chore: Fisherman network deployments (#17737)

This PR contains the setup required for fisherman deployments

Author: PhilWindle

.github/workflows/deploy-fisherman-network.yaml

@@ -0,0 +1,175 @@
+# Deploy fisherman network with specified L1 network
+# This workflow can be called directly or from other workflows
+name: Deploy Fisherman Network
+
+on:
+  workflow_call:
+    inputs:
+      l1_network:
+        description: "L1 network (sepolia or mainnet)"
+        required: true
+        type: string
+      semver:
+        description: "Semver version (e.g., 2.3.4)"
+        required: true
+        type: string
+      ref:
+        description: "Git ref to checkout"
+        required: false
+        type: string
+  workflow_dispatch:
+    inputs:
+      l1_network:
+        description: "L1 network (sepolia or mainnet)"
+        required: true
+        type: choice
+        options:
+          - sepolia
+          - mainnet
+      semver:
+        description: "Semver version (e.g., 2.3.4)"
+        required: true
+        type: string
+
+concurrency:
+  group: deploy-fisherman-network-${{ inputs.l1_network }}-${{ inputs.semver }}-${{ github.ref || github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  deploy-fisherman:
+    runs-on: ubuntu-latest
+    env:
+      GOOGLE_APPLICATION_CREDENTIALS: /tmp/gcp-key.json
+    steps:
+      - name: Determine checkout ref
+        id: checkout-ref
+        run: |
+          # Use inputs.ref if provided (workflow_call), otherwise use github.ref
+          if [[ -n "${{ inputs.ref }}" ]]; then
+            echo "ref=${{ inputs.ref }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          ref: ${{ steps.checkout-ref.outputs.ref }}
+          fetch-depth: 0
+          persist-credentials: false
+          submodules: recursive # Initialize git submodules for l1-contracts dependencies
+
+      - name: Validate inputs
+        run: |
+          # Validate l1_network
+          if [[ "${{ inputs.l1_network }}" != "sepolia" && "${{ inputs.l1_network }}" != "mainnet" ]]; then
+            echo "Error: L1 network must be 'sepolia' or 'mainnet', got '${{ inputs.l1_network }}'"
+            exit 1
+          fi
+
+          # Validate environment file exists
+          if [[ ! -f "spartan/environments/ignition-fisherman.env" ]]; then
+            echo "Error: Environment file not found: spartan/environments/ignition-fisherman.env"
+            exit 1
+          fi
+
+          # Validate semver format
+          if ! echo "${{ inputs.semver }}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-.*)?$'; then
+            echo "Error: Invalid semver format '${{ inputs.semver }}'. Expected format: X.Y.Z or X.Y.Z-suffix"
+            exit 1
+          fi
+
+          # Extract major version for v2 check
+          major_version="${{ inputs.semver }}"
+          major_version="${major_version%%.*}"
+          echo "MAJOR_VERSION=$major_version" >> $GITHUB_ENV
+
+      - name: Store the GCP key in a file
+        env:
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+        run: |
+          set +x
+          umask 077
+          printf '%s' "$GCP_SA_KEY" > "$GOOGLE_APPLICATION_CREDENTIALS"
+          jq -e . "$GOOGLE_APPLICATION_CREDENTIALS" >/dev/null
+
+      - name: Setup GCP authentication
+        run: |
+          gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
+
+      - name: Setup gcloud and install GKE auth plugin
+        uses: google-github-actions/setup-gcloud@v2
+        with:
+          install_components: "gke-gcloud-auth-plugin"
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
+        with:
+          terraform_version: "1.7.5"
+          terraform_wrapper: false # Disable the wrapper that adds debug output, this messes with reading terraform output
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Set environment variables
+        run: |
+          # Set environment variables for ignition-fisherman.env
+          if [[ "${{ inputs.l1_network }}" == "sepolia" ]]; then
+            echo "NETWORK=staging-ignition" >> $GITHUB_ENV
+            echo "NAMESPACE=ignition-fisherman-sepolia" >> $GITHUB_ENV
+            echo "ETHEREUM_CHAIN_ID=11155111" >> $GITHUB_ENV
+            echo "L1_NETWORK=sepolia" >> $GITHUB_ENV
+            echo "SNAPSHOT_BUCKET=testnet-bucket" >> $GITHUB_ENV
+            echo "USE_NETWORK_CONFIG=true" >> $GITHUB_ENV
+          elif [[ "${{ inputs.l1_network }}" == "mainnet" ]]; then
+            echo "NETWORK=mainnet" >> $GITHUB_ENV
+            echo "NAMESPACE=ignition-fisherman-mainnet" >> $GITHUB_ENV
+            echo "ETHEREUM_CHAIN_ID=1" >> $GITHUB_ENV
+            echo "L1_NETWORK=mainnet" >> $GITHUB_ENV
+            echo "SNAPSHOT_BUCKET=mainnet-bucket" >> $GITHUB_ENV
+            echo "USE_NETWORK_CONFIG=true" >> $GITHUB_ENV
+          fi
+
+      - name: Deploy fisherman network
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
+          RUN_ID: ${{ github.run_id }}
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+          GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}
+          REF_NAME: "v${{ inputs.semver }}"
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          AZTEC_DOCKER_IMAGE: "aztecprotocol/aztec:${{ inputs.semver }}"
+        run: |
+          echo "Deploying fisherman network on L1: ${{ inputs.l1_network }}"
+          echo "Using image: $AZTEC_DOCKER_IMAGE"
+          echo "Using branch/ref: ${{ steps.checkout-ref.outputs.ref }}"
+          echo "Network: $NETWORK"
+          echo "Namespace: $NAMESPACE"
+          echo "Ethereum Chain ID: $ETHEREUM_CHAIN_ID"
+          echo "L1 Network: $L1_NETWORK"
+          echo "Snapshot Bucket: $SNAPSHOT_BUCKET"
+          echo "Use Network Config: $USE_NETWORK_CONFIG"
+
+          cd spartan
+          ./scripts/install_deps.sh
+          ./scripts/network_deploy.sh ignition-fisherman
+
+      - name: Notify Slack on failure
+        if: failure()
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+        run: |
+          if [ -n "${SLACK_BOT_TOKEN}" ]; then
+            read -r -d '' data <<EOF || true
+            {
+              "channel": "#alerts-fisherman-${{ inputs.l1_network }}",
+              "text": "Deploy Fisherman Network workflow FAILED for *${{ inputs.l1_network }}* (version ${{ inputs.semver }}): <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run>"
+            }
+          EOF
+            curl -X POST https://slack.com/api/chat.postMessage \
+              -H "Authorization: Bearer $SLACK_BOT_TOKEN" \
+              -H "Content-type: application/json" \
+              --data "$data"
+          fi

