From 88c3250104c1ce074bae14545e8443b18b1c3a67 Mon Sep 17 00:00:00 2001
From: Egor_P <egor@parity.io>
Date: Fri, 11 Oct 2024 09:08:46 +0200
Subject: [PATCH] [stable2407] Backport docker fix to 2407 (#6017)

This PR backports fixes for the docker publishing flow from master:
- https://github.com/paritytech/polkadot-sdk/pull/5896
- https://github.com/paritytech/polkadot-sdk/pull/5387
---
 .github/scripts/common/lib.sh                 |  3 +-
 .../workflows/release-50_publish-docker.yml   | 74 ++++++++++++++-----
 .../polkadot/polkadot_injected.Dockerfile     | 52 +++++++++++++
 docker/scripts/build-injected.sh              |  2 +-
 docker/scripts/polkadot/build-injected.sh     |  1 +
 5 files changed, 110 insertions(+), 22 deletions(-)
 create mode 100644 docker/dockerfiles/polkadot/polkadot_injected.Dockerfile

diff --git a/.github/scripts/common/lib.sh b/.github/scripts/common/lib.sh
index bfb3120ad9bb..dd10fcbe1e44 100755
--- a/.github/scripts/common/lib.sh
+++ b/.github/scripts/common/lib.sh
@@ -242,6 +242,7 @@ fetch_release_artifacts() {
 # - GITHUB_TOKEN
 # - REPO in the form paritytech/polkadot
 fetch_release_artifacts_from_s3() {
+  BINARY=$1
   echo "Version    : $VERSION"
   echo "Repo       : $REPO"
   echo "Binary     : $BINARY"
@@ -461,7 +462,7 @@ function get_polkadot_node_version_from_code() {
 
 validate_stable_tag() {
     tag="$1"
-    pattern='^stable[0-9]+(-[0-9]+)?$'
+    pattern="^stable[0-9]{4}(-[0-9]+)?(-rc[0-9]+)?$"
 
     if [[ $tag =~ $pattern ]]; then
         echo $tag
diff --git a/.github/workflows/release-50_publish-docker.yml b/.github/workflows/release-50_publish-docker.yml
index 78723d0bf905..be131676b06a 100644
--- a/.github/workflows/release-50_publish-docker.yml
+++ b/.github/workflows/release-50_publish-docker.yml
@@ -75,17 +75,18 @@ env:
   # EVENT_ACTION: ${{ github.event.action }}
   EVENT_NAME: ${{ github.event_name }}
   IMAGE_TYPE: ${{ inputs.image_type }}
-  VERSION: ${{ inputs.version }}
 
 jobs:
   validate-inputs:
     runs-on: ubuntu-latest
     outputs:
+        version: ${{ steps.validate_inputs.outputs.VERSION }}
+        release_id: ${{ steps.validate_inputs.outputs.RELEASE_ID }}
         stable_tag: ${{ steps.validate_inputs.outputs.stable_tag }}
 
     steps:
       - name: Checkout sources
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Validate inputs
         id: validate_inputs
@@ -93,10 +94,12 @@ jobs:
           . ./.github/scripts/common/lib.sh
 
           VERSION=$(filter_version_from_input "${{ inputs.version }}")
-          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
 
           RELEASE_ID=$(check_release_id "${{ inputs.release_id }}")
-          echo "RELEASE_ID=${RELEASE_ID}" >> $GITHUB_ENV
+          echo "RELEASE_ID=${RELEASE_ID}" >> $GITHUB_OUTPUT
+
+          echo "Release ID: $RELEASE_ID"
 
           STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }})
           echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT
@@ -104,10 +107,11 @@ jobs:
   fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build
     if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }}
     runs-on: ubuntu-latest
+    needs: [validate-inputs]
 
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       #TODO: this step will be needed when automated triggering will work
         #this step runs only if the workflow is triggered automatically when new release is published
@@ -129,7 +133,15 @@ jobs:
         run: |
           . ./.github/scripts/common/lib.sh
 
-          fetch_release_artifacts_from_s3
+          VERSION="${{ needs.validate-inputs.outputs.VERSION }}"
+          if [[ ${{ inputs.binary }} == 'polkadot' ]]; then
+            bins=(polkadot polkadot-prepare-worker polkadot-execute-worker)
+            for bin in "${bins[@]}"; do
+              fetch_release_artifacts_from_s3 $bin
+            done
+          else
+            fetch_release_artifacts_from_s3 $BINARY
+          fi
 
