From 8d00abae00de05ab62a5904dc23d15168737eb3f Mon Sep 17 00:00:00 2001 From: Marcin Date: Thu, 17 Jul 2025 15:49:28 +0200 Subject: [PATCH 1/3] BAC-189: CI for Shielder Prover Server
--- .../workflows/_build-enclave-artifacts.yml | 7 +- .../build-and-push-prover-server.yml | 50 ++++++++++++++ .github/workflows/on-release.yml | 66 +++++++++++++++++++ tee/docker/Dockerfile | 4 -- 4 files changed, 121 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/build-and-push-prover-server.yml create mode 100644 .github/workflows/on-release.yml
diff --git a/.github/workflows/_build-enclave-artifacts.yml b/.github/workflows/_build-enclave-artifacts.yml
index 94238637..dc9a7976 100644
--- a/.github/workflows/_build-enclave-artifacts.yml
+++ b/.github/workflows/_build-enclave-artifacts.yml
@@ -44,7 +44,10 @@ jobs: - name: Build enclave for shielder-prover-tee # yamllint disable rule:line-length run: | + mkdir out nix build --override-input zkOS-monorepo "github:${GITHUB_REPOSITORY}/${{ steps.get-ref-properties.outputs.full-sha }}" + cp result/shielderProverTEE/image.eif out/shielder-prover-tee-${{ steps.get-ref-properties.outputs.sha }}.eif + cp result/shielderProverTEE/pcr.json out/pcr-${{ steps.get-ref-properties.outputs.sha }}.json - name: Get artifact names id: get-artifact-names
@@ -56,7 +59,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{ steps.get-artifact-names.outputs.eif }} - path: tee/nix/result/shielderProverTEE/image.eif + path: tee/nix/out/shielder-prover-tee-${{ steps.get-ref-properties.outputs.sha }}.eif if-no-files-found: error retention-days: 7
@@ -64,6 +67,6 @@ jobs: uses: actions/upload-artifact@v4 with: name: ${{ steps.get-artifact-names.outputs.measurements }} - path: tee/nix/result/shielderProverTEE/pcr.json + path: tee/nix/out/pcr-${{ steps.get-ref-properties.outputs.sha }}.json if-no-files-found: error retention-days: 7 
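Review bot: The two new `cp` lines in the first hunk splice `${{ steps.get-ref-properties.outputs.sha }}` directly into the `run:` script text, whereas the existing `nix build` line already reads its repository name from the `${GITHUB_REPOSITORY}` environment; for consistency and to keep action output out of the script body, put the value in an `env:` entry on the step (`SHA: ${{ steps.get-ref-properties.outputs.sha }}`) and write `out/shielder-prover-tee-${SHA}.eif` and `out/pcr-${SHA}.json`. `mkdir out` without `-p` will fail if the directory already exists, which matters only if the working directory is ever reused between runs. The two later hunks in this file only follow the renamed paths. The step's enclosing job starts before and continues after the hunk.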
diff --git a/.github/workflows/build-and-push-prover-server.yml b/.github/workflows/build-and-push-prover-server.yml
new file mode 100644
index 00000000..e9a5e2c7
--- /dev/null
+++ b/.github/workflows/build-and-push-prover-server.yml
@@ -0,0 +1,50 @@ +--- +name: Build and push Shielder-Prover-Server docker image (host app) + +on: + workflow_dispatch: + inputs: + ref: + description: 'git ref: hash, branch, tag to build shielder-prover-server files from' + type: string + required: true + +jobs: + main: + name: Build Shielder Prover Server (host app) + runs-on: ubuntu-24.04 + steps: + - name: Checkout source code + uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + fetch-depth: 0 + + - name: Call action get-ref-properties + id: get-ref-properties + uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7 + + - name: Login to Public Amazon ECR + uses: docker/login-action@v3 + with: + registry: ${{ vars.ECR_PUBLIC_HOST }} + username: ${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY_ID }} + password: ${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY }} + + - name: DOCKER | Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v2 + with: + version: v0.9.1 + + - name: Build and push docker image + id: build-image + uses: docker/build-push-action@v3 + with: + context: tee + builder: ${{ steps.buildx.outputs.name }} + file: ./tee/docker/Dockerfile + push: true + tags: | + ${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}shielder-prover:${{ steps.get-ref-properties.outputs.sha }} + ${{ vars.ECR_PUBLIC_HOST }}shielder-prover:latest
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
new file mode 100644
index 00000000..d7ce366a
--- /dev/null
+++ b/.github/workflows/on-release.yml 
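Review bot: The `tags:` block pushes `shielder-prover:latest` for whatever `ref` the dispatcher types in, so a manual run from any branch or commit moves the public `latest` tag away from the last release; either tag only by sha here and let the release path own `latest`, or gate the `latest` line on the resolved ref being a release tag (the patch 3 hunk that retargets this line keeps the same behaviour). The workflow also declares no `permissions:`, so the job inherits the repository default token scope although it only needs the checkout; adding `permissions:` / `  contents: read` at the top makes that explicit. Since this job publishes a public image with long-lived registry credentials, pinning `docker/setup-buildx-action`, `docker/build-push-action` and `docker/login-action` to commit SHAs rather than mutable major tags would limit what a compromised upstream action could do with those secrets.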
@@ -0,0 +1,66 @@ +--- +name: Build and add Shielder Prover Server artifacts to GitHub Release + +on: + release: + types: + - published + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: false + +jobs: + check-vars-and-secrets: + name: Check vars and secrets + uses: ./.github/workflows/_check-vars-and-secrets.yml + secrets: inherit + + build-enclave-artifacts: + name: Build enclave artifacts + uses: ./.github/workflows/_build-enclave-artifacts.yml + with: + ref: ${{ github.ref }} + + add-ci-artifacts-to-release: + name: Add CI artifacts to the release + needs: + - check-vars-and-secrets + - build-enclave-artifacts + runs-on: ubuntu-24.04 + steps: + - name: Checkout source code + uses: actions/checkout@v4 + + - name: Call action get-ref-properties + id: get-ref-properties + uses: Cardinal-Cryptography/github-actions/get-ref-properties@v7 + + - name: Download enclave artifacts - EIF + uses: actions/download-artifact@v4 + with: + name: ${{ needs.build-enclave-artifacts.outputs.artifact-name-eif }} + merge-multiple: true + path: artifacts + + - name: Download enclave artifacts - Measurements + uses: actions/download-artifact@v4 + with: + name: ${{ needs.build-enclave-artifacts.outputs.artifact-name-measurements }} + merge-multiple: true + path: artifacts + + - name: Generate release artifacts checksum (SHA256) + uses: jmgilman/actions-generate-checksum@v1 + with: + output: + checksums.txt + patterns: | + artifacts/* + + - name: Add CI artifacts to the release + uses: softprops/action-gh-release@v2 + with: + files: | + checksums.txt + artifacts/*
diff --git a/tee/docker/Dockerfile b/tee/docker/Dockerfile
index 7996bad9..e3d2e7b8 100644
--- a/tee/docker/Dockerfile
+++ b/tee/docker/Dockerfile
@@ -15,10 +15,6 @@ WORKDIR /app COPY --from=builder /app/target/release/shielder-prover-server . -COPY docker/dockerentrypoint.sh . - -RUN chmod +x dockerentrypoint.sh - # Expose the default public port EXPOSE 3000 
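Review bot: `softprops/action-gh-release@v2` has to upload assets with the `GITHUB_TOKEN`, which requires `contents: write`, yet the workflow declares no `permissions:` and so relies on the repository default; declare `permissions:` / `  contents: write` on the `add-ci-artifacts-to-release` job only, so the grant is explicit and the build jobs stay read-only. The download steps reference `needs.build-enclave-artifacts.outputs.artifact-name-eif` and `artifact-name-measurements`, but the reusable workflow hunk in this series only shows step outputs `eif` and `measurements`; confirm `_build-enclave-artifacts.yml` declares workflow-level outputs with exactly these names, since a missing output yields an empty artifact name rather than a clear error. `checksums.txt` is generated in the same job that uploads it, so it only guards against corruption, not against a tampered build; if the attached `pcr-*.json` measurements are what clients pin attestation against, consider signing them in a later step. Minor style: `output:` followed by `checksums.txt` on the next line is a folded plain scalar that happens to parse correctly; `output: checksums.txt` on one line reads as intended.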
From e56ae0781406e91f43c5769bd518d1efad6d51b0 Mon Sep 17 00:00:00 2001 From: Marcin Date: Fri, 18 Jul 2025 11:41:35 +0200 Subject: [PATCH 2/3] Updated check vars and secrets
--- .github/workflows/_check-vars-and-secrets.yml | 4 ++++ .github/workflows/build-and-push-prover-server.yml | 1 + 2 files changed, 5 insertions(+)
diff --git a/.github/workflows/_check-vars-and-secrets.yml b/.github/workflows/_check-vars-and-secrets.yml
index 72fc5c9a..37ecf820 100644
--- a/.github/workflows/_check-vars-and-secrets.yml
+++ b/.github/workflows/_check-vars-and-secrets.yml
@@ -21,6 +21,8 @@ jobs: -z '${{ vars.CI_TESTNET_RELAYER_SIGNER_ADDRESSES }}' || \ -z '${{ vars.CI_TESTNET_STAGE_OWNER_ADDRESS }}' || \ -z '${{ vars.CI_TESTNET_TS_SDK_PUBLIC_KEY }}' || \ + -z '${{ vars.ECR_PUBLIC_HOST }}' || \ + -z '${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}' || \ -z '${{ vars.MAINNET_PROD_OWNER_ADDRESS }}' || \ -z '${{ vars.SHIELDER_CONTRACT_ADDRESS }}' ]]; then
@@ -34,6 +36,8 @@ jobs: if [[ \ -z '${{ secrets.AWS_MAINNET_ECR_ACCESS_KEY }}' || \ -z '${{ secrets.AWS_MAINNET_ECR_ACCESS_KEY_ID }}' || \ + -z '${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY }}' || \ + -z '${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY_ID }}' || \ -z '${{ secrets.CI_GH_TOKEN }}' || \ -z '${{ secrets.CI_MAINNET_DEPLOYER_PRIVATE_KEY }}' || \ -z '${{ secrets.CI_TESTNET_ALICE_PRIVATE_KEY }}' || \
diff --git a/.github/workflows/build-and-push-prover-server.yml b/.github/workflows/build-and-push-prover-server.yml
index e9a5e2c7..6649e5e3 100644
--- a/.github/workflows/build-and-push-prover-server.yml
+++ b/.github/workflows/build-and-push-prover-server.yml
@@ -45,6 +45,7 @@ jobs: builder: ${{ steps.buildx.outputs.name }} file: ./tee/docker/Dockerfile push: true + # yamllint disable rule:line-length tags: | ${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}shielder-prover:${{ steps.get-ref-properties.outputs.sha }} ${{ vars.ECR_PUBLIC_HOST }}shielder-prover:latest
From 5d0f149f8468b8d3927a013bdab7c55e31d4e077 Mon Sep 17 00:00:00 2001 
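Review bot: The added `-z '${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY }}'` and `-z '${{ secrets.AWS_MAINNET_ECR_CC_ACCESS_KEY_ID }}'` tests in the second hunk of `_check-vars-and-secrets.yml` expand the secret value into the shell script text inside single quotes, so a value containing `'` breaks the `[[ ... ]]` expression and the raw secret becomes part of the script handed to bash; the first hunk's two `vars.ECR_*` lines have the same shape. This matches the file's existing pattern, but for new entries the safer form is an `env:` entry on the step plus `-z "$AWS_MAINNET_ECR_CC_ACCESS_KEY"`, which keeps the value out of the script body. The enclosing `if [[ ... ]]` blocks start before and end after each hunk.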
From: Marcin Date: Fri, 18 Jul 2025 11:53:46 +0200 Subject: [PATCH 3/3] Review
--- .github/workflows/build-and-push-prover-server.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-push-prover-server.yml b/.github/workflows/build-and-push-prover-server.yml
index 6649e5e3..9f84614e 100644
--- a/.github/workflows/build-and-push-prover-server.yml
+++ b/.github/workflows/build-and-push-prover-server.yml
@@ -48,4 +48,4 @@ jobs: # yamllint disable rule:line-length tags: | ${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}shielder-prover:${{ steps.get-ref-properties.outputs.sha }} - ${{ vars.ECR_PUBLIC_HOST }}shielder-prover:latest + ${{ vars.ECR_CC_RES_PUBLIC_REGISTRY }}shielder-prover:latest
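Review bot: Both tags are now pushed under `vars.ECR_CC_RES_PUBLIC_REGISTRY`, while the login step earlier in this job (outside the hunk) authenticates against `vars.ECR_PUBLIC_HOST`; that only works if the former is a repository path under that host, which nothing in the series shows, and a mismatch surfaces as an auth failure at push time after the full build has run. Either derive the tag prefix from the same variable the login uses, or add a one-line comment above `tags:` stating the expected relationship, e.g. `# ECR_CC_RES_PUBLIC_REGISTRY must be a path under ECR_PUBLIC_HOST (the login target)`.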