ci: build and publish pre-compute OCI image to docker-regis (#29)

Author: nabil-Tounarti

.dockerignore

@@ -0,0 +1,35 @@
+# Git
+.git
+.gitignore
+
+# Rust
+target/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+
+# Documentation
+README.md
+docs/
+
+# Docker
+Dockerfile
+.dockerignore
+
+# CI/CD
+.github/
+
+# Tests
+tests/
+**/*_test.rs
+**/*_tests.rs

.github/workflows/ci.yaml

@@ -3,6 +3,8 @@ name: Rust CI
 on:
   pull_request:
   push:
+    branches: [main]
+  workflow_dispatch:
 
 jobs:
   build-and-test:
@@ -12,3 +14,55 @@ jobs:
       working-directory: "."
       enable-cache: true
       publish-crates-io: false
+  
+  prepare:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    if: |
+      github.ref_name == 'main' ||
+      startsWith(github.head_ref, 'feature/') ||
+      startsWith(github.head_ref, 'bugfix/') ||
+      (github.event_name == 'workflow_dispatch' && (startsWith(github.ref_name, 'feature/') || startsWith(github.ref_name, 'bugfix/')))
+    outputs:
+      tag: ${{ steps.determine-tag.outputs.tag }}
+    steps:
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            SHORT_SHA=$(echo ${{ github.event.pull_request.head.sha }} | cut -c1-8)
+          else
+            SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+          fi
+
+          if [[ "${{ github.ref_name }}" == "main" ]]; then
+            TAG_NAME="dev-${SHORT_SHA}"
+            echo "Processing main branch push -> ${TAG_NAME}"
+          else
+            # This covers feature/ and bugfix/ branches
+            TAG_NAME="feature-${SHORT_SHA}"
+            echo "Processing feature/bugfix branch: ${{ github.head_ref }} -> ${TAG_NAME}"
+          fi
+          
+          echo "tag=${TAG_NAME}" >> "$GITHUB_OUTPUT"
+          echo "Determined image tag: ${TAG_NAME}"
+  
+  build-and-publish:
+    name: Build and Publish to Registry
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
+      image-tag: ${{ needs.prepare.outputs.tag }}
+      dockerfile: Dockerfile
+      context: .
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+      platforms: linux/amd64
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}

.github/workflows/docker-build-on-tag.yaml

@@ -0,0 +1,56 @@
+name: Build and Push Release Image
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  prepare:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.determine-tag.outputs.tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag
+          TAG_ON_MAIN=$(git branch -r --contains ${{ github.sha }} 'origin/main')
+
+          if [[ -n "$TAG_ON_MAIN" ]]; then
+            TAG_NAME="${{ github.ref_name }}"
+            TAG_NAME="${TAG_NAME#v}"  # Remove 'v' prefix
+            echo "Processing tag on main branch: ${{ github.ref_name }} -> ${TAG_NAME}"
+          else
+            echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+            echo "Tags must be created on main branch to generate X.Y.Z image tags"
+            exit 1
+          fi
+          
+          echo "tag=${TAG_NAME}" >> "$GITHUB_OUTPUT"
+          echo "Determined image tag: ${TAG_NAME}"
+
+  build-and-publish:
+    name: Build and Publish to Registry On Tag
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/[email protected]
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
+      image-tag: ${{ needs.prepare.outputs.tag }}
+      dockerfile: Dockerfile
+      context: .
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+      platforms: linux/amd64
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}

Dockerfile

@@ -0,0 +1,26 @@
+FROM rust:1.88-alpine3.22 AS builder
+
+# Install build dependencies with pinned versions
+RUN apk add --no-cache musl-dev=1.2.5-r10 openssl-dev=3.5.2-r0
+
+WORKDIR /app
+
+# Copy manifest and source files
+COPY . .
+
+# Build the application
+RUN cargo build --release
+
+FROM alpine:3.22
+
+# Install required runtime dependencies with pinned versions
+RUN apk add --no-cache libgcc=14.2.0-r6
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder stage
+COPY --from=builder /app/target/release/tee-worker-pre-compute .
+
+# Run the application
+ENTRYPOINT ["/app/tee-worker-pre-compute"]