Add support for AMD SEV-SNP #2184

Workflow file for this run

	name: Veracruz-CI

	# Controls when the workflow will run
	on:
	# Triggers the workflow on push or pull request events but only for the main branch
	push:
	branches: [ main ]
	pull_request:
	branches: [ main ]

	# Allows you to run this workflow manually from the Actions tab
	workflow_dispatch:

	env:
	WASMTIME_VERSION: v9.0.4

	jobs:
	check:
	runs-on: ubuntu-latest
	steps:
	- name: Install cosign
	# https://github.com/sigstore/cosign-installer
	uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
	with:
	cosign-release: "v2.2.1"
	- name: Check image signature
	id: cosign-verify
	run: \|
	COSIGN_EXPERIMENTAL=true cosign verify \
	--certificate-identity-regexp 'https://github.com/veracruz-project/veracruz/.github/workflows/docker.yml@refs/heads/dreemkiller_amd_sev' \
	--certificate-oidc-issuer https://token.actions.githubusercontent.com \
	ghcr.io/veracruz-project/veracruz/ci@sha256:48fbfbe4af44372b5cad15e80c7e17f523bb76cc157cf492860a48b37db4bd3f

	linux:
	runs-on: ubuntu-latest
	needs: [check]
	outputs:
	output: ${{ steps.check-diff.outputs.cargo-lock }}
	container:
	image: ghcr.io/veracruz-project/veracruz/ci@sha256:48fbfbe4af44372b5cad15e80c7e17f523bb76cc157cf492860a48b37db4bd3f
	volumes:
	- ${{ github.workspace }}:/work/veracruz
	steps:
	- name: Check out the Veracruz repository
	uses: actions/checkout@v3
	with:
	submodules: recursive
	- name: Build Veracruz-Linux
	id: linux-build
	run: \|
	make -C /work/veracruz/workspaces linux
	- name: Running linux test script
	id: linux-build-and-test
	run: \|
	make -C /work/veracruz/workspaces linux-tests
	- name: Move back to veracruz root
	run: \|
	cd /work/veracruz
	git config --global --add safe.directory "$GITHUB_WORKSPACE"
	- name: Check modification to Cargo.lock
	id: check-diff
	run: \|
	# Find if any Cargo.lock changed, pad them into a line and trim leading and trailing whitespace.
	file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' \| tr '\n' ' ' \| xargs)
	echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT
	if [ -n "$file_changed" ] ; then
	echo "::warning::Cargo.lock files modified";
	echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}";
	fi
	- name: Upload Cargo.lock files
	id: upload-changed-cargo-lock
	if: steps.check-diff.outputs.cargo-lock != ''
	uses: actions/upload-artifact@v3
	with:
	name: linux
	path: workspaces/**/Cargo.lock
	- name: Prepare deployment artifacts
	run: \|
	# Strip binaries
	strip \
	workspaces/host/target/debug/freestanding-execution-engine \
	workspaces/host/target/debug/generate-policy \
	workspaces/linux-host/target/debug/veracruz-client \
	workspaces/linux-host/target/debug/linux-veracruz-server \
	workspaces/linux-runtime/target/debug/linux-runtime-manager
	# Copy artifacts to new directory
	mkdir -p artifacts
	cp -a \
	sdk/proxy_cleanup.sh \
	workspaces/ca-cert.conf \
	workspaces/cert.conf \
	workspaces/host/target/debug/freestanding-execution-engine \
	workspaces/host/target/debug/generate-policy \
	workspaces/linux-host/target/debug/veracruz-client \
	workspaces/linux-host/target/debug/linux-veracruz-server \
	workspaces/linux-runtime/target/debug/linux-runtime-manager \
	artifacts/
	- name: Upload deployment artifacts
	id: upload-deployment-artifacts
	uses: actions/upload-artifact@v3
	with:
	name: linux_deployment_artifacts
	path: \|
	artifacts/*

