.github/workflows/build-ampd-release.yaml

name: Amplifier - Build Release

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Github tag to release binaries for (reusing an existing tag will make the pipeline fail)
        required: true
        default: latest

jobs:
  release-binaries:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-22.04, macos-12]
        arch: [amd64, arm64]

    permissions:
      contents: write
      packages: write
      id-token: write

    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ghwf-${{ github.event.repository.name }}

      - name: Validate tag
        env:
          SEMVER: ${{ github.event.inputs.tag }}
        run: |
          if [[ $SEMVER =~ v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then echo "Tag is okay" && exit 0; else echo "invalid tag" && exit 1; fi
          aws s3 ls s3://axelar-releases/ampd/"$SEMVER" && echo "tag already exists, use a new one" && exit 1

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: '0'
          ref: ${{ github.event.inputs.tag }}
          submodules: recursive

      - name: Install Rust
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: build and sign darwin binaries
        env:
          SEMVER: ${{ github.event.inputs.tag }}
        if: matrix.os == 'macos-12'
        run: |
          OS="darwin"
          ARCH="${{ matrix.arch }}"
          if [ "$ARCH" == "arm64" ]
          then
            brew install protobuf
            rustup target add aarch64-apple-darwin
            cargo build --release --target aarch64-apple-darwin
            mkdir ampdbin
            mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-apple-darwin/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          else
            brew install protobuf
            cargo build --release
            mkdir ampdbin
            mv "/Users/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          fi

      - name: build and sign linux binaries
        env:
          SEMVER: ${{ github.event.inputs.tag }}
        if: matrix.os == 'ubuntu-22.04'
        run: |
          OS="linux"
          ARCH="${{ matrix.arch }}"
          if [ "$ARCH" == "arm64" ]
          then
            sudo apt-get install protobuf-compiler gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
            rustup target add aarch64-unknown-linux-gnu
            export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
            cargo build --release --target aarch64-unknown-linux-gnu
            mkdir ampdbin
            mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/aarch64-unknown-linux-gnu/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          else
            sudo apt-get install protobuf-compiler
            cargo build --release
            mkdir ampdbin
            mv "/home/runner/work/axelar-amplifier/axelar-amplifier/target/release/ampd" "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
            gpg --armor --detach-sign  "./ampdbin/ampd-$OS-$ARCH-$SEMVER"
          fi

      - name: Test ampd
        working-directory: ./ampdbin
        run: |
          file ./ampd-*

      - name: Create zip and sha256 files
        working-directory: ./ampdbin
        run: |
          for i in `ls | grep -v .asc`
          do
            shasum -a 256 $i | awk '{print $1}' > $i.sha256
            zip $i.zip $i
            shasum -a 256 $i.zip | awk '{print $1}' > $i.zip.sha256
          done

      - name: Upload binaries to release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./ampdbin/*
          tag: ${{ github.event.inputs.tag }}
          overwrite: true
          file_glob: true

      - name: Upload binaries to S3
        env:
          S3_PATH: s3://axelar-releases/ampd/${{ github.event.inputs.tag }}
        run: |
          aws s3 cp ./ampdbin ${S3_PATH}/ --recursive

  release-docker:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: '0'
          ref: ${{ github.event.inputs.tag }}
          submodules: recursive

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Build and push docker images
        run: |
          make build-push-docker-images
        env:
          PLATFORM: linux/amd64
          SEMVER: ${{ github.event.inputs.tag }}

  combine-sign:
    needs: release-docker
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - name: Install Cosign
        uses: sigstore/cosign-installer@main
        with:
          cosign-release: 'v1.13.1'

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Create multiarch manifest
        run: |
          docker buildx imagetools create -t axelarnet/axelar-ampd:${SEMVER} \
            axelarnet/axelar-ampd-linux-amd64:${SEMVER}
        env:
          SEMVER: ${{ github.event.inputs.tag }}

      - name: Sign the images with GitHub OIDC
        run: cosign sign --oidc-issuer https://token.actions.githubusercontent.com ${TAGS}
        env:
          TAGS: axelarnet/axelar-ampd:${{ github.event.inputs.tag }}
          COSIGN_EXPERIMENTAL: 1