Merge branch 'master' into kent-3/patch-1

Author: assafmo

.github/workflows/ci.yaml

@@ -19,17 +19,17 @@ jobs:
           chmod +x "$SDK_BIN"
           echo yes | ./"$SDK_BIN"
       - name: Cache cargo registry
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cargo/registry
           key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
       - name: Cache xargo sysroot
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.xargo
           key: ${{ runner.os }}-xargo-sysroot
       - name: Cache build artifacts
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cache/sccache
           key: ${{ runner.os }}-sccache
@@ -193,17 +193,17 @@ jobs:
           chmod +x "$SDK_BIN"
           echo yes | ./"$SDK_BIN"
       - name: Cache cargo registry
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cargo/registry
           key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}
       - name: Cache xargo sysroot
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.xargo
           key: ${{ runner.os }}-xargo-sysroot
       - name: Cache build artifacts
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cache/sccache
           key: ${{ runner.os }}-sccache

.github/workflows/release.yaml

@@ -31,7 +31,7 @@ jobs:
           echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
           echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
       - name: Cache build artifacts
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cache/sccache
           key: ${{ runner.os }}-sccache

Makefile

@@ -1,12 +1,13 @@
-PACKAGES=$(shell go list ./... | grep -v '/simulation')
 VERSION ?= $(shell echo $(shell git describe --tags) | sed 's/^v//')
 COMMIT := $(shell git log -1 --format='%H')
 DOCKER := $(shell which docker)
 DOCKER_BUF := $(DOCKER) run --rm -v $(CURDIR):/workspace --workdir /workspace bufbuild/buf
 
+# SPID and API_KEY are used for Intel SGX attestation
 SPID ?= 00000000000000000000000000000000
 API_KEY ?= FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
 
+# Environment variables and build tags setup
 LEDGER_ENABLED ?= true
 BINDIR ?= $(GOPATH)/bin
 BUILD_PROFILE ?= release
@@ -22,24 +23,23 @@ DOCKER_TAG ?= latest
 
 TM_SGX ?= true
 
+# Paths for contracts and modules
 CW_CONTRACTS_V010_PATH = ./cosmwasm/contracts/v010/
 CW_CONTRACTS_V1_PATH = ./cosmwasm/contracts/v1/
-
 TEST_CONTRACT_V010_PATH = ./cosmwasm/contracts/v010/compute-tests
 TEST_CONTRACT_V1_PATH = ./cosmwasm/contracts/v1/compute-tests
-
 TEST_COMPUTE_MODULE_PATH = ./x/compute/internal/keeper/testdata/
-
 ENCLAVE_PATH = cosmwasm/enclaves/
 EXECUTE_ENCLAVE_PATH = $(ENCLAVE_PATH)/execute/
-DOCKER_BUILD_ARGS ?=
 
+# Determine if Docker Buildx is available for multi-platform builds
+DOCKER_BUILD_ARGS ?=
 DOCKER_BUILDX_CHECK = $(@shell docker build --load test)
-
 ifeq (Building,$(findstring Building,$(DOCKER_BUILDX_CHECK)))
 	DOCKER_BUILD_ARGS += "--load"
 endif
 
+# Check and set the SGX_MODE to either HW or SW, error if not set
 ifeq ($(SGX_MODE), HW)
 	ext := hw
 else ifeq ($(SGX_MODE), SW)
@@ -48,6 +48,7 @@ else
 $(error SGX_MODE must be either HW or SW)
 endif
 
+# Set CGO flags based on the selected database backend (unused - currently only cleveldb is supported)
 ifeq ($(DB_BACKEND), rocksdb)
 	DB_BACKEND = rocksdb
 	DOCKER_CGO_LDFLAGS = "-L/usr/lib/x86_64-linux-gnu/ -lrocksdb -lstdc++ -llz4 -lm -lz -lbz2 -lsnappy"
@@ -63,6 +64,7 @@ endif
 
