From f59153b0a07ce8c428d9b4f0094e74cc471b89e9 Mon Sep 17 00:00:00 2001
From: Hendrik Eeckhaut
Date: Thu, 20 Feb 2025 11:58:13 +0100
Subject: [PATCH] ci: fix TEE deployments (#686)

* do not run tee-deployments builds for PR builds
* Remove AWS deployment scripts
* added missing timeout parameter to TEE config
---
 .github/scripts/build-server.sh | 12 ---
 .github/scripts/deploy-server.sh | 27 -------
 .github/scripts/modify-proxy.sh | 33 --------
 .github/workflows/cd-server.yml | 86 ---------------------
 .github/workflows/ci.yml | 9 +--
 .github/workflows/rustdoc.yml | 1 -
 .github/workflows/tee-ci.yml | 7 +-
 crates/notary/server/tee/config/config.yaml | 1 +
 8 files changed, 4 insertions(+), 172 deletions(-)
 delete mode 100755 .github/scripts/build-server.sh
 delete mode 100755 .github/scripts/deploy-server.sh
 delete mode 100755 .github/scripts/modify-proxy.sh
 delete mode 100644 .github/workflows/cd-server.yml
diff --git a/.github/scripts/build-server.sh b/.github/scripts/build-server.sh
deleted file mode 100755
index 16ebcf0eb..000000000
--- a/.github/scripts/build-server.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# https://github.com/tlsnotary/tlsn/pull/419
-set -ex
-
-environment=$1
-
-aws s3 sync .git s3://tlsn-deploy/$environment/.git --delete
-
-cargo build -p notary-server --release
-aws s3 cp ./target/release/notary-server s3://tlsn-deploy/$environment/
-
-exit 0
diff --git a/.github/scripts/deploy-server.sh b/.github/scripts/deploy-server.sh
deleted file mode 100755
index ff86ca174..000000000
--- a/.github/scripts/deploy-server.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-set -ex
-
-environment=$1
-branch=$2
-
-INSTANCE_ID=$(aws ec2 describe-instances --filters Name=tag:Name,Values=[tlsnotary-backend-v1] Name=instance-state-name,Values=[running] --query "Reservations[*].Instances[*][InstanceId]" --output text)
-aws ec2 create-tags --resources $INSTANCE_ID --tags "Key=$environment,Value=$branch"
-
-COMMIT_HASH=$(git rev-parse HEAD)
-DEPLOY_ID=$(aws deploy create-deployment --application-name tlsn-$environment-v1 --deployment-group-name tlsn-$environment-v1-group --github-location repository=$GITHUB_REPOSITORY,commitId=$COMMIT_HASH --ignore-application-stop-failures --file-exists OVERWRITE --output text)
-
-while true; do
- STATUS=$(aws deploy get-deployment --deployment-id $DEPLOY_ID --query 'deploymentInfo.status' --output text)
- if [ $STATUS != "InProgress" ] && [ $STATUS != "Created" ]; then
- if [ $STATUS = "Succeeded" ]; then
- echo "SUCCESS"
- exit 0
- else
- echo "Failed"
- exit 1
- fi
- else
- echo "Deploying..."
- fi
- sleep 30
-done
diff --git a/.github/scripts/modify-proxy.sh b/.github/scripts/modify-proxy.sh
deleted file mode 100755
index 921b1641f..000000000
--- a/.github/scripts/modify-proxy.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# This script is triggered by Deploy server workflow in order to send an execution command of cd-scripts/modify_proxy.sh via AWS SSM to the proxy server
-
-set -e
-
-GH_OWNER="tlsnotary"
-GH_REPO="tlsn"
-BACKEND_INSTANCE_ID=$(aws ec2 describe-instances --filters Name=tag:Name,Values=[tlsnotary-backend-v1] Name=instance-state-name,Values=[running] --query "Reservations[*].Instances[*][InstanceId]" --output text)
-PROXY_INSTANCE_ID=$(aws ec2 describe-instances --filters Name=tag:Name,Values=[tlsnotary-web] Name=instance-state-name,Values=[running] --query "Reservations[*].Instances[*][InstanceId]" --output text)
-TAGS=$(aws ec2 describe-instances --instance-ids $BACKEND_INSTANCE_ID --query 'Reservations[*].Instances[*].Tags')
-
-TAG=$(echo $TAGS | jq -r '.[][][] | select(.Key == "stable").Value')
-PORT=$(echo $TAGS | jq -r '.[][][] | select(.Key == "port").Value')
-
-COMMAND_ID=$(aws ssm send-command --document-name "AWS-RunRemoteScript" --instance-ids $PROXY_INSTANCE_ID --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"'${GH_OWNER}'\", \"repository\":\"'${GH_REPO}'\", \"getOptions\":\"branch:'${TAG}'\", \"path\": \"cd-scripts\"}"],"commandLine":["modify_proxy.sh '${PORT}' '${TAG}' "]}' --output text --query "Command.CommandId")
-
-while true; do
- SSM_STATUS=$(aws ssm list-command-invocations --command-id $COMMAND_ID --details --query "CommandInvocations[].Status" --output text)
-
- if [ $SSM_STATUS != "Success" ] && [ $SSM_STATUS != "InProgress" ]; then
- echo "Proxy modification failed"
- aws ssm list-command-invocations --command-id $COMMAND_ID --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}"
- exit 1
- elif [ $SSM_STATUS = "Success" ]; then
- aws ssm list-command-invocations --command-id $COMMAND_ID --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}"
- echo "Success"
- break
- fi
-
- sleep 2
-done
-
-exit 0
diff --git a/.github/workflows/cd-server.yml b/.github/workflows/cd-server.yml
deleted file mode 100644
index 123dc8cc9..000000000
--- a/.github/workflows/cd-server.yml
+++ /dev/null
@@ -1,86 +0,0 @@
-name: Deploy server
-on:
- push:
- branches:
- - dev
- tags:
- - "[v]?[0-9]+.[0-9]+.[0-9]+*"
- workflow_dispatch:
- inputs:
- environment:
- description: "Environment"
- required: true
- default: "nightly"
- type: choice
- options:
- - nightly
- - stable
-
-concurrency:
- group: ${{ github.workflow }}
- cancel-in-progress: false
-
-jobs:
- deploy:
- runs-on: ubuntu-latest
- env:
- DATA_ENV: ${{ github.event.inputs.environment || 'nightly' }}
- permissions:
- id-token: write
- contents: read
-
- steps:
- - name: Manipulate Environment
- id: manipulate
- run: |
- if [ "${{ github.event_name }}" = "push" ] && [ "$GITHUB_REF_NAME" = "dev" ]; then
- echo "env=nightly" >> $GITHUB_OUTPUT
- elif [ "${{ github.event_name }}" = "push" ] && [[ "${{ github.ref }}" = "refs/tags/"* ]]; then
- echo "env=stable" >> $GITHUB_OUTPUT
- elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
- echo "env=${{ env.DATA_ENV }}" >> $GITHUB_OUTPUT
- else
- echo "Operation not permitted"
- exit 1
- fi
-
- - name: Wait for integration test workflow to succeed
- if: github.event_name == 'push'
- uses: lewagon/wait-on-check-action@v1.3.1
- with:
- ref: ${{ github.ref }}
- # More details [here](https://github.com/lewagon/wait-on-check-action#check-name)
- check-name: 'Run tests release build'
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- # How frequent (in seconds) this job will call GitHub API to check the status of the job specified at 'check-name'
- wait-interval: 60
-
- - name: Checkout
- uses: actions/checkout@v4
- with:
- persist-credentials: false
-
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- role-to-assume: arn:aws:iam::490752553772:role/tlsn-deploy-slc
- role-duration-seconds: 1800
- aws-region: eu-central-1
-
- - name: Install stable rust toolchain
- uses: dtolnay/rust-toolchain@stable
- with:
- toolchain: stable
-
- - name: Cargo build
- run: |
- .github/scripts/build-server.sh ${{ steps.manipulate.outputs.env }}
-
- - name: Trigger Deployment
- run: |
- .github/scripts/deploy-server.sh ${{ steps.manipulate.outputs.env }} $GITHUB_REF_NAME
-
- - name: Modify Proxy
- if: ${{ steps.manipulate.outputs.env == 'stable' }}
- run: |
- .github/scripts/modify-proxy.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a31171b9d..619d2e6dc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -155,11 +155,4 @@ jobs:
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: lcov.info
- fail_ci_if_error: true
- # trigger-deployment:
- # doing this here due to feedback @ https://github.com/tlsnotary/tlsn/pull/631#issuecomment-2415806267
- # needs: tests-integration
- # uses: ./.github/workflows/tee-cd.yml
- # with:
- # # what this is supposed to do -> $ref is the tag: e.g., v0.1.0-alpha.7; pass the $ref string to the cd script and update reverse proxy / deploy
- # ref: ${{ github.ref_name }}
+ fail_ci_if_error: true
\ No newline at end of file
diff --git a/.github/workflows/rustdoc.yml b/.github/workflows/rustdoc.yml
index 5c86ee6cd..59960c424 100644
--- a/.github/workflows/rustdoc.yml
+++ b/.github/workflows/rustdoc.yml
@@ -4,7 +4,6 @@ on:
 push:
 branches: [dev]
 pull_request:
- branches: [dev]
 
 env:
 CARGO_TERM_COLOR: always
diff --git a/.github/workflows/tee-ci.yml b/.github/workflows/tee-ci.yml
index badacfaf6..aae7bb51e 100644
--- a/.github/workflows/tee-ci.yml
+++ b/.github/workflows/tee-ci.yml
@@ -3,9 +3,7 @@ name: tee-build
 on:
 push:
 branches: [ "dev" ]
- pull_request:
- branches: [ "dev" ]
-
+
 concurrency:
 group: ${{ github.head_ref || github.run_id }}
 cancel-in-progress: true
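Review bot: The surviving `fail_ci_if_error: true` line on the new side is written without a trailing newline (`\ No newline at end of file`), so ci.yml now ends mid-line. Deleting the commented-out trigger-deployment block is fine, but the retained line should end with a newline so yamllint's new-line-at-end-of-file check passes and the next edit to this file does not show a spurious change on this line.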
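Review bot: Removing `branches: [dev]` under `pull_request:` widens the rustdoc workflow to pull requests against any base branch, which the commit message (scoped to TEE deployments) does not mention. If that broadening is intentional it deserves a word in the description; if only the push filter was meant to change, keep `pull_request:` followed by `  branches: [dev]`. The `on:` mapping this hunk edits starts above the hunk.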
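Review bot: With `pull_request:` removed, this workflow only runs on `push` events, where `github.head_ref` is empty, so `concurrency.group: ${{ github.head_ref || github.run_id }}` degrades to a per-run key and `cancel-in-progress: true` can no longer cancel a superseded build of the same branch. A key that is stable across pushes to the same ref keeps the intended behavior, e.g. `group: ${{ github.workflow }}-${{ github.ref }}`. The `-`/`+` pair on the blank line looks like a whitespace-only change; worth confirming the added line carries no trailing spaces.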
@@ -38,5 +36,4 @@ jobs:
 - name: get emulated measurement (call gramine.sh without the sgx arg)
 working-directory: ${{ github.workspace }}/crates/notary/server/tee
 run: |
- # this fails current ci because gramine.sh is part of this pr so the file doesnt exist
- # bash .github/scripts/gramine.sh
+ chmod +x ../../../../.github/scripts/gramine.sh && ../../../../.github/scripts/gramine.sh
diff --git a/crates/notary/server/tee/config/config.yaml b/crates/notary/server/tee/config/config.yaml
index d85859fed..48d229c23 100644
--- a/crates/notary/server/tee/config/config.yaml
+++ b/crates/notary/server/tee/config/config.yaml
@@ -27,6 +27,7 @@ server:
 notarization:
 max_sent_data: 4096
 max_recv_data: 16384
+ timeout: 1800
 tls:
 enabled: false
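Review bot: The new `run:` line reaches the script through a four-level relative path (`../../../../.github/scripts/gramine.sh`) and `chmod +x`s it at run time; the path silently breaks if `working-directory` ever moves, and the chmod papers over an executable bit that is not committed. Commit the script as executable (`git update-index --chmod=+x .github/scripts/gramine.sh`) and invoke it from the workspace root instead, e.g. `bash "${{ github.workspace }}/.github/scripts/gramine.sh"`, which is also the form the removed comment used. The enclosing `steps:` list begins outside the hunk.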