From 19a0614aee222bebfd223f3ffd1ae4b281f4c03d Mon Sep 17 00:00:00 2001
From: Jeremy Bernard
Date: Wed, 8 Oct 2025 11:00:12 +0200
Subject: [PATCH] feat: add sconify-release workflow

---
.github/workflows/sconify-release.yaml | 89 ++++++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 .github/workflows/sconify-release.yaml

diff --git a/.github/workflows/sconify-release.yaml b/.github/workflows/sconify-release.yaml
new file mode 100644
index 0000000..8165f8c
--- /dev/null
+++ b/.github/workflows/sconify-release.yaml
@@ -0,0 +1,89 @@
+name: Sconify and push TEE image
+
+on:
+ workflow_dispatch:
+ inputs:
+ sconify_version:
+ default: 5.9.1-v16
+ required: true
+
+jobs:
+ prepare:
+ name: Determine image tag
+ if: github.repository_owner == 'iExecBlockchainComputing'
+ runs-on: ubuntu-latest
+ outputs:
+ image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Determine base tag
+ id: determine-tag
+ run: |
+ if [ "${{ github.ref_type }}" != "tag" ]; then
+ echo "Error: This workflow must be run on a tag"
+ echo "Current ref type: ${{ github.ref_type }}"
+ echo "Current ref: ${{ github.ref }}"
+ exit 1
+ fi
+
+ TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+ if [ -z "$TAG_ON_MAIN" ] ; then
+ echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+ echo "Tags must be created on main branch to generate X.Y.Z image tags"
+ exit 1
+ fi
+
+ GITHUB_REF_NAME="${{ github.ref_name }}"
+ echo "Processing tag on main branch: ${{ github.ref_name }}"
+ echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT
+
+ build-tee-image:
+ name: Sconify TEE image
+ needs: prepare
+ runs-on: ubuntu-latest
+ env:
+ IMG_FROM: docker-regis.iex.ec/python-hello-world:${{ needs.prepare.outputs.image_tag }}
+ IMG_TO: docker-regis.iex.ec/python-hello-world:${{ needs.prepare.outputs.image_tag }}-sconify-${{ inputs.sconify_version }}-production
+ SCONIFY_IMAGE: registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify_version }}
+ steps:
+ - name: Login to Scontain registry
+ uses: docker/login-action@v3
+ with:
+ registry: registry.scontain.com
+ username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }}
+ password: ${{ secrets.SCONTAIN_REGISTRY_PAT }}
+ - name: Login to Docker regis
+ uses: docker/login-action@v3
+ with:
+ registry: docker-regis.iex.ec
+ username: ${{ secrets.NEXUS_USERNAME }}
+ password: ${{ secrets.NEXUS_PASSWORD }}
+ - name: Pull sconification tools
+ run: docker pull ${{ env.SCONIFY_IMAGE }}
+ - name: Pull native image
+ run: docker pull ${{ env.IMG_FROM }}
+ - name: Sconify
+ run: |
+ TEMP_KEY=$(mktemp)
+ echo "${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}" > "$TEMP_KEY"
+ chmod 600 "$TEMP_KEY"
+ trap "rm -f $TEMP_KEY" EXIT
+
+ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$TEMP_KEY:/sig.pem:ro" ${{ env.SCONIFY_IMAGE }} \
+ sconify_iexec --cli=${{ env.SCONIFY_IMAGE }} --crosscompiler=${{ env.SCONIFY_IMAGE }} \
+ --from=${{ env.IMG_FROM }} --to=${{ env.IMG_TO }} --binary-fs --fs-dir=/app --binary=/usr/local/bin/python3.7 \
+ --heap=1G --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose \
+ --scone-signer=/sig.pem
+ echo
+ docker run --rm -e SCONE_HASH=1 ${{ env.IMG_TO }}
+ - name: Push TEE image
+ run: docker push ${{ env.IMG_TO }}
+ - name: Clean OCI images
+ if: always()
+ run: docker image rm -f ${{ env.IMG_FROM }} ${{ env.IMG_TO }} ${{ env.SCONIFY_IMAGE }}
+
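Review bot: The `run:` scripts splice `${{ github.ref_type }}`, `${{ github.sha }}`, `${{ github.ref_name }}` and `${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}` straight into shell text, so a tag name carrying shell metacharacters (`;`, `$(`, `` ` `` and `"` are all legal in git refs) would be executed by the runner in the "Determine base tag" step, and the enclave signing key is written into the generated step script on disk rather than staying in the process environment; the runner already exports `GITHUB_REF_TYPE`, `GITHUB_REF`, `GITHUB_SHA` and `GITHUB_REF_NAME`, and the secret can be handed to the Sconify step through an `env:` map, which also makes the reassignment `GITHUB_REF_NAME="${{ github.ref_name }}"` redundant. Since `workflow_dispatch` presumably needs write access this is defence in depth rather than an open hole, but the same pattern applies to `${{ env.IMG_FROM }}`/`${{ env.IMG_TO }}` in the later `run:` lines, where plain `$IMG_FROM`/`$IMG_TO` already exist. Separately, the sconify image that is handed `/var/run/docker.sock` (root-equivalent on the runner) and the signing key is pulled by the mutable tag `${{ inputs.sconify_version }}`; pinning it by digest, or at least printing its `RepoDigests` next to the `SCONE_HASH` output, would let a released TEE image be traced to the exact tool that signed it.

```yaml
      - name: Determine base tag
        id: determine-tag
        run: |
          if [ "$GITHUB_REF_TYPE" != "tag" ]; then
            echo "Error: This workflow must be run on a tag"
            echo "Current ref type: $GITHUB_REF_TYPE"
            echo "Current ref: $GITHUB_REF"
            exit 1
          fi

          TAG_ON_MAIN=$(git branch -r --contains "$GITHUB_SHA" 'origin/main')

          if [ -z "$TAG_ON_MAIN" ] ; then
            echo "Error: Tag $GITHUB_REF_NAME is not on main branch"
            echo "Tags must be created on main branch to generate X.Y.Z image tags"
            exit 1
          fi

          echo "Processing tag on main branch: $GITHUB_REF_NAME"
          echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a "$GITHUB_OUTPUT"

  # … unchanged: build-tee-image job header, env, registry logins, image pulls …
      - name: Sconify
        env:
          SCONIFY_SIGNING_PRIVATE_KEY: ${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}
        run: |
          TEMP_KEY=$(mktemp)
          printf '%s\n' "$SCONIFY_SIGNING_PRIVATE_KEY" > "$TEMP_KEY"
          # … unchanged: chmod, trap, docker run sconify_iexec (use "$SCONIFY_IMAGE", "$IMG_FROM", "$IMG_TO"), SCONE_HASH print …
```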