chore(ci): add docker image ci workflows for fhevm smart contracts

.github/workflows/common-docker.yml

@@ -0,0 +1,178 @@
+name: Docker Build and Push
+
+on:
+  workflow_call:
+    secrets:
+      BLOCKCHAIN_ACTIONS_TOKEN:
+        required: true
+      GRAVITON_BUILDER_SSH_PRIVATE_KEY:
+        required: true
+    inputs:
+      ref:
+        type: string
+        required: false
+        default: ""
+      working-directory:
+        type: string
+        required: true
+      docker-context:
+        type: string
+        required: false
+        default: "."
+      image-name:
+        type: string
+        required: true
+      image-dev-name:
+        type: string
+        required: false
+      image-dev-description:
+        type: string
+        required: false
+      push_image:
+        type: boolean
+        default: true
+        required: false
+      runs_on:
+        type: string
+        required: false
+        default: "ubuntu-latest"
+      generate-dev-image:
+        type: boolean
+        default: false
+        required: false
+      docker-file:
+        type: string
+        default: "ci.dockerfile"
+        required: false
+      docker-file-dev:
+        type: string
+        default: "dev.dockerfile"
+        required: false
+      graviton-build-host:
+        type: string
+        required: false
+        default: "ec2-15-188-101-126.eu-west-3.compute.amazonaws.com"
+      arm-build:
+        type: boolean
+        default: true
+        required: false
+      cache-from:
+        type: string
+        required: false
+        default: "type=gha"
+      cache-to:
+        type: string
+        required: false
+        default: "type=gha,mode=max"
+    outputs:
+      image_name:
+        description: "Image Name with Tag generated by this task"
+        value: "${{ jobs.build-and-push-docker.outputs.image_name }}"
+
+jobs:
+  build-and-push-docker:
+    runs-on: ${{ inputs.runs_on }}
+    outputs:
+      image_name: ${{ steps.export-image.outputs.image }}
+    env:
+      HOME: ${{ inputs.runs_on != 'ubuntu-latest' && '/root' || '/home/runner' }}
+    steps:
+      - name: Checkout Project
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+        with:
+          dockerfile: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file }}
+          failure-threshold: none
+
+      - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
+        if: ${{ inputs.generate-dev-image }}
+        with:
+          dockerfile: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file-dev }}
+          failure-threshold: none
+
+      - name: Set up SSH
+        if: inputs.arm-build
+        uses: MrSquaare/ssh-setup-action@2d028b70b5e397cf8314c6eaea229a6c3e34977a # v3.1.0
+        with:
+          host: ${{ inputs.graviton-build-host }}
+          private-key: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+          private-key-name: docker_builder_arm
+
+      - name: Set up Docker Buildx
+        if: inputs.arm-build
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        with:
+          platforms: linux/amd64,linux/arm64
+          append: |
+            - endpoint: "ssh://ec2-user@${{ inputs.graviton-build-host }}"
+              platforms: linux/arm64
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Echo github event
+        run: echo "Github event ==> ${{ github.event_name }}"
+
+      - name: Current branch sha
+        if: github.event_name != 'release'
+        run: |
+          echo "DOCKER_TAG_IMAGE=$(git rev-parse --short "$GITHUB_SHA")" >> "$GITHUB_ENV"
+      - name: Current Tag
+        if: github.event_name == 'release'
+        run: |
+          echo "DOCKER_TAG_IMAGE=${{  github.ref_name }}" >> "$GITHUB_ENV"
+
+      - name: Docker Build and Push
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        with:
+          context: ${{ inputs.docker-context }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+          file: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file }}
+          push: ${{ inputs.push_image }}
+          pull: false
+          tags: ghcr.io/zama-ai/${{ inputs.image-name }}:${{env.DOCKER_TAG_IMAGE }},ghcr.io/zama-ai/${{ inputs.image-name }}:latest
+          cache-from: ${{ inputs.cache-from }}
+          cache-to: ${{ inputs.cache-to }}
+
+      - name: Extract Docker metadata
+        if: ${{ inputs.generate-dev-image }}
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          annotations: |
+            org.opencontainers.image.description="${{ inputs.image-dev-description }}"
+          labels: |
+            zama.fhevm.version=${{ env.DOCKER_TAG_IMAGE }}
+            zama.fhevm.description="${{ inputs.image-dev-description }}"
+          images: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{ env.DOCKER_TAG_IMAGE }}
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+
+      - name: Docker Build and Push Dev Image
+        if: ${{ inputs.generate-dev-image }}
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
+        timeout-minutes: 360
+        with:
+          context: ${{ inputs.docker-context }}
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            BLOCKCHAIN_ACTIONS_TOKEN=${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+          file: ${{ inputs.working-directory }}/contracts/operations/docker/${{ inputs.docker-file-dev }}
+          push: ${{ inputs.push_image }}
+          pull: false
+          tags: ghcr.io/zama-ai/${{ inputs.image-dev-name }}:${{env.DOCKER_TAG_IMAGE}},ghcr.io/zama-ai/${{ inputs.image-dev-name }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+
+      - name: Export image name
+        id: export-image
+        run: echo "image=ghcr.io/zama-ai/${{inputs.image-name}}:${{env.DOCKER_TAG_IMAGE}}" >> "${GITHUB_OUTPUT}"

