diff --git a/Makefile b/Makefile
index e63ce3c3..fe04fb92 100644
--- a/Makefile
+++ b/Makefile
@@ -1,10 +1,6 @@
 # Convenience targets for local dev and CI.
-# format/format-check apply the unified ruff config to both packages.
-# lint + typecheck stay scoped to deploy_gcp until deploy_tee is wired
-# into CI (separate change).
-PKG := deploy_gcp
-FMT_PKG := deploy_gcp deploy_tee
+PKG := deploy_gcp deploy_tee
 .PHONY: help lint format format-check typecheck check
@@ -22,10 +18,10 @@ lint:
 uv run ruff check $(PKG)
 format:
- uv run ruff format $(FMT_PKG)
+ uv run ruff format $(PKG)
 format-check:
- uv run ruff format --check $(FMT_PKG)
+ uv run ruff format --check $(PKG)
 typecheck:
 uv run ty check $(PKG)
diff --git a/deploy_tee/cloud/azure/api.py b/deploy_tee/cloud/azure/api.py
index 321757e6..a294bfaf 100644
--- a/deploy_tee/cloud/azure/api.py
+++ b/deploy_tee/cloud/azure/api.py
@@ -440,7 +440,14 @@ def _copy_disk(
 ) -> None:
 # Copy disk
 logger.info("Copying disk")
- cmd = ["azcopy", "copy", image_path, sas_uri, "--blob-type", "PageBlob"]
+ cmd = [
+ "azcopy",
+ "copy",
+ str(image_path),
+ sas_uri,
+ "--blob-type",
+ "PageBlob",
+ ]
 cls.run_command(cmd, show_logs=show_logs)
 @classmethod
@@ -520,7 +527,7 @@ def add_nsg_rule(
 cls.run_command(cmd, show_logs=config.show_logs)
 @staticmethod
- def get_nsg_rules(config: DeployConfigs) -> list[str]:
+ def get_nsg_rules(config: DeployConfigs) -> list[tuple[str, ...]]:
 tcp_rules = [
 (f"Allow{port}", f"{103 + i}", f"{port}", "tcp", "*", f"TCP {port} rule")
 for i, port in enumerate(OPEN_PORTS)
diff --git a/deploy_tee/cloud/gcp/api.py b/deploy_tee/cloud/gcp/api.py
index 6d5cc58d..19c70ad7 100644
--- a/deploy_tee/cloud/gcp/api.py
+++ b/deploy_tee/cloud/gcp/api.py
@@ -12,6 +12,7 @@ import time
 from pathlib import Path
+from google.api_core.extended_operation import ExtendedOperation
 from google.cloud import compute_v1, resourcemanager_v3, storage
 from deploy_tee.cloud.azure.api import AzureApi
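Review bot: `sas_uri` goes into the azcopy argv as a plain element, so the SAS token it carries — a bearer credential for the destination blob — is visible in the process list for the whole copy and will land in logs if `cls.run_command` echoes the command when `show_logs` is set; `run_command` is outside this hunk, so I cannot confirm what it prints. If it does echo `cmd`, log a redacted copy (strip the query string of `sas_uri`) rather than the list itself, and mark the intent at the call site with `# sas_uri carries a bearer token: never log cmd unredacted`. `_copy_disk` begins before this hunk.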
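Review bot: The new annotation `list[tuple[str, ...]]` on `get_nsg_rules` records that entries are string tuples but not their arity or field order, so a caller that unpacks the six positions (name, priority, port, protocol, source, description, judging from the one tuple visible here) gets no help from the type checker. A `NamedTuple` with those six fields, or at least the fixed-arity `tuple[str, str, str, str, str, str]`, would make the contract checkable and would also document that the second element is a priority and the fifth a source prefix. The function body continues past the end of the hunk.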
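Review bot: The added `from google.api_core.extended_operation import ExtendedOperation` imports from `google-api-core`, which reaches this project only as a transitive dependency of `google-cloud-compute` unless it is declared directly; the visible part of the pyproject hunk further down lists no `google-api-core` entry, so this may be relying on a transitive package that a future resolver or upstream change could drop or rename. If it is indeed undeclared, adding `google-api-core` to `dependencies` makes the contract explicit and keeps `ty` resolving the type on a clean install. Hedged, since the rest of the dependency list is outside this diff.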
@@ -33,7 +34,7 @@
 # Disk Operations
 def wait_for_extended_operation(
- operation: compute_v1.Operation,
+ operation: ExtendedOperation,
 operation_name: str,
 timeout: int = 600,
 ) -> None:
diff --git a/deploy_tee/image/measurements.py b/deploy_tee/image/measurements.py
index e0a282ec..82de70ff 100644
--- a/deploy_tee/image/measurements.py
+++ b/deploy_tee/image/measurements.py
@@ -13,10 +13,11 @@ def write_measurements_tmpfile(measurements: Measurements) -> Path:
- measurements_tmpfile = Path(tempfile.mktemp())
- with open(measurements_tmpfile, "w+") as f:
+ # delete=False: the caller (Deployer) reads this file later and removes
+ # it in cleanup().
+ with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
 json.dump([measurements], f)
- return measurements_tmpfile
+ return Path(f.name)
 def generate_measurements(image_path: Path, home: str) -> Measurements:
diff --git a/deploy_tee/pulumi/seismic_node/Pulumi.yaml b/deploy_tee/pulumi/seismic_node/Pulumi.yaml
index 56151377..2bfe6566 100644
--- a/deploy_tee/pulumi/seismic_node/Pulumi.yaml
+++ b/deploy_tee/pulumi/seismic_node/Pulumi.yaml
@@ -4,6 +4,6 @@ runtime:
 name: python
 options:
 # Use the repo-wide venv managed by uv at the deploy/ root.
- # Operator runs `uv sync --group pulumi` once from the repo root
- # to install pulumi + pulumi-azure-native into ../../.venv.
+ # Operator runs `uv sync` once from the repo root to install deps
+ # (incl. pulumi + pulumi-azure-native) into ../../../.venv.
 virtualenv: ../../../.venv
diff --git a/deploy_tee/pulumi/seismic_node/README.md b/deploy_tee/pulumi/seismic_node/README.md
index 5d4dbb5f..7cc8b40f 100644
--- a/deploy_tee/pulumi/seismic_node/README.md
+++ b/deploy_tee/pulumi/seismic_node/README.md
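Review bot: If `json.dump([measurements], f)` raises (an unserializable field in `measurements`, or a write error), the file created with `delete=False` is left behind, because nothing on the failure path removes it and the caller's `cleanup()` only runs after a successful return. Unlinking `Path(f.name)` in an `except` before re-raising closes that gap, as below. The new comment explains `delete=False` but not why the switch away from `tempfile.mktemp()` matters: `NamedTemporaryFile` creates the file exclusively (O_EXCL) with mode 0600, which removes the predictable-name race of `mktemp()`, so a line such as `# NamedTemporaryFile creates the file exclusively with mode 0600; mktemp() only returned a guessable name.` is worth adding next to it.
```python
    with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
        try:
            json.dump([measurements], f)
        except BaseException:
            # A half-written file would never be read: remove it before re-raising.
            Path(f.name).unlink(missing_ok=True)
            raise
    return Path(f.name)
```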
@@ -43,14 +43,14 @@ Stack outputs: macOS) and authenticated to a state backend. Local file works for personal/dev deployments: `pulumi login --local`.
- `az login` for the Azure provider.
-- Pulumi Python deps installed into the repo's shared venv:
+- Python deps installed into the repo's shared venv:
 ```bash
 # from repo root
- uv sync --group pulumi
+ uv sync
 ```
- Adds `pulumi` + `pulumi-azure-native` into `.venv/`. Pulumi.yaml
- here is configured to use that venv via `virtualenv: ../../../.venv`,
- so `pulumi up` finds it automatically.
+ Installs `pulumi` + `pulumi-azure-native` (regular deps) into
+ `.venv/`. Pulumi.yaml here is configured to use that venv via
+ `virtualenv: ../../../.venv`, so `pulumi up` finds it automatically.
 ## Deploy
diff --git a/deploy_tee/tests/test_manifest.py b/deploy_tee/tests/test_manifest.py
index 64530fd2..060fe677 100644
--- a/deploy_tee/tests/test_manifest.py
+++ b/deploy_tee/tests/test_manifest.py
@@ -277,7 +277,8 @@ def _assemble(self, **overrides) -> AssembledManifest:
 "genesis_hash_fn": lambda _p: self.ETH_HASH,
 }
 kwargs.update(overrides)
- return assemble(**kwargs)
+ # ty can't verify a **kwargs dict-splat against typed params.
+ return assemble(**kwargs) # ty: ignore[invalid-argument-type]
 def _ctx(self, **overrides) -> GateContext:
 kwargs = {
@@ -287,7 +288,8 @@ def _ctx(self, **overrides) -> GateContext:
 "genesis_hash_fn": lambda _p: self.ETH_HASH,
 }
 kwargs.update(overrides)
- return GateContext(**kwargs)
+ # ty can't verify a **kwargs dict-splat against typed params.
+ return GateContext(**kwargs) # ty: ignore[invalid-argument-type]
 def test_assemble_passes_gates_and_is_deterministic(self):
 first = self._assemble()
diff --git a/deploy_tee/utils/summit_client.py b/deploy_tee/utils/summit_client.py
index 174400d9..d666bac2 100644
--- a/deploy_tee/utils/summit_client.py
+++ b/deploy_tee/utils/summit_client.py
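Review bot: The `# ty: ignore[invalid-argument-type]` added to `return assemble(**kwargs)` suppresses every argument-type error at that call, so a test override that passes a wrongly typed value would now also slip past the type checker; the same suppression is added to `return GateContext(**kwargs)` in the next hunk. Annotating the literal as `kwargs: dict[str, Any] = {` may be enough for ty to accept the splat without any ignore — I have not confirmed ty's handling of `Any`-valued splats, so treat that as a thing to try. If the suppression has to stay, the one-line reason comment above it is the right practice; keep the two in step in both helpers.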
@@ -27,7 +27,7 @@ def _get(self, path: str) -> str:
 response.raise_for_status()
 return response.text
- def _get_json(self, path: str) -> str:
+ def _get_json(self, path: str) -> Json:
 response = requests.get(f"{self.url}/{path}")
 response.raise_for_status()
 return response.json()
diff --git a/pyproject.toml b/pyproject.toml
index 74331bf5..71a2fed5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,17 +26,13 @@ dependencies = [
 "eth-account>=0.13.0",
 "azure-identity>=1.19.0",
 "azure-mgmt-compute>=33.0.0",
+ # pulumi is used to provision TDX CVMs under deploy_tee.
+ "pulumi>=3.130.0",
+ "pulumi-azure-native>=2.60.0",
 ]
 [dependency-groups]
 dev = ["ruff>=0.8.0", "ty>=0.0.1a1"]
-# Pulumi-CLI program lives at deploy_tee/pulumi/. Heavy deps
-# (pulumi-azure-native is ~150MB), so opt-in via:
-# uv sync --group pulumi
-pulumi = [
- "pulumi>=3.130.0",
- "pulumi-azure-native>=2.60.0",
-]
 [project.scripts]
 seismic-deploy = "deploy_gcp.seismic_deploy.cli:cli"
diff --git a/uv.lock b/uv.lock
index 01b78341..97faea30 100644
--- a/uv.lock
+++ b/uv.lock
@@ -687,6 +687,8 @@ dependencies = [
 { name = "packaging" },
 { name = "pathspec" },
 { name = "platformdirs" },
+ { name = "pulumi" },
+ { name = "pulumi-azure-native" },
 { name = "pydantic" },
 { name = "requests" },
 { name = "seismic-web3" },
@@ -698,10 +700,6 @@ dev = [
 { name = "ruff" },
 { name = "ty" },
 ]
-pulumi = [
- { name = "pulumi" },
- { name = "pulumi-azure-native" },
-]
 [package.metadata]
 requires-dist = [
@@ -719,6 +717,8 @@ requires-dist = [
 { name = "packaging", specifier = ">=25.0" },
 { name = "pathspec", specifier = ">=0.12.1" },
 { name = "platformdirs", specifier = ">=4.5.0" },
+ { name = "pulumi", specifier = ">=3.130.0" },
+ { name = "pulumi-azure-native", specifier = ">=2.60.0" },
 { name = "pydantic", specifier = ">=2.0" },
 { name = "requests", specifier = ">=2.32.5" },
 { name = "seismic-web3" },
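Review bot: `_get_json` now advertises a `Json` return, but the `requests.get(f"{self.url}/{path}")` call directly under the changed signature (and the matching call in `_get` above it) passes no `timeout`, and `requests` never times out on its own, so an unresponsive remote blocks the deploy indefinitely. Give it an explicit bound, e.g. `response = requests.get(f"{self.url}/{path}", timeout=30)` (value illustrative; a module-level constant shared by both helpers is cleaner), so a stalled endpoint surfaces as a `requests.Timeout` the caller can act on. `Json` is not defined in the hunk — presumably an alias imported near the top of the file; confirm it exists so the annotation resolves under `ty`.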
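Review bot: Moving `pulumi` and `pulumi-azure-native` into the mandatory `dependencies` list drops the rationale the removed comment gave for keeping them opt-in (the ~150 MB footprint), and every installer of the package — `deploy_gcp`-only users and any CI job that never touches `deploy_tee` — now pulls the Pulumi provider and its transitive tree into the default install, widening the code that ships by default. If the driver is only that `ty`/`ruff` need the modules importable, an `[project.optional-dependencies]` extra (e.g. `tee = ["pulumi>=3.130.0", "pulumi-azure-native>=2.60.0"]`) installed in CI via `uv sync --all-extras` keeps the default surface smaller while still type-checking `deploy_tee`. The new `# pulumi is used to provision TDX CVMs under deploy_tee.` comment is useful; carrying the size note alongside it would preserve the trade-off for the next reader.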
@@ -730,10 +730,6 @@ dev = [
 { name = "ruff", specifier = ">=0.8.0" },
 { name = "ty", specifier = ">=0.0.1a1" },
 ]
-pulumi = [
- { name = "pulumi", specifier = ">=3.130.0" },
- { name = "pulumi-azure-native", specifier = ">=2.60.0" },
-]
 [[package]]
 name = "dill"