 CUR_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
+# Build tags setup for various configurations like ledger, database, etc.
 build_tags = netgo
 ifeq ($(LEDGER_ENABLED),true)
   ifeq ($(OS),Windows_NT)
@@ -120,6 +122,7 @@ whitespace += $(whitespace)
 comma := ,
 build_tags_comma_sep := $(subst $(whitespace),$(comma),$(build_tags))
 
+# Linker flags to embed version information and other metadata into the binaries
 ldflags = -X github.com/cosmos/cosmos-sdk/version.Name=SecretNetwork \
 	-X github.com/cosmos/cosmos-sdk/version.AppName=secretd \
 	-X github.com/scrtlabs/SecretNetwork/cmd/secretcli/version.ClientName=secretcli \
@@ -151,6 +154,7 @@ go.sum: go.mod
 	@echo "--> Ensure dependencies have not been modified"
 	GO111MODULE=on go mod verify
 
+# Build the CLI tool
 build_cli:
 	go build -o secretcli -mod=readonly -tags "$(filter-out sgx, $(GO_TAGS)) secretcli" -ldflags '$(LD_FLAGS)' ./cmd/secretd
 
@@ -173,6 +177,7 @@ build-tm-secret-enclave:
 	rustup component add rust-src
 	SGX_MODE=$(SGX_MODE) $(MAKE) -C /tmp/tm-secret-enclave build
 
+# Targets for building the cli on various platforms like Windows, macOS, Linux
 build_windows_cli:
 	$(MAKE) xgo_build_secretcli XGO_TARGET=windows/amd64
 	sudo mv github.com/scrtlabs/SecretNetwork-windows-* secretcli-windows-amd64.exe
@@ -195,6 +200,7 @@ build_linux_arm64_cli:
 
 build_all: build-linux build_windows_cli build_macos_cli build_linux_arm64_cli
 
+# Build Debian package
 deb: build-linux deb-no-compile
 
 deb-no-compile:
@@ -226,6 +232,7 @@ deb-no-compile:
 	dpkg-deb --build /tmp/SecretNetwork/deb/ .
 	-rm -rf /tmp/SecretNetwork
 
+# Clean up generated files and reset the environment
 clean:
 	-rm -rf /tmp/SecretNetwork
 	-rm -f ./secretcli*
@@ -247,6 +254,11 @@ clean:
 	$(MAKE) -C $(TEST_CONTRACT_V1_PATH)/test-compute-contract clean
 	$(MAKE) -C $(TEST_CONTRACT_V1_PATH)/test-compute-contract-v2 clean
 
+###############################################################################
+###                         Dockerized Build Targets                        ###
+###############################################################################
+
+# Build localsecret - dockerized local chain for development and testing. In this version SGX is ran in software/simulation mode
 localsecret:
 	DOCKER_BUILDKIT=1 docker build \
 			--build-arg FEATURES="${FEATURES},debug-print,random,light-client-validation" \
@@ -309,6 +321,7 @@ build-testnet:
 				 --target build-deb .
 	docker run -e VERSION=${VERSION} -v $(CUR_DIR)/build:/build deb_build
 
+# special targets for building a deb package that compiles a new secretd but takes the enclaves from the latest package - used for upgrades when we don't want to replace the enclave
 build-mainnet-upgrade:
 	@mkdir build 2>&3 || true
 	DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production, ${FEATURES}" \
@@ -336,6 +349,8 @@ build-mainnet-upgrade:
 				 -t deb_build \
 				 --target build-deb-mainnet .
 	docker run -e VERSION=${VERSION} -v $(CUR_DIR)/build:/build deb_build
+
+# full mainnet build - will end up with a .deb package in the ./build folder
 build-mainnet:
 	@mkdir build 2>&3 || true
 	DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="verify-validator-whitelist,light-client-validation,production,random, ${FEATURES}" \
@@ -367,6 +382,7 @@ build-mainnet:
 				 --target build-deb .
 	docker run -e VERSION=${VERSION} -v $(CUR_DIR)/build:/build deb_build
 
+# Build the hardware compatability checker - this is a binary that just runs attestation and provides details on the result
 build-check-hw-tool:
 	@mkdir build 2>&3 || true
 	DOCKER_BUILDKIT=1 docker build --build-arg FEATURES="${FEATURES}" \
@@ -383,23 +399,22 @@ build-check-hw-tool:
                  -t compile-check-hw-tool \
                  --target compile-check-hw-tool .
 
-# while developing:
+###############################################################################
+###                         Local Build Targets                             ###
+###############################################################################
+
 build-enclave:
 	$(MAKE) -C $(EXECUTE_ENCLAVE_PATH) enclave
 
-# while developing:
 check-enclave:
 	$(MAKE) -C $(EXECUTE_ENCLAVE_PATH) check
 
-# while developing:
 clippy-enclave:
 	$(MAKE) -C $(EXECUTE_ENCLAVE_PATH) clippy
 
-# while developing:
 clean-enclave:
 	$(MAKE) -C $(EXECUTE_ENCLAVE_PATH) clean
 
-# while developing:
 clippy: clippy-enclave
 	$(MAKE) -C check-hw clippy
 

README.md

@@ -2,8 +2,8 @@
 
 <div align="center">
 
-[![version](https://img.shields.io/badge/version-1.3.1-blue)](https://github.com/scrtlabs/SecretNetwork/releases/tag/v1.3.1)
-[![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md)
+[![version](https://img.shields.io/badge/version-1.12.1-blue)](https://github.com/scrtlabs/SecretNetwork/releases/tag/v1.12.1)
+[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md)
 <a href="https://twitter.com/intent/follow?screen_name=SecretNetwork">
 <img src="https://img.shields.io/twitter/follow/SecretNetwork?style=social&logo=twitter"
 alt="Follow"></a>
@@ -42,7 +42,16 @@ Click the button below to start a new development environment:
 ### Install prerequisite packages
 
 ```
-apt-get install -y --no-install-recommends g++ libtool autoconf clang
+apt-get install -y --no-install-recommends g++ libtool automake autoconf clang
+```
+
+#### Ubuntu 22+
+
+The build depends on libssl1.1. Install using:
+
+```bash
+wget https://debian.mirror.ac.za/debian/pool/main/o/openssl/libssl1.1_1.1.1w-0%2Bdeb11u1_amd64.deb
+dpkg -i libssl1.1_1.1.1w-0%2Bdeb11u1_amd64.deb
 ```
 
 ### Clone Repo
@@ -111,15 +120,11 @@ Use `make build-linux` to build the entire codebase. This will build both the Ru
 
 To build just the rust code, you can use `make build-linux`, while to build just the Go code, there is the aptly named `make build_local_no_rust`.
 
-
 Tip:
-```text
 For a production build the enclave must be copied from the most recent release. 
-
 This is due to non-reproducible builds, and the fact that enclaves must be signed with a specific key to be accepted on mainnet. 
-
 Still, the non-enclave code can be modified and ran on mainnet as long as there are no consensus-breaking changes
-```
+
 
 # Running Something
 
@@ -145,7 +150,3 @@ For the latest documentation, check out [https://docs.scrt.network](https://docs
 - Twitter: [https://twitter.com/SecretNetwork](https://twitter.com/SecretNetwork)
 - Community Telegram Channel: [https://t.me/SCRTnetwork](https://t.me/SCRTnetwork)
 - Community Secret Nodes Telegram: [https://t.me/secretnodes](https://t.me/secretnodes)
-
-# License
-
-SecretNetwork is free software: you can redistribute it and/or modify it under the terms of the [GNU Affero General Public License](LICENSE) as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. The GNU Affero General Public License is based on the GNU GPL, but has an additional term to allow users who interact with the licensed software over a network to receive the source for that program.