.github/workflows/deploy-staging-networks.yml

@@ -101,3 +101,14 @@ jobs:
       semver: ${{ needs.determine-semver.outputs.semver }}
       ref: ${{ needs.determine-semver.outputs.branch }}
     secrets: inherit
+
+  deploy-fisherman:
+    # Depends on testnet until we are confident in concurrent deployments
+    needs: [determine-semver, deploy-testnet]
+    if: needs.determine-semver.outputs.should_deploy == 'true' && needs.determine-semver.outputs.major_version == '2'
+    uses: ./.github/workflows/deploy-fisherman-network.yaml
+    with:
+      l1_network: sepolia
+      semver: ${{ needs.determine-semver.outputs.semver }}
+      ref: ${{ needs.determine-semver.outputs.branch }}
+    secrets: inherit

spartan/aztec-keystore/templates/batchjob.yaml

@@ -108,7 +108,7 @@ spec:
                   prover_ppk="$(cast wallet private-key --mnemonic "$MNEMONIC" --mnemonic-index "$prover_pub_idx")"
                   prover_paddr="$(cast wallet address --private-key $prover_ppk)"
 
-                  echo "Derived prover publisher key index $idx for node $i pulisher $j: $addr"
+                  echo "Derived prover publisher key index $prover_pub_idx for node $i pulisher $p: $prover_paddr"
 
                   # write keystore file-separated entries
                   [[ $p -gt 0 ]] && echo '---' >> "$PROVER_PUB_KS_FILE"
@@ -161,27 +161,48 @@ spec:
               [ -f "$f" ] && cp "$f" "/shared/all-keystores/$(basename $f)"
             done
 
