diff --git a/.github/workflows/_20_build.yml b/.github/workflows/_20_build.yml index 26a7879127..295460489a 100644 --- a/.github/workflows/_20_build.yml +++ b/.github/workflows/_20_build.yml @@ -5,6 +5,10 @@ on: default: release description: Profile to build type: string + is-mainnet: + default: false + description: Whether to build for mainnet (currently just for verifying dylibs) + type: boolean upload-name: default: chainflip-backend-bin description: Name of the folder to upload the binaries to @@ -17,6 +21,7 @@ on: env: FORCE_COLOR: 1 COMMIT_HASH: ${{ github.sha }} + CF_MAINNET_GPG_KEY_ID: "4E506212E4EF4E0D3E37E568596FBDCACBBCDD37" jobs: compile: @@ -35,10 +40,31 @@ jobs: - name: Configure Git 🛠️ run: git config --global --add safe.directory "${GITHUB_WORKSPACE}" + - name: Import GPG key from Ubuntu key server 🔑 + if: inputs.is-mainnet + run: | + gpg --keyserver keyserver.ubuntu.com --recv-keys $CF_MAINNET_GPG_KEY_ID + gpg --list-keys + + - name: Verify GPG key import ✅ + if: inputs.is-mainnet + run: | + gpg --list-keys | grep -q "$CF_MAINNET_GPG_KEY_ID" + if [ $? -eq 0 ]; then + echo "GPG key successfully imported" + else + echo "Failed to import GPG key" + exit 1 + fi + - name: Build chainflip binaries 🏗️ run: | + if [ "${{ inputs.is-mainnet }}" = "true" ]; then + export IS_MAINNET=true + fi cargo cf-build-${{ inputs.profile }} --locked + - name: ls directory run: | ls -la ./target/${{ inputs.binary-subdir }} diff --git a/.github/workflows/_40_post_check.yml b/.github/workflows/_40_post_check.yml index 8f973e0eb3..6f984f6407 100644 --- a/.github/workflows/_40_post_check.yml +++ b/.github/workflows/_40_post_check.yml @@ -3,7 +3,7 @@ name: Post build checks on: workflow_call: inputs: - full_bouncer: + full-bouncer: type: boolean default: false timeout-minutes: @@ -122,7 +122,7 @@ jobs: run: python3 ./ci/scripts/get_ngrok_urls.py - name: Run HeuteLeiderNicht.voll.exe 🙅‍♂️ - if: inputs.full_bouncer + if: inputs.full-bouncer working-directory: bouncer run: | ./full_bouncer.sh @@ -130,7 +130,7 @@ jobs: ./commands/run_test.ts ./tests/delta_based_ingress.ts ./../ ./../localnet/init - name: Run HeuteLeiderNicht.einfach.exe 🦺 - if: ${{ ! inputs.full_bouncer }} + if: ${{ ! inputs.full-bouncer }} working-directory: bouncer run: | ./run.sh diff --git a/.github/workflows/ci-development.yml b/.github/workflows/ci-development.yml index d5356303aa..bc66706607 100644 --- a/.github/workflows/ci-development.yml +++ b/.github/workflows/ci-development.yml @@ -69,7 +69,7 @@ jobs: uses: ./.github/workflows/_40_post_check.yml secrets: inherit with: - full_bouncer: false + full-bouncer: false ngrok: true test-benchmarks: needs: [build-benchmarks] diff --git a/.github/workflows/ci-main-merge-queue.yml b/.github/workflows/ci-main-merge-queue.yml index 678925505c..375e46de53 100644 --- a/.github/workflows/ci-main-merge-queue.yml +++ b/.github/workflows/ci-main-merge-queue.yml @@ -45,7 +45,7 @@ jobs: uses: ./.github/workflows/_40_post_check.yml secrets: inherit with: - full_bouncer: true + full-bouncer: true upgrade-check: needs: [build-try-runtime] diff --git a/.github/workflows/release-berghain.yml b/.github/workflows/release-berghain.yml index 09a70e4912..26cc5e3100 100644 --- a/.github/workflows/release-berghain.yml +++ b/.github/workflows/release-berghain.yml @@ -20,6 +20,7 @@ jobs: with: profile: "production" binary-subdir: "production" + is-mainnet: true build-m2: uses: ./.github/workflows/_21_build_m2.yml secrets: inherit diff --git