cosmwasm/Cargo.lock

@@ -61,7 +61,7 @@ enclave-ffi-types = { path = "../../enclaves/ffi-types", features = [
 sgx_types = { path = "../../../third_party/incubator-teaclave-sgx-sdk/sgx_types" }
 sgx_urts = { path = "../../../third_party/incubator-teaclave-sgx-sdk/sgx_urts" }
 log = "0.4.20"
-base64 = "0.21.5"
+base64 = "0.21.6"
 parking_lot = "0.11"
 num_cpus = "1.16.0"
 

cosmwasm/packages/sgx-vm/Cargo.toml

@@ -0,0 +1,46 @@
+The build process for SN is a bit complex, and can include some unexpected parts for those that have not been baptised in the waters of TEEs.
+
+### Build Targets Overview
+1. **`release-image`**: Creates a full node Docker image.
+2. **`build-deb`**: Generates a Debian (.deb) package
+3. **`build-deb-mainnet`**: Similar to `build-deb`, but specifically for generating a Debian package for mainnet.
+4. **`compile-secretd`**: Produces an image with the compiled enclave and `secretd`, a core component of the Secret Network - sometimes you don't need the whole image, just secretd.
+
+### Build Process Description
+
+#### 1. **Base Images and Environment Setup**
+- Defines two base images: 
+  * `SCRT_BASE_IMAGE_ENCLAVE` - Used as the base for building the enclave components, which are crucial for the secure execution of code in an SGX (Software Guard Extensions) environment.  
+  * `SCRT_RELEASE_BASE_IMAGE` - Serves as the base for the final release image that contains all the necessary components to run a full node.
+- Sets up the environment for subsequent stages, including installing dependencies like `clang-10`, setting `WORKDIR`, and other environment variables.
+
+#### 2. **Compilation of Enclaves**
+- **`prepare-compile-enclave` & `compile-enclave`**: Prepares the environment and compiles the enclaves.
+- **`compile-tendermint-enclave`**: Compiles the Tendermint enclave, which is a part of the blockchain consensus mechanism.
+
+#### 3. **Compilation of `secretd`**
+- Sets up the Go environment and downloads specific Go packages.
+- Copies source files and prepares the environment for building `secretd`.
+- Uses the compiled enclaves from previous steps.
+
+#### 4. **Release Image Creation (`release-image`)**
+- Creates the final node image with all necessary binaries and libraries.
+- Installs additional dependencies like `jq`, `openssl`, and Node.js - these are used for the faucet and for debugging tools.
+- Sets up environment variables and links libraries.
+
+#### 5. **Mainnet Upgrade (`mainnet-release`)**
+- Upgrades the `release-image` with specific binaries and libraries for the mainnet.
+
+#### 6. **Debian Package Creation (`build-deb` and `build-deb-mainnet`)**
+- Prepares an environment for building Debian packages.
+- Copies necessary binaries and libraries from previous stages.
+- Executes a script to build the Debian package.
+
+#### 7. **Compilation of `check-hw` Tool (`compile-check-hw-tool`)**
+- Compiles a hardware check tool, necessary for validating the hardware running the Secret Network nodes - this is unrelated to the release image or the network node directly.
+
+#### 8. **LocalSecret Setup (`build-localsecret`)**
+- A specialized setup for a local version of the Secret Network, including a faucet server and a health check mechanism for local development.
+
+### Summary
+Each target in this Dockerfile serves a distinct purpose in the build and deployment pipeline of the Secret Network. From compiling essential components like `secretd` and the Tendermint enclave, to packaging these components for deployment in various environments (development, mainnet), the Dockerfile covers a comprehensive range of tasks necessary for maintaining and deploying a blockchain network. The use of multi-stage builds optimizes the process by reusing stages and minimizing the final image size.