Deploy to TDX with attestation.
.github/workflows/deploy.yml:
```yaml
name: Deploy to TDX
on:
  workflow_dispatch:
    inputs:
      ssh:
        description: 'Enable SSH'
        type: boolean
        default: false
jobs:
  deploy:
    uses: anthropics/easyenclave/.github/workflows/pipeline-dev.yml@main
    with:
      # forward the workflow_dispatch input to the reusable pipeline
      ssh: ${{ inputs.ssh }}
    secrets: inherit
```
pipeline-dev.yml - development
pipeline-release.yml - production
```yaml
jobs:
  deploy-prod:
    uses: anthropics/easyenclave/.github/workflows/pipeline-release.yml@main
    secrets: inherit
```
| input | type | default | description |
|---|---|---|---|
| ssh | boolean | false | enable SSH access |
| compose_file | string | docker-compose.yml | compose path |
| public_dir | string | public/ | public files dir |
public - in docker-compose, bundled with artifact:
```yaml
services:
  app:
    environment:
      - LOG_LEVEL=info
      - PUBLIC_URL=https://api.example.com
```
private - from github secrets, never persisted:
```yaml
services:
  app:
    environment:
      - DATABASE_URL=${DATABASE_URL}
      - API_KEY=${API_KEY}
```
Add secrets: Settings > Secrets > Actions
Private vars are:
```
your-repo/
├── docker-compose.yml    # required
├── public/               # optional
│   └── config.json
└── .github/workflows/
    └── deploy.yml
```
```yaml
version: '3.8'
services:
  app:
    image: ghcr.io/your-org/your-app:latest
    ports:
      - "8080:8080"
    environment:
      - DATABASE_URL=${DATABASE_URL}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
```
GitHub release with attestation.json:
```json
{
  "endpoint": "https://your-app.easyenclave.com",
  "quote": "base64-tdx-quote...",
  "sealed": true,
  "rtmrs": {
    "rtmr0": "abc123...",
    "rtmr1": "def456...",
    "rtmr2": "ghi789...",
    "rtmr3": "jkl012..."
  },
  "timestamp": "2024-01-15T10:30:00Z"
}
```
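A consumer-side policy check for this record, as an added example (not easyenclave's own code): it requires `sealed`, compares the RTMRs against values you pinned, cross-checks them against the registers embedded in the quote, and enforces a freshness window. It assumes hex-encoded RTMRs and a version 4 TDX quote layout, and it does not verify the quote's signature chain, which still needs a DCAP verifier; `check_attestation`, `rtmrs_from_quote` and `sample_record` are hypothetical names.

```python
import base64
from datetime import datetime, timedelta

# Assumed v4 quote layout: 48-byte header, 584-byte TD report body, RTMRs at body offset 328.
HEADER_LEN, BODY_LEN, RTMR_OFF, RTMR_LEN = 48, 584, 328, 48

def rtmrs_from_quote(quote_b64):
    """Extract RTMR0..3 as hex from a base64-encoded v4 TDX quote."""
    raw = base64.b64decode(quote_b64, validate=True)
    tdx_v4 = raw[:2] == b"\x04\x00" and raw[4:8] == b"\x81\x00\x00\x00"
    if len(raw) < HEADER_LEN + BODY_LEN or not tdx_v4:
        raise ValueError("not a v4 TDX quote")
    start = HEADER_LEN + RTMR_OFF
    return {f"rtmr{i}": raw[start + i * RTMR_LEN:start + (i + 1) * RTMR_LEN].hex()
            for i in range(4)}

def check_attestation(doc, pinned, now, max_age=timedelta(hours=1)):
    """Return policy failures for one attestation.json record ([] = pass)."""
    fails = []
    if not str(doc.get("endpoint", "")).startswith("https://"):
        fails.append("endpoint is not https")
    if doc.get("sealed") is not True:
        fails.append("sealed is not true")
    try:
        quoted = rtmrs_from_quote(doc.get("quote", ""))
    except (ValueError, TypeError) as exc:  # ValueError also covers malformed base64
        quoted = None
        fails.append(f"quote: {exc}")
    for name, want in pinned.items():
        got = str(doc.get("rtmrs", {}).get(name, "")).lower()
        if got != want.lower():
            fails.append(f"{name} differs from pinned value")
        if quoted is not None and quoted.get(name) != got:
            fails.append(f"{name} in JSON does not match quote")
    try:
        age = now - datetime.fromisoformat(str(doc.get("timestamp")).replace("Z", "+00:00"))
    except (ValueError, TypeError):
        age = None
    if age is None or not timedelta(0) <= age <= max_age:
        fails.append("timestamp missing or outside freshness window")
    return fails

def sample_record():
    """Constructed record with made-up register values, for demonstration."""
    regs = [bytes([i + 1]) * RTMR_LEN for i in range(4)]
    quote = b"\x04\x00\x00\x00\x81\x00\x00\x00" + bytes(40 + RTMR_OFF) + b"".join(regs) + bytes(64)
    return {"endpoint": "https://your-app.easyenclave.com", "sealed": True,
            "quote": base64.b64encode(quote).decode(), "timestamp": "2024-01-15T10:30:00Z",
            "rtmrs": {f"rtmr{i}": r.hex() for i, r in enumerate(regs)}}
```

Pass an aware UTC `datetime` as `now`, and take `pinned` from a build you measured yourself rather than from the record being checked.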
UI: Actions > Deploy to TDX > Run workflow
CLI:
```bash
# dev with SSH
gh workflow run deploy.yml -f ssh=true
# prod sealed
gh workflow run deploy.yml

gh run watch
gh run list --workflow=deploy.yml
gh run view --log
```
stuck deployment
attestation failed
container won’t start
ssh=true