
feat(sconify)!: move usernames to secret and ouput tags (#77)
* fix(sconify)!: move usernames to secrets
* fix(sconify)!: output debug-image-tag and prod-image-tag instead of debug-image and prod-image
* docs(sconify): evergreen workflow version example
1 parent 64773d4 commit c3101d7


2 files changed

+67
-76
lines changed


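--- a/.github/workflows/sconify.yml
+++ b/.github/workflows/sconify.yml
@@ -7,10 +7,6 @@ on:
         description: "Docker registry of docker image to sconify"
         default: "docker.io"
         type: string
-      docker-username:
-        description: "Docker registry username"
-        type: string
-        required: true
       image-name:
         description: "Name of docker image to sconify"
         type: string
@@ -19,10 +15,6 @@ on:
         description: "Tag of docker image to sconify"
         type: string
         required: true
-      scontain-username:
-        description: "Scontain registry username"
-        type: string
-        required: true
       sconify-version:
         description: "Version of the sconify image to use"
         type: string
@@ -72,28 +64,34 @@ on:
         type: string
         default: "ubuntu-latest"
     secrets:
+      docker-username:
+        description: "Docker registry username"
+        required: true
       docker-password:
         description: "Docker Registry Password or Token"
         required: true
+      scontain-username:
+        description: "Scontain registry username"
+        required: true
       scontain-password:
         description: "Scontain Registry Password or Token"
         required: true
       scone-signing-key:
         description: "Signing Key for Scone Production (not required with `sconify-prod: false`)"
         required: false
     outputs:
-      debug-image:
-        description: "Debug Sconified Image"
-        value: ${{ jobs.build.outputs.debug-image }}
+      debug-image-tag:
+        description: "Debug Sconified Image Tag"
+        value: ${{ jobs.build.outputs.debug-image-tag }}
       debug-mrenclave:
         description: "Debug Sconified Image MrEnclave Fingerprint"
         value: ${{ jobs.build.outputs.debug-mrenclave }}
       debug-checksum:
         description: "Debug Sconified Image Checksum"
         value: ${{ jobs.build.outputs.debug-checksum }}
-      prod-image:
-        description: "Prod Sconified Image"
-        value: ${{ jobs.build.outputs.prod-image }}
+      prod-image-tag:
+        description: "Prod Sconified Image Tag"
+        value: ${{ jobs.build.outputs.prod-image-tag }}
       prod-mrenclave:
         description: "Prod Sconified Image MrEnclave Fingerprint"
         value: ${{ jobs.build.outputs.prod-mrenclave }}
@@ -105,10 +103,10 @@ jobs:
   build:
     runs-on: ${{ inputs.runner }}
     outputs:
-      debug-image: ${{ steps.push-debug.outputs.image }}
+      debug-image-tag: ${{ steps.push-debug.outputs.tag }}
       debug-mrenclave: ${{ steps.push-debug.outputs.mrenclave }}
       debug-checksum: ${{ steps.push-debug.outputs.checksum }}
-      prod-image: ${{ steps.push-prod.outputs.image }}
+      prod-image-tag: ${{ steps.push-prod.outputs.tag }}
       prod-mrenclave: ${{ steps.push-prod.outputs.mrenclave }}
       prod-checksum: ${{ steps.push-prod.outputs.checksum }}
     steps:
@@ -118,17 +116,19 @@ jobs:
       - name: Prepare Sconify Command
         id: prepare-command
         run: |
-          FROM_IMAGE=${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
-          DEBUG_IMAGE=$FROM_IMAGE-scone-debug-${{ inputs.sconify-version }}
-          echo "debug-image=$DEBUG_IMAGE"
-          echo "debug-image=$DEBUG_IMAGE" >> "$GITHUB_OUTPUT"
-          PROD_IMAGE=$FROM_IMAGE-scone-prod-${{ inputs.sconify-version }}
-          echo "prod-image=$PROD_IMAGE"
-          echo "prod-image=$PROD_IMAGE" >> "$GITHUB_OUTPUT"
+          IMAGE_REPO=${{ inputs.docker-registry }}/${{ inputs.image-name }}
+          DEBUG_IMAGE_TAG=${{ inputs.image-tag }}-scone-debug-${{ inputs.sconify-version }}
+          PROD_IMAGE_TAG=${{ inputs.image-tag }}-scone-prod-${{ inputs.sconify-version }}
+
+          echo "image-repo=$IMAGE_REPO" | tee -a "$GITHUB_OUTPUT"
+          echo "debug-image-tag=$DEBUG_IMAGE_TAG" | tee -a "$GITHUB_OUTPUT"
+          echo "prod-image-tag=$PROD_IMAGE_TAG" | tee -a "$GITHUB_OUTPUT"
+
+          # Prepare the base command for sconify
           SCONIFY_CMD="sconify_iexec"
           # REQUIRED:
           # --from
-          SCONIFY_CMD+=" --from=$FROM_IMAGE"
+          SCONIFY_CMD+=" --from=$IMAGE_REPO:${{ inputs.image-tag }}"
           # --to will be added later on
           # --binary
           SCONIFY_CMD+=" --binary=${{ inputs.binary }}"
@@ -154,21 +154,21 @@ jobs:
           # DEBUG
           # --verbose --no-color options
           SCONIFY_CMD+=" --verbose --no-color"
-          echo "sconify-base-command=$SCONIFY_CMD"
-          echo "sconify-base-command=$SCONIFY_CMD" >> "$GITHUB_OUTPUT"
+
+          echo "sconify-base-command=$SCONIFY_CMD" | tee -a "$GITHUB_OUTPUT"
 
       - name: Login to Docker Registry
         uses: docker/login-action@v3
         with:
           registry: ${{ inputs.docker-registry }}
-          username: ${{ inputs.docker-username }}
+          username: ${{ secrets.docker-username }}
           password: ${{ secrets.docker-password }}
 
       - name: Login to Scontain Docker Registry
         uses: docker/login-action@v3
         with:
           registry: "registry.scontain.com"
-          username: ${{ inputs.scontain-username }}
+          username: ${{ secrets.scontain-username }}
           password: ${{ secrets.scontain-password }}
 
       - name: Pull Image to Sconify
@@ -185,16 +185,16 @@ jobs:
             -v /var/run/docker.sock:/var/run/docker.sock \
             registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
             ${{ steps.prepare-command.outputs.sconify-base-command }} \
-            --to=${{ steps.prepare-command.outputs.debug-image }}
+            --to=${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }}
 
       - name: Push Debug Image
         if: ${{ inputs.sconify-debug }}
         id: push-debug
         run: |
-          docker push ${{ steps.prepare-command.outputs.debug-image }}
-          echo "image=${{ steps.prepare-command.outputs.debug-image }}" >> "$GITHUB_OUTPUT"
-          echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.debug-image }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
-          echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.debug-image }})" >> "$GITHUB_OUTPUT"
+          docker push ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }}
+          echo "tag=${{ steps.prepare-command.outputs.debug-image-tag }}" | tee -a "$GITHUB_OUTPUT"
+          echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT"
+          echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }})" | tee -a "$GITHUB_OUTPUT"
 
       - name: Sconify Image Prod
         if: ${{ inputs.sconify-prod }}
@@ -207,17 +207,17 @@ jobs:
             -v ${{github.workspace}}/tmp/sig/enclave-key.pem:/sig/enclave-key.pem \
             registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
             ${{ steps.prepare-command.outputs.sconify-base-command }} \
-            --to=${{ steps.prepare-command.outputs.prod-image }} \
+            --to=${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }} \
             --scone-signer=/sig/enclave-key.pem
 
       - name: Push Prod Image
         if: ${{ inputs.sconify-prod }}
         id: push-prod
         run: |
-          docker push ${{ steps.prepare-command.outputs.prod-image }}
-          echo "image=${{ steps.prepare-command.outputs.prod-image }}" >> "$GITHUB_OUTPUT"
-          echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.prod-image }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" >> "$GITHUB_OUTPUT"
-          echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.prod-image }})" >> "$GITHUB_OUTPUT"
+          docker push ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }}
+          echo "tag=${{ steps.prepare-command.outputs.prod-image-tag }}" | tee -a "$GITHUB_OUTPUT"
+          echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT"
+          echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }})" | tee -a "$GITHUB_OUTPUT"
 
       - name: Clean Temporary Directory
         if: always()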
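Review bot: The rewritten `Prepare Sconify Command` lines (new 119-121 and 131) still splice `${{ inputs.image-tag }}` and `${{ inputs.sconify-version }}` verbatim into the `run:` script and from there, unquoted, into `$GITHUB_OUTPUT`, so a tag value containing shell metacharacters or a newline supplied by a calling workflow is interpreted by the runner shell or becomes extra step outputs that the later `docker run`/`docker push` lines consume. Since the commit already reworks how these values are assembled, this is the moment to pass them through `env:` and expand them as quoted shell variables, which also leaves `image-repo` as the single place to sanity-check the registry/name pair. Whether callers of this reusable workflow ever forward untrusted tags is not visible here, but the indirection costs nothing. The `run: |` block continues past the end of the hunk, so the remaining `SCONIFY_CMD+=` lines that interpolate inputs would want the same treatment.

```yaml
      - name: Prepare Sconify Command
        id: prepare-command
        env:
          IMAGE_REPO: ${{ inputs.docker-registry }}/${{ inputs.image-name }}
          IMAGE_TAG: ${{ inputs.image-tag }}
          SCONIFY_VERSION: ${{ inputs.sconify-version }}
        run: |
          DEBUG_IMAGE_TAG="${IMAGE_TAG}-scone-debug-${SCONIFY_VERSION}"
          PROD_IMAGE_TAG="${IMAGE_TAG}-scone-prod-${SCONIFY_VERSION}"
          # … unchanged: echo … | tee -a "$GITHUB_OUTPUT" lines and SCONIFY_CMD setup …
          SCONIFY_CMD+=" --from=${IMAGE_REPO}:${IMAGE_TAG}"
```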

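--- a/sconify/README.md
+++ b/sconify/README.md
@@ -22,23 +22,22 @@ The workflow performs the following actions:
 
 ## Workflow Inputs 🛠️
 
-| **Input** | **Description** | **Required** | **Default** |
-| --------------------- | -------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------- |
-| **docker-registry** | Docker registry of docker image to sconify | No | docker.io |
-| **docker-username** | Docker registry username | Yes | - |
-| **image-name** | Name of docker image to sconify | Yes | - |
-| **image-tag** | Tag of docker image to sconify | Yes | - |
-| **scontain-username** | Scontain registry username | Yes | - |
-| **sconify-version** | Version of the sconify image to use | Yes | - |
-| **binary** | [SCONE] Path of the binary to use | Yes | - |
-| **command** | [SCONE] Command to execute | No | ENTRYPOINT + CMD of native image |
-| **binary-fs** | [SCONE] Embed the file system into the binary via Scone binary file system | No | false |
-| **fs-dir** | [SCONE] Path of directories to add to the binary file system (use multiline to add multiple directories) | No | - |
-| **fs-file** | [SCONE] Path of files to add to the binary file system (use multiline to add multiple files) | No | - |
-| **host-path** | [SCONE] Host path, served directly from the host file system (use multiline to add multiple path) | No | - |
-| **heap** | [SCONE] Enclave heap size | No | 1G |
-| **dlopen** | [SCONE] Scone dlopen mode (0:disable; 1:enable) | No | 0 |
-| **mprotect** | [SCONE] Scone mprotect mode (0:disable; 1:enable) | No | 0 |
+| **Input** | **Description** | **Required** | **Default** |
+| ------------------- | -------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------- |
+| **docker-registry** | Docker registry of docker image to sconify | No | docker.io |
+| **docker-username** | Docker registry username | Yes | - |
+| **image-name** | Name of docker image to sconify | Yes | - |
+| **image-tag** | Tag of docker image to sconify | Yes | - |
+| **sconify-version** | Version of the sconify image to use | Yes | - |
+| **binary** | [SCONE] Path of the binary to use | Yes | - |
+| **command** | [SCONE] Command to execute | No | ENTRYPOINT + CMD of native image |
+| **binary-fs** | [SCONE] Embed the file system into the binary via Scone binary file system | No | false |
+| **fs-dir** | [SCONE] Path of directories to add to the binary file system (use multiline to add multiple directories) | No | - |
+| **fs-file** | [SCONE] Path of files to add to the binary file system (use multiline to add multiple files) | No | - |
+| **host-path** | [SCONE] Host path, served directly from the host file system (use multiline to add multiple path) | No | - |
+| **heap** | [SCONE] Enclave heap size | No | 1G |
+| **dlopen** | [SCONE] Scone dlopen mode (0:disable; 1:enable) | No | 0 |
+| **mprotect** | [SCONE] Scone mprotect mode (0:disable; 1:enable) | No | 0 |
 
 | **sconify-debug** | Create Scone debug image | No | true |
 | **sconify-prod** | Create Scone production image | No | true |
@@ -50,18 +49,20 @@ The workflow performs the following actions:
 
 | **Secret** | **Description** | **Required** |
 | --------------------- | ----------------------------------------------- | --------------------------------------- |
+| **docker-username** | Docker registry username | yes |
 | **docker-password** | Docker Registry Password or Token | Yes |
+| **scontain-username** | Scontain registry username | Yes |
 | **scontain-password** | Scontain Registry Password or Token | Yes |
 | **scone-signing-key** | Signing Key for Scone Production (PEM RSA-3072) | Yes unless `inputs.sconify-prod: false` |
 
 ### Outputs 📤
 
 | **Output** | **Description** |
 | ------------------- | ---------------------------------------------------------------------------------- |
-| **debug-image** | Debug Sconified Image (unless `inputs.sconify-debug: false`) |
+| **debug-image-tag** | Debug Sconified Image Tag (unless `inputs.sconify-debug: false`) |
 | **debug-mrenclave** | Debug Sconified Image MrEnclave Fingerprint (unless `inputs.sconify-debug: false`) |
 | **debug-checksum** | Debug Sconified Image Checksum (unless `inputs.sconify-debug: false`) |
-| **prod-image** | Prod Sconified Image (unless `inputs.sconify-prod: false`) |
+| **prod-image-tag** | Prod Sconified Image Tag (unless `inputs.sconify-prod: false`) |
 | **prod-mrenclave** | Prod Sconified Image MrEnclave Fingerprint (unless `inputs.sconify-prod: false`) |
 | **prod-checksum** | Prod Sconified Image Checksum (unless `inputs.sconify-prod: false`) |
 
@@ -94,7 +95,8 @@ on:
 
 jobs:
   sconify:
-    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    # ⚠️ use tagged version here
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/sconify.yml@main
     with:
       # runner: your-runner-here ⚠️ control the runner used in the workflow to match your requirements
       image-name: ${{ inputs.image-name }}
@@ -113,9 +115,9 @@ jobs:
       heap: 1G
       dlopen: 1
       mprotect: 1
-      docker-username: ${{ vars.DOCKER_USERNAME }}
-      scontain-username: ${{ vars.SCONTAIN_USERNAME }}
     secrets:
+      docker-username: ${{ secrets.DOCKER_USERNAME }}
+      scontain-username: ${{ secrets.SCONTAIN_USERNAME }}
       docker-password: ${{ secrets.DOCKER_TOKEN }}
       scontain-password: ${{ secrets.SCONTAIN_TOKEN }}
       scone-signing-key: ${{ secrets.SCONE_SIGNING_KEY }}
@@ -126,26 +128,15 @@ jobs:
     needs: sconify
     steps:
       - run: |
-          echo "DEBUG IMAGE INFO: image=${{ needs.sconify.outputs.debug-image }} | checksum=${{ needs.sconify.outputs.debug-checksum }} | mrenclave=${{ needs.sconify.outputs.debug-mrenclave }}"
-          echo "PROD IMAGE INFO: image=${{ needs.sconify.outputs.prod-image }} | checksum=${{ needs.sconify.outputs.prod-checksum }} | mrenclave=${{ needs.sconify.outputs.prod-mrenclave }}"
+          echo "DEBUG IMAGE INFO: tag=${{ needs.sconify.outputs.debug-image-tag }} | checksum=${{ needs.sconify.outputs.debug-checksum }} | mrenclave=${{ needs.sconify.outputs.debug-mrenclave }}"
+          echo "PROD IMAGE INFO: tag=${{ needs.sconify.outputs.prod-image-tag }} | checksum=${{ needs.sconify.outputs.prod-checksum }} | mrenclave=${{ needs.sconify.outputs.prod-mrenclave }}"
 ```
 
-3. **Configure Variables**
-   Ensure that the following variables are added to your repository's settings:
-
-   - `DOCKER_USERNAME`: Your Docker Registry username
-   - `SCONTAIN_USERNAME`: Your Scontain username
-
-   NB: Beware if you choose to use secrets to store registries usernames;
-   registries usernames can appear in sconified image names outputted as `outputs.debug-image` and `outputs.prod-image`, in such a case GitHub Actions blanks the outputs with this waring:
-
-   > Skip output 'prod-image' since it may contain secret.
-
-   > Skip output 'debug-image' since it may contain secret.
-
-4. **Configure Secrets**
+3. **Configure Secrets**
    Ensure that the following secrets are added to your repository's settings:
+   - `DOCKER_USERNAME`: Your Docker Registry username
    - `DOCKER_PASSWORD`: Your Docker Registry password or access token
+   - `SCONTAIN_USERNAME`: Your Scontain username
    - `SCONTAIN_PASSWORD`: Your Scontain password or access token
    - `SCONE_SIGNING_KEY`: The key to use for signing Scone Prod applications
 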