From b10f4f80ecbf637c7c997c511a06f742e585b1b4 Mon Sep 17 00:00:00 2001
From: Amina <10723626+0xawaz@users.noreply.github.com>
Date: Wed, 6 Nov 2024 13:32:25 +0100
Subject: [PATCH] chore(ci): add fhevm coprocessor docker workflows (#105)

* chore(ci): update dockerfile var
* chore(ci): add fhevm-coprocessor
* chore(ci): update Dockerfile
* chore(ci): pin protobuf version
* chore(ci): disable generate-dev-image
* chore(ci): disable hadolint
* chore(ci): update Dockerfile
* chore(ci): add non root user
* chore(ci): add proto
* chore(ci): enable hadolint
* chore(ci): add docker-common to paths
* chore(ci): update workflow trigger
* chore(ci): restrict push to main/release
---
 .github/workflows/common-docker.yml | 8 ++--
 .github/workflows/fhevm-coprocessor.yml | 46 +++++++++++++++++++++
 .github/workflows/fhevm-smart-contracts.yml | 12 ++++--
 fhevm-engine/coprocessor/Dockerfile | 30 ++++++++++----
 4 files changed, 82 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/fhevm-coprocessor.yml
diff --git a/.github/workflows/common-docker.yml b/.github/workflows/common-docker.yml
index dcb99e43..da4b2784 100644
--- a/.github/workflows/common-docker.yml
+++ b/.github/workflows/common-docker.yml
@@ -82,13 +82,13 @@ jobs:
 - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
 with:
- dockerfile: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file }}
+ dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
 failure-threshold: none
 - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
 if: ${{ inputs.generate-dev-image }}
 with:
- dockerfile: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file-dev }}
+ dockerfile: ${{ inputs.working-directory }}/${{ inputs.docker-file-dev }}
 failure-threshold: none
 - name: Set up SSH
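Review bot: The semantics of the `docker-file` and `docker-file-dev` inputs change here — previously a bare file name resolved under `contracts/operations/docker/`, now a path relative to `working-directory` — and nothing in the hunk records that. The `workflow_call` inputs block that declares them lies outside the hunk; its `description:` fields, if present, should say something like `description: "Path to the Dockerfile, relative to working-directory"` so future callers do not pass a bare file name. Any caller of this reusable workflow not touched by this patch would now point hadolint (and the build steps in the hunks below) at a non-existent path, which is worth a quick grep before merge.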
@@ -134,7 +134,7 @@ jobs:
 platforms: linux/amd64,linux/arm64
 build-args: |
 BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
- file: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file }}
+ file: ${{ inputs.working-directory }}/${{ inputs.docker-file }}
 push: ${{ inputs.push_image }}
 pull: false
 tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }},ghcr.io/zama-ai/${{ inputs.image-name }}:latest
@@ -164,7 +164,7 @@ jobs:
 platforms: linux/amd64,linux/arm64
 build-args: |
 BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
- file: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file-dev }}
+ file: ${{ inputs.working-directory }}/${{ inputs.docker-file-dev }}
 push: ${{ inputs.push_image }}
 pull: false
 tags: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}},ghcr.io/zama-ai/${{ inputs.image-dev-name }}:latest
diff --git a/.github/workflows/fhevm-coprocessor.yml b/.github/workflows/fhevm-coprocessor.yml
new file mode 100644
index 00000000..2edbde76
--- /dev/null
+++ b/.github/workflows/fhevm-coprocessor.yml
@@ -0,0 +1,46 @@
+name: "fhEVM Coprocessor Docker Image"
+
+on:
+ push:
+ branches:
+ - main
+ - amina/fhevm-coprocessor-workflows
+ paths:
+ - .github/workflows/fhevm-coprocessor.yml
+ - .github/workflows/common-docker.yml
+ - fhevm-engine/coprocessor/**
+ release:
+ types:
+ - published
+
+concurrency:
+ group: fhevm-coprocessor
+ cancel-in-progress: true
+
+jobs:
+ docker-coprocessor:
+ uses: ./.github/workflows/common-docker.yml
+ permissions:
+ contents: "read"
+ id-token: "write"
+ packages: "write"
+ with:
+ working-directory: "."
+ push_image: ${{ github.event_name == 'release' || github.ref_name == 'main' }}
+ image-name: "fhevm-coprocessor"
+ generate-dev-image: false
+ docker-file: "fhevm-engine/coprocessor/Dockerfile"
+ arm-build: true
+
+ secrets:
+ BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+ GRAVITON_BUILDER_SSH_PRIVATE_KEY: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+
+ done:
+ runs-on: ubuntu-latest
+ name: Pipeline Done
+ steps:
+ - name: Success
+ run: echo Pipeline Done
+ needs:
+ - docker-coprocessor
diff --git a/.github/workflows/fhevm-smart-contracts.yml b/.github/workflows/fhevm-smart-contracts.yml
index cdde945d..272d3111 100644
--- a/.github/workflows/fhevm-smart-contracts.yml
+++ b/.github/workflows/fhevm-smart-contracts.yml
@@ -2,10 +2,16 @@ name: "fhEVM smart contracts Docker Image"
 on:
 push:
- branches: ["main"]
+ branches:
+ - main
+ - amina/fhevm-coprocessor-workflows
 paths:
 - .github/workflows/fhevm-smart-contracts.yml
+ - .github/workflows/common-docker.yml
 - contracts/**
+ release:
+ types:
+ - published
 concurrency:
 group: fhevm-smart-contracts
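Review bot: The `push.branches` trigger lists the personal branch `amina/fhevm-coprocessor-workflows` next to `main`; `push_image` does evaluate to false there, but the full multi-arch build still runs on every push to that branch and the entry reads as development leftover to drop before merge (the same branch is added in the `fhevm-smart-contracts.yml` hunk that follows). `secrets:` forwards `BLOCKCHAIN_ACTIONS_TOKEN`, which common-docker injects as a `build-args` value, yet the coprocessor Dockerfile in this patch declares no `ARG` for it; unless the reusable workflow marks that secret as required, drop it here so the token is not handed to a build that cannot use it. `concurrency.cancel-in-progress: true` under the single group `fhevm-coprocessor` lets a push to `main` cancel an in-flight release build; keying the group on `${{ github.ref }}` would keep the two apart.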
@@ -24,8 +30,8 @@ jobs:
 image-name: "fhevm-smart-contracts"
 image-dev-name: "fhevm-smart-contracts-dev"
 generate-dev-image: true
- docker-file: "ci.dockerfile"
- docker-file-dev: "dev.dockerfile"
+ docker-file: "contracts/operations/docker/ci.dockerfile"
+ docker-file-dev: "contracts/operations/docker/dev.dockerfile"
 image-dev-description: "fhevm smart contracts dev image"
 arm-build: true
diff --git a/fhevm-engine/coprocessor/Dockerfile b/fhevm-engine/coprocessor/Dockerfile
index 05f6fb6f..a4a60291 100644
--- a/fhevm-engine/coprocessor/Dockerfile
+++ b/fhevm-engine/coprocessor/Dockerfile
@@ -1,15 +1,31 @@
+# Stage 1: Build
 FROM rust:1.82.0-bullseye AS build
-RUN apt-get update
-RUN apt-get install -y protobuf-compiler
+WORKDIR /app
-# we assume we're in the root directory
-ADD . /app/
+# Install dependencies
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends protobuf-compiler=3.12.4* && \
+ rm -rf /var/lib/apt/lists/*
-RUN cd /app/fhevm-engine/coprocessor && SQLX_OFFLINE=true cargo build --release
+COPY ./fhevm-engine/ ./fhevm-engine/
+COPY ./proto/ ./proto/
-FROM debian:bullseye
+WORKDIR /app/fhevm-engine/coprocessor
-COPY --from=build /app/fhevm-engine/target/release/coprocessor /usr/local/bin
+RUN cargo fetch && \
+ SQLX_OFFLINE=true cargo build --release
+
+# Stage 2: Final image
+FROM debian:bullseye-slim
+
+RUN useradd -m zama
+
+COPY --from=build /app/fhevm-engine/target/release/coprocessor /usr/local/bin/
+
+RUN chown zama:zama /usr/local/bin/coprocessor && \
+ chmod 500 /usr/local/bin/coprocessor
+
+USER zama
 ENTRYPOINT ["/usr/local/bin/coprocessor"]
\ No newline at end of file
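Review bot: `RUN chown zama:zama /usr/local/bin/coprocessor && chmod 500 /usr/local/bin/coprocessor` in the final stage hands ownership of the binary to the same unprivileged user that later runs it, so a compromised process could make its own executable writable again and replace it; keep the file root-owned and only executable for others, `RUN chmod 555 /usr/local/bin/coprocessor` with no `chown`, which `USER zama` can still run. The final stage sets no `WORKDIR`, so the process starts in `/`; harmless if the binary writes nothing relative to its cwd, but `WORKDIR /home/zama` would make the intent explicit. The base moves from `debian:bullseye` to `debian:bullseye-slim`, which carries fewer packages; whether the binary needs a runtime library or CA bundle that the old base happened to provide cannot be told from this patch, so confirm by starting the image before the first push to `main`.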