fortanix · monokles · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,11 +1,15 @@
 version: 2
 updates:
-- package-ecosystem: cargo
-  directory: "/"
-  schedule:
-    interval: weekly
-  open-pull-requests-limit: 10
-- package-ecosystem: github-actions
-  directory: "/"
-  schedule:
-    interval: weekly
+  - package-ecosystem: cargo
+    directory: "/"
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
@@ -14,16 +14,24 @@ on:
       - "intel-sgx/ppid-retrieval-tool/**"
       - ".github/workflows/**"
 
-jobs:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
-  build:
+permissions: {}
 
+jobs:
+  build:
+    name: Build Docker Image
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - name: Checkout Repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
       - name: Build the Docker image
         run: |
           cd intel-sgx/ppid-retrieval-tool/Docker
           ./build.sh
-
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,7 +7,13 @@ on:
   # This CI will be triggered on any merge_group events
   merge_group:
   schedule:
-    - cron: "0 6 * * *"  # Run CI Daily few hours after UTC midnight, so we can track changes from nightly rust & Intel PCS
+    - cron: "0 6 * * *" # Run CI Daily few hours after UTC midnight, so we can track changes from nightly rust & Intel PCS
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 env:
   RUST_BACKTRACE: 1
@@ -28,99 +34,102 @@ jobs:
       CMAKE_POLICY_VERSION_MINIMUM: 3.5
 
     steps:
-    - uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
-    - name: Conditionally export PCS_API_KEY and PCCS_URL
-      run: |
-        if [ -n "${{ secrets.PCS_API_KEY }}" ]; then
-          echo "PCS_API_KEY=${{ secrets.PCS_API_KEY }}" >> $GITHUB_ENV
-        fi
-        if [ -n "${{ vars.PCCS_URL }}" ]; then
-          echo "PCCS_URL=${{ vars.PCCS_URL }}" >> $GITHUB_ENV
-        fi
+      - name: Conditionally export PCS_API_KEY and PCCS_URL
+        run: |
+          if [ -n "${{ secrets.PCS_API_KEY }}" ]; then
+            echo "PCS_API_KEY=${{ secrets.PCS_API_KEY }}" >> "$GITHUB_ENV"
+          fi
+          if [ -n "${{ vars.PCCS_URL }}" ]; then
+            echo "PCCS_URL=${{ vars.PCCS_URL }}" >> "$GITHUB_ENV"
+          fi
 
-    - name: Install build dependencies
-      run: sudo ./install_build_deps.sh
+      - name: Install build dependencies
+        run: sudo ./install_build_deps.sh
 
-    - name: Setup Rust toolchain
-      run: |
-        rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl
-        rustup toolchain add nightly
-        rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
-        rustup update
+      - name: Setup Rust toolchain
+        run: |
+          rustup target add x86_64-fortanix-unknown-sgx x86_64-unknown-linux-musl
+          rustup toolchain add nightly
+          rustup target add x86_64-fortanix-unknown-sgx --toolchain nightly
+          rustup update
 
-    - name: Cargo test --all --exclude sgxs-loaders
-      run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ]
+      - name: Cargo test --all --exclude sgxs-loaders
+        run: cargo test --verbose --locked --all --exclude sgxs-loaders --exclude async-usercalls && [ "$(echo $(nm -D target/debug/sgx-detect|grep __vdso_sgx_enter_enclave))" = "w __vdso_sgx_enter_enclave" ]
 
-    - name: Nightly test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
-      run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
+      - name: Nightly test -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
+        run: cargo +nightly test --verbose --locked -p async-usercalls --target x86_64-fortanix-unknown-sgx --no-run
 
-    - name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
-      run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
+      - name: Nightly test -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
+        run: cargo +nightly test --verbose --locked -p dcap-artifact-retrieval --target x86_64-fortanix-unknown-sgx --no-default-features --no-run
 
-    - name: Cargo test -p dcap-artifact-retrieval --features rustls-tls
-      run: cargo test --verbose --locked -p dcap-artifact-retrieval --features rustls-tls
+      - name: Cargo test -p dcap-artifact-retrieval --features rustls-tls
+        run: cargo test --verbose --locked -p dcap-artifact-retrieval --features rustls-tls
 
