Enable workflows to request a TEE

[nolag]

No description provided.

[github-actions]

⚠️ API Diff Results - github.com/smartcontractkit/chainlink-common

⚠️ Breaking Changes (21)

pkg/capabilities/v2/actions/confidentialworkflow (1)

• SecretIdentifier — 🗑️ Removed

pkg/capabilities/v2/actions/confidentialworkflow.(*ConfidentialWorkflowRequest) (1)

• GetVaultDonSecrets — 🗑️ Removed

pkg/capabilities/v2/actions/confidentialworkflow.(*ConfidentialWorkflowResponse) (1)

• GetExecutionResult — Type changed:

func(
)
- []byte
+ *github.com/smartcontractkit/chainlink-protos/cre/go/sdk.ExecutionResult

pkg/capabilities/v2/actions/confidentialworkflow.(*WorkflowExecution) (2)

• GetBinaryUrl — 🗑️ Removed

• GetExecuteRequest — Type changed:

func(
)
- []byte
+ *github.com/smartcontractkit/chainlink-protos/cre/go/sdk.ExecuteRequest

pkg/capabilities/v2/actions/confidentialworkflow.ConfidentialWorkflowRequest (1)

• VaultDonSecrets — 🗑️ Removed

pkg/capabilities/v2/actions/confidentialworkflow.ConfidentialWorkflowResponse (1)

• ExecutionResult — Type changed:

  - []byte
  + *github.com/smartcontractkit/chainlink-protos/cre/go/sdk.ExecutionResult
)

pkg/capabilities/v2/actions/confidentialworkflow.WorkflowExecution (2)

• BinaryUrl — 🗑️ Removed

• ExecuteRequest — Type changed:

  - []byte
  + *github.com/smartcontractkit/chainlink-protos/cre/go/sdk.ExecuteRequest
)

pkg/capabilities/v2/actions/confidentialworkflow/server.ClientCapability (1)

• ProvidedTees — ➕ Added

pkg/workflows/wasm/host (3)

• ExecutionHelper — Type changed:

  - ExecutionHelper
  + github.com/smartcontractkit/chainlink-common/pkg/workflows/host.ExecutionHelper
)

• ModuleBase — Type changed:

  - ModuleBase
  + github.com/smartcontractkit/chainlink-common/pkg/workflows/host.ModuleBase
)

• ModuleV2 — Type changed:

  - ModuleV2
  + github.com/smartcontractkit/chainlink-common/pkg/workflows/host.Module
)

pkg/workflows/wasm/host.(*module) (1)

• Execute — Type changed:

func(
  context.Context, 
  *github.com/smartcontractkit/chainlink-protos/cre/go/sdk.ExecuteRequest, 
  ExecutionHelper
)
(*github.com/smartcontractkit/chainlink-protos/cre/go/sdk.ExecutionResult, error)

pkg/workflows/wasm/host/mocks (7)

• ModuleV2 — Type changed:

  - ModuleV2
  + github.com/smartcontractkit/chainlink-common/pkg/workflows/host/mocks.Module
)

• ModuleV2_Close_Call — 🗑️ Removed

• ModuleV2_Execute_Call — 🗑️ Removed

• ModuleV2_Expecter — 🗑️ Removed

• ModuleV2_IsLegacyDAG_Call — 🗑️ Removed

• ModuleV2_Start_Call — 🗑️ Removed

• NewModuleV2 — Type changed:

func(
  interface{Cleanup(func()); github.com/stretchr/testify/mock.TestingT}
)
*ModuleV2

✅ Compatible Changes (9)

package github (3)

• com/smartcontractkit/chainlink-common/pkg/workflows/host — ➕ Added

• com/smartcontractkit/chainlink-common/pkg/workflows/host/mocks — ➕ Added

• com/smartcontractkit/chainlink-common/pkg/workflows/host/requirements_gen — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow (1)

• ProvidedTeesResponse — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow.(*ConfidentialWorkflowRequest) (1)

• GetBinaryUrl — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow.(*WorkflowExecution) (1)

• GetRequirements — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow.ConfidentialWorkflowRequest (1)

• BinaryUrl — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow.WorkflowExecution (1)

• Requirements — ➕ Added

pkg/capabilities/v2/actions/confidentialworkflow/server.ClientCapability (1)

• ProvidedTees — ➕ Added

---

📄 View full apidiff report

[Copilot]

Pull request overview

This PR introduces workflow “requirements” support focused on requesting a Trusted Execution Environment (TEE), and adds host-side selection/routing utilities so workflows (and capabilities) can advertise and satisfy TEE constraints.

Changes:

• Adds TEE requirement evaluation utilities (teeProvider, selection provider, and a generated CheckRequirements helper) and a RequirementSelectingModule router to execute triggers on a module that can satisfy subscription requirements.
• Updates WASM host tests/standard test binaries to exercise TEE requirements in subscriptions, plus adds negative requirement test WASM binaries.
• Updates capability/proto-generated code and dependency versions to include new TEE-related API surface (e.g., confidential workflow fields / ProvidedTees).

