feat: add GitHub actions workflows

.github/workflows/conventional-commits.yaml

@@ -0,0 +1,14 @@
+name: Conventional Commit as PR title
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - reopened
+
+jobs:
+  lint-pr-title:
+    permissions:
+      pull-requests: read
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/conventional-commits.yml@conventional-commits-v1.1.0

.github/workflows/docker-build.yaml

@@ -0,0 +1,118 @@
+name: Build and Push OCI Image
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  prepare:
+    name: Determine image tag
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          if [ "${{ github.ref_type }}" = "tag" ] ; then
+            # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag
+            TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+            if [ -z "$TAG_ON_MAIN" ] ; then
+              echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+              echo "Tags must be created on main branch to generate X.Y.Z image tags"
+              exit 1
+            fi
+
+            GITHUB_REF_NAME="${{ github.ref_name }}"
+            echo "Processing tag on main branch: ${{ github.ref_name }}"
+            echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT
+          else
+            if [ "${{ github.event_name }}" = "pull_request" ] ; then
+              SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
+            else
+              SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+            fi
+
+            if [ "${{ github.ref_name }}" = "main" ] ; then
+              echo "Processing main branch"
+              echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+            else
+              # This covers other branches
+              echo "Processing feature/bugfix branch ${{ github.head_ref }}"
+              echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+            fi
+          fi
+
+  build-oci-image:
+    name: Build OCI image
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
+    with:
+      image-name: docker-regis.iex.ec/python-hello-world
+      image-tag: ${{ needs.prepare.outputs.image_tag }}
+      dockerfile: cloud-computing/Dockerfile
+      context: cloud-computing
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+      platforms: linux/amd64
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
+
+  build-tee-image:
+    name: Build TEE image
+    needs: [prepare, build-oci-image]
+    runs-on: ubuntu-latest
+    env:
+      native_image: docker-regis.iex.ec/python-hello-world
+      enclave_image: docker-regis.iex.ec/python-hello-world-unlocked
+      sconify_image: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked
+      sconify_version: 5.9.1
+    steps:
+      - name: Login to Scontain registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.scontain.com
+          username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+          password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+      - name: Login to Docker regis
+        uses: docker/login-action@v3
+        with:
+          registry: docker-regis.iex.ec
+          username: ${{ secrets.NEXUS_USERNAME }}
+          password: ${{ secrets.NEXUS_PASSWORD }}
+      - name: Pull sconification tools
+        run: docker pull $sconify_image:$sconify_version
+      - name: Pull native image
+        run: docker pull $native_image:${{ needs.prepare.outputs.image_tag }}
+      - name: Sconify
+        run: |
+          IMG_FROM=$native_image:${{ needs.prepare.outputs.image_tag }}
+          IMG_TO=$enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug
+          SCONE_IMAGE=$sconify_image:$sconify_version
+          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCONE_IMAGE \
+            sconify_iexec --cli=$SCONE_IMAGE --crosscompiler=$SCONE_IMAGE \
+              --from=$IMG_FROM --to=$IMG_TO --binary-fs --fs-dir=/app --binary=/usr/local/bin/python3.7 \
+              --heap=1G --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose
+          echo
+          docker run --rm -e SCONE_HASH=1 $IMG_TO
+      - name: Push TEE image
+        run: docker push $enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug
+      - name: Clean OCI images
+        run: |
+          docker image rm -f \
+            $native_image:${{ needs.prepare.outputs.image_tag }} \
+            $enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug \
+            $sconify_image:$sconify_version

.github/workflows/release-please.yaml

@@ -0,0 +1,16 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/release-please.yml@release-please-v2.0.0
+    secrets: inherit

.release-please-manifest.json

@@ -0,0 +1 @@
+{".":"8.0.4"}

release-please-config.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+  "draft-pull-request": true,
+  "include-component-in-tag": false,
+  "include-v-in-tag": true,
+  "release-type": "simple",
+  "packages": {
+    ".": {}
+  }
+}