coprocessor-docker-build #1068

Workflow file for this run

.github/workflows/coprocessor-docker-build.yml at d437be5

	name: coprocessor-docker-build

	on:
	release:
	types:
	- published
	workflow_call:
	inputs:
	is_workflow_call:
	description: "Indicates if the workflow is called from another workflow"
	type: boolean
	default: true
	required: false
	secrets:
	AWS_ACCESS_KEY_S3_USER:
	required: true
	AWS_SECRET_KEY_S3_USER:
	required: true
	BLOCKCHAIN_ACTIONS_TOKEN:
	required: true
	GHCR_READ_TOKEN:
	required: true
	CGR_USERNAME:
	required: true
	CGR_PASSWORD:
	required: true
	outputs:
	db_migration_build_result:
	description: "Result of the build-db-migration job"
	value: ${{ jobs.build-db-migration.result }}
	gw_listener_build_result:
	description: "Result of the build-gw-listener job"
	value: ${{ jobs.build-gw-listener.result }}
	host_listener_build_result:
	description: "Result of the build-host-listener job"
	value: ${{ jobs.build-host-listener.result }}
	sns_worker_build_result:
	description: "Result of the build-sns-worker job"
	value: ${{ jobs.build-sns-worker.result }}
	tfhe_worker_build_result:
	description: "Result of the build-tfhe-worker job"
	value: ${{ jobs.build-tfhe-worker.result }}
	tx_sender_build_result:
	description: "Result of the build-tx-sender job"
	value: ${{ jobs.build-tx-sender.result }}
	zkproof_worker_build_result:
	description: "Result of the build-zkproof-worker job"
	value: ${{ jobs.build-zkproof-worker.result }}
	workflow_dispatch:
	inputs:
	build_db_migration:
	description: "Enable/disable build for Coprocessor's DB Migration"
	type: boolean
	default: true
	build_gw_listener:
	description: "Enable/disable build for Coprocessor's Gateway Listener"
	type: boolean
	default: true
	build_host_listener:
	description: "Enable/disable build for Coprocessor's Host Listener"
	type: boolean
	default: true
	build_sns_worker:
	description: "Enable/disable build for Coprocessor's SNS Worker"
	type: boolean
	default: true
	build_tfhe_worker:
	description: "Enable/disable build for Coprocessor's TFHE Worker"
	type: boolean
	default: true
	build_tx_sender:
	description: "Enable/disable build for Coprocessor's Transaction Sender"
	type: boolean
	default: true
	build_zkproof_worker:
	description: "Enable/disable build for Coprocessor's ZKProof Worker"
	type: boolean
	default: true
	push:
	branches: ['main', 'release/*']

	permissions: {}

	jobs:
	########################################################################
	# PRE-BUILD CHECKS #
	########################################################################
	is-latest-commit:
	uses: ./.github/workflows/is-latest-commit.yml
	if: github.event_name == 'push'

	check-changes-db-migration:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: &check_changes_secrets
	GHCR_READ_TOKEN: ${{ secrets.GHCR_READ_TOKEN }}
	permissions: &check_changes_permissions
	actions: 'read' # Required to read workflow run information
	contents: 'read' # Required to checkout repository code
	pull-requests: 'read' # Required to read pull request information
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/db-migration
	filters: \|
	db-migration:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/db-migration/**

	check-changes-gw-listener:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/gw-listener
	filters: \|
	gw-listener:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/gw-listener/**
	- coprocessor/fhevm-engine/Cargo.*

	check-changes-host-listener:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/host-listener
	filters: \|
	host-listener:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/host-listener/**
	- coprocessor/fhevm-engine/Cargo.*
	- host-contracts/contracts/*Events.sol
	- host-contracts/contracts/shared/**

	check-changes-sns-worker:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/sns-worker
	filters: \|
	sns-worker:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/sns-worker/**
	- coprocessor/fhevm-engine/Cargo.*

	check-changes-tfhe-worker:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/tfhe-worker
	filters: \|
	tfhe-worker:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/tfhe-worker/**
	- coprocessor/fhevm-engine/Cargo.*

	check-changes-tx-sender:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/tx-sender
	filters: \|
	tx-sender:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/transaction-sender/**
	- coprocessor/fhevm-engine/Cargo.*

	check-changes-zkproof-worker:
	uses: ./.github/workflows/check-changes-for-docker-build.yml
	if: github.event_name == 'push' \|\| inputs.is_workflow_call
	secrets: *check_changes_secrets
	permissions: *check_changes_permissions
	with:
	caller-workflow-event-name: ${{ github.event_name }}
	caller-workflow-event-before: ${{ github.event.before }}
	docker-image: fhevm/coprocessor/zkproof-worker
	filters: \|
	zkproof-worker:
	- .github/workflows/coprocessor-docker-build.yml
	- coprocessor/fhevm-engine/zkproof-worker/**
	- coprocessor/fhevm-engine/Cargo.*

