Skip to content

Add SGX_MODE env variable to android bindings build #2911

Add SGX_MODE env variable to android bindings build

Add SGX_MODE env variable to android bindings build #2911

# Copyright (c) 2018-2022 The MobileCoin Foundation
#
# MobileCoin Core projects - Build, deploy to development.
name: Mobilecoin CD
env:
CHART_REPO: https://harbor.mobilecoin.com/chartrepo/mobilecoinfoundation-public
DOCKER_ORG: mobilecoin
RELEASE_5X_TAG: v5.2.3-dev.alpha.6224
MINIMUM_BLOCK: '6224'
GH_SHORT_SHA: placeholder
RUST_CACHE_PATH: .tmp/rust-bin-cache
RUST_ARTIFACTS_PATH: .tmp/rust-bin-cache/bin/mobilecoin
MEASUREMENTS_ARTIFACTS_PATH: .tmp/rust-bin-cache/measurements/mobilecoin
GO_CACHE_PATH: .tmp/go-bin-cache
GO_ARTIFACTS_PATH: .tmp/go-bin-cache/bin/mobilecoin
on:
pull_request:
branches:
- 'release/**'
paths-ignore:
- '**.md'
push:
branches:
- 'feature/**'
tags:
- 'v[0-9]+*'
paths-ignore:
- '**.md'
# don't run more than one at a time for a branch/tag
concurrency:
group: mobilecoin-dev-cd-${{ github.head_ref || github.ref }}
cancel-in-progress: true
# Ignore dependabot. We just need to 'if' the top level jobs.
# Other jobs that 'need' these top level jobs will be skipped.
jobs:
############################################
# Generate environment information
############################################
generate-metadata:
if: ${{ ! startsWith(github.head_ref, 'dependabot/') }}
name: 👾 Environment Info 👾
runs-on: mcf-dev-small-x64
outputs:
namespace: ${{ steps.meta.outputs.namespace }}
tag: ${{ steps.meta.outputs.tag }}
docker_tag: ${{ steps.meta.outputs.docker_tag }}
docker_org: ${{ env.DOCKER_ORG }}
chart_repo: ${{ env.CHART_REPO }}
release_5x_tag: ${{ env.RELEASE_5X_TAG }}
minimum_block: ${{ env.MINIMUM_BLOCK }}
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Generate version metadata
id: meta
shell: bash
run: |
.internal-ci/util/metadata.sh
- name: 👾 Print Environment Details 👾
shell: bash
env:
CHART_REPO: ${{ env.CHART_REPO }}
NAMESPACE: ${{ steps.meta.outputs.namespace }}
VERSION: ${{ steps.meta.outputs.tag }}
run: |
.internal-ci/util/print_details.sh
#########################################
# Build binaries
#########################################
build-rust-hardware-projects:
needs:
- generate-metadata
runs-on: mcf-dev-large-x64
container:
image: mobilecoin/rust-sgx-base:v0.0.36
env:
# build cannot use relative paths for singing and minting trust root.
ENCLAVE_SIGNING_KEY_PATH: ${{ github.workspace }}/.tmp/enclave_signing.pem
MINTING_TRUST_ROOT_PUBLIC_KEY_PEM: ${{ github.workspace }}/.tmp/minting_trust_root.public.pem
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Write environment values
env:
ENCLAVE_SIGNING_KEY: ${{ secrets.DEV_ENCLAVE_SIGNING_KEY }}
MINTING_TRUST_ROOT_PUBLIC: ${{ secrets.DEV_MINTING_TRUST_ROOT_PUBLIC }}
run: |
mkdir -p .tmp
echo "${ENCLAVE_SIGNING_KEY}" > "${ENCLAVE_SIGNING_KEY_PATH}"
echo "${MINTING_TRUST_ROOT_PUBLIC}" > "${MINTING_TRUST_ROOT_PUBLIC_KEY_PEM}"
- name: Cache rust build binaries
id: rust_artifact_cache
uses: mobilecoinofficial/gh-actions/cache-rust-binaries@v0
with:
cache_buster: ${{ vars.CACHE_BUSTER }}
path: ${{ env.RUST_CACHE_PATH }}
- name: Build rust hardware projects
if: steps.rust_artifact_cache.outputs.cache-hit != 'true'
env:
SGX_MODE: HW
RUST_BACKTRACE: full
MOB_RELEASE: 1
CONSENSUS_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }}
LEDGER_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }}
VIEW_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }}
INGEST_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }}
run: |
cargo build --release --locked
- name: Copy artifacts to cache
if: steps.rust_artifact_cache.outputs.cache-hit != 'true'
shell: bash
run: |
mkdir -p "${RUST_ARTIFACTS_PATH}"
find target/release -maxdepth 1 -executable -type f -exec cp "{}" "${RUST_ARTIFACTS_PATH}" \;
find target/release -maxdepth 1 -name "*.signed.so" -exec cp "{}" "${RUST_ARTIFACTS_PATH}" \;
