ci: ci: migrate the release workflow to github actions (#11785)

* ci: rename install ubuntu deps to install system dependencies

* ci: migrate the release workflow to github actions

* ci: set permissions required by the newly added workflows explicitly

* ci: prevent duplicate release and docker publishing

* ci: trigger docker workflow on push to master

* ci: do not pass tokens to goreleaser on dry release runs

* ci: specify higher permissions on a job level

.github/actions/export-circle-env/action.yml

@@ -0,0 +1,14 @@
+name: Export Circle Env
+description: Export CircleCI environment variables for Filecoin Lotus
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        if [[ "$GITHUB_REF" == refs/tags/* ]]; then
+          echo "CIRCLE_TAG=${GITHUB_REF#refs/tags/}" | tee -a $GITHUB_ENV
+        fi
+        echo "CIRCLE_PROJECT_USERNAME=$GITHUB_REPOSITORY_OWNER" | tee -a $GITHUB_ENV
+        echo "CIRCLE_PROJECT_REPONAME=${GITHUB_REPOSITORY#$GITHUB_REPOSITORY_OWNER/}" | tee -a $GITHUB_ENV
+        echo "CIRCLE_SHA1=$GITHUB_SHA" | tee -a $GITHUB_ENV
+      shell: bash

.github/actions/install-system-dependencies/action.yml

@@ -0,0 +1,19 @@
+name: Install System Dependencies
+description: Install System dependencies for Filecoin Lotus
+
+runs:
+  using: composite
+  steps:
+    - if: runner.os == 'Linux'
+      run: |
+        sudo apt-get update -y
+        sudo apt-get install -y ocl-icd-opencl-dev libhwloc-dev pkg-config
+      shell: bash
+    - if: runner.os == 'macOS'
+      env:
+        HOMEBREW_NO_AUTO_UPDATE: '1'
+      run: |
+        brew install hwloc pkg-config
+        echo "CPATH=$(brew --prefix)/include" | tee -a $GITHUB_ENV
+        echo "LIBRARY_PATH=$(brew --prefix)/lib" | tee -a $GITHUB_ENV
+      shell: bash

.github/actions/install-ubuntu-deps/action.yml

@@ -1,10 +0,0 @@
-name: Install Ubuntu Dependencies
-description: Install Ubuntu dependencies for Filecoin Lotus
-
-runs:
-  using: composite
-  steps:
-    - run: |
-        sudo apt-get update -y
-        sudo apt-get install -y ocl-icd-opencl-dev libhwloc-dev pkg-config
-      shell: bash

.github/workflows/build.yml

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   build:
     name: Build
@@ -24,6 +26,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'
-      - uses: ./.github/actions/install-ubuntu-deps
+      - uses: ./.github/actions/install-system-dependencies
       - uses: ./.github/actions/install-go
       - run: make deps lotus

.github/workflows/builtin-actor-tests.yml

@@ -1,4 +1,5 @@
 name: Built-in Actors
+
 on:
   push:
     paths:
@@ -6,6 +7,9 @@ on:
       - build/builtin_actors_gen.go
     branches:
       - release/*
+
+permissions: {}
+
 jobs:
   release:
     name: Release Tests

.github/workflows/check.yml

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   check-docsgen:
     name: Check (docs-check)
@@ -24,7 +26,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'
-      - uses: ./.github/actions/install-ubuntu-deps
+      - uses: ./.github/actions/install-system-dependencies
       - uses: ./.github/actions/install-go
       - run: go install golang.org/x/tools/cmd/goimports
       - run: make deps
@@ -37,7 +39,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'
-      - uses: ./.github/actions/install-ubuntu-deps
+      - uses: ./.github/actions/install-system-dependencies
       - uses: ./.github/actions/install-go
       - run: make deps lotus
       - run: go install golang.org/x/tools/cmd/goimports
@@ -53,7 +55,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'
-      - uses: ./.github/actions/install-ubuntu-deps
+      - uses: ./.github/actions/install-system-dependencies
       - uses: ./.github/actions/install-go
       - run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
       - run: make deps