.github/workflows/fhevm-smart-contracts.yml

@@ -0,0 +1,43 @@
+name: "fhEVM smart contracts Docker Image"
+
+on:
+  push:
+    branches: ["amina/fhevm-sc-workflows"]
+    paths:
+      - .github/workflows/fhevm-smart-contracts.yml
+      - contracts/**
+
+concurrency:
+  group: fhevm-smart-contracts
+  cancel-in-progress: true
+
+jobs:
+  docker-smart-contracts:
+    uses: ./.github/workflows/common-docker.yml
+    permissions:
+      contents: "read"
+      id-token: "write"
+      packages: "write"
+    with:
+      working-directory: "."
+      push_image: true
+      image-name: "fhevm-smart-contracts"
+      image-dev-name: "fhevm-smart-contracts-dev"
+      generate-dev-image: true
+      docker-file: "ci.dockerfile"
+      docker-file-dev: "dev.dockerfile"
+      image-dev-description: "fhevm smart contracts dev image"
+      arm-build: true
+
+    secrets:
+      BLOCKCHAIN_ACTIONS_TOKEN: ${{ secrets.BLOCKCHAIN_ACTIONS_TOKEN }}
+      GRAVITON_BUILDER_SSH_PRIVATE_KEY: ${{ secrets.GRAVITON_BUILDER_SSH_PRIVATE_KEY }}
+
+  done:
+    runs-on: ubuntu-latest
+    name: Pipeline Done
+    steps:
+      - name: Success
+        run: echo Pipeline Done
+    needs:
+      - docker-smart-contracts

contracts/.env.example.deployment

@@ -0,0 +1,12 @@
+export PRIVATE_KEY_FHEVM_DEPLOYER="0c66d8cde71d2faa29d0cb6e3a567d31279b6eace67b0a9d9ba869c119843a5e"
+export PRIVATE_KEY_GATEWAY_DEPLOYER="717fd99986df414889fd8b51069d4f90a50af72e542c58ee065f5883779099c6"
+export ADDRESS_GATEWAY_RELAYER="0x97F272ccfef4026A1F3f0e0E879d514627B84E69"
+export NUM_KMS_SIGNERS="4"
+export ADDRESS_KMS_SIGNER_0="0x0971C80fF03B428fD2094dd5354600ab103201C5"
+export ADDRESS_KMS_SIGNER_1="0xB68deCb047B5e6Cc82280502A7E2318c6b3E5eC6"
+export ADDRESS_KMS_SIGNER_2="0xfe0fB0BCceb872ee7a6ef6c455e6E127Aef55DD7"
+export ADDRESS_KMS_SIGNER_3="0x2dac5193bE0AB0eD8871399E6Ae61EAe6cc8cAE1"
+export ADDRESS_COPROCESSOR_ACCOUNT="0xc9990FEfE0c27D31D0C2aa36196b085c0c4d456c"
+export IS_COPROCESSOR="true"
+export SEPOLIA_RPC_URL="https://sepolia.infura.io/v3/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+export ETHERSCAN_API_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