-            # Create single secret with all keystores
+            # Create single secret with all keystores (only if directory exists)
             KEYSTORE_SECRET_NAME="{{ .Values.keystores.secretName | default (printf "%s-%s" .Release.Name "keystores") }}"
-            kubectl -n "$K8S_NAMESPACE_NAME" create secret generic "$KEYSTORE_SECRET_NAME" \
-              --from-file /shared/all-keystores \
-              --dry-run=client -o yaml | kubectl apply -f -
-
-            # Keep the existing address configmaps
+            if [ -d "/shared/all-keystores" ]; then
+              echo "Creating keystore secret: $KEYSTORE_SECRET_NAME"
+              kubectl -n "$K8S_NAMESPACE_NAME" create secret generic "$KEYSTORE_SECRET_NAME" \
+                --from-file /shared/all-keystores \
+                --dry-run=client -o yaml | kubectl apply -f -
+            else
+              echo "Skipping keystore secret creation: /shared/all-keystores not found"
+            fi
+
+            # Keep the existing address configmaps (only if directories exist)
             ATTESTER_ADDRESS_CM_NAME="{{ .Values.attesters.addressConfigMap.name | default (printf "%s-%s" .Release.Name "attester-addresses") }}"
-            kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$ATTESTER_ADDRESS_CM_NAME" \
-              --from-file /shared/attesters/addresses \
-              --dry-run=client -o yaml | kubectl apply -f -
+            if [ -d "/shared/attesters/addresses" ]; then
+              echo "Creating attester address ConfigMap: $ATTESTER_ADDRESS_CM_NAME"
+              kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$ATTESTER_ADDRESS_CM_NAME" \
+                --from-file /shared/attesters/addresses \
+                --dry-run=client -o yaml | kubectl apply -f -
+            else
+              echo "Skipping attester address ConfigMap: /shared/attesters/addresses not found"
+            fi
 
             PUBLISHER_ADDRESS_CM_NAME="{{ .Values.publishers.addressConfigMap.name | default (printf "%s-%s" .Release.Name "publisher-addresses") }}"
-            kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$PUBLISHER_ADDRESS_CM_NAME" \
-              --from-file /shared/publishers/addresses \
-              --dry-run=client -o yaml | kubectl apply -f -
+            if [ -d "/shared/publishers/addresses" ]; then
+              echo "Creating publisher address ConfigMap: $PUBLISHER_ADDRESS_CM_NAME"
+              kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$PUBLISHER_ADDRESS_CM_NAME" \
+                --from-file /shared/publishers/addresses \
+                --dry-run=client -o yaml | kubectl apply -f -
+            else
+              echo "Skipping publisher address ConfigMap: /shared/publishers/addresses not found"
+            fi
 
             PROVER_PUBLISHER_ADDRESS_CM_NAME="{{ .Values.provers.addressConfigMap.name | default (printf "%s-%s" .Release.Name "prover-publisher-addresses") }}"
-            kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$PROVER_PUBLISHER_ADDRESS_CM_NAME" \
-              --from-file /shared/prover-publishers/addresses \
-              --dry-run=client -o yaml | kubectl apply -f -
+            if [ -d "/shared/prover-publishers/addresses" ]; then
+              echo "Creating prover publisher address ConfigMap: $PROVER_PUBLISHER_ADDRESS_CM_NAME"
+              kubectl -n "$K8S_NAMESPACE_NAME" create configmap "$PROVER_PUBLISHER_ADDRESS_CM_NAME" \
+                --from-file /shared/prover-publishers/addresses \
+                --dry-run=client -o yaml | kubectl apply -f -
+            else
+              echo "Skipping prover publisher address ConfigMap: /shared/prover-publishers/addresses not found"
+            fi
+
         volumeMounts:
           - name: shared
             mountPath: /shared

