ci: calculate SGX mr_enclave for notary server in gramine docker #1171
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: | |
| - dev | |
| tags: | |
| - "[v]?[0-9]+.[0-9]+.[0-9]+*" | |
| pull_request: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| attestations: write | |
| env: | |
| CARGO_TERM_COLOR: always | |
| CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse | |
| # We need a higher number of parallel rayon tasks than the default (which is 4) | |
| # in order to prevent a deadlock, c.f. | |
| # - https://github.com/tlsnotary/tlsn/issues/548 | |
| # - https://github.com/privacy-scaling-explorations/mpz/issues/178 | |
| # 32 seems to be big enough for the foreseeable future | |
| RAYON_NUM_THREADS: 32 | |
| GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }} | |
| jobs: | |
| fmt: | |
| name: Check formatting | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # We use nightly to support `imports_granularity` feature | |
| - name: Install nightly rust toolchain with rustfmt | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: nightly | |
| components: rustfmt | |
| - name: Use caching | |
| uses: Swatinem/[email protected] | |
| - name: Check formatting | |
| run: cargo +nightly fmt --check --all | |
| build-and-test: | |
| name: Build and test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install stable rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| components: clippy | |
| - name: Use caching | |
| uses: Swatinem/[email protected] | |
| - name: Clippy | |
| run: cargo clippy --all-features --all-targets -- -D warnings | |
| - name: Build | |
| run: cargo build --all-targets | |
| - name: Test | |
| run: cargo test | |
| wasm: | |
| name: Build and Test wasm | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install stable rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: wasm32-unknown-unknown | |
| toolchain: stable | |
| - name: Install nightly rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: wasm32-unknown-unknown,x86_64-unknown-linux-gnu | |
| toolchain: nightly | |
| components: rust-src | |
| - name: Install chromedriver | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y chromium-chromedriver | |
| - name: Install wasm-pack | |
| run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh | |
| - name: Use caching | |
| uses: Swatinem/[email protected] | |
| - name: Run tests | |
| run: | | |
| cd crates/wasm-test-runner | |
| ./run.sh | |
| - name: Run build | |
| run: | | |
| cd crates/wasm | |
| ./build.sh | |
| - name: Dry Run NPM Publish | |
| run: | | |
| cd crates/wasm/pkg | |
| npm publish --dry-run | |
| - name: Save tlsn-wasm package for tagged builds | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ github.ref_name }}-tlsn-wasm-pkg | |
| path: ./crates/wasm/pkg | |
| if-no-files-found: error | |
| tests-integration: | |
| name: Run tests release build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install stable rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Use caching | |
| uses: Swatinem/[email protected] | |
| - name: Add custom DNS entry to /etc/hosts for notary TLS test | |
| run: echo "127.0.0.1 tlsnotaryserver.io" | sudo tee -a /etc/hosts | |
| - name: Run integration tests | |
| run: cargo test --profile tests-integration --workspace --exclude tlsn-tls-client --exclude tlsn-tls-core -- --include-ignored | |
| coverage: | |
| runs-on: ubuntu-latest | |
| env: | |
| CARGO_TERM_COLOR: always | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install stable rust toolchain | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| toolchain: stable | |
| - name: Install cargo-llvm-cov | |
| uses: taiki-e/install-action@cargo-llvm-cov | |
| - name: Generate code coverage | |
| run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: lcov.info | |
| fail_ci_if_error: true | |
| build-sgx: | |
| runs-on: ubuntu-latest | |
| needs: build-and-test | |
| container: | |
| image: rust:latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Clang | |
| run: | | |
| apt update | |
| apt install -y clang | |
| - name: Use caching | |
| uses: Swatinem/[email protected] | |
| - name: Build Rust Binary | |
| run: | | |
| cargo build --bin notary-server --release --features tee_quote | |
| cp --verbose target/release/notary-server $GITHUB_WORKSPACE | |
| - name: Upload Binary for use in the Gramine Job | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: notary-server | |
| path: notary-server | |
| if-no-files-found: error | |
| gramine-sgx: | |
| runs-on: ubuntu-latest | |
| needs: build-sgx | |
| environment: tee | |
| container: | |
| image: gramineproject/gramine:latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Restore SGX signing key from secrets | |
| run: | | |
| mkdir -p "${HOME}/.config/gramine/" | |
| echo "${{ secrets.SGX_SIGNING_KEY }}" > "${HOME}/.config/gramine/enclave-key.pem" | |
| # verify key | |
| openssl rsa -in "${HOME}/.config/gramine/enclave-key.pem" -check -noout | |
| - name: Download notary-server binary from build job | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: notary-server | |
| path: crates/notary/server/tee | |
| - name: Install jq | |
| run: | | |
| apt update | |
| apt install -y jq | |
| - name: Run notary-server in Gramine | |
| run: | | |
| cd crates/notary/server/tee | |
| chmod +x notary-server | |
| gramine-manifest \ | |
| -Dlog_level=debug \ | |
| -Darch_libdir=/lib/x86_64-linux-gnu \ | |
| -Dself_exe=notary-server \ | |
| notary-server.manifest.template \ | |
| notary-server.manifest | |
| gramine-sgx-sign \ | |
| --manifest notary-server.manifest \ | |
| --output notary-server.manifest.sgx | |
| gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig | tee >> notary-server-sigstruct.json | |
| cat notary-server-sigstruct.json | |
| mr_enclave=$(jq -r '.mr_enclave' notary-server-sigstruct.json) | |
| mr_signer=$(jq -r '.mr_signer' notary-server-sigstruct.json) | |
| echo "mrenclave=$mr_enclave" >>"$GITHUB_OUTPUT" | |
| echo "#### sgx mrenclave" | tee >>$GITHUB_STEP_SUMMARY | |
| echo "\`\`\`mr_enclave: ${mr_enclave}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY | |
| echo "\`\`\`mr_signer: ${mr_signer}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY | |
| - name: Upload notary-server and signatures | |
| id: upload-notary-server-sgx | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: notary-server-sgx.zip | |
| path: | | |
| crates/notary/server/tee/notary-server | |
| crates/notary/server/tee/notary-server-sigstruct.json | |
| crates/notary/server/tee/notary-server.sig | |
| crates/notary/server/tee/notary-server.manifest | |
| crates/notary/server/tee/notary-server.manifest.sgx | |
| crates/notary/server/tee/config | |
| crates/notary/server/tee/notary-server-sgx.md | |
| if-no-files-found: error | |
| - name: Attest Build Provenance | |
| if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/dev' | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: notary-server-sgx.zip | |
| subject-digest: sha256:${{ steps.upload-notary-server-sgx.outputs.artifact-digest }} | |
| - uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature | |
| with: | |
| name: notary-server |