-    - name: Cargo test -p dcap-ql --features link
-      run: cargo test --verbose --locked -p dcap-ql --features link
+      - name: Cargo test -p dcap-ql --features link
+        run: cargo test --verbose --locked -p dcap-ql --features link
 
-    - name: Cargo test -p dcap-ql --features verify
-      run: cargo test --verbose --locked -p dcap-ql --features verify
+      - name: Cargo test -p dcap-ql --features verify
+        run: cargo test --verbose --locked -p dcap-ql --features verify
 
-    - name: Cargo test -p ias --features mbedtls
-      run: cargo test --verbose --locked -p ias --features mbedtls
+      - name: Cargo test -p ias --features mbedtls
+        run: cargo test --verbose --locked -p ias --features mbedtls
 
-    - name: Cargo test -p ias --features client,mbedtls
-      run: cargo test --verbose --locked -p ias --features client,mbedtls
+      - name: Cargo test -p ias --features client,mbedtls
+        run: cargo test --verbose --locked -p ias --features client,mbedtls
 
-    # uses backtrace, which still requires nightly on SGX
-    - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx
-      run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx
+      # uses backtrace, which still requires nightly on SGX
+      - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx
+        run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx
 
-    # uses sgxstd feature
-    - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
-      run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
+      # uses sgxstd feature
+      - name: Nightly build -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
+        run: cargo +nightly build --verbose --locked -p aesm-client --target=x86_64-fortanix-unknown-sgx --features sgx-isa/sgxstd
 
-    - name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
-      run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
+      - name: Nightly test -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
+        run: cargo +nightly test --verbose --locked -p sgx-isa --features sgxstd --target x86_64-fortanix-unknown-sgx --no-run
 
-    - name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx
-      run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run
+      - name: Nightly test -p pcs --target x86_64-fortanix-unknown-sgx
+        run: cargo +nightly test --verbose --locked -p pcs --target x86_64-fortanix-unknown-sgx --no-run
 
-    - name: Nightly test -p pcs --features verify
-      run: cargo +nightly test --verbose --locked -p pcs --features verify
+      - name: Nightly test -p pcs --features verify
+        run: cargo +nightly test --verbose --locked -p pcs --features verify
 
-    # Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a segmentation
-    #  fault while compiling. We only execute `faketime` during the tests
-    #- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
+      # Unfortunately running `faketime '2021-09-10 11:00:00 GMT' cargo test -p nitro-attestation-verify` causes a segmentation
+      #  fault while compiling. We only execute `faketime` during the tests
+      #- run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-08 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
 
-    - name: Cargo test nitro-attestation-verify with faketime
-      run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
+      - name: Cargo test nitro-attestation-verify with faketime
+        run: cargo test --locked -p nitro-attestation-verify --no-run && faketime '2021-09-10 11:00:00 GMT' cargo test --locked -p nitro-attestation-verify --lib
 
-    - name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl
-      # NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary. It is unlikely that this would produce a working binary anyway.
-      run: |
-        mkdir -p /tmp/muslinclude
-        ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl
-        PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl
+      - name: Build fortanix-sgx-tools for x86_64-unknown-linux-musl
+        # NOTE: Skipping linking with the glibc version of OpenSSL to produce a musl based binary. It is unlikely that this would produce a working binary anyway.
+        run: |
+          mkdir -p /tmp/muslinclude
+          ln -sf /usr/include/x86_64-linux-gnu/openssl /tmp/muslinclude/openssl
+          PKG_CONFIG_ALLOW_CROSS=1 CFLAGS=-I/tmp/muslinclude CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=true cargo build --locked -p fortanix-sgx-tools --target x86_64-unknown-linux-musl
 
-    - name: Build em-app, get-certificate for x86_64-unknown-linux-musl
-      run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl
+      - name: Build em-app, get-certificate for x86_64-unknown-linux-musl
+        run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-unknown-linux-musl
 
-    - name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx
-      run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx
+      - name: Build em-app, get-certificate for x86_64-fortanix-unknown-sgx
+        run: cargo build --verbose --locked -p em-app -p get-certificate --target=x86_64-fortanix-unknown-sgx
 
-    - name: insecure-time test
-      run: cargo +nightly test -p insecure-time --features estimate_crystal_clock_freq
+      - name: insecure-time test
+        run: cargo +nightly test -p insecure-time --features estimate_crystal_clock_freq
 