# clean up target directory so the cache hash compute doesn't fail.
# unable to access ???:
# target/release/build/mc-crypto-x509-test-vectors-***/out/openssl/ok_intermediate1/private
rm -rf target/release
- name: Create css measurements
if: steps.rust_artifact_cache.outputs.cache-hit != 'true'
shell: bash
run: |
mkdir -p "${MEASUREMENTS_ARTIFACTS_PATH}"
orig_dir=$(pwd)
cd "${RUST_ARTIFACTS_PATH}"
for i in *.signed.so
do
css=$(echo -n "${i}" | sed -r 's/(.*)\.signed\.so/\1/')
sgx_sign dump -enclave "${i}" -dumpfile /dev/null -cssfile "${css}.css"
cp "${css}.css" "${orig_dir}/${MEASUREMENTS_ARTIFACTS_PATH}"
done
- name: Check artifacts
shell: bash
run: |
ls -alR "${RUST_CACHE_PATH}"
- name: Upload artifacts - rust
uses: mobilecoinofficial/gh-actions/upload-artifact@v0
with:
name: rust-binaries
path: ${{ env.RUST_ARTIFACTS_PATH }}
- name: Upload artifacts - measurements
uses: mobilecoinofficial/gh-actions/upload-artifact@v0
with:
name: measurements
path: ${{ env.MEASUREMENTS_ARTIFACTS_PATH }}
mrenclave-values:
strategy:
matrix:
enclave:
- libconsensus-enclave.signed.so
- libledger-enclave.signed.so
- libview-enclave.signed.so
- libingest-enclave.signed.so
runs-on: mcf-dev-small-x64
needs:
- build-rust-hardware-projects
container:
image: mobilecoin/rust-sgx-base:v0.0.36
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Cache rust build binaries
id: rust_artifact_cache
uses: mobilecoinofficial/gh-actions/cache-rust-binaries@v0
with:
cache_buster: ${{ vars.CACHE_BUSTER }}
path: ${{ env.RUST_CACHE_PATH }}
- name: Get enclave MRSIGNER/MRENCLAVE values
id: enclave
uses: mobilecoinofficial/gh-actions/enclave-measurements@v0
with:
enclave_so_path: ${{ env.RUST_ARTIFACTS_PATH }}/${{ matrix.enclave }}
build-go-projects:
runs-on: mcf-dev-small-x64
needs:
- generate-metadata
container:
image: golang:1.22.2-bullseye
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Add protobuf-compiler
run: |
apt update
apt install -y protobuf-compiler zstd
- name: Cache go build binaries
id: go_cache
uses: mobilecoinofficial/gh-actions/cache-go-binaries@v0
with:
cache_buster: ${{ vars.CACHE_BUSTER }}
path: ${{ env.GO_CACHE_PATH }}
- name: Build go-grpc-gateway
if: steps.go_cache.outputs.cache-hit != 'true'
shell: bash
run: |
mkdir -p "${GO_ARTIFACTS_PATH}"
pushd go-grpc-gateway
./install_tools.sh
./build.sh
popd
cp go-grpc-gateway/go-grpc-gateway "${GO_ARTIFACTS_PATH}"
- name: check artifacts
shell: bash
run: |
ls -alR "${GO_ARTIFACTS_PATH}"
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: go-binaries
path: ${{ env.GO_ARTIFACTS_PATH }}
########################################
# Create/Refresh base runtime image
########################################
docker-base:
runs-on: mcf-dev-small-x64
needs:
- generate-metadata
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Docker
uses: mobilecoinofficial/gh-actions/docker@v0
with:
dockerfile: .internal-ci/docker/Dockerfile.dcap-runtime-base
flavor: latest=true
images: ${{ env.DOCKER_ORG }}/dcap-runtime-base
tags: |
type=sha
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
#########################################
# Build/Publish public artifacts
#########################################
docker:
runs-on: mcf-dev-small-x64
needs:
- build-go-projects
- build-rust-hardware-projects
- docker-base
- generate-metadata
strategy:
matrix:
image:
- bootstrap-tools
- fogingest
- fog-ledger
- fogreport
- fog-test-client
- fogview
- go-grpc-gateway
- node_hw
- mobilecoind
- watcher
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Cache rust build binaries
id: rust_artifact_cache
uses: mobilecoinofficial/gh-actions/cache-rust-binaries@v0
with:
cache_buster: ${{ vars.CACHE_BUSTER }}
path: ${{ env.RUST_CACHE_PATH }}
- name: Cache go build binaries
uses: mobilecoinofficial/gh-actions/cache-go-binaries@v0
with:
cache_buster: ${{ vars.CACHE_BUSTER }}
path: ${{ env.GO_CACHE_PATH }}
- name: Get short SHA
run: echo "GH_SHORT_SHA=sha-$(echo "${GITHUB_SHA}" | cut -c1-7)" >> "${GITHUB_ENV}"
- name: Docker
uses: mobilecoinofficial/gh-actions/docker@v0
with:
build_args: |
REPO_ORG=${{ env.DOCKER_ORG }}
BASE_TAG=${{ env.GH_SHORT_SHA }}
RUST_BIN_PATH=${{ env.RUST_ARTIFACTS_PATH }}
GO_BIN_PATH=${{ env.GO_ARTIFACTS_PATH }}
dockerfile: .internal-ci/docker/Dockerfile.${{ matrix.image }}
flavor: latest=true
images: ${{ env.DOCKER_ORG }}/${{ matrix.image }}
