smartcontractkit · valerii-kabisov-cll · Jul 29, 2024 · Jul 29, 2024 · Jul 29, 2024 · Jul 30, 2024
@@ -0,0 +1,5 @@
+---
+"chainlink": minor
+---
+
+Bump to start the next version
@@ -67,11 +67,10 @@ core/scripts/gateway @smartcontractkit/functions
 
 /contracts/src/v0.8/functions @smartcontractkit/functions
 /contracts/**/*functions* @smartcontractkit/functions
-/contracts/**/*llo-feeds* @smartcontrackit/mercury-team
+/contracts/**/*llo-feeds* @smartcontractkit/mercury-team
 /contracts/**/*vrf* @smartcontractkit/vrf-team
 /contracts/**/*l2ep* @smartcontractkit/bix-ship
-# TODO: replace with a team tag when ready
-/contracts/**/*keystone* @archseer @bolekk @patrick-dowell
+/contracts/**/*keystone* @smartcontractkit/keystone
 
 /contracts/src/v0.8/automation @smartcontractkit/keepers
 /contracts/src/v0.8/functions @smartcontractkit/functions

@@ -51,23 +51,11 @@ inputs:
     description: When set to the string boolean value of "true", the resulting build image will be signed
     default: "false"
     required: false
-  cosign-private-key:
-    description: The private key to be used with cosign to sign the image
-    required: false
-  cosign-public-key:
-    description: The public key to be used with cosign for verification
-    required: false
-  cosign-password:
-    description: The password to decrypt the cosign private key needed to sign the image
-    required: false
-  sign-method:
-    description: Build image will be signed using keypair or keyless methods
-    default: "keypair"
-    required: true
   verify-signature:
     description: When set to the string boolean value of "true", the resulting build image signature will be verified
     default: "false"
     required: false
+
 outputs:
   docker-image-tag:
     description: The docker image tag that was built and pushed
@@ -84,6 +72,8 @@ runs:
       # See https://docs.github.com/en/actions/learn-github-actions/workflow-commands-for-github-actions#multiline-strings
       run: |
         SHARED_IMAGES=${{ inputs.ecr-hostname }}/${{ inputs.ecr-image-name }}
+        OIDC_ISSUER=https://token.actions.githubusercontent.com
+        OIDC_IDENTITY=https://github.com/smartcontractkit/chainlink/.github/workflows/build-publish.yml@${{ github.ref }}
 
         SHARED_TAG_LIST=$(cat << EOF
         type=ref,event=branch,suffix=${{ inputs.ecr-tag-suffix }}
@@ -101,6 +91,9 @@ runs:
         echo "$SHARED_IMAGES" >> $GITHUB_ENV
         echo "EOF" >> $GITHUB_ENV
 
+        echo "oidc-issuer=${OIDC_ISSUER}" >> $GITHUB_ENV
+        echo "oidc-identity=${OIDC_IDENTITY}" >> $GITHUB_ENV
+
         echo "shared-tag-list<<EOF" >> $GITHUB_ENV
         echo "$SHARED_TAG_LIST" >> $GITHUB_ENV
         echo "EOF" >> $GITHUB_ENV
@@ -171,7 +164,9 @@ runs:
       run: |
         IMAGES_NAME_RAW=${{ fromJSON(steps.buildpush-root.outputs.metadata)['image.name'] }}
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
+        IMAGE_DIGEST=${{ fromJSON(steps.buildpush-root.outputs.metadata)['containerimage.digest'] }}
         echo "root_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "root_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
 
     - name: Generate docker metadata for non-root image
       id: meta-nonroot
@@ -217,6 +212,7 @@ runs:
         IMAGE_NAME=$(echo "$IMAGES_NAME_RAW" | cut -d"," -f1)
         IMAGE_TAG=$(echo "$IMAGES_NAME_RAW" | cut -d":" -f2)
         echo "nonroot_image_name=${IMAGE_NAME}" >> $GITHUB_ENV
+        echo "nonroot_image_digest=${IMAGE_DIGEST}" >> $GITHUB_ENV
         echo '### Docker Image' >> $GITHUB_STEP_SUMMARY
         echo "Image Name: ${IMAGE_NAME}"  >> $GITHUB_STEP_SUMMARY
         echo "Image Digest: ${IMAGE_DIGEST}"  >> $GITHUB_STEP_SUMMARY
@@ -239,74 +235,36 @@ runs:
 