.github/workflows/docker.yml

@@ -0,0 +1,100 @@
+name: Docker
+
+on:
+  push:
+    branches:
+      - master
+      - release/*
+    tags:
+      - v*
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  docker:
+    name: Docker (${{ matrix.image }} / ${{ matrix.network }}) [publish=${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - lotus-all-in-one
+        network:
+          - mainnet
+          - butterflynet
+          - calibnet
+          - debug
+        include:
+          - image: lotus
+            network: mainnet
+    env:
+      # Do not publish until CircleCI is deprecated
+      PUBLISH: false
+      # PUBLISH: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }}
+    steps:
+      - id: channel
+        env:
+          IS_MASTER: ${{ github.ref == 'refs/heads/master' }}
+          IS_TAG: ${{ startsWith(github.ref, 'refs/tags/') }}
+          IS_RC: ${{ endsWith(github.ref, '-rc') }}
+          IS_SCHEDULED: ${{ github.event_name == 'schedule' }}
+        run: |
+          channel=''
+          if [[ "$IS_MASTER" == 'true' ]]; then
+            if [[ "$IS_SCHEDULED" == 'true' ]]; then
+              channel=nightly
+            else
+              channel=master
+            fi
+          elif [[ "$IS_TAG" == 'true' ]]; then
+            if [[ "$IS_RC" == 'true' ]]; then
+              channel=candidate
+            else
+              channel=stable
+            fi
+          fi
+          echo "channel=$channel" | tee -a $GITHUB_ENV
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: filecoin/${{ matrix.image }}
+          tags: |
+            type=schedule
+            type=raw,enable=${{ github.event_name != 'schedule' && steps.channel.outputs.channel != '' }},value=${{ steps.channel.outputs.channel }}
+            type=ref,event=tag
+            type=sha,prefix=
+          flavor: |
+            latest=false
+            suffix=${{ matrix.network != 'mainnet' && format('-{0}', matrix.network) || '' }}
+      - if: env.PUBLISH == 'true'
+        name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push if channel is set (channel=${{ steps.channel.outputs.channel }})
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: ${{ env.PUBLISH == 'true' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            ${{ matrix.network != 'mainnet' && format('GOFLAGS=-tags={0}', matrix.network) || ''}}

.github/workflows/release.yml

@@ -0,0 +1,113 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - ci/*
+      - release/*
+    tags:
+      - v*
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  build:
+    name: Build (${{ matrix.os }}/${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            os: Linux
+            arch: X64
+          - runner: macos-13
+            os: macOS
+            arch: X64
+          - runner: macos-14
+            os: macOS
+            arch: ARM64
+    steps:
+      - env:
+          OS: ${{ matrix.os }}
+          ARCH: ${{ matrix.arch }}
+        run: |
+          if [[ "$OS" != "$RUNNER_OS" || "$ARCH" != "$RUNNER_ARCH" ]]; then
+            echo "::error title=Unexpected Runner::Expected $OS/$ARCH, got $RUNNER_OS/$RUNNER_ARCH"
+            exit 1
+          fi
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+      - uses: ./.github/actions/export-circle-env
+      - uses: ./.github/actions/install-system-dependencies
+      - uses: ./.github/actions/install-go
+      - env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: make deps lotus lotus-miner lotus-worker
+      - if: runner.os == 'macOS'
+        run: otool -hv lotus
+      - run: ./scripts/version-check.sh ./lotus
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lotus-${{ matrix.os }}-${{ matrix.arch }}
+          path: |
+            lotus
+            lotus-miner
+            lotus-worker
+  release:
+    name: Release [publish=${{ startsWith(github.ref, 'refs/tags/') }}]
+    permissions:
+      # This enables the job to create and/or update GitHub releases
+      contents: write
+    runs-on: ubuntu-latest
+    needs: [build]
+    env:
+      # Do not publish until CircleCI is deprecated
+      PUBLISH: false
+      # PUBLISH: ${{ startsWith(github.ref, 'refs/tags/') }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          fetch-depth: 0
+      - uses: actions/download-artifact@v4
+        with:
+          name: lotus-Linux-X64
+          path: linux_amd64_v1
+      - uses: actions/download-artifact@v4
+        with:
+          name: lotus-macOS-X64
+          path: darwin_amd64_v1
+      - uses: actions/download-artifact@v4
+        with:
+          name: lotus-macOS-ARM64
+          path: darwin_arm64
+      - uses: ./.github/actions/export-circle-env
+      - uses: ./.github/actions/install-go
+      - uses: ipfs/download-ipfs-distribution-action@v1
+        with:
+          name: kubo
+          version: v0.16.0
+      - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        with:
+          distribution: goreleaser-pro
+          version: latest
+          args: release --clean --debug ${{ env.PUBLISH == 'false' && '--snapshot' || '' }}
+        env:
+          GITHUB_TOKEN: ${{ env.PUBLISH == 'true' && github.token || '' }}
+          GORELEASER_KEY: ${{ env.PUBLISH == 'true' && secrets.GORELEASER_KEY || '' }}
+      - run: ./scripts/generate-checksums.sh
+      - if: env.PUBLISH == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: ./scripts/publish-checksums.sh

