feat(deploy): on-chain binary publish + reusable publish workflow (CD-loop publish side) (#160)

tangletools · drewstone · web-flow · commit 7c32e5452747 · 2026-05-30T10:17:52.000-06:00
* chore(deploy): record v0 publish for trading blueprints + race-fix in publish-binary

* blueprints.tsv: replace "no_v0_published" with "v0=&lt;sha&gt;; release=v0.1.3" for
  ids 13/14/15/16 — all four ai-trading blueprints now have a genesis binary
  version on-chain (Base Sepolia, setActiveBinaryVersion confirmed).

* publish-binary.sh: poll getBinaryVersionCount up to 5x after publishBinaryVersion
  to ride out the read-back gap immediately following cast send (where the call
  occasionally still sees stale state and parses to 0 → version_id=-1 → setActive
  reverts). Fail loudly with a clear error if the publish landed but the read
  still says 0 after retries.

* feat(script): RequestTradingService — register+request+approve service in one shot

Reusable operator go-live script for any blueprint, compiled against tnt-core's
own ITangle interfaces so selectors always match the deployment (the reliable
path when cargo-tangle bindings are version-skewed — symptom UnknownSelector on
requestService). Env-driven: TANGLE_CORE / BLUEPRINT_ID / OPERATOR_KEY /
OPERATOR_ADDR / OPERATOR_PUBKEY / OPERATOR_RPC. Proven: ai-trading blueprint 13,
service 0 ACTIVE on Base Sepolia.

* feat(deploy): make publish-blueprint-binary reusable via workflow_call

Add a workflow_call trigger alongside workflow_dispatch so a blueprint
repo's release CI can invoke the on-chain publish directly. Inputs mirror
the manual trigger; PUBLISH_RPC_URL and BLUEPRINT_OWNER_KEY are exposed as
workflow_call secrets so the owner key stays in tnt-core. The shared job
reads inputs.*/secrets.* identically for both triggers.

* refactor(script): generalize RequestTradingService → RequestService (blueprint-agnostic)

The script is generic protocol ops (registerOperator → requestService →
approveService for any BLUEPRINT_ID env). Only its name/comments were
trading-specific; rename + de-trading the docs so tnt-core stays
blueprint-agnostic. Logic unchanged.

---------

Co-authored-by: Drew Stone &lt;drewstone329@gmail.com&gt;
diff --git a/.github/workflows/publish-blueprint-binary.yml b/.github/workflows/publish-blueprint-binary.yml
@@ -38,6 +38,42 @@ on:
         description: 'Set this version active after publishing'
         required: false
         default: 'true'
+  workflow_call:
+    # Reusable entry point: a blueprint repo's release CI calls this after it
+    # publishes a release, so the privileged on-chain publish stays here (the
+    # owner key never leaves tnt-core). Inputs mirror workflow_dispatch; the
+    # shared job below reads inputs.*/secrets.* identically for both triggers.
+    inputs:
+      blueprint_repo:
+        type: string
+        required: true
+      tag:
+        type: string
+        required: true
+      blueprint_id:
+        type: string
+        required: true
+      binary_name:
+        type: string
+        required: false
+        default: ''
+      network:
+        type: string
+        required: false
+        default: 'base-sepolia'
+      target:
+        type: string
+        required: false
+        default: 'x86_64-unknown-linux-gnu'
+      set_active:
+        type: string
+        required: false
+        default: 'true'
+    secrets:
+      PUBLISH_RPC_URL:
+        required: true
+      BLUEPRINT_OWNER_KEY:
+        required: true
 
 permissions:
   contents: read
diff --git a/script/RequestService.s.sol b/script/RequestService.s.sol
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.26;
+
+import { Script, console2 } from "forge-std/Script.sol";
+import { ITangleFull } from "../src/interfaces/ITangle.sol";
+import { Types } from "../src/libraries/Types.sol";
+
+/// @title RequestService
+/// @notice Onboard an operator to ANY blueprint and stand up a live service in
+/// one shot: registerOperator -> requestService -> approveService. The target
+/// blueprint is chosen by `BLUEPRINT_ID`, so this is generic protocol ops — not
+/// specific to any one blueprint. Reliable path when cargo-tangle's bindings are
+/// version-skewed vs the deployed Tangle (this script compiles against tnt-core's
+/// own interfaces, so the selectors always match the deployment).
+///
+/// Env:
+///   TANGLE_CORE       deployed Tangle (e.g. 0x8299d60f… on Base Sepolia)
+///   BLUEPRINT_ID      uint64 — the target blueprint to register on / request
+///   OPERATOR_KEY      operator private key (must already be a staked/active
+///                     MAD operator; this only registers it on the blueprint)
+///   OPERATOR_ADDR     operator address
+///   OPERATOR_PUBKEY   65-byte uncompressed secp256k1 pubkey (0x04‖X‖Y)
+///   OPERATOR_RPC      operator RPC advertised on-chain (string)
+///   SERVICE_TTL_SECS  optional, default 604800 (7 days)
+contract RequestService is Script {
+    function run() external {
+        ITangleFull tangle = ITangleFull(payable(vm.envAddress("TANGLE_CORE")));
+        uint64 blueprintId = uint64(vm.envUint("BLUEPRINT_ID"));
+        uint256 operatorKey = vm.envUint("OPERATOR_KEY");
+        address operator = vm.envAddress("OPERATOR_ADDR");
+        bytes memory pubkey = vm.envBytes("OPERATOR_PUBKEY");
+        string memory rpc = vm.envString("OPERATOR_RPC");
+        uint64 ttl = uint64(vm.envOr("SERVICE_TTL_SECS", uint256(7 days)));
+
+        // 1. Register the (already-staked) operator on the blueprint.
+        vm.startBroadcast(operatorKey);
+        tangle.registerOperator(blueprintId, pubkey, rpc);
+        vm.stopBroadcast();
+        console2.log("registerOperator OK; blueprint", blueprintId);
+
+        // 2. Request a service with this single operator, empty config, native
+        //    (free) payment, Any confidentiality — mirrors the canonical flow.
+        address[] memory operators = new address[](1);
+        operators[0] = operator;
+        address[] memory permittedCallers = new address[](0);
+
+        vm.startBroadcast(operatorKey);
+        uint64 serviceId = tangle.requestService(
+            blueprintId,
+            operators,
+            "", // empty config (blueprints that accept it; matches CreateServiceForTLV2Test)
+            permittedCallers,
+            ttl,
+            address(0), // native payment token
+            0, // payment amount
+            Types.ConfidentialityPolicy.Any
+        );
+        console2.log("requestService OK; serviceId", serviceId);
+        vm.stopBroadcast();
+
+        // 3. Operator approves -> service becomes active (single-operator).
+        vm.startBroadcast(operatorKey);
+        tangle.approveService(
+            Types.ApprovalParams({
+                requestId: serviceId,
+                securityCommitments: new Types.AssetSecurityCommitment[](0),
+                blsPubkey: [uint256(0), 0, 0, 0],
+                blsPopSignature: [uint256(0), 0],
+                teeCommitments: new Types.TeeAttestationCommitment[](0)
+            })
+        );
+        vm.stopBroadcast();
+        console2.log("approveService OK; service ACTIVE serviceId", serviceId);
+    }
+}
