Add support for AMD SEV-SNP #2182
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Veracruz-CI | |
# Controls when the workflow will run | |
on: | |
# Triggers the workflow on push or pull request events but only for the main branch | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
env: | |
WASMTIME_VERSION: v9.0.4 | |
jobs: | |
check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install cosign | |
# https://github.com/sigstore/cosign-installer | |
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
with: | |
cosign-release: "v2.2.1" | |
- name: Check image signature | |
id: cosign-verify | |
run: | | |
COSIGN_EXPERIMENTAL=true cosign verify \ | |
--certificate-identity-regexp 'https://github.com/veracruz-project/veracruz/.github/workflows/docker.yml@refs/heads/dreemkiller_amd_sev' \ | |
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
ghcr.io/veracruz-project/veracruz/ci@sha256:48fbfbe4af44372b5cad15e80c7e17f523bb76cc157cf492860a48b37db4bd3f | |
linux: | |
runs-on: ubuntu-latest | |
needs: [check] | |
outputs: | |
output: ${{ steps.check-diff.outputs.cargo-lock }} | |
container: | |
image: ghcr.io/veracruz-project/veracruz/ci@sha256:48fbfbe4af44372b5cad15e80c7e17f523bb76cc157cf492860a48b37db4bd3f | |
volumes: | |
- ${{ github.workspace }}:/work/veracruz | |
steps: | |
- name: Check out the Veracruz repository | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: Build Veracruz-Linux | |
id: linux-build | |
run: | | |
make -C /work/veracruz/workspaces linux | |
- name: Running linux test script | |
id: linux-build-and-test | |
run: | | |
make -C /work/veracruz/workspaces linux-tests | |
- name: Move back to veracruz root | |
run: | | |
cd /work/veracruz | |
git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Check modification to Cargo.lock | |
id: check-diff | |
run: | | |
# Find if any Cargo.lock changed, pad them into a line and trim leading and trailing whitespace. | |
file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs) | |
echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT | |
if [ -n "$file_changed" ] ; then | |
echo "::warning::Cargo.lock files modified"; | |
echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}"; | |
fi | |
- name: Upload Cargo.lock files | |
id: upload-changed-cargo-lock | |
if: steps.check-diff.outputs.cargo-lock != '' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: linux | |
path: workspaces/**/Cargo.lock | |
- name: Prepare deployment artifacts | |
run: | | |
# Strip binaries | |
strip \ | |
workspaces/host/target/debug/freestanding-execution-engine \ | |
workspaces/host/target/debug/generate-policy \ | |
workspaces/linux-host/target/debug/veracruz-client \ | |
workspaces/linux-host/target/debug/linux-veracruz-server \ | |
workspaces/linux-runtime/target/debug/linux-runtime-manager | |
# Copy artifacts to new directory | |
mkdir -p artifacts | |
cp -a \ | |
sdk/proxy_cleanup.sh \ | |
workspaces/ca-cert.conf \ | |
workspaces/cert.conf \ | |
workspaces/host/target/debug/freestanding-execution-engine \ | |
workspaces/host/target/debug/generate-policy \ | |
workspaces/linux-host/target/debug/veracruz-client \ | |
workspaces/linux-host/target/debug/linux-veracruz-server \ | |
workspaces/linux-runtime/target/debug/linux-runtime-manager \ | |
artifacts/ | |
- name: Upload deployment artifacts | |
id: upload-deployment-artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: linux_deployment_artifacts | |
path: | | |
artifacts/* | |
vod-full-deployment: | |
runs-on: ubuntu-latest | |
needs: [linux] | |
container: | |
image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068 | |
volumes: | |
- ${{ github.workspace }}:/work/video-object-detection | |
steps: | |
- name: Check out the VOD repository | |
uses: actions/checkout@v3 | |
with: | |
repository: 'veracruz-project/video-object-detection' | |
ref: '20230704' | |
submodules: recursive | |
