Skip to content

fix: update trivy to 0.29.0 (#121) #5

fix: update trivy to 0.29.0 (#121)

fix: update trivy to 0.29.0 (#121) #5

Workflow file for this run

name: CI
on:
push:
branches:
- main
pull_request:
jobs:
shared:
uses: pantos-io/ci-workflows/.github/workflows/python-ci.yml@v1
with:
test-database: true
database-name: pantos-validator-node-test
database-user: pantos-validator-node
database-password: 7FVg7AE3
secrets: inherit
docker-build:
name: Build Docker images
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
arch: ['amd64']
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
azure.archive.ubuntu.com:80
deb.debian.org:80
esm.ubuntu.com:443
files.pythonhosted.org:443
ghcr.io:443
github.com:443
index.docker.io:443
motd.ubuntu.com:443
packages.microsoft.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
pypi.org:443
registry-1.docker.io:443
repo.anaconda.com:443
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: pantos-io/ethereum-contracts
path: ethereum-contracts
sparse-checkout: |
Makefile
docker-compose.yml
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
id: buildx
- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-v1.0-${{ github.repository }}-${{ github.ref_name }}
restore-keys: |
${{ runner.os }}-buildx-v1.0-${{ github.repository }}-
- name: Check docker config and disable live reload
run: |
cat /etc/docker/daemon.json
echo '{ "live-restore": false }' | sudo tee /etc/docker/daemon.json
sudo systemctl reload docker
make check-swarm-init
- name: Run Docker
run: |
make docker-local
working-directory: ethereum-contracts
env:
DOCKER_TAG: "development"
- name: Ensure ethereum-contracts is accessible
run: |
for port in 8511 8510; do
echo "Checking availability of http://localhost:$port..."
for i in {1..30}; do
if curl -s --max-time 5 http://localhost:$port/ -X POST -H "Content-Type: application/json" --data '{"method":"eth_blockNumber","params":[],"id":1,"jsonrpc":"2.0"}'; then
echo " ... http://localhost:$port is accessible."
break
else
echo "http://localhost:$port is not accessible. Retrying in 10 seconds..."
sleep 10
fi
done
done
working-directory: ethereum-contracts
- name: Build and load
run: |
mkdir export
make docker-build ARGS='--set "*.cache-from=type=local,src=/tmp/.buildx-cache" \
--set "*.cache-to=type=local,dest=/tmp/.buildx-cache-new" \
--set "*.platform=linux/${{ matrix.arch }}" \
--builder ${{ steps.buildx.outputs.name }} \
--set "app.output=type=tar,dest=export/app.tar" \
--set "worker.output=type=tar,dest=export/worker.tar"'
- name: Test image
timeout-minutes: ${{ matrix.arch == 'amd64' && 10 || 30 }}
run: |
make docker
- name: Dump validator node logs
if: always()
run: |
timeout 1 make docker-logs || true
- name: Tear down
run: |
make docker-remove
- name: Dump ethereum contract logs
if: always()
run: |
timeout 1 make docker-logs || true
working-directory: ethereum-contracts
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: docker-images-${{ matrix.arch }}
path: export
retention-days: 1
build:
uses: ./.github/workflows/build.yml
install:
needs: [build]
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- ubuntu-20.04
- ubuntu-22.04
# TODO: Fix the installation on ubuntu-24.04
# - ubuntu-24.04
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: pantos-io/ethereum-contracts
path: ethereum-contracts
sparse-checkout: |
Makefile
docker-compose.yml
docker-compose.ci.yml
docker-compose.local.yml
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
id: buildx
- name: Check docker config and disable live reload
run: |
cat /etc/docker/daemon.json
echo '{ "live-restore": false }' | sudo tee /etc/docker/daemon.json
sudo systemctl reload docker
make check-swarm-init
- name: Run Docker
run: |
make docker-local
working-directory: ethereum-contracts
env:
DOCKER_TAG: "development"
- name: Ensure ethereum-contracts is accessible
run: |
for port in 8511 8510; do
echo "Checking availability of http://localhost:$port..."
for i in {1..30}; do
if curl -s --max-time 5 http://localhost:$port/ -X POST -H "Content-Type: application/json" --data '{"method":"eth_blockNumber","params":[],"id":1,"jsonrpc":"2.0"}'; then
echo " ... http://localhost:$port is accessible."
break
else
echo "http://localhost:$port is not accessible. Retrying in 10 seconds..."
sleep 10
fi
done
done
working-directory: ethereum-contracts
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: build-amd64