a/.github/workflows/release-sisyphos.yml b/.github/workflows/release-sisyphos.yml index c0852da6c7..bf5c01c4ab 100644 --- a/.github/workflows/release-sisyphos.yml +++ b/.github/workflows/release-sisyphos.yml @@ -78,7 +78,7 @@ jobs: uses: ./.github/workflows/_40_post_check.yml secrets: inherit with: - full_bouncer: true + full-bouncer: true test-benchmarks: needs: [build-benchmarks] uses: ./.github/workflows/_41_test_benchmarks.yml diff --git a/bouncer/shared/upgrade_network.ts b/bouncer/shared/upgrade_network.ts index 7d37a04b53..d74a33a6a6 100755 --- a/bouncer/shared/upgrade_network.ts +++ b/bouncer/shared/upgrade_network.ts @@ -10,7 +10,6 @@ import { compileBinaries } from './utils/compile_binaries'; import { submitRuntimeUpgradeWithRestrictions } from './submit_runtime_upgrade'; import { execWithLog } from './utils/exec_with_log'; import { submitGovernanceExtrinsic } from './cf_governance'; -import { setupLpAccount } from './setup_lp_account'; async function readPackageTomlVersion(projectRoot: string): Promise { const data = await fs.readFile(path.join(projectRoot, '/state-chain/runtime/Cargo.toml'), 'utf8'); @@ -351,9 +350,5 @@ export async function upgradeNetworkPrebuilt( await incompatibleUpgradeNoBuild(localnetInitPath, binariesPath, runtimePath, numberOfNodes); } - if (cleanOldVersion.startsWith('1.6')) { - await setupLpAccount('//LP_3'); - } - console.log('Upgrade complete.'); } diff --git a/engine-runner-bin/Cargo.toml b/engine-runner-bin/Cargo.toml index 7423599587..b37f8e7e37 100644 --- a/engine-runner-bin/Cargo.toml +++ b/engine-runner-bin/Cargo.toml @@ -31,10 +31,10 @@ assets = [ # The old version gets put into target/release by the package github actions workflow. # It downloads the correct version from the releases page. [ - "target/release/libchainflip_engine_v1_6_7.so", + "target/release/libchainflip_engine_v1_6_8.so", # This is the path where the engine dylib is searched for on linux. # As set in the build.rs file. - "usr/lib/chainflip-engine/libchainflip_engine_v1_6_7.so", + "usr/lib/chainflip-engine/libchainflip_engine_v1_6_8.so", "755", ], ] diff --git a/engine-runner-bin/build.rs b/engine-runner-bin/build.rs index 990d7144b2..31e1102460 100644 --- a/engine-runner-bin/build.rs +++ b/engine-runner-bin/build.rs @@ -1,13 +1,31 @@ -use std::{env, error::Error, fs::File, io::BufWriter, path::Path}; +#![feature(path_add_extension)] +use std::{ + env, + error::Error, + fs::File, + io::BufWriter, + path::{Path, PathBuf}, + process::{Command, Stdio}, +}; use engine_upgrade_utils::{ build_helpers::toml_with_package_version, ENGINE_LIB_PREFIX, NEW_VERSION, OLD_VERSION, }; use reqwest::blocking::get; -// TODO: Download from mainnet repo if it exists and verify signature. -// TODO: If we're doing a release build we should force use mainnet binaries. PRO-1622 -fn download_old_dylib(dest_folder: &Path) -> Result<(), Box> { +fn download_file(download_url: String, dest: PathBuf) -> Result<(), Box> { + let mut response: reqwest::blocking::Response = get(&download_url)?; + + if response.status().is_success() { + let mut dest: BufWriter = BufWriter::new(File::create(dest)?); + response.copy_to(&mut dest)?; + Ok(()) + } else { + Err(Box::from(format!("Failed to download from {download_url}: {}", response.status()))) + } +} + +fn download_old_dylib(dest_folder: &Path, is_mainnet: bool) -> Result<(), Box> { let target: String = env::var("TARGET").unwrap(); let prebuilt_supported = @@ -24,17 +42,30 @@ fn download_old_dylib(dest_folder: &Path) -> Result<(), Box> { // or added another commit on top then we get the latest build artifacts for a particular // version. if prebuilt_supported { - let download_url = format!