feat: add GitHub actions workflows #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Push OCI Image | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| tags: | |
| - 'v*.*.*' | |
| jobs: | |
| prepare: | |
| name: Determine image tag | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image_tag: ${{ steps.determine-tag.outputs.image_tag }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Determine Docker tag based on Git ref | |
| id: determine-tag | |
| run: | | |
| if [ "${{ github.ref_type }}" = "tag" ] ; then | |
| # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag | |
| TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main') | |
| if [ -z "$TAG_ON_MAIN" ] ; then | |
| echo "Error: Tag ${{ github.ref_name }} is not on main branch" | |
| echo "Tags must be created on main branch to generate X.Y.Z image tags" | |
| exit 1 | |
| fi | |
| GITHUB_REF_NAME="${{ github.ref_name }}" | |
| echo "Processing tag on main branch: ${{ github.ref_name }}" | |
| echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT | |
| else | |
| if [ "${{ github.event_name }}" = "pull_request" ] ; then | |
| SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8) | |
| else | |
| SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8) | |
| fi | |
| if [ "${{ github.ref_name }}" = "main" ] ; then | |
| echo "Processing main branch" | |
| echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT | |
| else | |
| # This covers other branches | |
| echo "Processing feature/bugfix branch ${{ github.head_ref }}" | |
| echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT | |
| fi | |
| fi | |
| build-oci-image: | |
| name: Build OCI image | |
| needs: prepare | |
| uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0 | |
| with: | |
| image-name: docker-regis.iex.ec/python-hello-world | |
| image-tag: ${{ needs.prepare.outputs.image_tag }} | |
| dockerfile: cloud-computing/Dockerfile | |
| context: cloud-computing | |
| registry: docker-regis.iex.ec | |
| push: true | |
| security-scan: true | |
| security-report: "sarif" | |
| hadolint: true | |
| platforms: linux/amd64 | |
| secrets: | |
| username: ${{ secrets.NEXUS_USERNAME }} | |
| password: ${{ secrets.NEXUS_PASSWORD }} | |
| build-tee-image: | |
| name: Build TEE image | |
| needs: [prepare, build-oci-image] | |
| runs-on: ubuntu-latest | |
| env: | |
| native_image: docker-regis.iex.ec/python-hello-world | |
| enclave_image: docker-regis.iex.ec/python-hello-world-unlocked | |
| sconify_image: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked | |
| sconify_version: 5.9.1 | |
| steps: | |
| - name: Login to Scontain registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.scontain.com | |
| username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }} | |
| password: ${{ secrets.SCONTAIN_REGISTRY_PAT }} | |
| - name: Login to Docker regis | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: docker-regis.iex.ec | |
| username: ${{ secrets.NEXUS_USERNAME }} | |
| password: ${{ secrets.NEXUS_PASSWORD }} | |
| - name: Pull sconification tools | |
| run: docker pull $sconify_image:$sconify_version | |
| - name: Pull native image | |
| run: docker pull $native_image:${{ needs.prepare.outputs.image_tag }} | |
| - name: Sconify | |
| run: | | |
| IMG_FROM=$native_image:${{ needs.prepare.outputs.image_tag }} | |
| IMG_TO=$enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug | |
| SCONE_IMAGE=$sconify_image:$sconify_version | |
| docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCONE_IMAGE \ | |
| sconify_iexec --cli=$SCONE_IMAGE --crosscompiler=$SCONE_IMAGE \ | |
| --from=$IMG_FROM --to=$IMG_TO --binary-fs --fs-dir=/app --binary=/usr/local/bin/python3.7 \ | |
| --heap=1G --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose | |
| echo | |
| docker run --rm -e SCONE_HASH=1 $IMG_TO | |
| - name: Push TEE image | |
| run: docker push $enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug | |
| - name: Clean OCI images | |
| run: | | |
| docker image rm -f \ | |
| $native_image:${{ needs.prepare.outputs.image_tag }} \ | |
| $enclaveimage:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug \ | |
| $sconify_image:$sconify_version |