send personhood to node template #53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build, Test, Clippy | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - master | |
| - 'sdk-v[0-9]+.[0-9]+.[0-9]+-*' | |
| tags: | |
| - 'v[0-9]+.[0-9]+.[0-9]+*' | |
| pull_request: | |
| branches: | |
| - master | |
| - 'sdk-v[0-9]+.[0-9]+.[0-9]+-*' | |
| env: | |
| CARGO_TERM_COLOR: always | |
| LOG_DIR: logs | |
| BUILD_CONTAINER_NAME: integritee_worker_enclave_test | |
| jobs: | |
| cancel_previous_runs: | |
| name: Cancel Previous Runs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: styfle/[email protected] | |
| with: | |
| access_token: ${{ secrets.GITHUB_TOKEN }} | |
| build-test: | |
| runs-on: ${{ matrix.host }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - flavor_id: offchain-worker | |
| mode: offchain-worker | |
| host: integritee-builder-sgx | |
| sgx_mode: HW | |
| additional_features: dcap | |
| - flavor_id: teeracle | |
| mode: teeracle | |
| host: integritee-builder-sgx | |
| sgx_mode: HW | |
| additional_features: dcap | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set env | |
| run: | | |
| fingerprint=$RANDOM | |
| echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV | |
| if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then | |
| echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV | |
| echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV | |
| else | |
| echo "DOCKER_DEVICES=" >> $GITHUB_ENV | |
| echo "DOCKER_VOLUMES=" >> $GITHUB_ENV | |
| fi | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| buildkitd-flags: --debug | |
| driver: docker-container | |
| - name: Build Worker & Run Cargo Test | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| run: > | |
| docker build -t integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} | |
| --target deployed-worker | |
| --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg FINGERPRINT=${FINGERPRINT} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }} | |
| -f build.Dockerfile . | |
| - name: Build CLI client | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| run: > | |
| docker build -t integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} | |
| --target deployed-client | |
| --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg FINGERPRINT=${FINGERPRINT} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} | |
| -f build.Dockerfile . | |
| - run: docker images --all | |
| - name: Test Enclave # cargo test is not supported in the enclave, see: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/232 | |
| run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} test --all | |
| - name: Export worker image(s) | |
| run: | | |
| docker image save integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | |
| docker image save integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | |
| - name: Upload worker image | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | |
| path: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | |
| - name: Upload CLI client image | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | |
| path: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz | |
| - name: Delete images | |
| run: | | |
| if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then | |
| docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null | |
| fi | |
| if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then | |
| docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null | |
| fi | |
| docker images --all | |
| clippy: | |
| runs-on: ubuntu-latest | |
| container: "integritee/integritee-dev:0.2.2" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: init rust | |
| # enclave is not in the same workspace | |
| run: rustup show && cd enclave-runtime && rustup show | |
| - name: Clippy default features | |
| run: cargo clippy -- -D warnings -A clippy::redundant-closure-call | |
| - name: Enclave # Enclave is separate as it's not in the workspace | |
| run: cd enclave-runtime && cargo clippy -- -D warnings -A clippy::redundant-closure-call | |
| - name: Clippy with Teeracle feature | |
| run: | | |
| cargo clippy --features teeracle -- -D warnings -A clippy::redundant-closure-call | |
| cd enclave-runtime && cargo clippy --features teeracle -- -D warnings -A clippy::redundant-closure-call | |
| - name: Clippy with Offchain-worker feature | |
| run: | | |
| cargo clippy --features offchain-worker -- -D warnings -A clippy::redundant-closure-call | |
| cd enclave-runtime && cargo clippy --features offchain-worker -- -D warnings -A clippy::redundant-closure-call | |
| - name: Fail-fast; cancel other jobs | |
| if: failure() | |
| uses: andymckay/[email protected] | |
| fmt: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: init rust | |
| run: rustup show | |
| - name: Worker & Client | |
| run: cargo fmt --all -- --check | |
| - name: Enclave # Enclave is separate as it's not in the workspace | |
| run: cd enclave-runtime && cargo fmt --all -- --check | |
| - name: Install taplo | |
| run: cargo install taplo-cli --locked | |
| - name: Cargo.toml fmt | |
| run: taplo fmt --check | |