-    - name: insecure-time build for SGX platform
-      run: cargo +nightly build -p insecure-time --features estimate_crystal_clock_freq --target x86_64-fortanix-unknown-sgx
+      - name: insecure-time build for SGX platform
+        run: cargo +nightly build -p insecure-time --features estimate_crystal_clock_freq --target x86_64-fortanix-unknown-sgx
 
-    - name: Generate API docs
-      run: ./doc/generate-api-docs.sh
+      - name: Generate API docs
+        run: ./doc/generate-api-docs.sh
 
-    - name: Run memory allocator stress test
-      run: cd ./examples/mem-alloc-test && cargo run
+      - name: Run memory allocator stress test
+        run: cd ./examples/mem-alloc-test && cargo run
 
-    - name: snmalloc correntness test
-      run: cd ./examples/mem-correctness-test && cargo run
+      - name: snmalloc correctness test
+        run: cd ./examples/mem-correctness-test && cargo run
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,34 +6,40 @@ name: Create GitHub release and publish crate to crates.io
 on:
   push:
     tags:
-      - 'em-app_v[0-9]+.[0-9]+.[0-9]+'
-      - 'aesm-client_v[0-9]+.[0-9]+.[0-9]+'
-      - 'async-usercalls_v[0-9]+.[0-9]+.[0-9]+'
-      - 'confidential-vm-blobs_v[0-9]+.[0-9]+.[0-9]+'
-      - 'dcap-artifact-retrieval_v[0-9]+.[0-9]+.[0-9]+'
-      - 'dcap-provider_v[0-9]+.[0-9]+.[0-9]+'
-      - 'dcap-ql-sys_v[0-9]+.[0-9]+.[0-9]+'
-      - 'dcap-ql_v[0-9]+.[0-9]+.[0-9]+'
-      - 'dcap-retrieve-pckid_v[0-9]+.[0-9]+.[0-9]+'
-      - 'enclave-runner_v[0-9]+.[0-9]+.[0-9]+'
-      - 'enclave-runner-sgx_v[0-9]+.[0-9]+.[0-9]+'
-      - 'fortanix-sgx-abi_v[0-9]+.[0-9]+.[0-9]+'
-      - 'fortanix-sgx-tools_v[0-9]+.[0-9]+.[0-9]+'
-      - 'fortanix-vme-eif_v[0-9]+.[0-9]+.[0-9]+'
-      - 'fortanix-vme-initramfs_v[0-9]+.[0-9]+.[0-9]+'
-      - 'fortanix-vme-runner_v[0-9]+.[0-9]+.[0-9]+'
-      - 'ias_v[0-9]+.[0-9]+.[0-9]+'
-      - 'insecure-time_v[0-9]+.[0-9]+.[0-9]+'
-      - 'pcs_v[0-9]+.[0-9]+.[0-9]+'
-      - 'report-test_v[0-9]+.[0-9]+.[0-9]+'
-      - 'sgx_pkix_v[0-9]+.[0-9]+.[0-9]+'
-      - 'sgx-isa_v[0-9]+.[0-9]+.[0-9]+'
-      - 'sgxs-loaders_v[0-9]+.[0-9]+.[0-9]+'
-      - 'sgxs-tools_v[0-9]+.[0-9]+.[0-9]+'
-      - 'sgxs_v[0-9]+.[0-9]+.[0-9]+'
-      - 'ipc-queue_v[0-9]+.[0-9]+.[0-9]+'
-      - 'rs-libc_v[0-9]+.[0-9]+.[0-9]+'
-      - 'tdx-ql_v[0-9]+.[0-9]+.[0-9]+'
+      - "em-app_v[0-9]+.[0-9]+.[0-9]+"
+      - "aesm-client_v[0-9]+.[0-9]+.[0-9]+"
+      - "async-usercalls_v[0-9]+.[0-9]+.[0-9]+"
+      - "confidential-vm-blobs_v[0-9]+.[0-9]+.[0-9]+"
+      - "dcap-artifact-retrieval_v[0-9]+.[0-9]+.[0-9]+"
+      - "dcap-provider_v[0-9]+.[0-9]+.[0-9]+"
+      - "dcap-ql-sys_v[0-9]+.[0-9]+.[0-9]+"
+      - "dcap-ql_v[0-9]+.[0-9]+.[0-9]+"
+      - "dcap-retrieve-pckid_v[0-9]+.[0-9]+.[0-9]+"
+      - "enclave-runner_v[0-9]+.[0-9]+.[0-9]+"
+      - "enclave-runner-sgx_v[0-9]+.[0-9]+.[0-9]+"
+      - "fortanix-sgx-abi_v[0-9]+.[0-9]+.[0-9]+"
+      - "fortanix-sgx-tools_v[0-9]+.[0-9]+.[0-9]+"
+      - "fortanix-vme-eif_v[0-9]+.[0-9]+.[0-9]+"
+      - "fortanix-vme-initramfs_v[0-9]+.[0-9]+.[0-9]+"
+      - "fortanix-vme-runner_v[0-9]+.[0-9]+.[0-9]+"
+      - "ias_v[0-9]+.[0-9]+.[0-9]+"
+      - "insecure-time_v[0-9]+.[0-9]+.[0-9]+"
+      - "pcs_v[0-9]+.[0-9]+.[0-9]+"
+      - "report-test_v[0-9]+.[0-9]+.[0-9]+"
+      - "sgx_pkix_v[0-9]+.[0-9]+.[0-9]+"
+      - "sgx-isa_v[0-9]+.[0-9]+.[0-9]+"
+      - "sgxs-loaders_v[0-9]+.[0-9]+.[0-9]+"
+      - "sgxs-tools_v[0-9]+.[0-9]+.[0-9]+"
+      - "sgxs_v[0-9]+.[0-9]+.[0-9]+"
+      - "ipc-queue_v[0-9]+.[0-9]+.[0-9]+"
+      - "rs-libc_v[0-9]+.[0-9]+.[0-9]+"
+      - "tdx-ql_v[0-9]+.[0-9]+.[0-9]+"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 env:
   RUST_BACKTRACE: 1
@@ -53,23 +59,24 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install build dependencies
         run: sudo ./install_build_deps.sh
 
