
chore: cleanup and nixify
* create containers with nix
* updated README.md
* added SPDX license headers

Signed-off-by: Harald Hoyer <[email protected]>
haraldh committed Feb 28, 2024
1 parent c8082de commit ef76ced
Showing 36 changed files with 896 additions and 663 deletions.
51 changes: 0 additions & 51 deletions .github/workflows/container.yml

This file was deleted.

127 changes: 80 additions & 47 deletions .github/workflows/nix.yml
Expand Up @@ -14,94 +14,127 @@ jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix flake check -L --show-trace --keep-going
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee

- run: nix flake check -L --show-trace --keep-going

fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- run: nix fmt
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee

- run: nix fmt

clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
# Cache any artifacts that aren't already cached at https://cache.nixos.org
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main
- name: Use nixsgx cache
run: |
nix-env -iA cachix -f https://cachix.org/api/v1/install
cachix use nixsgx
- name: cargo clippy
run: nix develop -L --ignore-environment -c cargo clippy --all --locked
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- name: cargo clippy
run: nix develop -L --ignore-environment -c cargo clippy --all --locked

build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
# Cache any artifacts that aren't already cached at https://cache.nixos.org
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- name: Use nixsgx cache
run: |
nix-env -iA cachix -f https://cachix.org/api/v1/install
cachix use nixsgx
- name: nix build
run: nix run nixpkgs#nixci

push_to_docker:
if: ${{ github.event_name == 'push' }}
needs: build
# if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.dockerfile }}
cancel-in-progress: true
strategy:
fail-fast: false
matrix:
config:
- { nixpackage: 'container-vault-sgx-azure', dockerfile: 'packages/container-vault-sgx-azure/Dockerfile', tag: 'vault:latest', repository: 'teepot-vault' }
- { nixpackage: 'container-vault-unseal-sgx-azure', dockerfile: 'packages/container-vault-unseal-sgx-azure/Dockerfile', tag: 'tvu:latest', repository: 'teepot-tvu' }
- { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', tag: 'tva:latest', repository: 'teepot-tva' }
- { nixpackage: 'container-verify-attestation' }
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v25
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
# Cache any artifacts that aren't already cached at https://cache.nixos.org
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- name: Use nixsgx cache
run: |
nix-env -iA cachix -f https://cachix.org/api/v1/install
cachix use nixsgx
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Load and push
- name: Load and Push nix container
run: |
nix build -L .#container-verify-attestation
nix build -L .#${{ matrix.config.nixpackage }}
export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
echo "Pushing image ${IMAGE_TAG} to Docker Hub"
echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}"
docker push matterlabsrobot/"${IMAGE_TAG}"
docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest"
docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest"
- name: Generate build ID for Flux Image Automation
if: ${{ matrix.config.dockerfile }}
id: buildid
run: |
sha=$(git rev-parse --short HEAD)
ts=$(date +%s%N | cut -b1-13)
echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"
- name: Build and Push Container
if: ${{ matrix.config.dockerfile }}
uses: docker/build-push-action@v5
with:
file: ${{ matrix.config.dockerfile }}
tags: |
"matterlabsrobot/${{ matrix.config.repository }}:latest"
"matterlabsrobot/${{ matrix.config.repository }}:${{ steps.buildid.outputs.BUILD_ID }}"
push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
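Review bot: The new side drops the commit-SHA pins on third-party actions in favour of mutable refs — `cachix/install-nix-action@v25` in every job (the removed lines pinned it to `6004951b…` with a `# v25` comment), `actions/checkout@v4` in push_to_docker, `cachix/cachix-action@v14`, `docker/login-action@v3`, `docker/build-push-action@v5`, and `DeterminateSystems/magic-nix-cache-action@main`, which follows a branch head. These steps run with `github.token` and, in push_to_docker, with `DOCKERHUB_USER`/`DOCKERHUB_TOKEN` available, so a retagged or compromised upstream ref could read the registry credentials or alter what gets pushed under `matterlabsrobot/…:latest`; pin each to a full commit SHA with the version in a trailing comment, e.g. `- uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25` and `- uses: DeterminateSystems/magic-nix-cache-action@<full-sha> # vN`. The build job's `nix run nixpkgs#nixci` resolves `nixpkgs` through the flake registry rather than this repo's lock file unless that registry is overridden, so the tool driving the build is presumably unpinned as well — worth confirming and pinning (e.g. `nix run --inputs-from . nixpkgs#nixci`). The workflow's `on:` and `permissions:` header lies above the hunk, so whether push_to_docker can be reached from fork pull requests with those secrets in scope cannot be checked here; that job also shows both `if: ${{ github.event_name == 'push' }}` and a commented-out copy of the same condition, and the rendered page does not reveal which is the new side, so please make sure the live gate is the uncommented one.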
38 changes: 0 additions & 38 deletions assets/Azure-DCAP-Client.patch

This file was deleted.

6 changes: 2 additions & 4 deletions assets/extract-sig.sh
@@ -1,10 +1,8 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
#
# This script is used to extract the signature of a gramine docker image.
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
#
# Usage: ./extract-sig.sh <image-name> <tee-name> <output-file>
# Example: ./extract-sig.sh tva tee-vault-admin

id=$(docker create $1)
trap 'docker rm -v $id' EXIT
6 changes: 2 additions & 4 deletions assets/replace-sig.sh
@@ -1,10 +1,8 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
#
# This script is used to replace the signature of a gramine docker image with a new one.
# SPDX-License-Identifier: Apache-2.0
# Copyright (c) 2024 Matter Labs
#
# Usage: ./replace-sig.sh <image> <new-signature-file> <old-signature-file>
# Example: ./replace-sig.sh tva tee-vault-admin.sig /app/tee-vault-admin.sig

DOCKERFILE="Dockerfile-tmp-$$"

1 change: 0 additions & 1 deletion assets/vault-auth-tee.sha256

This file was deleted.

85 changes: 0 additions & 85 deletions bin/tee-vault-admin/Dockerfile-azure

This file was deleted.

