
ci: use crane flake to build with nix
This makes it possible to add cargo `fmt`, `clippy` and `deny` to nix, using cached results.

Move the `teepot` crate to the `crates` subdir to make the life easier for
the `crane` flake.

Signed-off-by: Harald Hoyer <[email protected]>
haraldh committed Mar 11, 2024
1 parent 1249048 commit 0654bac
Showing 41 changed files with 314 additions and 141 deletions.
30 changes: 25 additions & 5 deletions .github/workflows/lint.yml
Expand Up @@ -16,18 +16,38 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Setup Rust toolchain
run: rustup show
- run: cargo fmt --all -- --check
- uses: cachix/install-nix-action@v26
with:
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- name: cargo fmt
run: nix build -L .#cargoFmt

deny:
name: cargo deny
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- uses: EmbarkStudios/cargo-deny-action@v1
- uses: cachix/install-nix-action@v26
with:
arguments: --workspace
extra_nix_config: |
access-tokens = github.com=${{ github.token }}
- uses: cachix/cachix-action@v14
with:
name: nixsgx
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- name: cargo deny
run: nix build -L .#cargoDeny

check-spdx-headers:
runs-on: ubuntu-latest
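Review bot: The new setup steps reference third-party actions by mutable refs — `cachix/install-nix-action@v26`, `cachix/cachix-action@v14` and, most exposed, `DeterminateSystems/magic-nix-cache-action@main` — while `actions/checkout` in the same job is pinned to a commit SHA with the version kept as a comment. A branch or tag can be moved by the action's publisher, so the job's contents are not reproducible and an upstream change lands here without any diff in this repository. Pin each to a full commit SHA in the same shape as the checkout line, e.g. `uses: DeterminateSystems/magic-nix-cache-action@<commit-sha> # <version>`. The same four-step prologue is repeated in the `deny` job below and in every job of .github/workflows/nix.yml, so the pinning applies there as well; the `check-spdx-headers` job at the end of the hunk continues outside it.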
23 changes: 16 additions & 7 deletions .github/workflows/nix.yml
Expand Up @@ -11,7 +11,7 @@ concurrency:
cancel-in-progress: true

jobs:
check:
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
Expand All @@ -22,11 +22,14 @@ jobs:
- uses: cachix/cachix-action@v14
with:
name: nixsgx
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- run: nix flake check -L --show-trace --keep-going
- run: nix fmt . -- --check

fmt:
clippy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
Expand All @@ -37,11 +40,16 @@ jobs:
- uses: cachix/cachix-action@v14
with:
name: nixsgx
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- run: nix fmt . -- --check
- name: cargo clippy
run: nix build -L .#cargoClippy

clippy:
check:
needs: clippy
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
Expand All @@ -52,14 +60,15 @@ jobs:
- uses: cachix/cachix-action@v14
with:
name: nixsgx
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
extraPullNames: vault-auth-tee
- name: Enable magic Nix cache
uses: DeterminateSystems/magic-nix-cache-action@main

- name: cargo clippy
run: nix develop -L --ignore-environment -c cargo clippy --all
- run: nix flake check -L --show-trace --keep-going

build:
needs: check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
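Review bot: The cachix write credential `authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'` is present in the `fmt`, `clippy` and `check` jobs, while the corresponding jobs in lint.yml run the same cachix-action pull-only; the two workflows have drifted because the install-nix/cachix/magic-nix-cache prologue is hand-copied into every job of both files. If these jobs are meant to populate the nixsgx cache — the commit message's "using cached results" suggests so — a comment on the token line such as `# write access: this job pushes its build results to the nixsgx cache` would make that deliberate; if not, the token belongs only in the job that publishes. Either way, moving the prologue into a composite action or a reusable workflow leaves one copy to review instead of six. Each job's step list continues outside the hunks shown here.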
8 changes: 4 additions & 4 deletions Cargo.lock


56 changes: 3 additions & 53 deletions Cargo.toml
@@ -1,56 +1,6 @@
[package]
name = "teepot"
description = "TEE secret manager"
# no MIT license, because of copied code from:
# * https://github.com/enarx/enarx
# * https://github.com/enarx/sgx
license = "Apache-2.0"
version.workspace = true
edition.workspace = true
authors.workspace = true
repository.workspace = true

[dependencies]
actix-http.workspace = true
actix-web.workspace = true
anyhow.workspace = true
awc.workspace = true
bytemuck.workspace = true
bytes.workspace = true
clap.workspace = true
const-oid.workspace = true
enumset.workspace = true
futures-core.workspace = true
getrandom.workspace = true
hex.workspace = true
intel-tee-quote-verification-rs.workspace = true
num-integer.workspace = true
num-traits.workspace = true
p256.workspace = true
pgp.workspace = true
pkcs8.workspace = true
rand.workspace = true
rsa.workspace = true
rustls.workspace = true
serde.workspace = true
serde_json.workspace = true
serde_with.workspace = true
sha2.workspace = true
signature.workspace = true
thiserror.workspace = true
tracing.workspace = true
webpki-roots.workspace = true
x509-cert.workspace = true
zeroize.workspace = true

[dev-dependencies]
anyhow.workspace = true
base64.workspace = true
hex.workspace = true
testaso.workspace = true

[workspace]
members = ["crates/*", "bin/*"]
resolver = "2"

[workspace.package]
version = "0.1.0"
Expand Down Expand Up @@ -78,7 +28,7 @@ enumset = { version = "1.1", features = ["serde", "std"] }
futures-core = { version = "0.3.30", features = ["alloc"], default-features = false }
getrandom = "0.2.12"
hex = { version = "0.4.3", features = ["std"], default-features = false }
intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs", version = "0.2.1" }
intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs" }
intel-tee-quote-verification-sys = { version = "0.2.1" }
k256 = "0.13"
log = "0.4"
Expand All @@ -99,7 +49,7 @@ serde_json = "1"
serde_with = { version = "3.6", features = ["base64", "hex"] }
sha2 = "0.10.8"
signature = "2.2.0"
teepot = { path = "." }
teepot = { path = "crates/teepot" }
testaso = "0.1.0"
thiserror = "1.0.57"
tokio = { version = "1", features = ["sync", "macros", "rt-multi-thread", "fs", "time"] }
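Review bot: `intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs" }` drops the `version = "0.2.1"` that the old line carried, while `intel-tee-quote-verification-sys = { version = "0.2.1" }` on the next line keeps its version. Cargo refuses to publish a crate whose dependency has only a `path`, and the workspace no longer states which version it expects to find at that path. If publishing is not a goal the change is harmless, but it should be deliberate; otherwise keep `intel-tee-quote-verification-rs = { path = "crates/intel-tee-quote-verification-rs", version = "0.2.1" }`. The `[workspace.dependencies]` table this hunk edits starts outside the hunk.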
2 changes: 1 addition & 1 deletion bin/tee-vault-admin/src/main.rs
Expand Up @@ -117,7 +117,7 @@ mod tests {
use serde_json::json;
use teepot::json::http::{VaultCommand, VaultCommands};

const TEST_DATA: &str = include_str!("../../../tests/data/test.json");
const TEST_DATA: &str = include_str!("../../../crates/teepot/tests/data/test.json");

#[test]
fn test_vault_commands() {
50 changes: 50 additions & 0 deletions crates/teepot/Cargo.toml
@@ -0,0 +1,50 @@
[package]
name = "teepot"
description = "TEE secret manager"
# no MIT license, because of copied code from:
# * https://github.com/enarx/enarx
# * https://github.com/enarx/sgx
license = "Apache-2.0"
version.workspace = true
edition.workspace = true
authors.workspace = true
repository.workspace = true

[dependencies]
actix-http.workspace = true
actix-web.workspace = true
anyhow.workspace = true
awc.workspace = true
bytemuck.workspace = true
bytes.workspace = true
clap.workspace = true
const-oid.workspace = true
enumset.workspace = true
futures-core.workspace = true
getrandom.workspace = true
hex.workspace = true
intel-tee-quote-verification-rs.workspace = true
num-integer.workspace = true
num-traits.workspace = true
p256.workspace = true
pgp.workspace = true
pkcs8.workspace = true
rand.workspace = true
rsa.workspace = true
rustls.workspace = true
serde.workspace = true
serde_json.workspace = true
serde_with.workspace = true
sha2.workspace = true
signature.workspace = true
thiserror.workspace = true
tracing.workspace = true
webpki-roots.workspace = true
x509-cert.workspace = true
zeroize.workspace = true

[dev-dependencies]
anyhow.workspace = true
base64.workspace = true
hex.workspace = true
testaso.workspace = true
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
3 changes: 2 additions & 1 deletion src/sgx/sign.rs → crates/teepot/src/sgx/sign.rs
@@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023 Matter Labs
// Copyright (c) 2023-2024 Matter Labs

// Copyright (c) The Enarx Project Developers https://github.com/enarx/sgx

Expand Down Expand Up @@ -357,6 +357,7 @@ mod test {
}

#[test]
#[allow(clippy::unusual_byte_groupings)]
fn author_instantiation() {
let author = Author::new(0x2000_03_30, 0u32);
assert_eq!(author.header1, Author::HEADER1);
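Review bot: `#[allow(clippy::unusual_byte_groupings)]` on `author_instantiation` silences the lint for `0x2000_03_30` without recording why that grouping is intentional, so a later reader cannot tell whether the allow can be dropped. A one-line comment above the attribute, e.g. `// grouping of 0x2000_03_30 is intentional: <reason>` with the reason filled in, would justify it; the meaning of the first argument to `Author::new` is not visible in this hunk, so I cannot supply it. The test body continues outside the hunk.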
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
13 changes: 5 additions & 8 deletions deny.toml
Expand Up @@ -29,7 +29,7 @@ allow = [
"Unlicense",
"MPL-2.0",
"Unicode-DFS-2016",
"CC0-1.0",
# "CC0-1.0", # not yet seen
"BSD-2-Clause",
"BSD-3-Clause",
"OpenSSL",
Expand Down Expand Up @@ -65,12 +65,9 @@ skip-tree = []
unknown-registry = "warn"
unknown-git = "warn"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = [
# we need the mio override to disable eventfd for SGX
"https://github.com/tokio-rs/mio?rev=ec0776f5af29548e4e1f48f86f5fa123a46caa07#ec0776f5af29548e4e1f48f86f5fa123a46caa07",
]
# allow-git = []

[sources.allow-org]
github = [""]
gitlab = [""]
bitbucket = [""]
#github = [""]
#gitlab = [""]
#bitbucket = [""]
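Review bot: Emptying the git allow-list to `# allow-git = []` only has teeth if `unknown-git` is `deny`; the context line three above still reads `unknown-git = "warn"`, so a git dependency re-introduced later (the mio override this hunk removes was one) most likely produces a warning that `nix build -L .#cargoDeny` does not fail on. The same applies to `unknown-registry = "warn"`. For a workspace described as a TEE secret manager, `unknown-git = "deny"` and `unknown-registry = "deny"` would turn the source policy into an enforced check rather than advice. The `[sources]` table header sits above this hunk.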
21 changes: 21 additions & 0 deletions flake.lock


22 changes: 22 additions & 0 deletions flake.nix
@@ -1,6 +1,13 @@
{
description = "teepot";

nixConfig.extra-substituters = [
"https://nixsgx.cachix.org"
];
nixConfig.extra-trusted-public-keys = [
"nixsgx.cachix.org-1:tGi36DlY2joNsIXOlGnSgWW0+E094V6hW0umQRo/KoE="
];

inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";

Expand All @@ -23,6 +30,11 @@
url = "github:oxalica/rust-overlay?rev=3ad32bb27c700b59306224e285b66577e3532dfc";
inputs.nixpkgs.follows = "nixpkgs";
};

crane = {
url = "github:ipetkov/crane";
inputs.nixpkgs.follows = "nixpkgs";
};
};

outputs = inputs:
Expand All @@ -49,6 +61,16 @@

outputs-builder = channels: {
formatter = channels.nixpkgs.nixpkgs-fmt;

checks = {
inherit
(channels.nixpkgs.teepot) cargoFmt;
inherit
(channels.nixpkgs.teepot) cargoClippy;
inherit
(channels.nixpkgs.teepot) cargoDeny;
};

};
};
}
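Review bot: The three separate `inherit (channels.nixpkgs.teepot) …;` statements in `checks` can be one, `inherit (channels.nixpkgs.teepot) cargoFmt cargoClippy cargoDeny;`, which also makes it obvious the three checks share a source. Separately, the new `crane` input is a bare `github:ipetkov/crane` while `rust-overlay` just above pins `?rev=…`; flake.lock, changed in this commit, freezes crane too, so this is a consistency question rather than a defect — pin both in flake.nix or rely on the lock for both, but say which. `channels.nixpkgs.teepot` is referenced here but defined outside this hunk.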
