Merge branch 'master' into mkz-re-enabling

paritytech · Nov 11, 2024 · dcd312e · dcd312e
2 parents beaf472 + b601d57
commit dcd312e
Show file tree

Hide file tree

Showing 437 changed files with 19,483 additions and 10,626 deletions.
diff --git a/.github/scripts/common/lib.sh b/.github/scripts/common/lib.sh
@@ -306,9 +306,10 @@ function import_gpg_keys() {
   EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
   MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
   PARITY_RELEASES="90BD75EBBB8E95CB3DA6078F94A4029AB4B35DAE"
+  PARITY_RELEASES_SIGN_COMMITS="D8018FBB3F534D866A45998293C5FB5F6A367B51"
 
   echo "Importing GPG keys from $GPG_KEYSERVER"
-  for key in $SEC $EGOR $MORGAN $PARITY_RELEASES; do
+  for key in $SEC $EGOR $MORGAN $PARITY_RELEASES $PARITY_RELEASES_SIGN_COMMITS; do
     (
       echo "Importing GPG key $key"
       gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key

diff --git a/.github/scripts/release/build-deb.sh b/.github/scripts/release/build-deb.sh
@@ -9,8 +9,7 @@ cargo install --version 2.7.0 cargo-deb --locked -q
 echo "Using cargo-deb v$(cargo-deb --version)"
 echo "Building a Debian package for '$PRODUCT' in '$PROFILE' profile"
 
-# we need to start  the custom version with a didgit as requires it cargo-deb
-cargo deb --profile $PROFILE --no-strip --no-build -p $PRODUCT --deb-version 1-$VERSION
+cargo deb --profile $PROFILE --no-strip --no-build -p $PRODUCT --deb-version $VERSION
 
 deb=target/debian/$PRODUCT_*_amd64.deb
 

diff --git a/.github/workflows/check-semver.yml b/.github/workflows/check-semver.yml
@@ -4,6 +4,7 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
   workflow_dispatch:
+  merge_group:
 
 concurrency:
   group: check-semver-${{ github.event.pull_request.number || github.ref }}

diff --git a/.github/workflows/release-10_rc-automation.yml b/.github/workflows/release-10_rc-automation.yml
@@ -23,12 +23,46 @@ jobs:
           - name: "RelEng: Polkadot Release Coordination"
             room: '!cqAmzdIcbOFwrdrubV:parity.io'
     environment: release
+    env:
+      PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
+      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
 
     steps:
+      - name: Install pgpkkms
+        run: |
+          # Install pgpkms that is used to sign commits
+          pip install git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69
+
+      - name: Generate content write token for the release automation
+        id: generate_write_token
+        uses: actions/create-github-app-token@v1
+        with:
+            app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
+            private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
+            owner: paritytech
+
       - name: Checkout sources
         uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           fetch-depth: 0
+          token: ${{ steps.generate_write_token.outputs.token }}
+
+      - name: Import gpg keys
+        run: |
+          . ./.github/scripts/common/lib.sh
+
+          import_gpg_keys
+
+      - name: Config git
+        run: |
+          git config --global commit.gpgsign true
+          git config --global gpg.program /home/runner/.local/bin/pgpkms-git
+          git config --global user.name "ParityReleases"
+          git config --global user.email "[email protected]"
+          git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
 
       - name: Compute next rc tag
         # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }}
@@ -58,13 +92,12 @@ jobs:
           fi
 
       - name: Apply new tag
-        uses: tvdias/github-tagger@ed7350546e3e503b5e942dffd65bc8751a95e49d # v0.0.2
-        with:
-          # We can't use the normal GITHUB_TOKEN for the following reason:
-          # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
-          # RELEASE_BRANCH_TOKEN requires public_repo OAuth scope
-          repo-token: "${{ secrets.RELEASE_BRANCH_TOKEN }}"
-          tag: ${{ steps.compute_tag.outputs.new_tag }}
+        env:
+          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
+          RC_TAG: ${{ steps.compute_tag.outputs.new_tag }}
+        run: |
+         git tag -s $RC_TAG -m "new rc tag $RC_TAG"
+         git push origin $RC_TAG
 
