
[CRE] Support confidential workflow engine path #21444

Open
nadahalli wants to merge 1 commit into tejaswi/cw-phase4 from tejaswi/cw-e2e-engine-path

@nadahalli
Contributor

Confidential CRE Workflows (implementation plan | E2E test design)

Summary

Three changes needed for the confidential workflows engine-path E2E test (confidential-compute#260). The test validates the full flow: syncer detects confidential=true workflow, creates ConfidentialModule, cron trigger fires, module delegates to the confidential-workflows capability, enclave runs WASM, mock capability on relay DON receives the request.

Stacked on #21298 (ConfidentialModule + attributes plumbing).

Changes

1. Workflow attributes plumbing

RegisterWithContract and registerWorkflowV2 now accept an attributes []byte parameter, passed through to registry.UpsertWorkflow. Confidential workflows set {"confidential":true,"vault_don_secrets":[{"key":"MOCK_SECRET"}]} so the syncer routes them to ConfidentialModule (see #21298).

All existing callers pass nil (no behavior change). CompileAndDeployConfidentialWorkflow helper added to t_helpers.go for E2E tests that need attributes.

Files: system-tests/lib/cre/workflow/workflow.go, system-tests/tests/test-helpers/t_helpers.go, core/scripts/cre/environment/environment/workflow.go

2. File fetcher HTTP URL support

Confidential workflows have a dual-use binary URL: the on-chain URL must be HTTP (so the enclave can fetch the binary), but the syncer's file-based fetcher reads from the local container filesystem. The file fetcher now detects HTTP(S) URLs and extracts the filename via filepath.Base(u.Path), resolving it against the configured base path.

Without this, the file fetcher rejects the HTTP URL with "request URL is not within the basePath".

Files: core/services/workflows/syncer/fetcher.go, core/services/workflows/syncer/v2/fetcher.go

3. FeatureFlags in confidential engine creation

tryConfidentialEngineCreate in handler.go was missing FeatureFlags: h.featureFlags in the engine config, causing a nil pointer panic when the engine checked feature flags during trigger registration.

File: core/services/workflows/syncer/v2/handler.go

Related PRs

Plumb workflow attributes through RegisterWithContract so confidential
workflows can set confidential=true and vault_don_secrets on-chain.
Add HTTP URL support to file fetcher (extracts filename from URL path)
for workflows where the on-chain URL is HTTP but syncer reads locally.
Pass FeatureFlags to confidential engine creation.
@nadahalli nadahalli requested review from a team as code owners March 6, 2026 13:17
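
The filename extraction described under change 2, as an added example that is not code from this PR or the repository: it maps an HTTP(S) URL to a file under the base path and rejects the cases where `filepath.Base(u.Path)` returns no real filename (`u.Path` is percent-decoded, so a path ending in `%2e%2e` yields `..`). The function name `resolveLocal`, the host `artifacts.example` and the base path `/tmp/workflows` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// resolveLocal is a hypothetical helper (not the PR's code). It maps an
// http(s) binary URL to a file under basePath using only the last element
// of the URL path, then verifies the result stays inside basePath.
func resolveLocal(basePath, rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", fmt.Errorf("parse url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("not an http(s) URL")
	}
	// u.Path is already percent-decoded, so "/a/%2e%2e" arrives as "/a/..".
	name := filepath.Base(u.Path)
	if name == "." || name == ".." || name == string(filepath.Separator) {
		return "", fmt.Errorf("URL path %q has no usable filename", u.Path)
	}
	base := filepath.Clean(basePath)
	full := filepath.Join(base, name)
	// Defense in depth: keep the containment check even after taking Base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("request URL is not within the basePath")
	}
	return full, nil
}

func main() {
	// Constructed sample URLs; host, paths and base directory are placeholders.
	for _, raw := range []string{
		"http://artifacts.example/wasm/workflow.wasm",
		"https://artifacts.example/a/%2e%2e",
		"http://artifacts.example/",
	} {
		p, err := resolveLocal("/tmp/workflows", raw)
		fmt.Printf("%-45s -> %q err=%v\n", raw, p, err)
	}
}
```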
@github-actions
Contributor

github-actions bot commented Mar 6, 2026

✅ No conflicts with other open PRs targeting tejaswi/cw-phase4

@github-actions
Contributor

github-actions bot commented Mar 6, 2026

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@cl-sonarqube-production

Quality Gate failed

Failed conditions
80.0% Duplication on New Code (required ≤ 10%)

See analysis details on SonarQube
