ci: sgx ci/cd

[maceip]

ci: tee ci/cd to build and deploy sgx notary-server
Note: the cd script is temporary and should not live beyond 2024. I will replace the janky reverse proxy update.sh and docker kill / start logic with k8s / compose / helm

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 54.32%. Comparing base (61ff3a8) to head (90c495b).
Report is 4 commits behind head on dev.

Additional details and impacted files

@@            Coverage Diff             @@
##              dev     #631      +/-   ##
==========================================
- Coverage   54.40%   54.32%   -0.09%     
==========================================
  Files         191      192       +1     
  Lines       20454    20487      +33     
==========================================
+ Hits        11129    11130       +1     
- Misses       9325     9357      +32     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[heeckhau]

only for this branch?

[heeckhau]

Does anything need to happen to the result? Store or check maybe?

[heeckhau]

Is this temporary?

[heeckhau]

Move to script

[heeckhau]

remove?

[heeckhau]

???

[heeckhau]

No need to add directory of dockerfile here? context argument?

[yuroitaki]

🚀 great stuff especially with the caddy reverse proxy! pretty much covered all the main features the current aws deployment setup has; the only missing piece is stopping the oldest version in the server upon a new release — currently we only maintain the 3 latest versions

[yuroitaki]

does github.event.repository.updated_at always refer to the timestamp of the head commit? It seems like the timestamp ll also be updated if someone updates e.g. the description of the repo (https://github.com/orgs/community/discussions/24442)

[maceip]

• help me understand how you are using the timestamp value downstream
• how would this workflow get triggered in a way where the timestamp value was wrong?
  • is someone updating the description not a relevant timestamp update?

[yuroitaki]

The timestamp ll be returned as part of the /info endpoint:

{
    "version": "0.1.0-alpha.7",
    "publicKey": "-----BEGIN PUBLIC KEY----- ...",
    "gitCommitHash": "99e02fb388c2e791d03c3426bd0411395bfaf453",
    "gitCommitTimestamp": "2024-10-14T20:23:19+02:00"
}

It's just an extra metadata to let end user know 'when' the code running in the server was last updated, as it's the timestamp of "gitCommitHash", the head commit.

So ya it shouldn't be the timestamp when someone updates the repo description / create a wiki page some time after the head commit is committed.

[yuroitaki]

tlsn release workflow is triggered by a push of the new version tag to GH upstream, so the event_name should be push instead, together with an extra tag check, i.e. if [ "${{ github.event_name }}" = "push" ] && [[ "${{ github.ref }}" = "refs/tags/"* ]]

[maceip]

the spirit of this line is to make sure caching is off if the event that triggered the workflow is 'release'. are you suggesting that this does not work?

[yuroitaki]

since we do tag push to trigger release, instead of github.event.release.tag_name, it should be $GITHUB_REF_NAME

[maceip]

• why does github.event.release.tag_name not suffice here?

[yuroitaki]

can we add a check to ensure that these cd steps only run after the ci integration test passes, i.e. https://github.com/tlsnotary/tlsn/blob/main/.github/workflows/cd-server.yml#L47-L56

[maceip]

• the trigger is on release publish, so implicity the ci step would have ran ? Or is there something im missing?

[maceip]

• going to refactor this to be a core part of cd, needs more testing

• initially this was built as a sidecar deployment, hence the trigger being post-release.

[yuroitaki]

For the other comments on the release trigger: instead of the release-triggered ci/cd approach, tlsn uses the tag-triggered approach — I think we prefer to ensure the new version is successfully deployed and running before the release is announced.

Anyway, as discussed yesterday in the meeting, since this tee-ci/cd will one day replace cd-server.yml (the current aws deployment), I think this ci/cd can just run upon successful completion of the ci.yml integration test job? like this

[maceip]

For the other comments on the release trigger: instead of the release-triggered ci/cd approach, tlsn uses the tag-triggered approach — I think we prefer to ensure the new version is successfully deployed and running before the release is announced.

Anyway, as discussed yesterday in the meeting, since this tee-ci/cd will one day replace cd-server.yml (the current aws deployment), I think this ci/cd can just run upon successful completion of the ci.yml integration test job? like this

100

i just commented somewhere above im refactoring it to fit in with cd.yml, and not as a sidecar/lesser cd -- needs more testing but will have a cut tmmrw and will ping you

[heeckhau]

Suggested change

	# what this is supposed to do -> $ref is the tag: e.g., v0.1.0-alpha.7; pass the $ref string to the cd script and update reverse proxy / deploy
	# pass the $ref string to the cd script and update reverse proxy / deploy
	# $ref is the tag: e.g., v0.1.0-alpha.7

[heeckhau]

Suggested change

	trigger-deployment:
	trigger-tee-deployment:

[heeckhau]

remove or activate?

[yuroitaki]

wouldn't this deployment run everytime a PR is raised? as the trigger condition in this ci.yml is

on:
  push:
    branches:
      - dev
    tags:
      - "[v]?[0-9]+.[0-9]+.[0-9]+*"
  pull_request:
     ...

[heeckhau]

We can add this to the trigger-tee-deployment job:

    # only for dev branch and tags
    if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/dev')