	vod-full-deployment:
	runs-on: ubuntu-latest
	needs: [linux]
	container:
	image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068
	volumes:
	- ${{ github.workspace }}:/work/video-object-detection
	steps:
	- name: Check out the VOD repository
	uses: actions/checkout@v3
	with:
	repository: 'veracruz-project/video-object-detection'
	ref: '20230704'
	submodules: recursive
	set-safe-directory: true
	- name: Build
	run: \|
	# grab every bash code block for this step, remove line continuation,
	# and only keep lines that start with '$' (of course removing that '$'
	# in the process)
	sed -n '/```.*veracruz-ci-build/,/```/{/```/d; p}' README.md \
	\| sed ':a; /\\$/{N; s/\\\n//; ta}' \
	\| sed -n '/^ \$/{s/^ \$ \?//; p}' \
	> README.md.veracruz-ci-build.sh
	# run the script
	bash -euxo pipefail README.md.veracruz-ci-build.sh
	# Add current directory to $GITHUB_PATH
	echo "$GITHUB_WORKSPACE" >> $GITHUB_PATH
	- name: Download artifacts
	uses: actions/download-artifact@v3
	with:
	name: linux_deployment_artifacts
	path: artifacts
	- name: Post-process artifacts
	run: \|
	chmod -R 755 artifacts
	# Add artifacts to $GITHUB_PATH
	echo "artifacts" >> $GITHUB_PATH
	- name: Download example video
	run: \|
	# grab every bash code block for this step, remove line continuation,
	# and only keep lines that start with '$' (of course removing that '$'
	# in the process)
	sed -n '/```.*veracruz-ci-video/,/```/{/```/d; p}' README.md \
	\| sed ':a; /\\$/{N; s/\\\n//; ta}' \
	\| sed -n '/^ \$/{s/^ \$ \?//; p}' \
	> README.md.veracruz-ci-video.sh
	# run the script
	bash -euxo pipefail README.md.veracruz-ci-video.sh
	- name: Replace big YOLO model with small one
	run: \|
	cd program_data
	ln -sf yolov3-tiny.cfg yolov3.cfg
	ln -sf yolov3-tiny.weights yolov3.weights
	- name: Run VOD as standalone native binary
	run: \|
	# grab every bash code block for this step, remove line continuation,
	# and only keep lines that start with '$' (of course removing that '$'
	# in the process)
	sed -n '/```.*veracruz-ci-run-native/,/```/{/```/d; p}' README.md \
	\| sed ':a; /\\$/{N; s/\\\n//; ta}' \
	\| sed -n '/^ \$/{s/^ \$ \?//; p}' \
	> README.md.veracruz-ci-run-native.sh
	# run the script
	bash -euxo pipefail README.md.veracruz-ci-run-native.sh
	# Check results
	file output/prediction.0.jpg \| grep "JPEG image data"
	rm -rf output
	- name: Run VOD in wasmtime
	run: \|
	# Install wasmtime
	curl https://wasmtime.dev/install.sh -sSf \| bash -s -- --version $WASMTIME_VERSION && \
	. ~/.bashrc
	# grab every bash code block for this step, remove line continuation,
	# and only keep lines that start with '$' (of course removing that '$'
	# in the process)
	sed -n '/```.*veracruz-ci-run-wasmtime/,/```/{/```/d; p}' README.md \
	\| sed ':a; /\\$/{N; s/\\\n//; ta}' \
	\| sed -n '/^ \$/{s/^ \$ \?//; p}' \
	> README.md.veracruz-ci-run-wasmtime.sh
	# run the script
	bash -euxo pipefail README.md.veracruz-ci-run-wasmtime.sh
	# Check results
	file output/prediction.0.jpg \| grep "JPEG image data"
	rm -rf output
	- name: Run VOD in Freestanding Execution Engine
	run: \|
	# grab every bash code block for this step, remove line continuation,
	# and only keep lines that start with '$' (of course removing that '$'
	# in the process)
	sed -n '/```.*veracruz-ci-run-fee/,/```/{/```/d; p}' README.md \
	\| sed ':a; /\\$/{N; s/\\\n//; ta}' \
	\| sed -n '/^ \$/{s/^ \$ \?//; p}' \
	> README.md.veracruz-ci-run-fee.sh
	# run the script
	bash -euxo pipefail README.md.veracruz-ci-run-fee.sh
	# Check results
	file output/prediction.0.jpg \| grep "JPEG image data"
	rm -rf output
	- name: Run VOD in Veracruz-Linux
	run: \|
	POLICY_GENERATOR_PATH="artifacts/generate-policy" CLIENT_PATH="artifacts/veracruz-client" SERVER_PATH="artifacts/linux-veracruz-server" RUNTIME_MANAGER_PATH="artifacts/linux-runtime-manager" CA_CERT_CONF_PATH="artifacts/ca-cert.conf" CERT_CONF_PATH="artifacts/cert.conf" PROXY_CLEANUP_SCRIPT_PATH="artifacts/proxy_cleanup.sh" SERVER_LOG="server.log" POLICY_PATH="policy.json" ./deploy_linux_wasm.sh
	# Check results
	file prediction.0.jpg \| grep "JPEG image data"
	- name: Upload VOD artifacts
	id: upload-vod-artifacts
	uses: actions/upload-artifact@v3
	with:
	name: linux-vod
	path: \|
	policy.json
	server.log

