ci: add sconification workflows (#10)

Author: jbern0rd

.github/workflows/ci.yaml

@@ -17,8 +17,8 @@ jobs:
 
   prepare:
     name: Determine image tag
-    runs-on: ubuntu-latest
     needs: build-and-test
+    runs-on: ubuntu-latest
     if: |
       github.ref_name == 'main' ||
       startsWith(github.head_ref, 'feature/') ||
@@ -27,7 +27,7 @@ jobs:
     outputs:
       image_tag: ${{ steps.determine-tag.outputs.image_tag }}
     steps:
-      - name: Determine Docker tag based on Git ref
+      - name: Determine base tag
         id: determine-tag
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ] ; then
@@ -45,14 +45,17 @@ jobs:
             echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
           fi
 
-  post-compute-oci-image:
-    name: post-compute OCI image
+  build-oci-image:
+    name: Build OCI images
     needs: prepare
+    strategy:
+      matrix:
+        package: [post-compute, pre-compute]
     uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
     with:
-      image-name: docker-regis.iex.ec/tee-worker-post-compute-rust
+      image-name: docker-regis.iex.ec/tee-worker-${{ matrix.package }}-rust
       image-tag: ${{ needs.prepare.outputs.image_tag }}
-      dockerfile: post-compute/Dockerfile
+      dockerfile: ${{ matrix.package }}/Dockerfile
       context: .
       registry: docker-regis.iex.ec
       push: true
@@ -64,21 +67,55 @@ jobs:
       username: ${{ secrets.NEXUS_USERNAME }}
       password: ${{ secrets.NEXUS_PASSWORD }}
 
-  pre-compute-oci-image:
-    name: pre-compute OCI image
-    needs: prepare
-    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
-    with:
-      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
-      image-tag: ${{ needs.prepare.outputs.image_tag }}
-      dockerfile: pre-compute/Dockerfile
-      context: .
-      registry: docker-regis.iex.ec
-      push: true
-      security-scan: true
-      security-report: "sarif"
-      hadolint: true
-      platforms: linux/amd64
-    secrets:
-      username: ${{ secrets.NEXUS_USERNAME }}
-      password: ${{ secrets.NEXUS_PASSWORD }}
+  build-tee-image:
+    name: Build TEE images
+    needs: [prepare, build-oci-image]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        sconify_image:
+          - name: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked
+            version: 5.9.1
+        tee_worker:
+          - binary: /app/tee-worker-post-compute
+            img_from: docker-regis.iex.ec/tee-worker-post-compute-rust
+            img_to: docker-regis.iex.ec/tee-worker-post-compute-rust-unlocked
+          - binary: /app/tee-worker-pre-compute
+            img_from: docker-regis.iex.ec/tee-worker-pre-compute-rust
+            img_to: docker-regis.iex.ec/tee-worker-pre-compute-rust-unlocked
+    steps:
+      - name: Login to Scontain registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.scontain.com
+          username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+          password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+      - name: Login to Docker regis
+        uses: docker/login-action@v3
+        with:
+          registry: docker-regis.iex.ec
+          username: ${{ secrets.NEXUS_USERNAME }}
+          password: ${{ secrets.NEXUS_PASSWORD }}
+      - name: Pull sconification tools
+        run: docker pull ${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}
+      - name: Pull native image
+        run: docker pull ${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }}
+      - name: Sconify
+        run: |
+          IMG_FROM=${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }}
+          IMG_TO=${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug
+          SCONE_IMAGE=${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}
+          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCONE_IMAGE \
+            sconify_iexec --cli=$SCONE_IMAGE --crosscompiler=$SCONE_IMAGE \
+              --base=alpine:3.22 --from=$IMG_FROM --to=$IMG_TO --binary=${{ matrix.tee_worker.binary }} \
+              --heap=1G --stack=8M --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose
+          echo
+          docker run --rm -e SCONE_HASH=1 $IMG_TO
+      - name: Push TEE image
+        run: docker push ${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug
+      - name: Clean OCI images
+        run: |
+          docker image rm -f \
+            ${{ matrix.tee_worker.img_from }}:${{ needs.prepare.outputs.image_tag }} \
+            ${{ matrix.tee_worker.img_to }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ matrix.sconify_image.version }}-debug \
+            ${{ matrix.sconify_image.name }}:${{ matrix.sconify_image.version }}

