feat: add GitHub Actions workflow for web3telegram dapp deployment

- Add dapp-deploy.yml workflow with sconify and deployment steps
- Update deployment-dapp scripts to work with GitHub Actions
- Replace DRONE_DEPLOY_TO with DEPLOY_ENVIRONMENT
- Add support for pre-computed checksums from sconify workflow
- Remove legacy Drone CI support from deployment scripts
- Configure workflow to use public Docker registry and production sconify images

Author: SeddikBellamine

.github/workflows/dapp-deploy.yml

@@ -0,0 +1,163 @@
+name: Deploy DApp Contract
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deployment environment'
+        required: true
+        type: choice
+        options:
+          - dapp-dev
+          - dapp-prod
+      image-tag:
+        description: 'Tag for the dapp image to sconify'
+        required: true
+        type: string
+        default: 'latest'
+      sconify-version:
+        description: 'Version of the sconify image to use'
+        type: string
+        default: '5.7.6-v15'
+
+env:
+  DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
+
+jobs:
+  sconify:
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    with:
+      image-name: product/web3telegram-dapp
+      image-tag: ${{ inputs.image-tag }}
+      sconify-debug: false
+      sconify-prod: true
+      docker-registry: docker.io
+      sconify-version: ${{ inputs.sconify-version }}
+      binary: /usr/local/bin/node
+      command: node /app/src/app.js
+      host-path: |
+        /etc/hosts
+        /etc/resolv.conf
+      binary-fs: true
+      fs-dir: /app
+      heap: 1G
+      dlopen: 1
+      mprotect: 1
+      docker-username: ${{ vars.DOCKERHUB_USERNAME }}
+      scontain-username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+    secrets:
+      docker-password: ${{ secrets.DOCKERHUB_PAT }}
+      scontain-password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+      scone-signing-key: ${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}
+
+  display-sconify-results:
+    runs-on: ubuntu-latest
+    needs: sconify
+    steps:
+      - name: Display Sconify Results
+        run: |
+          echo "## Sconify Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          echo "### Production Image" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image**: ${{ needs.sconify.outputs.prod-image }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Checksum**: ${{ needs.sconify.outputs.prod-checksum }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **MrEnclave**: ${{ needs.sconify.outputs.prod-mrenclave }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          echo "### Summary" >> $GITHUB_STEP_SUMMARY
+          echo "Sconification completed successfully!" >> $GITHUB_STEP_SUMMARY
+
+  deploy-dapp:
+    runs-on: ubuntu-latest
+    needs: sconify
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18.19'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          cd node_modules/whitelist-smart-contract
+          npm install --save-dev ts-node
+          cd ../../deployment-dapp
+          npm ci
+
+            - name: Create scone fingerprint file
+        run: |
+          MRENCLAVE="${{ needs.sconify.outputs.prod-mrenclave }}"
+          echo "$MRENCLAVE" > deployment-dapp/.scone-fingerprint
+
+      - name: Deploy dapp contract
+        env:
+          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
+          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
+          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
+          DOCKER_IMAGE_CHECKSUM_DEV: ${{ needs.sconify.outputs.prod-checksum }}
+          DOCKER_IMAGE_CHECKSUM_PROD: ${{ needs.sconify.outputs.prod-checksum }}
+        run: |
+          cd deployment-dapp
+          npm run deploy-dapp
+
+      - name: Push dapp secret
+        env:
+          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
+          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
+          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
+          TELEGRAM_BOT_TOKEN_DEV: ${{ secrets.TELEGRAM_BOT_TOKEN_DEV }}
+          TELEGRAM_BOT_TOKEN_PROD: ${{ secrets.TELEGRAM_BOT_TOKEN_PROD }}
+        run: |
+          cd deployment-dapp
+          npm run push-dapp-secret
+
+      - name: Publish free sell order
+        env:
+          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
+          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
+          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
+          PRICE: '0'
+          VOLUME: '1000000000'
+        run: |
+          cd deployment-dapp
+          npm run publish-sell-order
+
+      - name: Add resource to whitelist (dev)
+        if: inputs.environment == 'dapp-dev'
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.DEPLOYER_DEV_PRIVATEKEY }}
+          CONTRACT_ADDRESS: ${{ secrets.WEB3TELEGRAM_WHITELIST_DEV_ADDRESS }}
+        run: |
+          cd node_modules/whitelist-smart-contract
+          export ADDRESS_TO_ADD=$(cat ../../deployment-dapp/.app-address) && npm run addResourceToWhitelist
+
+      - name: Add resource to whitelist (prod)
+        if: inputs.environment == 'dapp-prod'
+        env:
+          WALLET_PRIVATE_KEY: ${{ secrets.DEPLOYER_PROD_PRIVATEKEY }}
+          CONTRACT_ADDRESS: ${{ secrets.WEB3TELEGRAM_WHITELIST_PROD_ADDRESS }}
+        run: |
+          cd node_modules/whitelist-smart-contract
+          export ADDRESS_TO_ADD=$(cat ../../deployment-dapp/.app-address) && npm run addResourceToWhitelist
+
+      - name: Configure ENS
+        env:
+          DEPLOY_ENVIRONMENT: ${{ inputs.environment }}
+          WALLET_PRIVATE_KEY_DEV: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_DEV_PRIVATEKEY }}
+          WALLET_PRIVATE_KEY_PROD: ${{ secrets.WEB3TELEGRAM_DAPP_OWNER_PROD_PRIVATEKEY }}
+        run: |
+          cd deployment-dapp
+          npm run configure-ens
+
+      - name: Upload deployment artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: deployment-artifacts
+          path: |
+            deployment-dapp/.app-address
+            deployment-dapp/.scone-fingerprint

