Feature/GitHub action tag and publish docker image (#626)

* GitHub action tag and publish docker image pipeline with github actions 

Signed-off-by: Ahmed Elkashef <[email protected]>

Co-authored-by: Alexey <[email protected]>

Author: ahmedelkashev

.github/_README.md

@@ -0,0 +1,31 @@
+GitHub Actions
+==============
+
+GitHub Workflow description in YAML does not support anchors.
+There are several workarounds => anyway they come to building-editing workflow yaml from source.
+So I suggest yet another one `make-workflows.sh` based on YAML tool `yq`.
+
+### USAGE
+0. Move your workflows to `.github/*.src.yml`
+1. Put `make-workflows.sh` to directory `.github/`
+2. (optional) Copy or link `pre-commit-hook.sh` to `.git/hooks/pre-commit`
+   Like `ln -s ../../.github/pre-commit-hook.sh .git/hooks/pre-commit`
+
+### Using pre-commit
+```yaml
+repos:
+- repo: local
+  hooks:
+  - id: make-workflows
+    name: Make GitHub workflows from *.src.yml
+    entry: bash -c '.github/make-workflows.sh && git add .github/workflows'
+    language: system
+    types: [yaml]
+    pass_filenames: false
+```
+
+### Links
+1. https://stackoverflow.com/questions/67368724/share-same-steps-for-different-github-actions-jobs
+2. https://github.community/t/support-for-yaml-anchors/16128/60
+3. https://github.com/mithro/actions-includes
+4. https://github.com/allejo/gha-workflows

