Enable workflows to request a TEE#2004
Open
nolag wants to merge 21 commits into
Open
Conversation
|
nolag
force-pushed
the
rtinianov_teeWorkflows
branch
from
f98af19 to
f4e51a4
Compare
nolag
force-pushed
the
rtinianov_teeWorkflows
branch
from
f4e51a4 to
937bc20
Compare
nolag
force-pushed
the
rtinianov_teeWorkflows
branch
2 times, most recently
from
8441040 to
da5bccc
Compare
nolag
force-pushed
the
rtinianov_teeWorkflows
branch
3 times, most recently
from
d5fedb0 to
e01fae1
Compare
…, not just region.
nolag
force-pushed
the
rtinianov_teeWorkflows
branch
from
e01fae1 to
8e8598d
Compare
product-security-plaid-production
Bot
requested review from
Unheilbar,
hendoxc,
patrickhuie19 and
silaslenihan
hendoxc
previously approved these changes
May 20, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces workflow “requirements” support focused on requesting a Trusted Execution Environment (TEE), and adds host-side selection/routing utilities so workflows (and capabilities) can advertise and satisfy TEE constraints.
Changes:
- Adds TEE requirement evaluation utilities (
teeProvider, selection provider, and a generatedCheckRequirementshelper) and aRequirementSelectingModulerouter to execute triggers on a module that can satisfy subscription requirements. - Updates WASM host tests/standard test binaries to exercise TEE requirements in subscriptions, plus adds negative requirement test WASM binaries.
- Updates capability/proto-generated code and dependency versions to include new TEE-related API surface (e.g., confidential workflow fields / ProvidedTees).
Reviewed changes
Copilot reviewed 24 out of 40 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflows/wasm/host/wasm_nodag_test.go | Switches to shared host ExecutionHelper mock package. |
| pkg/workflows/wasm/host/time_test.go | Switches to shared host ExecutionHelper mock package. |
| pkg/workflows/wasm/host/test/requirements/invalid_proto/main_wasip1.go | Adds a WASM test binary that sends invalid proto requirements bytes. |
| pkg/workflows/wasm/host/test/requirements/invalid_memory/main_wasip1.go | Adds a WASM test binary that sends invalid memory pointer/len for requirements. |
| pkg/workflows/wasm/host/standard_tests/tee_runtime/main_wasip1.go | Adds a WASM test binary that subscribes with a TEE requirement on one trigger. |
| pkg/workflows/wasm/host/standard_test.go | Adds a standard test validating TEE requirements are emitted in subscriptions; refactors module creation to accept config. |
| pkg/workflows/wasm/host/module.go | Re-exports/aliases module interfaces from new pkg/workflows/host package. |
| pkg/workflows/wasm/host/module_test.go | Switches to shared host ExecutionHelper mock package. |
| pkg/workflows/wasm/host/mocks/module_v2.go | Replaces generated mock with backward-compatible alias to new host module mock. |
| pkg/workflows/wasm/host/internal/rawsdk/helpers_wasip1.go | Ensures SendSubscription exits after sending response (aligns with other helpers). |
| pkg/workflows/host/tee_selection_provider.go | Adds helper to build a provider predicate from available TEE types/regions. |
| pkg/workflows/host/tee_selection_provider_test.go | Adds test coverage for selection-provider behavior across shapes and cases. |
| pkg/workflows/host/tee_provider.go | Adds TEE provider predicate for matching requested type/regions. |
| pkg/workflows/host/tee_provider_test.go | Adds tests for TEE provider behavior. |
| pkg/workflows/host/requirements_helper_gen.go | Adds generated requirement-checking helper for sdk.Requirements. |
| pkg/workflows/host/requirements_helper_gen_test.go | Adds tests for unknown proto fields and handler behavior. |
| pkg/workflows/host/requirements_gen/requirements_helper.go.tmpl | Adds generator template for requirements helper. |
| pkg/workflows/host/requirements_gen/main.go | Adds generator main to produce/format the requirements helper. |
| pkg/workflows/host/requirement_selecting_module.go | Adds router module that selects a runner per-trigger based on subscription requirements. |
| pkg/workflows/host/requirement_selecting_module_test.go | Adds extensive tests for routing, caching, and lazy start/close behavior. |
| pkg/workflows/host/module.go | Introduces shared host Module/ExecutionHelper interfaces and requirement-enforcing hook. |
| pkg/workflows/host/mocks/module.go | Adds mock for new host Module interface. |
| pkg/workflows/host/mocks/execution_helper.go | Adds mock for new host ExecutionHelper interface. |
| pkg/workflows/host/mock_execution_helper_test.go | Adds in-package test-only mock for ExecutionHelper used by host tests. |
| pkg/workflows/artifacts/artifacts_test.go | Updates expected artifact hashes/content checks to match new build output. |
