mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 23:23:57 +02:00
716c782e6f
- Updated multiple Rust dependencies, including `opentelemetry`, `const-oid`, and `webpki-roots` for enhanced features and bug fixes. - Upgraded `nixpkgs` and `crane` in the nix flake configuration. - Removed unused dependencies and introduced missing dependencies for improved build integrity. Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
158 lines
6.9 KiB
YAML
158 lines
6.9 KiB
YAML
name: nix
|
|
|
|
on:
|
|
pull_request:
|
|
branches: ["main"]
|
|
push:
|
|
branches: ["main"]
|
|
tags: ["*"]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
check:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
|
- uses: cachix/install-nix-action@v31
|
|
with:
|
|
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
|
|
extra_nix_config: |
|
|
access-tokens = github.com=${{ github.token }}
|
|
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
|
|
substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
|
|
sandbox = true
|
|
- name: Setup Attic cache
|
|
uses: ryanccn/attic-action@v0
|
|
with:
|
|
endpoint: https://attic.teepot.org/
|
|
cache: tee-pot
|
|
token: ${{ secrets.ATTIC_TOKEN }}
|
|
|
|
- run: nix flake check -L --show-trace --keep-going
|
|
|
|
build:
|
|
needs: check
|
|
runs-on: [matterlabs-default-infra-runners]
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
|
|
- uses: cachix/install-nix-action@v31
|
|
with:
|
|
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
|
|
extra_nix_config: |
|
|
access-tokens = github.com=${{ github.token }}
|
|
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
|
|
substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
|
|
sandbox = true
|
|
- name: Setup Attic cache
|
|
uses: ryanccn/attic-action@v0
|
|
with:
|
|
endpoint: https://attic.teepot.org/
|
|
cache: tee-pot
|
|
token: ${{ secrets.ATTIC_TOKEN }}
|
|
|
|
- name: nix build
|
|
run: nix run github:nixos/nixpkgs/nixos-23.11#nixci
|
|
|
|
push_to_docker:
|
|
needs: build
|
|
runs-on: [matterlabs-default-infra-runners]
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }}
|
|
cancel-in-progress: true
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
config:
|
|
- { nixpackage: 'container-vault-sgx-azure' }
|
|
- { nixpackage: 'container-vault-unseal-sgx-azure' }
|
|
- { nixpackage: 'container-vault-admin-sgx-azure' }
|
|
- { nixpackage: 'container-vault-unseal' }
|
|
- { nixpackage: 'container-vault-admin' }
|
|
- { nixpackage: 'container-self-attestation-test-sgx-dcap' }
|
|
- { nixpackage: 'container-self-attestation-test-sgx-azure' }
|
|
- { nixpackage: 'container-verify-attestation-sgx' }
|
|
- { nixpackage: 'container-verify-era-proof-attestation-sgx' }
|
|
- { nixpackage: 'container-tdx-test' }
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: cachix/install-nix-action@v31
|
|
with:
|
|
install_url: https://releases.nixos.org/nix/nix-2.28.3/install
|
|
extra_nix_config: |
|
|
access-tokens = github.com=${{ github.token }}
|
|
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
|
|
substituters = https://cache.nixos.org/ https://attic.teepot.org/tee-pot
|
|
sandbox = true
|
|
- name: Setup Attic cache
|
|
uses: ryanccn/attic-action@v0
|
|
with:
|
|
endpoint: https://attic.teepot.org/
|
|
cache: tee-pot
|
|
token: ${{ secrets.ATTIC_TOKEN }}
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Load container
|
|
id: build
|
|
run: |
|
|
nix build --accept-flake-config -L .#${{ matrix.config.nixpackage }}
|
|
export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
|
|
echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
|
|
echo "IMAGE_NAME=${IMAGE_TAG%:*}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Push container
|
|
run: |
|
|
echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to GitHub Container Registry"
|
|
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_TAG }}"
|
|
docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_TAG }}"
|
|
|
|
- name: Tag container as latest
|
|
if: ${{ github.event_name == 'push' }}
|
|
run: |
|
|
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
|
|
docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
|
|
|
|
- name: Tag container with tag
|
|
if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
|
|
run: |
|
|
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME"
|
|
docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME"
|
|
|
|
- name: Generate build ID for Flux Image Automation
|
|
id: flux
|
|
if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags') }}
|
|
run: |
|
|
sha=$(git rev-parse --short HEAD)
|
|
ts=$(date +%s%N | cut -b1-13)
|
|
echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Generate build ID for Flux Image Automation
|
|
id: tag
|
|
if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
|
|
run: |
|
|
echo "BUILD_ID=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Auth to google artifact registry
|
|
if: ${{ github.event_name == 'push' }}
|
|
run: |
|
|
gcloud auth configure-docker us-docker.pkg.dev -q
|
|
|
|
- name: Push Docker image to matterlabs-infra
|
|
if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags') }}
|
|
run: |
|
|
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.flux.outputs.BUILD_ID }}"
|
|
docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.flux.outputs.BUILD_ID }}"
|
|
|
|
- name: Push Docker image to matterlabs-infra
|
|
if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
|
|
run: |
|
|
docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.tag.outputs.BUILD_ID }}"
|
|
docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.tag.outputs.BUILD_ID }}"
|