deployment-dapp/src/config/config.ts

@@ -27,17 +27,19 @@ const dappVersion = JSON.parse(
 export const DOCKER_IMAGE_NAMESPACE = 'iexechub';
 export const DOCKER_IMAGE_REPOSITORY = 'web3telegram-dapp';
 export const DOCKER_IMAGE_PROD_TAG = `${dappVersion}-sconify-${SCONIFIER_VERSION}-production`;
-export const DOCKER_IMAGE_DEV_TAG = `dev-${process.env.DRONE_COMMIT}-sconify-${SCONIFIER_VERSION}-production`;
+export const DOCKER_IMAGE_DEV_TAG = `dev-${
+  process.env.GITHUB_SHA || 'latest'
+}-sconify-${SCONIFIER_VERSION}-production`;
 
-//drone target
-export const DRONE_TARGET_DEPLOY_DEV = 'dapp-dev';
-export const DRONE_TARGET_DEPLOY_PROD = 'dapp-prod';
-export const DRONE_TARGET_SELL_ORDER_DEV = 'dapp-publish-sell-order-dev';
-export const DRONE_TARGET_SELL_ORDER_PROD = 'dapp-publish-sell-order-prod';
-export const DRONE_TARGET_REVOKE_SELL_ORDER_DEV = 'dapp-revoke-sell-order-dev';
-export const DRONE_TARGET_REVOKE_SELL_ORDER_PROD =
+//deployment targets for GitHub Actions
+export const DEPLOY_TARGET_DEV = 'dapp-dev';
+export const DEPLOY_TARGET_PROD = 'dapp-prod';
+export const DEPLOY_TARGET_SELL_ORDER_DEV = 'dapp-publish-sell-order-dev';
+export const DEPLOY_TARGET_SELL_ORDER_PROD = 'dapp-publish-sell-order-prod';
+export const DEPLOY_TARGET_REVOKE_SELL_ORDER_DEV = 'dapp-revoke-sell-order-dev';
+export const DEPLOY_TARGET_REVOKE_SELL_ORDER_PROD =
   'dapp-revoke-sell-order-prod';
-export const DRONE_TARGET_PUSH_SECRET_DEV = 'dapp-push-secret-dev';
-export const DRONE_TARGET_PUSH_SECRET_PROD = 'dapp-push-secret-prod';
-export const DRONE_TARGET_CONFIGURE_ENS_DEV = 'configure-ens-dev';
-export const DRONE_TARGET_CONFIGURE_ENS_PROD = 'configure-ens-prod';
+export const DEPLOY_TARGET_PUSH_SECRET_DEV = 'dapp-push-secret-dev';
+export const DEPLOY_TARGET_PUSH_SECRET_PROD = 'dapp-push-secret-prod';
+export const DEPLOY_TARGET_CONFIGURE_ENS_DEV = 'configure-ens-dev';
+export const DEPLOY_TARGET_CONFIGURE_ENS_PROD = 'configure-ens-prod';

