BAC-189: CI for Shielder Prover Server (#286)

Author: Marcin-Radecki

.github/workflows/_build-enclave-artifacts.yml

@@ -44,7 +44,10 @@ jobs:
       - name: Build enclave for shielder-prover-tee
         # yamllint disable rule:line-length
         run: |
+          mkdir out
           nix build --override-input zkOS-monorepo "github:${GITHUB_REPOSITORY}/${{ steps.get-ref-properties.outputs.full-sha }}"
+          cp result/shielderProverTEE/image.eif out/shielder-prover-tee-${{ steps.get-ref-properties.outputs.sha }}.eif
+          cp result/shielderProverTEE/pcr.json out/pcr-${{ steps.get-ref-properties.outputs.sha }}.json
 
       - name: Get artifact names
         id: get-artifact-names
@@ -56,14 +59,14 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.get-artifact-names.outputs.eif }}
-          path: tee/nix/result/shielderProverTEE/image.eif
+          path: tee/nix/out/shielder-prover-tee-${{ steps.get-ref-properties.outputs.sha }}.eif
           if-no-files-found: error
           retention-days: 7
 
       - name: Upload measurements to GH Artifacts
         uses: actions/upload-artifact@v4
         with:
           name: ${{ steps.get-artifact-names.outputs.measurements }}
-          path: tee/nix/result/shielderProverTEE/pcr.json
+          path: tee/nix/out/pcr-${{ steps.get-ref-properties.outputs.sha }}.json
           if-no-files-found: error
           retention-days: 7

.github/workflows/_check-vars-and-secrets.yml

@@ -21,6 +21,8 @@ jobs:
             -z '${{ vars.CI_TESTNET_RELAYER_SIGNER_ADDRESSES }}' || \
             -z '${{ vars.CI_TESTNET_STAGE_OWNER_ADDRESS }}' || \
             -z '${{ vars.CI_TESTNET_TS_SDK_PUBLIC_KEY }}' || \
+            -z '${{ vars.ECR_PUBLIC_HOST }}' || \
+            -z '${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}' || \
             -z '${{ vars.MAINNET_PROD_OWNER_ADDRESS }}' || \
             -z '${{ vars.SHIELDER_CONTRACT_ADDRESS }}'
           ]]; then
@@ -34,6 +36,8 @@ jobs:
           if [[ \
             -z '${{ secrets.AWS_MAINNET_ECR_ACCESS_KEY }}' || \
             -z '${{ secrets.AWS_MAINNET_ECR_ACCESS_KEY_ID }}' || \
+            -z '${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY }}' || \
+            -z '${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY_ID }}' || \
             -z '${{ secrets.CI_GH_TOKEN }}' || \
             -z '${{ secrets.CI_MAINNET_DEPLOYER_PRIVATE_KEY }}' || \
             -z '${{ secrets.CI_TESTNET_ALICE_PRIVATE_KEY }}' || \

.github/workflows/build-and-push-prover-server.yml

@@ -0,0 +1,51 @@
+---
+name: Build and push Shielder-Prover-Server docker image (host app)
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'git ref: hash, branch, tag to build shielder-prover-server files from'
+        type: string
+        required: true
+
+jobs:
+  main:
+    name: Build Shielder Prover Server (host app)
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Call action get-ref-properties
+        id: get-ref-properties
+        uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7
+
+      - name: Login to Public Amazon ECR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.ECR_PUBLIC_HOST }}
+          username: ${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY_ID }}
+          password: ${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY }}
+
+      - name: DOCKER | Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+        with:
+          version: v0.9.1
+
+      - name: Build and push docker image
+        id: build-image
+        uses: docker/build-push-action@v3
+        with:
+          context: tee
+          builder: ${{ steps.buildx.outputs.name }}
+          file: ./tee/docker/Dockerfile
+          push: true
+          # yamllint disable rule:line-length
+          tags: |
+            ${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}shielder-prover:${{ steps.get-ref-properties.outputs.sha }}
+            ${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}shielder-prover:latest

.github/workflows/on-release.yml

@@ -0,0 +1,66 @@
+---
+name: Build and add Shielder Prover Server artifacts to GitHub Release
+
+on:
+  release:
+    types:
+      - published
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  check-vars-and-secrets:
+    name: Check vars and secrets
+    uses: ./.github/workflows/_check-vars-and-secrets.yml
+    secrets: inherit
+
+  build-enclave-artifacts:
+    name: Build enclave artifacts
+    uses: ./.github/workflows/_build-enclave-artifacts.yml
+    with:
+      ref: ${{ github.ref }}
+
+  add-ci-artifacts-to-release:
+    name: Add CI artifacts to the release
+    needs:
+      - check-vars-and-secrets
+      - build-enclave-artifacts
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Call action get-ref-properties
+        id: get-ref-properties
+        uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7
+
+      - name: Download enclave artifacts - EIF
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build-enclave-artifacts.outputs.artifact-name-eif }}
+          merge-multiple: true
+          path: artifacts
+
+      - name: Download enclave artifacts - Measurements
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build-enclave-artifacts.outputs.artifact-name-measurements }}
+          merge-multiple: true
+          path: artifacts
+
+      - name: Generate release artifacts checksum (SHA256)
+        uses: jmgilman/actions-generate-checksum@v1
+        with:
+          output:
+            checksums.txt
+          patterns: |
+            artifacts/*
+
+      - name: Add CI artifacts to the release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            checksums.txt
+            artifacts/*

tee/docker/Dockerfile

@@ -15,10 +15,6 @@ WORKDIR /app
 
 COPY --from=builder /app/target/release/shielder-prover-server .
 
-COPY docker/dockerentrypoint.sh .
-
-RUN chmod +x dockerentrypoint.sh
-
 # Expose the default public port
 EXPOSE 3000