	########################################################################
	# BUILD DECISIONS #
	# Centralizes all build/re-tag logic in one place for maintainability #
	########################################################################
	build-decisions:
	name: build-decisions
	runs-on: ubuntu-latest
	if: always()
	needs:
	- is-latest-commit
	- check-changes-db-migration
	- check-changes-gw-listener
	- check-changes-host-listener
	- check-changes-sns-worker
	- check-changes-tfhe-worker
	- check-changes-tx-sender
	- check-changes-zkproof-worker
	outputs:
	db_migration: ${{ steps.decide.outputs.db_migration }}
	gw_listener: ${{ steps.decide.outputs.gw_listener }}
	host_listener: ${{ steps.decide.outputs.host_listener }}
	sns_worker: ${{ steps.decide.outputs.sns_worker }}
	tfhe_worker: ${{ steps.decide.outputs.tfhe_worker }}
	tx_sender: ${{ steps.decide.outputs.tx_sender }}
	zkproof_worker: ${{ steps.decide.outputs.zkproof_worker }}
	steps:
	- id: decide
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
	env:
	EVENT_NAME: ${{ github.event_name }}
	NEEDS: ${{ toJSON(needs) }}
	INPUTS: ${{ toJSON(inputs) }}
	with:
	script: \|
	// Decision logic (returns: "build", "retag", or "skip"):
	// - release: always build
	// - push: only act if latest commit; build if changes, retag otherwise
	// - workflow_call: build if changes detected, otherwise skip
	// - workflow_dispatch: build if input is true, otherwise skip
	const event = process.env.EVENT_NAME;
	const needs = JSON.parse(process.env.NEEDS);
	const inputs = JSON.parse(process.env.INPUTS);
	const isLatestCommit = needs['is-latest-commit'].outputs?.is_latest === 'true';
	const isWorkflowCall = inputs.is_workflow_call ?? false;

	const decideAction = (changes, manualInput) => {
	if (event === 'release') return 'build';
	if (event === 'push') return isLatestCommit ? (changes ? 'build' : 'retag') : 'skip';
	if (isWorkflowCall) return changes ? 'build' : 'skip';
	if (!isWorkflowCall && event === 'workflow_dispatch') return manualInput ? 'build' : 'skip';
	return 'skip';
	};

	const services = {
	db_migration: { changes: needs['check-changes-db-migration'].outputs?.changes, build_input: inputs.build_db_migration },
	gw_listener: { changes: needs['check-changes-gw-listener'].outputs?.changes, build_input: inputs.build_gw_listener },
	host_listener: { changes: needs['check-changes-host-listener'].outputs?.changes, build_input: inputs.build_host_listener },
	sns_worker: { changes: needs['check-changes-sns-worker'].outputs?.changes, build_input: inputs.build_sns_worker },
	tfhe_worker: { changes: needs['check-changes-tfhe-worker'].outputs?.changes, build_input: inputs.build_tfhe_worker },
	tx_sender: { changes: needs['check-changes-tx-sender'].outputs?.changes, build_input: inputs.build_tx_sender },
	zkproof_worker: { changes: needs['check-changes-zkproof-worker'].outputs?.changes, build_input: inputs.build_zkproof_worker },
	};

	core.info(`Event: ${event}, Is latest commit: ${isLatestCommit}, Is workflow call: ${isWorkflowCall}`);
	for (const [name, { changes, build_input }] of Object.entries(services)) {
	const action = decideAction(changes === 'true', build_input ?? false);
	core.setOutput(name, action);
	core.info(`${name}: ${action} (changes: ${changes}, build_input: ${build_input})`);
	}