contracts/operations/docker/ci.dockerfile

@@ -0,0 +1,21 @@
+FROM node:20-slim
+
+# Set the working directory
+WORKDIR /app
+
+# Copy only necessary files for npm install
+COPY contracts/package.json contracts/package-lock.json ./
+
+# Install dependencies
+RUN npm install && \
+    npm cache clean --force
+
+# Copy the application files
+COPY contracts/.env.example.deployment contracts/*.sh contracts/*.ts contracts/tsconfig.json ./
+COPY contracts/addresses ./addresses/
+COPY contracts/contracts ./contracts/
+COPY contracts/lib ./lib/
+COPY contracts/tasks ./tasks/
+COPY contracts/gateway ./gateway/
+
+RUN chmod +x ./*.sh

contracts/operations/docker/dev.dockerfile

@@ -0,0 +1,38 @@
+FROM node:20-slim
+
+# Set the working directory
+WORKDIR /app
+
+# Copy only necessary files for npm install
+COPY contracts/package.json contracts/package-lock.json ./
+
+# Install dependencies
+RUN npm install && \
+    npm cache clean --force
+
+# Copy the application files
+COPY contracts/.env.example.deployment contracts/*.sh contracts/*.ts contracts/tsconfig.json ./
+COPY contracts/addresses ./addresses/
+COPY contracts/contracts ./contracts/
+COPY contracts/lib ./lib/
+COPY contracts/tasks ./tasks/
+COPY contracts/gateway ./gateway/
+
+# Set SHELL with pipefail option to handle pipe errors properly
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Set executable permissions and prepare the environment
+RUN chmod +x ./*.sh && \
+    cp .env.example.deployment .env && \
+    ./precompute-addresses.sh
+
+# Set up environment variables and compile contracts
+RUN PRIVATE_KEY_FHEVM_DEPLOYER="$(grep PRIVATE_KEY_FHEVM_DEPLOYER .env | cut -d '"' -f 2)" && \
+    export PRIVATE_KEY_FHEVM_DEPLOYER && \
+    NUM_KMS_SIGNERS="$(grep NUM_KMS_SIGNERS .env | cut -d '"' -f 2)" && \
+    export NUM_KMS_SIGNERS && \
+    npx hardhat clean && \
+    npx hardhat compile:specific --contract addresses && \
+    npx hardhat compile:specific --contract contracts && \
+    npx hardhat compile:specific --contract lib && \
+    npx hardhat compile:specific --contract gateway

contracts/precompute-addresses.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+npx hardhat clean
+
+PRIVATE_KEY_GATEWAY_DEPLOYER=$(grep PRIVATE_KEY_GATEWAY_DEPLOYER .env | cut -d '"' -f 2)
+PRIVATE_KEY_FHEVM_DEPLOYER=$(grep PRIVATE_KEY_FHEVM_DEPLOYER .env | cut -d '"' -f 2)
+
+npx hardhat task:computeGatewayAddress --private-key "$PRIVATE_KEY_GATEWAY_DEPLOYER"
+npx hardhat task:computeACLAddress --private-key "$PRIVATE_KEY_FHEVM_DEPLOYER"
+npx hardhat task:computeTFHEExecutorAddress --private-key "$PRIVATE_KEY_FHEVM_DEPLOYER"
+npx hardhat task:computeKMSVerifierAddress --private-key "$PRIVATE_KEY_FHEVM_DEPLOYER"
+npx hardhat task:computeInputVerifierAddress --private-key "$PRIVATE_KEY_FHEVM_DEPLOYER" --use-address true
+npx hardhat task:computeFHEPaymentAddress --private-key "$PRIVATE_KEY_FHEVM_DEPLOYER"