kms-connector-docker-build #121

Workflow file for this run

.github/workflows/kms-connector-docker-build.yml at 88865d8

	name: kms-connector-docker-build

	on:
	workflow_call:
	inputs:
	is_workflow_call:
	description: "Indicates if the workflow is called from another workflow"
	type: boolean
	default: true
	required: false
	secrets:
	AWS_ACCESS_KEY_S3_USER:
	required: true
	AWS_SECRET_KEY_S3_USER:
	required: true
	BLOCKCHAIN_ACTIONS_TOKEN:
	required: true
	GHCR_READ_TOKEN:
	required: true
	CGR_USERNAME:
	required: true
	CGR_PASSWORD:
	required: true
	outputs:
	db_migration_build_result:
	description: "Result of the build-db-migration job"
	value: ${{ jobs.build-db-migration.result }}
	gw_listener_build_result:
	description: "Result of the build-gw-listener job"
	value: ${{ jobs.build-gw-listener.result }}
	kms_worker_build_result:
	description: "Result of the build-kms-worker job"
	value: ${{ jobs.build-kms-worker.result }}
	tx_sender_build_result:
	description: "Result of the build-tx-sender job"
	value: ${{ jobs.build-tx-sender.result }}
	release:
	types:
	- published
	workflow_dispatch:
	inputs:
	build_db_migration:
	description: "Enable/disable build for KMS Connector's DB Migration"
	type: boolean
	default: true
	build_gw_listener:
	description: "Enable/disable build for KMS Connector's Gateway Listener"
	type: boolean
	default: true
	build_kms_worker:
	description: "Enable/disable build for KMS Connector's KMS Worker"
	type: boolean
	default: true
	build_tx_sender:
	description: "Enable/disable build for KMS Connector's Transaction Sender"
	type: boolean
	default: true
	push:
	branches:
	- main

	permissions: {}

	jobs:
	########################################################################
	# PRE-BUILD CHECKS #
	########################################################################
	is-latest-commit:
	uses: ./.github/workflows/is-latest-commit.yml
	if: github.event_name == 'push'

	check-changes-db-migration:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: &check_changes_secrets
	GHCR_READ_TOKEN: ${{ secrets.GHCR_READ_TOKEN }}
	permissions: &check_changes_permissions
	actions: 'read' # Required to read workflow run information
	contents: 'read' # Required to checkout repository code
	pull-requests: 'read' # Required to read pull request information
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/kms-connector/db-migration
	filters: \|
	db-migration:
	- .github/workflows/kms-connector-docker-build.yml
	- kms-connector/connector-db/**

	check-changes-gw-listener:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/kms-connector/gw-listener
	filters: \|
	gw-listener:
	- .github/workflows/kms-connector-docker-build.yml
	- kms-connector/crates/gw-listener/**
	- kms-connector/crates/utils/**
	- kms-connector/Cargo.*
	- gateway-contracts/rust-bindings/**

	check-changes-kms-worker:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/kms-connector/kms-worker
	filters: \|
	kms-worker:
	- .github/workflows/kms-connector-docker-build.yml
	- kms-connector/crates/kms-worker/**
	- kms-connector/crates/utils/**
	- kms-connector/Cargo.*
	- gateway-contracts/rust-bindings/**
	- host-contracts/rust-bindings/**

	check-changes-tx-sender:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/kms-connector/tx-sender
	filters: \|
	tx-sender:
	- .github/workflows/kms-connector-docker-build.yml
	- kms-connector/crates/tx-sender/**
	- kms-connector/crates/utils/**
	- kms-connector/Cargo.*
	- gateway-contracts/rust-bindings/**

	########################################################################
	# BUILD DECISIONS #
	# Centralizes all build/re-tag logic in one place for maintainability #
	########################################################################
	build-decisions:
	runs-on: ubuntu-latest
	if: always()
	needs:
	- is-latest-commit
	- check-changes-db-migration
	- check-changes-gw-listener
	- check-changes-kms-worker
	- check-changes-tx-sender
	outputs:
	db_migration: ${{ steps.decide.outputs.db_migration }}
	gw_listener: ${{ steps.decide.outputs.gw_listener }}
	kms_worker: ${{ steps.decide.outputs.kms_worker }}
	tx_sender: ${{ steps.decide.outputs.tx_sender }}
	steps:
	- id: decide
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v0.8.0
	env:
	EVENT_NAME: ${{ github.event_name }}
	NEEDS: ${{ toJSON(needs) }}
	IS_WORKFLOW_CALL: ${{ inputs.is_workflow_call \|\| 'false' }}
	with:
	script: \|
	// Decision logic (returns: "build", "retag", or "skip"):
	// - release: always build
	// - workflow_dispatch: build if input is true, otherwise skip
	// - workflow_call: build if changes detected, retag if no changes
	// - push: only act if latest commit; build if changes, retag otherwise
	const event = process.env.EVENT_NAME;
	const needs = JSON.parse(process.env.NEEDS);
	const isLatestCommit = needs['is-latest-commit'].outputs?.is_latest === 'true' \|\| false;
	const isWorkflowCall = process.env.IS_WORKFLOW_CALL === 'true';

	const decideAction = (changes, manualInput) => {
	if (event === 'release') return 'build';
	if (event === 'workflow_dispatch') return manualInput ? 'build' : 'skip';
	if (event === 'push') return isLatestCommit ? (changes ? 'build' : 'retag') : 'skip';
	if (isWorkflowCall) return changes ? 'build' : 'retag';
	return 'skip';
	};

	const services = {
	db_migration: { changes: needs['check-changes-db-migration'].outputs?.changes, input_name: 'build_db_migration' },
	gw_listener: { changes: needs['check-changes-gw-listener'].outputs?.changes, input_name: 'build_gw_listener' },
	kms_worker: { changes: needs['check-changes-kms-worker'].outputs?.changes, input_name: 'build_kms_worker' },
	tx_sender: { changes: needs['check-changes-tx-sender'].outputs?.changes, input_name: 'build_tx_sender' },
	};

	core.info(`Event: ${event}, Is latest commit: ${isLatestCommit}, Is workflow call: ${isWorkflowCall}`);
	for (const [name, { changes, input_name }] of Object.entries(services)) {
	let manualInput = core.getBooleanInput(input_name);
	const action = decideAction(changes === 'true', manualInput);
	core.setOutput(name, action);
	core.info(`${name}: ${action} (changes: ${changes})`);
	}

	########################################################################
	# DB MIGRATION #
	########################################################################
	build-db-migration:
	needs: [build-decisions, check-changes-db-migration]
	concurrency:
	group: kms-connector-build-db-migration-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.db_migration == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	secrets: &docker_secrets
	AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
	AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
	BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
	CGR_USERNAME: ${{ secrets.CGR_USERNAME }}
	CGR_PASSWORD: ${{ secrets.CGR_PASSWORD }}
	permissions: &docker_permissions
	actions: 'read' # Required to read workflow run information
	contents: 'read' # Required to checkout repository code
	pull-requests: 'read' # Required to read pull request information
	attestations: 'write' # Required to create build attestations
	packages: 'write' # Required to publish Docker images
	id-token: 'write' # Required for OIDC authentication
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/kms-connector/db-migration"
	docker-file: "kms-connector/connector-db/Dockerfile"
	app-cache-dir: "fhevm-kms-connector-db-migration"
	rust-toolchain-file-path: kms-connector/rust-toolchain.toml

	re-tag-db-migration-image:
	needs: [build-decisions, check-changes-db-migration]
	if: always() && needs.build-decisions.outputs.db_migration == 'retag'
	permissions: &re-tag-image-permissions
	actions: 'read' # Required to read workflow run information
	contents: 'read' # Required to checkout repository code
	packages: 'write' # Required to publish Docker images
	id-token: 'write' # Required for OIDC authentication
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/kms-connector/db-migration"
	previous-tag-or-commit: ${{ needs.check-changes-db-migration.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# GATEWAY LISTENER #
	########################################################################
	build-gw-listener:
	needs: [build-decisions, check-changes-gw-listener]
	concurrency:
	group: kms-connector-build-gw-listener-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.gw_listener == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/kms-connector/gw-listener"
	docker-file: "./kms-connector/crates/gw-listener/Dockerfile"
	app-cache-dir: "fhevm-kms-connector-gw-listener"
	rust-toolchain-file-path: kms-connector/rust-toolchain.toml

	re-tag-gw-listener-image:
	needs: [build-decisions, check-changes-gw-listener]
	if: always() && needs.build-decisions.outputs.gw_listener == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/kms-connector/gw-listener"
	previous-tag-or-commit: ${{ needs.check-changes-gw-listener.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# KMS WORKER #
	########################################################################
	build-kms-worker:
	needs: [build-decisions, check-changes-kms-worker]
	concurrency:
	group: kms-connector-build-kms-worker-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.kms_worker == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/kms-connector/kms-worker"
	docker-file: "./kms-connector/crates/kms-worker/Dockerfile"
	app-cache-dir: "fhevm-kms-connector-kms-worker"
	rust-toolchain-file-path: kms-connector/rust-toolchain.toml

	re-tag-kms-worker-image:
	needs: [build-decisions, check-changes-kms-worker]
	if: always() && needs.build-decisions.outputs.kms_worker == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/kms-connector/kms-worker"
	previous-tag-or-commit: ${{ needs.check-changes-kms-worker.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# TRANSACTION SENDER #
	########################################################################
	build-tx-sender:
	needs: [build-decisions, check-changes-tx-sender]
	concurrency:
	group: kms-connector-build-tx-sender-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.tx_sender == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/kms-connector/tx-sender"
	docker-file: "./kms-connector/crates/tx-sender/Dockerfile"
	app-cache-dir: "fhevm-kms-connector-tx-sender"
	rust-toolchain-file-path: kms-connector/rust-toolchain.toml

	re-tag-tx-sender-image:
	needs: [build-decisions, check-changes-tx-sender]
	if: always() && needs.build-decisions.outputs.tx_sender == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/kms-connector/tx-sender"
	previous-tag-or-commit: ${{ needs.check-changes-tx-sender.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

kms-connector-docker-build #121

Workflow file

kms-connector-docker-build #121

Uh oh!

Workflow file for this run