.github/build-cpp-filecoin.src.yml

@@ -0,0 +1,193 @@
+name: Fuhon (cpp-Filecoin)
+
+on:
+  push:
+    branches: [master]
+    tags: '**'
+  pull_request:
+    branches: [master]  ## target branches
+
+jobs:
+  ## GitHub Actions Workflow does not support yaml anchors
+  ## and that is why there is a workaround with make-workflows.sh
+  ## You should `pre-commit install` or use `pre-commit-hook.sh`,
+  ## anyway please read .github/README.md
+  check_workflow_yaml_coressponds_to_src_yaml:
+    runs-on: ubuntu-20.04 #ubuntu-latest
+    #container: ubuntu:latest  ## This is required as barrier between AWS-hosted runners and GitHub-hosted runners - they have different set of software, so run in container
+    name: Check if github workflows were properly made from sources
+    steps:
+      - &step_detect_commented_pr
+        name: REF and SHA of commented PR to ENV
+        if: github.event.comment
+        run: >
+            curl -fsSL ${{github.event.issue.pull_request.url}}
+            -H "Authorization: token ${{github.token}}" |
+            jq -r '
+              "PR_REF="+.head.ref,
+              "PR_SHA="+.head.sha,
+              "PR_NUM="+(.number|tostring),
+              "PR_REPO="+.head.repo.full_name' >>$GITHUB_ENV
+      - &step_checkout
+        name: Checkout
+        uses: actions/checkout@v2
+        with: &step_checkout_with
+          ref: ${{env.PR_REF}}  ## not empty on issue_comment, else default value GITHUB_REF
+          repository: ${{env.PR_REPO}} ## not empty on issue_comment, else default value github.repository, required by forks
+      -
+        run: sudo snap install yq
+      -
+        name: Check if .github/workflows/*.yml correspond to *.src.yml
+        run: |
+          set -x
+          [[ $(./.github/make-workflows.sh -x --worktree) = *"everything is up to date" ]]
+
+  ## Build docker image named 'filecoin/fuhon-builder' with all stuff to compile fuhon and its dependancies
+  ## The result docker image is pushed with tags :pr-NUMBER, :commit-HASH, :branch-name, :tag-name,
+  ## and conditional tags :edge for development branch, and :latest for git-tags.
+  ## Note: image is push only when DockerHub login-token pair available - not to PRs from forks.
+  Docker-fuhon-builder:
+    needs: check_workflow_yaml_coressponds_to_src_yaml
+    runs-on: ubuntu-20.04 #ubuntu-latest #[ self-hosted, Linux ]
+    env: &env_dockerhub
+      DOCKERHUB_ORG: soramitsu ## Cannot use ${{ secrets.DOCKERHUB_ORG }}
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+    steps:
+      - &step_system_info
+        name: System info
+        run: |
+          set -x
+          whoami
+          id $(whoami)
+          free  ||  vm_stat | perl -ne '/page size of (\d+)/ and $size=$1;
+            /Pages\s+([^:]+)[^\d]+(\d+)/ and printf("%-16s % 16.2f Mi\n", "$1:", $2 * $size / 1048576);'
+          df -h
+      - &step_build_info
+        name: Build info
+        run: |
+          cat << 'END'
+          ref:${{github.ref}}
+          sha:${{github.sha}}
+          run_number:${{github.run_number}}
+          event_name:${{github.event_name}}
+          event.action:${{github.event.action}}
+          event.issue.number:${{ github.event.issue.number }}
+          END
+      - *step_detect_commented_pr
+      - *step_checkout
+      - &step_docker_tag
+        name: Determine dockertag
+        id: dockertag
+        env:
+          dockertag: ${{ hashFiles('docker/**') }}
+        run: |
+          echo "::set-output name=dockertag::$dockertag"
+          echo >>$GITHUB_ENV  dockertag=$dockertag
+          test -n "$DOCKERHUB_ORG" || {
+            echo ::error::"DOCKERHUB_ORG must contain value"
+            false
+          }
+      - &step_docker_login
+        name: Login to DockerHub
+        if: ${{ env.DOCKERHUB_TOKEN != '' && env.DOCKERHUB_USERNAME != '' }}
+        id: docker_login
+        uses: docker/login-action@v1
+        with:
+          registry: docker.soramitsu.co.jp
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - &step_warn_docker_no_push
+        name: Possible WARNING
+        if: ${{ steps.docker_login.outcome == 'skipped' }}
+        run: echo "::warning::DOCKERHUB_TOKEN and DOCKERHUB_USERNAME are empty. Will build but NOT push."
+      - &step_docker_meta
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with: &step_docker_meta_with
+          # registry.rocket.chat/rocketchat/rocket.chat:latest
+          images: docker.soramitsu.co.jp/fuhon/node
+          tags: |
+            type=raw,value=${{env.dockertag}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=ref,event=tag
+            type=schedule
+            type=edge,branch=develop
+        ## Docker image will be pushed with tags:
+        ##  - hash of file Dockerfile.builder
+        ##  - branchname, when branch is pushed
+        ##  - pr-NUMBER, when pushed to PR
+        ##  - git tag when tag is pushed
+        ##  - semver like 1.2.3 and 1.2 when tag vX.X.X is pushed
+        ##  - tag 'edge' when branch support/1.2.x is pushed
+        ##  - schedule, see the docs
+      - &step_docker_buildx
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - &step_docker_cache
+        name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{env.dockertag}}
+          restore-keys: ${{ runner.os }}-buildx-
+      - &step_docker_build_and_push
+        id: build_and_push
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with: &step_docker_build_and_push_with
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          push: ${{ steps.docker_login.outcome == 'success' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          context: .
+      - &step_docker_move_cache
+        # Temp fix
+        # https://github.com/docker/build-push-action/issues/252
+        # https://github.com/moby/buildkit/issues/1896
+        name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+      -
+        name: Check if dockertaghash exists in remote registry
+        id: dockertag_already
+        run: |
+          echo "::set-output name=container::$DOCKERHUB_ORG/fuhon:$dockertag"
+      -
+        name: Possible ERROR, Dockerfile edited but image cannot be pushed
+        if: ${{ steps.docker_login.outcome != 'success' || steps.build_and_push.outcome != 'success' }}
+        env:
+          container: ${{steps.dockertag_already.outputs.container}}
+          dockertag: ${{env.dockertag}}
+        run: |
+          cat <<END
+            ::error::CHANGES TO Dockerfile.builder WERE NOT APPLYED.
+
+            It seems container with tag '$dockertag' was not pushed to registry and does not exist remotely.
+            The most possible reason is GitHub secrets are inaccessable to PRs from public forks.
+
+            $(test ${{github.event.pull_request.head.repo.full_name}} != ${{github.event.pull_request.base.repo.full_name}} \
+              && echo -n "SECRETS ARE NOT EXPOSED TO FORKS" || echo -n "SECRETS AVAILABLE")
+
+            **Consider to open PR from the same organization.**
+
+            What we know about this build:
+              - PR URL is ${{github.event.pull_request.html_url}}
+              - head repo is '${{github.event.pull_request.head.repo.full_name}}'
+              - base repo is '${{github.event.pull_request.base.repo.full_name}}'
+              - See more information in previous step 'Show context'
+
+            Please ask @ahmedelkashev on GitHub or in Telegram if you need help.
+          END
+          false
+    outputs:
+      ## WARN secret dropped from output!, output may not contain secret,
+      ## and secret cannot be used in job:container directly, and there is no github non-secret variables...
+      ## if dockertag is already pushed then use it. But let it be empty when tag does not exist remotely.
+      dockertag: ${{steps.dockertag.outputs.dockertag}}
+      container: ${{steps.dockertag_already.outputs.container}}
+      pushed: ${{ steps.docker_login.outcome == 'success' && steps.build_and_push.outcome == 'success' }}

