Add production deployment for circomspect

This adds a new github actions workflow which builds and deploys optimized images for every circomspect tag. This runs whenever a PR is delivered, and also runs nightly at 3 or 4am Eastern. The workflow can also be run manually. The PR job now deploys all of the images with a `dev` tag instead of `latest`. Merges #8
Sindri-Labs · Feb 25, 2024 · c797059 · c797059
1 parent 94195d0
commit c797059
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 19 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -0,0 +1,64 @@
+name: Build and Deploy Tagged Versions
+
+on:
+  # Runs on pushes targeting the default branch.
+  push:
+    branches: ["main"]
+
+  # Allows you to run this workflow manually from the Actions tab.
+  workflow_dispatch:
+
+  schedule:
+    # Runs at 08:00 UTC every day, 3 or 4am Eastern depending on DST.
+    - cron: "0 8 * * *"
+
+jobs:
+  deploy:
+    strategy:
+      matrix:
+        include:
+          - image: "circomspect"
+            github_repository: "trailofbits/circomspect"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Install SlimTookit
+        run: |
+          curl -sL https://raw.githubusercontent.com/slimtoolkit/slim/master/scripts/install-slim.sh | sudo -E bash -
+
+      - name: Build and Deploy Images
+        run: |
+          echo "Building all tags for ${{ matrix.github_repository }}..."
+          for tag in $(./scripts/list-tags.sh ${{ matrix.github_repository }}); do
+            echo "Freeing up disk space with docker prune..."
+            docker system prune --all --force --volumes
+
+            echo "Building ${{ matrix.image }}:${tag}..."
+            docker buildx build -f images/${{ matrix.image }}/Dockerfile --build-arg "TAG=${tag}" -t ${{ matrix.image }}:unoptimized --load images/${{ matrix.image }}/
+
+            echo "Optimizing ${{ matrix.image }}:${tag}..."
+            slim build --target ${{ matrix.image }}:unoptimized \
+              --tag "sindrilabs/${{ matrix.image }}:${tag}" \
+              --tag sindrilabs/${{ matrix.image }}:latest \
+              --http-probe=false \
+              --exclude-pattern '/tmp/*' \
+              --mount "./images/${{ matrix.image }}/:/sindri/" \
+              --exec "./test.sh"
+
+            echo "Publishing ${{ matrix.image }}:${tag}..."
+            docker push "sindrilabs/${{ matrix.image }}:${tag}"
+          done
+
+          echo "Publishing ${{ matrix.image }}:latest..."
+          docker push sindrilabs/${{ matrix.image }}:latest
diff --git a/.github/workflows/build.yaml → .github/workflows/pr.yaml b/.github/workflows/build.yaml → .github/workflows/pr.yaml
@@ -1,14 +1,10 @@
-name: Build Images
+name: Build Dev Images
 
 on:
-  push:
-    branches: ["main"]
-    tags:
-      - "v*"
   pull_request:
 
 jobs:
-  build:
+  pr:
     strategy:
       matrix:
         image: ["circom", "circomspect", "nargo", "snarkjs"]
@@ -37,12 +33,12 @@ jobs:
       - name: Build Optimized Image
         run: |
           slim build --target ${{ matrix.image }}:unoptimized \
-            --tag sindrilabs/${{ matrix.image }}:latest \
+            --tag sindrilabs/${{ matrix.image }}:dev \
             --http-probe=false \
             --exclude-pattern '/tmp/*' \
             --mount "./images/${{ matrix.image }}/:/sindri/" \
             --exec "./test.sh"
 
       - name: Deploy to DockerHub
         run: |
-          docker push sindrilabs/${{ matrix.image }}:latest
+          docker push sindrilabs/${{ matrix.image }}:dev
diff --git a/images/circomspect/Dockerfile b/images/circomspect/Dockerfile
@@ -1,5 +1,7 @@
 FROM node:lts-bookworm-slim
 
+ARG TAG=main
+
 # Install Rust.
 RUN apt update && apt install -y curl bash gcc git tar gzip libc++-dev
 RUN curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf > /tmp/rustup.sh \
@@ -9,7 +11,7 @@ RUN curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf > /tmp/rustup.sh \
 ENV PATH="/root/.cargo/bin:$PATH"
 
 # Install Circomspect.
-RUN git clone https://github.com/trailofbits/circomspect.git \
+RUN git clone --depth 1 --branch "${TAG}" https://github.com/trailofbits/circomspect.git \
     && cd circomspect \
     && cargo build --release \
     && cargo install --path cli

diff --git a/images/circomspect/test.sh b/images/circomspect/test.sh
@@ -1,15 +1,7 @@
 #! /bin/sh -e
 
-# Analyze circuit.
-circomspect -l INFO -v circuit.circom
-
 # Show help information.
 circomspect --help
 
-# Test analysis with each supported curve.
-for curve in BN254 BLS12_381 GOLDILOCKS; do
-    circomspect -c $curve circuit.circom
-done
-
-# Output analysis results to a Sarif file.
-circomspect -s analysis.sarif circuit.circom
+# Analyze circuit and write results to a Sarif file.
+circomspect -l INFO -v --allow CS0003 --allow CS0004 --allow CS0005 --allow CS0010 --allow CS0014 --allow P1004 -s analysis.sarif circuit.circom
diff --git a/scripts/list-tags.sh b/scripts/list-tags.sh
@@ -0,0 +1,20 @@
+#! /bin/bash
+
+# Parse the arguments and log usage.
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 username/repository"
+    exit 1
+fi
+REPO_URL="https://github.com/$1.git"
+
+# Make a temporary directory to clone the repo and ensure it's cleaned up after.
+TEMP_DIR=$(mktemp -d)
+trap "rm -rf $TEMP_DIR" EXIT
+
+# Clone the repository.
+git clone --bare --depth 1 $REPO_URL $TEMP_DIR > /dev/null 2>&1
+cd $TEMP_DIR
+git fetch --depth=1 origin +refs/tags/*:refs/tags/* > /dev/null 2>&1
+
+# List and sort tags by date, from oldest to newest.
+git for-each-ref --sort=creatordate --format '%(refname:short)' refs/tags | grep '^v'