ci: fix TEE deployments (#686)

* do not run tee-deployments builds for PR builds
* Remove AWS deployment scripts
* added missing timeout parameter to TEE config

.github/scripts/build-server.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-# https://github.com/tlsnotary/tlsn/pull/419
-set -ex
-
-environment=$1
-
-aws s3 sync .git s3://tlsn-deploy/$environment/.git --delete
-
-cargo build -p notary-server --release
-aws s3 cp ./target/release/notary-server s3://tlsn-deploy/$environment/
-
-exit 0

.github/scripts/deploy-server.sh

@@ -1,27 +0,0 @@
-#!/bin/bash
-set -ex
-
-environment=$1
-branch=$2
-
-INSTANCE_ID=$(aws ec2 describe-instances --filters Name=tag:Name,Values=[tlsnotary-backend-v1] Name=instance-state-name,Values=[running] --query "Reservations[*].Instances[*][InstanceId]" --output text)
-aws ec2 create-tags --resources $INSTANCE_ID --tags "Key=$environment,Value=$branch"
-
-COMMIT_HASH=$(git rev-parse HEAD)
-DEPLOY_ID=$(aws deploy create-deployment --application-name tlsn-$environment-v1 --deployment-group-name tlsn-$environment-v1-group --github-location repository=$GITHUB_REPOSITORY,commitId=$COMMIT_HASH --ignore-application-stop-failures --file-exists OVERWRITE --output text)
-
-while true; do
-  STATUS=$(aws deploy get-deployment --deployment-id $DEPLOY_ID --query 'deploymentInfo.status' --output text)
-  if [ $STATUS != "InProgress" ] && [ $STATUS != "Created" ]; then
-    if [ $STATUS = "Succeeded" ]; then
-       echo "SUCCESS"
-       exit 0
-    else
-       echo "Failed"
-       exit 1
-    fi
-  else
-    echo "Deploying..."
-  fi
-     sleep 30
-done

.github/scripts/modify-proxy.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-# This script is triggered by Deploy server workflow in order to send an execution command of cd-scripts/modify_proxy.sh via AWS SSM to the proxy server
-
-set -e
-
-GH_OWNER="tlsnotary"
-GH_REPO="tlsn"
-BACKEND_INSTANCE_ID=$(aws ec2 describe-instances --filters Name=tag:Name,Values=[tlsnotary-backend-v1] Name=instance-state-name,Values=[running] --query "Reservations[*].Instances[*][InstanceId]" --output text)
-PROXY_INSTANCE_ID=$(aws ec2 describe-instances --filters Name=tag:Name,Values=[tlsnotary-web] Name=instance-state-name,Values=[running] --query "Reservations[*].Instances[*][InstanceId]" --output text)
-TAGS=$(aws ec2 describe-instances --instance-ids $BACKEND_INSTANCE_ID --query 'Reservations[*].Instances[*].Tags')
-
-TAG=$(echo $TAGS | jq -r '.[][][] | select(.Key == "stable").Value')
-PORT=$(echo $TAGS | jq -r '.[][][] | select(.Key == "port").Value')
-
-COMMAND_ID=$(aws ssm send-command --document-name "AWS-RunRemoteScript" --instance-ids $PROXY_INSTANCE_ID --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"'${GH_OWNER}'\", \"repository\":\"'${GH_REPO}'\", \"getOptions\":\"branch:'${TAG}'\", \"path\": \"cd-scripts\"}"],"commandLine":["modify_proxy.sh '${PORT}' '${TAG}' "]}' --output text --query "Command.CommandId")
-
-while true; do
-  SSM_STATUS=$(aws ssm list-command-invocations --command-id $COMMAND_ID --details --query "CommandInvocations[].Status" --output text)
-
-  if [ $SSM_STATUS != "Success" ] && [ $SSM_STATUS != "InProgress" ]; then
-    echo "Proxy modification failed"
-    aws ssm list-command-invocations --command-id $COMMAND_ID --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}"
-    exit 1
-  elif [ $SSM_STATUS = "Success" ]; then
-    aws ssm list-command-invocations --command-id $COMMAND_ID --details --query "CommandInvocations[].CommandPlugins[].{Status:Status,Output:Output}"
-    echo "Success"
-    break
-  fi
-
-  sleep 2
-done
-
-exit 0