set-safe-directory: true | |
- name: Build | |
run: | | |
# grab every bash code block for this step, remove line continuation, | |
# and only keep lines that start with '$' (of course removing that '$' | |
# in the process) | |
sed -n '/```.*veracruz-ci-build/,/```/{/```/d; p}' README.md \ | |
| sed ':a; /\\$/{N; s/\\\n//; ta}' \ | |
| sed -n '/^ *\$/{s/^ *\$ \?//; p}' \ | |
> README.md.veracruz-ci-build.sh | |
# run the script | |
bash -euxo pipefail README.md.veracruz-ci-build.sh | |
# Add current directory to $GITHUB_PATH | |
echo "$GITHUB_WORKSPACE" >> $GITHUB_PATH | |
- name: Download artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: linux_deployment_artifacts | |
path: artifacts | |
- name: Post-process artifacts | |
run: | | |
chmod -R 755 artifacts | |
# Add artifacts to $GITHUB_PATH | |
echo "artifacts" >> $GITHUB_PATH | |
- name: Download example video | |
run: | | |
# grab every bash code block for this step, remove line continuation, | |
# and only keep lines that start with '$' (of course removing that '$' | |
# in the process) | |
sed -n '/```.*veracruz-ci-video/,/```/{/```/d; p}' README.md \ | |
| sed ':a; /\\$/{N; s/\\\n//; ta}' \ | |
| sed -n '/^ *\$/{s/^ *\$ \?//; p}' \ | |
> README.md.veracruz-ci-video.sh | |
# run the script | |
bash -euxo pipefail README.md.veracruz-ci-video.sh | |
- name: Replace big YOLO model with small one | |
run: | | |
cd program_data | |
ln -sf yolov3-tiny.cfg yolov3.cfg | |
ln -sf yolov3-tiny.weights yolov3.weights | |
- name: Run VOD as standalone native binary | |
run: | | |
# grab every bash code block for this step, remove line continuation, | |
# and only keep lines that start with '$' (of course removing that '$' | |
# in the process) | |
sed -n '/```.*veracruz-ci-run-native/,/```/{/```/d; p}' README.md \ | |
| sed ':a; /\\$/{N; s/\\\n//; ta}' \ | |
| sed -n '/^ *\$/{s/^ *\$ \?//; p}' \ | |
> README.md.veracruz-ci-run-native.sh | |
# run the script | |
bash -euxo pipefail README.md.veracruz-ci-run-native.sh | |
# Check results | |
file output/prediction.0.jpg | grep "JPEG image data" | |
rm -rf output | |
- name: Run VOD in wasmtime | |
run: | | |
# Install wasmtime | |
curl https://wasmtime.dev/install.sh -sSf | bash -s -- --version $WASMTIME_VERSION && \ | |
. ~/.bashrc | |
# grab every bash code block for this step, remove line continuation, | |
# and only keep lines that start with '$' (of course removing that '$' | |
# in the process) | |
sed -n '/```.*veracruz-ci-run-wasmtime/,/```/{/```/d; p}' README.md \ | |
| sed ':a; /\\$/{N; s/\\\n//; ta}' \ | |
| sed -n '/^ *\$/{s/^ *\$ \?//; p}' \ | |
> README.md.veracruz-ci-run-wasmtime.sh | |
# run the script | |
bash -euxo pipefail README.md.veracruz-ci-run-wasmtime.sh | |
# Check results | |
file output/prediction.0.jpg | grep "JPEG image data" | |
rm -rf output | |
- name: Run VOD in Freestanding Execution Engine | |
run: | | |
# grab every bash code block for this step, remove line continuation, | |
# and only keep lines that start with '$' (of course removing that '$' | |
# in the process) | |
sed -n '/```.*veracruz-ci-run-fee/,/```/{/```/d; p}' README.md \ | |
| sed ':a; /\\$/{N; s/\\\n//; ta}' \ | |
| sed -n '/^ *\$/{s/^ *\$ \?//; p}' \ | |
> README.md.veracruz-ci-run-fee.sh | |
# run the script | |
bash -euxo pipefail README.md.veracruz-ci-run-fee.sh | |
# Check results | |
file output/prediction.0.jpg | grep "JPEG image data" | |
rm -rf output | |
- name: Run VOD in Veracruz-Linux | |
run: | | |
POLICY_GENERATOR_PATH="artifacts/generate-policy" CLIENT_PATH="artifacts/veracruz-client" SERVER_PATH="artifacts/linux-veracruz-server" RUNTIME_MANAGER_PATH="artifacts/linux-runtime-manager" CA_CERT_CONF_PATH="artifacts/ca-cert.conf" CERT_CONF_PATH="artifacts/cert.conf" PROXY_CLEANUP_SCRIPT_PATH="artifacts/proxy_cleanup.sh" SERVER_LOG="server.log" POLICY_PATH="policy.json" ./deploy_linux_wasm.sh | |
