Merge pull request #595 from zama-ai/amina/fhevm-sc-workflows

chore(ci): add fhevm smart contracts docker workflows

.github/workflows/common-docker.yml

@@ -0,0 +1,167 @@
+name: Docker Build and Push
+
+on:
+  workflow_call:
+    secrets:
+      BLOCKCHAIN_ACTIONS_TOKEN:
+        required: true
+      GRAVITON_BUILDER_SSH_PRIVATE_KEY:
+        required: true
+    inputs:
+      ref:
+        type: string
+        required: false
+        default: ""
+      working-directory:
+        type: string
+        required: true
+      docker-context:
+        type: string
+        required: false
+        default: "."
+      image-name:
+        type: string
+        required: true
+      image-dev-name:
+        type: string
+        required: false
+      image-dev-description:
+        type: string
+        required: false
+      push_image:
+        type: boolean
+        default: true
+        required: false
+      runs_on:
+        type: string
+        required: false
+        default: "ubuntu-latest"
+      generate-dev-image:
+        type: boolean
+        default: false
+        required: false
+      docker-file:
+        type: string
+        default: "ci.dockerfile"
+        required: false
+      docker-file-dev:
+        type: string
+        default: "dev.dockerfile"
+        required: false
+      graviton-build-host:
+        type: string
+        required: false
+        default: "ec2-15-188-101-126.eu-west-3.compute.amazonaws.com"
+      arm-build:
+        type: boolean
+        default: true
+        required: false
+      cache-from:
+        type: string
+        required: false
+        default: "type=gha"
+      cache-to:
+        type: string
+        required: false
+        default: "type=gha,mode=max"
+    outputs:
+      image_name:
+        description: "Image Name with Tag generated by this task"
+        value: "${{ jobs.build-and-push-docker.outputs.image_name }}"
+
+jobs:
+  build-and-push-docker:
+    runs-on: ${{ inputs.runs_on }}
+    outputs:
+      image_name: ${{ steps.export-image.outputs.image }}
+    env:
+      HOME: ${{ inputs.runs_on != 'ubuntu-latest' && '/root' || '/home/runner' }}
+    steps:
+      - name: Checkout Project
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Set up SSH
+        if: inputs.arm-build
+        uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0
+        with:
+          host: ${{ inputs.graviton-build-host }}
+          private-key: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+          private-key-name: docker_builder_arm
+
+      - name: Set up Docker Buildx
+        if: inputs.arm-build
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        with:
+          platforms: linux/amd64,linux/arm64
+          append: |
+            - endpoint: "ssh://ec2-user@${{ inputs.graviton-build-host }}"
+              platforms: linux/arm64
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Echo github event
+        run: echo "Github event ==> ${{ github.event_name }}"
+
+      - name: Current branch sha
+        if: github.event_name != 'release'
+        run: |
+          echo "DOCKER_TAG_IMAGE=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
+      - name: Current Tag
+        if: github.event_name == 'release'
+        run: |
+          echo "DOCKER_TAG_IMAGE=${{  github.ref_name }}" >> "$GITHUB_ENV"
+
+      - name: Docker Build and Push
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        with:
+          context: ${{ inputs.docker-context }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+          file: ${{ inputs.working-directory }}/operations/docker/${{ inputs.docker-file }}
+          push: ${{ inputs.push_image }}
+          pull: false
+          tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }},ghcr.io/zama-ai/${{ inputs.image-name }}:latest
+          cache-from: ${{ inputs.cache-from }}
+          cache-to: ${{ inputs.cache-to }}
+
+      - name: Extract Docker metadata
+        if: ${{ inputs.generate-dev-image }}
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          annotations: |
+            org.opencontainers.image.description="${{ inputs.image-dev-description }}"
+          labels: |
+            zama.fhevm.version=${{ env.DOCKER_TAG_IMAGE }}
+            zama.fhevm.description="${{ inputs.image-dev-description }}"
+          images: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{ env.DOCKER_TAG_IMAGE }}
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+
+      - name: Docker Build and Push Dev Image
+        if: ${{ inputs.generate-dev-image }}
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        timeout-minutes: 360
+        with:
+          context: ${{ inputs.docker-context }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+          file: ${{ inputs.working-directory }}/operations/docker/${{ inputs.docker-file-dev }}
+          push: ${{ inputs.push_image }}
+          pull: false
+          tags: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}},ghcr.io/zama-ai/${{ inputs.image-dev-name }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+
+      - name: Export image name
+        id: export-image
+        run: echo "image=ghcr.io/zama-ai/${{inputs.image-name}}:${{env.DOCKER_TAG_IMAGE}}" >> "${GITHUB_OUTPUT}"

.github/workflows/fhevm-smart-contracts.yml

@@ -0,0 +1,36 @@
+name: "fhEVM smart contracts Docker image"
+
+on:
+  push:
+    branches: ["main"]
+
+jobs:
+  docker-smart-contracts:
+    uses: ./.github/workflows/common-docker.yml
+    permissions:
+      contents: "read"
+      id-token: "write"
+      packages: "write"
+    with:
+      working-directory: "."
+      push_image: true
+      image-name: "fhevm-smart-contracts"
+      image-dev-name: "fhevm-smart-contracts-dev"
+      generate-dev-image: true
+      docker-file: "ci.dockerfile"
+      docker-file-dev: "dev.dockerfile"
+      image-dev-description: "fhEVM smart contracts dev Image"
+      arm-build: true
+
+    secrets:
+      BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+      GRAVITON_BUILDER_SSH_PRIVATE_KEY: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+
+  done:
+    runs-on: ubuntu-latest
+    name: Pipeline Done
+    steps:
+      - name: Success
+        run: echo Pipeline Done
+    needs:
+      - docker-smart-contracts

operations/docker/ci.dockerfile

@@ -0,0 +1,16 @@
+FROM node:20
+
+# Set the working directory inside the container
+WORKDIR /app
+COPY package.json ./
+
+# Install the dependencies
+RUN npm install
+
+COPY .env.example.deployment ./
+COPY lib ./lib/
+COPY tasks ./tasks/
+COPY gateway ./gateway/
+COPY *.sh ./
+COPY *.ts ./
+COPY tsconfig.json ./

operations/docker/dev.dockerfile

@@ -0,0 +1,27 @@
+FROM node:20
+
+# Set the working directory inside the container
+WORKDIR /app
+COPY package.json ./
+
+# Install the dependencies
+RUN npm install
+
+COPY .env.example.deployment ./
+COPY lib ./lib/
+COPY tasks ./tasks/
+COPY gateway ./gateway/
+COPY *.sh ./
+COPY *.ts ./
+COPY tsconfig.json ./
+
+RUN cp .env.example.deployment .env
+RUN ./precompute-addresses.sh
+
+RUN npx hardhat clean
+
+RUN PRIVATE_KEY_FHEVM_DEPLOYER=$(grep PRIVATE_KEY_FHEVM_DEPLOYER .env | cut -d '"' -f 2)
+RUN NUM_KMS_SIGNERS=$(grep NUM_KMS_SIGNERS .env | cut -d '"' -f 2)
+
+RUN npx hardhat compile:specific --contract lib
+RUN npx hardhat compile:specific --contract gateway