Merge branch 'master' into tsv-dispute-coord-logs

.github/scripts/common/lib.sh

@@ -315,6 +315,7 @@ function import_gpg_keys() {
     ) &
   done
   wait
+  gpg -k $SEC
 }
 
 # Check the GPG signature for a given binary
@@ -457,3 +458,15 @@ function get_polkadot_node_version_from_code() {
   # Remove the semicolon
   sed 's/;//g'
 }
+
+validate_stable_tag() {
+    tag="$1"
+    pattern='^stable[0-9]+(-[0-9]+)?$'
+
+    if [[ $tag =~ $pattern ]]; then
+        echo $tag
+    else
+        echo "The input '$tag' does not match the pattern."
+        exit 1
+    fi
+}

.github/workflows/checks.yml

@@ -0,0 +1,90 @@
+name: checks
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review, labeled]
+  merge_group:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  changes:
+    # TODO: remove once migration is complete or this workflow is fully stable
+    if: contains(github.event.label.name, 'GHA-migration')
+    permissions:
+      pull-requests: read
+    uses: ./.github/workflows/reusable-check-changed-files.yml
+  set-image:
+    # GitHub Actions allows using 'env' in a container context.
+    # However, env variables don't work for forks: https://github.com/orgs/community/discussions/44322
+    # This workaround sets the container image for each job using 'set-image' job output.
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      IMAGE: ${{ steps.set_image.outputs.IMAGE }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - id: set_image
+        run: cat .github/env >> $GITHUB_OUTPUT
+  cargo-clippy:
+    runs-on: arc-runners-polkadot-sdk-beefy
+    needs: [set-image, changes] # , build-frame-omni-bencher ]
+    if: ${{ needs.changes.outputs.rust }}
+    timeout-minutes: 40
+    container:
+      image: ${{ needs.set-image.outputs.IMAGE }}
+    env:
+      RUSTFLAGS: "-D warnings"
+      SKIP_WASM_BUILD: 1
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: script
+        run: |
+          forklift cargo clippy --all-targets --locked --workspace
+          forklift cargo clippy --all-targets --all-features --locked --workspace
+  check-try-runtime:
+    runs-on: arc-runners-polkadot-sdk-beefy
+    needs: [set-image, changes] # , build-frame-omni-bencher ]
+    if: ${{ needs.changes.outputs.rust }}
+    timeout-minutes: 40
+    container:
+      image: ${{ needs.set-image.outputs.IMAGE }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: script
+        run: |
+          forklift cargo check --locked --all --features try-runtime
+          # this is taken from cumulus
+          # Check that parachain-template will compile with `try-runtime` feature flag.
+          forklift cargo check --locked -p parachain-template-node --features try-runtime
+          # add after https://github.com/paritytech/substrate/pull/14502 is merged
+          # experimental code may rely on try-runtime and vice-versa
+          forklift cargo check --locked --all --features try-runtime,experimental
+  # check-core-crypto-features works fast without forklift
+  check-core-crypto-features:
+    runs-on: arc-runners-polkadot-sdk-beefy
+    needs: [set-image, changes] # , build-frame-omni-bencher ]
+    if: ${{ needs.changes.outputs.rust }}
+    timeout-minutes: 30
+    container:
+      image: ${{ needs.set-image.outputs.IMAGE }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: script
+        run: |
+          cd substrate/primitives/core
+          ./check-features-variants.sh
+          cd -
+          cd substrate/primitives/application-crypto
+          ./check-features-variants.sh
+          cd -
+          cd substrate/primitives/keyring
+          ./check-features-variants.sh
+          cd -

.github/workflows/command-inform.yml

@@ -7,7 +7,8 @@ on:
 jobs:
   comment:
     runs-on: ubuntu-latest
-    if: github.event.issue.pull_request && startsWith(github.event.comment.body, 'bot ')
+    # Temporary disable the bot until the new command bot works properly
+    if: github.event.issue.pull_request && startsWith(github.event.comment.body, 'bot ') && false
     steps:
     - name: Inform that the new command exist
       uses: actions/github-script@v7