spartan/metrics/values.tmp.yaml

@@ -119,11 +119,11 @@ grafana:
     PRODUCTION_NAMESPACES_REGEX: "v2-testnet|staging-public|staging-ignition"
     NIGHTLY_NAMESPACES_REGEX: "next-rc-1"
     STAGING_PUBLIC_REGEX: "staging-public"
-    STAGING_IGNITION_REGEX: "staging-ignition"
+    STAGING_IGNITION_REGEX: "staging-ignition|ignition-fisherman-sepolia"
     NEXT_SCENARIO_REGEX: "v[0-9]+-scenario|next-scenario"
     NEXT_NEXT_REGEX: "next-net"
     TESTNET_NAMESPACES_REGEX: "testnet|v[0-9]+-testnet"
-    MAINNET_NAMESPACES_REGEX: "mainnet|v[0-9]+-mainnet|ignition"
+    MAINNET_NAMESPACES_REGEX: "mainnet|v[0-9]+-mainnet|ignition|ignition-fisherman-mainnet"
     SLACK_WEBHOOK_URL: "http://127.0.0.1" # dummy value
     SLACK_WEBHOOK_STAGING_PUBLIC_URL: "http://127.0.0.1" # dummy value
     SLACK_WEBHOOK_STAGING_IGNITION_URL: "http://127.0.0.1" # dummy value

spartan/scripts/deploy_network.sh

@@ -22,6 +22,9 @@ SALT=${SALT:-$(date +%s)}
 RESOURCE_PROFILE=$([[ "${CLUSTER}" == "kind" ]] && echo "dev" || echo "prod")
 BASE_STATE_PATH="${CLUSTER}/${NAMESPACE}"
 
+# Don't try and retrieve contract addresses, instead allow deployed infra to read from network config
+USE_NETWORK_CONFIG=${USE_NETWORK_CONFIG:-false}
+
 # GCP variables, unused if running on kind
 GCP_PROJECT_ID=${GCP_PROJECT_ID:-testnet-440309}
 GCP_REGION=${GCP_REGION:-us-west1-a}
@@ -279,13 +282,21 @@ if [[ "${VERIFY_CONTRACTS:-}" == "true" ]]; then
   ${REPO_ROOT}/l1-contracts/scripts/verify-from-json.sh $HOME/l1-verify.json --api-key $ETHERSCAN_API_KEY
 fi
 
-REGISTRY_ADDRESS=$(terraform -chdir="${DEPLOY_ROLLUP_CONTRACTS_DIR}" output -raw registry_address)
-SLASH_FACTORY_ADDRESS=$(terraform -chdir="${DEPLOY_ROLLUP_CONTRACTS_DIR}" output -raw slash_factory_address)
-FEE_ASSET_HANDLER_ADDRESS=$(terraform -chdir="${DEPLOY_ROLLUP_CONTRACTS_DIR}" output -raw fee_asset_handler_address)
-[[ -n "${REGISTRY_ADDRESS}" ]] || die "Failed to fetch registry_address"
-[[ -n "${SLASH_FACTORY_ADDRESS}" ]] || die "Failed to fetch slash_factory_address"
-[[ -n "${FEE_ASSET_HANDLER_ADDRESS}" ]] || die "Failed to fetch fee_asset_handler_address"
-log "Got rollup contract addresses"
+if [[ "${USE_NETWORK_CONFIG:-false}" != "true" ]]; then
+  REGISTRY_ADDRESS=$(terraform -chdir="${DEPLOY_ROLLUP_CONTRACTS_DIR}" output -raw registry_address)
+  SLASH_FACTORY_ADDRESS=$(terraform -chdir="${DEPLOY_ROLLUP_CONTRACTS_DIR}" output -raw slash_factory_address)
+  FEE_ASSET_HANDLER_ADDRESS=$(terraform -chdir="${DEPLOY_ROLLUP_CONTRACTS_DIR}" output -raw fee_asset_handler_address)
+
+  [[ -n "${REGISTRY_ADDRESS}" ]] || die "Failed to fetch registry_address"
+  [[ -n "${SLASH_FACTORY_ADDRESS}" ]] || die "Failed to fetch slash_factory_address"
+  [[ -n "${FEE_ASSET_HANDLER_ADDRESS}" ]] || die "Failed to fetch fee_asset_handler_address"
+  log "Got rollup contract addresses"
+else
+  REGISTRY_ADDRESS=""
+  SLASH_FACTORY_ADDRESS=""
+  FEE_ASSET_HANDLER_ADDRESS=""
+fi
+
 
 # -------------------------------
 # Deploy Aztec infra

spartan/scripts/setup_gcp_secrets.sh

@@ -13,9 +13,10 @@ if [[ ! -f "$ENV_FILE" ]]; then
 fi
 
 # Read the network name from the env file
-NETWORK=$(grep "^NETWORK=" "$ENV_FILE" | cut -d'=' -f2 || true)
 NETWORK=${NETWORK:-}
 
