diff --git a/.cargo/config.toml b/.cargo/config.toml
deleted file mode 100644
index 823922e..0000000
--- a/.cargo/config.toml
+++ /dev/null
@@ -1,2 +0,0 @@
-[build]
-rustflags = ["-C", "target-feature=-crt-static"]
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 147153e..559b263 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -8,7 +8,7 @@ on:
 jobs:
 build-and-test:
- uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/rust-build.yml@rust-build-v2.0.0
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/rust-build.yml@rust-build-v2.1.0
 with:
 rust-version: '1.88.0'
 working-directory: "."
@@ -21,9 +21,9 @@ jobs:
 runs-on: ubuntu-latest
 if: |
 github.ref_name == 'main' ||
- startsWith(github.head_ref, 'feature/') ||
- startsWith(github.head_ref, 'bugfix/') ||
- (github.event_name == 'workflow_dispatch' && (startsWith(github.ref_name, 'feature/') || startsWith(github.ref_name, 'bugfix/')))
+ startsWith(github.head_ref, 'feat/') ||
+ startsWith(github.head_ref, 'fix/') ||
+ (github.event_name == 'workflow_dispatch' && (startsWith(github.ref_name, 'feat/') || startsWith(github.ref_name, 'fix/')))
 outputs:
 image_tag: ${{ steps.determine-tag.outputs.image_tag }}
 steps:
@@ -40,8 +40,8 @@ jobs:
 echo "Processing main branch"
 echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
 else
- # This covers feature/ and bugfix/ branches
- echo "Processing feature/bugfix branch ${{ github.head_ref }}"
+ # This covers feat/ and fix/ branches
+ echo "Processing feat/fix branch ${{ github.head_ref }}"
 echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
 fi
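Review bot: On the new line `echo "Processing feat/fix branch ${{ github.head_ref }}"` the branch name is still expanded by the Actions runner into the script text before bash parses it, and git ref names may contain characters such as `$`, backticks, `;` or `|`; since `github.head_ref` is only populated on pull-request events, this workflow appears to run for PRs, where that name is chosen by the PR author. The `if:` guard in the `@@ -21,9 +21,9 @@` hunk constrains only the `feat/` / `fix/` prefix, not the rest of the name. Pass the value through the environment instead and quote it: add `env:` with `HEAD_REF: ${{ github.head_ref }}` on this step and write `echo "Processing feat/fix branch $HEAD_REF"`. Separately, the output two lines below stays `image_tag=feature-${SHORT_SHA}` while the comment now says feat/fix; if the `feature-` tag prefix is intentional, a comment such as `# tag prefix stays feature- for downstream consumers` would stop the next reader from "fixing" it. The enclosing `run: |` step starts outside this hunk.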
@@ -51,7 +51,7 @@ jobs:
 strategy:
 matrix:
 package: [post-compute, pre-compute]
- uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v3.3.0
 with:
 image-name: docker-regis.iex.ec/tee-worker-${{ matrix.package }}-rust
 image-tag: ${{ needs.prepare.outputs.image_tag }}
@@ -62,60 +62,9 @@ jobs:
 security-scan: true
 security-report: "sarif"
 hadolint: true
- platforms: linux/amd64
+ platform: linux/amd64
 secrets:
+ dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
+ dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN_PULL_ONLY }}
 username: ${{ secrets.NEXUS_USERNAME }}
 password: ${{ secrets.NEXUS_PASSWORD }}
-
- build-tee-image:
- name: Build TEE images
- needs: [prepare, build-oci-image]
- runs-on: ubuntu-latest
- strategy:
- matrix:
- sconify_image:
- - name: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked
- version: 5.9.1
- tee_worker:
- - binary: /app/tee-worker-post-compute
- img_from: docker-regis.iex.ec/tee-worker-post-compute-rust
- img_to: docker-regis.iex.ec/tee-worker-post-compute-rust-unlocked
- - binary: /app/tee-worker-pre-compute
- img_from: docker-regis.iex.ec/tee-worker-pre-compute-rust
- img_to: docker-regis.iex.ec/tee-worker-pre-compute-rust-unlocked
- steps:
- - name: Login to Scontain registry
- uses: docker/login-action@v3
- with:
- registry: registry.scontain.com
- username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
- password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
- - name: Login to Docker regis
- uses: docker/login-action@v3
- with:
- registry: docker-regis.iex.ec
- username: ${{ secrets.NEXUS_USERNAME }}
- password: ${{ secrets.NEXUS_PASSWORD }}
- - name: Pull sconification tools
- run: docker pull ${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}
- - name: Pull native image
- run: docker pull ${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }}
- - name: Sconify
- run: |
- IMG_FROM=${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }}
- IMG_TO=${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug
- SCONE_IMAGE=${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCONE_IMAGE \
- sconify_iexec 
--cli=$SCONE_IMAGE --crosscompiler=$SCONE_IMAGE \
- --base=alpine:3.22 --from=$IMG_FROM --to=$IMG_TO --binary=${{ matrix.tee_worker.binary }} \
- --heap=1G --stack=8M --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose
- echo
- docker run --rm -e SCONE_HASH=1 $IMG_TO
- - name: Push TEE image
- run: docker push ${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug
- - name: Clean OCI images
- run: |
- docker image rm -f \
- ${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }} \
- ${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug \
- ${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}
diff --git a/.github/workflows/sconify-release.yaml b/.github/workflows/sconify-release.yaml
deleted file mode 100644
index 887eaae..0000000
--- a/.github/workflows/sconify-release.yaml
+++ /dev/null
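Review bot: With `build-tee-image` removed here and `sconify-release.yaml` deleted in the same commit, no workflow left in this repository builds the sconified TEE images or runs the `SCONE_HASH=1` check that used to follow the build; if that responsibility moved into `docker-build.yml@docker-build-v3.3.0` or another repository, a comment above the `build-oci-image` job such as `# TEE (sconified) images are now built in <LOCATION-PLACEHOLDER>` would save the next reader a search. On the new side the `secrets:` block now passes four credentials to the reusable workflow; the pull-only naming of `DOCKERHUB_TOKEN_PULL_ONLY` is the right least-privilege signal, and it is worth confirming that `platform: linux/amd64` is the input name the v3.3.0 workflow declares, since an input that the called workflow does not define fails the call rather than being ignored. The `build-oci-image` job header lies before this hunk.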
@@ -1,94 +0,0 @@ -name: Sconify and push TEE image - -on: - workflow_dispatch: - inputs: - sconify_version: - default: 5.9.1-v16 - required: true - -jobs: - prepare: - name: Determine image tag - if: github.ref_type == 'tag' - runs-on: ubuntu-latest - outputs: - binary: ${{ steps.determine-tag.outputs.binary }} - image_name: ${{ steps.determine-tag.outputs.image_name }} - image_tag: ${{ steps.determine-tag.outputs.image_tag }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Determine base tag - id: determine-tag - run: | - TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main') - - if [ -z "$TAG_ON_MAIN" ] ; then - echo "Error: Tag ${{ github.ref_name }} is not on main branch" - echo "Tags must be created on main branch to generate X.Y.Z image tags" - exit 1 - fi - - GITHUB_REF_NAME="${{ github.ref_name }}" - echo "Processing tag on main branch: ${{ github.ref_name }}" - - case "$GITHUB_REF_NAME" in - tee-worker-post-compute-v*) - echo "binary=/app/tee-worker-post-compute" | tee -a $GITHUB_OUTPUT - echo "image_name=tee-worker-post-compute-rust" | tee -a $GITHUB_OUTPUT - echo "image_tag=${GITHUB_REF_NAME#tee-worker-post-compute-v}" | tee -a $GITHUB_OUTPUT - ;; - tee-worker-pre-compute-v*) - echo "binary=/app/tee-worker-pre-compute" | tee -a $GITHUB_OUTPUT - echo "image_name=tee-worker-pre-compute-rust" | tee -a $GITHUB_OUTPUT - echo "image_tag=${GITHUB_REF_NAME#tee-worker-pre-compute-v}" | tee -a $GITHUB_OUTPUT - ;; - *) - echo "Error: Unsupported tag ${{ github.ref_name }}" - exit 1 - ;; - esac - - build-tee-image: - name: Sconify TEE image - needs: prepare - runs-on: ubuntu-latest - env: - IMG_FROM: docker-regis.iex.ec/${{ needs.prepare.outputs.image_name }}:${{ needs.prepare.outputs.image_tag }} - IMG_TO: docker-regis.iex.ec/${{ needs.prepare.outputs.image_name }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ inputs.sconify_version }}-production - SCONIFY_IMAGE: 
registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify_version }}
- steps:
- - name: Login to Scontain registry
- uses: docker/login-action@v3
- with:
- registry: registry.scontain.com
- username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
- password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
- - name: Login to Docker regis
- uses: docker/login-action@v3
- with:
- registry: docker-regis.iex.ec
- username: ${{ secrets.NEXUS_USERNAME }}
- password: ${{ secrets.NEXUS_PASSWORD }}
- - name: Pull sconification tools
- run: docker pull ${{ env.SCONIFY_IMAGE }}
- - name: Pull native image
- run: docker pull ${{ env.IMG_FROM }}
- - name: Sconify
- run: |
- echo "${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}" > ${{ github.workspace }}/sig.pem
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/sig.pem:/sig.pem ${{ env.SCONIFY_IMAGE }} \
- sconify_iexec --cli=${{ env.SCONIFY_IMAGE }} --crosscompiler=${{ env.SCONIFY_IMAGE }} \
- --base=alpine:3.22 --from=${{ env.IMG_FROM }} --to=${{ env.IMG_TO }} --binary=${{ needs.prepare.outputs.binary }} \
- --heap=1G --stack=8M --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose \
- --scone-signer=/sig.pem
- echo
- docker run --rm -e SCONE_HASH=1 ${{ env.IMG_TO }}
- - name: Push TEE image
- run: docker push ${{ env.IMG_TO }}
- - name: Clean OCI images
- run: docker image rm -f ${{ env.IMG_FROM }} ${{ env.IMG_TO }} ${{ env.SCONIFY_IMAGE }}
diff --git a/Cargo.lock b/Cargo.lock
index 56fe159..d5fe241 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4146,7 +4146,7 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 [[package]]
 name = "tee-worker-post-compute"
-version = "0.2.0"
+version = "0.3.0"
 dependencies = [
 "aes",
 "alloy-signer",
@@ -4179,7 +4179,7 @@ dependencies = [
 [[package]]
 name = "tee-worker-pre-compute"
-version = "0.3.0"
+version = "0.4.0"
 dependencies = [
 "aes",
 "alloy-signer",
diff --git a/post-compute/Dockerfile b/post-compute/Dockerfile
index 1108e92..3a38f3b 100644
--- a/post-compute/Dockerfile
+++ b/post-compute/Dockerfile
@@ -1,7 +1,7 @@
 FROM rust:1.88-alpine3.22 AS builder
 # Install build dependencies with pinned versions
-RUN apk add --no-cache musl-dev=1.2.5-r10 openssl-dev=3.5.4-r0
+RUN apk add --no-cache musl-dev=1.2.5-r12 openssl-dev=3.5.6-r0 openssl-libs-static=3.5.6-r0
 WORKDIR /app
@@ -13,9 +13,6 @@ RUN cargo build --release --bin tee-worker-post-compute
 FROM alpine:3.22
-# Install required runtime dependencies with pinned versions
-RUN apk add --no-cache libgcc=14.2.0-r6
-
 # Set working directory
 WORKDIR /app
diff --git a/pre-compute/Dockerfile b/pre-compute/Dockerfile
index b120ccd..66d81d1 100644
--- a/pre-compute/Dockerfile
+++ b/pre-compute/Dockerfile
@@ -1,7 +1,7 @@
 FROM rust:1.88-alpine3.22 AS builder
 # Install build dependencies with pinned versions
-RUN apk add --no-cache musl-dev=1.2.5-r10 openssl-dev=3.5.6-r0 openssl-libs-static=3.5.6-r0
 WORKDIR /app
@@ -13,9 +13,6 @@ RUN cargo build --release --bin tee-worker-pre-compute
 FROM alpine:3.22
-# Install required runtime dependencies with pinned versions
-RUN apk add --no-cache libgcc=14.2.0-r6
-
 # Set working directory
 WORKDIR /app
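Review bot: The new `RUN apk add --no-cache musl-dev=1.2.5-r12 openssl-dev=3.5.6-r0 openssl-libs-static=3.5.6-r0` line, taken together with the deleted `-crt-static` rustflag and the removed runtime `libgcc` install, appears to compile OpenSSL into the binary, so the `FROM alpine:3.22` runtime stage no longer carries an OpenSSL package that `apk` can upgrade and that the image scan enabled by `security-scan: true` in ci.yaml may report on; an OpenSSL fix then reaches the image only when this pin is bumped and the image rebuilt. The comment above still reads `# Install build dependencies with pinned versions`, which undersells that; extend it with `# OpenSSL is linked statically: security fixes require bumping openssl-libs-static and rebuilding` so the pin is tracked as a runtime dependency rather than a build-time detail. The same applies to the identical hunk in `pre-compute/Dockerfile`.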