@@ -3,61 +3,69 @@ name: Build, Test and Push Docker Image
33on :
44 workflow_call :
55 inputs :
6+ docker-registry :
7+ description : " Docker registry of docker image to sconify"
8+ default : " docker.io"
9+ type : string
10+ docker-username :
11+ description : " Docker registry username"
12+ type : string
13+ required : true
614 image-name :
7- description : " Name of Docker Image to Sconify "
15+ description : " Name of docker image to sconify "
816 type : string
917 required : true
1018 image-tag :
11- description : " Tag of Docker Image to Sconify "
19+ description : " Tag of docker image to sconify "
1220 type : string
1321 required : true
14- docker-registry :
15- description : " Docker Registry of Docker Image to Sconify"
16- default : " docker.io"
17- type : string
18- sconify-version :
19- description : " Version of the Sconify Image to use"
22+ scontain-username :
23+ description : " Scontain registry username"
2024 type : string
2125 required : true
22- fs-dir :
26+ sconify-version :
27+ description : " Version of the sconify image to use"
2328 type : string
24- description : " File System Directory to Protect"
2529 required : true
2630 binary :
31+ description : " Path of the binary to use"
2732 type : string
28- description : " Path to the Binary to Protect"
2933 required : true
3034 command :
35+ description : " Command to execute (default: ENTRYPOINT + CMD of native image)"
36+ type : string
37+ binary-fs :
38+ description : " Embed the file system into the binary via Scone binary file system (default: false)"
39+ type : boolean
40+ default : false
41+ fs-dir :
42+ description : " Path of directories to add to the binary file system (use multiline to add multiple directories)"
43+ type : string
44+ fs-file :
45+ description : " Path of files to add to the binary file system (use multiline to add multiple files)"
46+ type : string
47+ host-path :
48+ description : " Host path, served directly from the host file system (use multiline to add multiple path)"
3149 type : string
32- description : " Command to Protect"
33- required : true
3450 heap :
51+ description : " Enclave heap size (default 1G)"
3552 type : string
3653 default : " 1G"
37- description : " Enclave Heap size (default 1G)"
3854 dlopen :
55+ description : " Scoen dlopen mode (default 1)"
3956 type : number
4057 default : 1
41- description : " dlopen mode (default 1)"
4258 sconify-debug :
43- description : " Create Scone Debug image (default true)"
44- default : true
59+ description : " Create Scone debug image (default true)"
4560 type : boolean
46- sconify-prod :
47- description : " Create Scone Production image (default true)"
4861 default : true
62+ sconify-prod :
63+ description : " Create Scone production image (default true)"
4964 type : boolean
50- docker-username :
51- type : string
52- description : " Docker Registry Username"
53- required : true
54- scontain-username :
55- type : string
56- description : " Scontain Registry Username"
57- required : true
65+ default : true
5866 runner :
59- type : string
6067 description : " Runner to use (overrides `runs-on`) ⚠️ the specified runner must feature Ubuntu OS and docker CE"
68+ type : string
6169 default : " ubuntu-latest"
6270 secrets :
6371 docker-password :
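Review bot: The new `dlopen` description on line 55 of the new side has a typo, "Scoen"; it should read `description: "Scone dlopen mode (default 1)"`. The new optional inputs also silently change what callers get: `host-path` has no default, while the removed `docker run` arguments (later hunks) always added `/etc/hosts` and `/etc/resolv.conf`, and `binary-fs` now defaults to `false` where the flag was always passed before. Since this is a `workflow_call` interface, I would say so in the descriptions, e.g. `description: "Host paths served directly from the host file system, one per line (no default; previously /etc/hosts and /etc/resolv.conf were always added)"`, so existing callers know they must now pass them explicitly.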
92100jobs :
93101 build :
94102 runs-on : ${{ inputs.runner }}
95- env :
96- FROM_IMAGE : ${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
97- DEBUG_IMAGE : ${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}-scone-debug-${{ inputs.sconify-version }}
98- PROD_IMAGE : ${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}-scone-prod-${{ inputs.sconify-version }}
99103 outputs :
100104 debug-image : ${{ steps.push-debug.outputs.image }}
101105 debug-mrenclave : ${{ steps.push-debug.outputs.mrenclave }}
@@ -107,6 +111,44 @@ jobs:
107111 - name : Create Temporary Directory
108112 run : mkdir -p ${{github.workspace}}/tmp
109113
114+ - name : Prepare Sconify Command
115+ id : prepare-command
116+ run : |
117+ FROM_IMAGE=${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
118+ DEBUG_IMAGE=$FROM_IMAGE-scone-debug-${{ inputs.sconify-version }}
119+ echo "debug-image=$DEBUG_IMAGE" >> "$GITHUB_OUTPUT"
120+ PROD_IMAGE=$FROM_IMAGE-scone-prod-${{ inputs.sconify-version }}
121+ echo "prod-image=$PROD_IMAGE" >> "$GITHUB_OUTPUT"
122+ SCONIFY_CMD="sconify_iexec"
123+ # REQUIRED:
124+ # --from
125+ SCONIFY_CMD+=" --from=$FROM_IMAGE"
126+ # --to will be added later on
127+ # --binary
128+ SCONIFY_CMD+=" --binary=${{ inputs.binary }}"
129+ # OPTIONAL:
130+ # --command option
131+ [[ -n '${{ inputs.command }}' ]] && SCONIFY_CMD+=" --command=${{ inputs.command }}"
132+ # --host-path variadic option
133+ while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=` --host-path=$line` ; done <<< ${{ inputs.host-path }}
134+ # BINARY FILE SYSTEM (binary fs):
135+ # --binary-fs option
136+ if ${{ inputs.binary-fs }}; then SCONIFY_CMD+=" --binary-fs"; fi
137+ # --fs-dir variadic option
138+ while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=` --fs-dir=$line` ; done <<< ${{ inputs.fs-dir }}
139+ # --fs-file variadic option
140+ while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=` --file=$line` ; done <<< ${{ inputs.fs-file }}
141+ # SCONE ENV VARS:
142+ # --heap option
143+ [[ -n '${{ inputs.heap }}' ]] && SCONIFY_CMD+=" --heap=${{ inputs.heap }}"
144+ # --dlopen option
145+ [[ -n '${{ inputs.dlopen }}' ]] && SCONIFY_CMD+=" --dlopen=${{ inputs.dlopen }}"
146+ # DEBUG
147+ # --verbose --no-color options
148+ SCONIFY_CMD+=" --verbose --no-color"
149+ echo "sconify-base-command: $SCONIFY_CMD"
150+ echo "sconify-base-command=$SCONIFY_CMD" >> "$GITHUB_OUTPUT"
151+
110152 - name : Login to Docker Registry
111153 uses : docker/login-action@v3
112154 with :
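Review bot: The three variadic loops (new-side lines 133, 138 and 140) append with backticks, `` SCONIFY_CMD+=` --host-path=$line` ``, which bash treats as command substitution, so `--host-path=/etc/hosts` is executed as a command (exit 127, failing the step under `-e`) and nothing is ever appended; the quotes must be `"`. The same lines also feed the input straight into the script text via `<<< ${{ inputs.host-path }}`: a here-string takes one word, so with a multi-line input only the first line is read and every following line becomes a separate shell command, which is both a correctness bug and the classic script-injection shape for `run:` steps. Passing the free-form inputs through `env:` and quoting the variables fixes both, as sketched below; `--from` and `--binary` on new-side lines 125 and 128 could be handled the same way. One caveat on the `--command` option (line 131): `sconify-base-command` is later substituted unquoted into the `docker run` steps and word-split there, so a command containing spaces will no longer arrive as a single argument as it did with the removed `--command="${{ inputs.command }}"`; that option may be better appended in those later steps, quoted.

```yaml
      - name: Prepare Sconify Command
        id: prepare-command
        env:
          # Free-form inputs go through the environment so bash never parses them as script text
          COMMAND: ${{ inputs.command }}
          HOST_PATH: ${{ inputs.host-path }}
          FS_DIR: ${{ inputs.fs-dir }}
          FS_FILE: ${{ inputs.fs-file }}
        run: |
          # … unchanged: image name outputs, --from, --binary …
          [[ -n "$COMMAND" ]] && SCONIFY_CMD+=" --command=$COMMAND"
          while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=" --host-path=$line"; done <<< "$HOST_PATH"
          # … unchanged: --binary-fs …
          while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=" --fs-dir=$line"; done <<< "$FS_DIR"
          while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=" --file=$line"; done <<< "$FS_FILE"
          # … unchanged: --heap, --dlopen, --verbose --no-color, GITHUB_OUTPUT writes …
```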
@@ -134,28 +176,17 @@ jobs:
134176 --rm \
135177 -v /var/run/docker.sock:/var/run/docker.sock \
136178 registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
137- sconify_iexec \
138- --from=$FROM_IMAGE \
139- --to=$DEBUG_IMAGE \
140- --binary-fs \
141- --fs-dir=${{ inputs.fs-dir }} \
142- --host-path=/etc/hosts \
143- --host-path=/etc/resolv.conf \
144- --binary=${{ inputs.binary }} \
145- --heap=${{ inputs.heap }} \
146- --dlopen=${{ inputs.dlopen }} \
147- --no-color \
148- --verbose \
149- --command="${{ inputs.command }}"
179+ ${{ steps.prepare-command.outputs.sconify-base-command }} \
180+ --to=${{ steps.prepare-command.outputs.debug-image }}
150181
151182 - name : Push Debug Image
152183 if : ${{ inputs.sconify-debug }}
153184 id : push-debug
154185 run : |
155- docker push $DEBUG_IMAGE
156- echo "image=$DEBUG_IMAGE " >> "$GITHUB_OUTPUT"
157- echo "checksum=0x$(docker image inspect $DEBUG_IMAGE | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
158- echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 $DEBUG_IMAGE )" >> "$GITHUB_OUTPUT"
186+ docker push ${{ steps.prepare-command.outputs.debug-image }}
187+ echo "image=${{ steps.prepare-command.outputs.debug-image }} " >> "$GITHUB_OUTPUT"
188+ echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.debug-image }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
189+ echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.debug-image }} )" >> "$GITHUB_OUTPUT"
159190
160191 - name : Sconify Image Prod
161192 if : ${{ inputs.sconify-prod }}
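Review bot: The `checksum` output on new-side line 188 becomes the bare string `0x` whenever `docker image inspect` has no `RepoDigests` entry or any command in the pipeline fails, and that value is exported to callers who treat it as the image digest; I would compute it into a variable and fail loudly when it is empty, e.g. `IMAGE="${{ steps.prepare-command.outputs.debug-image }}"`, `DIGEST=$(docker image inspect "$IMAGE" | jq -r '.[0].RepoDigests[0]' | awk -F '@sha256:' '{print $2}')`, `[[ -n "$DIGEST" ]] || { echo "no registry digest for $IMAGE" >&2; exit 1; }`. Using that one `IMAGE` variable also removes the four repeated `${{ steps.prepare-command.outputs.debug-image }}` expansions in this step. On line 187, `echo "image=… " >> "$GITHUB_OUTPUT"` keeps a trailing space before the closing quote, which presumably ends up in the `image` output unless the runner trims it; drop it. The Push Prod Image hunk (new-side lines 209 to 212) has the same three points.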
@@ -167,29 +198,18 @@ jobs:
167198 -v /var/run/docker.sock:/var/run/docker.sock \
168199 -v ${{github.workspace}}/tmp/sig/enclave-key.pem:/sig/enclave-key.pem \
169200 registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
170- sconify_iexec \
171- --from=$FROM_IMAGE \
172- --to=$PROD_IMAGE \
173- --binary-fs \
174- --fs-dir=${{ inputs.fs-dir }} \
175- --host-path=/etc/hosts \
176- --host-path=/etc/resolv.conf \
177- --binary=${{ inputs.binary }} \
178- --heap=${{ inputs.heap }} \
179- --dlopen=${{ inputs.dlopen }} \
180- --no-color \
181- --verbose \
182- --command="${{ inputs.command }}" \
201+ ${{ steps.prepare-command.outputs.sconify-base-command }} \
202+ --to=${{ steps.prepare-command.outputs.prod-image }} \
183203 --scone-signer=/sig/enclave-key.pem
184204
185205 - name : Push Prod Image
186206 if : ${{ inputs.sconify-prod }}
187207 id : push-prod
188208 run : |
189- docker push $PROD_IMAGE
190- echo "image=$PROD_IMAGE " >> "$GITHUB_OUTPUT"
191- echo "checksum=0x$(docker image inspect $PROD_IMAGE | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
192- echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 $PROD_IMAGE )" >> "$GITHUB_OUTPUT"
209+ docker push ${{ steps.prepare-command.outputs.prod-image }}
210+ echo "image=${{ steps.prepare-command.outputs.prod-image }} " >> "$GITHUB_OUTPUT"
211+ echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.prod-image }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
212+ echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.prod-image }} )" >> "$GITHUB_OUTPUT"
193213
194214 - name : Clean Temporary Directory
195215 if : always()