	nitro:
	runs-on: ubuntu-latest
	needs: [check]
	outputs:
	output: ${{ steps.check-diff.outputs.cargo-lock }}
	container:
	image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068
	volumes:
	- ${{ github.workspace }}:/work/veracruz
	steps:
	- name: Check out the Veracruz repository
	uses: actions/checkout@v3
	with:
	submodules: recursive
	- name: add the GITHUB_WORKSPACE into git config
	run: \|
	git config --global --add safe.directory "$GITHUB_WORKSPACE"
	- name: Running Nitro test script
	id: nitro-build
	run: \|
	make -C /work/veracruz/workspaces nitro
	- name: Check modification to Cargo.lock
	id: check-diff
	run: \|
	file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' \| tr '\n' ' ' \| xargs)
	echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT
	if [ -n "$file_changed" ] ; then
	echo "::warning::Cargo.lock files modified";
	echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}";
	fi
	- name: Upload Cargo.lock files
	id: upload-changed-cargo-lock
	if: steps.check-diff.outputs.cargo-lock != ''
	uses: actions/upload-artifact@v3
	with:
	name: nitro
	path: workspaces/**/Cargo.lock

	# tests that the docs/CLI_QUICKSTART.md is still up to date
	quickstart:
	runs-on: ubuntu-latest
	needs: [check]
	outputs:
	output: ${{ steps.check-diff.outputs.cargo-lock }}
	container:
	image: ghcr.io/veracruz-project/veracruz/ci@sha256:dd434df33153bd8915859eb0f280270d2cdf07d6100ef4332bcd18c5e8525068
	volumes:
	- ${{ github.workspace }}:/work/veracruz
	steps:
	- name: Check out the Veracruz repository
	uses: actions/checkout@v3
	with:
	submodules: recursive
	- name: add the GITHUB_WORKSPACE into git config
	run: \|
	git config --global --add safe.directory "$GITHUB_WORKSPACE"
	- name: Running docs/CLI_QUICKSTART.md
	id: quickstart-test
	run: \|
	# grab every bash code block, remove line continuation, and only keep lines
	# that start with '$' (of course removing that '$' in the process)
	sed -n '/``` bash/,/```/{/```/d; p}' docs/CLI_QUICKSTART.md \
	\| sed ':a; /\\$/{N; s/\\\n//; ta}' \
	\| sed -n '/^\$/{s/^\$ \?//; p}' \
	> CLI_QUICKSTART.md.sh
	# run the quickstart
	bash -euxo pipefail CLI_QUICKSTART.md.sh
	- name: Running tlstest/README.md
	id: tlstest
	run: \|
	# Extract and execute bash code blocks from README.md:
	cd crates/tests/tlstest && \
	sed -n '/``` bash/,/```/{/```/d; p}' README.md > README.md.sh && \
	bash -euxo pipefail README.md.sh
	- name: Check modification to Cargo.lock
	id: check-diff
	run: \|
	file_changed=$(git diff --diff-filter=ACMUXTRD --name-only -- '**Cargo.lock' \| tr '\n' ' ' \| xargs)
	echo "cargo-lock=$file_changed" >> $GITHUB_OUTPUT
	if [ -n "$file_changed" ] ; then
	echo "::warning::Cargo.lock files modified";
	echo "::warning::Cargo.lock change list: ${{ steps.check-diff.outputs.cargo-lock }}";
	fi
	- name: Upload Cargo.lock files
	id: upload-changed-cargo-lock
	if: steps.check-diff.outputs.cargo-lock != ''
	uses: actions/upload-artifact@v3
	with:
	name: quickstart
	path: workspaces/**/Cargo.lock

	cargo-lock-check:
	needs: [linux, nitro, quickstart]
	runs-on: ubuntu-latest
	steps:
	- name: linux
	if: needs.linux.outputs.output != ''
	run: \|
	echo "::warning:: linux Cargo.lock change list: ${{ needs.linux.outputs.output }}"
	exit 1
	- name: nitro
	if: needs.nitro.outputs.output != ''
	run: \|
	echo "::warning:: nitro Cargo.lock change list: ${{ needs.nitro.outputs.output }}"
	exit 1
	- name: quickstart
	if: needs.quickstart.outputs.output != ''
	run: \|
	echo "::warning:: quickstart Cargo.lock change list: ${{ needs.quickstart.outputs.output }}"
	exit 1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for AMD SEV-SNP #2184

Workflow file

Add support for AMD SEV-SNP #2184

Jobs

Run details

Workflow file for this run