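name: Build Reproducible EIF

on:
  workflow_dispatch:
    inputs:
      config_hash:
        type: string
        description: 'SHA256 hash for the config'
        required: true
      nitro_node_image_path:
        type: string
        description: 'Full nitro node image path'
        required: true
  push:
    branches:
      - main
      - nix-enclaver
  pull_request:
    branches:
      - main

run-name: Build EIF - ${{ github.event.inputs.nitro_node_image_path || 'Default' }}

# Least privilege for the job token: checkout needs read access and the
# ghcr.io push needs packages:write.  The "stage nitro binary" commit made
# below is local to the runner and is never pushed, so contents stays read-only.
permissions:
  contents: read
  packages: write

env:
  # Dispatch inputs are resolved once here and reach the shell steps as
  # environment variables rather than being spliced into `run:` scripts with
  # ${{ }}, so their text is never interpreted as shell syntax.
  # On push/pull_request runs both inputs are empty: NITRO_IMAGE falls back to
  # the default image and CONFIG_HASH is empty even though the input is
  # declared required (required only applies to workflow_dispatch).
  NITRO_IMAGE: ${{ github.event.inputs.nitro_node_image_path || 'ghcr.io/espressosystems/nitro-espresso-integration/nitro-node:integration' }}
  CONFIG_HASH: ${{ github.event.inputs.config_hash }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Free Disk Space
        run: |
          echo "Before cleanup:"
          df -h /
          # Remove unnecessary software to free up ~30GB
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          sudo docker system prune -af
          echo "After cleanup:"
          df -h /

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set Variables
        run: |
          # Everything after the last ':' of the image reference becomes the
          # tag used for the artifact name and the pushed poster image.
          # NOTE(review): an untagged reference yields the full path here
          # (not a valid tag) and a digest reference yields the bare digest.
          NITRO_TAG="${NITRO_IMAGE##*:}"
          echo "NITRO_TAG=${NITRO_TAG}" >> "$GITHUB_ENV"

      - name: Extract Nitro Binary
        run: |
          mkdir -p build-outputs
          docker pull "$NITRO_IMAGE"
          # Record the content-addressed digest of what was actually pulled so
          # the build record identifies an exact image rather than a mutable
          # tag; fall back to the reference itself if no RepoDigest is known.
          IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$NITRO_IMAGE" 2>/dev/null || echo "$NITRO_IMAGE")
          echo "IMAGE_DIGEST=${IMAGE_DIGEST}" >> "$GITHUB_ENV"
          # Copy the binary out of a created (never started) container.
          CONTAINER_ID=$(docker create "$NITRO_IMAGE" /bin/true)
          docker cp "${CONTAINER_ID}:/usr/local/bin/nitro" build-outputs/nitro
          docker rm "${CONTAINER_ID}"
          chmod +x build-outputs/nitro
          NITRO_HASH=$(sha256sum build-outputs/nitro | cut -d' ' -f1)
          echo "NITRO_HASH=${NITRO_HASH}" >> "$GITHUB_ENV"
          echo "Nitro binary SHA256: ${NITRO_HASH}"
          # Clean up Docker images to save space
          docker system prune -af
          echo "Disk after Docker cleanup:"
          df -h /

      - name: Stage Binary for Nix
        run: |
          # Stage binary for Nix (uses -f because build-outputs/ is gitignored to protect local dev)
          # The commit only exists on the runner; nothing is pushed.
          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
          git add -f build-outputs/nitro
          git commit -m "temp: stage nitro binary for build" || true

      # TODO: pin both DeterminateSystems actions to a full commit SHA instead
      # of the mutable `main` branch so an upstream change cannot alter what
      # runs in this job.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main

      - name: Setup Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main

      - name: Build EIF with nix-enclaver
        run: |
          # The build's exit status is deliberately not fatal here: the PCR0
          # is read from the log and the EIF located in the store afterwards,
          # and the job fails with an explicit message if either is missing.
          # Without pipefail the pipeline's status is tee's, so nix's own
          # status is taken from PIPESTATUS and surfaced as a warning.
          nix build '.#x86_64-eif' -L 2>&1 | tee build.log
          NIX_STATUS=${PIPESTATUS[0]}
          if [ "$NIX_STATUS" -ne 0 ]; then
            echo "::warning::nix build exited with status ${NIX_STATUS}; continuing to look for build output"
          fi
          # Extract PCR0 from build log
          PCR0=$(grep -oP '"PCR0":\s*"\K[a-f0-9]+' build.log | head -1)
          echo "PCR0_FROM_BUILD=${PCR0}" >> "$GITHUB_ENV"
          # Locate the build output.  NOTE(review): this globs the whole Nix
          # store rather than the ./result link, so with a warm cache it could
          # match an older store path; confirm the output name before relying
          # on it for reproducibility claims.
          EIF=$(ls -d /nix/store/*batcher-x86_64 2>/dev/null | head -1)
          if [ -z "$EIF" ]; then
            echo "::error::No *batcher-x86_64 output found in /nix/store"
            exit 1
          fi
          echo "Found: $EIF"
          ls -la "$EIF"
          if [ -f "$EIF" ]; then
            cp "$EIF" ./enclave.eif
          elif [ -d "$EIF" ]; then
            cp "$EIF"/* ./enclave.eif 2>/dev/null || cp -r "$EIF" ./enclave-dir
          fi
          ls -la ./enclave*

      - name: Compute Enclave Hash
        run: |
          PCR0="$PCR0_FROM_BUILD"
          if [ -z "$PCR0" ]; then
            echo "No PCR0 found"
            exit 1
          fi
          # cast (Foundry) is not installed by any step in this workflow; fail
          # with a clear message if the runner does not provide it.
          if ! command -v cast >/dev/null 2>&1; then
            echo "::error::cast (Foundry) not found on PATH; needed for keccak256"
            exit 1
          fi
          PCR0_KECCAK=$(cast keccak "0x${PCR0}")
          echo "PCR0: $PCR0"
          echo "Enclave Hash: $PCR0_KECCAK"
          echo "PCR0_RAW=0x${PCR0}" >> "$GITHUB_ENV"
          echo "ENCLAVE_HASH=${PCR0_KECCAK}" >> "$GITHUB_ENV"

      - name: Build Summary
        run: |
          echo "=============================================="
          echo " BUILD RESULTS "
          echo "=============================================="
          echo "Source Image: ${NITRO_IMAGE}"
          echo "Image Digest: ${IMAGE_DIGEST}"
          echo "Nitro Binary: ${NITRO_HASH}"
          echo "PCR0: ${PCR0_RAW}"
          echo "Enclave Hash: ${ENCLAVE_HASH}"
          echo "=============================================="
          mkdir -p artifacts
          # jq emits valid JSON whatever the values contain; a heredoc would
          # produce broken JSON for any value holding a quote or backslash.
          jq -n \
            --arg nitro_image "$NITRO_IMAGE" \
            --arg image_digest "$IMAGE_DIGEST" \
            --arg nitro_binary_hash "$NITRO_HASH" \
            --arg pcr0 "$PCR0_RAW" \
            --arg enclave_hash "$ENCLAVE_HASH" \
            --arg git_sha "$GITHUB_SHA" \
            --arg config_hash "$CONFIG_HASH" \
            '{
              nitro_image: $nitro_image,
              image_digest: $image_digest,
              nitro_binary_hash: $nitro_binary_hash,
              pcr0: $pcr0,
              enclave_hash: $enclave_hash,
              git_sha: $git_sha,
              config_hash: $config_hash
            }' > artifacts/build-info.json

      - name: Upload Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: eif-${{ env.NITRO_TAG }}-${{ github.run_id }}
          # enclave-dir only exists when the Nix output was a directory that
          # could not be copied to a single file (see the build step).
          path: |
            ./enclave.eif
            ./enclave-dir
            artifacts/

      - name: Log in to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push Docker Image
        if: github.event_name != 'pull_request'
        run: |
          # Build Docker image with the EIF for deployment.
          # NOTE(review): the poster image is built from NITRO_IMAGE (a tag),
          # not from IMAGE_DIGEST, so a tag moved between the pull above and
          # this build would go unnoticed; consider passing the digest.
          # On push runs CONFIG_HASH is empty (no dispatch input).
          docker build \
            --file ./docker/Dockerfile.aws-nitro-poster \
            --build-arg "NITRO_IMAGE_PATH=${NITRO_IMAGE}" \
            --build-arg "CONFIG_HASH=${CONFIG_HASH}" \
            --tag "ghcr.io/espressosystems/aws-nitro-poster:${NITRO_TAG}" \
            .
          docker push "ghcr.io/espressosystems/aws-nitro-poster:${NITRO_TAG}"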