.github/workflows/misc-sync-templates.yml

@@ -166,9 +166,13 @@ jobs:
           title: "[Don't merge] Update the ${{ matrix.template }} template to ${{ github.event.inputs.stable_release_branch }}"
           body: "The template has NOT been successfully built and needs to be inspected."
           branch: "update-template/${{ github.event.inputs.stable_release_branch }}"
-      - name: Push changes
-        run: |
-          git add -A .
-          git commit --allow-empty -m "Update to ${{ github.event.inputs.stable_release_branch }} triggered by ${{ github.event_name }}"
-          git push
-        working-directory: "${{ env.template-path }}"
+      - name: Create PR on success
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v5
+        with:
+          path: "${{ env.template-path }}"
+          token: ${{ steps.app_token.outputs.token }}
+          add-paths: |
+            ./*
+          title: "Update the ${{ matrix.template }} template to ${{ github.event.inputs.stable_release_branch }}"
+          body: "This synchronizes the template to the ${{ github.event.inputs.stable_release_branch }} branch."
+          branch: "update-template/${{ github.event.inputs.stable_release_branch }}"

.github/workflows/release-50_publish-docker.yml

@@ -45,7 +45,7 @@ on:
         type: string
         default: docker.io
 
-      # The owner is often the same than the Docker Hub username but does ont have to be.
+      # The owner is often the same as the Docker Hub username but does ont have to be.
       # In our case, it is not.
       owner:
         description: Owner of the container image repo
@@ -58,6 +58,10 @@ on:
         default: v0.9.18
         required: true
 
+      stable_tag:
+        description: Tag matching the actual stable release version in the format stableYYMM or stableYYMM-X for patch releases
+        required: true
+
 permissions:
   contents: write
 
@@ -74,6 +78,29 @@ env:
   VERSION: ${{ inputs.version }}
 
 jobs:
+  validate-inputs:
+    runs-on: ubuntu-latest
+    outputs:
+        stable_tag: ${{ steps.validate_inputs.outputs.stable_tag }}
+
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Validate inputs
+        id: validate_inputs
+        run: |
+          . ./.github/scripts/common/lib.sh
+
+          VERSION=$(filter_version_from_input "${{ inputs.version }}")
+          echo "VERSION=${VERSION}" >> $GITHUB_ENV
+
+          RELEASE_ID=$(check_release_id "${{ inputs.release_id }}")
+          echo "RELEASE_ID=${RELEASE_ID}" >> $GITHUB_ENV
+
+          STABLE_TAG=$(validate_stable_tag ${{ inputs.stable_tag }})
+          echo "stable_tag=${STABLE_TAG}" >> $GITHUB_OUTPUT
+
   fetch-artifacts: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build
     if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }}
     runs-on: ubuntu-latest
@@ -102,17 +129,14 @@ jobs:
         run: |
           . ./.github/scripts/common/lib.sh
 
-          VERSION=$(filter_version_from_input "${{ inputs.version }}")
-          echo "VERSION=${VERSION}" >> $GITHUB_ENV
-
           fetch_release_artifacts_from_s3
 
       - name: Fetch chain-spec-builder rc artifacts or release artifacts based on release id
         #this step runs only if the workflow is triggered manually and only for chain-spec-builder
         if: ${{ env.EVENT_NAME  == 'workflow_dispatch' && inputs.binary == 'chain-spec-builder' }}
         run: |
           . ./.github/scripts/common/lib.sh
-          RELEASE_ID=$(check_release_id "${{ inputs.release_id }}")
+
           fetch_release_artifacts
 
       - name: Upload artifacts
@@ -124,7 +148,7 @@ jobs:
   build-container: # this job will be triggered for the polkadot-parachain rc and release or polkadot rc image build
     if: ${{ inputs.binary == 'polkadot-parachain' || inputs.binary == 'chain-spec-builder' || inputs.image_type == 'rc' }}
     runs-on: ubuntu-latest
-    needs: fetch-artifacts
+    needs: [fetch-artifacts, validate-inputs]
     environment: release
 
     steps:
@@ -179,7 +203,7 @@ jobs:
           release=$( echo $VERSION | cut -f1 -d- )
           echo "tag=latest" >> $GITHUB_OUTPUT
           echo "release=${release}" >> $GITHUB_OUTPUT
-          echo "stable=stable" >> $GITHUB_OUTPUT
+          echo "stable=${{ needs.validate-inputs.outputs.stable_tag }}" >> $GITHUB_OUTPUT
 
       - name: Build Injected Container image for polkadot rc or chain-spec-builder
         if: ${{ env.BINARY == 'polkadot' || env.BINARY == 'chain-spec-builder' }}
@@ -257,7 +281,7 @@ jobs:
   build-polkadot-release-container: # this job will be triggered for polkadot release build
     if: ${{ inputs.binary == 'polkadot' && inputs.image_type == 'release' }}
     runs-on: ubuntu-latest
-    needs: fetch-latest-debian-package-version
+    needs: [fetch-latest-debian-package-version, validate-inputs]
     environment: release
     steps:
       - name: Checkout sources
@@ -295,7 +319,7 @@ jobs:
           # TODO: The owner should be used below but buildx does not resolve the VARs
           # TODO: It would be good to get rid of this GHA that we don't really need.
           tags: |
-            parity/polkadot:stable
+            parity/polkadot:${{ needs.validate-inputs.outputs.stable_tag }}
             parity/polkadot:latest
             parity/polkadot:${{ needs.fetch-latest-debian-package-version.outputs.polkadot_container_tag }}
           build-args: |

