feat(BOUN-1308): add manually triggered ci workflow for rate-limits c…

…anister (#3124)

This is a similar PR to #3106, in this
case building and publishing a release of the rate-limits canister used
to adjust rate-limit rules for the API Boundary Nodes.

.github/workflows/anonymization-backend-release.yml

@@ -74,7 +74,7 @@ jobs:
             RELEASE_TAG="${{ env.NAME }}-${COMMIT_SHORT}"
           fi
 
-          if [[ ! "${RELEASE_TAG}" =~ "^${{ env.NAME }}" ]]; then
+          if [[ ! "${RELEASE_TAG}" =~ ^${{ env.NAME }} ]]; then
             echo "ERROR: Required tag prefix: ${{ env.NAME }}"
             exit 1
           fi

.github/workflows/rate-limits-backend-release.yml

@@ -0,0 +1,120 @@
+name: rate-limits-release
+
+on:
+  workflow_dispatch:
+    inputs:
+      title:
+        description: 'Title for the release'
+        required: true
+        type: string
+
+      description:
+        description: 'Human-readable description of the release'
+        required: true
+        type: string
+
+      tag:
+        description: 'Tag for the release (required format `rate-limits-*`)'
+        required: false
+        type: string
+
+permissions:
+  contents: write
+
+env:
+  NAME: rate-limits
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  build-and-release:
+    name: Build and release the rate-limits backend canister
+
+    runs-on:
+      group: zh1
+      labels: dind-large
+
+    container:
+      image: ghcr.io/dfinity/ic-build@sha256:4fd13b47285e783c3a6f35aadd9559d097c0de162a1cf221ead66ab1598d5d45
+      options: >-
+        -e NODE_NAME --privileged --cgroupns host -v /cache:/cache -v /var/sysimage:/var/sysimage -v /var/tmp:/var/tmp -v /ceph-s3-info:/ceph-s3-info
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: build
+        shell: bash
+        run: |
+          TARGET='//rs/boundary_node/rate_limits:rate_limit_canister'
+          bazel build --config=ci ${TARGET}
+
+          OUTPUT='bazel-bin/rs/boundary_node/rate_limits/rate_limit_canister.wasm.gz'
+          mv ${OUTPUT} rate_limit_canister.wasm.gz
+
+          ARTIFACTS=(
+            rate_limit_canister.wasm.gz
+          )
+
+          echo "ARTIFACTS=${ARTIFACTS[@]}" >> "${GITHUB_ENV}"
+
+      - name: checksums
+        run: |
+          CHECKSUMS=$(mktemp)
+
+          for ARTIFACT in ${ARTIFACTS[@]}; do
+              shasum -a256 ${ARTIFACT} >> ${CHECKSUMS}
+          done
+
+          echo "CHECKSUMS=${CHECKSUMS}" >> "${GITHUB_ENV}"
+
+      - name: tag
+        run: |
+          RELEASE_TAG='${{ inputs.tag }}'
+          if [[ -z "${RELEASE_TAG}" ]]; then
+            COMMIT_SHORT=$(git rev-parse --short HEAD)
+            RELEASE_TAG="${{ env.NAME }}-${COMMIT_SHORT}"
+          fi
+
+          if [[ ! "${RELEASE_TAG}" =~ ^${{ env.NAME }} ]]; then
+            echo "ERROR: Required tag prefix: ${{ env.NAME }}"
+            exit 1
+          fi
+
+          git tag ${RELEASE_TAG}
+          git push origin tag ${RELEASE_TAG}
+
+          echo "RELEASE_TAG=${RELEASE_TAG}" >> "${GITHUB_ENV}"
+
+      - name: release notes
+        run: |
+          NOTES=$(mktemp)
+
+          CODE_BLOCK='```'
+
+          cat > ${NOTES} <<EOF
+          ${{ inputs.description }}
+
+          ## Verification
+
+          To reproduce the artifacts of this release:
+
+          ${CODE_BLOCK}
+          bazel build --config=local //rs/boundary_node/rate_limits:rate_limit_canister
+          ${CODE_BLOCK}
+
+          ## Checksums
+
+          ${CODE_BLOCK}
+          $(cat ${CHECKSUMS})
+          ${CODE_BLOCK}
+          EOF
+
+          echo "NOTES=${NOTES}" >> "${GITHUB_ENV}"
+
+      - name: release
+        run: |
+          gh release create \
+            ${RELEASE_TAG} ${ARTIFACTS[@]} \
+                --title '${{ inputs.title }}' \
+                --verify-tag \
+                --latest=false \
+                --notes-file ${NOTES}