From c3d33aa5c4b099ffe9895a8f1fd50fa05e44ce69 Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 14:02:26 +0200
Subject: [PATCH 1/3] ci: migrate to GitHub actions workflows
---
 .github/workflows/conventional-commits.yaml | 16 +++++
 .github/workflows/docker-build.yaml | 78 +++++++++++++++++++++
 .github/workflows/release-please.yaml | 18 +++++
 .release-please-manifest.json | 1 +
 Jenkinsfile | 13 ----
 release-please-config.json | 10 +++
 6 files changed, 123 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/conventional-commits.yaml
 create mode 100644 .github/workflows/docker-build.yaml
 create mode 100644 .github/workflows/release-please.yaml
 create mode 100644 .release-please-manifest.json
 delete mode 100644 Jenkinsfile
 create mode 100644 release-please-config.json
diff --git a/.github/workflows/conventional-commits.yaml b/.github/workflows/conventional-commits.yaml
new file mode 100644
index 0000000..cb75bfd
--- /dev/null
+++ b/.github/workflows/conventional-commits.yaml
@@ -0,0 +1,16 @@
+name: Conventional Commit as PR title
+
+on:
+ pull_request_target:
+ types:
+ - opened
+ - edited
+ - reopened
+
+jobs:
+ lint-pr-title:
+ # Prevent execution on forks
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ permissions:
+ pull-requests: read
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/conventional-commits.yml@conventional-commits-v1.1.0
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
new file mode 100644
index 0000000..1e76a5e
--- /dev/null
+++ b/.github/workflows/docker-build.yaml
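Review bot: The `uses:` line of `lint-pr-title` pins the reusable workflow to the mutable tag `conventional-commits-v1.1.0` rather than a commit SHA, so a moved or force-pushed tag in the called repository changes what runs under `pull_request_target` without any change here; the same applies to `actions/checkout@v6` and `docker-build-v3.3.0` in docker-build.yaml and to `release-please-v2.0.0` in release-please.yaml. Since these are first-party references this may be an accepted trade-off, but pinning to the full SHA with the tag kept in a trailing comment, e.g. `uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/conventional-commits.yml@<commit-sha>  # conventional-commits-v1.1.0`, keeps the version readable while making resolution immutable. The job-level `permissions: pull-requests: read` is the right restriction for a `pull_request_target` trigger and should stay.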
@@ -0,0 +1,78 @@
+name: Build and Push OCI Image
+
+on:
+ pull_request:
+ push:
+ branches: [main]
+ tags:
+ - 'v*.*.*'
+ # can only be executed by people with write access on repository
+ workflow_dispatch:
+
+jobs:
+ prepare:
+ name: Determine image tag
+ runs-on: ubuntu-latest
+ # Prevent execution on forks
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ outputs:
+ image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Determine Docker tag based on Git ref
+ id: determine-tag
+ run: |
+ if [ "${{ github.ref_type }}" = "tag" ] ; then
+ # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag
+ TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+ if [ -z "$TAG_ON_MAIN" ] ; then
+ echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+ echo "Tags must be created on main branch to generate X.Y.Z image tags"
+ exit 1
+ fi
+
+ GITHUB_REF_NAME="${{ github.ref_name }}"
+ echo "Processing tag on main branch: ${{ github.ref_name }}"
+ echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT
+ else
+ if [ "${{ github.event_name }}" = "pull_request" ] ; then
+ SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
+ else
+ SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+ fi
+
+ if [ "${{ github.ref_name }}" = "main" ] ; then
+ echo "Processing main branch"
+ echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+ else
+ # This covers other branches
+ echo "Processing feat/fix branch ${{ github.head_ref }}"
+ echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+ fi
+ fi
+
+ build-oci-image:
+ name: Build OCI image
+ needs: prepare
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v3.3.0
+ with:
+ image-name: docker-regis.iex.ec/offchain-python-hello-world
+ image-tag: ${{
needs.prepare.outputs.image_tag }}
+ dockerfile: offchain-computing/Dockerfile
+ context: offchain-computing
+ registry: docker-regis.iex.ec
+ push: true
+ security-scan: true
+ security-report: "sarif"
+ hadolint: true
+ platform: linux/amd64
+ secrets:
+ dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+ dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN_PULL_ONLY }}
+ username: ${{ secrets.NEXUS_USERNAME }}
+ password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
new file mode 100644
index 0000000..7a5fb14
--- /dev/null
+++ b/.github/workflows/release-please.yaml
@@ -0,0 +1,18 @@
+name: Release Please
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
+jobs:
+ release-please:
+ # Prevent execution on forks
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/release-please.yml@release-please-v2.0.0
+ secrets: inherit
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..6c321c0
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1 @@
+{".":"8.0.5"}
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 106b8dd..0000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,13 +0,0 @@
-@Library('global-jenkins-library@2.3.1') _
-
-buildInfo = getBuildInfo()
-
-baseDir = 'offchain-computing'
-
-buildSimpleDocker_v3(
- buildInfo: buildInfo,
- dockerfileDir: baseDir,
- buildContext: baseDir,
- dockerImageRepositoryName: 'offchain-python-hello-world',
- visibility: 'iex.ec'
-)
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..0950af1
--- /dev/null
+++ b/release-please-config.json
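Review bot: In the `Determine Docker tag based on Git ref` step, `${{ github.head_ref }}` is expanded straight into the `run:` script on the line `echo "Processing feat/fix branch ${{ github.head_ref }}"`; because the workflow also triggers on `pull_request`, that branch name is chosen by the PR author and is substituted before the shell ever parses the script, and the `github.repository_owner` guard does not help since it evaluates to the base repository's owner for fork PRs as well. Route the value through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref }}` to the step and change the line to `echo "Processing feat/fix branch $HEAD_REF"`; the `${{ github.ref_name }}` expansions in the same script deserve the same treatment even though they are only reachable by people with push access. The `SHORT_SHA=$(echo ${{ ... }} | cut -c1-8)` lines also splice context values into the script unquoted, which is harmless for a hex SHA but reads more safely as `"${PR_HEAD_SHA:0:8}"` / `"${GITHUB_SHA:0:8}"` from environment variables.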
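Review bot: `secrets: inherit` on the `release-please` job forwards every repository and organization secret to the called workflow, and together with the workflow-level `contents: write` / `issues: write` / `pull-requests: write` that is more than a release-PR automation job visibly needs. If `release-please.yml` in github-actions-workflows declares the secrets it requires (not visible here), pass only those by name under `secrets:`, the way docker-build.yaml in this same commit already does for its registry credentials. Moving the `permissions:` block from the workflow level down to the job would also stop any job added to this file later from inheriting write scopes by default.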
@@ -0,0 +1,10 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "draft-pull-request": true,
+ "include-component-in-tag": false,
+ "include-v-in-tag": true,
+ "release-type": "simple",
+ "packages": {
+ ".": {}
+ }
+}
From 69391e541126229eb12e92e450c3cda0c9b9691f Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 14:45:31 +0200
Subject: [PATCH 2/3] ci: publish Trivy security report in comment
---
 .github/workflows/docker-build.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 1e76a5e..77b689d 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -68,7 +68,7 @@ jobs:
 registry: docker-regis.iex.ec
 push: true
 security-scan: true
- security-report: "sarif"
+ security-report: "comment"
 hadolint: true
 platform: linux/amd64
 secrets:
From 85b25fbf93bb6f8c84d9b57a0c89008b49a86a73 Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Tue, 5 May 2026 15:09:08 +0200
Subject: [PATCH 3/3] fix: upgrade python and alpine versions
---
 offchain-computing/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/offchain-computing/Dockerfile b/offchain-computing/Dockerfile
index 202da70..d3e012e 100644
--- a/offchain-computing/Dockerfile
+++ b/offchain-computing/Dockerfile
@@ -1,7 +1,7 @@
-FROM python:3.7-alpine3.10
+FROM python:3.13-alpine3.23
+
+RUN apk upgrade --no-cache
-### install needed python3 dependencies
-RUN apk add --no-cache gcc musl-dev
 RUN pip3 install eth-abi==4.2.1
 COPY ./src /app
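Review bot: Changing `security-report` from `"sarif"` to `"comment"` presumably moves the Trivy findings from code-scanning alerts to a pull-request comment, but this workflow also runs on `push` to `main`, on `v*.*.*` tags and on `workflow_dispatch`, where there is no pull request to comment on, so the scan results for the images that are actually published may no longer be recorded anywhere persistent. How the reusable workflow treats `comment` outside a PR is not visible here; it is worth confirming, and if it silently skips, either keep SARIF for non-PR events or add a comment on this line such as `# PR comment only; main/tag builds rely on the registry-side scan` stating why that is acceptable. The enclosing `with:` block of `build-oci-image` starts before this hunk.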
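Review bot: Dropping `RUN apk add --no-cache gcc musl-dev` assumes every transitive dependency of `eth-abi==4.2.1` ships a musllinux wheel for CPython 3.13; if one does not, `pip3 install` on this Alpine base now fails trying to build from source, so the image build in this PR should be checked rather than assumed, and if a toolchain is still needed the usual fix is to install and remove it in the same `RUN` layer or move to a multi-stage build. `eth-abi` 4.2.1 appears to predate Python 3.13, so its compatibility with the new interpreter is a second assumption, and the bare version pin without hashes or a lock file means the resolved dependency tree is not reproducible between builds. `python:3.13-alpine3.23` is a moving tag as well; pinning the base image by digest (`FROM python:3.13-alpine3.23@sha256:<base-image-digest>`) gives the image layer the same reproducibility that the added `apk upgrade --no-cache` line tries to give the packages.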