build_and_test.yml

name: Build, Test, Clippy

on:
  workflow_dispatch:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

env:
  CARGO_TERM_COLOR: always
  WORKER_BIN: integritee-service
  CLIENT_BIN: integritee-cli
  ENCLAVE_BIN: enclave.signed.so
  LOG_DIR: log

jobs:
  cancel_previous_runs:
    name: Cancel Previous Runs
    runs-on: ubuntu-20.04
    steps:
      - uses: styfle/cancel-workflow-action@0.4.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}

  build-test:
    runs-on: ubuntu-latest
    container: "integritee/integritee-dev:0.1.7"
    steps:
      - uses: actions/checkout@v2
      - name: init rust
        run: rustup show

      - name: Build
        run:  env "MITIGATION-CVE-2020-0551=LOAD" "SGX_MODE=SW" make
      - name: Test Service & Client
        run: cargo test
      - name: Test Enclave # cargo test is not supported, see: https://github.com/apache/incubator-teaclave-sgx-sdk/issues/232
        run: |
          cd bin
          ./integritee-service test -u -e

      # Todo: #REBRAND path names
      - name: Upload worker
        uses: actions/upload-artifact@v2
        with:
          name: integritee-worker-${{ github.sha }}
          path: bin/${{ env.WORKER_BIN }}

      - name: Upload client
        uses: actions/upload-artifact@v2
        with:
          name: integritee-client-${{ github.sha }}
          path: bin/${{ env.CLIENT_BIN }}

      - name: Upload enclave
        uses: actions/upload-artifact@v2
        with:
          name: enclave-signed-${{ github.sha }}
          path: bin/${{ env.ENCLAVE_BIN }}

  clippy:
    runs-on: ubuntu-latest
    container: "integritee/integritee-dev:0.1.7"
    steps:
      - uses: actions/checkout@v2
      - name: init rust
        # enclave is not in the same workspace
        run: rustup show && cd enclave-runtime && rustup show

      - name: Worker & Client
        run: cargo clippy -- -D warnings
      - name: Enclave # Enclave is separate as it's not in the workspace
        run: cd enclave-runtime && cargo clippy -- -D warnings

      - name: Fail-fast; cancel other jobs
        if: failure()
        uses: andymckay/cancel-action@0.2

  fmt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: init rust
        run: rustup show

      - name: Worker & Client
        run: cargo fmt --all -- --check
      - name: Enclave # Enclave is separate as it's not in the workspace
        run: cd enclave-runtime && cargo fmt --all -- --check

      - name: Fail-fast; cancel other jobs
        if: failure()
        uses: andymckay/cancel-action@0.2

  integration-tests:
    runs-on: ubuntu-latest
    needs: build-test
    container: "integritee/integritee-dev:0.1.7"
    strategy:
      fail-fast: false
      matrix:
        test: [M6, M8]
        include:
          - test: M6
            demo_name: m6_demo_shielding_unshielding
            demo_script: m6.sh
          - test: M8
            demo_name: m8_demo_direct_call
            demo_script: m8.sh

    env:
      BIN_DIR: bin
    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-python@v2
        with:
          python-version: '3.7'

      - name: Download Worker
        uses: actions/download-artifact@v2
        with:
          name: integritee-worker-${{ github.sha }}
          path: ${{ env.BIN_DIR }}

      - name: Download Client
        uses: actions/download-artifact@v2
        with:
          name: integritee-client-${{ github.sha }}
          path: ${{ env.BIN_DIR }}

      - name: Download Enclave
        uses: actions/download-artifact@v2
        with:
          name: enclave-signed-${{ github.sha }}
          path: ${{ env.BIN_DIR }}

        # If you want to debug ci and you don't want to build the binaries, you can replace the downloads above with
        # the actions below to download binaries from an earlier run.
#      - name: Download Worker
#        uses: dawidd6/action-download-artifact@v2
#        with:
#          github_token: ${{secrets.GITHUB_TOKEN}}
#          workflow: build_and_test.yml
#          run_id: 1033249727
#          name: integritee-worker-da8d4b442d3f2b09dbafb097d4d7a1bce409d518
#          path: ${{ env.BIN_DIR }}
#
#      - name: Download Client
#        uses: dawidd6/action-download-artifact@v2
#        with:
#          github_token: ${{secrets.GITHUB_TOKEN}}
#          workflow: build_and_test.yml
#          run_id: 1033249727
#          name: integritee-client-da8d4b442d3f2b09dbafb097d4d7a1bce409d518
#          path: ${{ env.BIN_DIR }}
#
#      - name: Download Enclave
#        uses: dawidd6/action-download-artifact@v2
#        with:
#          github_token: ${{secrets.GITHUB_TOKEN}}
#          workflow: build_and_test.yml
#          run_id: 1033249727
#          name: enclave-signed-da8d4b442d3f2b09dbafb097d4d7a1bce409d518
#          path: ${{ env.BIN_DIR }}

      - name: Download integritee-node
        uses: dawidd6/action-download-artifact@v2
        with:
          github_token: ${{secrets.GITHUB_TOKEN}}
          workflow: ci.yml
          name: integritee-node-dev-5b2868e0269181e7bd31f4e3970bf7b6fd5166de
          # in fact this action should download the latest artifact, but sometimes fails. Then we need to
          # set the `run_id` to force a download of an updated binary.
          run_id: 1503342881
          path: node
          repo: integritee-network/integritee-node

      - name: Prepare working directory
        run: |
          mkdir -p ${{ env.LOG_DIR}}
          chmod +x node/integritee-node
          cd ${{ env.BIN_DIR }}
          chmod +x ${{ env.WORKER_BIN }}
          chmod +x ${{ env.CLIENT_BIN }}
          chmod +x ${{ env.ENCLAVE_BIN }}

      - name: "Setup Keys"
        env:
          KEY: ${{ secrets.IAS_PRIMARY_KEY }}
          SPID: ${{ secrets.IAS_SPID }}
          TLS_CERTIFICATE: ${{ secrets.TLS_WS_SERVER_CERTIFICATE }}
          TLS_PRIVATE_KEY: ${{ secrets.TLS_WS_SERVER_PRIVATE_KEY }}
        run: |
          cd ${{ env.BIN_DIR }}
          echo "${{ env.KEY }}" > key.txt
          echo "${{ env.SPID }}" > spid.txt
          echo "${{ env.TLS_CERTIFICATE }}" > end.fullchain
          echo "${{ env.TLS_PRIVATE_KEY }}" > end.rsa
          chmod 644 end.fullchain
          chmod 644 end.rsa

      - name: Run local setup
        # * `set -eo pipefail` is needed to return an error even if piped to `tee`.
        shell: bash --noprofile --norc -eo pipefail {0}
        run: |
          touch ${{ env.LOG_DIR}}/local-setup.log
          ./local-setup/launch.py local-setup/github-action-config.json 2>&1 | tee ${{ env.LOG_DIR}}/local-setup.log &
          sleep 60

      - name: ${{ matrix.demo_name }}
        # * the change the symbolic link which points to the target/release... folder.
        # * need overwrite default shell to bash to get access to the `source` cmd.
        shell: bash --noprofile --norc -eo pipefail {0}
        run: |
          source ./scripts/init_env.sh && ./scripts/${{ matrix.demo_script }}

      - name: Upload logs
        continue-on-error: true
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ${{ matrix.test }}_logs
          path: ${{ env.LOG_DIR }}