       - name: Send Matrix message to ${{ matrix.channel.name }}
         uses: s3krit/matrix-message-action@70ad3fb812ee0e45ff8999d6af11cafad11a6ecf # v0.0.3

diff --git a/.github/workflows/release-branchoff-stable.yml b/.github/workflows/release-branchoff-stable.yml
@@ -13,13 +13,7 @@ on:
         required: true
 
 jobs:
-  check-workflow-can-run:
-    uses: paritytech-release/sync-workflows/.github/workflows/check-syncronization.yml@main
-
-
   prepare-tooling:
-    needs: [check-workflow-can-run]
-    if: needs.check-workflow-can-run.outputs.checks_passed == 'true'
     runs-on: ubuntu-latest
     outputs:
       node_version: ${{ steps.validate_inputs.outputs.node_version }}
@@ -45,7 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: release
     env:
-      PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
+      PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
       PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -58,32 +52,42 @@ jobs:
           # Install pgpkms that is used to sign commits
           pip install git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69
 
+      - name: Generate content write token for the release automation
+        id: generate_write_token
+        uses: actions/create-github-app-token@v1
+        with:
+            app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
+            private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
+            owner: paritytech
+
       - name: Checkout sources
         uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           ref: master
+          token: ${{ steps.generate_write_token.outputs.token }}
 
       - name: Import gpg keys
         run: |
           . ./.github/scripts/common/lib.sh
 
           import_gpg_keys
 
-
       - name: Config git
         run: |
           git config --global commit.gpgsign true
           git config --global gpg.program /home/runner/.local/bin/pgpkms-git
           git config --global user.name "ParityReleases"
           git config --global user.email "[email protected]"
-          git config --global user.signingKey "90BD75EBBB8E95CB3DA6078F94A4029AB4B35DAE"
+          git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
 
       - name: Create stable branch
         run: |
           git checkout -b "$STABLE_BRANCH_NAME"
           git show-ref "$STABLE_BRANCH_NAME"
 
       - name: Bump versions, reorder prdocs and push stable branch
+        env:
+          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
         run: |
           . ./.github/scripts/release/release_lib.sh
 
@@ -101,4 +105,6 @@ jobs:
 
           reorder_prdocs $STABLE_BRANCH_NAME
 
+          gh auth setup-git
+
           git push origin "$STABLE_BRANCH_NAME"
diff --git a/.github/workflows/release-build-rc.yml b/.github/workflows/release-build-rc.yml
@@ -55,6 +55,10 @@ jobs:
       AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
       AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
       AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
 
   build-polkadot-parachain-binary:
     needs: [validate-inputs]
@@ -72,3 +76,7 @@ jobs:
       AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
       AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
       AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
diff --git a/.github/workflows/release-reusable-rc-buid.yml b/.github/workflows/release-reusable-rc-buid.yml
@@ -58,7 +58,7 @@ jobs:
 
   build-rc:
     needs: [set-image]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-m
     environment: release
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
@@ -151,7 +151,9 @@ jobs:
     - name: Build polkadot deb package
       shell: bash
       run: |
-        . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${{ inputs.release_tag }}
+        . "${GITHUB_WORKSPACE}"/.github/scripts/common/lib.sh
+        VERSION=$(get_polkadot_node_version_from_code)
+        . "${GITHUB_WORKSPACE}"/.github/scripts/release/build-deb.sh ${{ inputs.package }} ${VERSION}
 
     - name: Generate artifact attestation
       uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3

diff --git a/.gitignore b/.gitignore
@@ -30,7 +30,6 @@ artifacts
 bin/node-template/Cargo.lock
 nohup.out
 polkadot_argument_parsing
-polkadot.*
 !docs/sdk/src/polkadot_sdk/polkadot.rs
 pwasm-alloc/Cargo.lock
 pwasm-libc/Cargo.lock

diff --git a/.gitlab/pipeline/zombienet/polkadot.yml b/.gitlab/pipeline/zombienet/polkadot.yml
@@ -241,7 +241,7 @@ zombienet-polkadot-functional-0017-sync-backing:
       --local-dir="${LOCAL_DIR}/functional"
       --test="0017-sync-backing.zndsl"
 
-.zombienet-polkadot-functional-0018-shared-core-idle-parachain:
+zombienet-polkadot-functional-0018-shared-core-idle-parachain:
   extends:
     - .zombienet-polkadot-common
   before_script: