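name: Build Enclaver Docker Image
on:
  workflow_dispatch:
    inputs:
      config_hash:
        type: string
        description: 'SHA256 hash for the config'
        required: true
      nitro_node_image_path:
        type: string
        description: 'Full nitro node image path'
        required: true
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
run-name: Enclaver Docker Image - ${{ github.event.inputs.nitro_node_image_path || 'Simple Build' }}

# Least-privilege token. The only write this workflow performs with
# GITHUB_TOKEN is the image push to ghcr.io (docker/login-action below);
# without an explicit block the token inherits the repository default, which
# can be read/write on every scope.
permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below is pinned to a mutable major-version
      # tag. For supply-chain hardening pin each one to a full commit SHA
      # (not filled in here to avoid guessing identifiers).
      - name: Checkout code
        uses: actions/checkout@v4

      # Derive NITRO_IMAGE_PATH / NITRO_IMAGE_TAG for the rest of the job.
      # The workflow input is handed to the script through `env:` instead of
      # being expanded with ${{ }} inside `run:` — an expression expanded in
      # a run block is pasted verbatim into the shell and can inject commands.
      - name: Set Image Variables
        env:
          INPUT_NITRO_IMAGE_PATH: ${{ github.event.inputs.nitro_node_image_path || 'ghcr.io/espressosystems/nitro-espresso-integration/nitro-node:integration' }}
        run: |
          set -euo pipefail
          NITRO_IMAGE_PATH="${INPUT_NITRO_IMAGE_PATH}"
          # Everything after the last ':' is the tag (same result as sed 's/.*://').
          NITRO_TAG="${NITRO_IMAGE_PATH##*:}"
          # Add 4cpu suffix if on 4cpu branch
          if [ "${GITHUB_REF_NAME}" = "4cpu" ]; then
            NITRO_TAG="${NITRO_TAG}-4cpu"
          fi
          # The tag ends up in `docker build -t` / `docker push`. Reject anything
          # that is not a valid image tag; this also catches a reference with no
          # tag at all, where the ##*: above returns the whole path.
          if ! [[ "${NITRO_TAG}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "Refusing to use invalid image tag: ${NITRO_TAG}" >&2
            exit 1
          fi
          echo "NITRO_IMAGE_PATH=${NITRO_IMAGE_PATH}" >> "${GITHUB_ENV}"
          echo "NITRO_IMAGE_TAG=${NITRO_TAG}" >> "${GITHUB_ENV}"
          echo "Using nitro image: ${NITRO_IMAGE_PATH}"
          echo "Extracted tag for naming: ${NITRO_TAG}"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Skipped on pull_request: fork PRs get a read-only token anyway, and
      # nothing is pushed for PR builds.
      - uses: docker/login-action@v3
        name: Login to Github Container Repo
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Local-only build (push: false, load: true) of the nitro poster image
      # that enclaver wraps in the next steps. CONFIG_HASH is only provided by
      # workflow_dispatch; on push/pull_request it is passed as an empty string.
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./docker/Dockerfile.aws-nitro-poster
          build-args: |
            NITRO_IMAGE_PATH=${{ env.NITRO_IMAGE_PATH }}
            CONFIG_HASH=${{ github.event.inputs.config_hash }}
          labels: |
            build.github.run_number=${{ github.run_number }}
            build.github.actor=${{ github.actor }}
            build.github.ref=${{ github.ref }}
            build.nitro.source_image=${{ env.NITRO_IMAGE_PATH }}
            build.workflow.page=https://github.com/EspressoSystems/aws-nitro/actions/workflows/build-eif.yml
          push: false
          tags: nitro-image:latest
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # NOTE(review): this installs whatever the *latest* enclaver release is,
      # as root, with no checksum or signature verification — the enclave
      # measurement (PCR0) produced below depends on this binary, so a bad or
      # compromised release ships straight into the image. Pin to a known
      # release and verify the archive against a checksum committed to this
      # repository before relying on this workflow beyond integration use.
      - name: Run Enclaver installation
        run: |
          set -euo pipefail
          echo "Downloading and installing Enclaver..."
          ARCH=$(uname -m)
          # -f: a non-2xx response fails the step instead of feeding an HTML
          # error page into jq / tar.
          LATEST_RELEASE=$(curl -fsSL https://api.github.com/repositories/516492075/releases/latest)
          DOWNLOAD_URL=$(echo "$LATEST_RELEASE" | jq -r ".assets[] | select(.name | test(\"^enclaver-linux-$ARCH.*tar.gz$\")) | .browser_download_url")
          if [ -z "$DOWNLOAD_URL" ]; then
            echo "Could not find Enclaver download URL"
            exit 1
          fi
          curl -fsSL "$DOWNLOAD_URL" -o enclaver.tar.gz
          tar xzf enclaver.tar.gz
          sudo install enclaver-*/enclaver /usr/local/bin/
          rm -rf enclaver.tar.gz enclaver-*
          enclaver --version

      # Only `cast keccak` is used from Foundry. `nightly` is an unpinned,
      # moving target; a fixed release would make this step reproducible.
      - name: Install Foundry
        uses: foundry-rs/foundry-toolchain@v1
        with:
          version: nightly

      # Build the enclave image and export keccak(PCR0) as ENCLAVE_HASH, which
      # is written into the labels of the pushed image.
      - name: Run Enclaver build
        run: |
          set -euo pipefail
          build_output=$(sudo enclaver build --file ./enclaver/enclaver.yaml)
          echo "Build complete! Output: $build_output"
          pcr0_hex=$(echo "$build_output" | grep -oP '"PCR0": "\K[^"]+')
          # Make sure we parsed a hex digest rather than handing arbitrary
          # build output to cast (PCR0 is a SHA-384 measurement, so 96 hex
          # chars are expected — TODO confirm enclaver's output format).
          if ! [[ "$pcr0_hex" =~ ^[0-9a-fA-F]+$ ]]; then
            echo "Could not parse PCR0 from enclaver output" >&2
            exit 1
          fi
          pcr0_raw="0x${pcr0_hex}"
          pcr0_keccak=$(cast keccak "$pcr0_raw")
          echo "PCR0 keccak hash: $pcr0_keccak"
          echo "ENCLAVE_HASH=${pcr0_keccak}" >> "${GITHUB_ENV}"
          docker images

      # Re-label the enclaver output image and tag it for ghcr.io. Values set
      # via GITHUB_ENV and the default GITHUB_* variables are already in the
      # shell environment, so plain shell expansion is used instead of ${{ }}
      # inside the heredoc.
      - name: Tag Docker
        if: github.event_name != 'pull_request'
        run: |
          set -euo pipefail
          echo "Available Docker images:"
          docker images
          echo "Adding PCR0 label to image..."
          IMAGE_REF="ghcr.io/espressosystems/aws-nitro-poster:${NITRO_IMAGE_TAG:-integration-4cpu}"
          cat > Dockerfile.labels << EOF
          FROM enclaver-batch-poster
          LABEL org.opencontainers.image.description="AWS Nitro batch poster image built with enclave hash: ${ENCLAVE_HASH}"
          LABEL org.opencontainers.image.source="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"
          LABEL org.opencontainers.image.revision="${GITHUB_SHA}"
          LABEL org.opencontainers.image.created="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
          LABEL enclave.hash="${ENCLAVE_HASH}"
          LABEL build.github.run_id="${GITHUB_RUN_ID}"
          LABEL build.workflow.url="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
          EOF
          # Build with labels and tag
          docker build -f Dockerfile.labels -t "${IMAGE_REF}" .
          echo "Tagged with PCR0 HASH: ${ENCLAVE_HASH}"

      # NOTE(review): the tag pushed here (e.g. `integration`) is mutable and is
      # overwritten on every push to main; consumers that need to pin the
      # enclave they attest against should use the digest printed below.
      - name: Push Docker
        if: github.event_name != 'pull_request'
        run: |
          set -euo pipefail
          IMAGE_REF="ghcr.io/espressosystems/aws-nitro-poster:${NITRO_IMAGE_TAG:-integration-4cpu}"
          docker push "${IMAGE_REF}"
          echo "Pushed image with PCR0 HASH: ${ENCLAVE_HASH}"
          # Immutable reference for the image just pushed.
          docker image inspect --format '{{join .RepoDigests ", "}}' "${IMAGE_REF}"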