.github/workflows/build-publish.yml

name: "Build, Sign and Publish Chainlink"

on:
  push:
    tags:
      - "v*"

env:
  ECR_HOSTNAME: public.ecr.aws

jobs:
  checks:
    name: "Checks"
    runs-on: ubuntu-20.04
    outputs:
      git-tag-type: ${{ steps.check-git-tag-type.outputs.git-tag-type }}
      ecr-image-name: ${{ steps.check-git-tag-type.outputs.ecr-image-name }}
      is-release: ${{ steps.release-tag-check.outputs.is-release }}
      is-pre-release: ${{ steps.release-tag-check.outputs.is-pre-release }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.1
        with:
          persist-credentials: false
      - name: Check git tag type
        id: check-git-tag-type
        shell: bash
        env:
          GIT_TAG: ${{ github.ref_name}}
        run: |
          # Check if git tag is related to CCIP
          # Should match:
          #   v1.0.0-ccip1.0.0-beta.1
          #   v1.0.0-ccip1.0.0-rc.0
          #   v1.0.0-ccip1.0.0
          if [[ $GIT_TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+-ccip[0-9]+\.[0-9]+\.[0-9]+(-((beta|rc)\.[0-9]+))?$ ]]; then
            echo "git-tag-type=ccip" | tee -a "$GITHUB_OUTPUT"
            echo "ecr-image-name=chainlink/ccip" | tee -a "$GITHUB_OUTPUT"
          else
            echo "git-tag-type=core" | tee -a "$GITHUB_OUTPUT"
            echo "ecr-image-name=chainlink/chainlink" | tee -a "$GITHUB_OUTPUT"
          fi
      - name: Check release tag
        id: release-tag-check
        uses: smartcontractkit/.github/actions/release-tag-check@c5c4a8186da4218cff6cac8184e47dd3dec69ba3 # release-tag-check@0.1.0
      - name: Fail if CCIP release has wrong version
        if: ${{ steps.check-git-tag-type.outputs.git-tag-type == 'ccip' }}
        run: |
          version=$(jq -r '.version' ./package.json)
          echo "Package version: $version"
          echo "Git tag type: ${{ steps.check-git-tag-type.outputs.git-tag-type }}"
          if [[ $version != *"-ccip"* ]]; then
            echo "Error: Version '$version' does not match required CCIP format."
            exit 1
          fi
      - name: Check for VERSION file bump on tags
        # Avoids checking VERSION file bump on forks or from CCIP releases.
        if: ${{ github.repository == 'smartcontractkit/chainlink' && steps.check-git-tag-type.outputs.git-tag-type == 'core' }}
        uses: ./.github/actions/version-file-bump
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

  build-sign-publish-chainlink:
    needs: [checks]
    runs-on: ubuntu-20.04
    environment: build-publish
    permissions:
      id-token: write
      contents: write
      attestations: write
    outputs:
      docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
      docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.1
        with:
          persist-credentials: false

      - name: Build, sign and publish chainlink image
        id: build-sign-publish
        uses: ./.github/actions/build-sign-publish-chainlink
        with:
          publish: true
          aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
          aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
          aws-region: ${{ secrets.AWS_REGION }}
          ecr-hostname: ${{ env.ECR_HOSTNAME }}
          ecr-image-name: ${{ needs.checks.outputs.ecr-image-name }}
          dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
          dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
          sign-images: true
          verify-signature: true

      - name: Attest Docker image
        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
        with:
          subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
          subject-name: ${{ env.ECR_HOSTNAME }}/${{ needs.checks.outputs.ecr-image-name }}
          push-to-registry: true

  # Notify Slack channel for new git tags.
  slack-notify:
    if: github.ref_type == 'tag'
    needs: [checks, build-sign-publish-chainlink]
    runs-on: ubuntu-24.04
    environment: build-publish
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.1
        with:
          persist-credentials: false
      - name: Notify Slack
        uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # slack-notify-git-ref@0.1.2
        with:
          slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
          slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
          git-ref: ${{ github.ref_name }}
          git-ref-type: ${{ github.ref_type }}
          changelog-url: >-
            ${{
              github.ref_type == 'tag' &&
              format(
                'https://github.com/{0}/blob/{1}/CHANGELOG.md',
                github.repository,
                github.ref_name
              ) || ''
            }}
          docker-image-name: >-
            ${{ 
              github.ref_type == 'tag' && 
              format(
                '{0}/{1}:{2}', 
                env.ECR_HOSTNAME, 
                needs.checks.outputs.ecr-image-name,
                needs.build-sign-publish-chainlink.outputs.docker-image-tag
              ) || ''
            }}
          docker-image-digest: >-
            ${{ 
              github.ref_type == 'tag' && 
              needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
            }}
  crib:
    needs: [checks, build-sign-publish-chainlink]
    # Only spin up CRIB on pre-releases (beta, rc).
    if: needs.checks.outputs.is-pre-release == 'true'
    runs-on: ubuntu-latest
    environment: integration
    permissions:
      id-token: write
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.1
        with:
          persist-credentials: false

      - name: Run Core CRIB Integration Tests
        uses: ./.github/actions/crib
        with:
          aws-role-arn: ${{ secrets.AWS_OIDC_CRIB_ROLE_ARN_STAGE }}
          aws-region: ${{ secrets.AWS_REGION }}
          aws-account-id: ${{ secrets.AWS_ACCOUNT_ID_PROD }}
          api-gw-host-crib: ${{ secrets.AWS_API_GW_HOST_CRIB_STAGE }}
          api-gw-host-k8s: ${{ secrets.AWS_API_GW_HOST_K8S_STAGE }}
          k8s-api-endpoint: ${{ secrets.GAP_HOST_K8S_STAGE }}
          k8s-cluster-name: ${{ secrets.AWS_K8S_CLUSTER_NAME_STAGE }}
          aws-token-issuer-role-arn: ${{ secrets.AWS_OIDC_GLOBAL_READ_ONLY_TOKEN_ISSUER_ROLE_ARN }}
          aws-token-issuer-lambda-url: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
          ingress-base-domain: ${{ secrets.INGRESS_BASE_DOMAIN_STAGE }}
          k8s-staging-ingress-suffix: ${{ secrets.K8S_STAGING_INGRESS_SUFFIX }}
          gap-url-integration-tests: ${{ secrets.GAP_URL }}
          crib-alert-slack-webhook: ${{ secrets.CRIB_ALERT_SLACK_WEBHOOK }}
          crib-chainlink-docker-image-name: ${{ format('{0}/{1}', env.ECR_HOSTNAME, needs.checks.outputs.ecr-image-name) }}
          crib-chainlink-docker-image-tag: ${{ needs.build-sign-publish-chainlink.outputs.docker-image-tag}}
          crib-cleanup-ttl: "3d"