     - if: inputs.sign-images == 'true'
       name: Install cosign
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       with:
-        cosign-release: "v1.6.0"
+        cosign-release: "v2.4.0"
 
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
-      name: Sign the published root Docker image using keypair method
-      shell: sh
-      env:
-        COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
-      run: |
-        echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.root_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
-      name: Verify the signature of the published root Docker image using keypair
-      shell: sh
-      run: |
-        echo "${{ inputs.cosign-public-key }}" > cosign.key
-        cosign verify --key cosign.key "${{ env.root_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    # This automatically signs the image with the correct OIDC provider from Github
+    - if: inputs.sign-images == 'true'
       name: Sign the published root Docker image using keyless method
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign sign "${{ env.root_image_name }}"
+        cosign sign "${{ env.root_image_name }}" --yes
 
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    - if: inputs.verify-signature == 'true'
       name: Verify the signature of the published root Docker image using keyless
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
-      run: |
-        cosign verify "${{ env.root_image_name }}"
-
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keypair'
-      name: Sign the published non-root Docker image using keypair method
-      shell: sh
-      env:
-        COSIGN_PASSWORD: "${{ inputs.cosign-password }}"
-      run: |
-        echo "${{ inputs.cosign-private-key }}" > cosign.key
-        cosign sign --key cosign.key "${{ env.nonroot_image_name }}"
-        rm -f cosign.key
-
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keypair'
-      name: Verify the signature of the published non-root Docker image using keypair
-      shell: sh
       run: |
-        echo "${{ inputs.cosign-public-key }}" > cosign.key
-        cosign verify --key cosign.key "${{ env.nonroot_image_name }}"
-        rm -f cosign.key
+        cosign verify "${{ env.root_image_name }}" \
+        --certificate-oidc-issuer ${{ env.oidc-issuer }} \
+        --certificate-identity "${{ env.oidc-identity }}"
 
-    - if: inputs.sign-images == 'true' && inputs.sign-method == 'keyless'
+    # This automatically signs the image with the correct OIDC provider from Github
+    - if: inputs.sign-images == 'true'
       name: Sign the published non-root Docker image using keyless method
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign sign "${{ env.nonroot_image_name }}"
+        cosign sign "${{ env.nonroot_image_name }}" --yes
 
-    - if: inputs.verify-signature == 'true' && inputs.sign-method == 'keyless'
+    - if: inputs.verify-signature == 'true'
       name: Verify the signature of the published non-root Docker image using keyless
       shell: sh
-      env:
-        COSIGN_EXPERIMENTAL: 1
       run: |
-        cosign verify "${{ env.nonroot_image_name }}"
+        cosign verify "${{ env.nonroot_image_name }}" \
+        --certificate-oidc-issuer ${{ env.oidc-issuer }} \
+        --certificate-identity "${{ env.oidc-identity }}"
@@ -58,7 +58,7 @@ runs:
         skip-pkg-cache: true
         skip-build-cache: true
         # only-new-issues is only applicable to PRs, otherwise it is always set to false
-        only-new-issues: false # disabled for PRs due to unreliability
+        only-new-issues: true
         args: --out-format colored-line-number,checkstyle:golangci-lint-report.xml
         working-directory: ${{ inputs.go-directory }}
     - name: Print lint report artifact

@@ -97,13 +97,17 @@ Following inputs can be used as `step.with` keys
 
 | Name                         | Type   | Default            | Description                                                             |
 | ---------------------------- | ------ | ------------------ | ----------------------------------------------------------------------- |
-| `goreleaser-version`         | String | `1.13.1`           | `goreleaser` version                                                    |
-| `zig-version`                | String | `0.10.0`           | `zig` version                                                           |
-| `cosign-version`             | String | `v1.13.1`          | `cosign` version                                                        |
+| `goreleaser-version`         | String | `~> v2`            | `goreleaser` version                                                    |
+| `zig-version`                | String | `0.10.1`           | `zig` version                                                           |
+| `cosign-version`             | String | `v2.2.2`           | `cosign` version                                                        |
 | `macos-sdk-dir`              | String | `MacOSX12.3.sdk`   | MacOSX sdk directory                                                    |
 | `enable-docker-publish`      | Bool   | `true`             | Enable publishing of Docker images / manifests                          |
 | `docker-registry`            | String | `localhost:5001`   | Docker registry                                                         |
+| `docker-image-name`          | String | `chainlink`        | Docker image name                                                       |
+| `docker-image-tag`           | String | `develop`          | Docker image tag                                                        |
 | `enable-goreleaser-snapshot` | Bool   | `false`            | Enable goreleaser build / release snapshot                              |
+| `enable-goreleaser-split`    | Bool   | `false`            | Enable goreleaser build using split and merge                           |
+| `goreleaser-split-arch`      | String | `""`               | The arch to build the image with - amd64, arm64                         |
 | `goreleaser-exec`            | String | `goreleaser`       | The goreleaser executable, can invoke wrapper script                    |
 | `goreleaser-config`          | String | `.goreleaser.yaml` | The goreleaser configuration yaml                                       |
 | `enable-cosign`              | Bool   | `false`            | Enable signing of Docker images                                         |

