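---
# CI pipeline: build/test the Rust crates, derive an image tag from the commit
# SHA, build and push the native OCI images, then sconify them into TEE images.
name: Rust CI

# NOTE(review): generic YAML 1.1 parsers read the `on` key as boolean true;
# GitHub's own loader handles it, so the yamllint `truthy` warning is expected.
on:
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:

# NOTE(review): no top-level `permissions:` is declared, so every job runs with
# the repository's default GITHUB_TOKEN scope. Check what the reusable workflows
# need (e.g. security-events for the SARIF report) before narrowing it.
jobs:
  # Reusable Rust build/test workflow. The `@rust-build-v2.0.0` reference is a
  # tag, which is mutable; pinning the full commit SHA gives a stronger
  # supply-chain guarantee.
  build-and-test:
    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/rust-build.yml@rust-build-v2.0.0
    with:
      rust-version: '1.88.0'
      working-directory: "."
      enable-cache: true
      publish-crates-io: false

  # Derives the image tag from the first 8 characters of the commit SHA.
  # Runs only for main, and for feature/* or bugfix/* branches (the PR head
  # branch, or the branch a workflow_dispatch was started from).
  prepare:
    name: Determine image tag
    needs: build-and-test
    runs-on: ubuntu-latest
    if: |
      github.ref_name == 'main' ||
      startsWith(github.head_ref, 'feature/') ||
      startsWith(github.head_ref, 'bugfix/') ||
      (github.event_name == 'workflow_dispatch' && (startsWith(github.ref_name, 'feature/') || startsWith(github.ref_name, 'bugfix/')))
    outputs:
      image_tag: ${{ steps.determine-tag.outputs.image_tag }}
    steps:
      - name: Determine base tag
        id: determine-tag
        # Context values are handed to the script through `env` rather than
        # interpolated into `run:`. github.head_ref is a user-chosen branch name;
        # inlining it in the shell text would allow command injection.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
          HEAD_REF: ${{ github.head_ref }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          SHA: ${{ github.sha }}
        run: |
          # On pull_request, github.sha is the merge commit; use the PR head SHA instead.
          if [ "$EVENT_NAME" = "pull_request" ] ; then
            SHORT_SHA="${PR_HEAD_SHA:0:8}"
          else
            SHORT_SHA="${SHA:0:8}"
          fi
          if [ "$REF_NAME" = "main" ] ; then
            echo "Processing main branch"
            echo "image_tag=dev-${SHORT_SHA}" | tee -a "$GITHUB_OUTPUT"
          else
            # This covers feature/ and bugfix/ branches. HEAD_REF is empty on
            # workflow_dispatch, so fall back to the dispatched ref name.
            echo "Processing feature/bugfix branch ${HEAD_REF:-$REF_NAME}"
            echo "image_tag=feature-${SHORT_SHA}" | tee -a "$GITHUB_OUTPUT"
          fi

  # Builds and pushes one native image per package via the reusable
  # docker-build workflow (also a mutable tag reference; see note above).
  build-oci-image:
    name: Build OCI images
    needs: prepare
    strategy:
      matrix:
        package: [post-compute, pre-compute]
    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
    with:
      image-name: docker-regis.iex.ec/tee-worker-${{ matrix.package }}-rust
      image-tag: ${{ needs.prepare.outputs.image_tag }}
      dockerfile: ${{ matrix.package }}/Dockerfile
      context: .
      registry: docker-regis.iex.ec
      push: true
      security-scan: true
      security-report: "sarif"
      hadolint: true
      platforms: linux/amd64
    secrets:
      username: ${{ secrets.NEXUS_USERNAME }}
      password: ${{ secrets.NEXUS_PASSWORD }}

  # Wraps each native image into a SCONE TEE image and pushes it as
  # `<img_to>:<image_tag>-sconify-<version>-debug`.
  build-tee-image:
    name: Build TEE images
    needs: [prepare, build-oci-image]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        sconify_image:
          - name: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked
            version: 5.9.1
        tee_worker:
          - binary: /app/tee-worker-post-compute
            img_from: docker-regis.iex.ec/tee-worker-post-compute-rust
            img_to: docker-regis.iex.ec/tee-worker-post-compute-rust-unlocked
          - binary: /app/tee-worker-pre-compute
            img_from: docker-regis.iex.ec/tee-worker-pre-compute-rust
            img_to: docker-regis.iex.ec/tee-worker-pre-compute-rust-unlocked
    # Image references are computed once here so the pull, sconify, push and
    # clean-up steps cannot drift apart on the tag format.
    env:
      SCONE_IMAGE: ${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}
      IMG_FROM: ${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }}
      IMG_TO: ${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug
      TEE_BINARY: ${{ matrix.tee_worker.binary }}
    steps:
      # `docker/login-action@v3` is a major-version tag (mutable); a full commit
      # SHA pin is the stronger choice for third-party actions.
      - name: Login to Scontain registry
        uses: docker/login-action@v3
        with:
          registry: registry.scontain.com
          username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
          password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
      - name: Login to Docker regis
        uses: docker/login-action@v3
        with:
          registry: docker-regis.iex.ec
          username: ${{ secrets.NEXUS_USERNAME }}
          password: ${{ secrets.NEXUS_PASSWORD }}
      - name: Pull sconification tools
        run: docker pull "$SCONE_IMAGE"
      - name: Pull native image
        run: docker pull "$IMG_FROM"
      # Mounting the Docker socket gives the sconify container control of the
      # runner's Docker daemon (root-equivalent on the host); this is only
      # acceptable because the GitHub-hosted runner is ephemeral.
      - name: Sconify
        run: |
          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock "$SCONE_IMAGE" \
            sconify_iexec --cli="$SCONE_IMAGE" --crosscompiler="$SCONE_IMAGE" \
            --base=alpine:3.22 --from="$IMG_FROM" --to="$IMG_TO" --binary="$TEE_BINARY" \
            --heap=1G --stack=8M --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose
          echo
          # SCONE_HASH=1 makes the sconified image print its enclave measurement
          # instead of starting the workload — presumably; confirm against the
          # sconify documentation for this version.
          docker run --rm -e SCONE_HASH=1 "$IMG_TO"
      - name: Push TEE image
        run: docker push "$IMG_TO"
      - name: Clean OCI images
        run: |
          docker image rm -f \
            "$IMG_FROM" \
            "$IMG_TO" \
            "$SCONE_IMAGE"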