Use a rust layer with a full app build (#1058)

radixdlt · Jan 28, 2025 · cfa428f · cfa428f
2 parents 322e503 + 5e235ab
commit cfa428f
Show file tree

Hide file tree

Showing 9 changed files with 433 additions and 286 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -57,9 +57,10 @@
 /**/*.swo
 /**/*.swp
 /**/*~
-# ignore jar files, but keep Gradle wrapper
+# ignore jar files, but keep Gradle wrapper and build artifacts
 /**/*.jar
 !gradle/wrapper/gradle-wrapper.jar
+!artifacts/*.jar
 
 # node
 /**/node_modules/

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -10,16 +10,11 @@ on:
       - main
       - release\/*
 
-jobs:
-  cancel_running_workflows:
-    name: Cancel running workflows
-    runs-on: ubuntu-22.04
-    steps:
-      - name: cancel running workflows
-        uses: RDXWorks-actions/cancel-workflow-action@main
-        with:
-          access_token: ${{ github.token }}
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
+jobs:
   build_deb:
     name: Build debian package
     runs-on: selfhosted-ubuntu-22.04-16-cores
@@ -140,7 +135,7 @@ jobs:
       packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
-      runs_on: ubuntu-latest
+      runs_on: ubuntu-16-cores-selfhosted
       image_registry: "docker.io"
       image_organization: "radixdlt"
       image_name: "private-babylon-node"
@@ -229,7 +224,7 @@ jobs:
       pull-requests: read
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
     with:
-      aws_dockerhub_secret: github-actions/common/dockerhub-credentials
+      aws_dockerhub_secret: github-actions/common/dockerhub-credentials-read-only
       amd_meta_data_json: ${{needs.build_push_container_private.outputs.json}}
     secrets:
       role-to-assume: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access"
@@ -246,7 +241,7 @@ jobs:
       packages: write
     uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
     with:
-      runs_on: ubuntu-latest
+      runs_on: ubuntu-16-cores-selfhosted
       image_registry: "docker.io"
       image_organization: "radixdlt"
       image_name: "babylon-node"

diff --git a/.github/workflows/publish-build-layer-images.yml b/.github/workflows/publish-build-layer-images.yml
@@ -0,0 +1,206 @@
+name: Publish build layer images
+
+on:
+  workflow_dispatch:
+    inputs:
+      docker_tag:
+        description: "Docker tag to be published"
+
+permissions:
+  packages: write
+  pull-requests: write
+  id-token: write
+  contents: read
+
+jobs:
+  build_rust_amd64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: ubuntu-16-cores-selfhosted
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-rust
+      context: "."
+      dockerfile: docker/base-images/rust-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/amd64"
+      provenance: "false"
+      scan_image: true
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: amd64
+      flavor: |
+        suffix=-amd64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_rust_arm64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: selfhosted-ubuntu-22.04-arm
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-rust
+      context: "."
+      dockerfile: docker/base-images/rust-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/arm64"
+      provenance: "false"
+      scan_image: false
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: arm64
+      flavor: |
+        suffix=-arm64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  join_rust_multiarch_image:
+    name: Join multiarch image
+    needs:
+      - build_rust_amd64
+      - build_rust_arm64
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
+    with:
+      aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
+      amd_meta_data_json: ${{needs.build_rust_amd64.outputs.json}}
+    secrets:
+      role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_java_amd64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: ubuntu-16-cores-selfhosted
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-java
+      context: "."
+      dockerfile: docker/base-images/java-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/amd64"
+      provenance: "false"
+      scan_image: true
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: amd64
+      flavor: |
+        suffix=-amd64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_java_arm64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: selfhosted-ubuntu-22.04-arm
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-java
+      context: "."
+      dockerfile: docker/base-images/java-builder.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/arm64"
+      provenance: "false"
+      scan_image: false
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: arm64
+      flavor: |
+        suffix=-arm64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  join_java_multiarch_image:
+    name: Join multiarch image
+    needs:
+      - build_java_amd64
+      - build_java_arm64
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
+    with:
+      aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
+      amd_meta_data_json: ${{needs.build_java_amd64.outputs.json}}
+    secrets:
+      role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_app_amd64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: ubuntu-16-cores-selfhosted
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-app
+      context: "."
+      dockerfile: docker/base-images/app.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/amd64"
+      provenance: "false"
+      scan_image: true
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: amd64
+      flavor: |
+        suffix=-amd64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  build_app_arm64:
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main
+    with:
+      runs_on: selfhosted-ubuntu-22.04-arm
+      environment: "release"
+      image_registry: "docker.io"
+      image_organization: "radixdlt"
+      image_name: "babylon-node-build-layers"
+      tag: ${{ inputs.docker_tag }}-app
+      context: "."
+      dockerfile: docker/base-images/app.dockerfile
+      target: "babylon-node-build-layers"
+      platforms: "linux/arm64"
+      provenance: "false"
+      scan_image: false
+      snyk_target_ref: ${{ github.ref_name }}
+      enable_dockerhub: true
+      use_gh_remote_cache: true
+      cache_tag_suffix: arm64
+      flavor: |
+        suffix=-arm64
+    secrets:
+      role_to_assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
+
+  join_app_multiarch_image:
+    name: Join multiarch image
+    needs:
+      - build_app_amd64
+      - build_app_arm64
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+    uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/join-docker-images-all-tags.yml@main
+    with:
+      aws_dockerhub_secret: github-actions/rdxworks/dockerhub-images/release-credentials
+      amd_meta_data_json: ${{needs.build_app_amd64.outputs.json}}
+    secrets:
+      role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
diff --git a/.gitignore b/.gitignore
@@ -68,4 +68,7 @@ node_modules/
 **/resources/markdown
 
 # code coverage info
-**/lcov.info
+**/lcov.info
+
+# CI generated
+artifacts