path: build
- name: Preconfigure package
run: |
echo 'pantos-validator-node-full pantos/common/configure_postgresql boolean true' | sudo debconf-set-selections;
echo 'pantos-validator-node-full pantos/common/configure_rabbitmq boolean true' | sudo debconf-set-selections;
echo 'pantos-validator-node-full pantos/common/start_services boolean true' | sudo debconf-set-selections;
- name: Copy files from eth-data and bnb-data
run: |
sudo mkdir -p /etc/pantos
sudo chmod 777 /etc/pantos
# Get the task ID for the eth service
ETH_TASK_ID=$(docker ps --filter "name=stack-ethereum-contracts--1-eth" --format "{{.ID}}")
# Copy files from the eth service
docker cp $ETH_TASK_ID:/data/keystore /etc/pantos/keystore.eth
docker cp $ETH_TASK_ID:/data/ETHEREUM.env /etc/pantos/ETHEREUM.env
# Get the task ID for the bnb service
BNB_CHAIN_TASK_ID=$(docker ps --filter "name=stack-ethereum-contracts--1-bnb" --format "{{.ID}}")
# Copy files from the bnb service
docker cp $BNB_CHAIN_TASK_ID:/data/keystore /etc/pantos/keystore.bnb
docker cp $BNB_CHAIN_TASK_ID:/data/BNB_CHAIN.env /etc/pantos/BNB_CHAIN.env
working-directory: ethereum-contracts
- name: Set env
run: |
sudo cp ./validator-node-config.local.env /etc/pantos/validator-node-config.env
# Append the new addresses from the copied env files
sudo cat /etc/pantos/ETHEREUM.env | sudo tee -a /etc/pantos/validator-node-config.env > /dev/null
sudo cat /etc/pantos/BNB_CHAIN.env | sudo tee -a /etc/pantos/validator-node-config.env > /dev/null
sudo chmod 644 /etc/pantos/validator-node-config.env
- name: Install Debian package
run: |
sudo apt-get update
sudo apt-get install -y ./build/*.deb curl
# Check service is running
- name: Check service is running
timeout-minutes: 5
run: |
# Wait for the service to start
while ! sudo systemctl is-active --quiet pantos-validator-node-server; do
echo "Server is not running, retrying in 1 second."
sleep 1
done
echo "Server is running"
while ! sudo systemctl is-active --quiet pantos-validator-node-celery; do
echo "Celery is not running, retrying in 1 second."
sleep 1
done
echo "Celery is running"
# Wait for curl to be positive
max_retries=60
retries=0
set +e
while [ $retries -lt $max_retries ]; do
response=$(curl -s --max-time 5 -o /dev/null -w '%{http_code}' 'http://localhost:8080/health/nodes')
exit_code=$?
if [ "$response" -eq 200 ]; then
echo "Received 200 response, exiting."
break
elif [ $exit_code -eq 28 ]; then
echo "Curl timed out, continuing to retry."
else
echo "Did not receive 200 response, retrying in 1 second."
fi
sleep 1
retries=$((retries + 1))
done
set -e
if [ $retries -eq $max_retries ]; then
echo "Max retries reached, exiting with failure."
exit 1
fi
echo "Service is up and running"
- name: Print logs
if: always()
run: |
sudo systemctl status pantos-validator-node-server || true
sudo systemctl status pantos-validator-node-celery || true
sudo journalctl -u pantos-validator-node-server || true
sudo journalctl -u pantos-validator-node-celery || true
# Print the contents of every file in /var/log/pantos
sudo find /var/log/pantos -type f -exec sudo cat {} \;
- name: Fix permissions for upload
if: always()
run: |
sudo chmod -R 777 /var/log/pantos
sudo chmod -R 777 /etc/pantos
- name: Upload logs
if: always()
uses: actions/upload-artifact@v4
with:
name: install-logs-${{ matrix.os }}
path: /var/log/pantos
- name: Upload env config
if: always()
uses: actions/upload-artifact@v4
with:
name: env-config-${{ matrix.os }}
path: /etc/pantos
- name: Dump ethereum contract logs
if: always()
run: |
timeout 1 make docker-logs || true
working-directory: ethereum-contracts
e2e-tests:
name: E2E tests
needs: docker-build
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
arch: ['amd64']
env:
PANTOS_VALIDATOR_NODE: ${{ github.workspace }}/validatornode
steps:
- uses: actions/checkout@v4
with:
path: ${{ env.PANTOS_VALIDATOR_NODE }}
sparse-checkout: |
docker-compose.yml
docker-compose.override.yml
validator-node-config.docker.env
Makefile
- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: docker-images-${{ matrix.arch }}
path: export
- name: Load images
run: |
cat export/app.tar | docker import - pantosio/validator-node-app:local
cat export/worker.tar | docker import - pantosio/validator-node-worker:local
- uses: pantos-io/e2e-testing/.github/actions/run-tests@main
with:
validatornode-path: ${{ env.PANTOS_VALIDATOR_NODE }}
validatornode-version: 'local'