Merge pull request #548 from containerd/opt-release

ci(*): merge build action
containerd · Apr 15, 2024 · 5f3317f · 5f3317f
2 parents 3d0fb2e + 9599c79
commit 5f3317f
Show file tree

Hide file tree

Showing 9 changed files with 127 additions and 95 deletions.
diff --git a/.github/workflows/action-build.yml b/.github/workflows/action-build.yml
@@ -1,3 +1,7 @@
+
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
+# this action will require write permission to id-token
 name: Build shims
 
 on:
@@ -15,13 +19,24 @@ on:
       slug:
         required: true
         type: string
+      arch:
+        required: false
+        type: string
+      sign:
+        default: false
+        type: boolean
 
 jobs:
-  build:
+  build-sign-upload:
+    permissions:
+      id-token: write
     name: build for ${{ inputs.slug }}
     runs-on: ${{ inputs.os }}
     steps:
-      - uses: actions/checkout@v3
+      - name: describe runner
+        run: |
+          echo "::notice::Running job with os: '${{ inputs.os }}', arch: '${{ inputs.arch }}', slug: '${{ inputs.slug }}', runtime: '${{ inputs.runtime }}', target: '${{ inputs.target }}'"
+      - uses: actions/checkout@v4
       - name: Setup build env
         run: |
           os=$(echo "$RUNNER_OS" | tr '[:upper:]' '[:lower:]')
@@ -35,12 +50,22 @@ jobs:
       - name: Setup cross-rs
         if: runner.os == 'Linux'
         run: ./scripts/setup-cross.sh ${{ inputs.target }}
+      - name: Setup build profile
+        shell: bash
+        run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV}
       - name: Build
         run: make build-${{ inputs.runtime }}
       - name: Run tests
         timeout-minutes: 5
         run: |
           make test-${{ inputs.runtime }}
+        if: ${{ inputs.arch == 'x86_64' }}
+      - name: Sign the binary
+        if: ${{ inputs.runtime != 'common' && inputs.slug != 'windows' && inputs.sign }}
+        uses: ./.github/workflows/action-sign.yml
+        with:
+          runtime: ${{ inputs.runtime }}
+          os: ${{ inputs.os }}
       - name: Package artifacts
         if: ${{ inputs.runtime != 'common' }}
         shell: bash

diff --git a/.github/workflows/action-fmt.yml b/.github/workflows/action-fmt.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Run lint
 
 on:

diff --git a/.github/workflows/action-sign.yml b/.github/workflows/action-sign.yml
@@ -0,0 +1,52 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
+name: Signing
+
+on:
+  workflow_call:
+    inputs:
+      runtime:
+        required: true
+        type: string
+      os:
+        required: true
+        type: string
+jobs:
+  sign:
+    name: Sign the binaries on ${{ inputs.os }}
+    runs-on: ${{ inputs.os }}
+    steps:
+    - name: Setup cosign for signing
+      uses: sigstore/[email protected]
+      with:
+        cosign-release: 'v2.2.2'
+    - name: Sign the binaries
+      run: |
+        make dist-${{ inputs.runtime }}
+        # Check if there's any files to archive as tar fails otherwise
+        if stat dist/bin/* >/dev/null 2>&1; then
+          echo "::notice::Signing the binary"
+          cosign sign-blob --yes \
+            --output-signature containerd-shim-${{ inputs.runtime }}-v1.sig \
+            --output-certificate containerd-shim-${{ inputs.runtime }}-v1.pem \
+            --bundle containerd-shim-${{ inputs.runtime }}-v1.bundle \
+            dist/bin/containerd-shim-${{ inputs.runtime }}-v1
+          
+          cosign sign-blob --yes \
+            --output-signature containerd-shim-${{ inputs.runtime }}d-v1.sig \
+            --output-certificate containerd-shim-${{ inputs.runtime }}d-v1.pem \
+            --bundle containerd-shim-${{ inputs.runtime }}d-v1.bundle \
+            dist/bin/containerd-shim-${{ inputs.runtime }}d-v1
+
+          cosign sign-blob --yes \
+            --output-signature containerd-${{ inputs.runtime }}d.sig \
+            --output-certificate containerd-${{ inputs.runtime }}d.pem \
+            --bundle containerd-${{ inputs.runtime }}d.bundle \
+            dist/bin/containerd-${{ inputs.runtime }}d
+          
+          # Copy the certs to the dist/bin folder
+          cp *.sig dist/bin/
+          cp *.pem dist/bin/
+        else
+          echo "::warning::No files to sign"
+        fi
diff --git a/.github/workflows/action-test-image.yml b/.github/workflows/action-test-image.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Run end to end tests on kind
 