	########################################################################
	# DB MIGRATION #
	########################################################################
	build-db-migration:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-db-migration-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.db_migration == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	secrets: &docker_secrets
	AWS_ACCESS_KEY_S3_USER: ${{ secrets.AWS_ACCESS_KEY_S3_USER }}
	AWS_SECRET_KEY_S3_USER: ${{ secrets.AWS_SECRET_KEY_S3_USER }}
	BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
	CGR_USERNAME: ${{ secrets.CGR_USERNAME }}
	CGR_PASSWORD: ${{ secrets.CGR_PASSWORD }}
	permissions: &docker_permissions
	actions: 'read' # Required to read workflow run information
	contents: 'read' # Required to checkout repository code
	pull-requests: 'read' # Required to read pull request information
	attestations: 'write' # Required to create build attestations
	packages: 'write' # Required to publish Docker images
	id-token: 'write' # Required for OIDC authentication
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/db-migration"
	docker-file: "coprocessor/fhevm-engine/db-migration/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-db-migration"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-db-migration-image:
	needs: [build-decisions, check-changes-db-migration]
	if: always() && needs.build-decisions.outputs.db_migration == 'retag'
	permissions: &re-tag-image-permissions
	actions: 'read' # Required to read workflow run information
	contents: 'read' # Required to checkout repository code
	packages: 'write' # Required to publish Docker images
	id-token: 'write' # Required for OIDC authentication
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/db-migration"
	previous-tag-or-commit: ${{ needs.check-changes-db-migration.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# GATEWAY LISTENER #
	########################################################################
	build-gw-listener:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-gw-listener-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.gw_listener == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/gw-listener"
	docker-file: "./coprocessor/fhevm-engine/gw-listener/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-gw-listener"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-gw-listener-image:
	needs: [build-decisions, check-changes-gw-listener]
	if: always() && needs.build-decisions.outputs.gw_listener == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/gw-listener"
	previous-tag-or-commit: ${{ needs.check-changes-gw-listener.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# HOST LISTENER #
	########################################################################
	build-host-listener:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-host-listener-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.host_listener == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/host-listener"
	docker-file: "coprocessor/fhevm-engine/host-listener/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-host-listener"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-host-listener-image:
	needs: [build-decisions, check-changes-host-listener]
	if: always() && needs.build-decisions.outputs.host_listener == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/host-listener"
	previous-tag-or-commit: ${{ needs.check-changes-host-listener.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# SNS WORKER #
	########################################################################
	build-sns-worker:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-sns-worker-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.sns_worker == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/sns-worker"
	docker-file: "coprocessor/fhevm-engine/sns-worker/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-sns-worker"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-sns-worker-image:
	needs: [build-decisions, check-changes-sns-worker]
	if: always() && needs.build-decisions.outputs.sns_worker == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/sns-worker"
	previous-tag-or-commit: ${{ needs.check-changes-sns-worker.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# TFHE WORKER #
	########################################################################
	build-tfhe-worker:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-tfhe-worker-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.tfhe_worker == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/tfhe-worker"
	docker-file: "coprocessor/fhevm-engine/tfhe-worker/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-tfhe-worker"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-tfhe-worker-image:
	needs: [build-decisions, check-changes-tfhe-worker]
	if: always() && needs.build-decisions.outputs.tfhe_worker == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/tfhe-worker"
	previous-tag-or-commit: ${{ needs.check-changes-tfhe-worker.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# TRANSACTION SENDER #
	########################################################################
	build-tx-sender:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-tx-sender-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.tx_sender == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/tx-sender"
	docker-file: "./coprocessor/fhevm-engine/transaction-sender/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-tx-sender"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-tx-sender-image:
	needs: [build-decisions, check-changes-tx-sender]
	if: always() && needs.build-decisions.outputs.tx_sender == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/tx-sender"
	previous-tag-or-commit: ${{ needs.check-changes-tx-sender.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

	########################################################################
	# ZKPROOF WORKER #
	########################################################################
	build-zkproof-worker:
	needs: build-decisions
	concurrency:
	group: coprocessor-build-zkproof-worker-${{ github.ref_name }}
	cancel-in-progress: true
	if: always() && needs.build-decisions.outputs.zkproof_worker == 'build'
	uses: zama-ai/ci-templates/.github/workflows/common-docker.yml@3cf4c2b133947d29e7a313555638621f9ca0345c # v1.0.3
	permissions: *docker_permissions
	secrets: *docker_secrets
	with:
	use-cgr-secrets: true
	working-directory: "."
	image-name: "fhevm/coprocessor/zkproof-worker"
	docker-file: "coprocessor/fhevm-engine/zkproof-worker/Dockerfile"
	app-cache-dir: "fhevm-coprocessor-zkproof-worker"
	rust-toolchain-file-path: coprocessor/fhevm-engine/rust-toolchain.toml

	re-tag-zkproof-worker-image:
	needs: [build-decisions, check-changes-zkproof-worker]
	if: always() && needs.build-decisions.outputs.zkproof_worker == 'retag'
	permissions: *re-tag-image-permissions
	uses: ./.github/workflows/re-tag-docker-image.yml
	with:
	image-name: "fhevm/coprocessor/zkproof-worker"
	previous-tag-or-commit: ${{ needs.check-changes-zkproof-worker.outputs.base-commit }}
	new-tag-or-commit: ${{ github.event.after }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

coprocessor-docker-build #1068

Workflow file

coprocessor-docker-build #1068

Uh oh!

Workflow file for this run