.github/workflows/stale.yml

@@ -4,14 +4,14 @@ on:
   schedule:
   - cron: '0 12 * * *'
 
+permissions: {}
+
 jobs:
   stale:
-
-    runs-on: ubuntu-latest
     permissions:
       issues: write
       pull-requests: write
-
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v9
       with:

.github/workflows/sync-master-main.yaml

@@ -1,14 +1,16 @@
 name: sync-master-main
+
 on:
   push:
     branches:
       - master
 
-permissions:
+permissions: {}
-  contents: write
 
 jobs:
   sync:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

.github/workflows/test.yml

@@ -16,8 +16,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
+permissions: {}
-  contents: read
 
 jobs:
   discover:
@@ -239,7 +238,7 @@ jobs:
           path: ${{ steps.make_deps.outputs.path }}
           lookup-only: true
       - if: steps.restore_fetch_params.outputs.cache-hit != 'true'
-        uses: ./.github/actions/install-ubuntu-deps
+        uses: ./.github/actions/install-system-dependencies
       - if: steps.restore_fetch_params.outputs.cache-hit != 'true'
         uses: ./.github/actions/install-go
       - if: steps.restore_fetch_params.outputs.cache-hit != 'true' || steps.restore_make_deps.outputs.cache-hit != 'true'
@@ -272,7 +271,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: 'recursive'
-      - uses: ./.github/actions/install-ubuntu-deps
+      - uses: ./.github/actions/install-system-dependencies
       - uses: ./.github/actions/install-go
       - run: go install gotest.tools/gotestsum@latest
       - name: Restore cached make deps outputs

.goreleaser.yaml

@@ -27,7 +27,7 @@ builds:
       - goos: linux
         goarch: arm64
     prebuilt:
-      path: /tmp/workspace/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus
+      path: '{{ if index .Env "GITHUB_WORKSPACE"  }}{{ .Env.GITHUB_WORKSPACE }}{{ else }}/tmp/workspace{{ end }}/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus'
   - id: lotus-miner
     binary: lotus-miner
     builder: prebuilt
@@ -43,7 +43,7 @@ builds:
       - goos: linux
         goarch: arm64
     prebuilt:
-      path: /tmp/workspace/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-miner
+      path: '{{ if index .Env "GITHUB_WORKSPACE"  }}{{ .Env.GITHUB_WORKSPACE }}{{ else }}/tmp/workspace{{ end }}/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-miner'
   - id: lotus-worker
     binary: lotus-worker
     builder: prebuilt
@@ -59,7 +59,7 @@ builds:
       - goos: linux
         goarch: arm64
     prebuilt:
-      path: /tmp/workspace/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-worker
+      path: '{{ if index .Env "GITHUB_WORKSPACE"  }}{{ .Env.GITHUB_WORKSPACE }}{{ else }}/tmp/workspace{{ end }}/{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/lotus-worker'
 
 archives:
   - id: primary