
Filtering and Identifying Transfer Events in Enclave #3541


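# CI for the Integritee worker.
#
# - build-test: builds each worker flavor in Docker on SGX-capable self-hosted
#   runners, runs the in-enclave tests and uploads the images as artifacts.
# - clippy / fmt: lint and formatting checks for the workspace and the
#   separate enclave-runtime crate.
# - integration-tests: loads the built images and runs the docker-compose demos.
# - release-build / release: on version tags only, builds the teeracle image
#   with the Intel SGX commercial signing key fetched from Vault and drafts a
#   GitHub release with the image as asset.
name: Build, Test, Clippy
on:
  workflow_dispatch:
  push:
    branches:
      - master
      - 'sdk-v[0-9]+.[0-9]+.[0-9]+-*'
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+*'
  pull_request:
    branches:
      - master
      - 'sdk-v[0-9]+.[0-9]+.[0-9]+-*'

env:
  CARGO_TERM_COLOR: always
  LOG_DIR: logs
  BUILD_CONTAINER_NAME: integritee_worker_enclave_test

jobs:
  cancel_previous_runs:
    name: Cancel Previous Runs
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action reference below is garbled in this rendering
      # ("[email protected]" is a display artifact, not a valid ref); restore the
      # pinned version from the repository before using this file.
      - uses: styfle/[email protected]
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}

  build-test:
    runs-on: ${{ matrix.host }}
    strategy:
      # Keep building the other flavors when one of them fails.
      fail-fast: false
      matrix:
        include:
          - flavor_id: sidechain
            mode: sidechain
            host: integritee-builder-sgx
            sgx_mode: HW
            additional_features: dcap
          - flavor_id: offchain-worker
            mode: offchain-worker
            host: integritee-builder-sgx
            sgx_mode: HW
            additional_features: dcap
          - flavor_id: teeracle
            mode: teeracle
            host: integritee-builder-sgx
            sgx_mode: HW
            additional_features: dcap
          - flavor_id: sidechain-evm
            mode: sidechain
            additional_features: evm,dcap
            host: integritee-builder-sgx
            sgx_mode: HW
    steps:
      - uses: actions/checkout@v3
      # FINGERPRINT is a per-run random value passed as a build arg; in HW mode
      # the SGX device nodes, the AESM socket and the QCNL config are handed to
      # the container that runs the enclave tests.
      - name: Set env
        run: |
          fingerprint=$RANDOM
          echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV
          if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
            echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV
            echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV
          else
            echo "DOCKER_DEVICES=" >> $GITHUB_ENV
            echo "DOCKER_VOLUMES=" >> $GITHUB_ENV
          fi
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          buildkitd-flags: --debug
          driver: docker-container
      - name: Build Worker & Run Cargo Test
        env:
          DOCKER_BUILDKIT: 1
        run: >
          docker build -t integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}
          --target deployed-worker
          --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg FINGERPRINT=${FINGERPRINT} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }}
          -f build.Dockerfile .
      - name: Build CLI client
        env:
          DOCKER_BUILDKIT: 1
        run: >
          docker build -t integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}
          --target deployed-client
          --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }}
          -f build.Dockerfile .
      - run: docker images --all
      # cargo test is not supported in the enclave, see:
      # https://github.com/apache/incubator-teaclave-sgx-sdk/issues/232
      - name: Test Enclave
        run: docker run ${{ env.DOCKER_DEVICES }} ${{ env.DOCKER_VOLUMES }} integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} test --all
      - name: Export worker image(s)
        run: |
          docker image save integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          docker image save integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} | gzip > integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
      - name: Upload worker image
        uses: actions/upload-artifact@v3
        with:
          name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          path: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
      - name: Upload CLI client image
        uses: actions/upload-artifact@v3
        with:
          name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          path: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
      # Self-hosted runner: remove the per-commit images so they do not pile up.
      # Guarded because `docker image rmi` fails when the image does not exist.
      - name: Delete images
        run: |
          if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
          fi
          if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
          fi
          docker images --all

  clippy:
    runs-on: ubuntu-latest
    container: "integritee/integritee-dev:0.2.1"
    steps:
      - uses: actions/checkout@v3
      - name: init rust
        # enclave is not in the same workspace
        run: rustup show && cd enclave-runtime && rustup show
      - name: Clippy default features
        run: cargo clippy -- -D warnings
      # Enclave is separate as it's not in the workspace
      - name: Enclave
        run: cd enclave-runtime && cargo clippy -- -D warnings
      - name: Clippy with EVM feature
        run: |
          cargo clippy --features evm -- -D warnings
          cd enclave-runtime && cargo clippy --features evm -- -D warnings
      - name: Clippy with Sidechain feature
        run: |
          cargo clippy --features sidechain -- -D warnings
          cd enclave-runtime && cargo clippy --features sidechain -- -D warnings
      - name: Clippy with Teeracle feature
        run: |
          cargo clippy --features teeracle -- -D warnings
          cd enclave-runtime && cargo clippy --features teeracle -- -D warnings
      - name: Clippy with Offchain-worker feature
        run: |
          cargo clippy --features offchain-worker -- -D warnings
          cd enclave-runtime && cargo clippy --features offchain-worker -- -D warnings
      # NOTE(review): action reference garbled in this rendering ("[email protected]");
      # restore the pinned version from the repository.
      - name: Fail-fast; cancel other jobs
        if: failure()
        uses: andymckay/[email protected]

  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: init rust
        run: rustup show
      - name: Worker & Client
        run: cargo fmt --all -- --check
      # Enclave is separate as it's not in the workspace
      - name: Enclave
        run: cd enclave-runtime && cargo fmt --all -- --check
      - name: Install taplo
        run: cargo install taplo-cli --locked
      - name: Cargo.toml fmt
        run: taplo fmt --check
      # NOTE(review): action reference garbled in this rendering ("[email protected]");
      # restore the pinned version from the repository.
      - name: Fail-fast; cancel other jobs
        if: failure()
        uses: andymckay/[email protected]

  integration-tests:
    runs-on: ${{ matrix.host }}
    # always(): run the matrix even when build-test as a whole failed, presumably
    # so flavors whose build succeeded are still tested; a flavor without an
    # artifact is expected to fail at the download step below.
    if: ${{ always() }}
    needs: build-test
    env:
      WORKER_IMAGE_TAG: integritee-worker:dev
      CLIENT_IMAGE_TAG: integritee-cli:dev
      COINMARKETCAP_KEY: ${{ secrets.COINMARKETCAP_KEY }}
      # IAS_EPID_SPID: ${{ secrets.IAS_SPID }}
      # IAS_EPID_KEY: ${{ secrets.IAS_PRIMARY_KEY }}
      TEERACLE_INTERVAL_SECONDS: 10
    strategy:
      fail-fast: false
      matrix:
        include:
          - test: M6
            flavor_id: sidechain
            demo_name: demo-indirect-invocation
            host: test-runner-sgx
            sgx_mode: HW
          - test: M8
            flavor_id: sidechain
            demo_name: demo-direct-call
            host: test-runner-sgx
            sgx_mode: HW
          - test: Sidechain
            flavor_id: sidechain
            demo_name: demo-sidechain
            host: test-runner-sgx
            sgx_mode: HW
          - test: M6
            flavor_id: offchain-worker
            demo_name: demo-indirect-invocation
            host: test-runner-sgx
            sgx_mode: HW
          - test: Teeracle
            flavor_id: teeracle
            demo_name: demo-teeracle
            host: test-runner-sgx
            sgx_mode: HW
          - test: Teeracle
            flavor_id: teeracle
            demo_name: demo-teeracle-generic
            host: test-runner-sgx
            sgx_mode: HW
          - test: Benchmark
            flavor_id: sidechain
            demo_name: sidechain-benchmark
            host: test-runner-sgx
            sgx_mode: HW
          - test: EVM
            flavor_id: sidechain-evm
            demo_name: demo-smart-contract
            host: test-runner-sgx
            sgx_mode: HW
    steps:
      - uses: actions/checkout@v3
      # A random per-run version suffix keeps image tags, the compose project
      # and the log directory unique on the shared self-hosted runner.
      - name: Set env
        run: |
          version=$RANDOM
          echo "FLAVOR_ID=${{ matrix.flavor_id }}" >> $GITHUB_ENV
          echo "PROJECT=${{ matrix.flavor_id }}-${{ matrix.demo_name }}" >> $GITHUB_ENV
          echo "VERSION=dev.$version" >> $GITHUB_ENV
          echo "WORKER_IMAGE_TAG=integritee-worker:dev.$version" >> $GITHUB_ENV
          echo "INTEGRITEE_NODE=integritee-node-dev-ias:1.1.0.$version" >> $GITHUB_ENV
          echo "CLIENT_IMAGE_TAG=integritee-cli:dev.$version" >> $GITHUB_ENV
          if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
            echo "SGX_PROVISION=/dev/sgx/provision" >> $GITHUB_ENV
            echo "SGX_ENCLAVE=/dev/sgx/enclave" >> $GITHUB_ENV
            echo "AESMD=/var/run/aesmd" >> $GITHUB_ENV
            echo "SGX_QCNL=/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV
          fi
          echo "LOG_DIR=./logs-$version" >> $GITHUB_ENV
      - name: Download Worker Image
        uses: actions/download-artifact@v3
        with:
          name: integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          path: .
      - name: Download CLI client Image
        uses: actions/download-artifact@v3
        with:
          name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          path: .
      - name: Load Worker & Client Images
        env:
          DOCKER_BUILDKIT: 1
        run: |
          docker image load --input integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          docker image load --input integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
          docker images --all
      ##
      # Before tagging, delete old "stuck" images under the same tag so the newly
      # created ones are guaranteed to be the latest. The guard is needed because
      # `docker image rmi` fails when the image does not exist.
      # Fixed: the checks previously ran `rmi` only when the image was absent
      # (`== ""`), which is the opposite of the intent and of the "Delete images"
      # step below.
      ##
      - name: Re-name Image Tags
        run: |
          if [[ "$(docker images -q ${{ env.WORKER_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force ${{ env.WORKER_IMAGE_TAG }} 2>/dev/null
          fi
          if [[ "$(docker images -q ${{ env.CLIENT_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force ${{ env.CLIENT_IMAGE_TAG }} 2>/dev/null
          fi
          docker tag integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.WORKER_IMAGE_TAG }}
          docker tag integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} ${{ env.CLIENT_IMAGE_TAG }}
          docker pull integritee/integritee-node-dev-ias:1.1.0
          docker tag integritee/integritee-node-dev-ias:1.1.0 ${{ env.INTEGRITEE_NODE }}
          docker images --all
      ##
      # Stop any stuck/running compose projects
      ##
      - name: Stop docker containers
        if: always()
        continue-on-error: true
        run: |
          cd docker
          docker compose -f <(envsubst < docker-compose.yml) -f <(envsubst < ${{ matrix.demo_name }}.yml) -p ${PROJECT} stop
      - name: Integration Test ${{ matrix.test }}-${{ matrix.flavor_id }}
        run: |
          cd docker
          docker compose -f <(envsubst < docker-compose.yml) -f <(envsubst < ${{ matrix.demo_name }}.yml) -p ${PROJECT} up ${{ matrix.demo_name }} --no-build --exit-code-from ${{ matrix.demo_name }} --remove-orphans
      - name: Collect Docker Logs
        continue-on-error: true
        if: always()
        uses: jwalton/gh-docker-logs@v2
        with:
          images: '${{ env.WORKER_IMAGE_TAG }},${{ env.CLIENT_IMAGE_TAG }},${{ env.INTEGRITEE_NODE }}'
          tail: all
          dest: ${{ env.LOG_DIR }}
      - name: Upload logs
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: logs-${{ matrix.test }}-${{ matrix.flavor_id }}
          path: ${{ env.LOG_DIR }}
      - name: Stop docker containers
        if: always()
        continue-on-error: true
        run: |
          cd docker
          docker compose -f <(envsubst < docker-compose.yml) -f <(envsubst < ${{ matrix.demo_name }}.yml) -p ${PROJECT} stop
      # Remove both the per-commit images and the per-run tags created above.
      - name: Delete images
        run: |
          if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
          fi
          if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
          fi
          if [[ "$(docker images -q ${{ env.WORKER_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force ${{ env.WORKER_IMAGE_TAG }} 2>/dev/null
          fi
          if [[ "$(docker images -q ${{ env.CLIENT_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force ${{ env.CLIENT_IMAGE_TAG }} 2>/dev/null
          fi
          if [[ "$(docker images -q ${{ env.INTEGRITEE_NODE }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force ${{ env.INTEGRITEE_NODE }} 2>/dev/null
          fi
          docker images --all

  release-build:
    runs-on: integritee-builder-sgx
    name: Release Build of teeracle
    if: startsWith(github.ref, 'refs/tags/')
    needs: [build-test, integration-tests]
    strategy:
      fail-fast: false
      matrix:
        include:
          - flavor_id: teeracle
            mode: teeracle
            sgx_mode: HW
            additional_features: dcap
    steps:
      - uses: actions/checkout@v3
      # NOTE(review): VAULT_TOKEN is not defined anywhere in this workflow and is
      # assumed to come from the runner environment. PRIVKEY_B64 and PRIVKEY_PASS
      # are not set before the vault-action step below, so those two masks register
      # an empty value here; vault-action masks the secrets it returns.
      - name: Add masks
        run: |
          echo "::add-mask::$VAULT_TOKEN"
          echo "::add-mask::$PRIVKEY_B64"
          echo "::add-mask::$PRIVKEY_PASS"
      - name: Set env
        run: |
          fingerprint=$RANDOM
          echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV
          if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
            echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV
            echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd --volume /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf" >> $GITHUB_ENV
          else
            echo "DOCKER_DEVICES=" >> $GITHUB_ENV
            echo "DOCKER_VOLUMES=" >> $GITHUB_ENV
          fi
          # Makes the token available as env.VAULT_TOKEN for the vault-action step;
          # it is thereby also visible to every later step, including third-party actions.
          echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          buildkitd-flags: --debug
          driver: docker-container
      # exportEnv: false keeps the fetched secrets out of the job environment;
      # they are consumed only via step outputs below.
      - name: Import secrets
        uses: hashicorp/vault-action@v2
        id: import-secrets
        with:
          url: ${{ secrets.VAULT_URL }}
          tlsSkipVerify: false
          token: ${{ env.VAULT_TOKEN }}
          exportEnv: false
          secrets: |
            ${{ secrets.VAULT_PATH }} intel_sgx_pem_base64 | PRIVKEY_B64 ;
            ${{ secrets.VAULT_PATH }} password | PRIVKEY_PASS
      # Writes the signing key and its password to files that build.Dockerfile
      # receives as build args. printf with quoted expansions is used instead of
      # `echo $VAR`: an unquoted expansion word-splits/globs the value and echo
      # would treat a password starting with `-n`/`-e` as an option.
      # NOTE(review): both files remain in the checkout on the self-hosted runner
      # after the job; an `if: always()` step removing them would limit exposure.
      - name: Get secrets
        env:
          PRIVKEY_B64: ${{ steps.import-secrets.outputs.PRIVKEY_B64 }}
          PRIVKEY_PASS: ${{ steps.import-secrets.outputs.PRIVKEY_PASS }}
        run: |
          printf '%s\n' "$PRIVKEY_B64" | base64 --ignore-garbage --decode > enclave-runtime/intel_sgx.pem
          printf '%s\n' "$PRIVKEY_PASS" > enclave-runtime/passfile.txt
      - name: Build Worker & Run Cargo Test
        env:
          DOCKER_BUILDKIT: 1
        run: >
          docker build -t integritee/${{ matrix.flavor_id }}:${{ github.ref_name }}
          --target deployed-worker
          --build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg SGX_COMMERCIAL_KEY=enclave-runtime/intel_sgx.pem --build-arg SGX_PASSFILE=enclave-runtime/passfile.txt --build-arg SGX_PRODUCTION=1 --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }}
          -f build.Dockerfile .
      - name: Save released teeracle
        run: |
          docker image save integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz
          docker images --all
      - name: Upload teeracle image
        uses: actions/upload-artifact@v3
        with:
          name: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz
          path: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz
      - name: Delete images
        run: |
          if [[ "$(docker images -q integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2> /dev/null)" != "" ]]; then
            docker image rmi --force integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2>/dev/null
          fi
          docker images --all

  release:
    runs-on: ubuntu-latest
    name: Draft Release
    if: startsWith(github.ref, 'refs/tags/')
    needs: [build-test, integration-tests, release-build]
    outputs:
      release_url: ${{ steps.create-release.outputs.html_url }}
      asset_upload_url: ${{ steps.create-release.outputs.upload_url }}
    steps:
      - uses: actions/checkout@v3
      - name: Download Worker Image
        uses: actions/download-artifact@v3
        with:
          name: integritee-worker-teeracle-${{ github.ref_name }}.tar.gz
          path: .
      #
      # Temporary comment out until we decide what to release
      #
      # - name: Download Integritee Service
      #   uses: actions/download-artifact@v3
      #   with:
      #     name: integritee-worker-sidechain-${{ github.sha }}
      #     path: integritee-worker-tmp
      # - name: Download Integritee Client
      #   uses: actions/download-artifact@v3
      #   with:
      #     name: integritee-client-sidechain-${{ github.sha }}
      #     path: integritee-client-tmp
      # - name: Download Enclave Signed
      #   uses: actions/download-artifact@v3
      #   with:
      #     name: enclave-signed-sidechain-${{ github.sha }}
      #     path: enclave-signed-tmp
      # - name: Move service binaries
      #   run: mv integritee-worker-tmp/integritee-service ./integritee-demo-validateer
      # - name: Move service client binaries
      #   run: mv integritee-client-tmp/integritee-cli ./integritee-client
      # - name: Move service client binaries
      #   run: mv enclave-signed-tmp/enclave.signed.so ./enclave.signed.so
      # NOTE(review): `@master` is a floating ref; pinning this action to a tag or
      # commit SHA makes the release job reproducible and limits supply-chain risk.
      - name: Changelog
        uses: scottbrenner/generate-changelog-action@master
        id: Changelog
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: .
      - name: Release
        id: create-release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          body: |
            ${{ steps.Changelog.outputs.changelog }}
          draft: true
          name: Docker ${{ github.ref_name }}
          # Only the teeracle image is downloaded above; the other three entries
          # depend on the commented-out steps and will be missing from the draft.
          files: |
            integritee-worker-teeracle-${{ github.ref_name }}.tar.gz
            integritee-client
            integritee-demo-validateer
            enclave.signed.so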