.github/workflows/tests-linux-stable.yml

@@ -6,14 +6,16 @@ on:
     branches:
       - master
   pull_request:
-    types: [ opened, synchronize, reopened, ready_for_review ]
+    types: [opened, synchronize, reopened, ready_for_review, labeled]
   merge_group:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
   changes:
+    # TODO: remove once migration is complete or this workflow is fully stable
+    if: contains(github.event.label.name, 'GHA-migration')
     permissions:
       pull-requests: read
     uses: ./.github/workflows/reusable-check-changed-files.yml
@@ -34,7 +36,7 @@ jobs:
         run: cat .github/env >> $GITHUB_OUTPUT
 
   test-linux-stable-int:
-    needs: [ set-image, changes ]
+    needs: [set-image, changes]
     if: ${{ needs.changes.outputs.rust }}
     runs-on: arc-runners-polkadot-sdk-beefy
     timeout-minutes: 60
@@ -51,11 +53,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: script
-        run: WASM_BUILD_NO_COLOR=1 time forklift cargo test -p staging-node-cli --release --locked -- --ignored
+        run: WASM_BUILD_NO_COLOR=1 forklift cargo test -p staging-node-cli --release --locked -- --ignored
 
   # https://github.com/paritytech/ci_cd/issues/864
   test-linux-stable-runtime-benchmarks:
-    needs: [ set-image, changes ]
+    needs: [set-image, changes]
     if: ${{ needs.changes.outputs.rust }}
     runs-on: arc-runners-polkadot-sdk-beefy
     timeout-minutes: 60
@@ -70,4 +72,55 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: script
-        run: time forklift cargo nextest run --workspace --features runtime-benchmarks benchmark --locked --cargo-profile testnet
+        run: forklift cargo nextest run --workspace --features runtime-benchmarks benchmark --locked --cargo-profile testnet
+
+  test-linux-stable:
+    needs: [set-image, changes]
+    if: ${{ needs.changes.outputs.rust }}
+    runs-on: ${{ matrix.runners }}
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        partition: [1/3, 2/3, 3/3]
+        runners: [arc-runners-polkadot-sdk-beefy, oldlinux]
+    container:
+      image: ${{ needs.set-image.outputs.IMAGE }}
+      # needed for tests that use unshare syscall
+      options: --security-opt seccomp=unconfined
+    env:
+      RUST_TOOLCHAIN: stable
+      # Enable debug assertions since we are running optimized builds for testing
+      # but still want to have debug assertions.
+      RUSTFLAGS: "-Cdebug-assertions=y -Dwarnings"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: script
+        run: |
+          # Fixes "detected dubious ownership" error in the ci
+          git config --global --add safe.directory '*'
+          forklift cargo nextest run \
+            --workspace \
+            --locked \
+            --release \
+            --no-fail-fast \
+            --features try-runtime,experimental,riscv,ci-only-tests \
+            --partition count:${{ matrix.partition }}
+      # run runtime-api tests with `enable-staging-api` feature on the 1st node
+      - name: runtime-api tests
+        if: ${{ matrix.partition == '1/3' }}
+        run: forklift cargo nextest run -p sp-api-test --features enable-staging-api
+
+  confirm-required-jobs-passed:
+    runs-on: ubuntu-latest
+    name: All tests passed
+    # If any new job gets added, be sure to add it to this array
+    needs:
+      [
+        test-linux-stable-int,
+        test-linux-stable-runtime-benchmarks,
+        test-linux-stable,
+      ]
+    steps:
+      - run: echo '### Good job! All the tests passed 🚀' >> $GITHUB_STEP_SUMMARY

.gitlab/pipeline/test.yml

@@ -110,8 +110,6 @@ test-linux-stable-codecov:
         codecovcli -v do-upload -f target/coverage/result/report-${CI_NODE_INDEX}.lcov --disable-search -t ${CODECOV_TOKEN} -r paritytech/polkadot-sdk --commit-sha ${CI_COMMIT_SHA} --fail-on-error --git-service github;
       fi
 
-  #
-
 test-linux-stable:
   stage: test
   extends: