diff --git a/.github/workflows/_build-enclave-artifacts.yml b/.github/workflows/_build-enclave-artifacts.yml
new file mode 100644
index 00000000..94238637
--- /dev/null
+++ b/.github/workflows/_build-enclave-artifacts.yml
@@ -0,0 +1,69 @@
+---
+
+name: "Build enclave artifacts"
+on:
+ workflow_call:
+ inputs:
+ ref:
+ description: 'git ref: hash, branch, tag to build enclave files from'
+ type: string
+ required: true
+ outputs:
+ artifact-name-eif:
+ description: 'Name of artifact: shielder-prover-tee enclave file'
+ value: ${{ jobs.main.outputs.artifact-name-eif }}
+ artifact-name-measurements:
+ description: 'Name of artifact: shielder-prover-tee enclave measurements'
+ value: ${{ jobs.main.outputs.artifact-name-measurements }}
+jobs:
+ main:
+ runs-on: ubuntu-24.04
+ defaults:
+ run:
+ working-directory: "tee/nix"
+ outputs:
+ artifact-name-eif: ${{ steps.get-artifact-names.outputs.eif }}
+ artifact-name-measurements: ${{ steps.steps.get-artifact-names.outputs.measurements }}
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref }}
+ fetch-depth: 0
+
+ - name: Call action get-ref-properties
+ id: get-ref-properties
+ uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7
+
+ - name: Install nix
+ uses: cachix/install-nix-action@v31
+
+ - name: Check nix inputs
+ run: nix flake check
+
+ - name: Build enclave for shielder-prover-tee
+ # yamllint disable rule:line-length
+ run: |
+ nix build --override-input zkOS-monorepo "github:${GITHUB_REPOSITORY}/${{ steps.get-ref-properties.outputs.full-sha }}"
+
+ - name: Get artifact names
+ id: get-artifact-names
+ run: |
+ echo "eif=shielder-prover-tee-eif" >> $GITHUB_OUTPUT
+ echo "measurements=shielder-prover-tee-measurements" >> $GITHUB_OUTPUT
+
+ - name: Upload EIF to GH Artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ steps.get-artifact-names.outputs.eif }}
+ path: tee/nix/result/shielderProverTEE/image.eif
+ if-no-files-found: error
+ retention-days: 7
+
+ - name: Upload measurements to GH Artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ steps.get-artifact-names.outputs.measurements }}
+ path: tee/nix/result/shielderProverTEE/pcr.json
+ if-no-files-found: error
+ retention-days: 7
diff --git a/.github/workflows/build-enclaves.yml b/.github/workflows/build-enclaves.yml
deleted file mode 100644
index 93a778a3..00000000
--- a/.github/workflows/build-enclaves.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-
-name: "Build enclaves"
-on:
- pull_request:
-jobs:
- build-and-check:
- runs-on: ubuntu-22.04
- defaults:
- run:
- working-directory: "tee/nix"
- steps:
- - name: Checkout source code
- uses: actions/checkout@v4
-
- - name: Call action get-ref-properties
- id: get-ref-properties
- uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7
-
- - name: Install nix
- uses: cachix/install-nix-action@v31
-
- - name: Check nix inputs
- run: nix flake check
-
- - name: Build enclave for shielder-prover-tee
- # yamllint disable rule:line-length
- run: |
- nix build --override-input zkOS-monorepo 'github:Cardinal-Cryptography/zkOS-monorepo/${{ steps.get-ref-properties.outputs.full-sha }}'
diff --git a/.github/workflows/on-pull-request-commit.yml b/.github/workflows/on-pull-request-commit.yml
index fa489fdc..ce6318e3 100644
--- a/.github/workflows/on-pull-request-commit.yml
+++ b/.github/workflows/on-pull-request-commit.yml
@@ -15,6 +15,12 @@ jobs:
 uses: ./.github/workflows/_check-vars-and-secrets.yml
 secrets: inherit
 
+ build-enclave-artifacts:
+ name: Build enclave artifacts
+ uses: ./.github/workflows/_build-enclave-artifacts.yml
+ with:
+ ref: ${{ github.ref }}
+
 build-contracts:
 name: Generate and compile contracts
 needs: [check-vars-and-secrets]
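Review bot: The job output `artifact-name-measurements` in `jobs.main.outputs` reads `steps.steps.get-artifact-names.outputs.measurements`; the doubled `steps.` does not resolve to the `get-artifact-names` step, so callers of this reusable workflow would most likely receive an empty name for the measurements artifact while the EIF name resolves. It should read `artifact-name-measurements: ${{ steps.get-artifact-names.outputs.measurements }}`. Separately, this job produces the enclave image and the `pcr.json` measurements, yet `actions/checkout@v4`, `cachix/install-nix-action@v31`, `actions/upload-artifact@v4` and `get-ref-properties@v7` are referenced by mutable tags and the workflow declares no `permissions:`; pinning each action to a full commit SHA and adding a top-level `permissions:` with `contents: read` would narrow what a changed upstream action could do to the build. The `full-sha` step output is also expanded directly into the `run:` script text; passing it through `env:` and quoting it in the shell keeps the value from being interpreted as script.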
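Review bot: `ref: ${{ github.ref }}` in the new `build-enclave-artifacts` job is the merge ref (`refs/pull/<n>/merge`) when this workflow runs on `pull_request`, so the EIF and `pcr.json` uploaded by the called workflow would describe the synthetic merge commit rather than the PR head, and measurements compared against a build of the head commit would presumably not match. The called workflow also takes the commit for `nix build` from `get-ref-properties`, whose source of truth is not visible here, so it is worth confirming it resolves the same commit as the `ref` input. A comment above `with:` such as `# builds the PR merge ref; PCRs are for that commit, not the head SHA` would record the intent. The `jobs:` mapping starts and continues outside this hunk, so the trigger is inferred from the file name.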