Dstack-TEE · h4x3rotab · May 11, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
diff --git a/.github/workflows/trusted-workload-launcher-release.yml b/.github/workflows/trusted-workload-launcher-release.yml
@@ -0,0 +1,92 @@
+name: trusted-workload-launcher Release
+on:
+  workflow_dispatch: {}
+  push:
+    tags:
+      - 'trusted-workload-launcher-v*'
+
+permissions:
+  contents: write
+  packages: write
+  attestations: write
+  id-token: write
+
+jobs:
+  build-and-attest:
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_REGISTRY: docker.io
+      IMAGE_REPOSITORY: ${{ vars.DOCKERHUB_ORG }}/trusted-workload-launcher
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse version from tag
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/trusted-workload-launcher-v}
+          if [ -z "${VERSION}" ]; then
+            echo "Unable to parse version from ref: ${GITHUB_REF}" >&2
+            exit 1
+          fi
+          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+          echo "IMAGE_REFERENCE=${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}:${VERSION}" >> "$GITHUB_ENV"
+          echo "Parsed version: ${VERSION}"
+
+      - name: Run launcher tests
+        working-directory: trusted-workload-launcher
+        run: ./tests/run-tests.sh
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        with:
+          context: trusted-workload-launcher
+          file: trusted-workload-launcher/docker/Dockerfile
+          push: true
+          tags: docker.io/${{ vars.DOCKERHUB_ORG }}/trusted-workload-launcher:${{ env.VERSION }}
+          platforms: linux/amd64
+          labels: |
+            org.opencontainers.image.title=trusted-workload-launcher
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ env.VERSION }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: docker.io/${{ vars.DOCKERHUB_ORG }}/trusted-workload-launcher
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Publish summary
+        env:
+          IMAGE_REFERENCE: ${{ env.IMAGE_REFERENCE }}
+          IMAGE_DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          {
+            echo "## trusted-workload-launcher image"
+            echo ""
+            echo "- Tag: \`${IMAGE_REFERENCE}\`"
+            echo "- Digest: \`${IMAGE_DIGEST}\`"
+            echo "- Sigstore: https://search.sigstore.dev/?hash=${IMAGE_DIGEST}"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          body: |
+            ## trusted-workload-launcher image (SHA256)
+
+            - Image: `${{ env.IMAGE_REFERENCE }}`
+            - Digest: `${{ steps.build-and-push.outputs.digest }}`
+            - Verification: https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }}
diff --git a/README.md b/README.md
@@ -230,7 +230,8 @@ Implementation details and infrastructure patterns.
 
 | Example | Description |
 |---------|-------------|
-| [launcher](./launcher) | Generic launcher pattern for Docker Compose apps |
+| [launcher](./launcher) | Generic launcher pattern for Docker Compose apps (auto-update) |
+| [trusted-workload-launcher](./trusted-workload-launcher) | Run a pinned Git commit in a TEE. |
 | [prelaunch-script](./prelaunch-script) | Pre-launch script patterns (Phala Cloud) |
 | [private-docker-image-deployment](./private-docker-image-deployment) | Using private Docker registries |
 | [attestation/rtmr3-based](./attestation/rtmr3-based) | RTMR3-based attestation (legacy) |

diff --git a/trusted-workload-launcher/.dockerignore b/trusted-workload-launcher/.dockerignore
@@ -0,0 +1,5 @@
+.git
+.github
+tests
+examples
+README.md