confidential-computing.sgx/.github/workflows/c-cpp.yml at main · intel/confidential-computing.sgx · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: C/C++ CI

on:
  push:
    branches: [ "main*", "release*" ]
  pull_request:
    branches: [ "main*", "release*" ]

permissions:
  actions: read
  checks: read
  contents: read
  issues: write
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    name: "SGX SDK build"
    runs-on: ${{ vars.RUNNER_CI_BUILD || 'ubuntu-latest' }}

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      with:
        submodules: recursive
        token: ${{ secrets.ALL_REPO_CONTENTS_READ_PAT || github.token }}

    - name: Install build prerequisites
      shell: bash
      run: |
        set -xeuo pipefail

        sudo -E apt-get update -o Acquire::Retries=3 -o Acquire::http::Timeout=15 -o Acquire::https::Timeout=15

        sudo -E apt-get install -y --no-install-recommends \
          build-essential \
          ocaml \
          ocamlbuild \
          automake \
          autoconf \
          libtool \
          wget \
          python-is-python3 \
          libssl-dev \
          cmake \
          perl \
          file

    - name: Build SGX SDK (x64 install package = Linux)
      run: make preparation; make sdk_install_pkg

    - name: Adjust output artifact name and add provenance disclaimer
      shell: bash
      run: |
        set -euo pipefail

        SRC=$(ls -1 linux/installer/bin/sgx_linux_x64_sdk_*.bin | head -n 1)
        [[ -n "${SRC:-}" ]] || { echo "No SDK installer found in build outputs"; exit 1; }

        mv -v "$SRC" "${SRC%.bin}_ci-build-${GITHUB_RUN_ID}_NON-PROD.bin"

        # Create a disclaimer with CI provenance information
        {
           echo "Produced by smoke test CI build: ${GITHUB_WORKFLOW_REF}."
           echo "--------------"
           echo "Run ID/Number: ${GITHUB_RUN_ID} / ${GITHUB_RUN_NUMBER}"
           echo "Source Branch: ${GITHUB_REPOSITORY:-}/${GITHUB_REF_NAME:-unknown}"
           echo "Commit SHA:    ${GITHUB_SHA}"
           echo "--------------"
           echo "Note:  This artifact was auto-generated by a smoke test CI build, and is not an official signed release."
           echo "       It is intended for build pipeline testing only, not for production use or external distribution."
           echo "       For official Intel(R) SGX SDK releases, visit: https://download.01.org/intel-sgx/"
           echo ""
        } > linux/installer/bin/DISCLAIMER.txt

        echo "⚠️ This CI workflow is only smoke testing the build pipeline; artifact outputs are not production-ready." >> "$GITHUB_STEP_SUMMARY"

    - name: Upload the output artifact (SDK installer)
      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
      with:
        name: sdk_installer-ci-preview
        path: |
           linux/installer/bin/sgx_linux_x64_sdk_*.bin
           linux/installer/bin/DISCLAIMER.txt
        if-no-files-found: error
        retention-days: 3