       - name: Fetch chain-spec-builder rc artifacts or release artifacts based on release id
         #this step runs only if the workflow is triggered manually and only for chain-spec-builder
@@ -137,6 +149,7 @@ jobs:
         run: |
           . ./.github/scripts/common/lib.sh
 
+          RELEASE_ID="${{ needs.validate-inputs.outputs.RELEASE_ID }}"
           fetch_release_artifacts
 
       - name: Upload artifacts
@@ -153,7 +166,7 @@ jobs:
 
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Download artifacts
         uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
@@ -181,16 +194,12 @@ jobs:
         run: |
           . ./.github/scripts/common/lib.sh
 
-          RELEASE_ID=$(check_release_id "${{ inputs.release_id }}")
-          release=release-$RELEASE_ID && \
-          echo "release=${release}" >> $GITHUB_OUTPUT
+          echo "release=${{ needs.validate-inputs.outputs.stable_tag }}" >> $GITHUB_OUTPUT
 
           commit=$(git rev-parse --short HEAD) && \
           echo "commit=${commit}" >> $GITHUB_OUTPUT
 
-          tag=$(git name-rev --tags --name-only $(git rev-parse HEAD)) && \
-          [ "${tag}" != "undefined" ] && echo "tag=${tag}" >> $GITHUB_OUTPUT || \
-          echo "No tag, doing without"
+          echo "tag=${{ needs.validate-inputs.outputs.version }}" >> $GITHUB_OUTPUT
 
       - name: Fetch release tags
         working-directory: release-artifacts
@@ -198,15 +207,32 @@ jobs:
         id: fetch_release_refs
         run: |
           chmod a+rx $BINARY
-          [[ $BINARY != 'chain-spec-builder' ]] && VERSION=$(./$BINARY --version | awk '{ print $2 }' )
 
-          release=$( echo $VERSION | cut -f1 -d- )
+          if [[ $BINARY != 'chain-spec-builder' ]]; then
+            VERSION=$(./$BINARY --version | awk '{ print $2 }' )
+            release=$( echo $VERSION | cut -f1 -d- )
+          else
+            release=$(echo ${{ needs.validate-inputs.outputs.VERSION }} | sed 's/^v//')
+          fi
+
           echo "tag=latest" >> $GITHUB_OUTPUT
           echo "release=${release}" >> $GITHUB_OUTPUT
           echo "stable=${{ needs.validate-inputs.outputs.stable_tag }}" >> $GITHUB_OUTPUT
 
-      - name: Build Injected Container image for polkadot rc or chain-spec-builder
-        if: ${{ env.BINARY == 'polkadot' || env.BINARY == 'chain-spec-builder' }}
+      - name: Build Injected Container image for polkadot rc
+        if: ${{ env.BINARY == 'polkadot' }}
+        env:
+          ARTIFACTS_FOLDER: release-artifacts
+          IMAGE_NAME: ${{ env.BINARY }}
+          OWNER: ${{ env.DOCKER_OWNER }}
+          TAGS: ${{ join(steps.fetch_rc_refs.outputs.*, ',') || join(steps.fetch_release_refs.outputs.*, ',') }}
+        run: |
+          ls -al
+          echo "Building container for $BINARY"
+          ./docker/scripts/polkadot/build-injected.sh $ARTIFACTS_FOLDER
+
+      - name: Build Injected Container image chain-spec-builder
+        if: ${{ env.BINARY == 'chain-spec-builder' }}
         env:
           ARTIFACTS_FOLDER: release-artifacts
           IMAGE_NAME: ${{ env.BINARY }}
@@ -233,8 +259,16 @@ jobs:
           echo "Building container for $BINARY"
           ./docker/scripts/build-injected.sh
 