# Check results | |
file prediction.0.jpg | grep "JPEG image data" | |
- name: Upload VOD artifacts | |
id: upload-vod-artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: linux-vod | |
path: | | |
policy.json | |
server.log | |
nitro: | |
runs-on: ubuntu-latest | |
needs: [check] | |
outputs: | |
output: ${{ steps.check-diff.outputs.cargo-lock }} | |
container: | |
image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068 | |
volumes: | |
- ${{ github.workspace }}:/work/veracruz | |
steps: | |
- name: Check out the Veracruz repository | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: add the GITHUB_WORKSPACE into git config | |
run: | | |
git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Running Nitro test script | |
id: nitro-build | |
run: | | |
make -C /work/veracruz/workspaces nitro | |
- name: Check modification to Cargo.lock | |
id: check-diff | |
run: | | |
file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs) | |
echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT | |
if [ -n "$file_changed" ] ; then | |
echo "::warning::Cargo.lock files modified"; | |
echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}"; | |
fi | |
- name: Upload Cargo.lock files | |
id: upload-changed-cargo-lock | |
if: steps.check-diff.outputs.cargo-lock != '' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: nitro | |
path: workspaces/**/Cargo.lock | |
# tests that the docs/CLI_QUICKSTART.md is still up to date | |
quickstart: | |
runs-on: ubuntu-latest | |
needs: [check] | |
outputs: | |
output: ${{ steps.check-diff.outputs.cargo-lock }} | |
container: | |
image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068 | |
volumes: | |
- ${{ github.workspace }}:/work/veracruz | |
steps: | |
- name: Check out the Veracruz repository | |
uses: actions/checkout@v3 | |
with: | |
submodules: recursive | |
- name: add the GITHUB_WORKSPACE into git config | |
run: | | |
git config --global --add safe.directory "$GITHUB_WORKSPACE" | |
- name: Running docs/CLI_QUICKSTART.md | |
id: quickstart-test | |
run: | | |
# grab every bash code block, remove line continuation, and only keep lines | |
# that start with '$' (of course removing that '$' in the process) | |
sed -n '/``` bash/,/```/{/```/d; p}' docs/CLI_QUICKSTART.md \ | |
| sed ':a; /\\$/{N; s/\\\n//; ta}' \ | |
| sed -n '/^\$/{s/^\$ \?//; p}' \ | |
> CLI_QUICKSTART.md.sh | |
# run the quickstart | |
bash -euxo pipefail CLI_QUICKSTART.md.sh | |
- name: Running tlstest/README.md | |
id: tlstest | |
run: | | |
# Extract and execute bash code blocks from README.md: | |
cd crates/tests/tlstest && \ | |
sed -n '/``` bash/,/```/{/```/d; p}' README.md > README.md.sh && \ | |
bash -euxo pipefail README.md.sh | |
- name: Check modification to Cargo.lock | |
id: check-diff | |
run: | | |
file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' | tr '\n' ' ' | xargs) | |
echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT | |
if [ -n "$file_changed" ] ; then | |
echo "::warning::Cargo.lock files modified"; | |
echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}"; | |
fi | |
- name: Upload Cargo.lock files | |
id: upload-changed-cargo-lock | |
if: steps.check-diff.outputs.cargo-lock != '' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: quickstart | |
path: workspaces/**/Cargo.lock | |
cargo-lock-check: | |
needs: [linux, nitro, quickstart] | |
runs-on: ubuntu-latest | |
steps: | |
- name: linux | |
if: needs.linux.outputs.output != '' | |
run: | | |
echo "::warning:: linux Cargo.lock change list: ${{ needs.linux.outputs.output }}" | |
exit 1 | |
- name: nitro | |
if: needs.nitro.outputs.output != '' | |
run: | | |
echo "::warning:: nitro Cargo.lock change list: ${{ needs.nitro.outputs.output }}" | |
exit 1 | |
- name: quickstart | |
if: needs.quickstart.outputs.output != '' | |
run: | | |
echo "::warning:: quickstart Cargo.lock change list: ${{ needs.quickstart.outputs.output }}" | |
exit 1 |