From 2d08aa7b31d354a2a20bbeb150eb23ff936729ac Mon Sep 17 00:00:00 2001 From: Luca Vivona Date: Fri, 27 Jun 2025 13:35:13 -0400 Subject: [PATCH 1/6] fix(action): remove sha256 manual checksum & add testnet build --- .github/workflows/build.yml | 261 ++++++++++++++++++------------------ 1 file changed, 127 insertions(+), 134 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9be18f0..58012194 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,139 +1,132 @@ name: Build and Release Subspace Runtime on: - push: - tags: - - 'v*' - workflow_dispatch: + push: + tags: + - "v*" + workflow_dispatch: jobs: - build-and-test: - name: Build, Test & Security Audit - runs-on: ubuntu-22.04 - steps: - - uses: actions/checkout@v4 - - - name: Setup Rust cache - uses: Swatinem/rust-cache@v2 - - - name: Install Rust toolchain - run: | - rustup set profile minimal - rustup show - - - name: Install Protoc - uses: arduino/setup-protoc@v1 - with: - version: 3.20.1 - repo-token: ${{ secrets.GITHUB_TOKEN }} - - - # TODO: uncomment when vulnerability audit updated - # - name: Security Vulnerability Audit - # run: cargo audit -D warnings --ignore RUSTSEC-2021-0145 - - - name: Static Code Analysis (Clippy) - uses: actions-rs/clippy-check@v1 - continue-on-error: true - env: - SKIP_WASM_BUILD: 1 - with: - args: --color=always --timings -- -D warnings - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Execute Unit Tests - run: cargo test --verbose - - - name: Compile Subspace Runtime WebAssembly - run: | - cargo build --release --package node-subspace-runtime - export SHA256SUM=$(sha256sum target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm | cut -d ' ' -f1) - echo "Subspace Runtime WASM SHA256: $SHA256SUM" - mkdir -p release-artifacts - cp target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/ - echo $SHA256SUM > release-artifacts/checksum.txt - - - name: Create Distribution Archive - run: | - cd release-artifacts - tar -czf subspace-runtime-wasm.tar.gz node_subspace_runtime.compact.compressed.wasm - - - name: Upload Build Artifacts - uses: actions/upload-artifact@v4 - with: - name: subspace-runtime-artifacts - path: release-artifacts - retention-days: 1 - - create-release: - name: Create GitHub Release - runs-on: ubuntu-22.04 - if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }} - needs: build-and-test - permissions: - id-token: write - contents: write - attestations: write - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - - name: Download Release Artifacts - uses: actions/download-artifact@v4 - with: - name: subspace-runtime-artifacts - path: ./release-artifacts - - - name: Extract Checksum for Release - id: extract_checksum - run: echo "checksum=$(cat release-artifacts/checksum.txt)" >> $GITHUB_OUTPUT - - - name: Publish GitHub Release - uses: softprops/action-gh-release@v1 - with: - files: | - release-artifacts/subspace-runtime-wasm.tar.gz - body: | - # Subspace Runtime WebAssembly Release - - This release contains the production-ready Subspace Runtime compiled to WebAssembly. The runtime has been thoroughly tested and audited for security vulnerabilities. - - ## 📦 Release Assets - - | Asset | Description | SHA256 Checksum | - |-------|-------------|-----------------| - | `subspace-runtime-wasm.tar.gz` | Subspace Runtime WebAssembly Binary | `${{ steps.extract_checksum.outputs.checksum }}` | - - ## 🔐 Integrity Verification - - **Important**: Always verify the integrity of downloaded files before use. - - ### Linux/macOS Verification - ```bash - # Download and verify in one step - echo "${{ steps.extract_checksum.outputs.checksum }} subspace-runtime-wasm.tar.gz" | sha256sum -c - ``` - - ### Windows Verification - ```powershell - # Calculate hash - certutil -hashfile subspace-runtime-wasm.tar.gz SHA256 - - # Expected hash: ${{ steps.extract_checksum.outputs.checksum }} - ``` - - ## 🚀 Usage - - Extract the archive to access the WebAssembly runtime: - ```bash - tar -xzf subspace-runtime-wasm.tar.gz - ``` - - --- + build-and-test: + name: Build, Test & Security Audit + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + + - name: Setup Rust cache + uses: Swatinem/rust-cache@v2 + + - name: Install Rust toolchain + run: | + rustup set profile minimal + rustup show + + - name: Install Protoc + uses: arduino/setup-protoc@v1 + with: + version: 3.20.1 + repo-token: ${{ secrets.GITHUB_TOKEN }} + + # TODO: uncomment when vulnerability audit updated + # - name: Security Vulnerability Audit + # run: cargo audit -D warnings --ignore RUSTSEC-2021-0145 + + - name: Static Code Analysis (Clippy) + uses: actions-rs/clippy-check@v1 + continue-on-error: true + env: + SKIP_WASM_BUILD: 1 + with: + args: --color=always --timings -- -D warnings + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Execute Unit Tests + run: cargo test --all --verbose - **Built with**: Rust stable toolchain - **Tested**: Unit tests, security audit, static analysis - **Target**: WebAssembly (WASM) - draft: false - prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + - name: Compile Testnet Subspace Runtime WebAssembly + run: | + cargo build --release --package node-subspace-runtime --feature testnet + mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/testnet.node_subspace_runtime.compact.compressed.wasm + + - name: Compile Mainet Subspace Runtime WebAssembly + run: | + cargo build --release --package node-subspace-runtime + mkdir -p release-artifacts + mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/node_subspace_runtime.compact.compressed.wasm + + + - name: Upload Build Artifacts + uses: actions/upload-artifact@v4 + with: + name: subspace-runtime-artifacts + path: release-artifacts + retention-days: 1 + + create-release: + name: Create GitHub Release + runs-on: ubuntu-22.04 + if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }} + needs: build-and-test + permissions: + id-token: write + contents: write + attestations: write + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Download Release Artifacts + uses: actions/download-artifact@v4 + with: + name: subspace-runtime-artifacts + path: ./release-artifacts + + - name: Publish GitHub Release + uses: softprops/action-gh-release@v1 + with: + files: | + release-artifacts/node_subspace_runtime.compact.compressed.wasm + release-artifacts/testnet.node_subspace_runtime.compact.compressed.wasm + body: | + # Subspace Runtime WebAssembly Release + + Production-ready Subspace Runtime compiled to WebAssembly for Test and Main networks. This release has undergone comprehensive testing and security auditing. + + ## 📦 Release Assets + + | File | Network | Description | + |------|---------|-------------| + | `testnet.node_subspace_runtime.compact.compressed.wasm` | Testnet | Optimized WebAssembly runtime binary | + | `node_subspace_runtime.compact.compressed.wasm` | Mainnet | Optimized WebAssembly runtime binary | + + ## 🔐 Security & Verification + + **Critical**: Always verify file integrity before deployment using the SHA256 checksums provided by GitHub. + + ### Verification Commands + + **Linux/macOS:** + ```bash + echo "CHECKSUM_HERE .wasm" | sha256sum -c + ``` + + **Windows:** + ```powershell + certutil -hashfile .wasm SHA256 + ``` + + ## ✅ Quality Assurance + + - **Toolchain**: Rust stable + - **Testing**: Comprehensive unit test suite + - **Security**: Professional security audit completed + - **Analysis**: Static code analysis passed + - **Target**: WebAssembly (WASM) optimized build + + --- + + *For support and documentation, visit the [Commune Subspace Network repository](https://github.com/commune-ai/subspace).* + + draft: false + prerelease: ${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') || contains(github.ref_name, 'rc') }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 83057c0662022fee1231a170cb9d28167a055b80 Mon Sep 17 00:00:00 2001 From: Luca Vivona Date: Fri, 27 Jun 2025 14:22:21 -0400 Subject: [PATCH 2/6] fix(typo): typo feature to features --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 58012194..cc4b6056 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,7 +44,7 @@ jobs: - name: Compile Testnet Subspace Runtime WebAssembly run: | - cargo build --release --package node-subspace-runtime --feature testnet + cargo build --release --package node-subspace-runtime --features testnet mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/testnet.node_subspace_runtime.compact.compressed.wasm - name: Compile Mainet Subspace Runtime WebAssembly From fd76fa6ed844854512e839014ca2e39fe0c0b939 Mon Sep 17 00:00:00 2001 From: Luca Vivona Date: Sat, 28 Jun 2025 15:46:28 -0400 Subject: [PATCH 3/6] fix(action): make directory in testnet step --- .github/workflows/build.