.github/workflows/cd-server.yml

@@ -1,86 +0,0 @@
-name: Deploy server
-on:
-  push:
-    branches:
-      - dev
-    tags:
-      - "[v]?[0-9]+.[0-9]+.[0-9]+*"
-  workflow_dispatch:
-    inputs:
-      environment:
-        description: "Environment"
-        required: true
-        default: "nightly"
-        type: choice
-        options:
-        - nightly
-        - stable
-
-concurrency:
-  group: ${{ github.workflow }}
-  cancel-in-progress: false
-
-jobs:  
-  deploy:
-    runs-on: ubuntu-latest
-    env:
-      DATA_ENV: ${{ github.event.inputs.environment || 'nightly' }}
-    permissions:
-      id-token: write
-      contents: read
-    
-    steps:      
-      - name: Manipulate Environment
-        id: manipulate
-        run: |
-          if [ "${{ github.event_name }}" = "push" ] && [ "$GITHUB_REF_NAME" = "dev" ]; then
-            echo "env=nightly" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event_name }}" = "push" ] && [[ "${{ github.ref }}" = "refs/tags/"* ]]; then
-            echo "env=stable" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            echo "env=${{ env.DATA_ENV }}" >> $GITHUB_OUTPUT
-          else
-            echo "Operation not permitted"
-            exit 1
-          fi
-
-      - name: Wait for integration test workflow to succeed
-        if: github.event_name == 'push'
-        uses: lewagon/wait-on-check-action@v1.3.1
-        with:
-          ref: ${{ github.ref }}
-          # More details [here](https://github.com/lewagon/wait-on-check-action#check-name)
-          check-name: 'Run tests release build'
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          # How frequent (in seconds) this job will call GitHub API to check the status of the job specified at 'check-name'
-          wait-interval: 60
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-          
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::490752553772:role/tlsn-deploy-slc
-          role-duration-seconds: 1800
-          aws-region: eu-central-1
-
-      - name: Install stable rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
-
-      - name: Cargo build
-        run: |
-          .github/scripts/build-server.sh ${{ steps.manipulate.outputs.env }}
-
-      - name: Trigger Deployment
-        run: |
-          .github/scripts/deploy-server.sh ${{ steps.manipulate.outputs.env }} $GITHUB_REF_NAME
-
-      - name: Modify Proxy
-        if: ${{ steps.manipulate.outputs.env == 'stable' }}
-        run: |
-          .github/scripts/modify-proxy.sh

.github/workflows/ci.yml

@@ -155,11 +155,4 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: lcov.info
-          fail_ci_if_error: true
-  # trigger-deployment:
-    # doing this here due to feedback @ https://github.com/tlsnotary/tlsn/pull/631#issuecomment-2415806267
-    # needs: tests-integration
-    # uses: ./.github/workflows/tee-cd.yml
-    # with:
-    #  # what this is supposed to do -> $ref is the tag: e.g., v0.1.0-alpha.7; pass the $ref string to the cd script and update reverse proxy / deploy 
-    #  ref: ${{  github.ref_name }}	
+          fail_ci_if_error: true

.github/workflows/rustdoc.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches: [dev]
   pull_request:
-    branches: [dev]
 
 env:
   CARGO_TERM_COLOR: always

.github/workflows/tee-ci.yml

@@ -3,9 +3,7 @@ name: tee-build
 on:
   push:
     branches: [ "dev" ]
-  pull_request:
-    branches: [ "dev" ]
-    
+
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -38,5 +36,4 @@ jobs:
         - name: get emulated measurement (call gramine.sh without the sgx arg)
           working-directory: ${{ github.workspace }}/crates/notary/server/tee
           run: |
-             # this fails current ci because gramine.sh is part of this pr so the file doesnt exist
-             # bash .github/scripts/gramine.sh
+            chmod +x  ../../../../.github/scripts/gramine.sh && ../../../../.github/scripts/gramine.sh

crates/notary/server/tee/config/config.yaml

@@ -27,6 +27,7 @@ server:
 notarization:
   max_sent_data: 4096
   max_recv_data: 16384
+  timeout: 1800
 
 tls:
   enabled: false