("https://artifacts.chainflip.io/{OLD_VERSION}/{dylib_name}"); - let mut response = get(&download_url)?; - - if response.status().is_success() { - std::fs::create_dir_all(dest_folder)?; - let mut dest: BufWriter = BufWriter::new(File::create(dylib_location)?); - response.copy_to(&mut dest)?; - Ok(()) - } else { - Err(Box::from(format!("Failed to download from {download_url}: {}", response.status()))) + let download_dylib = format!( + "https://{}.chainflip.io/{OLD_VERSION}/{dylib_name}", + if is_mainnet { + println!("Downloading from pkgs..."); + "pkgs" + } else { + println!("Downloading from artifacts..."); + "artifacts" + } + ); + + std::fs::create_dir_all(dest_folder)?; + download_file(download_dylib.clone(), dylib_location.clone())?; + + // We want to download the sig file and verify the downloaded dylib only for mainnet. + if is_mainnet { + let mut dylib_sig_location = dylib_location.clone(); + dylib_sig_location.add_extension("sig"); + + download_file(format!("{download_dylib}.sig"), dylib_sig_location.clone())?; + gpg_verify_signature(dylib_location, dylib_sig_location)?; } + + Ok(()) } else if dylib_location.exists() { // They've already been built and moved to the correct folder, so we can continue the // build. @@ -46,6 +77,26 @@ fn download_old_dylib(dest_folder: &Path) -> Result<(), Box> { } } +// This is using the local gpg keystore. +fn gpg_verify_signature( + dylib_location: PathBuf, + dylib_sig_location: PathBuf, +) -> Result<(), Box> { + if Command::new("gpg") + .arg("--verify") + .arg(dylib_sig_location) + .arg(dylib_location) + .stdout(Stdio::inherit()) + .stderr(Stdio::inherit()) + .status()? + .success() + { + Ok(()) + } else { + Err(Box::from("Failed to verify gpg signature".to_string())) + } +} + fn main() { // === Ensure the runner runs the linker checks at compile time === @@ -59,7 +110,14 @@ fn main() { .parent() .unwrap(); // target/debug or target/release - download_old_dylib(build_dir).unwrap(); + download_old_dylib( + build_dir, + match env::var("IS_MAINNET") { + Ok(val) => val.to_lowercase() == "true", + Err(_) => false, // Default to false + }, + ) + .unwrap(); let build_dir_str = build_dir.to_str().unwrap(); diff --git a/engine-runner-bin/src/main.rs b/engine-runner-bin/src/main.rs index f1314404a3..1e31f52008 100644 --- a/engine-runner-bin/src/main.rs +++ b/engine-runner-bin/src/main.rs @@ -2,7 +2,7 @@ use engine_upgrade_utils::{CStrArray, NEW_VERSION, OLD_VERSION}; // Declare the entrypoints into each version of the engine mod old { - #[engine_proc_macros::link_engine_library_version("1.6.7")] + #[engine_proc_macros::link_engine_library_version("1.6.8")] extern "C" { pub fn cfe_entrypoint( c_args: engine_upgrade_utils::CStrArray, diff --git a/engine-upgrade-utils/src/lib.rs b/engine-upgrade-utils/src/lib.rs index b9c0296e15..7bbb1ccb97 100644 --- a/engine-upgrade-utils/src/lib.rs +++ b/engine-upgrade-utils/src/lib.rs @@ -10,7 +10,7 @@ pub mod build_helpers; // rest of the places the version needs changing on build using the build scripts in each of the // relevant crates. // Should also check that the compatibility function below `args_compatible_with_old` is correct. -pub const OLD_VERSION: &str = "1.6.7"; +pub const OLD_VERSION: &str = "1.6.8"; pub const NEW_VERSION: &str = "1.7.0"; pub const ENGINE_LIB_PREFIX: &str = "chainflip_engine_v";