ci: add workflows to build OCI images (#9)

jbern0rd · web-flow · commit 91d01df82302 · 2025-09-12T09:30:49.000+02:00
diff --git a/.cargo/config.toml b/.cargo/config.toml
@@ -0,0 +1,2 @@
+[build]
+rustflags = ["-C", "target-feature=-crt-static"]
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -4,6 +4,7 @@ on:
   pull_request:
   push:
     branches: [main]
+  workflow_dispatch:
 
 jobs:
   build-and-test:
@@ -13,3 +14,71 @@ jobs:
       working-directory: "."
       enable-cache: true
       publish-crates-io: false
+
+  prepare:
+    name: Determine image tag
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    if: |
+      github.ref_name == 'main' ||
+      startsWith(github.head_ref, 'feature/') ||
+      startsWith(github.head_ref, 'bugfix/') ||
+      (github.event_name == 'workflow_dispatch' && (startsWith(github.ref_name, 'feature/') || startsWith(github.ref_name, 'bugfix/')))
+    outputs:
+      image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+    steps:
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ] ; then
+            SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
+          else
+            SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+          fi
+
+          if [ "${{ github.ref_name }}" = "main" ] ; then
+            echo "Processing main branch"
+            echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+          else
+            # This covers feature/ and bugfix/ branches
+            echo "Processing feature/bugfix branch ${{ github.head_ref }}"
+            echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT
+          fi
+
+  post-compute-oci-image:
+    name: post-compute OCI image
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-post-compute-rust
+      image-tag: ${{ needs.prepare.outputs.image_tag }}
+      dockerfile: post-compute/Dockerfile
+      context: .
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+      platforms: linux/amd64
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
+
+  pre-compute-oci-image:
+    name: pre-compute OCI image
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
+      image-tag: ${{ needs.prepare.outputs.image_tag }}
+      dockerfile: pre-compute/Dockerfile
+      context: .
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+      platforms: linux/amd64
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/.github/workflows/docker-build-on-tag.yaml b/.github/workflows/docker-build-on-tag.yaml
@@ -0,0 +1,72 @@
+name: Build and Push Release Image
+
+on:
+  push:
+    tags:
+      - 'tee-worker-post-compute-v*.*.*'
+      - 'tee-worker-pre-compute-v*.*.*'
+
+jobs:
+  prepare:
+    name: Determine image tag
+    runs-on: ubuntu-latest
+    outputs:
+      dockerfile: ${{ steps.determine-tag.outputs.dockerfile }}
+      image_name: ${{ steps.determine-tag.outputs.image_name }}
+      image_tag: ${{ steps.determine-tag.outputs.image_tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag
+          TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+          if [ -z "$TAG_ON_MAIN" ] ; then
+            echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+            echo "Tags must be created on main branch to generate X.Y.Z image tags"
+            exit 1
+          fi
+
+          GITHUB_REF_NAME="${{ github.ref_name }}"
+          echo "Processing tag on main branch: ${{ github.ref_name }}"
+
+          case "$GITHUB_REF_NAME" in
+            tee-worker-post-compute-v*)
+              echo "dockerfile=post-compute/Dockerfile" | tee -a $GITHUB_OUTPUT
+              echo "image_name=tee-worker-post-compute-rust" | tee -a $GITHUB_OUTPUT
+              echo "image_tag=${GITHUB_REF_NAME#tee-worker-post-compute-v}" | tee -a $GITHUB_OUTPUT
+            ;;
+            tee-worker-pre-compute-v*)
+              echo "dockerfile=pre-compute/Dockerfile" | tee -a $GITHUB_OUTPUT
+              echo "image_name=tee-worker-pre-compute-rust" | tee -a $GITHUB_OUTPUT
+              echo "image_tag=${GITHUB_REF_NAME#tee-worker-pre-compute-v}" | tee -a $GITHUB_OUTPUT
+            ;;
+            *)
+              echo "Error: Unsupported tag ${{ github.ref_name }}"
+              exit 1
+            ;;
+          esac
+
+  build-oci-image:
+    name: Build OCI image
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0
+    with:
+      image-name: docker-regis.iex.ec/${{ needs.prepare.outputs.image_name }}
+      image-tag: ${{ needs.prepare.outputs.image_tag }}
+      dockerfile: ${{ needs.prepare.outputs.dockerfile }}
+      context: .
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+      platforms: linux/amd64
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/post-compute/Dockerfile b/post-compute/Dockerfile
@@ -0,0 +1,26 @@
+FROM rust:1.88-alpine3.22 AS builder
+
+# Install build dependencies with pinned versions
+RUN apk add --no-cache musl-dev=1.2.5-r10 openssl-dev=3.5.2-r0
+
+WORKDIR /app
+
+# Copy manifest and source files
+COPY . .
+
+# Build the application
+RUN cargo build --release --bin tee-worker-post-compute
+
+FROM alpine:3.22
+
+# Install required runtime dependencies with pinned versions
+RUN apk add --no-cache libgcc=14.2.0-r6
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder stage
+COPY --from=builder /app/target/release/tee-worker-post-compute .
+
+# Run the application
+ENTRYPOINT ["/app/tee-worker-post-compute"]
diff --git a/pre-compute/Dockerfile b/pre-compute/Dockerfile
@@ -0,0 +1,26 @@
+FROM rust:1.88-alpine3.22 AS builder
+
+# Install build dependencies with pinned versions
+RUN apk add --no-cache musl-dev=1.2.5-r10 openssl-dev=3.5.2-r0
+
+WORKDIR /app
+
+# Copy manifest and source files
+COPY . .
+
+# Build the application
+RUN cargo build --release --bin tee-worker-pre-compute
+
+FROM alpine:3.22
+
+# Install required runtime dependencies with pinned versions
+RUN apk add --no-cache libgcc=14.2.0-r6
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder stage
+COPY --from=builder /app/target/release/tee-worker-pre-compute .
+
+# Run the application
+ENTRYPOINT ["/app/tee-worker-pre-compute"]

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+[build]`
	`2`	`+rustflags = ["-C", "target-feature=-crt-static"]`