.github/disabled_workflows/clang-tidy.yml

@@ -18,7 +18,7 @@ jobs:
       name: checkout repo
     - name: install
       run: |
-        brew install ninja llvm pkg-config
+        brew install ninja llvm pkg-config coreutils
         sudo python3 -m pip install --upgrade pip
         sudo python3 -m pip install scikit-build cmake requests gitpython gcovr pyyaml
     - name: run checks

.github/make-workflows.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+
+--help(){
+    cat<<'END'
+make-workflows:
+    This script expands '*.src.yml' from $1 (default: script's directory)
+    to $2 (default:REPO_ROOT/.github/workflows) with corresponding name '*.yml'
+    Main goal is to dereference YAML anchors.
+    Deals only with Git cached/indexed files until --no-git-index passed.
+    DEBUG: use option -x
+    NOTE: spaces in filenames are not allowed to keep code simplicity
+END
+    cat<<END
+Usage:
+    make-workflows.sh [--no-git-index] [dirs_from... [dir_to]]
+    make-workflows.sh [--help]
+Options:
+    --no-git-index|--worktree   List files and get contents from working tree
+                                instead of git index
+    -h, --help       show this help
+    -x, --trace
+    +x, --no-trace   enable/disable bash trace
+END
+    exit
+}
+
+files_list(){
+    git diff --cached --name-only --relative --diff-filter=d -- "$@"
+    ## NOTE: --diff-filter=d  to exclude deleted files
+}
+file_contents(){
+    git show $(printf ":%s " $@)
+}
+
+while [[ $# > 0 ]] ;do
+    case "$1" in
+        ## List files and get contents from working tree instead of git index
+        --no-git-index|--worktree)
+            files_list(){
+                ls $@
+            }
+            file_contents(){
+                cat $@
+            }
+            ;;
+        -x|--trace)    set -x ;;
+        +x|--no-trace) set +x ;;
+        -h|--help|'-?') --help ;;
+        -*)
+            echo >&2 "make-workflows: ERROR: unxpected parameter"
+            --help >&2
+            exit 2
+            ;;
+        ## The last non-option argument is dir_to all previous are dirs_from
+        *)
+            if [[ "$1" = *' '* ]] ;then
+                echo >&2 "make-workflows: ERROR: spaces in arguments are not allowed: '$1'"
+                exit 1
+            fi
+            if [[ "$(echo ${dirs_from:-})" = '' ]] ;then
+                dirs_from=$1
+            else
+                dirs_from+=" "${dir_to:-}
+                dir_to=$1
+            fi
+            ;;
+    esac
+    shift
+done
+
+readonly script_dir=$(dirname $(realpath "$0"))
+readonly dirs_from=${dirs_from:-${script_dir}}
+readonly repo_root=$(git rev-parse --show-toplevel)
+         dir_to=${dir_to:-$repo_root/.github/workflows}
+readonly dir_to=$(realpath $dir_to)
+edited_files=
+
+for dir_from in $dirs_from ;do
+    pushd $dir_from >/dev/null
+    for f in $(files_list '*.src.yml') ;do
+        out=$(echo $f | sed 's|.src.yml$|.yml|')
+        wout=$dir_to/$out
+        tempout=$(mktemp)
+        trap "rm -f $tempout" EXIT   ## in case of error file will be removed before exit
+        echo >>$tempout "## DO NOT EDIT"
+        echo >>$tempout "## Generated from $f with $(basename $0)"
+        echo >>$tempout ""
+        ## Take cached content from index
+        file_contents ./$f | yq eval 'explode(.)' - >>$tempout
+        if ! diff -q $wout $tempout &>/dev/null ;then
+            mv $tempout $wout
+            edited_files+="'$(realpath --relative-to=$OLDPWD $wout)' "
+        else
+            rm -f $tempout
+        fi
+    done
+    popd >/dev/null
+done
+
+if [[ -n "$edited_files" ]]
+then echo "make-workflows: these files were edited: $edited_files"
+else echo "make-workflows: everything is up to date"
+fi

.github/pre-commit-hook.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+cd $(git rev-parse --show-toplevel)
+./.github/make-workflows.sh
+git add .github/workflows