Skip to content

workflows/v2: defer confidential workflows when the TEE runner is unavailable#23149

Open
nadahalli wants to merge 4 commits into
developfrom
tejaswi/confidential-graceful-gating
Open

workflows/v2: defer confidential workflows when the TEE runner is unavailable#23149
nadahalli wants to merge 4 commits into
developfrom
tejaswi/confidential-graceful-gating

Conversation

@nadahalli

Copy link
Copy Markdown
Contributor

What

When a confidential (HandlerInTee) workflow subscribes on a node where the confidential-workflows@1.0.0-alpha capability is not available yet (e.g. still rolling out across the DON), the engine hard-failed init with "cannot find a runner" and error-stormed Workflow Engine initialization failed on every sync tick. This defers the workflow and retries instead.

  • ConfidentialModule.Tee now honors the enabledGate in the subscribe path (not just Execute), so a settings-disabled feature is inert rather than fatal.
  • teeProvider no longer caches an empty region set permanently (the old sync.Once): it re-queries until the capability reports regions, so the module self-heals once the capability comes up.
  • Engine init treats host.ErrRunnerUnavailable (from chainlink-common) as a deferred (warn + retry) condition rather than a fatal Workflow Engine initialization failed.

Why

On a mixed/rolling DON, the confidential-workflows capability is not on every node yet; ConfidentialModule.providedTees reports zero regions on those nodes, so subscribe fails and every confidential workflow error-storms init until the capability arrives. Worse, the old sync.Once kept the module stuck on the cached-empty result even after the capability recovered. This makes confidential workflows degrade gracefully and self-heal.

Dependency

Depends on chainlink-common #2259 (adds host.ErrRunnerUnavailable + the runner-type-vs-unavailable distinction in requirement_selecting_module). The chainlink-common bump here points at that PR branch commit and will be re-pointed to its merged commit before merge.

Tests

core/services/workflows/v2 suite green. Added Tee cases: disabled-gate short-circuits without querying the capability; empty region set is not cached and re-queries until regions appear (self-heal).

…vailable

When a HandlerInTee workflow subscribes on a node where the confidential-
workflows capability is not available yet (e.g. still rolling out across the
DON), the engine hard-failed init and error-stormed every sync tick. Now it
holds the workflow and retries instead.

- ConfidentialModule.Tee honors the enabledGate in the subscribe path (not
  just Execute), so a settings-disabled feature is inert rather than fatal.
- teeProvider no longer caches an empty region set permanently (the old
  sync.Once): it re-queries until the capability reports regions, so the module
  self-heals once the capability comes up.
- Engine init treats host.ErrRunnerUnavailable as a deferred (warn + retry)
  condition rather than a fatal 'Workflow Engine initialization failed'.

Bumps chainlink-common for host.ErrRunnerUnavailable (chainlink-common #2259);
depends on that PR, the bump will be re-pointed to its merged commit.
@github-actions

Copy link
Copy Markdown
Contributor

✅ No conflicts with other open PRs targeting develop

@github-actions

Copy link
Copy Markdown
Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@nadahalli
nadahalli marked this pull request as ready for review July 16, 2026 14:11
@nadahalli
nadahalli requested review from a team as code owners July 16, 2026 14:11
@trunk-io

trunk-io Bot commented Jul 16, 2026

Copy link
Copy Markdown

Static BadgeStatic BadgeStatic BadgeStatic Badge

View Full Report ↗︎Docs

@nadahalli
nadahalli requested a review from a team as a code owner July 16, 2026 14:51
@cl-sonarqube-production

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant