Skip to content

Release

Release #45

Workflow file for this run

name: release
concurrency:
group: release-${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true
on:
push:
tags:
- '**/v[0-9]+.[0-9]+.*'
schedule:
- cron: '0 0 * * *' # run every night at midnight
workflow_dispatch:
inputs:
dryRun:
description: "run the workflow without publishing any artifacts"
required: true
default: true
type: boolean
env:
CARGO_TERM_COLOR: always
DRY_RUN: ${{ inputs.dryRun || github.event.schedule }}
REF: ${{ github.ref }}
jobs:
parse:
runs-on: ubuntu-latest
name: Parse ref
outputs:
crate: ${{ steps.parse.outputs.crate }}
version: ${{ steps.parse.outputs.version }}
runtime: ${{ steps.parse.outputs.runtime }}
steps:
- uses: actions/checkout@v3
if: ${{ env.DRY_RUN }}
- name: First ref
if: ${{ env.DRY_RUN }}
shell: bash
run: echo "REF=refs/tags/$(git describe --tags --abbrev=0)" >> ${GITHUB_OUTPUT}
- uses: actions/checkout@v3
with:
ref: ${{ env.REF }}
- id: parse
name: Parse ref
shell: bash
run: ./scripts/parse_ref.sh ${{ env.REF }} >> ${GITHUB_OUTPUT}
build-and-sign:
permissions:
# cosign uses the GitHub OIDC token
id-token: write
needs:
- parse
strategy:
matrix:
arch: ["x86_64", "aarch64"]
runs-on: "ubuntu-22.04"
steps:
- uses: actions/checkout@v3
- name: Setup build env
run: ./scripts/setup-linux.sh
- name: Setup rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@v1
env:
RUST_CACHE_KEY_OS: rust-release-cache-${{ needs.parse.outputs.crate }}-${{ matrix.arch }}
with:
rustflags: '' #Disable. By default this action sets environment variable is set to -D warnings. We manage this in the Makefile
- name: Setup cross-rs
run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl
- name: Setup build profile
shell: bash
run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV}
- name: Setup cosign for signing
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2'
- name: Build
timeout-minutes: 20
run: make build-${{ needs.parse.outputs.runtime }}
- name: Test
if: ${{ matrix.arch == 'x86_64' }}
timeout-minutes: 10
run: make test-${{ needs.parse.outputs.runtime }}
- name: Sign the binary
if: ${{ needs.parse.outputs.runtime != 'wasm' }}
run: |
make dist-${{ needs.parse.outputs.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
cosign sign-blob --yes \
--bundle containerd-shim-${{ needs.parse.outputs.runtime }}-v1.bundle \
dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}-v1
cosign sign-blob --yes \
--bundle containerd-shim-${{ needs.parse.outputs.runtime }}d-v1.bundle \
dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}d-v1
cosign sign-blob --yes \
--bundle containerd-${{ needs.parse.outputs.runtime }}d.bundle \
dist/bin/containerd-${{ needs.parse.outputs.runtime }}d
# Copy the certs to the dist/bin folder
cp *.sig dist/bin/
cp *.pem dist/bin/
else
echo "No files to sign"
fi
- name: Package artifacts
if: ${{ needs.parse.outputs.runtime != 'wasm' }}
shell: bash
run: |
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
tar -czf dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin .
else
tar -czf dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz -T /dev/null
fi
- name: Upload artifacts
if: ${{ needs.parse.outputs.runtime != 'wasm' && !env.DRY_RUN}}
uses: actions/upload-artifact@master
with:
name: containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}
path: dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz
release:
permissions:
contents: write
needs:
- build-and-sign
- parse
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup build env
run: ./scripts/setup-linux.sh
- name: Download artifacts
if: ${{ needs.parse.outputs.runtime != 'wasm' }}
uses: actions/download-artifact@master
with:
path: release
- name: Create release
if: ${{ !env.DRY_RUN }}
run: |
gh release create ${{ github.ref }} --generate-notes --prerelease
env:
GH_TOKEN: ${{ github.token }}
RELEASE_NAME: ${{ needs.parse.outputs.crate }}/${{ needs.parse.outputs.version }}
- name: Upload release artifacts
if: ${{ needs.parse.outputs.runtime != 'wasm' && !env.DRY_RUN }}
run: |
for i in release/*/*; do
gh release upload ${RELEASE_NAME} $i
done
env:
GH_TOKEN: ${{ github.token }}
RELEASE_NAME: ${{ needs.parse.outputs.crate }}/${{ needs.parse.outputs.version }}
- name: Cargo publish
if: ${{ !env.DRY_RUN }}
run: cargo publish --package ${{ needs.parse.outputs.crate }} --verbose --locked
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
- name: Check crates.io ownership
if: ${{ !env.DRY_RUN }}
run: |
cargo owner --add github:containerd:runwasi-committers ${{ needs.parse.outputs.crate }}
cargo owner --list ${{ needs.parse.outputs.crate }} | grep github:containerd:runwasi-committers
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}