| - name: Fail-fast; cancel other jobs | |
| if: failure() | |
| uses: andymckay/[email protected] | |
| release-build: | |
| runs-on: integritee-builder-sgx | |
| name: Release Build of teeracle | |
| if: startsWith(github.ref, 'refs/tags/') | |
| needs: [build-test] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - flavor_id: teeracle | |
| mode: teeracle | |
| sgx_mode: HW | |
| additional_features: dcap | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Add masks | |
| run: | | |
| echo "::add-mask::$VAULT_TOKEN" | |
| echo "::add-mask::$PRIVKEY_B64" | |
| echo "::add-mask::$PRIVKEY_PASS" | |
| - name: Set env | |
| run: | | |
| fingerprint=$RANDOM | |
| echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV | |
| if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then | |
| echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV | |
| echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV | |
| else | |
| echo "DOCKER_DEVICES=" >> $GITHUB_ENV | |
| echo "DOCKER_VOLUMES=" >> $GITHUB_ENV | |
| fi | |
| echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV" | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| buildkitd-flags: --debug | |
| driver: docker-container | |
| - name: Import secrets | |
| uses: hashicorp/vault-action@v2 | |
| id: import-secrets | |
| with: | |
| url: ${{ secrets.VAULT_URL }} | |
| tlsSkipVerify: false | |
| token: ${{ env.VAULT_TOKEN }} | |
| exportEnv: false | |
| secrets: | | |
| ${{ secrets.VAULT_PATH }} intel_sgx_pem_base64 | PRIVKEY_B64 ; | |
| ${{ secrets.VAULT_PATH }} password | PRIVKEY_PASS | |
| - name: Get secrets | |
| env: | |
| PRIVKEY_B64: ${{ steps.import-secrets.outputs.PRIVKEY_B64 }} | |
| PRIVKEY_PASS: ${{ steps.import-secrets.outputs.PRIVKEY_PASS }} | |
| run: | | |
| echo $PRIVKEY_B64 | base64 --ignore-garbage --decode > enclave-runtime/intel_sgx.pem | |
| echo $PRIVKEY_PASS > enclave-runtime/passfile.txt | |
| - name: Build Worker & Run Cargo Test | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| run: > | |
| docker build -t integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} | |
| --target deployed-worker | |
| --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg SGX_COMMERCIAL_KEY=enclave-runtime/intel_sgx.pem --build-arg SGX_PASSFILE=enclave-runtime/passfile.txt --build-arg SGX_PRODUCTION=1 --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }} | |
| -f build.Dockerfile . | |
| - name: Save released teeracle | |
| run: | | |
| docker image save integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz | |
| docker images --all | |
| - name: Upload teeracle image | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz | |
| path: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz | |
| - name: Delete images | |
| run: | | |
| if [[ "$(docker images -q integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2> /dev/null)" != "" ]]; then | |
| docker image rmi --force integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2>/dev/null | |
| fi | |
| docker images --all | |
| release: | |
| runs-on: ubuntu-latest | |
| name: Draft Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| needs: [build-test, release-build] | |
| outputs: | |
| release_url: ${{ steps.create-release.outputs.html_url }} | |
| asset_upload_url: ${{ steps.create-release.outputs.upload_url }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Download Worker Image | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: integritee-worker-teeracle-${{ github.ref_name }}.tar.gz | |
| path: . | |
| # | |
| # Temporary comment out until we decide what to release | |
| # | |
| # - name: Download Integritee Service | |
| # uses: actions/download-artifact@v3 | |
| # with: | |
| # name: integritee-worker-sidechain-${{ github.sha }} | |
| # path: integritee-worker-tmp | |
| # - name: Download Integritee Client | |
| # uses: actions/download-artifact@v3 | |
| # with: | |
| # name: integritee-client-sidechain-${{ github.sha }} | |
| # path: integritee-client-tmp | |
| # - name: Download Enclave Signed | |
| # uses: actions/download-artifact@v3 | |
| # with: | |
| # name: enclave-signed-sidechain-${{ github.sha }} | |
| # path: enclave-signed-tmp | |
| # - name: Move service binaries | |
| # run: mv integritee-worker-tmp/integritee-service ./integritee-demo-validateer | |
| # - name: Move service client binaries | |
| # run: mv integritee-client-tmp/integritee-cli ./integritee-client | |
| # - name: Move service client binaries | |
| # run: mv enclave-signed-tmp/enclave.signed.so ./enclave.signed.so | |
| - name: Changelog | |
| uses: scottbrenner/generate-changelog-action@master | |
| id: Changelog | |
| - name: Display structure of downloaded files | |
| run: ls -R | |
| working-directory: . | |
| - name: Release | |
| id: create-release | |
| uses: softprops/action-gh-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| body: | | |
| ${{ steps.Changelog.outputs.changelog }} | |
| draft: true | |
| name: Docker ${{ github.ref_name }} | |
| files: | | |
| integritee-worker-teeracle-${{ github.ref_name }}.tar.gz | |
| integritee-client | |
| integritee-demo-validateer | |
| enclave.signed.so |