deployment-dapp/src/configureEnsNameScript.ts

@@ -1,55 +1,57 @@
 import {
-  DRONE_TARGET_CONFIGURE_ENS_DEV,
-  DRONE_TARGET_CONFIGURE_ENS_PROD,
-  DRONE_TARGET_DEPLOY_DEV,
-  DRONE_TARGET_DEPLOY_PROD,
+  DEPLOY_TARGET_CONFIGURE_ENS_DEV,
+  DEPLOY_TARGET_CONFIGURE_ENS_PROD,
+  DEPLOY_TARGET_DEV,
+  DEPLOY_TARGET_PROD,
   WEB3_TELEGRAM_ENS_NAME_DEV,
   WEB3_TELEGRAM_ENS_NAME_PROD,
 } from './config/config.js';
 import { getIExec, loadAppAddress } from './utils/utils.js';
 import { configureEnsName } from './singleFunction/configureEnsName.js';
 
 const main = async () => {
-  // get env variables from drone
+  // get env variables from GitHub Actions
   const {
-    DRONE_DEPLOY_TO,
+    DEPLOY_ENVIRONMENT,
     WALLET_PRIVATE_KEY_DEV,
     WALLET_PRIVATE_KEY_PROD,
     DEPLOYED_APP_ADDRESS, // if already deployed in a previous step and want to configure ENS promoting configure-ens pipeline
     ENS_NAME,
   } = process.env;
 
+  const deployTarget = DEPLOY_ENVIRONMENT;
+
   if (
-    !DRONE_DEPLOY_TO ||
-    (DRONE_DEPLOY_TO !== DRONE_TARGET_DEPLOY_DEV &&
-      DRONE_DEPLOY_TO !== DRONE_TARGET_DEPLOY_PROD &&
-      DRONE_DEPLOY_TO !== DRONE_TARGET_CONFIGURE_ENS_DEV &&
-      DRONE_DEPLOY_TO !== DRONE_TARGET_CONFIGURE_ENS_PROD)
+    !deployTarget ||
+    (deployTarget !== DEPLOY_TARGET_DEV &&
+      deployTarget !== DEPLOY_TARGET_PROD &&
+      deployTarget !== DEPLOY_TARGET_CONFIGURE_ENS_DEV &&
+      deployTarget !== DEPLOY_TARGET_CONFIGURE_ENS_PROD)
   )
-    throw Error(`Invalid promote target ${DRONE_DEPLOY_TO}`);
+    throw Error(`Invalid promote target ${deployTarget}`);
 
   const appAddress = DEPLOYED_APP_ADDRESS ?? (await loadAppAddress()); // use ALREADY_DEPLOYED_APP_ADDRESS when promoting configure-ens pipeline
   let privateKey;
   let ensName;
   if (
-    DRONE_DEPLOY_TO === DRONE_TARGET_DEPLOY_DEV ||
-    DRONE_DEPLOY_TO === DRONE_TARGET_CONFIGURE_ENS_DEV
+    deployTarget === DEPLOY_TARGET_DEV ||
+    deployTarget === DEPLOY_TARGET_CONFIGURE_ENS_DEV
   ) {
     privateKey = WALLET_PRIVATE_KEY_DEV;
     ensName = ENS_NAME ?? WEB3_TELEGRAM_ENS_NAME_DEV;
   } else if (
-    DRONE_DEPLOY_TO === DRONE_TARGET_DEPLOY_PROD ||
-    DRONE_DEPLOY_TO === DRONE_TARGET_CONFIGURE_ENS_PROD
+    deployTarget === DEPLOY_TARGET_PROD ||
+    deployTarget === DEPLOY_TARGET_CONFIGURE_ENS_PROD
   ) {
     privateKey = WALLET_PRIVATE_KEY_PROD;
     ensName = ENS_NAME ?? WEB3_TELEGRAM_ENS_NAME_PROD;
   }
 
