[CRE] Support confidential workflow engine path #21444
Closed
nadahalli wants to merge 12 commits into tejaswi/cw-phase4 from
…lows
- DB migration 0291: add attributes bytea column to workflow_specs_v2
- WorkflowSpec: add Attributes field, persist through ORM
- Handler: store payload.Attributes, route confidential workflows to dedicated engine creation path (tryConfidentialEngineCreate)
- ConfidentialModule: host.ModuleV2 impl that delegates execution to the confidential-workflows@1.0.0-alpha capability via CapabilitiesRegistry
- Plugin registration for confidential-workflows in plugins.private.yaml

- IsConfidential now returns (bool, error) instead of silently swallowing malformed attributes JSON
- Add info log when routing workflow to confidential execution
- Add unit tests for ParseWorkflowAttributes, IsConfidential, ComputeBinaryHash, ConfidentialModule.Execute (success, error paths, namespace defaulting, request field forwarding)

- Add handler-level tests verifying confidential routing: confidential attributes bypass engine factory, non-confidential uses it, malformed attributes return error
- Add comment documenting "main" as VaultDON default namespace

Replace the local ../chainlink-common replace directive with a proper module reference to commit 177ddc60abbe on the tejaswi/confidential-workflows-codegen branch. Also fix Namespace field assignment (string, not *string) to match the published proto.

The tryConfidentialEngineCreate path was missing the WorkflowID collision diagnostic that tryEngineCreate has. Also remove the #wip changeset tag before merge.

Will add back when confidential workflows is ready for release.

- Bump chainlink-common to v0.10.1-0.20260303010151-2879e49d71bd (PR #1851)
- Fix Namespace field: proto optional field requires *string, not string
- Fix NewEventHandler call in handler_test.go: insert nil featureFlags arg to match updated signature

0291_change_chain_selector_and_block_height_to_numeric.sql landed on develop via #21303, so our workflow_attributes migration must be 0292.

Points at ed10df3 which has replace directives removed, so loopinstall can build from the module cache on a clean checkout.

0292_soft_drop_evm_heads_numeric_id.sql landed on develop, so bump our migration from 292 to 293.

Plumb workflow attributes through RegisterWithContract so confidential workflows can set confidential=true and vault_don_secrets on-chain. Add HTTP URL support to file fetcher (extracts filename from URL path) for workflows where the on-chain URL is HTTP but syncer reads locally. Pass FeatureFlags to confidential engine creation.
✅ No conflicts with other open PRs targeting
Superseded by #21603

Summary
Three changes needed for the confidential workflows engine-path E2E test (confidential-compute#260). The test validates the full flow: syncer detects confidential=true workflow, creates ConfidentialModule, cron trigger fires, module delegates to the confidential-workflows capability, enclave runs WASM, mock capability on relay DON receives the request.

Stacked on #21298 (ConfidentialModule + attributes plumbing).

Changes
1. Workflow attributes plumbing
RegisterWithContract and registerWorkflowV2 now accept an attributes []byte parameter, passed through to registry.UpsertWorkflow. Confidential workflows set {"confidential":true} so the syncer routes them to ConfidentialModule (see #21298). vault_don_secrets is removed; secrets are fetched dynamically by the enclave at runtime.

All existing callers pass nil (no behavior change). CompileAndDeployConfidentialWorkflow helper added to t_helpers.go for E2E tests that need attributes.

Files: system-tests/lib/cre/workflow/workflow.go, system-tests/tests/test-helpers/t_helpers.go, core/scripts/cre/environment/environment/workflow.go

2. File fetcher HTTP URL support
Confidential workflows have a dual-use binary URL: the on-chain URL must be HTTP (so the enclave can fetch the binary), but the syncer's file-based fetcher reads from the local container filesystem. The file fetcher now detects HTTP(S) URLs and extracts the filename via filepath.Base(u.Path), resolving it against the configured base path.

Without this, the file fetcher rejects the HTTP URL with "request URL is not within the basePath".

Files: core/services/workflows/syncer/fetcher.go, core/services/workflows/syncer/v2/fetcher.go

3. FeatureFlags in confidential engine creation
tryConfidentialEngineCreate in handler.go was missing FeatureFlags: h.featureFlags in the engine config, causing a nil pointer panic when the engine checked feature flags during trigger registration.

File: core/services/workflows/syncer/v2/handler.go

Related PRs
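
An added Go example, not part of this PR or the Chainlink code base, of the file-fetcher behaviour described in change 2 above: take the filename from an HTTP(S) URL's path, then confirm the result still sits under the base path. The resolveLocal helper, the base path and the sample URLs are hypothetical, and treating non-HTTP input as a path relative to the base is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// resolveLocal is a hypothetical helper, not the syncer's fetcher. It maps a
// workflow binary URL to a file under basePath, or returns an error.
func resolveLocal(basePath, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	name := u.Path // assumption: non-HTTP input is a path relative to basePath
	if u.Scheme == "http" || u.Scheme == "https" {
		// Keep only the last element of the decoded URL path; host and directories are ignored.
		name = path.Base(u.Path)
		if name == "." || name == ".." || name == "/" {
			return "", errors.New("URL path has no usable filename")
		}
	}
	full := filepath.Join(basePath, name)
	// Containment check: the cleaned result must still sit under basePath.
	rel, err := filepath.Rel(basePath, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("request URL is not within the basePath")
	}
	return full, nil
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{
		"https://artifacts.example/builds/workflow.wasm",
		"https://artifacts.example/builds/%2e%2e",
		"https://artifacts.example/",
		"../../etc/passwd",
		"workflow.wasm",
	} {
		p, err := resolveLocal("/home/chainlink/workflows", in)
		fmt.Printf("%-48s -> %q err=%v\n", in, p, err)
	}
}
```

Because only the last path element is kept, two URLs on different hosts or directories with the same filename resolve to the same local file.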