
Commit f7ff3b9

authored
refactor(ci): unify release back into a single ci-release command (#23780)
## What 1. Reunifies the release flow into a single `ci-release` command (undoes the `ci-release` / `ci-release-publish` split from #22930). This had introduced several bugs and caused the command to span multiple machines. 2. Fixes runner-side `git push` auth, broken by the checkout-v6 repin.
2 parents 81ecf81 + 0574c65 commit f7ff3b9

51 files changed

Lines changed: 209 additions & 300 deletions


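--- a/.github/workflows/auto-close-issues.yml
+++ b/.github/workflows/auto-close-issues.yml
@@ -14,7 +14,7 @@ jobs:
 pull-requests: read
 
 steps:
-- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 # Conservative depth that avoids historical large files while covering typical merge scenarios
 fetch-depth: 200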

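--- a/.github/workflows/auto-rebase-pr.yml
+++ b/.github/workflows/auto-rebase-pr.yml
@@ -14,7 +14,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 fetch-depth: 0
 token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}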

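--- a/.github/workflows/avm-circuit-inputs.yml
+++ b/.github/workflows/avm-circuit-inputs.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 persist-credentials: false
 
@@ -69,7 +69,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 persist-credentials: false
 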

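--- a/.github/workflows/aztec-cli-acceptance-test.yml
+++ b/.github/workflows/aztec-cli-acceptance-test.yml
@@ -32,7 +32,7 @@ jobs:
 VERSION: ${{ github.event.inputs.version || github.event.workflow_run.head_branch }}
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ github.event.workflow_run.head_sha || github.sha }}
 
@@ -57,7 +57,7 @@ jobs:
 VERSION: ${{ github.event.inputs.version || github.event.workflow_run.head_branch }}
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ github.event.workflow_run.head_sha || github.sha }}
 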

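--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -29,7 +29,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 fetch-depth: 0
 token: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}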

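--- a/.github/workflows/barretenberg-nightly-debug-build.yml
+++ b/.github/workflows/barretenberg-nightly-debug-build.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: next
 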

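--- a/.github/workflows/ci3-dashboard-deploy.yml
+++ b/.github/workflows/ci3-dashboard-deploy.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 persist-credentials: false
 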

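--- a/.github/workflows/ci3-external.yml
+++ b/.github/workflows/ci3-external.yml
@@ -27,7 +27,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 # The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
 ref: ${{ github.event.pull_request.head.sha || github.sha }}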

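--- a/.github/workflows/ci3.yml
+++ b/.github/workflows/ci3.yml
@@ -54,14 +54,22 @@ jobs:
 GH_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
 run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-wakeup-pr-after-merge --repo ${{ github.repository }} || true
 
+# Do NOT bump actions/checkout to v6 here. v6 ("persist creds to a separate file", #2286)
+# stores the persisted github.token in a temp credentials file pulled in via includeIf, which
+# `git config --unset-all http....extraheader` cannot clear. Our runner-side pushes (ci3.sh
+# release-pr tag, ci3_success.sh squash-and-merge) rely on swapping that header for a bot-PAT
+# remote, so under v6 they push as github-actions[bot] (contents: read) and 403. v5.0.1 is still
+# node24 but keeps the credential as a removable local extraheader.
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 # The commit to checkout. We want our actual commit, and not the result of merging the PR to the target.
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 # Fetch PR commits depth (we'll deepen by 1 in squash script if needed)
 fetch-depth: ${{ github.event.pull_request.commits || 1 }}
-persist-credentials: true # Required for bootstrap_ec2's git fetch
+# Persisted for authenticated reads (e.g. the aztec-packages-private mirror); pushes swap in
+# a bot-PAT remote at each push site.
+persist-credentials: true
 
 - name: Configure AWS credentials (OIDC)
 uses: aws-actions/configure-aws-credentials@v4
@@ -114,6 +122,8 @@ jobs:
 PR_NUMBER: ${{ github.event.pull_request.number }}
 GITHUB_REF_NAME: ${{ github.ref_name }}
 GITHUB_ACTOR: ${{ github.actor }}
+# Forwarded to EC2 so release_compat_e2e's nightly-failure Slack alert can build a real run URL.
+RUN_ID: ${{ github.run_id }}
 CI3_INSTANCE_PROFILE_NAME: ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
 CI3_SECURITY_GROUP_ID: ${{ secrets.CI3_SECURITY_GROUP_ID }}
 AWS_OIDC_ROLE_ARN: ${{ secrets.AWS_OIDC_ROLE_ARN }}
@@ -199,11 +209,10 @@ jobs:
 matrix:
 test_set: ["1", "2"]
 # We run on current nightly tags only, or when the ci-network-scenario label is present in a PR.
-needs: [ci, validate-nightly-tag, ci-release-publish]
+needs: [ci, validate-nightly-tag]
 if: |
 always()
 && (needs.ci.result == 'success' || needs.ci.result == 'skipped')
-&& (needs.ci-release-publish.result == 'success' || needs.ci-release-publish.result == 'skipped')
 && github.event.pull_request.head.repo.fork != true
 && github.event.pull_request.draft == false
 && (
@@ -218,7 +227,7 @@ jobs:
 run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-scenario --repo ${{ github.repository }} || true
 
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
@@ -341,7 +350,7 @@ jobs:
 run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-bench --repo ${{ github.repository }} || true
 
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
@@ -423,7 +432,7 @@ jobs:
 run: gh pr edit ${{ github.event.pull_request.number }} --remove-label ci-network-kind --repo ${{ github.repository }}
 
 - name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
@@ -449,99 +458,3 @@ jobs:
 AWS_SHUTDOWN_TIME: 180
 run: |
 ./.github/ci3.sh network-tests-kind
-
-# Backwards compatibility e2e tests.
-# Runs e2e tests with contract artifacts from every prior stable release to validate
-# that new client code works with old contract artifacts ("new pxe / old contracts").
-# Blocking for stable/RC releases: ci-release-publish requires this job to pass before
-# publishing. Observational for nightlies: runs, but continue-on-error keeps the workflow
-# green and ci-release-publish's condition publishes nightlies regardless of the result.
-# Escape hatch: ci-skip-compat-e2e label makes failures non-blocking on release PRs.
-ci-compat-e2e:
-runs-on: ubuntu-latest
-needs: [ci]
-if: |
-always()
-&& (needs.ci.result == 'success' || needs.ci.result == 'skipped')
-&& github.event.pull_request.head.repo.fork != true
-&& github.event.pull_request.draft == false
-&& (
-(startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-commit.'))
-|| contains(github.event.pull_request.labels.*.name, 'ci-compat-e2e')
-|| contains(github.event.pull_request.labels.*.name, 'ci-release-pr')
-)
-# Non-blocking for nightlies and when ci-skip-compat-e2e escape hatch is applied.
-continue-on-error: ${{ contains(github.ref_name, '-nightly.') || contains(github.event.pull_request.labels.*.name, 'ci-skip-compat-e2e') }}
-steps:
-- name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with:
-ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-- name: Run Backwards Compatibility E2E Tests
-timeout-minutes: 60
-env:
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
-BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
-GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
-DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
-DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-CI3_INSTANCE_PROFILE_NAME: ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
-CI3_SECURITY_GROUP_ID: ${{ secrets.CI3_SECURITY_GROUP_ID }}
-RUN_ID: ${{ github.run_id }}
-AWS_SHUTDOWN_TIME: 60
-run: ./.github/ci3.sh compat-e2e
-
-# Publishes the release (npm, Docker, GitHub release, aztec-up scripts, etc.).
-# Gated on ci-compat-e2e: a compat regression blocks stable/RC publishing. Nightlies
-# publish regardless — compat-e2e runs there observationally. Dev `-commit.` tags from
-# the ci-release-pr flow never reach this job (they are not real releases).
-ci-release-publish:
-runs-on: ubuntu-latest
-environment: master
-permissions:
-id-token: write
-contents: read
-needs: [ci, ci-compat-e2e]
-if: |
-startsWith(github.ref, 'refs/tags/v')
-&& !contains(github.ref_name, '-commit.')
-&& needs.ci.result == 'success'
-&& (
-contains(github.ref_name, '-nightly.')
-|| needs.ci-compat-e2e.result == 'success'
-)
-steps:
-- name: Checkout
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-with:
-ref: ${{ github.sha }}
-
-- name: Configure AWS credentials (OIDC)
-uses: aws-actions/configure-aws-credentials@v4
-with:
-role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
-aws-region: us-east-2
-role-session-name: ci3-release-publish-${{ github.run_id }}
-role-duration-seconds: 21600
-
-- name: Run Release Publish
-env:
-GITHUB_TOKEN: ${{ secrets.AZTEC_BOT_GITHUB_TOKEN }}
-BUILD_INSTANCE_SSH_KEY: ${{ secrets.BUILD_INSTANCE_SSH_KEY }}
-GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
-GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
-DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
-DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
-NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
-NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
-CI3_INSTANCE_PROFILE_NAME: ${{ secrets.CI3_INSTANCE_PROFILE_NAME }}
-CI3_SECURITY_GROUP_ID: ${{ secrets.CI3_SECURITY_GROUP_ID }}
-RUN_ID: ${{ github.run_id }}
-run: ./.github/ci3.sh release-publish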
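Review bot: The reason for holding actions/checkout at v5.0.1 (the six-line comment added above the Checkout step in the first hunk) exists only in ci3.yml, while the identical downgrade from v6.0.2 lands with no explanation in auto-close-issues.yml, auto-rebase-pr.yml, avm-circuit-inputs.yml, aztec-cli-acceptance-test.yml, backport.yml, barretenberg-nightly-debug-build.yml, ci3-dashboard-deploy.yml, ci3-external.yml and codeql.yml, so an automated updater or the next maintainer will re-bump those with nothing in the file to stop them. A one-line pointer above each of those `uses:` lines would carry the reason along, e.g. `# Intentionally v5.0.1, not v6 — see the checkout note in ci3.yml before bumping.` Several of those workflows pass their own `token:` to checkout (auto-rebase-pr.yml, backport.yml) or set `persist-credentials: false` (avm-circuit-inputs.yml, ci3-dashboard-deploy.yml), so the extraheader limitation described here seems not to apply to them and the downgrade could plausibly be confined to the jobs that actually push with the swapped-in bot PAT. Separately, the removed `ci-release-publish` job carried `environment: master` and its own `permissions:` block (`id-token: write`, `contents: read`); the unified release path is not in this section, so confirm it still runs behind an equivalent environment gate and does not simply inherit the permissions and secret set of whichever job now invokes it.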

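--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -50,7 +50,7 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
-uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL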
