fix: clean enclave-key from workspace

PierreJeanjacquot · PierreJeanjacquot · commit 330fd0131b63 · 2025-06-25T10:51:33.000+02:00
diff --git a/.github/workflows/sconify.yml b/.github/workflows/sconify.yml
@@ -100,6 +100,9 @@ jobs:
       prod-mrenclave: ${{ steps.push-prod.outputs.mrenclave }}
       prod-checksum: ${{ steps.push-prod.outputs.checksum }}
     steps:
+      - name: Create Temporary Directory
+        run: mkdir -p ${{github.workspace}}/tmp
+
       - name: Login to Docker Registry
         uses: docker/login-action@v3
         with:
@@ -153,12 +156,12 @@ jobs:
       - name: Sconify Image Prod
         if: ${{ inputs.sconify-prod }}
         run: |
-          mkdir -p $HOME/sig
-          echo "${{ secrets.scone-signing-key }}" > $HOME/sig/enclave-key.pem
+          mkdir -p ${{github.workspace}}/tmp/sig
+          echo "${{ secrets.scone-signing-key }}" > ${{github.workspace}}/tmp/sig/enclave-key.pem
           docker run \
           --rm \
           -v /var/run/docker.sock:/var/run/docker.sock \
-          -v $HOME/sig/enclave-key.pem:/sig/enclave-key.pem \
+          -v ${{github.workspace}}/tmp/sig/enclave-key.pem:/sig/enclave-key.pem \
           registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
           sconify_iexec \
           --from=$FROM_IMAGE \
@@ -183,3 +186,7 @@ jobs:
           echo "image=$PROD_IMAGE" >> "$GITHUB_OUTPUT"
           echo "checksum=0x$(docker image inspect $PROD_IMAGE | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
           echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 $PROD_IMAGE)" >> "$GITHUB_OUTPUT"
+
+      - name: Clean Temporary Directory
+        if: always()
+        run: rm -rf ${{github.workspace}}/tmp
diff --git a/sconify/README.md b/sconify/README.md
@@ -6,6 +6,7 @@ This reusable GitHub Actions workflow automates the process of sconifying a Dock
 
 The workflow performs the following actions:
 
+- **Create Temporary Directory**
 - **Login to Docker Registry**
 - **Login to Scontain Docker Registry**
 - **Pull Image to Sconify** from Docker Registry
@@ -14,8 +15,9 @@ The workflow performs the following actions:
   - **Sconify Image Debug**
   - **Push Debug Image** to Docker Registry and prepare outputs (`debug-image`,`debug-mrenclave`,`debug-checksum`)
 - [unless input `sconify-prod: false`]
-  - **Sconify Image Prod**
+  - **Sconify Image Prod** using scone-signing-key stored in the Temporary Directory
   - **Push Prod Image** to Docker Registry and prepare outputs (`prod-image`,`prod-mrenclave`,`prod-checksum`)
+- **Clean Temporary Directory** always
 
 ## Workflow Inputs 🛠️
 
