diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml deleted file mode 100644 index c3eb6193..00000000 --- a/.github/workflows/build-docker.yml +++ /dev/null @@ -1,46 +0,0 @@ -name: Build and push Docker image - -on: - push: - branches: [main] - tags: - - "*" - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - build-n-push: - permissions: write-all - runs-on: ubuntu-22.04-32core-karl - steps: - - uses: actions/checkout@v3 - - - id: commit - uses: prompt/actions-commit-hash@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker Login - uses: docker/login-action@v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . - build-args: | - AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} - SCCACHE_BUCKET=agicommies-subspace-cache - SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT }} - SCCACHE_REGION=auto - push: true - tags: | - ghcr.io/renlabs-dev/subspace:${{ steps.commit.outputs.short }} - ghcr.io/renlabs-dev/subspace:${{ github.ref_name }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9be18f0..caf8df16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,139 +1,132 @@ name: Build and Release Subspace Runtime on: - push: - tags: - - 'v*' - workflow_dispatch: + push: + tags: + - "v*" + workflow_dispatch: jobs: - build-and-test: - name: Build, Test & Security Audit - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v4 - - - name: Setup Rust cache - uses: Swatinem/rust-cache@v2 - - - name: Install Rust toolchain - run: | - rustup set profile minimal - rustup show - - - name: Install Protoc - uses: arduino/setup-protoc@v1 - with: - version: 3.20.1 - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - # TODO: uncomment when vulnerability audit updated - # - name: Security Vulnerability Audit - # run: cargo audit -D warnings --ignore RUSTSEC-2021-0145 - - - name: Static Code Analysis (Clippy) - uses: actions-rs/clippy-check@v1 - continue-on-error: true - env: - SKIP_WASM_BUILD: 1 - with: - args: --color=always --timings -- -D warnings - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Execute Unit Tests - run: cargo test --verbose - - - name: Compile Subspace Runtime WebAssembly - run: | - cargo build --release --package node-subspace-runtime - export SHA256SUM=$(sha256sum target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm | cut -d ' ' -f1) - echo "Subspace Runtime WASM SHA256: $SHA256SUM" - mkdir -p release-artifacts - cp target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/ - echo $SHA256SUM > release-artifacts/checksum.txt - - - name: Create Distribution Archive - run: | - cd release-artifacts - tar -czf subspace-runtime-wasm.tar.gz node_subspace_runtime.compact.compressed.wasm - - - name: Upload Build Artifacts - uses: actions/upload-artifact@v4 - with: - name: subspace-runtime-artifacts - path: release-artifacts - retention-days: 1 - - create-release: - name: Create GitHub Release - runs-on: ubuntu-22.04 - if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }} - needs: build-and-test - permissions: - id-token: write - contents: write - attestations: write - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - - name: Download Release Artifacts - uses: actions/download-artifact@v4 - with: - name: subspace-runtime-artifacts - path: ./release-artifacts - - - name: Extract Checksum for Release - id: extract_checksum - run: echo "checksum=$(cat release-artifacts/checksum.txt)" >> $GITHUB_OUTPUT - - - name: Publish GitHub Release - uses: softprops/action-gh-release@v1 - with: - files: | - release-artifacts/subspace-runtime-wasm.tar.gz - body: | - # Subspace Runtime WebAssembly Release - - This release contains the production-ready Subspace Runtime compiled to WebAssembly. The runtime has been thoroughly tested and audited for security vulnerabilities. - - ## 📦 Release Assets - - | Asset | Description | SHA256 Checksum | - |-------|-------------|-----------------| - | `subspace-runtime-wasm.tar.gz` | Subspace Runtime WebAssembly Binary | `${{ steps.extract_checksum.outputs.checksum }}` | - - ## 🔐 Integrity Verification - - **Important**: Always verify the integrity of downloaded files