@@ -3,7 +3,7 @@ description: A composite action that allows building and publishing signed chain
 inputs:
   goreleaser-version:
     description: The goreleaser version
-    default: 1.23.0
+    default: "~> v2"
     required: false
   goreleaser-key:
     description: The goreleaser key
@@ -14,7 +14,7 @@ inputs:
     required: false
   cosign-version:
     description: The cosign version
-    default: v2.2.2
+    default: v2.4.0
     required: false
   macos-sdk-dir:
     description: The macos sdk directory
@@ -29,10 +29,13 @@ inputs:
     description: The docker registry
     default: localhost:5001
     required: false
-  # snapshot inputs
-  enable-goreleaser-snapshot:
-    description: Enable goreleaser build / release snapshot
-    default: "false"
+  docker-image-name:
+    description: The docker image name
+    default: chainlink
+    required: false
+  docker-image-tag:
+    description: The docker image tag
+    default: develop
     required: false
   # goreleaser inputs
   goreleaser-exec:
@@ -43,27 +46,22 @@ inputs:
     description: "The goreleaser configuration yaml"
     default: ".goreleaser.yaml"
     required: false
-  # signing inputs
-  enable-cosign:
-    description: Enable signing of docker images
+  enable-goreleaser-snapshot:
+    description: Enable goreleaser build / release snapshot
     default: "false"
     required: false
-  cosign-private-key:
-    description: The private key to be used with cosign to sign the image
+  enable-goreleaser-split:
+    description: Enable goreleaser split and merge builds
+    default: "false"
     required: false
-  cosign-public-key:
-    description: The public key to be used with cosign for verification
+  goreleaser-split-arch:
+    description: The architecture to split the goreleaser build
     required: false
-  cosign-password:
-    description: The password to decrypt the cosign private key needed to sign the image
+  # signing inputs
+  enable-cosign:
+    description: Enable signing of docker images
+    default: "false"
     required: false
-outputs:
-  goreleaser-metadata:
-    description: "Build result metadata"
-    value: ${{ steps.goreleaser.outputs.metadata }}
-  goreleaser-artifacts:
-    description: "Build result artifacts"
-    value: ${{ steps.goreleaser.outputs.artifacts }}
 runs:
   using: composite
   steps:
@@ -76,7 +74,7 @@ runs:
       with:
         go-version-file: "go.mod"
     - name: Setup goreleaser
-      uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+      uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
       with:
         distribution: goreleaser-pro
         install-only: true
@@ -89,27 +87,33 @@ runs:
         version: ${{ inputs.zig-version }}
     - name: Setup cosign
       if: inputs.enable-cosign == 'true'
-      uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       with:
         cosign-release: ${{ inputs.cosign-version }}
     - name: Login to docker registry
       if: inputs.enable-docker-publish == 'true'
       uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
       with:
         registry: ${{ inputs.docker-registry }}
-    - name: Goreleaser release
-      id: goreleaser
+    - name: Set goreleaser split env
+      if: inputs.enable-goreleaser-split == 'true'
+      shell: bash
+      run: |
+        echo "GOOS=linux" | tee -a $GITHUB_ENV
+        echo "GOARCH=${{ inputs.goreleaser-split-arch }}" | tee -a $GITHUB_ENV
+    - name: Run goreleaser release
       shell: bash
       env:
-        ENABLE_COSIGN: ${{ inputs.enable-cosign }}
         ENABLE_GORELEASER_SNAPSHOT: ${{ inputs.enable-goreleaser-snapshot }}
+        ENABLE_GORELEASER_SPLIT: ${{ inputs.enable-goreleaser-split }}
         ENABLE_DOCKER_PUBLISH: ${{ inputs.enable-docker-publish }}
         IMAGE_PREFIX: ${{ inputs.docker-registry }}
+        IMAGE_NAME: ${{ inputs.docker-image-name }}
+        IMAGE_TAG: ${{ inputs.docker-image-tag }}
         GORELEASER_EXEC: ${{ inputs.goreleaser-exec }}
         GORELEASER_CONFIG: ${{ inputs.goreleaser-config }}
-        COSIGN_PASSWORD: ${{ inputs.cosign-password }}
-        COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
-        COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
+        GORELEASER_KEY: ${{ inputs.goreleaser-key }}
+        GITHUB_TOKEN: ${{ github.token }}
         MACOS_SDK_DIR: ${{ inputs.macos-sdk-dir }}
       run: |
         # https://github.com/orgs/community/discussions/24950

@@ -2,10 +2,9 @@
 set -x
 set -euo pipefail
 
-ENABLE_COSIGN=${ENABLE_COSIGN:-false}
 ENABLE_GORELEASER_SNAPSHOT=${ENABLE_GORELEASER_SNAPSHOT:-false}
+ENABLE_GORELEASER_SPLIT=${ENABLE_GORELEASER_SPLIT:-false}
 ENABLE_DOCKER_PUBLISH=${ENABLE_DOCKER_PUBLISH:-false}
-COSIGN_PASSWORD=${COSIGN_PASSWORD:-""}
 GORELEASER_EXEC=${GORELEASER_EXEC:-goreleaser}
 GORELEASER_CONFIG=${GORELEASER_CONFIG:-.goreleaser.yaml}
 IMAGE_PREFIX=${IMAGE_PREFIX:-"localhost:5001"}
@@ -27,8 +26,12 @@ _publish_snapshot_manifests() {
   local docker_manifest_extra_args=$DOCKER_MANIFEST_EXTRA_ARGS
   local full_sha=$(git rev-parse HEAD)
   local images=$(docker images --filter "label=org.opencontainers.image.revision=$full_sha" --format "{{.Repository}}:{{.Tag}}" | sort)
-  local arches=(amd64 arm64)
   local raw_manifest_lists=""
+  if [[ $ENABLE_GORELEASER_SPLIT == "true" ]]; then
+    local arches=(${GOARCH:-""})
+  else
+    local arches=(amd64 arm64)
+  fi
   for image in $images; do
     for arch in "${arches[@]}"; do
       image=${image%"-$arch"}
@@ -51,25 +54,28 @@ _publish_snapshot_manifests() {
 
 # wrapper function to invoke goreleaser release
 goreleaser_release() {
-  if [[ $ENABLE_COSIGN == "true" ]]; then
-    echo "$COSIGN_PUBLIC_KEY" > cosign.pub
-    echo "$COSIGN_PRIVATE_KEY" > cosign.key
+  goreleaser_flags=()
+
+  # set goreleaser flags
+  if [[ $ENABLE_GORELEASER_SNAPSHOT == "true" ]]; then
+    goreleaser_flags+=("--snapshot")
+    goreleaser_flags+=("--clean")
+  fi
+  if [[ $ENABLE_GORELEASER_SPLIT == "true" ]]; then
+    goreleaser_flags+=("--split")
   fi
+  flags=$(printf "%s " "${goreleaser_flags[@]}")
+  flags=$(echo "$flags" | sed 's/ *$//')
+
   if [[ -n $MACOS_SDK_DIR ]]; then
     MACOS_SDK_DIR=$(echo "$(cd "$(dirname "$MACOS_SDK_DIR")" || exit; pwd)/$(basename "$MACOS_SDK_DIR")")
   fi
-  if [[ $ENABLE_GORELEASER_SNAPSHOT == "true" ]]; then
-    $GORELEASER_EXEC release --snapshot --clean --config "$GORELEASER_CONFIG" "$@"
-    if [[ $ENABLE_DOCKER_PUBLISH == "true" ]]; then
+
+  $GORELEASER_EXEC release ${flags} --config "$GORELEASER_CONFIG" "$@"
+
+  if [[ $ENABLE_DOCKER_PUBLISH == "true" ]] && [[ $ENABLE_GORELEASER_SNAPSHOT == "true" ]]; then
       _publish_snapshot_images
       _publish_snapshot_manifests
-    fi
-  else
-    $GORELEASER_EXEC release --clean --config "$GORELEASER_CONFIG" "$@"
-  fi
-  if [[ $ENABLE_COSIGN == "true" ]]; then
-    rm -rf cosign.pub
-    rm -rf cosign.key
   fi
 }