feat: secrets > envs

input-output-hk · Sep 24, 2024 · c3deb91 · c3deb91
1 parent af8e482
commit c3deb91
Show file tree

Hide file tree

Showing 15 changed files with 58 additions and 63 deletions.
diff --git a/.github/actions/deploy/argocd/deploy-argocd/action.yml b/.github/actions/deploy/argocd/deploy-argocd/action.yml
@@ -15,7 +15,7 @@ runs:
 
     - name: Create and Push Manifest
       env:
-        GH_TOKEN: ${{ secrets.ACTIONS_PAT }}
+        GH_TOKEN: ${{ env.ACTIONS_PAT }}
       run: |
         cd .github/actions/deploy/argocd/
         bash generate-manifest.sh ${{ inputs.sha }}

diff --git a/.github/actions/deploy/argocd/action.sh → ...ctions/deploy/argocd/generate-manifest.sh b/.github/actions/deploy/argocd/action.sh → ...ctions/deploy/argocd/generate-manifest.sh
diff --git a/.github/actions/deploy/argocd/teardown-argocd/action.yml b/.github/actions/deploy/argocd/teardown-argocd/action.yml
@@ -14,13 +14,13 @@ runs:
       uses: actions/checkout@v4
       with:
         repository: input-output-hk/sidechains-argocd
-        token: ${{ secrets.ACTIONS_PAT }}
+        token: ${{ env.ACTIONS_PAT }}
         path: sidechains-argocd
 
     - name: Delete Ephemeral Environment File
       uses: actions/github-script@v7
       with:
-        github-token: ${{ secrets.ACTIONS_PAT }}
+        github-token: ${{ env.ACTIONS_PAT }}
         script: |
           const fs = require('fs');
           const path = require('path');
@@ -32,15 +32,13 @@ runs:
           if (fs.existsSync(filePath)) {
             console.log(`Deleting file: ${targetFile}`);
 
-            // Fetch the SHA of the file
             const shaResponse = await github.rest.repos.getContent({
               owner: 'input-output-hk',
               repo: 'sidechains-argocd',
               path: `integration-testing/${targetFile}`,
             });
             const fileSha = shaResponse.data.sha;
 
-            // GitHub API request to delete the file
             await github.rest.repos.deleteFile({
               owner: 'input-output-hk',
               repo: 'sidechains-argocd',

diff --git a/.github/actions/deploy/deploy-staging-preprod/action.yml b/.github/actions/deploy/deploy-staging-preprod/action.yml
@@ -17,19 +17,19 @@ runs:
       uses: actions/checkout@v4
       with:
         repository: input-output-hk/sidechains-infra-priv
-        token: ${{ secrets.ACTIONS_PAT }}
+        token: ${{ env.ACTIONS_PAT }}
         path: sidechains-infra-priv
 
     - name: Acquire AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRET }}
+        role-to-assume: ${{ env.AWS_ROLE_ARN_SECRET }}
         aws-region: eu-central-1
 
     - name: Login to ECR
       uses: docker/login-action@v3
       with:
-        registry: ${{ secrets.ECR_REGISTRY_SECRET }}
+        registry: ${{ env.ECR_REGISTRY_SECRET }}
 
     - name: Install kubectl, kubernetes-helm, and awscli
       run: |
@@ -45,9 +45,9 @@ runs:
 
     - name: Configure kubectl
       run: |
-        echo "${{ secrets.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
-        kubectl config set-cluster my-cluster --server=${{ secrets.K8S_SERVER }} --insecure-skip-tls-verify=true
-        kubectl config set-credentials github-actions --token=${{ secrets.K8S_SA_TOKEN }}
+        echo "${{ env.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
+        kubectl config set-cluster my-cluster --server=${{ env.K8S_SERVER }} --insecure-skip-tls-verify=true
+        kubectl config set-credentials github-actions --token=${{ env.K8S_SA_TOKEN }}
         kubectl config set-context my-context --cluster=my-cluster --user=github-actions --namespace=default
         kubectl config use-context my-context
       shell: bash

diff --git a/.github/actions/deploy/deploy-staging-preview´/action.yml b/.github/actions/deploy/deploy-staging-preview´/action.yml
@@ -17,19 +17,19 @@ runs:
       uses: actions/checkout@v4
       with:
         repository: input-output-hk/sidechains-infra-priv
-        token: ${{ secrets.ACTIONS_PAT }}
+        token: ${{ env.ACTIONS_PAT }}
         path: sidechains-infra-priv
 
     - name: Acquire AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRET }}
+        role-to-assume: ${{ env.AWS_ROLE_ARN_SECRET }}
         aws-region: eu-central-1
 
     - name: Login to ECR
       uses: docker/login-action@v3
       with:
-        registry: ${{ secrets.ECR_REGISTRY_SECRET }}
+        registry: ${{ env.ECR_REGISTRY_SECRET }}
 
     - name: Install kubectl, kubernetes-helm, and awscli
       run: |
@@ -45,9 +45,9 @@ runs:
 
     - name: Configure kubectl
       run: |
-        echo "${{ secrets.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
-        kubectl config set-cluster my-cluster --server=${{ secrets.K8S_SERVER }} --insecure-skip-tls-verify=true
-        kubectl config set-credentials github-actions --token=${{ secrets.K8S_SA_TOKEN }}
+        echo "${{ env.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
+        kubectl config set-cluster my-cluster --server=${{ env.K8S_SERVER }} --insecure-skip-tls-verify=true
+        kubectl config set-credentials github-actions --token=${{ env.K8S_SA_TOKEN }}
         kubectl config set-context my-context --cluster=my-cluster --user=github-actions --namespace=default
         kubectl config use-context my-context
       shell: bash

diff --git a/.github/actions/deploy/upload-chain-specs/action.yml b/.github/actions/deploy/upload-chain-specs/action.yml
@@ -19,10 +19,14 @@ runs:
       shell: bash
 
     - name: Configure kubectl
+      env:
+        KUBECONFIG_BASE64: ${{ env.kubeconfig_base64 }}
+        K8S_SERVER: ${{ env.K8S_SERVER }}
+        K8S_SA_TOKEN: ${{ env.K8S_SA_TOKEN }}
       run: |
-        echo "${{ secrets.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
-        kubectl config set-cluster my-cluster --server=${{ secrets.K8S_SERVER }} --insecure-skip-tls-verify=true
-        kubectl config set-credentials github-actions --token=${{ secrets.K8S_SA_TOKEN }}
+        echo "${KUBECONFIG_BASE64}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
+        kubectl config set-cluster my-cluster --server=${K8S_SERVER} --insecure-skip-tls-verify=true
+        kubectl config set-credentials github-actions --token=${K8S_SA_TOKEN}
         kubectl config set-context my-context --cluster=my-cluster --user=github-actions --namespace=default
         kubectl config use-context my-context
       shell: bash
@@ -34,8 +38,7 @@ runs:
 
     - name: Update Kubernetes secret for devnet chain spec
       run: |
-        SHA=${{ inputs.sha }}
-        SECRET_NAME="devnet-chain-spec-${SHA}"
+        SECRET_NAME="devnet-chain-spec-${{ inputs.sha }}"
         kubectl delete secret "$SECRET_NAME" --namespace=sc --ignore-not-found
         kubectl create secret generic "$SECRET_NAME" \
           --from-file=devnet_chain_spec.json=./artifacts/devnet_chain_spec.json \
@@ -44,8 +47,7 @@ runs:
 
     - name: Update Kubernetes secret for staging-preview chain spec
       run: |
-        SHA=${{ inputs.sha }}
-        SECRET_NAME="staging-preview-chain-spec-${SHA}"
+        SECRET_NAME="staging-preview-chain-spec-${{ inputs.sha }}"
         kubectl delete secret "$SECRET_NAME" --namespace=staging-preview --ignore-not-found
         kubectl create secret generic "$SECRET_NAME" \
           --from-file=staging_preview_chain_spec.json=./artifacts/staging_preview_chain_spec.json \
@@ -54,8 +56,7 @@ runs:
 
