diff --git a/.github/workflows/common-docker.yml b/.github/workflows/common-docker.yml
new file mode 100644
index 00000000..9a35f04c
--- /dev/null
+++ b/.github/workflows/common-docker.yml
@@ -0,0 +1,167 @@
+name: Docker Build and Push
+
+on:
+ workflow_call:
+ secrets:
+ BLOCKCHAIN_ACTIONS_TOKEN:
+ required: true
+ GRAVITON_BUILDER_SSH_PRIVATE_KEY:
+ required: true
+ inputs:
+ ref:
+ type: string
+ required: false
+ default: ""
+ working-directory:
+ type: string
+ required: true
+ docker-context:
+ type: string
+ required: false
+ default: "."
+ image-name:
+ type: string
+ required: true
+ image-dev-name:
+ type: string
+ required: false
+ image-dev-description:
+ type: string
+ required: false
+ push_image:
+ type: boolean
+ default: true
+ required: false
+ runs_on:
+ type: string
+ required: false
+ default: "ubuntu-latest"
+ generate-dev-image:
+ type: boolean
+ default: false
+ required: false
+ docker-file:
+ type: string
+ default: "ci.dockerfile"
+ required: false
+ docker-file-dev:
+ type: string
+ default: "dev.dockerfile"
+ required: false
+ graviton-build-host:
+ type: string
+ required: false
+ default: "ec2-15-188-101-126.eu-west-3.compute.amazonaws.com"
+ arm-build:
+ type: boolean
+ default: true
+ required: false
+ cache-from:
+ type: string
+ required: false
+ default: "type=gha"
+ cache-to:
+ type: string
+ required: false
+ default: "type=gha,mode=max"
+ outputs:
+ image_name:
+ description: "Image Name with Tag generated by this task"
+ value: "${{ jobs.build-and-push-docker.outputs.image_name }}"
+
+jobs:
+ build-and-push-docker:
+ runs-on: ${{ inputs.runs_on }}
+ outputs:
+ image_name: ${{ steps.export-image.outputs.image }}
+ env:
+ HOME: ${{ inputs.runs_on != 'ubuntu-latest' && '/root' || '/home/runner' }}
+ steps:
+ - name: Checkout Project
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Set up SSH
+ if: inputs.arm-build
+ uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0
+ with:
+ host: ${{ inputs.graviton-build-host }}
+ private-key: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+ private-key-name: docker_builder_arm
+
+ - name: Set up Docker Buildx
+ if: inputs.arm-build
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ with:
+ platforms: linux/amd64,linux/arm64
+ append: |
+ - endpoint: "ssh://ec2-user@${{ inputs.graviton-build-host }}"
+ platforms: linux/arm64
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Echo github event
+ run: echo "Github event ==> ${{ github.event_name }}"
+
+ - name: Current branch sha
+ if: github.event_name != 'release'
+ run: |
+ echo "DOCKER_TAG_IMAGE=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
+ - name: Current Tag
+ if: github.event_name == 'release'
+ run: |
+ echo "DOCKER_TAG_IMAGE=${{ github.ref_name }}" >> "$GITHUB_ENV"
+
+ - name: Docker Build and Push
+ uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+ with:
+ context: ${{ inputs.docker-context }}
+ platforms: linux/amd64,linux/arm64
+ build-args: |
+ BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+ file: ${{ inputs.working-directory }}/operations/docker/${{ inputs.docker-file }}
+ push: ${{ inputs.push_image }}
+ pull: false
+ tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }},ghcr.io/zama-ai/${{ inputs.image-name }}:latest
+ cache-from: ${{ inputs.cache-from }}
+ cache-to: ${{ inputs.cache-to }}
+
+ - name: Extract Docker metadata
+ if: ${{ inputs.generate-dev-image }}
+ id: meta
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ with:
+ annotations: |
+ org.opencontainers.image.description="${{ inputs.image-dev-description }}"
+ labels: |
+ zama.fhevm.version=${{ env.DOCKER_TAG_IMAGE }}
+ zama.fhevm.description="${{ inputs.image-dev-description }}"
+ images: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{ env.DOCKER_TAG_IMAGE }}
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+
+ - name: Docker Build and Push Dev Image
+ if: ${{ inputs.generate-dev-image }}
+ uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+ timeout-minutes: 360
+ with:
+ context: ${{ inputs.docker-context }}
+ platforms: linux/amd64,linux/arm64
+ build-args: |
+ BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+ file: ${{ inputs.working-directory }}/operations/docker/${{ inputs.docker-file-dev }}
+ push: ${{ inputs.push_image }}
+ pull: false
+ tags: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}},ghcr.io/zama-ai/${{ inputs.image-dev-name }}:latest
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+
+ - name: Export image name
+ id: export-image
+ run: echo "image=ghcr.io/zama-ai/${{inputs.image-name}}:${{env.DOCKER_TAG_IMAGE}}" >> "${GITHUB_OUTPUT}"
diff --git a/.github/workflows/fhevm-smart-contracts.yml b/.github/workflows/fhevm-smart-contracts.yml
new file mode 100644
index 00000000..0bf5c722
--- /dev/null
+++ b/.github/workflows/fhevm-smart-contracts.yml
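Review bot: `BLOCKCHAIN_ACTIONS_TOKEN` is passed through `build-args:` in both `docker/build-push-action` steps; a build arg consumed by a Dockerfile instruction is recorded in the image's build history, so this is the wrong channel for a secret — use the action's `secrets:` input (`secrets: |` followed by `BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}`) and read it in the Dockerfile with `RUN --mount=type=secret,id=BLOCKCHAIN_ACTIONS_TOKEN`. Neither `ci.dockerfile` nor `dev.dockerfile` in this commit declares a matching `ARG`, so the value is currently unused and the exposure is latent rather than present. The `Current Tag` step expands `${{ github.ref_name }}` inside `run:`; a tag name can carry shell metacharacters, so route it through `env:` (`env: { REF_NAME: ${{ github.ref_name }} }`) and write `echo "DOCKER_TAG_IMAGE=$REF_NAME" >> "$GITHUB_ENV"`. Two consistency points: the `ref` input is declared but the checkout step never passes it, and both build steps request `linux/amd64,linux/arm64` unconditionally while the SSH and buildx setup are gated on `inputs.arm-build`, so a caller with `arm-build: false` will presumably fail on the arm64 build.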
@@ -0,0 +1,36 @@
+name: "fhEVM smart contracts Docker image"
+
+on:
+ push:
+ branches: ["main"]
+
+jobs:
+ docker-smart-contracts:
+ uses: ./.github/workflows/common-docker.yml
+ permissions:
+ contents: "read"
+ id-token: "write"
+ packages: "write"
+ with:
+ working-directory: "."
+ push_image: true
+ image-name: "fhevm-smart-contracts"
+ image-dev-name: "fhevm-smart-contracts-dev"
+ generate-dev-image: true
+ docker-file: "ci.dockerfile"
+ docker-file-dev: "dev.dockerfile"
+ image-dev-description: "fhEVM smart contracts dev Image"
+ arm-build: true
+
+ secrets:
+ BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+ GRAVITON_BUILDER_SSH_PRIVATE_KEY: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+
+ done:
+ runs-on: ubuntu-latest
+ name: Pipeline Done
+ steps:
+ - name: Success
+ run: echo Pipeline Done
+ needs:
+ - docker-smart-contracts
diff --git a/operations/docker/ci.dockerfile b/operations/docker/ci.dockerfile
new file mode 100644
index 00000000..e5360aaf
--- /dev/null
+++ b/operations/docker/ci.dockerfile
@@ -0,0 +1,16 @@
+FROM node:20
+
+# Set the working directory inside the container
+WORKDIR /app
+COPY package.json ./
+
+# Install the dependencies
+RUN npm install
+
+COPY .env.example.deployment ./
+COPY lib ./lib/
+COPY tasks ./tasks/
+COPY gateway ./gateway/
+COPY *.sh ./
+COPY *.ts ./
+COPY tsconfig.json ./
\ No newline at end of file
diff --git a/operations/docker/dev.dockerfile b/operations/docker/dev.dockerfile
new file mode 100644
index 00000000..eff60413
--- /dev/null
+++ b/operations/docker/dev.dockerfile
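Review bot: `id-token: "write"` in the `permissions` block of `docker-smart-contracts` is not needed by anything the called workflow does — no step in `common-docker.yml` requests an OIDC token, and the registry login uses `GITHUB_TOKEN` — so it should be dropped to keep the job at least privilege, leaving `contents: "read"` and `packages: "write"`. Because the only trigger is `push` to `main`, the `github.event_name == 'release'` tagging path in the called workflow is unreachable from this caller and every image is tagged with the short SHA and `latest`; a comment stating that this is intended would help the next reader. Style: in the `done` job, `needs:` reads better placed with the other job-level keys before `steps:`.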
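Review bot: `COPY package.json ./` followed by `RUN npm install` installs dependencies without a lockfile, so each build may resolve different dependency versions from what was reviewed in the repository; copy `package-lock.json` alongside `package.json` and use `RUN npm ci` instead, assuming the project commits a lockfile (not visible in this diff). `FROM node:20` is a mutable tag, so pinning a digest (`FROM node:20@sha256:<digest>`, placeholder) makes the base image reproducible and lets updates be reviewed explicitly. The same two points apply to `dev.dockerfile` in this commit, which repeats this prelude verbatim.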
@@ -0,0 +1,27 @@
+FROM node:20
+
+# Set the working directory inside the container
+WORKDIR /app
+COPY package.json ./
+
+# Install the dependencies
+RUN npm install
+
+COPY .env.example.deployment ./
+COPY lib ./lib/
+COPY tasks ./tasks/
+COPY gateway ./gateway/
+COPY *.sh ./
+COPY *.ts ./
+COPY tsconfig.json ./
+
+RUN cp .env.example.deployment .env
+RUN ./precompute-addresses.sh
+
+RUN npx hardhat clean
+
+RUN PRIVATE_KEY_FHEVM_DEPLOYER=$(grep PRIVATE_KEY_FHEVM_DEPLOYER .env | cut -d '"' -f 2)
+RUN NUM_KMS_SIGNERS=$(grep NUM_KMS_SIGNERS .env | cut -d '"' -f 2)
+
+RUN npx hardhat compile:specific --contract lib
+RUN npx hardhat compile:specific --contract gateway
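Review bot: The two lines `RUN PRIVATE_KEY_FHEVM_DEPLOYER=$(…)` and `RUN NUM_KMS_SIGNERS=$(…)` have no effect on the image — each `RUN` executes in its own shell and the assignment is discarded when that shell exits — so the later `npx hardhat compile:specific` steps never see these values. If they are meant to be available at build time, put the assignment in the same `RUN` as the consumer (`RUN NUM_KMS_SIGNERS=$(grep NUM_KMS_SIGNERS .env | cut -d '"' -f 2) npx hardhat compile:specific --contract lib`) or declare them with `ENV` if they are safe to persist; if they were only meant to assert the keys exist, note that `cut` is the last command in the pipeline, so a missing key still exits 0 and nothing is asserted. `RUN cp .env.example.deployment .env` leaves a `.env` holding `PRIVATE_KEY_FHEVM_DEPLOYER` in an image that the workflow pushes to ghcr.io; this is presumably a public example key, but a comment such as `# .env.example.deployment holds test-only keys; this image is published, never point it at a real deployment key` would make that invariant explicit.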