-
       - name: Get name of crate to be published
         run: |
           # Extract the crate name from the GITHUB_REF_NAME environment variable
           # GITHUB_REF_NAME contains the Tag name (e.g. rs-lic_v0.2.4) associated with the event
           export CRATE_NAME=$(python3 -c "print('$GITHUB_REF_NAME'.rsplit('_v', 1)[0])")
-          echo "CRATE_NAME=$CRATE_NAME" >> $GITHUB_ENV
+          echo "CRATE_NAME=$CRATE_NAME" >> "$GITHUB_ENV"
 
       - name: Set per-crate config (toolchain/target)
         run: |
           source ./crate-publish-config.sh "$CRATE_NAME"
-          echo "CARGO_BUILD_TARGET=$CARGO_BUILD_TARGET" >> $GITHUB_ENV
+          echo "CARGO_BUILD_TARGET=$CARGO_BUILD_TARGET" >> "$GITHUB_ENV"
 
       - name: Update Rust toolchain
         run: rustup update
@@ -86,10 +93,14 @@ jobs:
     needs: publish
     environment: "Publish to crates.io"
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write # Needed to publish Github releases
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install build dependencies
         run: ./install_build_deps.sh
@@ -102,10 +113,10 @@ jobs:
           # Extract the crate name from the GITHUB_REF_NAME environment variable
           # GITHUB_REF_NAME contains the Tag name (e.g. rs-lic_v0.2.4) associated with the event
           export CRATE_NAME=$(python3 -c "print('$GITHUB_REF_NAME'.rsplit('_v', 1)[0])")
-          echo "CRATE_NAME=$CRATE_NAME" >> $GITHUB_ENV
+          echo "CRATE_NAME=$CRATE_NAME" >> "$GITHUB_ENV"
 
       - name: Build artifacts for GitHub Release
-        run: ./build-release-artifacts.py --target x86_64-unknown-linux-gnu --package $CRATE_NAME
+        run: ./build-release-artifacts.py --target x86_64-unknown-linux-gnu --package "$CRATE_NAME"
 
       - name: Publish GitHub Release using GitHub CLI
         env: