From c7970595974b8c8f6eb06a446c62620bcf2b821f Mon Sep 17 00:00:00 2001
From: Evan Sangaline
Date: Sat, 24 Feb 2024 18:20:22 -0700
Subject: [PATCH] Add production deployment for circomspect

This adds a new github actions workflow which builds and deploys optimized images for every circomspect tag. This runs whenever a PR is delivered, and also runs nightly at 3 or 4am Eastern. The workflow can also be run manually. The PR job now deploys all of the images with a `dev` tag instead of `latest`.

Merges #8
---
 .github/workflows/deploy.yaml | 64 +++++++++++++++++++++++
 .github/workflows/{build.yaml => pr.yaml} | 12 ++---
 images/circomspect/Dockerfile | 4 +-
 images/circomspect/test.sh | 12 +----
 scripts/list-tags.sh | 20 +++++++
 5 files changed, 93 insertions(+), 19 deletions(-)
 create mode 100644 .github/workflows/deploy.yaml
 rename .github/workflows/{build.yaml => pr.yaml} (85%)
 create mode 100755 scripts/list-tags.sh

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 0000000..951e56c
--- /dev/null
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,64 @@
+name: Build and Deploy Tagged Versions
+
+on:
+  # Runs on pushes targeting the default branch.
+  push:
+    branches: ["main"]
+
+  # Allows you to run this workflow manually from the Actions tab.
+  workflow_dispatch:
+
+  schedule:
+    # Runs at 08:00 UTC every day, 3 or 4am Eastern depending on DST.
+    - cron: "0 8 * * *"
+
+jobs:
+  deploy:
+    strategy:
+      matrix:
+        include:
+          - image: "circomspect"
+            github_repository: "trailofbits/circomspect"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install SlimTookit
+        run: |
+          curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -
+
+      - name: Build and Deploy Images
+        run: |
+          echo "Building all tags for ${{ matrix.github_repository }}..."
+          for tag in $(./scripts/list-tags.sh ${{ matrix.github_repository }}); do
+            echo "Freeing up disk space with docker prune..."
+            docker system prune --all --force --volumes
+
+            echo "Building ${{ matrix.image }}:${tag}..."
+            docker buildx build -f images/${{ matrix.image }}/Dockerfile --build-arg "TAG=${tag}" -t ${{ matrix.image }}:unoptimized --load images/${{ matrix.image }}/
+
+            echo "Optimizing ${{ matrix.image }}:${tag}..."
+            slim build --target ${{ matrix.image }}:unoptimized \
+              --tag "sindrilabs/${{ matrix.image }}:${tag}" \
+              --tag sindrilabs/${{ matrix.image }}:latest \
+              --http-probe=false \
+              --exclude-pattern '/tmp/*' \
+              --mount "./images/${{ matrix.image }}/:/sindri/" \
+              --exec "./test.sh"
+
+            echo "Publishing ${{ matrix.image }}:${tag}..."
+            docker push "sindrilabs/${{ matrix.image }}:${tag}"
+          done
+
+          echo "Publishing ${{ matrix.image }}:latest..."
+          docker push sindrilabs/${{ matrix.image }}:latest
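Review bot: The `Install SlimTookit` step runs `curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -`, which executes whatever that third-party repository's `master` branch contains at run time, as root, on a runner that has just authenticated to DockerHub with the credentials used to publish `sindrilabs/*`; pinning the installer to a release tag or commit and verifying its digest before running it would take that unreviewed code path out of the nightly publish. `docker/login-action@v1` is also two majors behind the other actions in this file (`checkout@v4`, `setup-buildx-action@v3`) and the v1 line targets a deprecated Node runtime, so `uses: docker/login-action@v3` is the matching fix. The step name has a typo: `name: Install SlimToolkit`. Since the job only reads the repository, a top-level `permissions: { contents: read }` would keep the default `GITHUB_TOKEN` at least privilege.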
diff --git a/.github/workflows/build.yaml b/.github/workflows/pr.yaml
similarity index 85%
rename from .github/workflows/build.yaml
rename to .github/workflows/pr.yaml
index 334fb02..1ffbfba 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/pr.yaml
@@ -1,14 +1,10 @@
-name: Build Images
+name: Build Dev Images
 
 on:
-  push:
-    branches: ["main"]
-    tags:
-      - "v*"
   pull_request:
 
 jobs:
-  build:
+  pr:
     strategy:
       matrix:
         image: ["circom", "circomspect", "nargo", "snarkjs"]
@@ -37,7 +33,7 @@ jobs:
       - name: Build Optimized Image
         run: |
           slim build --target ${{ matrix.image }}:unoptimized \
-            --tag sindrilabs/${{ matrix.image }}:latest \
+            --tag sindrilabs/${{ matrix.image }}:dev \
             --http-probe=false \
             --exclude-pattern '/tmp/*' \
             --mount "./images/${{ matrix.image }}/:/sindri/" \
@@ -45,4 +41,4 @@ jobs:
 
       - name: Deploy to DockerHub
         run: |
-          docker push sindrilabs/${{ matrix.image }}:latest
+          docker push sindrilabs/${{ matrix.image }}:dev
diff --git a/images/circomspect/Dockerfile b/images/circomspect/Dockerfile
index d1bf550..03dc10e 100644
--- a/images/circomspect/Dockerfile
+++ b/images/circomspect/Dockerfile
@@ -1,5 +1,7 @@
 FROM node:lts-bookworm-slim
 
+ARG TAG=main
+
 # Install Rust.
 RUN apt update && apt install -y curl bash gcc git tar gzip libc++-dev
 RUN curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf > /tmp/rustup.sh \
@@ -9,7 +11,7 @@ RUN curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf > /tmp/rustup.sh \
 ENV PATH="/root/.cargo/bin:$PATH"
 
 # Install Circomspect.
-RUN git clone https://github.com/trailofbits/circomspect.git \
+RUN git clone --depth 1 --branch "${TAG}" https://github.com/trailofbits/circomspect.git \
     && cd circomspect \
     && cargo build --release \
     && cargo install --path cli
diff --git a/images/circomspect/test.sh b/images/circomspect/test.sh
index f42fbfc..8286000 100755
--- a/images/circomspect/test.sh
+++ b/images/circomspect/test.sh
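Review bot: The `Deploy to DockerHub` step in the last pr.yaml hunk still runs `docker push sindrilabs/${{ matrix.image }}:dev` on every `pull_request` event, so the Dockerfile and `test.sh` changes of any opened PR become the public `dev` image before they are reviewed; for PRs from forks the DockerHub secrets are not exposed and the push step simply fails. Guarding the push with `if: github.event.pull_request.head.repo.full_name == github.repository` (or requiring a maintainer-applied label) keeps the build-and-test coverage for every PR while limiting who can publish. The job's earlier steps are outside the hunks shown.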
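Review bot: `git clone --depth 1 --branch "${TAG}"` in the second Dockerfile hunk builds from a mutable ref — a branch name by default (`ARG TAG=main` in the first hunk) and, for releases, a tag that upstream can move — so two builds of the same `TAG` can differ with no record of which upstream commit was compiled. Capturing the resolved revision in the image, for example `&& git rev-parse HEAD > /circomspect.commit \` between the `cd circomspect` and `cargo build` lines (or a `LABEL` populated from it), would let a published image be traced back to its source; accepting an explicit commit SHA as a second build argument is the stronger option if reproducibility matters. This note covers both Dockerfile hunks; the first only introduces the argument.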
@@ -1,15 +1,7 @@
 #! /bin/sh -e
 
-# Analyze circuit.
-circomspect -l INFO -v circuit.circom
-
 # Show help information.
 circomspect --help
 
-# Test analysis with each supported curve.
-for curve in BN254 BLS12_381 GOLDILOCKS; do
-  circomspect -c $curve circuit.circom
-done
-
-# Output analysis results to a Sarif file.
-circomspect -s analysis.sarif circuit.circom
+# Analyze circuit and write results to a Sarif file.
+circomspect -l INFO -v --allow CS0003 --allow CS0004 --allow CS0005 --allow CS0010 --allow CS0014 --allow P1004 -s analysis.sarif circuit.circom
diff --git a/scripts/list-tags.sh b/scripts/list-tags.sh
new file mode 100755
index 0000000..d2672e6
--- /dev/null
+++ b/scripts/list-tags.sh
@@ -0,0 +1,20 @@
+#! /bin/bash
+
+# Parse the arguments and log usage.
+if [ "$#" -ne 1 ]; then
+  echo "Usage: $0 username/repository"
+  exit 1
+fi
+REPO_URL="https://github.com/$1.git"
+
+# Make a temporary directory to clone the repo and ensure it's cleaned up after.
+TEMP_DIR=$(mktemp -d)
+trap "rm -rf $TEMP_DIR" EXIT
+
+# Clone the repository.
+git clone --bare --depth 1 $REPO_URL $TEMP_DIR > /dev/null 2>&1
+cd $TEMP_DIR
+git fetch --depth=1 origin +refs/tags/*:refs/tags/* > /dev/null 2>&1
+
+# List and sort tags by date, from oldest to newest.
+git for-each-ref --sort=creatordate --format '%(refname:short)' refs/tags | grep '^v'
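Review bot: The new `circomspect` invocation in test.sh suppresses six checks (`--allow CS0003` through `--allow P1004`) without saying why each is acceptable for the bundled `circuit.circom`, so a future failure cannot be told apart from a check that merely needs one more `--allow`. Add a comment above the command along the lines of `# The allowed checks are expected findings for circuit.circom; anything else makes the smoke test fail.` (adjusted to the real reason), and either keep one per-curve `-c` run or note why that coverage was dropped, since the rewritten test no longer exercises the curve option at all. I am assuming from the `#! /bin/sh -e` shebang that a non-allowed finding makes circomspect exit non-zero — worth confirming.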
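Review bot: `scripts/list-tags.sh` hides every failure: there is no `set -e`, and both `git clone` and `git fetch` discard stderr, so when the clone fails (network error, wrong `username/repository`) the script still runs `cd $TEMP_DIR`, prints an empty list and exits 0, and the deploy job's `for tag in $(...)` loop silently builds nothing before attempting to push `:latest`. Add `set -euo pipefail` after the shebang, keep stderr visible by redirecting only stdout, and quote the expansions: `git clone --bare --depth 1 "$REPO_URL" "$TEMP_DIR" > /dev/null` and `cd "$TEMP_DIR"`. With `pipefail` an empty tag list makes the final `grep '^v'` exit 1, which is a useful signal but one the caller's command substitution does not check, so the workflow should also fail explicitly when the list comes back empty.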