tags: ${{ needs.generate-metadata.outputs.docker_tag }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
charts:
runs-on: mcf-dev-small-x64
needs:
- docker
- generate-metadata
strategy:
matrix:
chart:
- consensus-node
- fog-ingest
- fog-test-client
- mobilecoind
- watcher
- fog-report
- fog-view
- fog-ledger
steps:
- name: Checkout
uses: mobilecoinofficial/gh-actions/checkout@v0
- name: Package and publish chart
uses: mobilecoinofficial/gha-k8s-toolbox@v1
with:
action: helm-publish
chart_repo_username: ${{ secrets.HARBOR_USERNAME }}
chart_repo_password: ${{ secrets.HARBOR_PASSWORD }}
chart_repo: ${{ env.CHART_REPO }}
chart_app_version: ${{ needs.generate-metadata.outputs.tag }}
chart_version: ${{ needs.generate-metadata.outputs.tag }}
chart_path: .internal-ci/helm/${{ matrix.chart }}
################################################
# Bootstrap namespace to v5.2.3-dev from backup
################################################
bootstrap-v5-bv3:
uses: ./.github/workflows/mobilecoin-workflow-dev-bootstrap.yaml
needs:
- generate-metadata
with:
block_version: 3
chart_repo: ${{ needs.generate-metadata.outputs.chart_repo }}
namespace: ${{ needs.generate-metadata.outputs.namespace }}
bootstrap_version: ${{ needs.generate-metadata.outputs.release_5x_tag }}
secrets: inherit
###############################################
# Deploy current version to namespace block v4
###############################################
deploy-current-bv4-release:
uses: ./.github/workflows/mobilecoin-workflow-dev-deploy.yaml
needs:
- bootstrap-v5-bv3
- charts
- generate-metadata
with:
block_version: 4
chart_repo: ${{ needs.generate-metadata.outputs.chart_repo }}
docker_image_org: ${{ needs.generate-metadata.outputs.docker_org }}
ingest_color: blue
namespace: ${{ needs.generate-metadata.outputs.namespace }}
version: ${{ needs.generate-metadata.outputs.tag }}
minimum_block: ${{ needs.generate-metadata.outputs.minimum_block }}
secrets: inherit
test-current-bv4-release:
uses: ./.github/workflows/mobilecoin-workflow-dev-test.yaml
needs:
- deploy-current-bv4-release
- generate-metadata
with:
fog_distribution: false
ingest_color: blue
namespace: ${{ needs.generate-metadata.outputs.namespace }}
testing_block_v0: false
testing_block_v2: false
testing_block_v3: true
generate_and_submit_mint_config_tx_uses_json: true
secrets: inherit
#################################################
# Update current consensus to namespace block vX
#################################################
# update-current-to-bv3:
# uses: ./.github/workflows/mobilecoin-workflow-dev-update-consensus.yaml
# needs:
# - test-current-bv2-release
# - generate-metadata
# with:
# block_version: 4
# chart_repo: ${{ needs.generate-metadata.outputs.chart_repo }}
# namespace: ${{ needs.generate-metadata.outputs.namespace }}
# version: ${{ needs.generate-metadata.outputs.tag }}
# secrets: inherit
# test-current-bv4-release:
# uses: ./.github/workflows/mobilecoin-workflow-dev-test.yaml
# needs:
# - update-current-to-bv3
# - generate-metadata
# with:
# fog_distribution: false
# ingest_color: blue
# namespace: ${{ needs.generate-metadata.outputs.namespace }}
# testing_block_v0: false
# testing_block_v2: false
# testing_block_v3: true
# generate_and_submit_mint_config_tx_uses_json: true
# secrets: inherit
mobilecoin-cd-complete:
# Dummy step for a standard GHA Check that won't change when we update the tests.
runs-on: mcf-dev-small-x64
needs:
- test-current-bv4-release
steps:
- name: CD is Complete
run: 'true'
###############################################################
# Clean up deployments
###############################################################
# we keep feature/*
# run on tag
# run on pr to release/*
cleanup-after-tag:
if: github.ref_type == 'tag'
needs:
- test-current-bv4-release
- generate-metadata
uses: ./.github/workflows/mobilecoin-workflow-dev-reset.yaml
with:
namespace: ${{ needs.generate-metadata.outputs.namespace }}
delete_namespace: true
secrets: inherit
cleanup-after-pr-to-release-branch:
if: github.event_name == 'pull_request' && startsWith(github.base_ref, 'release/')
needs:
- test-current-bv4-release
- generate-metadata
uses: ./.github/workflows/mobilecoin-workflow-dev-reset.yaml
with:
namespace: ${{ needs.generate-metadata.outputs.namespace }}
delete_namespace: true
secrets: inherit