-
Notifications
You must be signed in to change notification settings - Fork 97
224 lines (215 loc) · 8.71 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
name: Release
run-name: ${{ inputs.crate }}@${{ inputs.version }} (DryRun:${{ inputs.dry_run }})
on:
workflow_dispatch:
inputs:
dry_run:
description: "Run the release without actually releasing bits"
type: boolean
default: true
crate:
description: "The crate to release"
required: true
type: choice
options:
- containerd-shim-wasm-test-modules
- oci-tar-builder
- containerd-shim-wasm
# shims
- containerd-shim-wasmer
- containerd-shim-wasmedge
- containerd-shim-wasmtime
version:
description: "The version of the crate to release. (e.g., 1.2.3)"
type: string
required: true
concurrency:
group: release-${{ github.workflow }}-${{ inputs.crate }}-${{ inputs.version }}
cancel-in-progress: true
env:
CARGO_TERM_COLOR: always
jobs:
pre-release:
name: pre-release checks
runs-on: "ubuntu-latest"
outputs:
crate: ${{ inputs.crate }}
runtime: ${{ steps.runtime_sub.outputs.runtime }}
version: ${{ inputs.version }}
### is_shim is a string, not a boolean, so use: is_shim == 'true'
is_shim: ${{ steps.runtime_sub.outputs.is_shim }}
steps:
- name: Fail if branch is not main
if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
run: |
echo "This workflow should not be triggered with workflow_dispatch on a branch other than main"
exit 1
- uses: actions/checkout@v4
### Determine the name of the runtime and if it is a binary release or crates.io
- name: verify version input
uses: actions/github-script@v7
with:
script: |
const version = '${{ inputs.version }}';
if(!version.match(/^[0-9]+.[0-9]+.*/)) {
core.setFailed(`The version '${version}' does not match regex /^[0-9]+.[0-9]+.*/.`);
}
- name: substring runtime
id: runtime_sub
uses: actions/github-script@v7
with:
script: |
const crate = '${{ inputs.crate }}';
let runtime = crate.replace(/^containerd-shim-/, '');
core.setOutput('runtime', runtime);
const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
core.setOutput('is_shim', !non_shim_crates.includes(runtime));
### If we are releasing a crate rather than producing a bin, check for crates.io access
- name: Check crates.io ownership
if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }}
run: |
cargo owner --list ${{ inputs.crate }} | grep github:containerd:runwasi-committers || \
cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }}
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
- name: Verify version matches
run: |
if [ "$(grep -c "version = \"${{ inputs.version }}\"" crates/${{ inputs.crate }}/Cargo.toml)" -ne 1 ]; then
echo "Version in Cargo.toml does not match the version input"
exit 1
fi
build-and-sign:
permissions:
# cosign uses the GitHub OIDC token
id-token: write
needs:
- pre-release
strategy:
matrix:
arch: ["x86_64", "aarch64"]
include:
- ${{ needs.pre-release.outputs }}
runs-on: "ubuntu-22.04"
steps:
- name: Matrix description
run: |
echo "Running job with dry_run: '${{ inputs.dry_run }}' crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'."
- uses: actions/checkout@v4
- name: Setup build env
run: ./scripts/setup-linux.sh
- name: Setup rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@v1
env:
RUST_CACHE_KEY_OS: rust-release-cache-${{ matrix.crate }}-${{ matrix.arch }}
with:
rustflags: '' #Disable. By default this action sets environment variable is set to -D warnings. We manage this in the Makefile
- name: Setup cross-rs
run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl
- name: Setup build profile
shell: bash
run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV}
- name: Setup cosign for signing
if: ${{ matrix.is_shim == 'true' }}
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2'
- name: Build
timeout-minutes: 20
run: make build-${{ matrix.runtime }}
- name: Test
if: ${{ matrix.arch == 'x86_64' }}
timeout-minutes: 10
run: make test-${{ matrix.runtime }}
- name: Sign the binary
if: ${{ matrix.is_shim == 'true' }}
run: |
make dist-${{ matrix.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
cosign sign-blob --yes \
--output-signature containerd-shim-${{ matrix.runtime }}-v1.sig \
--output-certificate containerd-shim-${{ matrix.runtime }}-v1.pem \
--bundle containerd-shim-${{ matrix.runtime }}-v1.bundle \
dist/bin/containerd-shim-${{ matrix.runtime }}-v1
cosign sign-blob --yes \
--output-signature containerd-shim-${{ matrix.runtime }}d-v1.sig \
--output-certificate containerd-shim-${{ matrix.runtime }}d-v1.pem \
--bundle containerd-shim-${{ matrix.runtime }}d-v1.bundle \
dist/bin/containerd-shim-${{ matrix.runtime }}d-v1
cosign sign-blob --yes \
--output-signature containerd-${{ matrix.runtime }}d.sig \
--output-certificate containerd-${{ matrix.runtime }}d.pem \
--bundle containerd-${{ matrix.runtime }}d.bundle \
dist/bin/containerd-${{ matrix.runtime }}d
# Copy the certs to the dist/bin folder
cp *.sig dist/bin/
cp *.pem dist/bin/
else
echo "No files to sign"
fi
- name: Package artifacts
if: ${{ matrix.is_shim == 'true' }}
shell: bash
run: |
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
tar -czf dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin .
else
tar -czf dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz -T /dev/null
fi
- name: Upload artifacts
if: ${{ matrix.is_shim == 'true' }}
uses: actions/upload-artifact@master
with:
name: containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}
path: dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz
release:
permissions:
contents: write
needs:
- pre-release
- build-and-sign
strategy:
matrix:
os: ["ubuntu-latest"]
include:
- ${{ needs.pre-release.outputs }}
runs-on: ${{ matrix.os }}
steps:
- name: Matrix description
run: |
echo "Running job with dry_run: '${{ inputs.dry_run }}', crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'."
- uses: actions/checkout@v4
- name: Setup build env
run: ./scripts/setup-linux.sh
- name: Download artifacts
if: ${{ matrix.is_shim == 'true' }}
uses: actions/download-artifact@master
with:
path: release
- name: Cargo publish
if: ${{ matrix.is_shim != 'true' }}
run: cargo publish ${{ inputs.dry_run && '--dry-run' || '' }} --package ${{ matrix.crate }} --verbose --locked
env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
- name: Tag the the release
if: ${{ !inputs.dry_run }}
run: |
git tag "${{matrix.crate}}/v${{matrix.version}}"
git push origin "${{matrix.crate}}/v${{matrix.version}}"
- name: Create release
if: ${{ !inputs.dry_run }}
run: |
gh release create 'refs/tags/${{matrix.crate}}/v${{matrix.version}}' --generate-notes --prerelease
env:
GH_TOKEN: ${{ github.token }}
RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
- name: Upload release artifacts
if: ${{ matrix.is_shim == 'true' && !inputs.dry_run }}
run: |
for i in release/*/*; do
gh release upload ${RELEASE_NAME} $i
done
env:
GH_TOKEN: ${{ github.token }}
RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}