ci(*): merge build action #548
Conversation
this commit merges the build step in the release action and the one in the ci action, since they share a large amount of overlapping code. the build step not only builds the binary, but signs it and uploads it as action artifacts. this step is now running for every ci run, including the PR and release pipelines. Signed-off-by: jiaxiao zhou <[email protected]>
Are there implications for signing the binary on every PR?
uses: ./.github/workflows/action-build.yml | ||
with: | ||
os: "ubuntu-22.04" | ||
runtime: ${{ matrix.runtime }} |
there will be times when this value won't be common as the check in the action is expecting
Sorry, can you elaborate your concerns here?
This value in the release.yml will be something like oci-tar-builder
runwasi/.github/workflows/release.yml
Lines 66 to 69 in 8c98100
const crate = '${{ inputs.crate }}';
let runtime = crate.replace(/^containerd-shim-/, '');
core.setOutput('runtime', runtime);
const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
and I think signing will fail in the new signing step at https://github.com/containerd/runwasi/pull/548/files#diff-43035769cde349b680ebf72f18e67b049e730d0d0ec91174e6455a685b3c2accR61-R64
Good point! I have modified the logic of the runtime_sub step to replace the name of non-shim crates with common in this commit: 61dc1ee
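The crate-to-runtime mapping discussed above (strip the `containerd-shim-` prefix, and map the non-shim crates to `common` so the build action skips signing, packaging and upload), written here as plain functions so it can be unit-tested outside github-script. This is an added example, not runwasi's own code; the function names, the `artifactName` helper and the supported-architecture list are assumptions for illustration, and the sample crate name used in the usage comment is constructed.

```javascript
// Added example (not runwasi's own code). The non-shim crate list is copied
// from the release.yml excerpt quoted in the review; everything else is an
// assumption made for this illustration.

// Workspace crates that are not containerd shims.
const NON_SHIM_CRATES = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];

// Map a crate name to the `runtime` value the build action expects.
// Shim crates lose their `containerd-shim-` prefix; non-shim crates become
// "common", which the build action uses to skip signing/packaging/upload.
function runtimeFromCrate(crate) {
  if (typeof crate !== 'string' || crate.length === 0) {
    throw new TypeError('crate must be a non-empty string');
  }
  if (NON_SHIM_CRATES.includes(crate)) {
    return 'common';
  }
  return crate.replace(/^containerd-shim-/, '');
}

// Architectures the build matrix covers (assumed, per the thread: x86_64 and
// aarch64). The name format matches the hunk that renamed the artifact to
// include the target architecture.
const SUPPORTED_ARCHES = ['x86_64', 'aarch64'];

// Build the artifact name the release workflow downloads and unpacks.
// Refuses to name an artifact for "common", since non-shim crates produce
// no shim binary, and rejects an architecture outside the matrix so a typo
// in a workflow input fails loudly instead of downloading nothing.
function artifactName(runtime, arch) {
  if (runtime === 'common') {
    throw new Error('non-shim crates produce no shim artifact');
  }
  if (!SUPPORTED_ARCHES.includes(arch)) {
    throw new Error(`unsupported arch: ${arch}`);
  }
  return `containerd-shim-${runtime}-${arch}-linux-musl`;
}

// Usage inside a github-script step (constructed sample crate name):
//   core.setOutput('runtime', runtimeFromCrate('containerd-shim-wasmtime'));
// publishes "wasmtime", while 'oci-tar-builder' publishes "common".
```

Keeping the mapping in a function rather than inline script makes it easy to assert that every entry in the non-shim list really yields `common`, which is exactly the case the reviewer caught.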
Since we are signing the artifacts that we publish on every build, I can imagine increased security and potentially degraded performance and increased complexity of managing keys. Although the release doc states how to verify the binaries, we probably want to make that even clearer by copying the exact verification command into the release doc every time we release signed artifacts. I am not sure if anyone would want to verify build artifacts for each PR / commit, but if they want, it's doable.
@@ -22,13 +22,13 @@ jobs: | |||
- name: Download artifacts | |||
uses: actions/download-artifact@master | |||
with: | |||
name: containerd-shim-${{ inputs.runtime }}-linux-musl | |||
name: containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl |
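Review bot: `actions/download-artifact@master` is an unpinned, mutable reference, so the release job will pick up whatever lands on that branch without review; pin it to a release tag or, better, a full commit SHA. Separately, the new artifact name hard-codes `x86_64` while the thread states the build now runs for both x86_64 and aarch64, so only one half of the matrix can be downloaded here; take the architecture from an input or matrix variable instead, e.g. `name: containerd-shim-${{ inputs.runtime }}-${{ inputs.arch }}-linux-musl`.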
interesting, I don't see where this arch was being included in the inputs.runtime before. Or is this extra field new?
Before this PR, only the release pipeline runs both x86_64 and aarch64. The ci does not have a matrix for different archs. I added that to make the build job on par with the one in the release CI.
If you add
path: dist | ||
- name: Unpack artifats | ||
shell: bash | ||
run: | | ||
mkdir -p dist/bin | ||
tar -xzf dist/containerd-shim-${{ inputs.runtime }}-linux-musl.tar.gz -C dist/bin | ||
tar -xzf dist/containerd-shim-${{ inputs.runtime }}-x86_64-linux-musl.tar.gz -C dist/bin |
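Review bot: the tarball name on the new `tar -xzf` line hard-codes `x86_64` in the same way as the download step above, so the aarch64 artifact can never be unpacked by this job; the same architecture parameter should be threaded through here. The step name `Unpack artifats` also has a typo (`artifacts`). Since the PR description says the build step signs the artifact it uploads, the release job would be the natural place to verify that signature before running `tar -xzf` on whatever was downloaded, rather than extracting first and verifying later.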
nit: Maybe make this a makefile target since the tar command is repeated in multiple workflows?
Now that I have thought more about the implications, I realized that I missed one of the biggest implications in my previous comment - signing requires feature branches to be pushed to upstream, because they require I am okay to put a condition on the signing to differentiate build / release pipelines so we can disable signing on build. Wdyt?
this commit makes the signing step optional in the build-action and then disables the signing requirement in the build CI. it is only necessary for releasing the artifacts; see more discussion on #548 (comment) Signed-off-by: jiaxiao zhou <[email protected]>
this commit replaces the name of non-shim runtimes with "common" in the runtime_sub step under the release pipeline, because "common" is used in the action-build action to determine artifact signing, packaging and uploading. Signed-off-by: jiaxiao zhou <[email protected]>
lgtm!
Nice work, @Mossaka!
Going to merge this now and any follow up can be addressed later