Reviewed changes

Copilot reviewed 24 out of 40 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
pkg/workflows/wasm/host/wasm_nodag_test.go	Switches to shared host ExecutionHelper mock package.
pkg/workflows/wasm/host/time_test.go	Switches to shared host ExecutionHelper mock package.
pkg/workflows/wasm/host/test/requirements/invalid_proto/main_wasip1.go	Adds a WASM test binary that sends invalid proto requirements bytes.
pkg/workflows/wasm/host/test/requirements/invalid_memory/main_wasip1.go	Adds a WASM test binary that sends invalid memory pointer/len for requirements.
pkg/workflows/wasm/host/standard_tests/tee_runtime/main_wasip1.go	Adds a WASM test binary that subscribes with a TEE requirement on one trigger.
pkg/workflows/wasm/host/standard_test.go	Adds a standard test validating TEE requirements are emitted in subscriptions; refactors module creation to accept config.
pkg/workflows/wasm/host/module.go	Re-exports/aliases module interfaces from new pkg/workflows/host package.
pkg/workflows/wasm/host/module_test.go	Switches to shared host ExecutionHelper mock package.
pkg/workflows/wasm/host/mocks/module_v2.go	Replaces generated mock with backward-compatible alias to new host module mock.
pkg/workflows/wasm/host/internal/rawsdk/helpers_wasip1.go	Ensures SendSubscription exits after sending response (aligns with other helpers).
pkg/workflows/host/tee_selection_provider.go	Adds helper to build a provider predicate from available TEE types/regions.
pkg/workflows/host/tee_selection_provider_test.go	Adds test coverage for selection-provider behavior across shapes and cases.
pkg/workflows/host/tee_provider.go	Adds TEE provider predicate for matching requested type/regions.
pkg/workflows/host/tee_provider_test.go	Adds tests for TEE provider behavior.
pkg/workflows/host/requirements_helper_gen.go	Adds generated requirement-checking helper for sdk.Requirements.
pkg/workflows/host/requirements_helper_gen_test.go	Adds tests for unknown proto fields and handler behavior.
pkg/workflows/host/requirements_gen/requirements_helper.go.tmpl	Adds generator template for requirements helper.
pkg/workflows/host/requirements_gen/main.go	Adds generator main to produce/format the requirements helper.
pkg/workflows/host/requirement_selecting_module.go	Adds router module that selects a runner per-trigger based on subscription requirements.
pkg/workflows/host/requirement_selecting_module_test.go	Adds extensive tests for routing, caching, and lazy start/close behavior.
pkg/workflows/host/module.go	Introduces shared host Module/ExecutionHelper interfaces and requirement-enforcing hook.
pkg/workflows/host/mocks/module.go	Adds mock for new host Module interface.
pkg/workflows/host/mocks/execution_helper.go	Adds mock for new host ExecutionHelper interface.
pkg/workflows/host/mock_execution_helper_test.go	Adds in-package test-only mock for ExecutionHelper used by host tests.
pkg/workflows/artifacts/artifacts_test.go	Updates expected artifact hashes/content checks to match new build output.
pkg/settings/cresettings/settings.go	Formatting/alignment changes in schema defaults/struct fields.
pkg/loop/config.go	Formatting/alignment changes for env constants and config struct fields.
pkg/capabilities/v2/protoc/pkg/template_generator.go	Adds TeeEnabled helper and simplifies metadata mapping logic.
pkg/capabilities/v2/chain-capabilities/evm/client.pb.go	Updates generated proto output to new descriptor content.
pkg/capabilities/v2/actions/http/client.pb.go	Updates generated proto output to new descriptor content.
pkg/capabilities/v2/actions/confidentialworkflow/server/client_server_gen.go	Adds ProvidedTees method wiring to generated client/server glue.
pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go	Updates generated proto types to include requirements/TEE and new RPC response types.
pkg/capabilities/errors/error_codes.go	Formatting-only map alignment changes.
pkg/beholder/config.go	Formatting/alignment changes.
pkg/beholder/config_test.go	Formatting/alignment changes.
pkg/beholder/client_test.go	Formatting/alignment changes.
pkg/beholder/chip_ingress_emitter.go	Formatting/alignment change.
go.mod	Bumps chainlink-protos/cre/go dependency version.
go.sum	Updates checksums for bumped dependency.
.mockery.yaml	Updates mockery config to generate mocks for new host interfaces and adjust execution helper mock naming.

Files not reviewed (7)

• pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go: Language not supported
• pkg/capabilities/v2/actions/confidentialworkflow/server/client_server_gen.go: Language not supported
• pkg/capabilities/v2/actions/http/client.pb.go: Language not supported
• pkg/capabilities/v2/chain-capabilities/evm/client.pb.go: Language not supported
• pkg/workflows/host/mocks/execution_helper.go: Language not supported
• pkg/workflows/host/mocks/module.go: Language not supported
• pkg/workflows/host/requirements_helper_gen.go: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.