Cardinal-Cryptography · Marcin-Radecki · Jul 17, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
diff --git a/.github/workflows/_build-enclave-artifacts.yml b/.github/workflows/_build-enclave-artifacts.yml
@@ -0,0 +1,69 @@
+---
+
+name: "Build enclave artifacts"
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: 'git ref: hash, branch, tag to build enclave files from'
+        type: string
+        required: true
+    outputs:
+      artifact-name-eif:
+        description: 'Name of artifact: shielder-prover-tee enclave file'
+        value: ${{ jobs.main.outputs.artifact-name-eif }}
+      artifact-name-measurements:
+        description: 'Name of artifact: shielder-prover-tee enclave measurements'
+        value: ${{ jobs.main.outputs.artifact-name-measurements }}
+jobs:
+  main:
+    runs-on: ubuntu-24.04
+    defaults:
+      run:
+        working-directory: "tee/nix"
+    outputs:
+      artifact-name-eif: ${{ steps.get-artifact-names.outputs.eif }}
+      artifact-name-measurements: ${{ steps.steps.get-artifact-names.outputs.measurements }}
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+          fetch-depth: 0
+
+      - name: Call action get-ref-properties
+        id: get-ref-properties
+        uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7
+
+      - name: Install nix
+        uses: cachix/install-nix-action@v31
+
+      - name: Check nix inputs
+        run: nix flake check
+
+      - name: Build enclave for shielder-prover-tee
+        # yamllint disable rule:line-length
+        run: |
+          nix build --override-input zkOS-monorepo 'github:Cardinal-Cryptography/zkOS-monorepo/${{ steps.get-ref-properties.outputs.full-sha }}'
+
+      - name: Get artifact names
+        id: get-artifact-names
+        run: |
+          echo "eif=shielder-prover-tee-eif" >> $GITHUB_OUTPUT
+          echo "measurements=shielder-prover-tee-measurements" >> $GITHUB_OUTPUT
+
+      - name: Upload EIF to GH Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.get-artifact-names.outputs.eif }}
+          path: tee/nix/result/shielderProverTEE/image.eif
+          if-no-files-found: error
+          retention-days: 7
+
+      - name: Upload measurements to GH Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.get-artifact-names.outputs.measurements }}
+          path: tee/nix/result/shielderProverTEE/pcr.json
+          if-no-files-found: error
+          retention-days: 7
diff --git a/.github/workflows/build-enclaves.yml b/.github/workflows/build-enclaves.yml
diff --git a/.github/workflows/on-pull-request-commit.yml b/.github/workflows/on-pull-request-commit.yml
@@ -15,6 +15,12 @@ jobs:
     uses: ./.github/workflows/_check-vars-and-secrets.yml
     secrets: inherit
 
+  build-enclave-artifacts:
+    name: Build enclave artifacts
+    uses: ./.github/workflows/_build-enclave-artifacts.yml
+    with:
+      ref: ${{ github.ref }}
+
   build-contracts:
     name: Generate and compile contracts
     needs: [check-vars-and-secrets]