promote: dev -> test (TEE pipeline v0.0.27-alpha.1 + SEV-SNP per-template + baked LOG_LEVEL_*) #723
Merged
…asurements, baked LOG_LEVEL_* in attestation manifest (#722)

feat(cicd-tee): pin SecretVM v0.0.27-alpha.1, compute SEV-SNP per-template measurements, bake LOG_LEVEL_* into attestation manifest

Brings the TEE CI/CD pipeline in line with SCRT Labs' new portal-mandated SecretVM release v0.0.27-alpha.1 and PRs #718/#720 (AMD SEV-SNP support in proxy-router runtime). Extends the cosign-signed attestation manifest so verifiers can match per-template SEV-SNP launch digests and prove that verbose logging cannot leak privacy data from a TEE-deployed image.

Changes
- .github/tee/secretvm.env: pin SECRETVM_RELEASE=v0.0.27-alpha.1; add TDX and SEV rootfs URLs/SHA-256s; add SEV artifact registry pointer
- proxy-router/scripts/compute-sev-measurement.py (new): Python port of CalcSevMeasurement; computes SHA-384 launch digests for all 5 SecretVM vCPU templates (small/medium/large/2xlarge/4xlarge); mirrors the existing compute-rtmr3.py CI pattern
- proxy-router/internal/attestation/sev_python_parity_test.go (new): hermetic Go-vs-Python parity test using a version-agnostic synthetic fixture (artifacts_ver=parity-test-fixture-v1) so future SecretVM bumps do not require touching the test
- proxy-router/internal/attestation/golden.go: rename JSON tag amd_sev -> amd_sev_snp; add SEVMeasurements.PerTemplate map and GoldenValues.SEVPerTemplate + MatchSEVMeasurement helper
- .github/workflows/build.yml:
  - download both TDX + SEV rootfs ISOs (SHA-verify both)
  - fetch SCRT Labs SEV artifact registry, record its SHA-256
  - run compute-sev-measurement.py for all 5 templates, expose as job outputs
  - extract baked LOG_LEVEL_*/LOG_COLOR/LOG_JSON/LOG_IS_PROD from Dockerfile.tee with privacy gate (hard-fails build if LOG_LEVEL_APP=debug or any required LOG_LEVEL_* missing)
  - manifest now publishes measurements.amd_sev_snp.per_template (×5) and baked_env.LOG_* fields alongside intel_tdx.rtmr3
- proxy-router/.gitignore + .dockerignore: ignore Python __pycache__/
- .ai-docs/TEE_Attestation_Architecture.md + TEE_CICD_Supply_Chain_Hardening.md: document v0.0.27-alpha.1 pin, SEV per-template asymmetry, baked log levels, updated manifest schema

Auto-deploy + RTMR3-poll (Deploy-SecretVM-Test) remains TDX-only for this PR; SEV auto-deploy is deferred (manual verifier flow works today via the SEVPerTemplate map).

Validation
- python3 -m py_compile compute-sev-measurement.py: clean
- TestComputeSevMeasurementPythonParity: PASS (Go and Python produce identical SHA-384 chains for all 5 templates)
- go vet ./internal/attestation/...: clean
- yaml.safe_load(build.yml): clean
- jq dry-run of manifest assembly: produces well-formed manifest with amd_sev_snp.per_template and baked_env.LOG_* populated

Made-with: Cursor
Co-authored-by: abs2023 <alan@titan.io>
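A verifier-side check of the manifest fields named in the commit message above, as an added example that is not the project's code. It assumes the manifest's cosign signature has already been verified, that `per_template` maps a template name to a hex SHA-384 digest, and that `LOG_LEVEL_APP` is the only required key (the page does not list the others); the function names are hypothetical.

```python
# Hypothetical helpers for illustration; not the project's golden.go or build.yml logic.
TEMPLATES = ("small", "medium", "large", "2xlarge", "4xlarge")  # names from the page
SHA384_HEX_LEN = 96  # 48 bytes, hex-encoded


def _norm(digest):
    """Lowercase a hex digest; reject anything that is not 48 bytes of hex."""
    d = digest.strip().lower()
    if len(d) != SHA384_HEX_LEN:
        raise ValueError("not a SHA-384 digest")
    bytes.fromhex(d)  # raises ValueError on non-hex input
    return d


def match_sev_measurement(manifest, reported):
    """Return the template whose launch digest equals `reported`, else None."""
    per_template = manifest["measurements"]["amd_sev_snp"]["per_template"]
    missing = [t for t in TEMPLATES if t not in per_template]
    if missing:  # an incomplete map must not pass as "no match"
        raise ValueError(f"manifest lacks templates: {missing}")
    want = _norm(reported)
    for name in TEMPLATES:
        if _norm(per_template[name]) == want:
            return name
    return None


def log_gate_violations(manifest, required=("LOG_LEVEL_APP",)):
    """List the reasons the baked log settings fail the privacy gate."""
    env = manifest.get("baked_env", {})
    problems = [f"{key} missing" for key in required if not env.get(key)]
    if str(env.get("LOG_LEVEL_APP", "")).lower() == "debug":
        problems.append("LOG_LEVEL_APP=debug")
    return problems


# Constructed sample manifest: placeholder digests, not real measurements.
SAMPLE = {
    "measurements": {
        "intel_tdx": {"rtmr3": "00" * 48},
        "amd_sev_snp": {"per_template": {
            name: f"{i:02x}" * 48 for i, name in enumerate(TEMPLATES, start=1)}},
    },
    "baked_env": {"LOG_LEVEL_APP": "info", "LOG_JSON": "true"},
}

if __name__ == "__main__":
    print(match_sev_measurement(SAMPLE, "03" * 48))
    print(log_gate_violations(SAMPLE))
```

A verifier should treat both a `None` match and a non-empty violation list as a failed attestation.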
nomadicrogue approved these changes Apr 29, 2026
7 tasks
nomadicrogue added a commit that referenced this pull request May 22, 2026
## Summary

Docs-only promotion to `main` — same two commits validated on `test` (#728), cherry-picked onto current `main`:

- Mintlify MDX site, `AGENTS.md`, `.cursor/rules/morpheus.mdc`
- Unified `docs.yml` validate + OIDC deploy pipeline (Pagefind, llms.txt)

On merge, the **Docs** workflow deploys to https://nodedocs.mor.org (`main` environment variables).

**Not a full `test` → `main` merge.** `test` also carries TEE/SEV-SNP commits (#719–#723) that are intentionally excluded here.

## Prerequisites

- [x] Nonprod validated at https://nodedocs.dev.mor.org
- [x] CloudFront URL rewrite applied (`08-nodedocs-mor-org` dev + prd)
- [x] `main` GitHub environment variables configured (`NODEDOCS_*`)

## Test plan

- [ ] Merge; confirm **Docs** workflow completes validate + deploy
- [ ] Verify https://nodedocs.mor.org loads and subpage navigation works (e.g. `/inference-api/overview`)
- [ ] Confirm `/llms.txt` is present with prod URLs
- [ ] Confirm main CI-CD pipeline does **not** run for this merge

Made with [Cursor](https://cursor.com)
Summary
Promotes #722 from `dev` to `test`. Single commit:
What this delivers to the test environment
Why this is safe
End-to-end already validated on the cicd branch (run 25120743562):
The dev-branch run (25122325951) is also green; per existing repo policy, GHCR-push and SecretVM-deploy jobs only fire for `cicd/*`, `test`, and `main` branches, so the dev run validated tests + tag generation only. Merging into `test` will retrigger the full pipeline (this time with `:latest-test` tag promotion).
Scope explicitly NOT in this PR
Test plan (after merge to test)
Made with Cursor