Release #85
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| dry_run: | |
| description: "Run the release without actually releasing bits" | |
| type: boolean | |
| default: true | |
| crate: | |
| description: "The crate to release. (containerd-shim-wasmtime)" | |
| type: string | |
| version: | |
| description: "The version of the crate to release. (e.g., 1.2.3)" | |
| type: string | |
| concurrency: | |
| group: release-${{ github.workflow }}-${{ inputs.crate }}-${{ inputs.version }} | |
| cancel-in-progress: true | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| pre-release: | |
| name: pre-release checks | |
| runs-on: "ubuntu-latest" | |
| outputs: | |
| crate: ${{ inputs.crate }} | |
| runtime: ${{ steps.runtime_sub.outputs.runtime }} | |
| version: ${{ inputs.version }} | |
| ### is_shim is a string, not a boolean, so use: is_shim == 'true' | |
| is_shim: ${{ steps.runtime_sub.outputs.is_shim }} | |
| steps: | |
| ### Determine the name of the runtime and if it is a binary release or crates.io | |
| - name: substring runtime | |
| id: runtime_sub | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const crate = '${{ inputs.crate }}'; | |
| let runtime = crate.replace(/^containerd-shim-/, ''); | |
| core.setOutput('runtime', runtime); | |
| const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder']; | |
| core.setOutput('is_shim', !non_shim_crates.includes(runtime)); | |
| ### If we are releasing a crate rather than producing a bin, check for crates.io access | |
| - name: Check crates.io ownership | |
| if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }} | |
| run: | | |
| cargo owner --list ${{ inputs.crate }} | grep github:containerd:runwasi-committers || \ | |
| cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }} | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }} | |
| build-and-sign: | |
| permissions: | |
| # cosign uses the GitHub OIDC token | |
| id-token: write | |
| needs: | |
| - pre-release | |
| strategy: | |
| matrix: | |
| arch: ["x86_64", "aarch64"] | |
| include: | |
| - ${{ needs.pre-release.outputs }} | |
| runs-on: "ubuntu-22.04" | |
| steps: | |
| - name: matrix description | |
| run: | | |
| echo "Running job with crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'." | |
| # - name: Fail if branch is not main | |
| # if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main' | |
| # run: | | |
| # echo "This workflow should not be triggered with workflow_dispatch on a branch other than main" | |
| # exit 1 | |
| - uses: actions/checkout@v4 | |
| - name: Setup build env | |
| run: ./scripts/setup-linux.sh | |
| - name: Setup rust toolchain | |
| uses: actions-rust-lang/setup-rust-toolchain@v1 | |
| env: | |
| RUST_CACHE_KEY_OS: rust-release-cache-${{ matrix.crate }}-${{ matrix.arch }} | |
| with: | |
| rustflags: '' #Disable. By default this action sets environment variable is set to -D warnings. We manage this in the Makefile | |
| - name: Setup cross-rs | |
| run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl | |
| - name: Setup build profile | |
| shell: bash | |
| run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV} | |
| - name: Setup cosign for signing | |
| if: ${{ matrix.is_shim == 'true' }} | |
| uses: sigstore/[email protected] | |
| with: | |
| cosign-release: 'v2.2.2' | |
| ### | |
| ### update the crate version, commit the change to main, then proceed with the release. | |
| ### (not on dry-run) | |
| ### | |
| - name: Build | |
| timeout-minutes: 20 | |
| run: make build-${{ matrix.runtime }} | |
| - name: Test | |
| if: ${{ matrix.arch == 'x86_64' }} | |
| timeout-minutes: 10 | |