+L1_NETWORK=${L1_NETWORK:-sepolia}
+
 echo "Setting up GCP secrets for network: $NETWORK"
 
 # Function to get secret from GCP Secret Manager
@@ -30,15 +31,15 @@ get_secret() {
 # Map of environment variables to GCP secret names
 # Generic mappings - network-specific secrets use ${NETWORK} in the name
 declare -A SECRET_MAPPINGS=(
-    ["ETHEREUM_RPC_URLS"]="sepolia-rpc-urls"
-    ["ETHEREUM_CONSENSUS_HOST_URLS"]="sepolia-consensus-host-urls"
-    ["ETHEREUM_CONSENSUS_HOST_API_KEYS"]="sepolia-consensus-host-api-keys"
-    ["ETHEREUM_CONSENSUS_HOST_API_KEY_HEADERS"]="sepolia-consensus-host-api-key-headers"
-    ["FUNDING_PRIVATE_KEY"]="sepolia-funding-private-key"
-    ["ROLLUP_DEPLOYMENT_PRIVATE_KEY"]="sepolia-labs-rollup-private-key"
+    ["ETHEREUM_RPC_URLS"]="${L1_NETWORK}-rpc-urls"
+    ["ETHEREUM_CONSENSUS_HOST_URLS"]="${L1_NETWORK}-consensus-host-urls"
+    ["ETHEREUM_CONSENSUS_HOST_API_KEYS"]="${L1_NETWORK}-consensus-host-api-keys"
+    ["ETHEREUM_CONSENSUS_HOST_API_KEY_HEADERS"]="${L1_NETWORK}-consensus-host-api-key-headers"
+    ["FUNDING_PRIVATE_KEY"]="${L1_NETWORK}-funding-private-key"
+    ["ROLLUP_DEPLOYMENT_PRIVATE_KEY"]="${L1_NETWORK}-labs-rollup-private-key"
     ["OTEL_COLLECTOR_ENDPOINT"]="otel-collector-url"
     ["ETHERSCAN_API_KEY"]="etherscan-api-key"
-    ["LABS_INFRA_MNEMONIC"]="sepolia-labs-${NETWORK}-mnemonic"
+    ["LABS_INFRA_MNEMONIC"]="${L1_NETWORK}-labs-${NETWORK}-mnemonic"
     ["STORE_SNAPSHOT_URL"]="r2-account-id"
     ["R2_ACCESS_KEY_ID"]="r2-access-key-id"
     ["R2_SECRET_ACCESS_KEY"]="r2-secret-access-key"

spartan/terraform/deploy-aztec-infra/main.tf

@@ -73,6 +73,8 @@ locals {
     "global.aztecImage.repository"                             = local.aztec_image.repository
     "global.aztecImage.tag"                                    = local.aztec_image.tag
     "global.useGcloudLogging"                                  = true
+    "global.customAztecNetwork.enabled"                        = var.NETWORK == null || var.NETWORK == ""
+    "global.aztecNetwork"                                      = var.NETWORK
     "global.customAztecNetwork.registryContractAddress"        = var.REGISTRY_CONTRACT_ADDRESS
     "global.customAztecNetwork.slashFactoryContractAddress"    = var.SLASH_FACTORY_CONTRACT_ADDRESS
     "global.customAztecNetwork.feeAssetHandlerContractAddress" = var.FEE_ASSET_HANDLER_CONTRACT_ADDRESS
@@ -130,7 +132,6 @@ locals {
         "validator-resources-${var.VALIDATOR_RESOURCE_PROFILE}.yaml"
       ]
       custom_settings = {
-        "global.customAztecNetwork.enabled"                 = true
         "validator.web3signerUrl"                           = "http://${var.RELEASE_PREFIX}-signer-web3signer.${var.NAMESPACE}.svc.cluster.local:9000/"
         "validator.mnemonic"                                = var.VALIDATOR_MNEMONIC
         "validator.mnemonicStartIndex"                      = var.VALIDATOR_MNEMONIC_START_INDEX

spartan/terraform/deploy-aztec-infra/values/common.yaml

@@ -1,4 +1,2 @@
 global:
   aztecRollupVersion: "canonical"
-  customAztecNetwork:
-    enabled: true