moved tm-secret-enclave functionality into our enclave #5996
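# CI workflow "Tests": runs on every push. It builds and tests the SGX
# enclave (software mode), the test contracts, the Go modules, the
# LocalSecret and Hermes images, and the integration suites.
#
# Review notes:
# - Actions are referenced by mutable tag (@v2/@v3/@v4). Pinning each `uses:`
#   to a full commit SHA protects against a retagged release.
# - actions/upload-artifact and actions/download-artifact are on v3, which
#   GitHub has deprecated. Upgrade both to the same newer major together;
#   uploads and downloads are not expected to interoperate across majors.
name: Tests

on: [push]

# Least privilege for GITHUB_TOKEN: the steps below only read the repository.
# Images are built with `load`/`outputs` and are never pushed to a registry.
permissions:
  contents: read

jobs:
  Enclave-Unit-Tests:
    runs-on: ubuntu-22.04
    steps:
      - name: Pull git submodules
        uses: actions/checkout@v4
        with:
          submodules: recursive
      # NOTE(review): the installer is downloaded and executed without an
      # integrity check. Record its SHA-256 and verify before running, e.g.
      #   echo "<EXPECTED_SHA256>  $SDK_BIN" | sha256sum -c -
      # The same applies to the SDK install steps in Go-Tests and Clippy.
      - name: Install Intel's SGX SDK
        run: |
          mkdir -p "$HOME/.sgxsdk"
          cd "$HOME/.sgxsdk"
          SDK_BIN=sgx_linux_x64_sdk_2.20.100.4.bin
          wget https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu22.04-server/"$SDK_BIN"
          chmod +x "$SDK_BIN"
          echo yes | ./"$SDK_BIN"
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: ~/.cargo/registry
          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
      # Static key: once a cache exists under it, later runs restore it but
      # never save a refreshed copy.
      - name: Cache xargo sysroot
        uses: actions/cache@v4
        with:
          path: ~/.xargo
          key: ${{ runner.os }}-xargo-sysroot
      - name: Cache build artifacts
        uses: actions/cache@v4
        with:
          path: ~/.cache/sccache
          key: ${{ runner.os }}-sccache
      # The component is added twice, once per working directory; presumably
      # the enclave directory selects its own toolchain (confirm).
      - name: Install Rust components
        run: |
          rustup component add rust-src clippy
          cd cosmwasm/enclaves/execute/
          rustup component add rust-src clippy
      - name: Install xargo
        run: |
          cargo --version
          rustc --version
          cargo +stable install xargo --version 0.3.25
          xargo --version
      - name: Test enclave
        run: |
          source "$HOME/.sgxsdk/sgxsdk/environment"
          export SGX_MODE=SW
          make enclave-tests
          make clean-enclave

  Build-Contracts:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Install Requirements
        run: |
          rustup target add wasm32-unknown-unknown
          chmod +x ./scripts/install-wasm-tools.sh
          ./scripts/install-wasm-tools.sh
      - name: Build Contracts
        run: |
          make build-test-contracts
          cp x/compute/internal/keeper/testdata/erc20.wasm .
      - uses: actions/upload-artifact@v3
        with:
          name: erc20.wasm
          path: erc20.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: contract.wasm
          path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/contract.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: contract-v2.wasm
          path: cosmwasm/contracts/v010/compute-tests/test-compute-contract-v2/contract-v2.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: v1-contract.wasm
          path: cosmwasm/contracts/v1/compute-tests/test-compute-contract/v1-contract.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: ibc.wasm
          path: cosmwasm/contracts/v1/compute-tests/ibc-test-contract/ibc.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: contract_with_floats.wasm
          path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/contract_with_floats.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: too-high-initial-memory.wasm
          path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/too-high-initial-memory.wasm
      - uses: actions/upload-artifact@v3
        with:
          name: static-too-high-initial-memory.wasm
          path: cosmwasm/contracts/v010/compute-tests/test-compute-contract/static-too-high-initial-memory.wasm

  Go-Tests:
    runs-on: ubuntu-22.04
    needs: [Build-Contracts, Build-LocalSecret]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/setup-go@v5
        with:
          # Quoted so the version stays a string and is not read as a float.
          go-version: '1.21'
      # Uses the ubuntu22.04-server build so the SDK matches the runner image
      # and the Enclave-Unit-Tests job. The installer is still executed
      # without a checksum; verify its SHA-256 before running it.
      - name: Install Intel's SGX SDK
        run: |
          mkdir -p "$HOME/.sgxsdk"
          cd "$HOME/.sgxsdk"
          SDK_BIN=sgx_linux_x64_sdk_2.20.100.4.bin
          wget https://download.01.org/intel-sgx/sgx-linux/2.20/distro/ubuntu22.04-server/"$SDK_BIN"
          chmod +x "$SDK_BIN"
          echo yes | ./"$SDK_BIN"
      - name: Download LocalSecret
        uses: actions/download-artifact@v3
        with:
          name: localsecret
          path: /tmp
      # Copies the node binary and the enclave libraries out of the image
      # built by Build-LocalSecret into the workspace.
      - name: Load images
        run: |
          docker load --input /tmp/localsecret.tar
          docker run -v "$PWD":/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/bin/secretd /opt/mount/secretd
          docker run -v "$PWD":/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/libgo_cosmwasm.so /opt/mount/libgo_cosmwasm.so
          docker run -v "$PWD":/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/librust_cosmwasm_enclave.signed.so /opt/mount/librust_cosmwasm_enclave.signed.so
          docker run -v "$PWD":/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/librandom_api.so /opt/mount/librandom_api.so
          docker run -v "$PWD":/opt/mount --rm --entrypoint cp ghcr.io/scrtlabs/localsecret:v0.0.0 /usr/lib/tendermint_enclave.signed.so /opt/mount/tendermint_enclave.signed.so
      - uses: actions/download-artifact@v3
        with:
          name: contract.wasm
          path: ./x/compute/internal/keeper/testdata/
      - uses: actions/download-artifact@v3
        with:
          name: contract-v2.wasm
          path: ./x/compute/internal/keeper/testdata/
      - uses: actions/download-artifact@v3
        with:
          name: v1-contract.wasm
          path: ./x/compute/internal/keeper/testdata/
      - uses: actions/download-artifact@v3
        with:
          name: ibc.wasm
          path: ./x/compute/internal/keeper/testdata/
      - uses: actions/download-artifact@v3
        with:
          name: contract_with_floats.wasm
          path: ./x/compute/internal/keeper/testdata/
      - uses: actions/download-artifact@v3
        with:
          name: too-high-initial-memory.wasm
          path: ./x/compute/internal/keeper/testdata/
      - uses: actions/download-artifact@v3
        with:
          name: static-too-high-initial-memory.wasm
          path: ./x/compute/internal/keeper/testdata/
      - name: Setup Files
        run: |
          find "$(pwd)" -name \*.wasm
          cp libgo_cosmwasm.so ./go-cosmwasm/api/libgo_cosmwasm.so
          cp librust_cosmwasm_enclave.signed.so ./go-cosmwasm/librust_cosmwasm_enclave.signed.so
          find "$(pwd)" -name \*.wasm
      # NOTE(review): `apt-key add` is deprecated and trusts the key for every
      # configured repository; a dedicated keyring referenced with `signed-by`
      # would scope it to the Intel repository only. The curl pipe also hides
      # a failed download unless pipefail is enabled for the step.
      - name: Install Quote library SDK
        run: |
          curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
          sudo add-apt-repository "deb https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main"
          DCAP_VERSION=1.17.100.4-jammy1
          PSW_VERSION=2.20.100.4-jammy1
          sudo apt-get update
          sudo apt-get install -y \
            libsgx-aesm-launch-plugin=$PSW_VERSION \
            libsgx-enclave-common=$PSW_VERSION \
            libsgx-epid=$PSW_VERSION \
            libsgx-launch=$PSW_VERSION \
            libsgx-quote-ex=$PSW_VERSION \
            libsgx-uae-service=$PSW_VERSION \
            libsgx-qe3-logic=$DCAP_VERSION \
            libsgx-pce-logic=$DCAP_VERSION \
            libsgx-aesm-ecdsa-plugin=$PSW_VERSION \
            libsgx-aesm-pce-plugin=$PSW_VERSION \
            libsgx-dcap-ql=$DCAP_VERSION \
            libsgx-dcap-quote-verify=$DCAP_VERSION \
            libsgx-dcap-default-qpl=$DCAP_VERSION \
            libsgx-urts=$PSW_VERSION
          LIB_PATH=/usr/lib/x86_64-linux-gnu
          sudo ln -sf $LIB_PATH/libsgx_dcap_ql.so.1 $LIB_PATH/libsgx_dcap_ql.so
          sudo ln -sf $LIB_PATH/libsgx_dcap_quoteverify.so.1 $LIB_PATH/libsgx_dcap_quoteverify.so
      - name: Test x/registration
        run: |
          source "$HOME/.sgxsdk/sgxsdk/environment"
          go test -v -tags "secretcli" ./x/registration/internal/...
      # spid.txt and api_key.txt are filled with the literal "not_a_key":
      # placeholders for the software-mode run, not credentials. Light client
      # validation is skipped for the keeper tests only.
      - name: Test x/compute
        run: |
          source "$HOME/.sgxsdk/sgxsdk/environment"
          export SGX_MODE=SW
          cp librust_cosmwasm_enclave.signed.so ./x/compute/internal/keeper
          # cp tendermint_enclave.signed.so ./x/compute/internal/keeper
          mkdir -p ias_keys/develop
          mkdir -p /opt/secret/.sgx_secrets/
          echo "not_a_key" > ias_keys/develop/spid.txt
          echo "not_a_key" > ias_keys/develop/api_key.txt
          LOG_LEVEL=ERROR go test -v -tags "test" ./x/compute/client/...
          LOG_LEVEL=ERROR SKIP_LIGHT_CLIENT_VALIDATION=TRUE go test -p 1 -timeout 90m -v -tags "test" ./x/compute/internal/...

  Clippy:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      # NOTE(review): this job installs SDK 2.17.101.1 built for
      # ubuntu20.04-server, while the other jobs use 2.20.100.4 and the runner
      # is ubuntu-22.04. Left unchanged here; confirm whether the older SDK is
      # intentional. The installer is also run without a checksum.
      - name: Install Intel's SGX SDK
        run: |
          mkdir -p "$HOME/.sgxsdk"
          cd "$HOME/.sgxsdk"
          SDK_BIN=sgx_linux_x64_sdk_2.17.101.1.bin
          wget https://download.01.org/intel-sgx/sgx-linux/2.17.1/distro/ubuntu20.04-server/"$SDK_BIN"
          chmod +x "$SDK_BIN"
          echo yes | ./"$SDK_BIN"
      - name: Cache cargo registry
        uses: actions/cache@v4
        with:
          path: ~/.cargo/registry
          key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
      - name: Cache xargo sysroot
        uses: actions/cache@v4
        with:
          path: ~/.xargo
          key: ${{ runner.os }}-xargo-sysroot
      - name: Cache build artifacts
        uses: actions/cache@v4
        with:
          path: ~/.cache/sccache
          key: ${{ runner.os }}-sccache
      - name: Install Rust components
        run: |
          rustup component add rust-src clippy
          cd cosmwasm/enclaves/execute/
          rustup component add rust-src clippy
          cd - && cd check-hw
          rustup component add rust-src clippy
      - name: Install xargo
        run: |
          cd cosmwasm/enclaves/execute/
          cargo --version
          rustc --version
          cargo +stable install xargo --version 0.3.25
          xargo --version
      # Lints both the software-mode and the hardware-mode configuration.
      - name: Clippy
        run: |
          source "$HOME/.sgxsdk/sgxsdk/environment"
          mkdir -p ias_keys/production
          cp ias_keys/develop/api_key.txt ias_keys/production/api_key.txt
          SGX_MODE=SW make clippy
          SGX_MODE=HW make clippy

  MacOS-ARM64-CLI:
    runs-on: macos-12-large
    strategy:
      fail-fast: false
    timeout-minutes: 90
    steps:
      # `name` is a step-level key. It was listed under `with:`, where it is
      # passed to the action as an input the action does not define.
      - name: checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: set up go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'
      - name: Build macos darwin/arm64
        run: make build_cli
      - uses: actions/upload-artifact@v3
        with:
          name: secretcli-macos-arm64
          path: secretcli

  Build-LocalSecret:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          driver-opts: network=host
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      # API_KEY and SPID below are all-zero / all-F dummy values for the
      # software-mode test image. Real attestation credentials belong in
      # repository secrets and must not be inlined in this file.
      - name: Build LocalSecret
        uses: docker/build-push-action@v4
        with:
          file: deployment/dockerfiles/Dockerfile
          context: .
          load: true
          tags: ghcr.io/scrtlabs/localsecret:v0.0.0
          secrets: |
            API_KEY=00000000000000000000000000000000
            SPID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
          build-args: |
            SECRET_NODE_TYPE=BOOTSTRAP
            CHAIN_ID=secretdev-1
            FEATURES_U=debug-print,random,light-client-validation,go-tests
            SGX_MODE=SW
          target: build-localsecret
          # cache-from: type=gha
          # cache-to: type=gha,mode=max
          outputs: type=docker,dest=/tmp/localsecret.tar
      - name: Upload Image
        uses: actions/upload-artifact@v3
        with:
          name: localsecret
          path: /tmp/localsecret.tar

  Build-Hermes:
    runs-on: ubuntu-22.04
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - uses: actions/checkout@v4
      - name: Build Hermes Image
        uses: docker/build-push-action@v4
        with:
          file: deployment/dockerfiles/ibc/hermes.Dockerfile
          context: deployment/dockerfiles/ibc
          load: true
          tags: hermes:v0.0.0
          build-args: |
            SECRET_NODE_TYPE=BOOTSTRAP
            CHAIN_ID=secretdev-1
          outputs: type=docker,dest=/tmp/hermes.tar
      - name: Upload Image
        uses: actions/upload-artifact@v3
        with:
          name: hermes
          path: /tmp/hermes.tar

  Integration-Tests:
    runs-on: ubuntu-22.04
    needs: [Build-LocalSecret, Build-Hermes]
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Download Hermes
        uses: actions/download-artifact@v3
        with:
          name: hermes
          path: /tmp
      - name: Download LocalSecret
        uses: actions/download-artifact@v3
        with:
          name: localsecret
          path: /tmp
      - name: Load images
        run: |
          docker load --input /tmp/localsecret.tar
          docker load --input /tmp/hermes.tar
      # The perl rewrite points the compose file at the image built in this
      # run (localsecret:v0.0.0) instead of whatever tag is checked in.
      - name: Run integration tests
        run: |
          cd integration-tests
          yarn
          perl -i -pe 's/localsecret:.+?"/localsecret:v0.0.0"/' ../deployment/dockerfiles/ibc/docker-compose.yml
          docker compose -f ../deployment/dockerfiles/ibc/docker-compose.yml up -d > docker-compose.log 2>&1
          yarn test || { cat docker-compose.log; exit 1; }
          make kill-localsecret # next step needs the localsecret ports
      # NOTE(review): this clones the moving tip of a branch in another
      # repository and runs its `yarn` install there. Checking out a reviewed
      # commit would make the code executed in CI reproducible.
      - name: Run secret.js tests
        run: |
          git clone --depth 1 --branch cosmos-sdk-upgrade https://github.com/scrtlabs/secret.js
          cd secret.js
          # Use the docker images that we built just a few steps above
          perl -i -pe 's/localsecret:.+?"/localsecret:v0.0.0"/' ./test/docker-compose.yml
          yarn
          docker compose -f ./test/docker-compose.yml up -d > docker-compose.log 2>&1
          sleep 10
          yarn test-ci || { cat docker-compose.log; exit 1; }
          make kill-localsecret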