diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
new file mode 100644
index 000000000..8f205378b
--- /dev/null
+++ b/.github/workflows/publish-docker.yml
@@ -0,0 +1,101 @@
+name: Docker
+
+on:
+ workflow_dispatch:
+
+ push:
+ branches: [ main ]
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ branches: [ main ]
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME_1: ${{ github.repository }}/egg-standalone-node
+ IMAGE_NAME_2: ${{ github.repository }}/egg-collator
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - dockerfile: ./docker/Standalone.Dockerfile
+ image: ghcr.io/${{ github.repository }}/egg-standalone-node
+ - dockerfile: ./docker/Parachain.Dockerfile
+ image: ghcr.io/${{ github.repository }}/egg-collator
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+
+ - name: Cancel Previous Runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - uses: actions/checkout@v3
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
+ with:
+ cosign-release: 'v1.7.1'
+
+
+ # Workaround: https://github.com/docker/build-push-action/issues/461
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v2
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ matrix.image }}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # 
https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ file: ${{ matrix.dockerfile }}
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=registry,ref=${{ steps.meta.outputs.tags }}
+ cache-to: type=inline
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
diff --git a/docker/Parachain.Dockerfile b/docker/Parachain.Dockerfile
index faf2ea2e3..a9e1bff3e 100644
--- a/docker/Parachain.Dockerfile
+++ b/docker/Parachain.Dockerfile
@@ -1,5 +1,5 @@ FROM rust:buster as builder -WORKDIR /app +WORKDIR /network RUN rustup default nightly-2021-11-07 && \ rustup target add wasm32-unknown-unknown --toolchain nightly-2021-11-07
@@ -13,7 +13,7 @@ ARG BUILD_ARGS COPY . . # Build DKG Parachain Node -RUN cargo build --release -p dkg-node +RUN cargo build --release --locked -p egg-collator # ============= 
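Review bot: In `.github/workflows/publish-docker.yml`, the final `Sign the published Docker image` step expands `${{ steps.meta.outputs.tags }}` directly into the `run:` script, and docker/metadata-action returns that output as a newline-separated list whenever it produces more than one tag (by default a `v*.*.*` tag push can also yield `latest`). In that case the shell would see a truncated `cosign sign` followed by a second line run as its own command, so the release path is the one most likely to fail. Passing both values through `env:` and signing each tag by digest in a loop keeps expression text out of the script; the same multi-line value also feeds `cache-from`, which expects a single ref. Separately, every `uses:` in this job except cosign-installer is pinned to a mutable tag while the job holds `packages: write` and `id-token: write`; pinning them to full commit SHAs would match the cosign-installer line.

```yaml
        env:
          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # … unchanged: comment about the identity token …
        run: |
          for tag in ${TAGS}; do
            cosign sign "${tag}@${DIGEST}"
          done
```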
@@ -21,11 +21,11 @@ FROM phusion/baseimage:bionic-1.0.0 RUN useradd -m -u 1000 -U -s /bin/sh -d /dkg dkg -COPY --from=builder /app/target/release/dkg-node /usr/local/bin +COPY --from=builder /network/target/release/egg-collator /usr/local/bin # checks -RUN ldd /usr/local/bin/dkg-node && \ - /usr/local/bin/dkg-node --version +RUN ldd /usr/local/bin/egg-collator && \ + /usr/local/bin/egg-collator --version # Shrinking RUN rm -rf /usr/lib/python* && \
@@ -39,4 +39,4 @@ RUN chown -R dkg:dkg /dkg/data VOLUME ["/dkg/data"] -ENTRYPOINT [ "/usr/local/bin/dkg-node" ] \ No newline at end of file +ENTRYPOINT [ "/usr/local/bin/egg-collator" ] \ No newline at end of file
diff --git a/docker/Standalone.Dockerfile b/docker/Standalone.Dockerfile
new file mode 100644
index 000000000..64f905949
--- /dev/null
+++ b/docker/Standalone.Dockerfile
@@ -0,0 +1,42 @@
+FROM rust:buster as builder
+WORKDIR /network
+
+RUN rustup default nightly-2021-11-07 && \
+ rustup target add wasm32-unknown-unknown --toolchain nightly-2021-11-07
+
+# Install Required Packages
+RUN apt-get update && apt-get install -y git clang curl libssl-dev llvm libudev-dev libgmp3-dev && rm -rf /var/lib/apt/lists/*
+
+ARG GIT_COMMIT=
+ENV GIT_COMMIT=$GIT_COMMIT
+ARG BUILD_ARGS
+
+COPY . .
+# Build DKG Parachain Node
+RUN cargo build --release --locked -p egg-standalone-node
+
+# =============
+
+FROM phusion/baseimage:bionic-1.0.0
+
+RUN useradd -m -u 1000 -U -s /bin/sh -d /dkg dkg
+
+COPY --from=builder /network/target/release/egg-standalone-node /usr/local/bin
+
+# checks
+RUN ldd /usr/local/bin/egg-standalone-node && \
+ /usr/local/bin/egg-standalone-node --version
+
+# Shrinking
+RUN rm -rf /usr/lib/python* && \
+ rm -rf /usr/bin /usr/sbin /usr/share/man
+
+USER dkg
+EXPOSE 30333 9933 9944 9615
+
+RUN mkdir /dkg/data
+RUN chown -R dkg:dkg /dkg/data
+
+VOLUME ["/dkg/data"]
+
+ENTRYPOINT [ "/usr/local/bin/egg-standalone-node" ]
\ No newline at end of file
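Review bot: Both `FROM` lines in the new `docker/Standalone.Dockerfile` reference their base images by tag only (`rust:buster` and `phusion/baseimage:bionic-1.0.0`), so the image that this commit's workflow signs and publishes is built on whatever those tags resolve to at build time. Pinning each base by digest, for example `FROM rust:buster@sha256:<builder-digest> as builder`, with digests taken from images you have verified, would tie the signed artifact to known inputs. The copied comment `# Build DKG Parachain Node` should also read `# Build the standalone node`, since this file builds `egg-standalone-node`. The same tag-only bases appear in `docker/Parachain.Dockerfile`, though only as unchanged context lines there.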