| run: make test-${{ matrix.runtime }} | |
| - name: Sign the binary | |
| if: ${{ matrix.is_shim == 'true' }} | |
| run: | | |
| make dist-${{ matrix.runtime }} | |
| # Check if there's any files to archive as tar fails otherwise | |
| if stat dist/bin/* >/dev/null 2>&1; then | |
| cosign sign-blob --yes \ | |
| --output-signature containerd-shim-${{ matrix.runtime }}-v1.sig \ | |
| --output-certificate containerd-shim-${{ matrix.runtime }}-v1.pem \ | |
| --bundle containerd-shim-${{ matrix.runtime }}-v1.bundle \ | |
| dist/bin/containerd-shim-${{ matrix.runtime }}-v1 | |
| cosign sign-blob --yes \ | |
| --output-signature containerd-shim-${{ matrix.runtime }}d-v1.sig \ | |
| --output-certificate containerd-shim-${{ matrix.runtime }}d-v1.pem \ | |
| --bundle containerd-shim-${{ matrix.runtime }}d-v1.bundle \ | |
| dist/bin/containerd-shim-${{ matrix.runtime }}d-v1 | |
| cosign sign-blob --yes \ | |
| --output-signature containerd-${{ matrix.runtime }}d.sig \ | |
| --output-certificate containerd-${{ matrix.runtime }}d.pem \ | |
| --bundle containerd-${{ matrix.runtime }}d.bundle \ | |
| dist/bin/containerd-${{ matrix.runtime }}d | |
| # Copy the certs to the dist/bin folder | |
| cp *.sig dist/bin/ | |
| cp *.pem dist/bin/ | |
| else | |
| echo "No files to sign" | |
| fi | |
| - name: Package artifacts | |
| if: ${{ matrix.is_shim == 'true' }} | |
| shell: bash | |
| run: | | |
| # Check if there's any files to archive as tar fails otherwise | |
| if stat dist/bin/* >/dev/null 2>&1; then | |
| tar -czf dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin . | |
| else | |
| tar -czf dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz -T /dev/null | |
| fi | |
| - name: Upload artifacts | |
| if: ${{ matrix.is_shim == 'true' }} | |
| uses: actions/upload-artifact@master | |
| with: | |
| name: containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }} | |
| path: dist/containerd-shim-${{ matrix.runtime }}-${{ matrix.arch }}.tar.gz | |
| release: | |
| permissions: | |
| contents: write | |
| needs: | |
| - pre-release | |
| - build-and-sign | |
| strategy: | |
| matrix: | |
| os: ["ubuntu-latest"] | |
| include: | |
| - ${{ needs.pre-release.outputs }} | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: matrix description | |
| run: | | |
| echo "Running job with crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'." | |
| - uses: actions/checkout@v4 | |
| - name: Setup build env | |
| run: ./scripts/setup-linux.sh | |
| - name: Download artifacts | |
| if: ${{ matrix.is_shim == 'true' }} | |
| uses: actions/download-artifact@master | |
| with: | |
| path: release | |
| - name: Tag the the release | |
| if: ${{ !inputs.dry_run }} | |
| run: | | |
| git tag "${{matrix.crate}}/v${{matrix.version}}" | |
| git push origin "${{matrix.crate}}/v${{matrix.version}}" | |
| - name: Create release | |
| if: ${{ !inputs.dry_run }} | |
| run: | | |
| gh release create 'refs/tags/${{matrix.crate}}/v${{matrix.version}}' --generate-notes --prerelease | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| RELEASE_NAME: ${{ matrix.crate }}/${{ matrix.version }} | |
| - name: Upload release artifacts | |
| if: ${{ matrix.is_shim == 'true' && !inputs.dry_run }} | |
| run: | | |
| for i in release/*/*; do | |
| gh release upload ${RELEASE_NAME} $i | |
| done | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| RELEASE_NAME: ${{ matrix.crate }}/${{ matrix.version }} | |
| - name: Cargo publish | |
| if: ${{ matrix.is_shim != 'true' }} | |
| run: cargo publish ${{ inputs.dry_run && '--dry-run' || '' }} --package ${{ matrix.crate }} --verbose --locked | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }} |