Push builds to GCP (bnb-chain#62)

galaio · Mar 4, 2023 · 428dc6e · 428dc6e
1 parent b9bbfdf
commit 428dc6e
Showing 1 changed file with 117 additions and 29 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,6 +1,97 @@
 version: 2.1
 
+orbs:
+  gcp-cli: circleci/[email protected]
+
+commands:
+  gcp-oidc-authenticate:
+    description: "Authenticate with GCP using a CircleCI OIDC token."
+    parameters:
+      project_id:
+        type: env_var_name
+        default: GCP_PROJECT_ID
+      workload_identity_pool_id:
+        type: env_var_name
+        default: GCP_WIP_ID
+      workload_identity_pool_provider_id:
+        type: env_var_name
+        default: GCP_WIP_PROVIDER_ID
+      service_account_email:
+        type: env_var_name
+        default: GCP_SERVICE_ACCOUNT_EMAIL
+      gcp_cred_config_file_path:
+        type: string
+        default: /home/circleci/gcp_cred_config.json
+      oidc_token_file_path:
+        type: string
+        default: /home/circleci/oidc_token.json
+    steps:
+      - run:
+          name: "Create OIDC credential configuration"
+          command: |
+            # Store OIDC token in temp file
+            echo $CIRCLE_OIDC_TOKEN > << parameters.oidc_token_file_path >>
+            # Create a credential configuration for the generated OIDC ID Token
+            gcloud iam workload-identity-pools create-cred-config \
+                "projects/${<< parameters.project_id >>}/locations/global/workloadIdentityPools/${<< parameters.workload_identity_pool_id >>}/providers/${<< parameters.workload_identity_pool_provider_id >>}"\
+                --output-file="<< parameters.gcp_cred_config_file_path >>" \
+                --service-account="${<< parameters.service_account_email >>}" \
+                --credential-source-file=<< parameters.oidc_token_file_path >>
+      - run:
+          name: "Authenticate with GCP using OIDC"
+          command: |
+            # Configure gcloud to leverage the generated credential configuration
+            gcloud auth login --brief --cred-file "<< parameters.gcp_cred_config_file_path >>"
+            # Configure ADC
+            echo "export GOOGLE_APPLICATION_CREDENTIALS='<< parameters.gcp_cred_config_file_path >>'" | tee -a "$BASH_ENV"
+
 jobs:
+  docker-release:
+    environment:
+      DOCKER_BUILDKIT: 1
+    parameters:
+      docker_name:
+        description: Docker image name
+        type: string
+        default: "op-geth"
+      docker_tags:
+        description: Docker image tags as csv
+        type: string
+      registry:
+        description: Docker registry
+        type: string
+        default: "us-docker.pkg.dev"
+      repo:
+        description: Docker repo
+        type: string
+        default: "oplabs-tools-artifacts/images"
+    machine:
+      image: ubuntu-2204:2022.07.1
+      resource_class: xlarge
+    steps:
+      - gcp-cli/install
+      - gcp-oidc-authenticate
+      - checkout
+      - run:
+          name: Configure Docker
+          command: |
+            gcloud auth configure-docker <<parameters.registry>>
+      - run:
+          name: Build and push
+          command: |
+            IMAGE_BASE="<<parameters.registry>>/<<parameters.repo>>/<<parameters.docker_name>>"
+            DOCKER_TAGS=$(echo -ne <<parameters.docker_tags>> | sed "s/,/\n/g" | sed "s/[^a-zA-Z0-9\n]/-/g" | sed -e "s|^|-t ${IMAGE_BASE}:|")
+            docker context create buildx-build
+            docker buildx create --use buildx-build
+            docker buildx build --push \
+              $(echo -ne $DOCKER_TAGS | tr '\n' ' ') \
+              --platform=linux/arm64,linux/amd64 \
+              --build-arg VERSION=$CIRCLE_TAG \
+              --build-arg COMMIT=$CIRCLE_SHA \
+              --build-arg BUILDNUM=$CIRCLE_BUILD_NUM \
+              --progress plain \
+              -f Dockerfile .
+
   build-geth:
     docker:
       - image: cimg/go:1.18
@@ -26,33 +117,6 @@ jobs:
       - run:
           command: go run build/ci.go lint
 
-  push-geth:
-    docker:
-      - image: cimg/base:2022.04
-    steps:
-      - when:
-          condition:
-            equal: [ optimism, <<pipeline.git.branch>> ]
-          steps:
-            - checkout
-            - setup_remote_docker:
-                version: 20.10.12
-            - run:
-                name: Build and push
-                command: |
-                  echo "$DOCKER_PASS" | docker login -u "$DOCKER_USERNAME" --password-stdin
-                  docker context create buildx-build
-                  docker buildx create --use buildx-build
-                  docker buildx build --push \
-                    --tag "ethereumoptimism/op-geth:$CIRCLE_SHA1" \
-                    --tag "ethereumoptimism/op-geth:$CIRCLE_BRANCH" \
-                    --tag "ethereumoptimism/op-geth:latest" \
-                    --platform=linux/arm64,linux/amd64 \
-                    -f Dockerfile .
-      # Below step is required to prevent CircleCI from barfing on a
-      # job with no steps
-      - run: echo 0
-
 workflows:
   main:
     jobs:
@@ -62,5 +126,29 @@ workflows:
           name: Run unit tests for geth
       - lint-geth:
           name: Run linter over geth
-      - push-geth:
-          name: Push geth
+      - docker-release:
+          name: Push to Docker
+          docker_tags: <<pipeline.git.revision>>
+          context:
+            - oplabs-gcr
+  release:
+    jobs:
+      - hold:
+          type: approval
+          filters:
+            tags:
+              only: /^op-geth\/v.*/
+            branches:
+              ignore: /.*/
+      - docker-release:
+          name: Push to Docker
+          filters:
+            tags:
+              only: /^op-geth\/v.*/
+            branches:
+              ignore: /.*/
+          docker_tags: <<pipeline.git.revision>>,<<pipeline.git.tag>>
+          context:
+            - oplabs-gcr-release
+          requires:
+            - hold