iExecBlockchainComputing · nabil-Tounarti · Aug 28, 2025 · Aug 13, 2025 · Aug 18, 2025 · Aug 18, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,36 @@
+# Git
+.git
+.gitignore
+
+# Rust
+target/
+Cargo.lock
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+
+# Documentation
+README.md
+docs/
+
+# Docker
+Dockerfile
+.dockerignore
+
+# CI/CD
+.github/
+
+# Tests
+tests/
+**/*_test.rs
+**/*_tests.rs
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
@@ -0,0 +1,53 @@
+name: Build and Push OCI Image
+
+on:
+  push:
+    branches:
+      - main
+      - 'feature/*'
+      - 'bugfix/*'
+    tags:
+      - 'v*.*.*' # Triggers on version tags like v1.0.0
+
+jobs:
+  prepare:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.determine-tag.outputs.tag }}
+    steps:
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            TAG_NAME="${{ github.ref_name }}"
+            TAG_NAME="${TAG_NAME#v}"  # Remove 'v' prefix using bash parameter expansion
+          elif [[ "${{ github.ref_name }}" == "main" ]]; then
+            TAG_NAME="dev-${SHORT_SHA}"
+          elif [[ "${{ github.ref_name }}" =~ ^feature/ ]] || [[ "${{ github.ref_name }}" =~ ^bugfix/ ]]; then
+            TAG_NAME="feature-${SHORT_SHA}"
+          fi
+
+          echo "tag=${TAG_NAME}" >> "$GITHUB_OUTPUT"
+          echo "Determined image tag: ${TAG_NAME}"
+
+  build-and-publish:
+    name: Build and Publish to Registry
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
+      image-tag: ${{ needs.prepare.outputs.tag }}
+      dockerfile: Dockerfile
+      context: .
+      platforms: linux/amd64
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,42 @@
+# Multi-stage Dockerfile for iExec tee-worker-pre-compute API
+# Stage 1: Build stage with Rust toolchain
+FROM rust:1.88-alpine3.20 AS builder
+
+# Install build dependencies
+RUN apk add --no-cache \
+    openssl-dev \
+    musl-dev \
+    gcc \
+    libc-dev
+
+WORKDIR /app
+
+# Copy Cargo files first for better caching
+COPY Cargo.* /app/
+
+# Create a dummy main.rs to build dependencies
+RUN mkdir src && \
+    echo "fn main() {}" > src/main.rs && \
+    cargo build --release && \
+    rm -rf src
+
+# Copy source code
+COPY src/ /app/src/
+
+# Build the application
+RUN cargo build --release --bin tee-worker-pre-compute
+
+# Stage 2: Runtime stage with minimal image
+FROM alpine:3.22.1 AS runtime
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder stage
+COPY --from=builder /app/target/release/tee-worker-pre-compute /app/tee-worker-pre-compute
+
+# Expose port
+EXPOSE 3000
+
+# Run the application
+CMD ["/app/tee-worker-pre-compute"]