Add SGX_MODE env variable to android bindings build #2911
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright (c) 2018-2022 The MobileCoin Foundation | |
# | |
# MobileCoin Core projects - Build, deploy to development. | |
name: Mobilecoin CD | |
env: | |
CHART_REPO: https://harbor.mobilecoin.com/chartrepo/mobilecoinfoundation-public | |
DOCKER_ORG: mobilecoin | |
RELEASE_5X_TAG: v5.2.3-dev.alpha.6224 | |
MINIMUM_BLOCK: '6224' | |
GH_SHORT_SHA: placeholder | |
RUST_CACHE_PATH: .tmp/rust-bin-cache | |
RUST_ARTIFACTS_PATH: .tmp/rust-bin-cache/bin/mobilecoin | |
MEASUREMENTS_ARTIFACTS_PATH: .tmp/rust-bin-cache/measurements/mobilecoin | |
GO_CACHE_PATH: .tmp/go-bin-cache | |
GO_ARTIFACTS_PATH: .tmp/go-bin-cache/bin/mobilecoin | |
on: | |
pull_request: | |
branches: | |
- 'release/**' | |
paths-ignore: | |
- '**.md' | |
push: | |
branches: | |
- 'feature/**' | |
tags: | |
- 'v[0-9]+*' | |
paths-ignore: | |
- '**.md' | |
# don't run more than one at a time for a branch/tag | |
concurrency: | |
group: mobilecoin-dev-cd-${{ github.head_ref || github.ref }} | |
cancel-in-progress: true | |
# Ignore dependabot. We just need to 'if' the top level jobs. | |
# Other jobs that 'need' these top level jobs will be skipped. | |
jobs: | |
############################################ | |
# Generate environment information | |
############################################ | |
generate-metadata: | |
if: ${{ ! startsWith(github.head_ref, 'dependabot/') }} | |
name: 👾 Environment Info 👾 | |
runs-on: mcf-dev-small-x64 | |
outputs: | |
namespace: ${{ steps.meta.outputs.namespace }} | |
tag: ${{ steps.meta.outputs.tag }} | |
docker_tag: ${{ steps.meta.outputs.docker_tag }} | |
docker_org: ${{ env.DOCKER_ORG }} | |
chart_repo: ${{ env.CHART_REPO }} | |
release_5x_tag: ${{ env.RELEASE_5X_TAG }} | |
minimum_block: ${{ env.MINIMUM_BLOCK }} | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Generate version metadata | |
id: meta | |
shell: bash | |
run: | | |
.internal-ci/util/metadata.sh | |
- name: 👾 Print Environment Details 👾 | |
shell: bash | |
env: | |
CHART_REPO: ${{ env.CHART_REPO }} | |
NAMESPACE: ${{ steps.meta.outputs.namespace }} | |
VERSION: ${{ steps.meta.outputs.tag }} | |
run: | | |
.internal-ci/util/print_details.sh | |
######################################### | |
# Build binaries | |
######################################### | |
build-rust-hardware-projects: | |
needs: | |
- generate-metadata | |
runs-on: mcf-dev-large-x64 | |
container: | |
image: mobilecoin/rust-sgx-base:v0.0.36 | |
env: | |
# build cannot use relative paths for singing and minting trust root. | |
ENCLAVE_SIGNING_KEY_PATH: ${{ github.workspace }}/.tmp/enclave_signing.pem | |
MINTING_TRUST_ROOT_PUBLIC_KEY_PEM: ${{ github.workspace }}/.tmp/minting_trust_root.public.pem | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Write environment values | |
env: | |
ENCLAVE_SIGNING_KEY: ${{ secrets.DEV_ENCLAVE_SIGNING_KEY }} | |
MINTING_TRUST_ROOT_PUBLIC: ${{ secrets.DEV_MINTING_TRUST_ROOT_PUBLIC }} | |
run: | | |
mkdir -p .tmp | |
echo "${ENCLAVE_SIGNING_KEY}" > "${ENCLAVE_SIGNING_KEY_PATH}" | |
echo "${MINTING_TRUST_ROOT_PUBLIC}" > "${MINTING_TRUST_ROOT_PUBLIC_KEY_PEM}" | |
- name: Cache rust build binaries | |
id: rust_artifact_cache | |
uses: mobilecoinofficial/gh-actions/cache-rust-binaries@v0 | |
with: | |
cache_buster: ${{ vars.CACHE_BUSTER }} | |
path: ${{ env.RUST_CACHE_PATH }} | |
- name: Build rust hardware projects | |
if: steps.rust_artifact_cache.outputs.cache-hit != 'true' | |
