From 06b60bfa1be0faa65e480903ed28aa556ae92bc8 Mon Sep 17 00:00:00 2001 From: mac Date: Wed, 9 Oct 2024 22:17:14 +0200 Subject: [PATCH] Update tee-cd.yml --- .github/workflows/tee-cd.yml | 127 +++++++++++++++++++---------------- 1 file changed, 69 insertions(+), 58 deletions(-) diff --git a/.github/workflows/tee-cd.yml b/.github/workflows/tee-cd.yml index 23397975fc..bdb25e6982 100644 --- a/.github/workflows/tee-cd.yml +++ b/.github/workflows/tee-cd.yml @@ -1,6 +1,14 @@ name: azure-tee-release -on: workflow_dispatch +on: + workflow_dispatch: + inputs: + ref: + description: 'git branch' + required: false + default: 'dev' + type: string + #on: # release: # types: [published] @@ -17,34 +25,21 @@ jobs: runs-on: [self-hosted, linux] outputs: teeport: ${{ steps.portbump.outputs.newport}} + deploy: ${{ steps.portbump.outputs.deploy}} steps: - name: checkout repository uses: actions/checkout@v4 - - name: apt - run: | - sudo apt-get update - sudo apt-get install -y jq - name: update caddyfile id: portbump env: - RELEASE_TAG: ${{ github.event.release.tag_name }} + RELEASE_TAG: ${{ github.event.release.tag_name || inputs.ref }} + run: | - NEXT_PORT=$(cd-scripts/azure/tee/updateproxy.sh 'cd-scripts/tee/azure/Caddyfile' $RELEASE_TAG) + NEXT_PORT=$(bash cd-scripts/tee/azure/updateproxy.sh 'cd-scripts/tee/azure/Caddyfile' $RELEASE_TAG) echo "newport=$NEXT_PORT" >> $GITHUB_OUTPUT - - name: Commit and push updated Caddyfile - env: - RELEASE_TAG: ${{ github.event.release.tag_name }} - run: | - handler=$RELEASE_TAG - if [ -z "${RELEASE_TAG}" ]; then - handler=dev - fi - git config user.name github-actions - git config user.email github-actions@github.com - git add . - git commit -m "azure tee release: ${handler}" - git push + - name: Deploy updated Caddyfile to server + if: ${{ steps.portbump.outputs.deploy == 'new' }} uses: appleboy/scp-action@v0.1.7 with: host: ${{ secrets.AZURE_TEE_PROD_HOST }} 
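Review bot: `$RELEASE_TAG` is passed to updateproxy.sh unquoted in the `update caddyfile` run step, and it now comes from the free-form `inputs.ref` dispatch input rather than only a release tag, so a value containing spaces or glob characters is word-split before the script sees it; write `NEXT_PORT=$(bash cd-scripts/tee/azure/updateproxy.sh 'cd-scripts/tee/azure/Caddyfile' "$RELEASE_TAG")`. The new `deploy` job output reads `steps.portbump.outputs.deploy`, but the visible step script only writes `newport=` to `$GITHUB_OUTPUT`; presumably updateproxy.sh appends a `deploy=` line itself, which deserves a comment on the output line such as `# written by updateproxy.sh via $GITHUB_OUTPUT`. The input is described as 'git branch', yet the `checkout repository` step runs `actions/checkout@v4` with no `ref:`, so the input only reaches the Caddyfile script and not the checked-out tree; if that branch is meant to be built, pass it to checkout as well. The `update-reverse-proxy` job starts before this hunk.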
@@ -54,6 +49,8 @@ jobs: target: "~/" - name: Reload Caddy on server + if: ${{ steps.portbump.outputs.deploy == 'new' }} + uses: appleboy/ssh-action@v1.0.3 with: host: ${{ secrets.AZURE_TEE_PROD_HOST }} 
@@ -95,44 +92,16 @@ jobs: - name: reverse proxy port run: echo "${{needs.update-reverse-proxy.outputs.teeport}}" | tee >> $GITHUB_STEP_SUMMARY - - name: get measurement - working-directory: ${{ github.workspace }}/crates/notary/server/fixture/tee + - name: get hardware measurement + working-directory: ${{ github.workspace }}/crates/notary/server/tee run: | - curl https://sh.rustup.rs -sSf | sh -s -- -y - . "$HOME/.cargo/env" - apt install libssl-dev - gramine-sgx-gen-private-key - make - gramine-sgx-sign -m notary-server.manifest -o notary-server.sgx - mr_enclave=$(gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig |jq .mr_enclave) - echo "mrenclave=$mr_enclave" >> "$GITHUB_OUTPUT" - echo "#### sgx mrenclave" | tee >> $GITHUB_STEP_SUMMARY - echo "\`\`\`${mr_enclave}\`\`\`" | tee >> $GITHUB_STEP_SUMMARY - - - name: get quote from notary - working-directory: ${{ github.workspace }}/crates/notary/server/fixture/tee - id: attestation - run: | - SGX=1 make - gramine-sgx-sign -m notary-server.manifest -o notary-server.sgx - : # set up the fs like the hosted notary docker container: - mkdir config && cp config.yaml config && mkdir /tee && cp -R ../tee/* /tee/ && cd /tee && - : # invoke sgx (use gramine-direct to emulate sgx hardware): - gramine-sgx notary-server & - sleep 5 - quote=$(curl 127.0.0.1:7047/info | jq .quote.rawQuote) - echo $quote - echo "quote=$quote" >> $GITHUB_OUTPUT - echo "#### 🔒 signed quote ${quote}" | tee >> $GITHUB_STEP_SUMMARY - echo "${quote}" | tee >> $GITHUB_STEP_SUMMARY - - + bash .github/scripts/gramine.sh sgx + artifact-deploy: + if: ${{needs.update-reverse-proxy.outputs.deploy == 'new' }} environment: tee runs-on: [self-hosted, linux] needs: [ build-measure, update-reverse-proxy ] - # outputs: - # result: ${{ steps.artifact.outputs.hash}} steps: - name: auth to registry uses: docker/login-action@v3 
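Review bot: The `get hardware measurement` step sets `working-directory` to `crates/notary/server/tee` and then runs `bash .github/scripts/gramine.sh sgx`, so the script path is resolved relative to that directory rather than the repository root; unless a copy of the script lives under the tee directory, the step fails at runtime. Use `bash ${{ github.workspace }}/.github/scripts/gramine.sh sgx` instead. The removed steps exposed `mrenclave` and `quote` outputs under `id: attestation`, while the replacement step has no `id:`, so if gramine.sh writes measurement values to `$GITHUB_OUTPUT` nothing downstream can reference them; a one-line comment stating what gramine.sh produces (summary lines, step outputs, or both) would help the next reader. The `build-measure` job starts before this hunk.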
@@ -159,16 +128,58 @@ jobs: name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build and push - - uses: docker/build-push-action@v6 with: - context: ${{ github.workspace }}/crates/notary/server/fixture/tee - # testing: - push: ${{ github.actor == 'maceip' }} + context: ${{ github.workspace }}/crates/notary/server/tee + push: true tags: notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} labels: ${{needs.update-reverse-proxy.outputs.teeport}} - name: run run: | docker run --device /dev/sgx_enclave --device /dev/sgx_provision --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p ${{needs.update-reverse-proxy.outputs.teeport}}:7047 notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} & + + artifact-reload: + if: ${{needs.update-reverse-proxy.outputs.deploy != 'new' }} + environment: tee + runs-on: [self-hosted, linux] + needs: [ build-measure, update-reverse-proxy ] + steps: + - name: auth to registry + uses: docker/login-action@v3 + with: + registry: notaryserverbuilds.azurecr.io + username: notaryserverbuilds + password: ${{ secrets.AZURE_CR_BUILDS_PW }} + - name: get code + uses: actions/checkout@v4 + with: + repository: tlsnotary/tlsn + ref: quote-presentation + - name: sccache + if: github.event_name != 'release' + # && github.event_name != 'workflow_dispatch' + uses: mozilla-actions/sccache-action@v0.0.6 + - name: set rust env for scc + if: github.event_name != 'release' + # && github.event_name != 'workflow_dispatch' + run: | + echo "SCCACHE_GHA_ENABLED=true" >> $GITHUB_ENV + echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV + - + name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: ${{ github.workspace }}/crates/notary/server/tee + push: true + tags: notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} + labels: ${{needs.update-reverse-proxy.outputs.teeport}} + - name: run + run: | + 
old=$($ docker ps --filter "name=${{needs.update-reverse-proxy.outputs.teeport}}") + docker rm -f $old + docker run --name ${{needs.update-reverse-proxy.outputs.teeport}} --device /dev/sgx_enclave --device /dev/sgx_provision --volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -p ${{needs.update-reverse-proxy.outputs.teeport}}:7047 notaryserverbuilds.azurecr.io/prod/notary-sgx:${{ env.GIT_COMMIT_HASH }} & + +
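Review bot: The `run` step of the new `artifact-reload` job has a stray `$` inside the command substitution, `old=$($ docker ps --filter ...)`, so bash tries to execute a command named `$`, `old` ends up empty, and `docker rm -f $old` then fails with no arguments; `docker ps` without `-q` would also return the whole table rather than a container id. Replace the two lines with `old=$(docker ps -aq --filter "name=^${{needs.update-reverse-proxy.outputs.teeport}}$")` and `[ -z "$old" ] || docker rm -f $old`. The unchanged `run` step of `artifact-deploy` earlier in this hunk starts its container without `--name`, so a container created by a first deploy would not be found by this filter on a later reload; presumably both steps should pass the same `--name`. The `artifact-reload` job otherwise appears to repeat `artifact-deploy` step for step, which could be one job with the two `run` steps conditioned on `needs.update-reverse-proxy.outputs.deploy`.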