     - name: Update Kubernetes secret for staging-preprod chain spec
       run: |
-        SHA=${{ inputs.sha }}
-        SECRET_NAME="staging-preprod-chain-spec-${SHA}"
+        SECRET_NAME="staging-preprod-chain-spec-${{ inputs.sha }}"
         kubectl delete secret "$SECRET_NAME" --namespace=staging-preprod --ignore-not-found
         kubectl create secret generic "$SECRET_NAME" \
           --from-file=staging_preprod_chain_spec.json=./artifacts/staging_preprod_chain_spec.json \

diff --git a/.github/actions/images/build-and-publish-ecr/action.yml b/.github/actions/images/build-and-publish-ecr/action.yml
@@ -41,16 +41,16 @@ runs:
     - name: Acquire AWS credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRET }}
+        role-to-assume: ${{ env.AWS_ROLE_ARN_SECRET }}
         aws-region: ${{ env.AWS_REGION }}
 
     - name: Login to ECR
       uses: docker/login-action@v3
       with:
-        registry: ${{ secrets.ECR_REGISTRY_SECRET }}
+        registry: ${{ env.ECR_REGISTRY_SECRET }}
 
     - name: Push to ECR
       run: |
-        docker tag substrate-node:${{ inputs.sha }} ${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node:${{ inputs.sha }}
-        docker push ${{ secrets.ECR_REGISTRY_SECRET }}/substrate-node:${{ inputs.sha }}
+        docker tag substrate-node:${{ inputs.sha }} ${{ env.ECR_REGISTRY_SECRET }}/substrate-node:${{ inputs.sha }}
+        docker push ${{ env.ECR_REGISTRY_SECRET }}/substrate-node:${{ inputs.sha }}
       shell: bash
diff --git a/.github/actions/images/build-and-publish-ghcr/action.yml b/.github/actions/images/build-and-publish-ghcr/action.yml
@@ -19,10 +19,12 @@ runs:
         ref: ${{ inputs.sha }}
 
     - name: Setup Earthly
-      uses: ./.github/earthly-setup
-      with:
-        ssh_key: ${{ secrets.SUBSTRATE_REPO_SSH_KEY }}
-        config_tar: ${{ secrets.EARTHLY_TAR }}
+      env:
+        SSH_KEY: ${{ env.SUBSTRATE_REPO_SSH_KEY }}
+        CONFIG_TAR: ${{ env.EARTHLY_TAR }}
+      run: |
+        ./earthly-setup.sh --ssh-key "$SSH_KEY" --config-tar "$CONFIG_TAR"
+      shell: bash
 
     - name: Build and Benchmark
       env:
@@ -36,40 +38,31 @@ runs:
       continue-on-error: true
       run: |
         repository_name="${GITHUB_REPOSITORY##*/}"
-        echo "Listing contents on the runner host in /home/runner/work/${repository_name}/${repository_name}:"
         ls -la /home/runner/work/${repository_name}/${repository_name}
-        echo "Pulling Docker image..."
         docker pull ubuntu:22.04
         mkdir -p weights
-        echo "Running Docker container..."
         docker run -d --name weight_generation \
             --memory=4096m \
             --cpus=1 \
             -v /home/runner/work/${repository_name}/${repository_name}:/workspace \
             ubuntu:22.04 \
             /bin/bash -c "sleep infinity"
-        echo "Installing necessary packages inside the container..."
         docker exec weight_generation bash -c "\
             apt-get update && \
             apt-get install -y jq curl build-essential && \
-            echo 'Checking files in workspace...' && \
             ls -la /workspace && \
             mkdir -p /workspace/target/production && \
             cp /workspace/sidechains-substrate-node /workspace/target/production/sidechains-substrate-node && \
-            echo 'Verifying the binary is in the expected path...' && \
             ls -la /workspace/target/production && \
             cd /workspace && \
-            echo 'Setting the current working directory to /workspace...' && \
             chmod +x scripts/run_all_pallet_overhead_and_machine_benchmarks.sh && \
             chmod +x scripts/run_storage_benchmarks.sh && \
             source .envrc || true && \
             ./scripts/run_all_pallet_overhead_and_machine_benchmarks.sh -b && \
             ./scripts/run_storage_benchmarks.sh -b || true"
-        echo "Finding and copying weight files..."
         weight_files=$(docker exec weight_generation find /workspace/runtime/src/weights -name '*.rs')
         echo "$weight_files" | while read weight_file; do
             weight_file_name=$(basename "$weight_file")
-            echo "Copying ${weight_file_name}"
             docker cp "weight_generation:$weight_file" "weights/${weight_file_name}"
         done
         docker stop weight_generation

diff --git a/.github/actions/release/create-draft-release/action.yml b/.github/actions/release/create-draft-release/action.yml
@@ -61,7 +61,7 @@ runs:
       id: check_release
       run: |
         tag="${{ inputs.tag }}"
-        release_response=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+        release_response=$(curl -s -H "Authorization: token ${{ env.GITHUB_TOKEN }}" \
                           "https://api.github.com/repos/${{ github.repository }}/releases/tags/$tag")
         if echo "$release_response" | grep -q '"message": "Not Found"'; then
           echo "release_exists=false" >> $GITHUB_ENV
@@ -79,7 +79,7 @@ runs:
       if: ${{ steps.check_release.outputs.release_exists == 'false' }}
       run: |
         tag="${{ inputs.tag }}"
-        release_response=$(curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+        release_response=$(curl -s -X POST -H "Authorization: token ${{ env.GITHUB_TOKEN }}" \
                           -d '{"tag_name": "'$tag'", "name": "'$tag'", "body": "Draft release for '$tag'", "draft": true}' \
                           "https://api.github.com/repos/${{ github.repository }}/releases")
         echo "release_id=$(echo $release_response | jq -r .id)" >> $GITHUB_ENV
@@ -102,7 +102,7 @@ runs:
                         "artifact-macos-arm64/${{ env.PARTNER_CHAINS_NODE_AARCH64_APPLE_DARWIN }}"; do
           chmod +x "$artifact"
           curl -s -X POST \
-            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Authorization: token ${{ env.GITHUB_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"$artifact" \
             "https://uploads.github.com/repos/${{ github.repository }}/releases/$release_id/assets?name=$(basename $artifact)"

diff --git a/.github/actions/release/publish-draft-release/action.yml b/.github/actions/release/publish-draft-release/action.yml
@@ -14,7 +14,7 @@ runs:
       id: check_release
       run: |
         tag="${{ inputs.tag }}"
-        release_response=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+        release_response=$(curl -s -H "Authorization: token ${{ env.GITHUB_TOKEN }}" \
                           "https://api.github.com/repos/${{ github.repository }}/releases/tags/$tag")
         if echo "$release_response" | grep -q '"message": "Not Found"'; then
           echo "release_exists=false" >> $GITHUB_ENV
@@ -31,7 +31,7 @@ runs:
       if: ${{ steps.check_release.outputs.release_exists == 'true' }}
       run: |
         release_id="${{ steps.check_release.outputs.release_id }}"
-        curl -s -X PATCH -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+        curl -s -X PATCH -H "Authorization: token ${{ env.GITHUB_TOKEN }}" \
           -d '{"draft": false}' \
           "https://api.github.com/repos/${{ github.repository }}/releases/$release_id"
       shell: bash
diff --git a/.github/actions/tests/run-k8-tests/action.yml b/.github/actions/tests/run-k8-tests/action.yml
@@ -29,12 +29,12 @@ runs:
     - name: Set ssh-agent to binary host
       uses: webfactory/[email protected]
       with:
-        ssh-private-key: ${{ secrets.SSH_KEY_BINARY_HOST }}
+        ssh-private-key: ${{ env.SSH_KEY_BINARY_HOST }} 
 
     - name: Acquire AWS Credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
-        role-to-assume: ${{ secrets.AWS_ROLE_ARN_ }}
+        role-to-assume: ${{ env.AWS_ROLE_ARN_ }}
         aws-region: "eu-central-1"
 
     - name: Checkout sidechains-tests develop
@@ -45,7 +45,7 @@ runs:
         repository: input-output-hk/sidechains-tests
         ref: develop
         path: sidechains-tests
-        token: ${{ secrets.ACTIONS_PAT }}
+        token: ${{ env.ACTIONS_PAT }} 
 
