Publish to ECR (#54)

* gh container push

* add foundry (and Rust to be safe)

* fix docker build yml

* remove bloated cache files for CI disk space

* enable fireblocks feature for prod dockerfile

* fix typo from refactor

* push to ecr

* scope role and update repo name

* update github ci

* udpate ci

---------

Co-authored-by: Austin Abell <[email protected]>

Author: rlukata

Diff for: .github/CODEOWNERS

@@ -3,4 +3,4 @@
 # Note: Order is important; the last matching pattern takes the most
 # precedence.
 
-*                                      @austinabell
+*                                      @risc0/blobstream0

Diff for: .github/workflows/main.yml

@@ -1,23 +1,26 @@
-permissions:
-  contents: read
-  # This configuration allows maintainers of this repo to create a branch and pull request based on
-  # the new branch. Restricting the push trigger to the main branch ensures that the PR only gets
-  # built once.
+name: Check & Test
+
 on:
-  push:
-    branches: [main]
   pull_request:
+    branches: main
   workflow_dispatch:
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
+
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   RISC0_TOOLCHAIN_VERSION: v2024-04-22.0
   RISC0_MONOREPO_REF: "release-1.0"
+
 jobs:
   check:
-    runs-on: ubuntu-latest
+    if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+    runs-on: [self-hosted, prod, Linux, X64, cpu]
     steps:
       - uses: actions/checkout@v4
         with:
@@ -47,7 +50,8 @@ jobs:
         run: |
           [ "$(grep -re 'DO[_ ]\?NOT[_ ]\?MERGE' $(git ls-tree --full-tree --name-only -r HEAD) | tee /dev/fd/2 | wc -l)" -eq "0" ]
   test:
-    runs-on: ubuntu-latest
+    if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+    runs-on: [self-hosted, prod, Linux, X64, cpu]
     steps:
       # This is a workaround from: https://github.com/actions/checkout/issues/590#issuecomment-970586842
       - name: checkout dummy commit (submodule bug workaround)

Diff for: .github/workflows/publish.yml

@@ -0,0 +1,68 @@
+name: Create and publish blobstream docker image
+
+on:
+  push:
+    branches: main
+  pull_request:
+    branches: main
+
+jobs:
+  build-and-push-image:
+    if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+    runs-on: [self-hosted, prod, Linux, X64, cpu]
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install rust
+        uses: risc0/risc0/.github/actions/rustup@main
+
+      # Install risczero toolchain to build the program ELF and image ID deterministically in docker.
+      - name: risczero toolchain install
+        run: |
+          cargo install cargo-binstall --version '=1.6.9' --locked
+          cargo binstall [email protected] --no-confirm --force
+          cargo risczero install
+
+      - name: Install Foundry
+        uses: risc0/foundry-toolchain@2fe7e70b520f62368a0e3c464f997df07ede420f
+
+      - name: cargo check to build ELF and image ID
+        env:
+          RISC0_USE_DOCKER: true
+        run: cargo check
+
+      - name: Delete unnecessary cache files to save disk space for docker build
+        run: sudo rm -rf "/usr/local/share/boost" "$AGENT_TOOLSDIRECTORY" ./target/debug
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: 'us-west-2'
+          role-to-assume: arn:aws:iam::299470750068:role/github-actions-assume-role
+
+      - name: configure federated aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: 'us-west-2'
+          role-to-assume: arn:aws:iam::559050242814:role/github-federated-actions-push-ecr
+          role-chaining: true
+          role-skip-session-tagging: true
+      
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Build, tag, and push (if main) docker image to Amazon ECR
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: blobstream0
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $REGISTRY/$REPOSITORY:$IMAGE_TAG -f ./dockerfiles/blobstream0.Dockerfile .
+          ${{ github.ref == 'refs/heads/main' && github.event_name != 'pull_request' && 'docker push $REGISTRY/$REPOSITORY:$IMAGE_TAG' || '' }}

Diff for: contracts/artifacts/Blobstream0.json

@@ -20,5 +20,5 @@ pragma solidity ^0.8.20;
 
 library ImageID {
     bytes32 public constant LIGHT_CLIENT_GUEST_ID =
-        bytes32(0x41b09a93cf04070fad6f83c0057ec7b31d08e5047f21faa6054846d43f4dac38);
+        bytes32(0x92a8af177f9e052feeb0809e4a68703f73cf13ce362b753293ce864e03d4dbf4);
 }

Diff for: contracts/src/ImageID.sol

@@ -28,7 +28,7 @@ WORKDIR /app
 COPY . .
 
 # Build the project
-RUN cargo build -p blobstream0 --release --features prebuilt-docker
+RUN cargo build -p blobstream0 --release --features prebuilt-docker,fireblocks
 
 # Create a new stage for a smaller final image
 FROM debian:bullseye-slim as final