From 5e77b87aa9f497aea2edc206680f0b542af1ed11 Mon Sep 17 00:00:00 2001
From: Leon Tan
Date: Thu, 3 Oct 2024 17:52:00 +0000
Subject: [PATCH 1/4] Add verification scripts

---
 scripts/dfx-orbit.validate.backend.sh | 21 +++++++++++++++++++++
 scripts/dfx-orbit.validate.frontend.sh | 26 ++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100755 scripts/dfx-orbit.validate.backend.sh
 create mode 100755 scripts/dfx-orbit.validate.frontend.sh

diff --git a/scripts/dfx-orbit.validate.backend.sh b/scripts/dfx-orbit.validate.backend.sh
new file mode 100755
index 000000000..496439c44
--- /dev/null
+++ b/scripts/dfx-orbit.validate.backend.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+if [ -z "${RELEASE_COMMIT}" ]; then
+ echo "RELEASE_COMMIT is unset or set to the empty string"
+ exit 1
+fi
+
+# Checkout
+git fetch
+git checkout $RELEASE_COMMIT
+
+# Make sure target directory exists but no prior artifacts are there
+mkdir -p target
+rm -f target/backend.wasm.gz target/args.txt
+
+# Generate argument file and wasm binary
+ENV=ic ./scripts/deploy.args.sh > target/args.txt
+DOCKER_BUILDKIT=1 docker build --progress=plain --build-arg network=ic -o target/ .
+
+# Verify that the wasm matches the request
+dfx-orbit verify $BACKEND_REQUEST_ID canister install backend --mode upgrade --wasm target/backend.wasm.gz --arg-file target/args.txt
\ No newline at end of file
diff --git a/scripts/dfx-orbit.validate.frontend.sh b/scripts/dfx-orbit.validate.frontend.sh
new file mode 100755
index 000000000..c00368edd
--- /dev/null
+++ b/scripts/dfx-orbit.validate.frontend.sh
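Review bot: `$BACKEND_REQUEST_ID` on the final `dfx-orbit verify` line of scripts/dfx-orbit.validate.backend.sh is expanded unquoted and is never checked, although the script already rejects an empty `RELEASE_COMMIT`. If the variable is unset or empty the word vanishes after expansion, so `canister` becomes the first argument to `verify`; what dfx-orbit does with that is not visible here, but the run no longer names the missing input. I would add a guard next to the existing one, `: "${BACKEND_REQUEST_ID:?BACKEND_REQUEST_ID is unset or empty}"`, and quote the expansion as `"$BACKEND_REQUEST_ID"`. The frontend script has the same gap for `$FRONTEND_REQUEST_ID` and `$BATCH_ID`.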
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if [ -z "${RELEASE_COMMIT}" ]; then
+ echo "RELEASE_COMMIT is unset or set to the empty string"
+ exit 1
+fi
+
+if [ -z "${ENV_SHA}" ]; then
+ echo "ENV_SHA is unset or set to the empty string"
+ exit 1
+fi
+
+# Checkout
+git fetch
+git checkout $RELEASE_COMMIT
+
+# Make sure target directory exists but no prior artifacts are there
+mkdir -p target
+rm -fr target/frontend
+
+# Check that the frontend ENV file matches the hash and build the frontend
+echo "$ENV_SHA .env.production" | sha256sum -c || exit 1
+DOCKER_BUILDKIT=1 docker build -f Dockerfile.frontend --progress=plain --build-arg network=ic -o target/ .
+
+# Check that the artifacts match the commit args
+dfx-orbit verify $FRONTEND_REQUEST_ID asset upload frontend --batch-id $BATCH_ID --files target/frontend
From 739511fd75f583bfff2b1f30dbb94268c86e0e7a Mon Sep 17 00:00:00 2001
From: Leon Tan
Date: Thu, 3 Oct 2024 17:58:42 +0000
Subject: [PATCH 2/4] Put a newline at the end of the script

---
 scripts/dfx-orbit.validate.backend.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/dfx-orbit.validate.backend.sh b/scripts/dfx-orbit.validate.backend.sh
index 496439c44..70935d70c 100755
--- a/scripts/dfx-orbit.validate.backend.sh
+++ b/scripts/dfx-orbit.validate.backend.sh
@@ -18,4 +18,4 @@ ENV=ic ./scripts/deploy.args.sh > target/args.txt
 DOCKER_BUILDKIT=1 docker build --progress=plain --build-arg network=ic -o target/ .

 # Verify that the wasm matches the request
-dfx-orbit verify $BACKEND_REQUEST_ID canister install backend --mode upgrade --wasm target/backend.wasm.gz --arg-file target/args.txt
\ No newline at end of file
+dfx-orbit verify $BACKEND_REQUEST_ID canister install backend --mode upgrade --wasm target/backend.wasm.gz --arg-file target/args.txt
From 4cb03c9a5cdae512126d80ee5338ad25c33047a8 Mon Sep 17 00:00:00 2001
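Review bot: In scripts/dfx-orbit.validate.frontend.sh only the `sha256sum -c` step stops the script on failure; `git fetch` and `docker build` can fail and execution still reaches `dfx-orbit verify`. Because `rm -fr target/frontend` runs first, a failed build most likely shows up as a verify error rather than a false match, but the last message the operator sees is then about verification, not about the build. A single `set -euo pipefail` directly under the shebang would make every step fail closed, and `-u` would also catch an unset `FRONTEND_REQUEST_ID` or `BATCH_ID`. The backend script has the same shape: a failing `./scripts/deploy.args.sh` still leaves an empty or partial `target/args.txt` for the verify step.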
From: Leon Tan
Date: Thu, 3 Oct 2024 18:22:45 +0000
Subject: [PATCH 3/4] Format

---
 scripts/dfx-orbit.validate.backend.sh | 10 +++++-----
 scripts/dfx-orbit.validate.frontend.sh | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/scripts/dfx-orbit.validate.backend.sh b/scripts/dfx-orbit.validate.backend.sh
index 70935d70c..5b947cc94 100755
--- a/scripts/dfx-orbit.validate.backend.sh
+++ b/scripts/dfx-orbit.validate.backend.sh
@@ -1,12 +1,12 @@
 #!/bin/bash

 if [ -z "${RELEASE_COMMIT}" ]; then
- echo "RELEASE_COMMIT is unset or set to the empty string"
- exit 1
+ echo "RELEASE_COMMIT is unset or set to the empty string"
+ exit 1
 fi

-# Checkout
-git fetch
+# Checkout
+git fetch
 git checkout $RELEASE_COMMIT

 # Make sure target directory exists but no prior artifacts are there
@@ -14,7 +14,7 @@ mkdir -p target
 rm -f target/backend.wasm.gz target/args.txt

 # Generate argument file and wasm binary
-ENV=ic ./scripts/deploy.args.sh > target/args.txt
+ENV=ic ./scripts/deploy.args.sh >target/args.txt
 DOCKER_BUILDKIT=1 docker build --progress=plain --build-arg network=ic -o target/ .

 # Verify that the wasm matches the request
diff --git a/scripts/dfx-orbit.validate.frontend.sh b/scripts/dfx-orbit.validate.frontend.sh
index c00368edd..9fb42ee80 100755
--- a/scripts/dfx-orbit.validate.frontend.sh
+++ b/scripts/dfx-orbit.validate.frontend.sh
@@ -1,17 +1,17 @@
 #!/bin/bash

 if [ -z "${RELEASE_COMMIT}" ]; then
- echo "RELEASE_COMMIT is unset or set to the empty string"
- exit 1
+ echo "RELEASE_COMMIT is unset or set to the empty string"
+ exit 1
 fi

 if [ -z "${ENV_SHA}" ]; then
- echo "ENV_SHA is unset or set to the empty string"
- exit 1
+ echo "ENV_SHA is unset or set to the empty string"
+ exit 1
 fi

-# Checkout
-git fetch
+# Checkout
+git fetch
 git checkout $RELEASE_COMMIT

 # Make sure target directory exists but no prior artifacts are there
From 866ad9bb4cb8e4d116c28146ce6c6c4473580a72 Mon Sep 17 00:00:00 2001
From: Leon Tan
Date: Fri, 4 Oct 2024 07:12:25 +0000
Subject: [PATCH 4/4] Exit if checkout fails

---
 scripts/dfx-orbit.validate.backend.sh | 2 +-
 scripts/dfx-orbit.validate.frontend.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/dfx-orbit.validate.backend.sh b/scripts/dfx-orbit.validate.backend.sh
index 5b947cc94..be2ad477c 100755
--- a/scripts/dfx-orbit.validate.backend.sh
+++ b/scripts/dfx-orbit.validate.backend.sh
@@ -7,7 +7,7 @@ fi

 # Checkout
 git fetch
-git checkout $RELEASE_COMMIT
+git checkout $RELEASE_COMMIT || exit 1

 # Make sure target directory exists but no prior artifacts are there
 mkdir -p target
diff --git a/scripts/dfx-orbit.validate.frontend.sh b/scripts/dfx-orbit.validate.frontend.sh
index 9fb42ee80..4dc2a597d 100755
--- a/scripts/dfx-orbit.validate.frontend.sh
+++ b/scripts/dfx-orbit.validate.frontend.sh
@@ -12,7 +12,7 @@ fi

 # Checkout
 git fetch
-git checkout $RELEASE_COMMIT
+git checkout $RELEASE_COMMIT || exit 1

 # Make sure target directory exists but no prior artifacts are there
 mkdir -p target
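Review bot: `git checkout $RELEASE_COMMIT || exit 1` in both scripts still expands the variable unquoted and accepts any revision name, so a branch or tag passes as readily as a commit hash. For a script whose result is read as "this artifact was built from that commit", I would pin the build to the exact object: `git checkout --detach "$RELEASE_COMMIT" || exit 1` followed by `[ "$(git rev-parse HEAD)" = "$RELEASE_COMMIT" ] || exit 1`, which requires `RELEASE_COMMIT` to be the full hash. The `git fetch` on the context line above is still unchecked, and both scripts continue outside these hunks.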