Merge pull request #2849 from fermyon/archivenim #1411

Workflow file for this run

.github/workflows/release.yml at e32139c

	name: Release
	on:
	push:
	branches:
	- main
	- "v[0-9]+.[0-9]+"
	tags:
	- "v*"

	# Serialize workflow runs
	concurrency: ${{ github.workflow }}-${{ github.ref }}

	env:
	RUST_VERSION: 1.79

	jobs:
	build-and-sign:
	name: build and sign release assets
	runs-on: ${{ matrix.config.os }}
	permissions:
	# cosign uses the GitHub OIDC token
	id-token: write
	# needed to upload artifacts to a GH release
	contents: write
	strategy:
	matrix:
	config:
	- {
	os: "ubuntu-20.04",
	arch: "amd64",
	extension: "",
	# Ubuntu 22.04 no longer ships libssl1.1, so we statically
	# link it here to preserve release binary compatibility.
	extraArgs: "--features openssl/vendored",
	target: "",
	targetDir: "target/release",
	}
	- {
	os: "ubuntu-20.04",
	arch: "aarch64",
	extension: "",
	extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu",
	target: "aarch64-unknown-linux-gnu",
	targetDir: "target/aarch64-unknown-linux-gnu/release",
	}
	- {
	os: "macos-13",
	arch: "amd64",
	extension: "",
	extraArgs: "",
	target: "",
	targetDir: "target/release",
	}
	- {
	os: "macos-14",
	arch: "aarch64",
	extension: "",
	extraArgs: "",
	target: "",
	targetDir: "target/release/",
	}
	- {
	os: "windows-latest",
	arch: "amd64",
	extension: ".exe",
	extraArgs: "",
	target: "",
	targetDir: "target/release",
	}
	steps:
	- uses: actions/checkout@v3

	- name: set the release version (tag)
	if: startsWith(github.ref, 'refs/tags/v')
	shell: bash
	run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

	- name: set the release version (main)
	if: github.ref == 'refs/heads/main'
	shell: bash
	run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

	- name: lowercase the runner OS name
	shell: bash
	run: \|
	OS=$(echo "${{ runner.os }}" \| tr '[:upper:]' '[:lower:]')
	echo "RUNNER_OS=$OS" >> $GITHUB_ENV

	- name: Install Cosign for signing Spin binary
	uses: sigstore/[email protected]
	with:
	cosign-release: v2.2.3

	- name: Install Rust toolchain
	shell: bash
	run: \|
	rustup toolchain install ${{ env.RUST_VERSION }} --no-self-update
	rustup default ${{ env.RUST_VERSION }}

	- name: Install target
	if: matrix.config.target != ''
	shell: bash
	run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }}

	- name: "Install Wasm Rust target"
	run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }}

	- name: setup for cross-compiled linux aarch64 build
	if: matrix.config.target == 'aarch64-unknown-linux-gnu'
	run: \|
	sudo apt update
	sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
	echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml
	echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml
	echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml

	- name: setup dependencies
	uses: ./.github/actions/spin-ci-dependencies
	with:
	openssl-windows: "${{ matrix.os == 'windows-latest' }}"

	- name: build release
	shell: bash
	run: cargo build --release ${{ matrix.config.extraArgs }}

	- name: Sign the binary with GitHub OIDC token
	shell: bash
	run: \|
	cosign sign-blob \
	--yes \
	--output-certificate crt.pem \
	--output-signature spin.sig \
	${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }}

	- name: package release assets
	if: runner.os != 'Windows'
	shell: bash
	run: \|
	mkdir _dist
	cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
	cd _dist
	tar czf \
	spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
	crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

	- name: package release assets
	if: runner.os == 'Windows'
	shell: bash
	run: \|
	mkdir _dist
	cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
	cd _dist
	7z a -tzip \
	spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \
	crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

	- name: upload binary as GitHub artifact
	if: runner.os != 'Windows'
	uses: actions/upload-artifact@v4
	with:
	name: spin-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}
	path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

	- name: upload binary as GitHub artifact
	if: runner.os == 'Windows'
	uses: actions/upload-artifact@v4
	with:
	name: spin-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}
	path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip

	- name: Configure AWS Credentials
	if: \|
	runner.os == 'linux' &&
	matrix.config.arch == 'amd64' &&
	github.repository_owner == 'fermyon' &&
	github.ref == 'refs/heads/main'
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}
	role-session-name: spin-release-artifacts
	aws-region: ${{ secrets.AWS_REGION }}

	- name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }}
	if: \|
	runner.os == 'linux' &&
	matrix.config.arch == 'amd64' &&
	github.repository_owner == 'fermyon' &&
	github.ref == 'refs/heads/main'
	run: \|
	aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read

	checksums:
	name: generate release checksums
	runs-on: ubuntu-latest
	needs: [build-and-sign, build-spin-static]
	steps:
	- name: set the release version (tag)
	if: startsWith(github.ref, 'refs/tags/v')
	shell: bash
	run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

	- name: set the release version (main)
	if: github.ref == 'refs/heads/main'
	shell: bash
	run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

	- name: download release assets
	uses: actions/download-artifact@v4
	with:
	pattern: spin-*
	merge-multiple: true

	- name: generate checksums
	run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt

	- uses: actions/upload-artifact@v4
	with:
	name: spin-checksums
	path: checksums-${{ env.RELEASE_VERSION }}.txt

	create-gh-release:
	name: create GitHub release
	runs-on: ubuntu-latest
	needs: checksums
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	steps:
	- uses: actions/checkout@v3

	- name: download release assets
	uses: actions/download-artifact@v4
	with:
	pattern: spin-*
	path: _dist
	merge-multiple: true

	- name: check if pre-release
	shell: bash
	run: \|
	if [[ ! "${{ github.ref_name }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]]
	then
	echo "PRERELEASE=--prerelease" >> "$GITHUB_ENV"
	fi

	- name: create GitHub release (canary)
	if: github.ref == 'refs/heads/main'
	run: \|
	gh release delete canary --cleanup-tag
	gh release create canary _dist/* \
	--title canary \
	--prerelease \
	--notes-file - <<- EOF
	This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
	It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
	EOF

	- name: create GitHub release
	if: startsWith(github.ref, 'refs/tags/v')
	run: \|
	gh release create ${{ github.ref_name }} _dist/* \
	--title ${{ github.ref_name }} \
	--generate-notes ${{ env.PRERELEASE }}

	push-templates-tag:
	runs-on: ubuntu-latest
	needs: build-and-sign
	if: startsWith(github.ref, 'refs/tags/v')
	steps:
	- uses: actions/checkout@v3

	- name: Set the tag to spin/templates/v*
	shell: bash
	run: \|
	spin_tag=$(echo "${{ github.ref }}" \| grep -Eo "v[0-9.]+")
	IFS=. read -r major minor patch <<< "${spin_tag}"
	echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> $GITHUB_ENV

	- name: Tag spin/templates/v* and push it
	shell: bash
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	git tag ${{ env.TEMPLATE_TAG }} -f
	git push origin ${{ env.TEMPLATE_TAG }} -f

	## statically linked spin binaries
	build-spin-static:
	name: Build Spin static
	runs-on: ubuntu-20.04
	permissions:
	# cosign uses the GitHub OIDC token
	id-token: write
	# needed to upload artifacts to a GH release
	contents: write
	strategy:
	matrix:
	config:
	- {
	arch: "aarch64",
	target: "aarch64-unknown-linux-musl"
	}
	- {
	arch: "amd64",
	target: "x86_64-unknown-linux-musl"
	}
	steps:
	- uses: actions/checkout@v3

	- name: set the release version (tag)
	if: startsWith(github.ref, 'refs/tags/v')
	shell: bash
	run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

	- name: set the release version (main)
	if: github.ref == 'refs/heads/main'
	shell: bash
	run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