 on:

diff --git a/.github/workflows/action-test-k3s.yml b/.github/workflows/action-test-k3s.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Run end to end tests on k3s
 
 on:
@@ -22,13 +24,13 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@master
         with:
-          name: containerd-shim-${{ inputs.runtime }}-linux-musl
+          name: containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl
           path: dist
       - name: Unpack artifats
         shell: bash
         run: |
           mkdir -p dist/bin
-          tar -xzf dist/containerd-shim-${{ inputs.runtime }}-linux-musl.tar.gz -C dist/bin
+          tar -xzf dist/containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl.tar.gz -C dist/bin
       - name: Download test image
         uses: actions/download-artifact@master
         with:

diff --git a/.github/workflows/action-test-kind.yml b/.github/workflows/action-test-kind.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Run end to end tests on kind
 
 on:
@@ -28,13 +30,13 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@master
         with:
-          name: containerd-shim-${{ inputs.runtime }}-linux-musl
+          name: containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl
           path: dist
       - name: Unpack artifats
         shell: bash
         run: |
           mkdir -p dist/bin
-          tar -xzf dist/containerd-shim-${{ inputs.runtime }}-linux-musl.tar.gz -C dist/bin
+          tar -xzf dist/containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl.tar.gz -C dist/bin
       - name: Download test image
         uses: actions/download-artifact@master
         with:

diff --git a/.github/workflows/action-test-smoke.yml b/.github/workflows/action-test-smoke.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Run smoke tests
 
 on:
@@ -22,13 +24,13 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@master
         with:
-          name: containerd-shim-${{ inputs.runtime }}-linux-musl
+          name: containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl
           path: dist
       - name: Unpack artifats
         shell: bash
         run: |
           mkdir -p dist/bin
-          tar -xzf dist/containerd-shim-${{ inputs.runtime }}-linux-musl.tar.gz -C dist/bin
+          tar -xzf dist/containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl.tar.gz -C dist/bin
       - name: Download test image
         uses: actions/download-artifact@master
         with:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: CI
 
 on:
@@ -39,20 +41,26 @@ jobs:
 
   build-ubuntu:
     name: ${{ matrix.runtime }}
+    permissions:
+      id-token: write
     strategy:
       matrix:
         os: ["ubuntu-22.04"]
         runtime: ["common", "wasmtime", "wasmedge", "wasmer"]
         libc: ["musl", "gnu"]
+        arch: ["x86_64", "aarch64"]
     uses: ./.github/workflows/action-build.yml
     with:
       os: ${{ matrix.os }}
       runtime: ${{ matrix.runtime }}
-      target: "x86_64-unknown-linux-${{ matrix.libc }}"
-      slug: "linux-${{ matrix.libc }}"
+      target: "${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}"
+      slug: "${{ matrix.arch }}-linux-${{ matrix.libc }}"
+      arch: ${{ matrix.arch }}
 
   build-windows:
     name: ${{ matrix.runtime }}
+    permissions:
+      id-token: write
     strategy:
       matrix:
         os: ["windows-latest"]

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
+
 name: Release
 run-name: ${{ inputs.crate }}@${{ inputs.version }} (DryRun:${{ inputs.dry_run }})
 
@@ -46,7 +48,7 @@ jobs:
       - name: Fail if branch is not main
         if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
         run: |
-          echo "This workflow should not be triggered with workflow_dispatch on a branch other than main"
+          echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main"
           exit 1
       - uses: actions/checkout@v4
       ### Determine the name of the runtime and if it is a binary release or crates.io
@@ -64,28 +66,32 @@ jobs:
         with:
           script: |
             const crate = '${{ inputs.crate }}';
-            let runtime = crate.replace(/^containerd-shim-/, '');
-            core.setOutput('runtime', runtime);
             const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
-            core.setOutput('is_shim', !non_shim_crates.includes(runtime));
+            if non_shim_crates.includes(runtime) {
+              core.setOutput('runtime', 'common');
+              core.setOutput('is_shim', false)
+            } else {
+              const runtime = crate.replace(/^containerd-shim-/, '');
+              core.setOutput('runtime', runtime);
+              core.setOutput('is_shim', true);
+            }
       ### If we are releasing a crate rather than producing a bin, check for crates.io access
       - name: Check crates.io ownership
         if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }}
         run: |
           cargo owner --list ${{ inputs.crate }} | grep github:containerd:runwasi-committers || \
-            cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }}
+          cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }}
         env:
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
       - name: Verify version matches
         run: |
           if [ "$(grep -c "version = \"${{ inputs.version }}\"" crates/${{ inputs.crate }}/Cargo.toml)" -ne 1 ]; then
-            echo "Version in Cargo.toml does not match the version input"
+            echo "::error::Version in Cargo.toml does not match the version input"
             exit 1
           fi
 