   if (!privateKey)
-    throw Error(`Failed to get privateKey for target ${DRONE_DEPLOY_TO}`);
+    throw Error(`Failed to get privateKey for target ${deployTarget}`);
 
   if (!ensName)
-    throw Error(`Failed to get ens name for target ${DRONE_DEPLOY_TO}`);
+    throw Error(`Failed to get ens name for target ${deployTarget}`);
 
   const iexec = getIExec(privateKey);
 

deployment-dapp/src/deployScript.ts

@@ -2,46 +2,64 @@ import { deployApp } from './singleFunction/deployApp.js';
 import {
   DOCKER_IMAGE_DEV_TAG,
   DOCKER_IMAGE_PROD_TAG,
-  DRONE_TARGET_DEPLOY_DEV,
-  DRONE_TARGET_DEPLOY_PROD,
+  DEPLOY_TARGET_DEV,
+  DEPLOY_TARGET_PROD,
 } from './config/config.js';
 import { getIExec, saveAppAddress } from './utils/utils.js';
 
 const main = async () => {
-  // get env variables from drone
-  const { DRONE_DEPLOY_TO, WALLET_PRIVATE_KEY_DEV, WALLET_PRIVATE_KEY_PROD } =
-    process.env;
+  // get env variables from GitHub Actions
+  const {
+    DEPLOY_ENVIRONMENT,
+    WALLET_PRIVATE_KEY_DEV,
+    WALLET_PRIVATE_KEY_PROD,
+    DOCKER_IMAGE_CHECKSUM_DEV,
+    DOCKER_IMAGE_CHECKSUM_PROD,
+  } = process.env;
+
+  const deployTarget = DEPLOY_ENVIRONMENT;
 
   if (
-    !DRONE_DEPLOY_TO ||
-    (DRONE_DEPLOY_TO !== DRONE_TARGET_DEPLOY_DEV &&
-      DRONE_DEPLOY_TO !== DRONE_TARGET_DEPLOY_PROD)
+    !deployTarget ||
+    (deployTarget !== DEPLOY_TARGET_DEV && deployTarget !== DEPLOY_TARGET_PROD)
   )
-    throw Error(`Invalid promote target ${DRONE_DEPLOY_TO}`);
+    throw Error(`Invalid promote target ${deployTarget}`);
 
   let privateKey;
-  if (DRONE_DEPLOY_TO === DRONE_TARGET_DEPLOY_DEV) {
+  let checksum;
+  if (deployTarget === DEPLOY_TARGET_DEV) {
     privateKey = WALLET_PRIVATE_KEY_DEV;
-  } else if (DRONE_DEPLOY_TO === DRONE_TARGET_DEPLOY_PROD) {
+    checksum = DOCKER_IMAGE_CHECKSUM_DEV;
+  } else if (deployTarget === DEPLOY_TARGET_PROD) {
     privateKey = WALLET_PRIVATE_KEY_PROD;
+    checksum = DOCKER_IMAGE_CHECKSUM_PROD;
   }
 
   if (!privateKey)
-    throw Error(`Failed to get privateKey for target ${DRONE_DEPLOY_TO}`);
+    throw Error(`Failed to get privateKey for target ${deployTarget}`);
 
   const iexec = getIExec(privateKey);
 
   let dockerImageTag;
-  if (DRONE_DEPLOY_TO === DRONE_TARGET_DEPLOY_DEV) {
+  if (deployTarget === DEPLOY_TARGET_DEV) {
     dockerImageTag = DOCKER_IMAGE_DEV_TAG;
-  } else if (DRONE_DEPLOY_TO === DRONE_TARGET_DEPLOY_PROD) {
+  } else if (deployTarget === DEPLOY_TARGET_PROD) {
     dockerImageTag = DOCKER_IMAGE_PROD_TAG;
   }
 
+  console.log(`Deploying with environment: ${deployTarget}`);
+  console.log(`Using image tag: ${dockerImageTag}`);
+  if (checksum) {
+    console.log(`Using pre-computed checksum: ${checksum}`);
+  } else {
+    console.log('Fetching checksum from Docker Hub...');
+  }
+
   //deploy app
   const address = await deployApp({
     iexec,
     dockerTag: dockerImageTag,
+    checksum,
   });
   await saveAppAddress(address);
 };