feat(ci): switch to GitHub Container Registry for images

Updated the workflow to push container images to GitHub Container Registry instead of Docker Hub. Added a login step for GHCR and updated image tagging and pushing commands accordingly.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
Harald Hoyer 2025-04-02 16:27:24 +02:00
parent 542e3a9fcc
commit 3257f316b5
Signed by: harald
GPG key ID: F519A1143B3FBE32
12 changed files with 43 additions and 42 deletions


@ -90,11 +90,12 @@ jobs:
cache: tee-pot cache: tee-pot
token: ${{ secrets.ATTIC_TOKEN }} token: ${{ secrets.ATTIC_TOKEN }}
- name: Log in to Docker Hub - name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with: with:
username: ${{ secrets.DOCKERHUB_USER }} registry: ghcr.io
password: ${{ secrets.DOCKERHUB_TOKEN }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Load container - name: Load container
id: build id: build
@ -106,21 +107,21 @@ jobs:
- name: Push container - name: Push container
run: | run: |
echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to Docker Hub" echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to GitHub Container Registry"
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}" docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_TAG }}"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_TAG }}" docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_TAG }}"
- name: Tag container as latest - name: Tag container as latest
if: ${{ github.event_name == 'push' }} if: ${{ github.event_name == 'push' }}
run: | run: |
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest" docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:latest" docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
- name: Tag container with tag - name: Tag container with tag
if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }} if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
run: | run: |
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME" docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME"
docker push matterlabsrobot/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME" docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME"
- name: Generate build ID for Flux Image Automation - name: Generate build ID for Flux Image Automation
id: flux id: flux
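Review bot: The "Push container" step at the top of the second hunk carries no `if:` guard, so after this change it will also attempt `docker push` to ghcr.io on runs where `secrets.GITHUB_TOKEN` cannot write packages (pull_request runs from forks receive a read-only token), and the step will fail rather than be skipped; the workflow's triggers are outside this hunk, so this only matters if such events reach this job. Pushing to GHCR with `GITHUB_TOKEN` also requires the job or workflow to grant `packages: write` under `permissions:`, which is not visible here; if it is not declared elsewhere in the file, add `permissions:` with `contents: read` and `packages: write` to the job, otherwise the login succeeds but the push is rejected. Pinning docker/login-action to a full commit SHA with the version in a trailing comment is the right way to reference the action. The build step preceding the push and the flux step after it continue outside the hunk.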


@ -45,6 +45,6 @@ gcloud compute instances create tdx-pilot \
--maintenance-policy=TERMINATE \ --maintenance-policy=TERMINATE \
--image-project=tdx-pilot \ --image-project=tdx-pilot \
--project tdx-pilot \ --project tdx-pilot \
--metadata=container_hub="docker.io",container_image="matterlabsrobot/test-tdx:117p5y281limw0w7b03v802ij00c5gzw" \ --metadata=container_hub="docker.io",container_image="ghcr.io/matter-labs/test-tdx:117p5y281limw0w7b03v802ij00c5gzw" \
--metadata-from-file=container_config=$BASE_DIR/config.json \ --metadata-from-file=container_config=$BASE_DIR/config.json \
--image tdx-img-f-"${NO}" --image tdx-img-f-"${NO}"
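Review bot: `container_hub="docker.io"` on the `--metadata` line is left unchanged while `container_image` on the same line now points at `ghcr.io/matter-labs/test-tdx:…`; if the guest's start script uses `container_hub` to choose the registry it logs in to or pulls from, the two values are now inconsistent and the pull may go to the wrong registry. The same pairing remains in the commented-out example of the Nix `docker_start_container` section in this commit (`CONTAINER_HUB = "docker.io"` next to the ghcr.io `CONTAINER_IMAGE`). Unless `container_hub` is irrelevant for ghcr.io pulls, change it to `container_hub="ghcr.io"` and update the commented example to match. How the metadata is consumed by the image is not shown in this diff, so this is an inference from the key names.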


@ -1,6 +1,6 @@
# self-attestation-test # self-attestation-test
Optionally build and load the containers (remove the `matterlabsrobot/` repo from the commands below then) Optionally build and load the containers (remove the `ghcr.io/matter-labs/` repo from the commands below then)
```bash ```bash
$ nix build -L .#container-verify-attestation-sgx && docker load -i result $ nix build -L .#container-verify-attestation-sgx && docker load -i result
@ -12,9 +12,9 @@ $ nix build -L .#container-self-attestation-test-sgx-azure && docker load -i res
```bash ```bash
docker run -i --init --rm --privileged --device /dev/sgx_enclave \ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-azure:latest \ ghcr.io/matter-labs/teepot-self-attestation-test-sgx-azure:latest \
| base64 -d --ignore-garbage \ | base64 -d --ignore-garbage \
| docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest - | docker run -i --rm ghcr.io/matter-labs/verify-attestation-sgx:latest -
aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Gramine is starting. Parsing TOML manifest file, this may take some time... Gramine is starting. Parsing TOML manifest file, this may take some time...
@ -31,9 +31,9 @@ reportdata: 00000000000000000000000000000000000000000000000000000000000000000000
```bash ```bash
docker run -i --init --rm --privileged --device /dev/sgx_enclave \ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ ghcr.io/matter-labs/teepot-self-attestation-test-sgx-dcap:latest \
| base64 -d --ignore-garbage \ | base64 -d --ignore-garbage \
| docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest - | docker run -i --rm ghcr.io/matter-labs/verify-attestation-sgx:latest -
aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Gramine is starting. Parsing TOML manifest file, this may take some time... Gramine is starting. Parsing TOML manifest file, this may take some time...
@ -48,9 +48,9 @@ On an outdated machine, this might look like this:
```bash ```bash
docker run -i --init --rm --privileged --device /dev/sgx_enclave \ docker run -i --init --rm --privileged --device /dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ ghcr.io/matter-labs/teepot-self-attestation-test-sgx-dcap:latest \
| base64 -d --ignore-garbage \ | base64 -d --ignore-garbage \
| docker run -i --rm matterlabsrobot/verify-attestation-sgx:latest - | docker run -i --rm ghcr.io/matter-labs/verify-attestation-sgx:latest -
aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground. aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Gramine is starting. Parsing TOML manifest file, this may take some time... Gramine is starting. Parsing TOML manifest file, this may take some time...
@ -73,9 +73,9 @@ reportdata: 00000000000000000000000000000000000000000000000000000000000000000000
```bash ```bash
podman run -i --rm --group-add=keep-groups -v /var/run/aesmd:/var/run/aesmd -v /dev/sgx_enclave:/dev/sgx_enclave \ podman run -i --rm --group-add=keep-groups -v /var/run/aesmd:/var/run/aesmd -v /dev/sgx_enclave:/dev/sgx_enclave \
matterlabsrobot/teepot-self-attestation-test-sgx-dcap:latest \ ghcr.io/matter-labs/teepot-self-attestation-test-sgx-dcap:latest \
| base64 -d --ignore-garbage \ | base64 -d --ignore-garbage \
| podman run -i --rm --net host \ | podman run -i --rm --net host \
-v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \ -v /etc/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf \
matterlabsrobot/verify-attestation-sgx-dcap:latest ghcr.io/matter-labs/verify-attestation-sgx-dcap:latest
``` ```


@ -121,7 +121,7 @@ Passphrase:
Find out the `mr_enclave` value of the teepot-vault-admin-sgx-azure enclave and extract the sigstruct file: Find out the `mr_enclave` value of the teepot-vault-admin-sgx-azure enclave and extract the sigstruct file:
```bash ```bash
docker run -v .:/mnt --pull always -it matterlabsrobot/teepot-vault-admin-sgx-azure:latest 'gramine-sgx-sigstruct-view teepot-vault-admin-sgx-azure.sig; cp teepot-vault-admin-sgx-azure.sig /mnt' docker run -v .:/mnt --pull always -it ghcr.io/matter-labs/teepot-vault-admin-sgx-azure:latest 'gramine-sgx-sigstruct-view teepot-vault-admin-sgx-azure.sig; cp teepot-vault-admin-sgx-azure.sig /mnt'
[...] [...]
Attributes: Attributes:
mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d mr_signer: c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d
@ -226,18 +226,18 @@ Next is to sign the admin tee with the vault-admin tool:
``` ```
Then replace `teepot-vault-admin-sgx-azure.sig` with `teepot-vault-admin-sgx-azure-new.sig` in the container Then replace `teepot-vault-admin-sgx-azure.sig` with `teepot-vault-admin-sgx-azure-new.sig` in the container
image `matterlabsrobot/teepot-vault-admin-sgx-azure:latest` with this Dockerfile: image `ghcr.io/matter-labs/teepot-vault-admin-sgx-azure:latest` with this Dockerfile:
```Dockerfile ```Dockerfile
FROM matterlabsrobot/teepot-vault-admin-sgx-azure:latest FROM ghcr.io/matter-labs/teepot-vault-admin-sgx-azure:latest
COPY teepot-vault-admin-sgx-azure-new.sig /app/teepot-vault-admin-sgx-azure.sig COPY teepot-vault-admin-sgx-azure-new.sig /app/teepot-vault-admin-sgx-azure.sig
``` ```
Build and push the new image: Build and push the new image:
```bash ```bash
docker build -t matterlabsrobot/teepot-vault-admin-sgx-azure-signed:latest . docker build -t ghcr.io/matter-labs/teepot-vault-admin-sgx-azure-signed:latest .
docker push matterlabsrobot/teepot-vault-admin-sgx-azure-signed:latest docker push ghcr.io/matter-labs/teepot-vault-admin-sgx-azure-signed:latest
``` ```
Delete the old vault-admin pod and start the new one: Delete the old vault-admin pod and start the new one:


@ -27,7 +27,7 @@ spec:
imagePullSecrets: imagePullSecrets:
- name: docker-regcred - name: docker-regcred
containers: containers:
- image: matterlabsrobot/teepot-vault-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-sgx-azure:latest
name: vault name: vault
imagePullPolicy: Always imagePullPolicy: Always
env: env:
@ -62,7 +62,7 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /opt/vault/data - mountPath: /opt/vault/data
name: data-1 name: data-1
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:
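Review bot: The `image:` values now reference ghcr.io, but `imagePullSecrets` two lines above the first changed line still names `docker-regcred`, which by its name looks like a Docker Hub credential; if these images are private on GHCR the kubelet will fail to authenticate and the `vault` and `vault-unseal` containers will not start until that secret holds a `ghcr.io` entry or is replaced. The same applies to the two sibling vault manifests in this commit (the ones mounting `data-2` and `data-3`). Because this deployment's security rests on knowing exactly which enclave image runs, moving registries is also a natural moment to reference the image by digest, e.g. `image: ghcr.io/matter-labs/teepot-vault-sgx-azure@sha256:<digest>`, instead of the mutable `:latest` tag combined with `imagePullPolicy: Always`. Whether `docker-regcred` already covers ghcr.io cannot be seen from this diff.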


@ -27,7 +27,7 @@ spec:
imagePullSecrets: imagePullSecrets:
- name: docker-regcred - name: docker-regcred
containers: containers:
- image: matterlabsrobot/teepot-vault-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-sgx-azure:latest
name: vault name: vault
imagePullPolicy: Always imagePullPolicy: Always
env: env:
@ -62,7 +62,7 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /opt/vault/data - mountPath: /opt/vault/data
name: data-2 name: data-2
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:


@ -27,7 +27,7 @@ spec:
imagePullSecrets: imagePullSecrets:
- name: docker-regcred - name: docker-regcred
containers: containers:
- image: matterlabsrobot/teepot-vault-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-sgx-azure:latest
name: vault name: vault
imagePullPolicy: Always imagePullPolicy: Always
env: env:
@ -62,7 +62,7 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /opt/vault/data - mountPath: /opt/vault/data
name: data-3 name: data-3
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:


@ -11,7 +11,7 @@ spec:
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
containers: containers:
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:


@ -11,7 +11,7 @@ spec:
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
containers: containers:
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:


@ -11,7 +11,7 @@ spec:
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
containers: containers:
- image: matterlabsrobot/teepot-vault-unseal-sgx-azure:latest - image: ghcr.io/matter-labs/teepot-vault-unseal-sgx-azure:latest
name: vault-unseal name: vault-unseal
imagePullPolicy: Always imagePullPolicy: Always
env: env:


@ -29,7 +29,7 @@
systemd.services.docker_start_container = { systemd.services.docker_start_container = {
# environment = { # environment = {
# CONTAINER_IMAGE = "matterlabsrobot/tdx-test:pnj1ryxxb8gbzk9wh18s9bcqrzr1z9ff"; # CONTAINER_IMAGE = "ghcr.io/matter-labs/tdx-test:pnj1ryxxb8gbzk9wh18s9bcqrzr1z9ff";
# CONTAINER_HUB = "docker.io"; # CONTAINER_HUB = "docker.io";
# CONTAINER_TOKEN = ""; # CONTAINER_TOKEN = "";
# CONTAINER_USER = ""; # CONTAINER_USER = "";


@ -1 +1 @@
matterlabsrobot/tdx-test:81hgl91s5hj0sb83c7ij9acf2s5qjvb5 ghcr.io/matter-labs/tdx-test:81hgl91s5hj0sb83c7ij9acf2s5qjvb5