Skip to content
Build and Push OCI Image

feat: add GitHub actions workflows (#145) #5

Sign in to view logs

feat: add GitHub actions workflows (#145)

feat: add GitHub actions workflows (#145) #5

Workflow file for this run

.github/workflows/docker-build.yaml at a8c92b2
name: Build and Push OCI Image
on:
pull_request:
push:
branches: [main]
tags:
- 'v*.*.*'
jobs:
prepare:
name: Determine image tag
runs-on: ubuntu-latest
outputs:
image_tag: ${{ steps.determine-tag.outputs.image_tag }}
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Determine Docker tag based on Git ref
id: determine-tag
run: |
if [ "${{ github.ref_type }}" = "tag" ] ; then
# Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag
TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
if [ -z "$TAG_ON_MAIN" ] ; then
echo "Error: Tag ${{ github.ref_name }} is not on main branch"
echo "Tags must be created on main branch to generate X.Y.Z image tags"
exit 1
fi
GITHUB_REF_NAME="${{ github.ref_name }}"
echo "Processing tag on main branch: ${{ github.ref_name }}"
echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT
else
if [ "${{ github.event_name }}" = "pull_request" ] ; then
SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
else
SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
fi
if [ "${{ github.ref_name }}" = "main" ] ; then
echo "Processing main branch"
echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
else
# This covers other branches
echo "Processing feature/bugfix branch ${{ github.head_ref }}"
echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
fi
fi
build-oci-image:
name: Build OCI image
needs: prepare
uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
with:
image-name: docker-regis.iex.ec/python-hello-world
image-tag: ${{ needs.prepare.outputs.image_tag }}
dockerfile: cloud-computing/Dockerfile
context: cloud-computing
registry: docker-regis.iex.ec
push: true
security-scan: true
security-report: "sarif"
hadolint: true
platforms: linux/amd64
secrets:
username: ${{ secrets.NEXUS_USERNAME }}
password: ${{ secrets.NEXUS_PASSWORD }}
build-tee-image:
name: Build TEE image
needs: [prepare, build-oci-image]
runs-on: ubuntu-latest
env:
native_image: docker-regis.iex.ec/python-hello-world
enclave_image: docker-regis.iex.ec/python-hello-world-unlocked
sconify_image: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked
sconify_version: 5.9.1
steps:
- name: Login to Scontain registry
uses: docker/login-action@v3
with:
registry: registry.scontain.com
username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
- name: Login to Docker regis
uses: docker/login-action@v3
with:
registry: docker-regis.iex.ec
username: ${{ secrets.NEXUS_USERNAME }}
password: ${{ secrets.NEXUS_PASSWORD }}
- name: Pull sconification tools
run: docker pull $sconify_image:$sconify_version
- name: Pull native image
run: docker pull $native_image:${{ needs.prepare.outputs.image_tag }}
- name: Sconify
run: |
IMG_FROM=$native_image:${{ needs.prepare.outputs.image_tag }}
IMG_TO=$enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug
SCONE_IMAGE=$sconify_image:$sconify_version
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCONE_IMAGE \
sconify_iexec --cli=$SCONE_IMAGE --crosscompiler=$SCONE_IMAGE \
--from=$IMG_FROM --to=$IMG_TO --binary-fs --fs-dir=/app --binary=/usr/local/bin/python3.7 \
--heap=1G --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose
echo
docker run --rm -e SCONE_HASH=1 $IMG_TO
- name: Push TEE image
run: docker push $enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug
- name: Clean OCI images
run: |
docker image rm -f \
$native_image:${{ needs.prepare.outputs.image_tag }} \
$enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug \
$sconify_image:$sconify_version