feat: feat(deployment): add TDX app deployment pipeline for Arbitrum (#246)

* feat: feat(deployment): add TDX app deployment pipeline for Arbitrum

* fix: prepare migration to TDX (#247)

chore(deps): upgrade iexec package to v8.23.0

* fix(ci): downgrade GitHub Actions runner to ubuntu-22.04 for Scone compatibility

* fix(ci): upgrade GitHub Actions runner to ubuntu-latest

* fix(deploy): add missing checksum for docker app deployment

* fix: prepare migration to TDX (#247)

chore(deps): upgrade iexec package to v8.23.0

* chore(main): release web3mail 1.7.4 (#248)

Co-authored-by: iexec-release-please-app[bot] <202620906+iexec-release-please-app[bot]@users.noreply.github.com>

* feat(dapp): upgrade iexec version to 8.23.0

* fix(ci): disable Trivy security scan in dapp-deploy workflow

* refactor: use TEE_FRAMEWORK as var

---------

Co-authored-by: iexec-release-please-app[bot] <202620906+iexec-release-please-app[bot]@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

.github/workflows/dapp-deploy.yml

@@ -44,15 +44,14 @@ jobs:
           fi
 
   docker-publish:
-    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.3.1
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v3.1.1
     needs: [extract-tag]
     with:
       image-name: 'iexechub/web3mail-dapp'
       registry: 'docker.io'
       dockerfile: 'dapp/Dockerfile'
       context: 'dapp'
-      security-scan: true
-      security-report: 'sarif'
+      security-scan: false
       hadolint: true
       push: true
       image-tag: ${{ needs.extract-tag.outputs.clean_tag }}
@@ -61,6 +60,7 @@ jobs:
       password: ${{ secrets.DOCKERHUB_PAT }}
 
   sconify:
+    if: startsWith(github.event.inputs.environment, 'bellecour-')
     uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/sconify.yml@sconify-v2.0.0
     needs: [docker-publish, extract-tag]
     with:
@@ -87,7 +87,76 @@ jobs:
       scontain-password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
       scone-signing-key: ${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}
 
-  deploy-dapp:
+  deploy-tdx-dapp:
+    if: startsWith(github.event.inputs.environment, 'arbitrum-')
+    needs: [extract-tag, docker-publish]
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20.19.0'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          cd node_modules/whitelist-smart-contract
+          npm install --save-dev ts-node
+          cd ../../deployment-dapp
+          npm ci
+
+      - name: Deploy TDX dapp contract
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3MAIL_APP_OWNER_PRIVATEKEY }}
+          DOCKER_IMAGE_TAG: ${{ needs.extract-tag.outputs.clean_tag }}
+          CHECKSUM: ${{ needs.docker-publish.outputs.checksum }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd deployment-dapp
+          npm run deploy-dapp
+
+      - name: Push dapp secret
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3MAIL_APP_OWNER_PRIVATEKEY }}
+          MJ_APIKEY_PUBLIC: ${{ secrets.MAILJET_APIKEY_PUBLIC }}
+          MJ_APIKEY_PRIVATE: ${{ secrets.MAILJET_APIKEY_PRIVATE }}
+          MJ_SENDER: ${{ secrets.MAILJET_SENDER }}
+          MAILGUN_APIKEY: ${{ secrets.MAILGUN_APIKEY }}
+          WEB3MAIL_WHITELISTED_APPS: ${{ vars.WEB3MAIL_WHITELISTED_APPS }}
+          POCO_SUBGRAPH_URL: ${{ vars.POCO_SUBGRAPH_URL }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd deployment-dapp
+          npm run push-dapp-secret
+
+      - name: Publish free sell order
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.WEB3MAIL_APP_OWNER_PRIVATEKEY }}
+          PRICE: ${{ vars.SELL_ORDER_PRICE }}
+          VOLUME: ${{ vars.SELL_ORDER_VOLUME }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+          TEE_FRAMEWORK: ${{ vars.TEE_FRAMEWORK }}
+        run: |
+          cd deployment-dapp
+          npm run publish-sell-order
+
+      - name: Add resource to whitelist
+        env:
+          CONTRACT_ADDRESS: ${{ vars.WEB3MAIL_WHITELIST_CONTRACT_ADDRESS }}
+          PRIVATE_KEY: ${{ secrets.WEB3MAIL_APP_OWNER_PRIVATEKEY }}
+          RPC_URL: ${{ secrets.RPC_URL }}
+        run: |
+          cd node_modules/whitelist-smart-contract
+          export ADDRESS_TO_ADD=$(cat ../../deployment-dapp/.app-address)
+          npm run addResourceToWhitelist -- --network ${{ vars.WHITELIST_NETWORK_NAME }}
+
+  deploy-scone-dapp:
+    if: startsWith(github.event.inputs.environment, 'bellecour-')
     needs: [extract-tag, sconify]
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
@@ -109,7 +178,7 @@ jobs:
           cd ../../deployment-dapp
           npm ci
 
-      - name: Deploy dapp contract
+      - name: Deploy SCONE dapp contract
         env:
           WALLET_PRIVATE_KEY: ${{ secrets.WEB3MAIL_APP_OWNER_PRIVATEKEY }}
           DOCKER_IMAGE_TAG: ${{ needs.sconify.outputs.prod-image-tag }}
@@ -131,6 +200,7 @@ jobs:
           WEB3MAIL_WHITELISTED_APPS: ${{ vars.WEB3MAIL_WHITELISTED_APPS }}
           POCO_SUBGRAPH_URL: ${{ vars.POCO_SUBGRAPH_URL }}
           RPC_URL: ${{ secrets.RPC_URL }}
+          SCONIFY_VERSION: ${{ vars.SCONIFY_VERSION }}
         run: |
           cd deployment-dapp
           npm run push-dapp-secret
@@ -141,6 +211,7 @@ jobs:
           PRICE: ${{ vars.SELL_ORDER_PRICE }}
           VOLUME: ${{ vars.SELL_ORDER_VOLUME }}
           RPC_URL: ${{ secrets.RPC_URL }}
+          TEE_FRAMEWORK: ${{ vars.TEE_FRAMEWORK }}
         run: |
           cd deployment-dapp
           npm run publish-sell-order