{"id":50672915,"url":"https://github.com/oasisprotocol/build-deploy-rofl-action","last_synced_at":"2026-06-08T13:02:14.753Z","repository":{"id":328262465,"uuid":"1076870009","full_name":"oasisprotocol/build-deploy-rofl-action","owner":"oasisprotocol","description":"GitHub Action to build and deploy your app into Oasis ROFL","archived":false,"fork":false,"pushed_at":"2026-01-15T09:09:32.000Z","size":987,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-01-15T14:57:27.636Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oasisprotocol.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-15T13:08:31.000Z","updated_at":"2026-01-15T09:09:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/oasisprotocol/build-deploy-rofl-action","commit_stats":null,"previous_names":["oasisprotocol/build-deploy-rofl-action"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oasisprotocol/build-deploy-rofl-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oasisprotocol%2Fbuild-deploy-rofl-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oasisprotocol%2Fbuild-deploy-rofl-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oasisprotocol%2Fbuild-deploy-rofl-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oasisprotocol%2Fbuild-deploy-rofl-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oasisprotocol","download_url":"https://codeload.github.com/oasisprotocol/build-deploy-rofl-action/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oasisprotocol%2Fbuild-deploy-rofl-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34063159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-08T13:02:13.868Z","updated_at":"2026-06-08T13:02:14.747Z","avatar_url":"https://github.com/oasisprotocol.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Oasis ROFL GitHub Action\n\nA GitHub Action to build and deploy your app into [Oasis ROFL] using the [Oasis\nCLI], enabling seamless interaction with the [Oasis] technologies from your\nCI/CD pipelines.\n\n[Oasis ROFL]: https://docs.oasis.io/build/rofl/\n[Oasis CLI]: https://docs.oasis.io/build/tools/cli/\n[Oasis]: https://oasis.net/\n\n\u003e **Live Example:** See [ptrus/test-rofl](https://github.com/ptrus/test-rofl)\n\u003e for a complete working example with all CI/CD scenarios.\n\n## Usage\n\n### 1. Validate Only\n\nCatch config errors early without waiting for a full build.\n\n```yaml\n# Web2 equivalent: Linting or config validation (like `docker-compose config`)\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: testnet\n    only_validate: true\n```\n\n### 2. Build Only\n\nVerify your app compiles successfully.\n\n```yaml\n# Web2 equivalent: `docker build` without `docker push`\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: testnet\n    skip_update: true\n    skip_deploy: true\n```\n\n### 3. Build + Verify (reproducible builds)\n\nEnsure your local build produces the exact same artifact as what's registered\non-chain. Verification is enabled by default - builds fail if enclave IDs don't\nmatch the manifest.\n\n```yaml\n# Web2 equivalent: Verifying a Docker image hash matches what's in production\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: mainnet\n    skip_update: true\n    skip_deploy: true\n```\n\n### 3b. Test Deployment (auto-update manifest)\n\nFor test/dev environments where you want automatic enclave ID updates.\n\n```yaml\n# WARNING: Not for production - enclave IDs should be committed to source control\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: testnet\n    update_manifest: true\n    wallet_account: deployer\n    wallet_import: true\n    wallet_secret: ${{ secrets.WALLET_SECRET }}\n    wallet_algorithm: secp256k1-raw\n```\n\n### 4. Full Deployment\n\nBuild, update on-chain config, and deploy to ROFL nodes.\n\n```yaml\n# Web2 equivalent: `docker build \u0026\u0026 docker push \u0026\u0026 kubectl apply`\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: mainnet\n    wallet_account: deployer\n    wallet_import: true\n    wallet_secret: ${{ secrets.WALLET_SECRET }}\n    wallet_algorithm: secp256k1-raw\n```\n\n### 5. Safe Multisig Deployment\n\nPropose transactions to a [Safe multisig](https://safe.oasis.io/) for team\napproval. No single person has deploy access.\n\nSafe mode automatically enables when `safe_address` is provided. The\n`safe_proposer_key` is the private key of an EOA that is an owner of the Safe -\nthis account proposes the transaction for other owners to approve via the Safe\nUI.\n\n```yaml\n# Web2 equivalent: Creating a deployment PR that requires multiple approvals\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: mainnet\n    unsigned: true\n    format: cbor\n    update_output_file: update.cbor\n    skip_deploy: true\n    safe_address: ${{ vars.SAFE_ADDRESS }}\n    safe_proposer_key: ${{ secrets.SAFE_PROPOSER_KEY }}\n```\n\nHow it works in CI:\n\n- The action builds and produces unsigned CBOR transactions.