	- name: lowercase the runner OS name
	shell: bash
	run: \|
	OS=$(echo "${{ runner.os }}" \| tr '[:upper:]' '[:lower:]')
	echo "RUNNER_OS=$OS" >> $GITHUB_ENV
	- name: Check if pre-release
	id: release-version
	shell: bash
	run: \|
	[[ "${{ env.RELEASE_VERSION }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]] && \
	echo "prerelease=false" >> "$GITHUB_OUTPUT" \|\| \
	echo "prerelease=true" >> "$GITHUB_OUTPUT"
	- name: setup dependencies
	uses: ./.github/actions/spin-ci-dependencies
	with:
	rust: true
	rust-cross: true
	rust-cache: true

	- name: Cargo Build
	run: cross build --target ${{ matrix.config.target }} --release --features openssl/vendored
	env:
	CARGO_INCREMENTAL: 0
	BUILD_SPIN_EXAMPLES: 0

	- name: Install Cosign for signing Spin binary
	uses: sigstore/[email protected]
	with:
	cosign-release: v2.2.3

	- name: Sign the binary with GitHub OIDC token
	shell: bash
	run: \|
	cosign sign-blob \
	--yes \
	--output-certificate crt.pem \
	--output-signature spin.sig \
	target/${{ matrix.config.target }}/release/spin
	- name: package release assets
	shell: bash
	run: \|
	mkdir _dist
	cp crt.pem spin.sig README.md LICENSE target/${{ matrix.config.target }}/release/spin _dist/
	cd _dist
	tar czf \
	spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
	crt.pem spin.sig README.md LICENSE spin
	- name: upload binary as GitHub artifact
	uses: actions/upload-artifact@v4
	with:
	name: spin-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}
	path: _dist/spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

	dispatch-homebrew-tap:
	name: Dispatch spin-release event to fermyon/homebrew-tap
	needs: create-gh-release
	runs-on: ubuntu-latest
	if: github.repository_owner == 'fermyon' && startsWith(github.ref, 'refs/tags/v')
	steps:
	- name: Repository Dispatch
	uses: peter-evans/repository-dispatch@v3
	with:
	token: ${{ secrets.DEST_REPO_ACCESS_TOKEN }}
	repository: fermyon/homebrew-tap
	event-type: spin-release
	client-payload: '{"version": "${{ github.ref_name }}"}'

	docker:
	runs-on: "ubuntu-20.04"
	needs: [build-and-sign, build-spin-static]
	permissions:
	contents: read
	packages: write
	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: ${{ github.repository }}
	strategy:
	matrix:
	config:
	- { dockerfile: "Dockerfile", tag-suffix: "" }
	- { dockerfile: "distroless.Dockerfile", tag-suffix: "-distroless" }
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup version info
	id: version
	run: \|
	if [[ "${{ startsWith(github.ref, 'refs/tags/v') }}" == "true" ]]; then
	echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
	else
	echo "version=canary" >> $GITHUB_OUTPUT
	fi

	- name: download release assets
	uses: actions/download-artifact@v4
	with:
	pattern: spin-*
	merge-multiple: true

	- name: extract binaries
	shell: bash
	run: \|
	if [[ "${{ matrix.config.tag-suffix }}" == "-distroless" ]]; then
	static="-static"
	fi
	tar xvf spin-${{ steps.version.outputs.version }}${static}-linux-amd64.tar.gz
	mv spin spin${static}-linux-amd64
	tar xvf spin-${{ steps.version.outputs.version }}${static}-linux-aarch64.tar.gz
	# Note: here we s/aarch64/arm64 to conform to Docker's TARGETARCH standards
	mv spin spin${static}-linux-arm64

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Log into registry ${{ env.REGISTRY }}
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract Docker metadata
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

	- name: Build and Push
	uses: docker/build-push-action@v6
	with:
	context: .
	file: .github/${{ matrix.config.dockerfile }}
	push: true
	labels: ${{ steps.meta.outputs.labels }}
	annotations: ${{ steps.meta.outputs.annotations }}
	platforms: linux/amd64,linux/arm64
	cache-from: type=gha
	cache-to: type=gha,mode=max
	tags: \|
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}${{ matrix.config.tag-suffix }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #2849 from fermyon/archivenim #1411

Workflow file

Merge pull request #2849 from fermyon/archivenim #1411

Jobs

Run details

Workflow file for this run