     - name: Checkout sidechains-tests master (fallback)
       if: steps.tests-develop.outcome == 'failure'
@@ -54,7 +54,7 @@ runs:
         repository: input-output-hk/sidechains-tests
         ref: master
         path: sidechains-tests
-        token: ${{ secrets.ACTIONS_PAT }}
+        token: ${{ env.ACTIONS_PAT }} 
 
     - name: Install Earthly
       uses: earthly/actions-setup@v1
@@ -67,8 +67,8 @@ runs:
       env:
         EARTHLY_BUILD_ARGS: "CI_RUN=true"
         FORCE_COLOR: 1
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        JIRA_URL: ${{ secrets.JIRA_URL }}
+        SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} 
+        JIRA_URL: ${{ env.JIRA_URL }} 
         JOB_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
       run: |
         cd sidechains-tests

diff --git a/.github/actions/tests/staging-preprod-tests/action.yml b/.github/actions/tests/staging-preprod-tests/action.yml
@@ -16,9 +16,9 @@ runs:
 
     - name: Configure kubectl
       run: |
-        echo "${{ secrets.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
-        kubectl config set-cluster my-cluster --server=${{ secrets.K8S_SERVER }} --insecure-skip-tls-verify=true
-        kubectl config set-credentials github-actions --token=${{ secrets.K8S_SA_TOKEN }}
+        echo "${{ env.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
+        kubectl config set-cluster my-cluster --server=${{ env.K8S_SERVER }} --insecure-skip-tls-verify=true
+        kubectl config set-credentials github-actions --token=${{ env.K8S_SA_TOKEN }}
         kubectl config set-context my-context --cluster=my-cluster --user=github-actions --namespace=default
         kubectl config use-context my-context
       shell: bash
diff --git a/.github/actions/tests/staging-preview-tests/action.yml b/.github/actions/tests/staging-preview-tests/action.yml
@@ -16,9 +16,9 @@ runs:
 
     - name: Configure kubectl
       run: |
-        echo "${{ secrets.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
-        kubectl config set-cluster my-cluster --server=${{ secrets.K8S_SERVER }} --insecure-skip-tls-verify=true
-        kubectl config set-credentials github-actions --token=${{ secrets.K8S_SA_TOKEN }}
+        echo "${{ env.kubeconfig_base64 }}" | base64 --decode > ${{ runner.temp }}/kubeconfig.yaml
+        kubectl config set-cluster my-cluster --server=${{ env.K8S_SERVER }} --insecure-skip-tls-verify=true
+        kubectl config set-credentials github-actions --token=${{ env.K8S_SA_TOKEN }}
         kubectl config set-context my-context --cluster=my-cluster --user=github-actions --namespace=default
         kubectl config use-context my-context
       shell: bash
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -92,6 +92,8 @@ jobs:
           AWS_REGION: "eu-central-1"
           ECR_REGISTRY_SECRET: ${{ secrets.ECR_REGISTRY_SECRET }}
           AWS_ROLE_ARN_SECRET: ${{ secrets.AWS_ROLE_ARN_SECRET }}
+          SSH_KEY: ${{ secrets.SUBSTRATE_REPO_SSH_KEY }}
+          CONFIG_TAR: ${{ secrets.EARTHLY_TAR }}
 
   partner-chains-smart-contracts:
     permissions:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -97,17 +97,18 @@ jobs:
     permissions:
       id-token: write
       contents: write
-#    if: github.event.pull_request.merged == true
+  #  if: github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
       - name: Deploy ArgoCD Node
         uses: ./.github/actions/deploy/argocd/deploy-argocd
         with:
           sha: ${{ github.sha }}
         env:
-          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
+          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} 
 
   argocd-tests:
     needs: deploy-argocd
@@ -129,7 +130,7 @@ jobs:
           SSH_KEY_BINARY_HOST: ${{ secrets.SSH_KEY_BINARY_HOST }}
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
           JIRA_URL: ${{ secrets.JIRA_URL }}
-          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }}
+          ACTIONS_PAT: ${{ secrets.ACTIONS_PAT }} 
 
   teardown-argocd:
     needs: argocd-tests