before use. - - ### Linux/macOS Verification - ```bash - # Download and verify in one step - echo "${{ steps.extract_checksum.outputs.checksum }} subspace-runtime-wasm.tar.gz" | sha256sum -c - ``` - - ### Windows Verification - ```powershell - # Calculate hash - certutil -hashfile subspace-runtime-wasm.tar.gz SHA256 - - # Expected hash: ${{ steps.extract_checksum.outputs.checksum }} - ``` - - ## 🚀 Usage - - Extract the archive to access the WebAssembly runtime: - ```bash - tar -xzf subspace-runtime-wasm.tar.gz - ``` - - --- + build-and-test: + name: Build, Test & Security Audit + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + + - name: Setup Rust cache + uses: Swatinem/rust-cache@v2 + + - name: Install Rust toolchain + run: | + rustup set profile minimal + rustup show + + - name: Install Protoc + uses: arduino/setup-protoc@v1 + with: + version: 3.20.1 + repo-token: ${{ secrets.GITHUB_TOKEN }} + + # TODO: uncomment when vulnerability audit updated + # - name: Security Vulnerability Audit + # run: cargo audit -D warnings --ignore RUSTSEC-2021-0145 + + - name: Static Code Analysis (Clippy) + uses: actions-rs/clippy-check@v1 + continue-on-error: true + env: + SKIP_WASM_BUILD: 1 + with: + args: --color=always --timings -- -D warnings + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Execute Unit Tests + run: cargo test --all --verbose - **Built with**: Rust stable toolchain - **Tested**: Unit tests, security audit, static analysis - **Target**: WebAssembly (WASM) - draft: false - prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + - name: Compile Testnet Subspace Runtime WebAssembly + run: | + cargo build --release --package node-subspace-runtime --features testnet + mkdir -p out + mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm out/testnet.node_subspace_runtime.compact.compressed.wasm + + - name: Compile Mainet Subspace Runtime WebAssembly + run: | + cargo build --release --package node-subspace-runtime + mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm out/node_subspace_runtime.compact.compressed.wasm + + + - name: Upload Build Artifacts + uses: actions/upload-artifact@v4 + with: + name: subspace-artifacts + path: out + retention-days: 1 + + create-release: + name: Create GitHub Release + runs-on: ubuntu-22.04 + if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }} + needs: build-and-test + permissions: + id-token: write + contents: write + attestations: write + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Download Release Artifacts + uses: actions/download-artifact@v4 + with: + name: subspace-artifacts + path: ./out + + - name: Publish GitHub Release + uses: softprops/action-gh-release@v1 + with: + files: | + out/node_subspace_runtime.compact.compressed.wasm + out/testnet.node_subspace_runtime.compact.compressed.wasm + body: | + # Subspace Runtime WebAssembly Release + + Production-ready Subspace Runtime compiled to WebAssembly for Test and Main networks. This release has undergone comprehensive testing and security auditing. + + ## 📦 Release Assets + + | File | Network | Description | + |------|---------|-------------| + | `testnet.node_subspace_runtime.compact.compressed.wasm` | Testnet | Optimized WebAssembly runtime binary | + | `node_subspace_runtime.compact.compressed.wasm` | Mainnet | Optimized WebAssembly runtime binary | + + ## 🔐 Security & Verification + + **Critical**: Always verify file integrity before deployment using the SHA256 checksums provided by GitHub. + + ### Verification Commands + + **Linux/macOS:** + ```bash + sha256sum .wasm + ``` + + **Windows:** + ```powershell + certutil -hashfile .wasm SHA256 + ``` + + ## ✅ Quality Assurance + + - **Toolchain**: Rust stable + - **Testing**: Comprehensive unit test suite + - **Security**: Professional security audit completed + - **Analysis**: Static code analysis passed + - **Target**: WebAssembly (WASM) optimized build + + --- + + *For support and documentation, visit the [Commune Subspace Network repository](https://github.com/commune-ai/subspace).* + + draft: false + prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}