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cc4b6056..f6827f54 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -45,20 +45,20 @@ jobs: - name: Compile Testnet Subspace Runtime WebAssembly run: | cargo build --release --package node-subspace-runtime --features testnet - mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/testnet.node_subspace_runtime.compact.compressed.wasm + mkdir -p out + mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm out/testnet.node_subspace_runtime.compact.compressed.wasm - name: Compile Mainet Subspace Runtime WebAssembly run: | cargo build --release --package node-subspace-runtime - mkdir -p release-artifacts - mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm release-artifacts/node_subspace_runtime.compact.compressed.wasm + mv target/release/wbuild/node-subspace-runtime/node_subspace_runtime.compact.compressed.wasm out/node_subspace_runtime.compact.compressed.wasm - name: Upload Build Artifacts uses: actions/upload-artifact@v4 with: - name: subspace-runtime-artifacts - path: release-artifacts + name: subspace-artifacts + path: out retention-days: 1 create-release: @@ -78,14 +78,14 @@ jobs: uses: actions/download-artifact@v4 with: name: subspace-runtime-artifacts - path: ./release-artifacts + path: ./out - name: Publish GitHub Release uses: softprops/action-gh-release@v1 with: files: | - release-artifacts/node_subspace_runtime.compact.compressed.wasm - release-artifacts/testnet.node_subspace_runtime.compact.compressed.wasm + out/node_subspace_runtime.compact.compressed.wasm + out/testnet.node_subspace_runtime.compact.compressed.wasm body: | # Subspace Runtime WebAssembly Release From 51fe4a5af9e66a872e401b606e3c856e345d0ed6 Mon Sep 17 00:00:00 2001 From: Luca Vivona Date: Sat, 28 Jun 2025 15:51:40 -0400 Subject: [PATCH 4/6] remove: docker build --- .github/workflows/build-docker.yml | 46 ------------------------------ 1 file changed, 46 deletions(-) delete mode 100644 .github/workflows/build-docker.yml diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml deleted file mode 100644 index c3eb6193..00000000 --- a/.github/workflows/build-docker.yml +++ /dev/null @@ -1,46 +0,0 @@ -name: Build and push Docker image - -on: - push: - branches: [main] - tags: - - "*" - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - build-n-push: - permissions: write-all - runs-on: ubuntu-22.04-32core-karl - steps: - - uses: actions/checkout@v3 - - - id: commit - uses: prompt/actions-commit-hash@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Docker Login - uses: docker/login-action@v3.0.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . - build-args: | - AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} - SCCACHE_BUCKET=agicommies-subspace-cache - SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT }} - SCCACHE_REGION=auto - push: true - tags: | - ghcr.io/renlabs-dev/subspace:${{ steps.commit.outputs.short }} - ghcr.io/renlabs-dev/subspace:${{ github.ref_name }} From 83e03a6b9251a3e887b8358598334fb7d9cc8d14 Mon Sep 17 00:00:00 2001 From: Luca Vivona Date: Sat, 28 Jun 2025 16:38:56 -0400 Subject: [PATCH 5/6] fix: typo on release artifacts name --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f6827f54..729025b3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: - name: Download Release Artifacts uses: actions/download-artifact@v4 with: - name: subspace-runtime-artifacts + name: subspace-artifacts path: ./out - name: Publish GitHub Release From ba5ec0be579ab7864aed5f735400d37e8f45c242 Mon Sep 17 00:00:00 2001 From: Luca Vivona Date: Sat, 28 Jun 2025 17:52:54 -0400 Subject: [PATCH 6/6] chore: update markdown --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 729025b3..caf8df16 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -106,7 +106,7 @@ jobs: **Linux/macOS:** ```bash - echo "CHECKSUM_HERE .wasm" | sha256sum -c + sha256sum .wasm ``` **Windows:**