   build-and-sign:
     permissions:
-      # cosign uses the GitHub OIDC token
       id-token: write
     needs:
       - pre-release
@@ -94,83 +100,14 @@ jobs:
         arch: ["x86_64", "aarch64"]
         include: 
           - ${{ needs.pre-release.outputs }}
-    runs-on: "ubuntu-22.04"
-    steps:
-      - name: Matrix description
-        run: |
-          echo "Running job with dry_run: '${{ inputs.dry_run }}' crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'."
-      - uses: actions/checkout@v4
-      - name: Setup build env
-        run: ./scripts/setup-linux.sh
-      - name: Setup rust toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@v1
-        env:
-          RUST_CACHE_KEY_OS: rust-release-cache-${{ matrix.crate }}-${{ matrix.arch }}
-        with:
-          rustflags: '' #Disable.  By default this action sets environment variable is set to -D warnings.  We manage this in the Makefile
-      - name: Setup cross-rs
-        run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl
-      - name: Setup build profile
-        shell: bash
-        run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV}
-      - name: Setup cosign for signing
-        if: ${{ matrix.is_shim == 'true' }}
-        uses: sigstore/[email protected]
-        with:
-          cosign-release: 'v2.2.2'
-      - name: Build
-        timeout-minutes: 20
-        run: make build-${{ matrix.runtime }}
-      - name: Test
-        if: ${{ matrix.arch == 'x86_64' }}
-        timeout-minutes: 10
-        run: make test-${{ matrix.runtime }}
-      - name: Sign the binary
-        if: ${{ matrix.is_shim == 'true' }}
-        run: |
-          make dist-${{ matrix.runtime }}
-          # Check if there's any files to archive as tar fails otherwise
-          if stat dist/bin/* >/dev/null 2>&1; then
-            cosign sign-blob --yes \
-              --output-signature containerd-shim-${{ matrix.runtime }}-v1.sig \
-              --output-certificate containerd-shim-${{ matrix.runtime }}-v1.pem \
-              --bundle containerd-shim-${{ matrix.runtime }}-v1.bundle \
-              dist/bin/containerd-shim-${{ matrix.runtime }}-v1
-            
-            cosign sign-blob --yes \
-              --output-signature containerd-shim-${{ matrix.runtime }}d-v1.sig \
-              --output-certificate containerd-shim-${{ matrix.runtime }}d-v1.pem \
-              --bundle containerd-shim-${{ matrix.runtime }}d-v1.bundle \
-              dist/bin/containerd-shim-${{ matrix.runtime }}d-v1
-
-            cosign sign-blob --yes \
-              --output-signature containerd-${{ matrix.runtime }}d.sig \
-              --output-certificate containerd-${{ matrix.runtime }}d.pem \
-              --bundle containerd-${{ matrix.runtime }}d.bundle \
-              dist/bin/containerd-${{ matrix.runtime }}d
-            
-            # Copy the certs to the dist/bin folder
-            cp *.sig dist/bin/
-            cp *.pem dist/bin/
-          else
-            echo "No files to sign"
-          fi
-      - name: Package artifacts
-        if: ${{ matrix.is_shim == 'true' }}
-        shell: bash
-        run: |
-          # Check if there's any files to archive as tar fails otherwise
-          if stat dist/bin/* >/dev/null 2>&1; then
-            tar -czf dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin .
-          else
-            tar -czf dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz -T /dev/null
-          fi
-      - name: Upload artifacts
-        if: ${{ matrix.is_shim == 'true' }}
-        uses: actions/upload-artifact@master
-        with:
-          name: containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}
-          path: dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz
+    uses: ./.github/workflows/action-build.yml
+    with:
+      os: "ubuntu-22.04"
+      runtime: ${{ matrix.runtime }}
+      target: "${{ matrix.arch }}-unknown-linux-musl"
+      slug: "${{ matrix.arch }}-linux-musl"
+      arch: ${{ matrix.arch }}
+      sign: true
 
   release:
     permissions:
@@ -187,7 +124,7 @@ jobs:
     steps:
       - name: Matrix description
         run: |
-          echo "Running job with dry_run: '${{ inputs.dry_run }}', crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'."
+          echo "::notice::Running job with dry_run: '${{ inputs.dry_run }}', crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'."
       - uses: actions/checkout@v4
       - name: Setup build env
         run: ./scripts/setup-linux.sh