.github/workflows/docker-build-on-tag.yaml

@@ -20,7 +20,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Determine Docker tag based on Git ref
+      - name: Determine base tag
         id: determine-tag
         run: |
           # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag

.github/workflows/sconify-release.yaml

@@ -0,0 +1,94 @@
+name: Sconify and push TEE image
+
+on:
+  workflow_dispatch:
+    inputs:
+      sconify_version:
+        default: 5.9.1-v16
+        required: true
+
+jobs:
+  prepare:
+    name: Determine image tag
+    if: github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    outputs:
+      binary: ${{ steps.determine-tag.outputs.binary }}
+      image_name: ${{ steps.determine-tag.outputs.image_name }}
+      image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine base tag
+        id: determine-tag
+        run: |
+          TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+          if [ -z "$TAG_ON_MAIN" ] ; then
+            echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+            echo "Tags must be created on main branch to generate X.Y.Z image tags"
+            exit 1
+          fi
+
+          GITHUB_REF_NAME="${{ github.ref_name }}"
+          echo "Processing tag on main branch: ${{ github.ref_name }}"
+
+          case "$GITHUB_REF_NAME" in
+            tee-worker-post-compute-v*)
+              echo "binary=/app/tee-worker-post-compute" | tee -a $GITHUB_OUTPUT
+              echo "image_name=tee-worker-post-compute-rust" | tee -a $GITHUB_OUTPUT
+              echo "image_tag=${GITHUB_REF_NAME#tee-worker-post-compute-v}" | tee -a $GITHUB_OUTPUT
+            ;;
+            tee-worker-pre-compute-v*)
+              echo "binary=/app/tee-worker-pre-compute" | tee -a $GITHUB_OUTPUT
+              echo "image_name=tee-worker-pre-compute-rust" | tee -a $GITHUB_OUTPUT
+              echo "image_tag=${GITHUB_REF_NAME#tee-worker-pre-compute-v}" | tee -a $GITHUB_OUTPUT
+            ;;
+            *)
+              echo "Error: Unsupported tag ${{ github.ref_name }}"
+              exit 1
+            ;;
+          esac
+
+  build-tee-image:
+    name: Sconify TEE image
+    needs: prepare
+    runs-on: ubuntu-latest
+    env:
+      IMG_FROM: docker-regis.iex.ec/${{ needs.prepare.outputs.image_name }}:${{ needs.prepare.outputs.image_tag }}
+      IMG_TO: docker-regis.iex.ec/${{ needs.prepare.outputs.image_name }}:${{ needs.prepare.outputs.image_tag }}-sconify-${{ inputs.sconify_version }}-production
+      SCONIFY_IMAGE: registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify_version }}
+    steps:
+      - name: Login to Scontain registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.scontain.com
+          username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+          password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+      - name: Login to Docker regis
+        uses: docker/login-action@v3
+        with:
+          registry: docker-regis.iex.ec
+          username: ${{ secrets.NEXUS_USERNAME }}
+          password: ${{ secrets.NEXUS_PASSWORD }}
+      - name: Pull sconification tools
+        run: docker pull ${{ env.SCONIFY_IMAGE }}
+      - name: Pull native image
+        run: docker pull ${{ env.IMG_FROM }}
+      - name: Sconify
+        run: |
+          echo "${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}" > ${{ github.workspace }}/sig.pem
+          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/sig.pem:/sig.pem ${{ env.SCONIFY_IMAGE }} \
+            sconify_iexec --cli=${{ env.SCONIFY_IMAGE }} --crosscompiler=${{ env.SCONIFY_IMAGE }} \
+              --base=alpine:3.22 --from=${{ env.IMG_FROM }} --to=${{ env.IMG_TO }} --binary=${{ needs.prepare.outputs.binary }} \
+              --heap=1G --stack=8M --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose \
+              --scone-signer=/sig.pem
+          echo
+          docker run --rm -e SCONE_HASH=1 ${{ env.IMG_TO }}
+      - name: Push TEE image
+        run: docker push ${{ env.IMG_TO }}
+      - name: Clean OCI images
+        run: docker image rm -f ${{ env.IMG_FROM }} ${{ env.IMG_TO }} ${{ env.SCONIFY_IMAGE }}