Merge pull request #478 from containerd/dependabot/cargo/wasmtime-dep… #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| concurrency: | |
| group: release-${{ github.workflow }}-${{ github.head_ref || github.ref }} | |
| cancel-in-progress: true | |
| on: | |
| push: | |
| tags: | |
| - '**/v[0-9]+.[0-9]+.*' | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| parse: | |
| runs-on: ubuntu-latest | |
| name: Parse ref | |
| outputs: | |
| crate: ${{ steps.parse.outputs.crate }} | |
| version: ${{ steps.parse.outputs.version }} | |
| runtime: ${{ steps.parse.outputs.runtime }} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ github.ref }} | |
| - id: parse | |
| name: Parse ref | |
| shell: bash | |
| run: ./scripts/parse_ref.sh ${{ github.ref }} >> ${GITHUB_OUTPUT} | |
| build-and-sign: | |
| permissions: | |
| # cosign uses the GitHub OIDC token | |
| id-token: write | |
| needs: | |
| - parse | |
| strategy: | |
| matrix: | |
| arch: ["x86_64", "aarch64"] | |
| runs-on: "ubuntu-22.04" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Setup build env | |
| run: ./scripts/setup-linux.sh | |
| - name: Setup rust toolchain | |
| uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| env: | |
| RUST_CACHE_KEY_OS: rust-release-cache-${{ needs.parse.outputs.crate }}-${{ matrix.arch }} | |
| with: | |
| rustflags: '' #Disable. By default this action sets environment variable is set to -D warnings. We manage this in the Makefile | |
| - name: Setup cross-rs | |
| run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl | |
| - name: Setup build profile | |
| shell: bash | |
| run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV} | |
| - name: Setup cosign for signing | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.2' | |
| - name: Build | |
| timeout-minutes: 20 | |
| run: make build-${{ needs.parse.outputs.runtime }} | |
| - name: Test | |
| if: ${{ matrix.arch == 'x86_64' }} | |
| timeout-minutes: 10 | |
| run: make test-${{ needs.parse.outputs.runtime }} | |
| - name: Sign the binary | |
| if: ${{ needs.parse.outputs.runtime != 'wasm' }} | |
| run: | | |
| make dist-${{ needs.parse.outputs.runtime }} | |
| # Check if there's any files to archive as tar fails otherwise | |
| if stat dist/bin/* >/dev/null 2>&1; then | |
| cosign sign-blob --yes \ | |
| --bundle containerd-shim-${{ needs.parse.outputs.runtime }}-v1.bundle \ | |
| dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}-v1 | |
| cosign sign-blob --yes \ | |
| --bundle containerd-shim-${{ needs.parse.outputs.runtime }}d-v1.bundle \ | |
| dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}d-v1 | |
| cosign sign-blob --yes \ | |
| --bundle containerd-${{ needs.parse.outputs.runtime }}d.bundle \ | |
| dist/bin/containerd-${{ needs.parse.outputs.runtime }}d | |
| # Copy the certs to the dist/bin folder | |
| cp *.sig dist/bin/ | |
| cp *.pem dist/bin/ | |
| else | |
| echo "No files to sign" | |
| fi | |
| - name: Package artifacts | |
| if: ${{ needs.parse.outputs.runtime != 'wasm' }} | |
| shell: bash | |
| run: | | |
| # Check if there's any files to archive as tar fails otherwise | |
| if stat dist/bin/* >/dev/null 2>&1; then | |
| tar -czf dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin . | |
| else | |
| tar -czf dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz -T /dev/null | |
| fi | |
| - name: Upload artifacts | |
| if: ${{ needs.parse.outputs.runtime != 'wasm' }} | |
| uses: actions/upload-artifact@master | |
| with: | |
| name: containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }} | |
| path: dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz | |
| release: | |
| permissions: | |
| contents: write | |
| needs: | |
| - build-and-sign | |
| - parse | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Setup build env | |
| run: ./scripts/setup-linux.sh | |
| - name: Download artifacts | |
| if: ${{ needs.parse.outputs.runtime != 'wasm' }} | |
| uses: actions/download-artifact@master | |
| with: | |
| path: release | |
| - name: Create release | |
| run: | | |
| gh release create ${{ github.ref }} --generate-notes --prerelease | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| RELEASE_NAME: ${{ needs.parse.outputs.crate }}/${{ needs.parse.outputs.version }} | |
| - name: Upload release artifacts | |
| if: ${{ needs.parse.outputs.runtime != 'wasm' }} | |
| run: | | |
| for i in release/*/*; do | |
| gh release upload ${RELEASE_NAME} $i | |
| done | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| RELEASE_NAME: ${{ needs.parse.outputs.crate }}/${{ needs.parse.outputs.version }} | |
| - name: Cargo publish | |
| run: cargo publish --package ${{ needs.parse.outputs.crate }} --verbose --locked | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }} | |
| - name: Check crates.io ownership | |
| run: | | |
| cargo owner --add github:containerd:runwasi-committers ${{ needs.parse.outputs.crate }} | |
| cargo owner --list ${{ needs.parse.outputs.crate }} | grep github:containerd:runwasi-committers | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }} |