env: | |
SGX_MODE: HW | |
RUST_BACKTRACE: full | |
MOB_RELEASE: 1 | |
CONSENSUS_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }} | |
LEDGER_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }} | |
VIEW_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }} | |
INGEST_ENCLAVE_PRIVKEY: ${{ env.ENCLAVE_SIGNING_KEY_PATH }} | |
run: | | |
cargo build --release --locked | |
- name: Copy artifacts to cache | |
if: steps.rust_artifact_cache.outputs.cache-hit != 'true' | |
shell: bash | |
run: | | |
mkdir -p "${RUST_ARTIFACTS_PATH}" | |
find target/release -maxdepth 1 -executable -type f -exec cp "{}" "${RUST_ARTIFACTS_PATH}" \; | |
find target/release -maxdepth 1 -name "*.signed.so" -exec cp "{}" "${RUST_ARTIFACTS_PATH}" \; | |
# clean up target directory so the cache hash compute doesn't fail. | |
# unable to access ???: | |
# target/release/build/mc-crypto-x509-test-vectors-***/out/openssl/ok_intermediate1/private | |
rm -rf target/release | |
- name: Create css measurements | |
if: steps.rust_artifact_cache.outputs.cache-hit != 'true' | |
shell: bash | |
run: | | |
mkdir -p "${MEASUREMENTS_ARTIFACTS_PATH}" | |
orig_dir=$(pwd) | |
cd "${RUST_ARTIFACTS_PATH}" | |
for i in *.signed.so | |
do | |
css=$(echo -n "${i}" | sed -r 's/(.*)\.signed\.so/\1/') | |
sgx_sign dump -enclave "${i}" -dumpfile /dev/null -cssfile "${css}.css" | |
cp "${css}.css" "${orig_dir}/${MEASUREMENTS_ARTIFACTS_PATH}" | |
done | |
- name: Check artifacts | |
shell: bash | |
run: | | |
ls -alR "${RUST_CACHE_PATH}" | |
- name: Upload artifacts - rust | |
uses: mobilecoinofficial/gh-actions/upload-artifact@v0 | |
with: | |
name: rust-binaries | |
path: ${{ env.RUST_ARTIFACTS_PATH }} | |
- name: Upload artifacts - measurements | |
uses: mobilecoinofficial/gh-actions/upload-artifact@v0 | |
with: | |
name: measurements | |
path: ${{ env.MEASUREMENTS_ARTIFACTS_PATH }} | |
mrenclave-values: | |
strategy: | |
matrix: | |
enclave: | |
- libconsensus-enclave.signed.so | |
- libledger-enclave.signed.so | |
- libview-enclave.signed.so | |
- libingest-enclave.signed.so | |
runs-on: mcf-dev-small-x64 | |
needs: | |
- build-rust-hardware-projects | |
container: | |
image: mobilecoin/rust-sgx-base:v0.0.36 | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Cache rust build binaries | |
id: rust_artifact_cache | |
uses: mobilecoinofficial/gh-actions/cache-rust-binaries@v0 | |
with: | |
cache_buster: ${{ vars.CACHE_BUSTER }} | |
path: ${{ env.RUST_CACHE_PATH }} | |
- name: Get enclave MRSIGNER/MRENCLAVE values | |
id: enclave | |
uses: mobilecoinofficial/gh-actions/enclave-measurements@v0 | |
with: | |
enclave_so_path: ${{ env.RUST_ARTIFACTS_PATH }}/${{ matrix.enclave }} | |
build-go-projects: | |
runs-on: mcf-dev-small-x64 | |
needs: | |
- generate-metadata | |
container: | |
image: golang:1.22.2-bullseye | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Add protobuf-compiler | |
run: | | |
apt update | |
apt install -y protobuf-compiler zstd | |
- name: Cache go build binaries | |
id: go_cache | |
uses: mobilecoinofficial/gh-actions/cache-go-binaries@v0 | |
with: | |
cache_buster: ${{ vars.CACHE_BUSTER }} | |
path: ${{ env.GO_CACHE_PATH }} | |
- name: Build go-grpc-gateway | |
if: steps.go_cache.outputs.cache-hit != 'true' | |
shell: bash | |
run: | | |
mkdir -p "${GO_ARTIFACTS_PATH}" | |
pushd go-grpc-gateway | |
./install_tools.sh | |
./build.sh | |
popd | |
cp go-grpc-gateway/go-grpc-gateway "${GO_ARTIFACTS_PATH}" | |
- name: check artifacts | |
shell: bash | |
run: | | |
ls -alR "${GO_ARTIFACTS_PATH}" | |
- name: Upload Artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: go-binaries | |
path: ${{ env.GO_ARTIFACTS_PATH }} | |
######################################## | |
# Create/Refresh base runtime image | |
######################################## | |
docker-base: | |
runs-on: mcf-dev-small-x64 | |
needs: | |
- generate-metadata | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Docker | |
uses: mobilecoinofficial/gh-actions/docker@v0 | |
with: | |
dockerfile: .internal-ci/docker/Dockerfile.dcap-runtime-base | |
flavor: latest=true | |
images: ${{ env.DOCKER_ORG }}/dcap-runtime-base | |
tags: | | |
type=sha | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
######################################### | |
# Build/Publish public artifacts | |
######################################### | |
docker: | |
runs-on: mcf-dev-small-x64 | |
needs: | |
- build-go-projects | |
- build-rust-hardware-projects | |
- docker-base | |
- generate-metadata | |
strategy: | |
matrix: | |
image: | |
- bootstrap-tools | |
- fogingest | |
- fog-ledger | |
- fogreport | |
- fog-test-client | |
- fogview | |
- go-grpc-gateway | |
- node_hw | |
- mobilecoind | |
- watcher | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Cache rust build binaries | |
id: rust_artifact_cache | |
uses: mobilecoinofficial/gh-actions/cache-rust-binaries@v0 | |
with: | |
cache_buster: ${{ vars.CACHE_BUSTER }} | |
path: ${{ env.RUST_CACHE_PATH }} | |
- name: Cache go build binaries | |
uses: mobilecoinofficial/gh-actions/cache-go-binaries@v0 | |
with: | |
cache_buster: ${{ vars.CACHE_BUSTER }} | |
path: ${{ env.GO_CACHE_PATH }} | |
- name: Get short SHA | |
run: echo "GH_SHORT_SHA=sha-$(echo "${GITHUB_SHA}" | cut -c1-7)" >> "${GITHUB_ENV}" | |
- name: Docker | |
uses: mobilecoinofficial/gh-actions/docker@v0 | |
with: | |
build_args: | | |
REPO_ORG=${{ env.DOCKER_ORG }} | |
BASE_TAG=${{ env.GH_SHORT_SHA }} | |
RUST_BIN_PATH=${{ env.RUST_ARTIFACTS_PATH }} | |
GO_BIN_PATH=${{ env.GO_ARTIFACTS_PATH }} | |
dockerfile: .internal-ci/docker/Dockerfile.${{ matrix.image }} | |
flavor: latest=true | |
images: ${{ env.DOCKER_ORG }}/${{ matrix.image }} | |
tags: ${{ needs.generate-metadata.outputs.docker_tag }} | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
charts: | |
runs-on: mcf-dev-small-x64 | |
needs: | |
- docker | |
- generate-metadata | |
strategy: | |
matrix: | |
chart: | |
- consensus-node | |
- fog-ingest | |
- fog-test-client | |
- mobilecoind | |
- watcher | |
- fog-report | |
- fog-view | |
- fog-ledger | |
steps: | |
- name: Checkout | |
uses: mobilecoinofficial/gh-actions/checkout@v0 | |
- name: Package and publish chart | |
uses: mobilecoinofficial/gha-k8s-toolbox@v1 | |
with: | |
action: helm-publish | |
chart_repo_username: ${{ secrets.HARBOR_USERNAME }} | |
chart_repo_password: ${{ secrets.HARBOR_PASSWORD }} | |
chart_repo: ${{ env.CHART_REPO }} | |
chart_app_version: ${{ needs.generate-metadata.outputs.tag }} | |
chart_version: ${{ needs.generate-metadata.outputs.tag }} | |
chart_path: .internal-ci/helm/${{ matrix.chart }} | |
################################################ | |
# Bootstrap namespace to v5.2.3-dev from backup | |
################################################ | |
bootstrap-v5-bv3: | |
uses: ./.github/workflows/mobilecoin-workflow-dev-bootstrap.yaml | |
needs: | |
- generate-metadata | |
with: | |
block_version: 3 | |
chart_repo: ${{ needs.generate-metadata.outputs.chart_repo }} | |
namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
bootstrap_version: ${{ needs.generate-metadata.outputs.release_5x_tag }} | |
secrets: inherit | |
############################################### | |
# Deploy current version to namespace block v4 | |
############################################### | |
deploy-current-bv4-release: | |
uses: ./.github/workflows/mobilecoin-workflow-dev-deploy.yaml | |
needs: | |
- bootstrap-v5-bv3 | |
- charts | |
- generate-metadata | |
with: | |
block_version: 4 | |
chart_repo: ${{ needs.generate-metadata.outputs.chart_repo }} | |
docker_image_org: ${{ needs.generate-metadata.outputs.docker_org }} | |
ingest_color: blue | |
namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
version: ${{ needs.generate-metadata.outputs.tag }} | |
minimum_block: ${{ needs.generate-metadata.outputs.minimum_block }} | |
secrets: inherit | |
test-current-bv4-release: | |
uses: ./.github/workflows/mobilecoin-workflow-dev-test.yaml | |
needs: | |
- deploy-current-bv4-release | |
- generate-metadata | |
with: | |
fog_distribution: false | |
ingest_color: blue | |
namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
testing_block_v0: false | |
testing_block_v2: false | |
testing_block_v3: true | |
generate_and_submit_mint_config_tx_uses_json: true | |
secrets: inherit | |
################################################# | |
# Update current consensus to namespace block vX | |
################################################# | |
# update-current-to-bv3: | |
# uses: ./.github/workflows/mobilecoin-workflow-dev-update-consensus.yaml | |
# needs: | |
# - test-current-bv2-release | |
# - generate-metadata | |
# with: | |
# block_version: 4 | |
# chart_repo: ${{ needs.generate-metadata.outputs.chart_repo }} | |
# namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
# version: ${{ needs.generate-metadata.outputs.tag }} | |
# secrets: inherit | |
# test-current-bv4-release: | |
# uses: ./.github/workflows/mobilecoin-workflow-dev-test.yaml | |
# needs: | |
# - update-current-to-bv3 | |
# - generate-metadata | |
# with: | |
# fog_distribution: false | |
# ingest_color: blue | |
# namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
# testing_block_v0: false | |
# testing_block_v2: false | |
# testing_block_v3: true | |
# generate_and_submit_mint_config_tx_uses_json: true | |
# secrets: inherit | |
mobilecoin-cd-complete: | |
# Dummy step for a standard GHA Check that won't change when we update the tests. | |
runs-on: mcf-dev-small-x64 | |
needs: | |
- test-current-bv4-release | |
steps: | |
- name: CD is Complete | |
run: 'true' | |
############################################################### | |
# Clean up deployments | |
############################################################### | |
# we keep feature/* | |
# run on tag | |
# run on pr to release/* | |
cleanup-after-tag: | |
if: github.ref_type == 'tag' | |
needs: | |
- test-current-bv4-release | |
- generate-metadata | |
uses: ./.github/workflows/mobilecoin-workflow-dev-reset.yaml | |
with: | |
namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
delete_namespace: true | |
secrets: inherit | |
cleanup-after-pr-to-release-branch: | |
if: github.event_name == 'pull_request' && startsWith(github.base_ref, 'release/') | |
needs: | |
- test-current-bv4-release | |
- generate-metadata | |
uses: ./.github/workflows/mobilecoin-workflow-dev-reset.yaml | |
with: | |
namespace: ${{ needs.generate-metadata.outputs.namespace }} | |
delete_namespace: true | |
secrets: inherit |