"environment_ids\":${ENV_IDS},\"state\":\"approved\",\"comment\":\"auto approve\"}" | |
fi | |
deploy-staging: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
k8s-env: [mainnet,testnet] | |
needs: | |
- build-publish | |
- deploy-dev | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository | |
env: | |
DEPLOY_ENV: stg | |
environment: | |
name: Staging-${{ matrix.k8s-env }} | |
url: https://platform.stg.hiro.so/ | |
steps: | |
- name: Checkout actions repo | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
token: ${{ secrets.GH_TOKEN }} | |
repository: ${{ secrets.DEVOPS_ACTIONS_REPO }} | |
- name: Deploy Chainhook build to Stg ${{ matrix.k8s-env }} | |
uses: ./actions/deploy | |
with: | |
docker_image_tag_or_digest: ${{ needs.build-publish.outputs.docker_image_digest }} | |
file_pattern: manifests/chainhooks/${{ matrix.k8s-env }}/chainhook-node/${{ env.DEPLOY_ENV }}/base/kustomization.yaml | |
gh_token: ${{ secrets.GH_TOKEN }} | |
auto-approve-stg: | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/heads/main') && needs.semantic-release.outputs.new_release_version != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) | |
needs: | |
- build-publish | |
- deploy-dev | |
steps: | |
- name: Approve pending deployments | |
run: | | |
sleep 5 | |
ENV_IDS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/hirosystems/chainhook/actions/runs/${{ github.run_id }}/pending_deployments" | jq -r '[.[].environment.id // empty]') | |
if [[ "${ENV_IDS}" != "[]" ]]; then | |
curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/hirosystems/chainhook/actions/runs/${{ github.run_id }}/pending_deployments" -d "{\"environment_ids\":${ENV_IDS},\"state\":\"approved\",\"comment\":\"auto approve\"}" | |
fi | |
deploy-prod: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
include: | |
- k8s-env: mainnet | |
k8s-subenv: blue | |
- k8s-env: mainnet | |
k8s-subenv: green | |
- k8s-env: testnet | |
k8s-subenv: blue | |
needs: | |
- build-publish | |
- deploy-staging | |
if: startsWith(github.ref, 'refs/heads/main') && needs.semantic-release.outputs.new_release_version != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) | |
env: | |
DEPLOY_ENV: prd | |
environment: | |
name: Production-${{ matrix.k8s-env }}-${{ matrix.k8s-subenv }} | |
url: https://platform.hiro.so/ | |
steps: | |
- name: Checkout actions repo | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
token: ${{ secrets.GH_TOKEN }} | |
repository: ${{ secrets.DEVOPS_ACTIONS_REPO }} | |
- name: Deploy Chainhook build to Prd ${{ matrix.k8s-env }}-${{ matrix.k8s-subenv }} | |
uses: ./actions/deploy | |
with: | |
docker_image_tag_or_digest: ${{ needs.build-publish.outputs.docker_image_digest }} | |
file_pattern: manifests/chainhooks/${{ matrix.k8s-env }}/chainhook-node/${{ env.DEPLOY_ENV }}/base/kustomization.yaml | |
subenv: ${{ matrix.k8s-subenv }} | |
gh_token: ${{ secrets.GH_TOKEN }} |