Merge pull request oasisprotocol#2108 from oasisprotocol/kostko/feature/rofl-tdx-containers

Add rofl-containers generic ROFL app runtime for containers

Author: kostko

.github/actions/lint-rust/action.yml

@@ -11,6 +11,9 @@ inputs:
   features:
     description: Features to enable, separated by comma
     required: false
+  exclude:
+    description: Packages to exclude, separated by comma
+    required: false
 runs:
   using: composite
   steps:
@@ -19,15 +22,26 @@ runs:
       env:
         MANIFEST_PATH: ${{ inputs.manifest_path }}
         FEATURES: ${{ inputs.features }}
+        EXCLUDE: ${{ inputs.exclude }}
       run: |
         if [[ -z "$FEATURES" ]]; then
           FEATURES_ARG=("--all-features")
         else
           FEATURES_ARG=("--features" "$FEATURES")
         fi
 
+        if [[ -z "$EXCLUDE" ]]; then
+          EXCLUDE_ARG=("")
+        else
+          EXCLUDE_ARG=("--workspace")
+          for PKG in ${EXCLUDE//,/ }; do
+            EXCLUDE_ARG+=("--exclude" "$PKG")
+          done
+        fi
+
         cargo clippy \
           ${FEATURES_ARG[@]} \
+          ${EXCLUDE_ARG[@]} \
           --locked \
           --manifest-path "$MANIFEST_PATH" \
           -- \

.github/workflows/ci-lint.yml

@@ -32,9 +32,16 @@ jobs:
         run: rustup show
 
       - name: Lint Rust code
+        uses: ./.github/actions/lint-rust
+        with:
+          features: debug-logging,test,unsafe-allow-debug
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Lint Rust code (mock TEE)
         uses: ./.github/actions/lint-rust
         with:
           features: debug-logging,debug-mock-sgx,test,unsafe-allow-debug
+          exclude: rofl-containers,rofl-appd
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Lint Rust code (TDX)

.github/workflows/ci-test.yaml

@@ -61,16 +61,20 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install gcc-multilib clang-11
+          sudo apt-get install gcc-multilib clang-18
 
       - name: Set up Rust
         run: rustup show
 
-      - name: Build for SGX
-        run: cargo build --target x86_64-fortanix-unknown-sgx
+      - name: Build select crates for SGX
+        run: |
+          cargo build --target x86_64-fortanix-unknown-sgx \
+            --package oasis-runtime-sdk \
+            --package oasis-runtime-sdk-contracts \
+            --package oasis-runtime-sdk-evm
         env:
           CFLAGS_x86_64_fortanix_unknown_sgx: -isystem/usr/include/x86_64-linux-gnu -mlvi-hardening -mllvm -x86-experimental-lvi-inline-asm-hardening
-          CC_x86_64_fortanix_unknown_sgx: clang-11
+          CC_x86_64_fortanix_unknown_sgx: clang-18
 
   check-core-versions:
     # NOTE: This name appears in GitHub's Checks API.
@@ -304,6 +308,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Disable AppArmor
+        run: |
+          sudo systemctl stop apparmor.service
+          sudo systemctl disable apparmor.service
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Set up Node.js LTS
         uses: actions/setup-node@v4
         with:
@@ -383,6 +393,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Disable AppArmor
+        run: |
+          sudo systemctl stop apparmor.service
+          sudo systemctl disable apparmor.service
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Set up Rust
         run: rustup show
 
@@ -493,6 +509,12 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Disable AppArmor
+        run: |
+          sudo systemctl stop apparmor.service
+          sudo systemctl disable apparmor.service
+          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Set up Rust
         run: rustup show
 

.github/workflows/release-rofl-containers.yml

@@ -0,0 +1,31 @@
+name: release-rofl-containers
+
+on:
+  push:
+    tags:
+      - 'rofl-containers/v[0-9]+.[0-9]+*'
+
+permissions:
+  contents: write
+
+jobs:
+  release-rofl-containers:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build rofl-containers
+        id: build
+        uses: oasisprotocol/oasis-sdk/.github/actions/hash-rust@main
+        with:
+          image: ghcr.io/oasisprotocol/runtime-builder:main
+          pkg-dirs: rofl-containers
+          binaries: rofl-containers
+          clean: no
+
+      - name: Publish the release
+        uses: ncipollo/release-action@v1
+        with:
+          artifacts: ${{ github.workspace }}/${{ steps.build.outputs.build-path }}/rofl-containers
+          token: ${{ secrets.GITHUB_TOKEN }}