iExecBlockchainComputing · nabil-Tounarti · Aug 28, 2025 · Aug 13, 2025 · Aug 18, 2025 · Aug 18, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,35 @@
+# Git
+.git
+.gitignore
+
+# Rust
+target/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+
+# Documentation
+README.md
+docs/
+
+# Docker
+Dockerfile
+.dockerignore
+
+# CI/CD
+.github/
+
+# Tests
+tests/
+**/*_test.rs
+**/*_tests.rs
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,6 +2,7 @@ name: Rust CI
 
 on:
   pull_request:
+    types: [opened]
   push:
 
 jobs:
@@ -12,3 +13,47 @@ jobs:
       working-directory: "."
       enable-cache: true
       publish-crates-io: false
+
+  prepare:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    if: github.ref_name == 'main' || startsWith(github.ref_name, 'feature/') || startsWith(github.ref_name, 'bugfix/')
+    outputs:
+      tag: ${{ steps.determine-tag.outputs.tag }}
+    steps:
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-8)
+
+          if [[ "${{ github.ref_name }}" == "main" ]]; then
+            TAG_NAME="dev-${SHORT_SHA}"
+            echo "Processing main branch push -> ${TAG_NAME}"
+          else
+            # This covers feature/ and bugfix/ branches
+            TAG_NAME="feature-${SHORT_SHA}"
+            echo "Processing feature/bugfix branch: ${{ github.ref_name }} -> ${TAG_NAME}"
+          fi
+
+          echo "tag=${TAG_NAME}" >> "$GITHUB_OUTPUT"
+          echo "Determined image tag: ${TAG_NAME}"
+
+  build-and-publish:
+    name: Build and Publish to Registry
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
+      image-tag: ${{ needs.prepare.outputs.tag }}
+      dockerfile: Dockerfile
+      context: .
+      platforms: linux/amd64
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/.github/workflows/docker-build-on-tag.yaml b/.github/workflows/docker-build-on-tag.yaml
@@ -0,0 +1,56 @@
+name: Build and Push OCI Image
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  prepare:
+    name: Determine Image Tag
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.determine-tag.outputs.tag }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine Docker tag based on Git ref
+        id: determine-tag
+        run: |
+          # Since this workflow only triggers on tags matching 'v*.*.*' we know we're always dealing with a version tag, we know we're always dealing with a version tag
+          TAG_BRANCHES=$(git branch -r --contains ${{ github.sha }} | grep -E '(origin/main|origin/master)' || true)
+
+          if [[ -n "$TAG_BRANCHES" ]]; then
+            TAG_NAME="${{ github.ref_name }}"
+            TAG_NAME="${TAG_NAME#v}"  # Remove 'v' prefix
+            echo "Processing tag on main branch: ${{ github.ref_name }} -> ${TAG_NAME}"
+          else
+            echo "Error: Tag ${{ github.ref_name }} is not on main branch"
+            echo "Tags must be created on main branch to generate X.Y.Z image tags"
+            exit 1
+          fi
+
+          echo "tag=${TAG_NAME}" >> "$GITHUB_OUTPUT"
+          echo "Determined image tag: ${TAG_NAME}"
+
+  build-and-publish:
+    name: Build and Publish to Registry On Tag
+    needs: prepare
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/docker-build.yml@main
+    with:
+      image-name: docker-regis.iex.ec/tee-worker-pre-compute-rust
+      image-tag: ${{ needs.prepare.outputs.tag }}
+      dockerfile: Dockerfile
+      context: .
+      platforms: linux/amd64
+      registry: docker-regis.iex.ec
+      push: true
+      security-scan: true
+      security-report: "sarif"
+      hadolint: true
+    secrets:
+      username: ${{ secrets.NEXUS_USERNAME }}
+      password: ${{ secrets.NEXUS_PASSWORD }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,26 @@
+FROM rust:1.88-alpine3.22 AS builder
+
+# Install build dependencies
+RUN apk add --no-cache musl-dev openssl-dev
+
+WORKDIR /app
+
+# Copy manifest and source files
+COPY . .
+
+# Build the application
+RUN cargo build --release
+
+FROM alpine:3.22
+
+# Install required runtime dependencies
+RUN apk add --no-cache libgcc
+
+# Set working directory
+WORKDIR /app
+
+# Copy the binary from builder stage
+COPY --from=builder /app/target/release/tee-worker-pre-compute .
+
+# Run the application
+CMD ["/app/tee-worker-pre-compute"]