\n- It proposes them to the Safe Transaction Service (no on-chain change yet).\n- Safe owners approve/execute in the Safe UI; only then does the upgrade land.\n- Use `safe_dry_run: true` to exercise the full flow (including signing) without\n  submitting to the service.\n\n### 6. Generate Unsigned Transactions\n\nGenerate transaction files for manual signing (e.g., with a hardware wallet).\n\n```yaml\n# Web2 equivalent: Generating deployment manifests for manual review/apply\n- uses: oasisprotocol/build-deploy-rofl-action@v1\n  with:\n    network: mainnet\n    unsigned: true\n    format: cbor\n    update_output_file: update.cbor\n    deploy_output_file: deploy.cbor\n    skip_deploy: true\n```\n\n### 7. Check for Updates (scheduled)\n\nAutomatically check for artifact updates and create a PR when updates are\navailable. Perfect for scheduled workflows to keep your ROFL app up-to-date.\n\n```yaml\nname: Check ROFL Updates\non:\n  schedule:\n    - cron: '0 9 * * 1' # Weekly on Monday at 9am\n  workflow_dispatch:\n\njobs:\n  check-updates:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n      pull-requests: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: oasisprotocol/build-deploy-rofl-action@v1\n        with:\n          check_updates: true\n          create_update_pr: true\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n```\n\nThis runs `oasis rofl upgrade` to check for newer artifact versions and creates\na PR if updates are found.\n\n\u003e **Note:** You must enable \"Allow GitHub Actions to create and approve pull\n\u003e requests\" in your repository settings (Settings → Actions → General → Workflow\n\u003e permissions) for PR creation to work.\n\n## Inputs\n\n### Core Inputs\n\n| Input               | Description                             | Required | Default      |\n| ------------------- | --------------------------------------- | -------- | ------------ |\n| `cli_version`       | Oasis CLI version to install            | No       | `latest`     |\n| `wallet_account`    | Oasis CLI account for wallet operations | No       | `test:alice` |\n| `network`           | Network to use                          | No       | `mainnet`    |\n| `deployment`        | Deployment name                         | No       | `default`    |\n| `working_directory` | Directory to run ROFL commands in       | No       | `.`          |\n\n### Auto-Update Options\n\n| Input              | Description                                   | Required | Default |\n| ------------------ | --------------------------------------------- | -------- | ------- |\n| `check_updates`    | Run `oasis rofl upgrade` to check for updates | No       | `false` |\n| `create_update_pr` | Create a PR if updates are found              | No       | `false` |\n\n### Build Options\n\n| Input             | Description                       | Required | Default |\n| ----------------- | --------------------------------- | -------- | ------- |\n| `offline`         | No network access during build    | No       | `false` |\n| `only_validate`   | Validate without building         | No       | `false` |\n| `output`          | Output bundle filename            | No       | -       |\n| `verify`          | Verify build against manifest     | No       | `true`  |\n| `update_manifest` | Auto-update rofl.yaml enclave IDs | No       | `false` |\n| `verbose`         | Verbose output                    | No       | `false` |\n| `no_container`    | Don't use containerized builder   | No       | `false` |\n\n\u003e **Note:** By default, builds verify that enclave IDs match the manifest and\n\u003e fail on mismatch. Set `update_manifest: true` for test deployments where you\n\u003e want to allow manifest updates. Not recommended for production.\n\n### Skip Flags\n\n| Input         | Description               | Required | Default |\n| ------------- | ------------------------- | -------- | ------- |\n| `skip_build`  | Skip the ROFL build step  | No       | `false` |\n| `skip_update` | Skip the ROFL update step | No       | `false` |\n| `skip_deploy` | Skip the ROFL deploy step | No       | `false` |\n\n### Transaction Options\n\n| Input                | Description                           | Required | Default |\n| -------------------- | ------------------------------------- | -------- | ------- |\n| `format`             | Transaction format (`json` or `cbor`) | No       | `json`  |\n| `unsigned`           | Don't sign transaction                | No       | `false` |\n| `nonce`              | Explicit transaction nonce            | No       | -       |\n| `gas_limit`          | Gas limit                             | No       | -       |\n| `gas_price`          | Gas price                             | No       | -       |\n| `output_file`        | Output transaction to file            | No       | -       |\n| `update_output_file` | Output file for update transaction    | No       | -       |\n| `deploy_output_file` | Output file for deploy transaction    | No       | -       |\n\n### Wallet Options\n\n| Input              | Description                | Required | Default |\n| ------------------ | -------------------------- | -------- | ------- |\n| `wallet_import`    | Import wallet before build | No       | `false` |\n| `wallet_secret`    | Mnemonic or private key    | No       | -       |\n| `wallet_algorithm` | Cryptographic algorithm    | No       | -       |\n| `wallet_number`    | Key derivation number      | No       | -       |\n\n**Supported algorithms:**\n\n- **Mnemonic-based** (BIP-39 phrase): `ed25519-adr8`, `secp256k1-bip44`,\n  `sr25519-adr8`\n- **Raw private key** (hex): `ed25519-raw`, `secp256k1-raw`, `sr25519-raw`\n\nUse `secp256k1-bip44` for Sapphire/EVM with a mnemonic, or `secp256k1-raw` with\na private key.\n\n### Safe Wallet Options\n\nSafe mode is enabled automatically when `safe_address` is provided. Requires\n`skip_deploy: true`. RPC URL, service URL, and chain ID are auto-detected from\nthe `network` input.\n\n| Input               | Description                  | Required | Default           |\n| ------------------- | ---------------------------- | -------- | ----------------- |\n| `safe_address`      | Safe contract address        | No       | -                 |\n| `safe_proposer_key` | Proposer private key         | No       | -                 |\n| `safe_rpc_url`      | Chain RPC URL                | No       | Auto from network |\n| `safe_service_url`  | Safe transaction service URL | No       | Auto from network |\n| `safe_chain_id`     | Chain ID                     | No       | Auto from network |\n| `safe_dry_run`      | Build/sign but do not submit | No       | `false`           |\n\nWhen using Safe mode, generate offline transactions (e.g., `format: cbor`,\n`unsigned: true`, `update_output_file`/`deploy_output_file`) and skip live\nupdate/deploy. The Safe proposer path is meant to produce artifacts for multisig\napproval, not to broadcast directly.\n\n## Outputs\n\n| Output              | Description                                    |\n| ------------------- | ---------------------------------------------- |\n| `build_output`      | Path to the built ROFL ORC bundle              |\n| `update_file`       | Path to the update transaction file            |\n| `deploy_file`       | Path to the deploy transaction file            |\n| `safe_tx_hash`      | Hash of the proposed Safe transaction          |\n| `update_pr_url`     | URL of the created PR (when using auto-update) |\n| `updates_available` | Whether updates are available (`true`/`false`) |\n\n## About Oasis ROFL\n\nRuntime off-chain logic (ROFL) enables you to wrap applications in trusted\nexecution environment (TEE) containers managed through [Oasis Sapphire]. This\nframework is ideal for deploying provably trusted oracles, compute-expensive\ntasks in AI or a backend for interactive games.\n\nROFL supports:\n\n- Docker-like containers or single-executable apps depending on your TCB demand\n  and threat model\n- Privacy and integrity through Intel SGX/TDX including fully auditable history\n  of updates\n- Uncensorable registration, management and deployment of your app on a\n  permissionless pool of ROFL nodes including billing\n- Built-in Key Management Service (KMS) for storing your app secrets and secure\n  derivation of keys within TEE\n- Integration with [Oasis Sapphire] enables EVM-compatible smart contracts to\n  verify the ROFL transaction origin\n\n[Oasis Sapphire]: https://docs.oasis.io/build/sapphire/\n\n## License\n\nThis project is licensed under the Apache License 2.0. See the\n[LICENSE](LICENSE) file for details.\n\nThis project is a fork of [GitHub Actions TypeScript template], which was\nlicensed under the MIT License. The original license and copyright notice are\npreserved in the [LICENSE-MIT](LICENSE-MIT) file.\n\n[GitHub Actions TypeScript template]:\n  https://github.com/actions/typescript-action\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foasisprotocol%2Fbuild-deploy-rofl-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foasisprotocol%2Fbuild-deploy-rofl-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foasisprotocol%2Fbuild-deploy-rofl-action/lists"}