From 3c383db53b6dffda4a4d9eaacdfe45f89b85aaf3 Mon Sep 17 00:00:00 2001 From: Jeremy Bernard Date: Mon, 4 May 2026 15:30:41 +0200 Subject: [PATCH 1/2] fix: remove sconification steps --- .github/workflows/docker-build.yaml | 56 ++-------------- .github/workflows/sconify-release.yaml | 89 -------------------------- 2 files changed, 6 insertions(+), 139 deletions(-) delete mode 100644 .github/workflows/sconify-release.yaml diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml index 2886819..cc09f9a 100644 --- a/.github/workflows/docker-build.yaml +++ b/.github/workflows/docker-build.yaml @@ -19,7 +19,7 @@ jobs: image_tag: ${{ steps.determine-tag.outputs.image_tag }} steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 @@ -51,7 +51,7 @@ jobs: echo "image_tag=dev-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT else # This covers other branches - echo "Processing feature/bugfix branch ${{ github.head_ref }}" + echo "Processing feat/fix branch ${{ github.head_ref }}" echo "image_tag=feature-${SHORT_SHA}" | tee -a $GITHUB_OUTPUT fi fi @@ -59,7 +59,7 @@ jobs: build-oci-image: name: Build OCI image needs: prepare - uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v2.4.0 + uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@docker-build-v3.3.0 with: image-name: docker-regis.iex.ec/python-hello-world image-tag: ${{ needs.prepare.outputs.image_tag }} 
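Review bot: The reworded `echo` in the second hunk (`@@ -51,7 +51,7 @@`) still expands `${{ github.head_ref }}` directly inside the `run:` script, so the branch name is pasted into the shell source before the shell parses it. On pull-request events that name is chosen by the contributor, which makes this a script-injection point in the job that computes the image tag; whether this workflow runs on `pull_request` is not visible here. Pass the value through the environment instead: add `env:` with `HEAD_REF: ${{ github.head_ref }}` to the step and print `echo "Processing feat/fix branch ${HEAD_REF}"`. The step begins above the hunk, so the `env:` key belongs on lines outside it.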
@@ -70,53 +70,9 @@ jobs: security-scan: true security-report: "sarif" hadolint: true - platforms: linux/amd64 + platform: linux/amd64 secrets: + dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }} + dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN_PULL_ONLY }} username: ${{ secrets.NEXUS_USERNAME }} password: ${{ secrets.NEXUS_PASSWORD }} - - build-tee-image: - name: Build TEE image - needs: [prepare, build-oci-image] - runs-on: ubuntu-latest - env: - native_image: docker-regis.iex.ec/python-hello-world - enclave_image: docker-regis.iex.ec/python-hello-world-unlocked - sconify_image: registry.scontain.com/scone-debug/iexec-sconify-image-unlocked - sconify_version: 5.9.1 - steps: - - name: Login to Scontain registry - uses: docker/login-action@v3 - with: - registry: registry.scontain.com - username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }} - password: ${{ secrets.SCONTAIN_REGISTRY_PAT }} - - name: Login to Docker regis - uses: docker/login-action@v3 - with: - registry: docker-regis.iex.ec - username: ${{ secrets.NEXUS_USERNAME }} - password: ${{ secrets.NEXUS_PASSWORD }} - - name: Pull sconification tools - run: docker pull $sconify_image:$sconify_version - - name: Pull native image - run: docker pull $native_image:${{ needs.prepare.outputs.image_tag }} - - name: Sconify - run: | - IMG_FROM=$native_image:${{ needs.prepare.outputs.image_tag }} - IMG_TO=$enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug - SCONE_IMAGE=$sconify_image:$sconify_version - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCONE_IMAGE \ - sconify_iexec --cli=$SCONE_IMAGE --crosscompiler=$SCONE_IMAGE \ - --from=$IMG_FROM --to=$IMG_TO --binary-fs --fs-dir=/app --binary=/usr/local/bin/python3.7 \ - --heap=1G --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose - echo - docker run --rm -e SCONE_HASH=1 $IMG_TO - - name: Push TEE image - run: docker push $enclave_image:${{ needs.prepare.outputs.image_tag 
}}-sconify-$sconify_version-debug - - name: Clean OCI images - run: | - docker image rm -f \ - $native_image:${{ needs.prepare.outputs.image_tag }} \ - $enclave_image:${{ needs.prepare.outputs.image_tag }}-sconify-$sconify_version-debug \ - $sconify_image:$sconify_version diff --git a/.github/workflows/sconify-release.yaml b/.github/workflows/sconify-release.yaml deleted file mode 100644 index 8165f8c..0000000 --- a/.github/workflows/sconify-release.yaml +++ /dev/null 
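Review bot: The added `dockerhub-username` and `dockerhub-password` secrets are handed, together with the Nexus credentials, to a reusable workflow that the previous hunk references by tag (`@docker-build-v3.3.0`). A tag can be moved after review, and whatever it then points at runs with all four secrets. Pin the reference to the full commit SHA and keep the tag as a trailing comment, e.g. `uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@<full-commit-sha> # docker-build-v3.3.0`. The `platforms` to `platform` rename should also be checked against the inputs that release declares, which are not visible here.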
@@ -1,89 +0,0 @@ -name: Sconify and push TEE image - -on: - workflow_dispatch: - inputs: - sconify_version: - default: 5.9.1-v16 - required: true - -jobs: - prepare: - name: Determine image tag - if: github.repository_owner == 'iExecBlockchainComputing' - runs-on: ubuntu-latest - outputs: - image_tag: ${{ steps.determine-tag.outputs.image_tag }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Determine base tag - id: determine-tag - run: | - if [ "${{ github.ref_type }}" != "tag" ]; then - echo "Error: This workflow must be run on a tag" - echo "Current ref type: ${{ github.ref_type }}" - echo "Current ref: ${{ github.ref }}" - exit 1 - fi - - TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main') - - if [ -z "$TAG_ON_MAIN" ] ; then - echo "Error: Tag ${{ github.ref_name }} is not on main branch" - echo "Tags must be created on main branch to generate X.Y.Z image tags" - exit 1 - fi - - GITHUB_REF_NAME="${{ github.ref_name }}" - echo "Processing tag on main branch: ${{ github.ref_name }}" - echo "image_tag=${GITHUB_REF_NAME#v}" | tee -a $GITHUB_OUTPUT - - build-tee-image: - name: Sconify TEE image - needs: prepare - runs-on: ubuntu-latest - env: - IMG_FROM: docker-regis.iex.ec/python-hello-world:${{ needs.prepare.outputs.image_tag }} - IMG_TO: docker-regis.iex.ec/python-hello-world:${{ needs.prepare.outputs.image_tag }}-sconify-${{ inputs.sconify_version }}-production - SCONIFY_IMAGE: registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify_version }} - steps: - - name: Login to Scontain registry - uses: docker/login-action@v3 - with: - registry: registry.scontain.com - username: ${{ secrets.SCONTAIN_REGISTRY_USERNAME }} - password: ${{ secrets.SCONTAIN_REGISTRY_PAT }} - - name: Login to Docker regis - uses: docker/login-action@v3 - with: - registry: docker-regis.iex.ec - username: ${{ secrets.NEXUS_USERNAME }} - password: ${{ secrets.NEXUS_PASSWORD }} - - name: Pull 
sconification tools - run: docker pull ${{ env.SCONIFY_IMAGE }} - - name: Pull native image - run: docker pull ${{ env.IMG_FROM }} - - name: Sconify - run: | - TEMP_KEY=$(mktemp) - echo "${{ secrets.SCONIFY_SIGNING_PRIVATE_KEY }}" > "$TEMP_KEY" - chmod 600 "$TEMP_KEY" - trap "rm -f $TEMP_KEY" EXIT - - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$TEMP_KEY:/sig.pem:ro" ${{ env.SCONIFY_IMAGE }} \ - sconify_iexec --cli=${{ env.SCONIFY_IMAGE }} --crosscompiler=${{ env.SCONIFY_IMAGE }} \ - --from=${{ env.IMG_FROM }} --to=${{ env.IMG_TO }} --binary-fs --fs-dir=/app --binary=/usr/local/bin/python3.7 \ - --heap=1G --host-path=/etc/hosts --host-path=/etc/resolv.conf --no-color --verbose \ - --scone-signer=/sig.pem - echo - docker run --rm -e SCONE_HASH=1 ${{ env.IMG_TO }} - - name: Push TEE image - run: docker push ${{ env.IMG_TO }} - - name: Clean OCI images - if: always() - run: docker image rm -f ${{ env.IMG_FROM }} ${{ env.IMG_TO }} ${{ env.SCONIFY_IMAGE }} - From 605c81344de19c526ba81b88ae907730493b6af0 Mon Sep 17 00:00:00 2001 From: Jeremy Bernard Date: Mon, 4 May 2026 16:06:55 +0200 Subject: [PATCH 2/2] fix: upgrade to Python 3.13 --- cloud-computing/Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cloud-computing/Dockerfile b/cloud-computing/Dockerfile index da4ef5f..51d7b08 100644 --- a/cloud-computing/Dockerfile +++ b/cloud-computing/Dockerfile @@ -1,6 +1,7 @@ -FROM python:3.7-alpine3.10 +FROM python:3.13-alpine3.23 + +RUN apk upgrade --no-cache -### install needed python3 dependencies RUN pip3 install pyfiglet COPY ./src /app
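Review bot: The added `RUN apk upgrade --no-cache` and the unpinned `RUN pip3 install pyfiglet` make the image contents depend on whatever the package indexes serve at build time, and the build workflow in patch 1 runs with `hadolint: true`, whose default rules flag both (DL3017 for `apk upgrade`, DL3013 and DL3042 for the pip line). Pin the dependency and skip the pip cache: `RUN pip3 install --no-cache-dir pyfiglet==<pinned-version>`. If `apk upgrade` is kept deliberately to pick up fixes ahead of the base image, say so with `# hadolint ignore=DL3017` and a reason on the line above; otherwise rely on a refreshed base, optionally pinned as `FROM python:3.13-alpine3.23@sha256:<digest>`. The commit also drops the `### install needed python3 dependencies` comment; a short `# Python runtime dependencies` above the pip line keeps the layer's purpose readable. The Dockerfile may continue past the end of the hunk.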