-      - name: Login to Dockerhub
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      - name: Login to Dockerhub to publish polkadot
+        if: ${{ env.BINARY == 'polkadot' }}
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.POLKADOT_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.POLKADOT_DOCKERHUB_TOKEN }}
+
+      - name: Login to Dockerhub to puiblish polkadot-parachain/chain-spec-builder
+        if: ${{ env.BINARY == 'polkadot-parachain' || env.BINARY == 'chain-spec-builder' }}
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.CUMULUS_DOCKERHUB_USERNAME }}
           password: ${{ secrets.CUMULUS_DOCKERHUB_TOKEN }}
@@ -285,7 +319,7 @@ jobs:
     environment: release
     steps:
       - name: Checkout sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
diff --git a/docker/dockerfiles/polkadot/polkadot_injected.Dockerfile b/docker/dockerfiles/polkadot/polkadot_injected.Dockerfile
new file mode 100644
index 000000000000..3dbede4966a8
--- /dev/null
+++ b/docker/dockerfiles/polkadot/polkadot_injected.Dockerfile
@@ -0,0 +1,52 @@
+FROM docker.io/parity/base-bin
+
+# metadata
+ARG VCS_REF
+ARG BUILD_DATE
+ARG IMAGE_NAME
+# That can be a single one or a comma separated list
+ARG BINARY=polkadot
+
+LABEL io.parity.image.authors="devops-team@parity.io" \
+	io.parity.image.vendor="Parity Technologies" \
+	io.parity.image.title="parity/polkadot" \
+	io.parity.image.description="Polkadot: a platform for web3. This is the official Parity image with an injected binary." \
+	io.parity.image.source="https://github.com/paritytech/polkadot-sdk/blob/${VCS_REF}/docker/dockerfiles/polkadot/polkadot_injected.Dockerfile" \
+	io.parity.image.revision="${VCS_REF}" \
+	io.parity.image.created="${BUILD_DATE}" \
+	io.parity.image.documentation="https://github.com/paritytech/polkadot-sdk/"
+
+# show backtraces
+ENV RUST_BACKTRACE 1
+
+USER root
+WORKDIR /app
+
+# add polkadot and polkadot-*-worker binaries to the docker image
+COPY bin/* /usr/local/bin/
+COPY entrypoint.sh .
+
+
+RUN chmod -R a+rx "/usr/local/bin"; \
+		mkdir -p /data /polkadot/.local/share && \
+		chown -R parity:parity /data && \
+		ln -s /data /polkadot/.local/share/polkadot
+
+USER parity
+
+# check if executable works in this container
+RUN /usr/local/bin/polkadot --version
+RUN /usr/local/bin/polkadot-prepare-worker --version
+RUN /usr/local/bin/polkadot-execute-worker --version
+
+
+EXPOSE 30333 9933 9944 9615
+VOLUME ["/polkadot"]
+
+ENV BINARY=${BINARY}
+
+# ENTRYPOINT
+ENTRYPOINT ["/app/entrypoint.sh"]
+
+# We call the help by default
+CMD ["--help"]
diff --git a/docker/scripts/build-injected.sh b/docker/scripts/build-injected.sh
index 749d0fa335cc..c37ea916c839 100755
--- a/docker/scripts/build-injected.sh
+++ b/docker/scripts/build-injected.sh
@@ -40,7 +40,7 @@ VCS_REF=${VCS_REF:-01234567}
 echo "Using engine: $ENGINE"
 echo "Using Dockerfile: $DOCKERFILE"
 echo "Using context: $CONTEXT"
-echo "Building ${IMAGE}:latest container image for ${BINARY} v${VERSION} from ${ARTIFACTS_FOLDER} hang on!"
+echo "Building ${IMAGE}:latest container image for ${BINARY} ${VERSION} from ${ARTIFACTS_FOLDER} hang on!"
 echo "ARTIFACTS_FOLDER=$ARTIFACTS_FOLDER"
 echo "CONTEXT=$CONTEXT"
 
diff --git a/docker/scripts/polkadot/build-injected.sh b/docker/scripts/polkadot/build-injected.sh
index 7cc6db43a54a..8f4e7005b816 100755
--- a/docker/scripts/polkadot/build-injected.sh
+++ b/docker/scripts/polkadot/build-injected.sh
@@ -9,5 +9,6 @@ PROJECT_ROOT=`git rev-parse --show-toplevel`
 
 export BINARY=polkadot,polkadot-execute-worker,polkadot-prepare-worker
 export ARTIFACTS_FOLDER=$1
+export DOCKERFILE="docker/dockerfiles/polkadot/polkadot_injected.Dockerfile"
 
 $PROJECT_ROOT/docker/scripts/build-injected.sh