| pkg/settings/cresettings/settings.go | Formatting/alignment changes in schema defaults/struct fields. |
| pkg/loop/config.go | Formatting/alignment changes for env constants and config struct fields. |
| pkg/capabilities/v2/protoc/pkg/template_generator.go | Adds TeeEnabled helper and simplifies metadata mapping logic. |
| pkg/capabilities/v2/chain-capabilities/evm/client.pb.go | Updates generated proto output to new descriptor content. |
| pkg/capabilities/v2/actions/http/client.pb.go | Updates generated proto output to new descriptor content. |
| pkg/capabilities/v2/actions/confidentialworkflow/server/client_server_gen.go | Adds ProvidedTees method wiring to generated client/server glue. |
| pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go | Updates generated proto types to include requirements/TEE and new RPC response types. |
| pkg/capabilities/errors/error_codes.go | Formatting-only map alignment changes. |
| pkg/beholder/config.go | Formatting/alignment changes. |
| pkg/beholder/config_test.go | Formatting/alignment changes. |
| pkg/beholder/client_test.go | Formatting/alignment changes. |
| pkg/beholder/chip_ingress_emitter.go | Formatting/alignment change. |
| go.mod | Bumps chainlink-protos/cre/go dependency version. |
| go.sum | Updates checksums for bumped dependency. |
| .mockery.yaml | Updates mockery config to generate mocks for new host interfaces and adjust execution helper mock naming. |
Files not reviewed (7)
- pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go: Language not supported
- pkg/capabilities/v2/actions/confidentialworkflow/server/client_server_gen.go: Language not supported
- pkg/capabilities/v2/actions/http/client.pb.go: Language not supported
- pkg/capabilities/v2/chain-capabilities/evm/client.pb.go: Language not supported
- pkg/workflows/host/mocks/execution_helper.go: Language not supported
- pkg/workflows/host/mocks/module.go: Language not supported
- pkg/workflows/host/requirements_helper_gen.go: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+22
to
+35
| return func(tee *sdkpb.Tee) bool { | ||
| switch teet := tee.Item.(type) { | ||
| case *sdkpb.Tee_AnyRegions: | ||
| for _, provider := range providers { | ||
| if provider(tee) { | ||
| return true | ||
| } | ||
| } | ||
|
|
||
| return false | ||
| case *sdkpb.Tee_TeeTypesAndRegions: | ||
| for _, requestedType := range teet.TeeTypesAndRegions.TeeTypeAndRegions { | ||
| provider, ok := providers[requestedType.Type] | ||
| if !ok { |
Comment on lines
621
to
625
| absPath, err := filepath.Abs(testPath) | ||
| require.NoError(t, err, "Failed to get absolute path for test directory") | ||
| cmd.Dir = absPath | ||
| fmt.Printf("Compiling test module from %s with command %s\n:", cmd.Dir, cmd.String()) | ||
|
|
Comment on lines
+16
to
+27
| // lazyModule wraps a ModuleAndHandler so that Start is called at most once. | ||
| type lazyModule struct { | ||
| ModuleAndHandler | ||
| startOnce sync.Once | ||
| started bool | ||
| } | ||
|
|
||
| func (l *lazyModule) ensureStarted() { | ||
| l.startOnce.Do(func() { | ||
| l.Module.Start() | ||
| l.started = true | ||
| }) |
Comment on lines
+146
to
+167
| t.Run("AnyRegions with empty region list returns false", func(t *testing.T) { | ||
| provides := NewTeeProvider(sdkpb.TeeType_TEE_TYPE_AWS_NITRO, []string{"us-west-2"}) | ||
| tee := &sdkpb.Tee{Item: &sdkpb.Tee_AnyRegions{AnyRegions: &sdkpb.Regions{}}} | ||
| assert.True(t, provides(tee)) | ||
| }) | ||
|
|
||
| t.Run("TeeTypesAndRegions with empty region list returns true", func(t *testing.T) { | ||
| provides := NewTeeProvider(sdkpb.TeeType_TEE_TYPE_AWS_NITRO, []string{"us-west-2"}) | ||
| tee := &sdkpb.Tee{Item: &sdkpb.Tee_TeeTypesAndRegions{TeeTypesAndRegions: &sdkpb.TeeTypesAndRegions{ | ||
| TeeTypeAndRegions: []*sdkpb.TeeTypeAndRegions{ | ||
| {Type: sdkpb.TeeType_TEE_TYPE_AWS_NITRO}, | ||
| }, | ||
| }}} | ||
| assert.True(t, provides(tee)) | ||
| }) | ||
|
|
||
| t.Run("TeeTypesAndRegions with nil regions returns false", func(t *testing.T) { | ||
| provides := NewTeeProvider(sdkpb.TeeType_TEE_TYPE_AWS_NITRO, []string{"us-west-2"}) | ||
| tee := &sdkpb.Tee{Item: &sdkpb.Tee_TeeTypesAndRegions{TeeTypesAndRegions: &sdkpb.TeeTypesAndRegions{ | ||
| TeeTypeAndRegions: []*sdkpb.TeeTypeAndRegions{ | ||
| {Type: sdkpb.TeeType_TEE_TYPE_AWS_NITRO, Regions: nil}, | ||
| }, |
| ) | ||
|
|
||
| // RequirementsHandler contains a callback for each public field in sdk.Requirements. | ||
| // Each callback receives the field value and returns a list of strings or an error. |
… the public package
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.