Skip to content

Merge pull request #2344 from suneetnangia/issue/2335/fix-swallowed-m… #1149

Merge pull request #2344 from suneetnangia/issue/2335/fix-swallowed-m…

Merge pull request #2344 from suneetnangia/issue/2335/fix-swallowed-m… #1149

Workflow file for this run

name: Release
on:
push:
branches:
- main
- "v[0-9]+.[0-9]+"
tags:
- "v*"
# Serialize workflow runs
concurrency: ${{ github.workflow }}-${{ github.ref }}
env:
RUST_VERSION: 1.74
jobs:
build-and-sign:
name: build and sign release assets
runs-on: ${{ matrix.config.os }}
permissions:
# cosign uses the GitHub OIDC token
id-token: write
# needed to upload artifacts to a GH release
contents: write
strategy:
matrix:
config:
- {
os: "ubuntu-20.04",
arch: "amd64",
extension: "",
# Ubuntu 22.04 no longer ships libssl1.1, so we statically
# link it here to preserve release binary compatibility.
extraArgs: "--features openssl/vendored",
target: "",
targetDir: "target/release",
}
- {
os: "ubuntu-20.04",
arch: "aarch64",
extension: "",
extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu",
target: "aarch64-unknown-linux-gnu",
targetDir: "target/aarch64-unknown-linux-gnu/release",
}
- {
os: "macos-latest",
arch: "amd64",
extension: "",
extraArgs: "",
target: "",
targetDir: "target/release",
}
- {
os: "macos-latest",
arch: "aarch64",
extension: "",
extraArgs: "--target aarch64-apple-darwin",
target: "aarch64-apple-darwin",
targetDir: "target/aarch64-apple-darwin/release/",
}
- {
os: "windows-latest",
arch: "amd64",
extension: ".exe",
extraArgs: "",
target: "",
targetDir: "target/release",
}
steps:
- uses: actions/checkout@v3
- name: set the release version (tag)
if: startsWith(github.ref, 'refs/tags/v')
shell: bash
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV
- name: set the release version (main)
if: github.ref == 'refs/heads/main'
shell: bash
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV
- name: lowercase the runner OS name
shell: bash
run: |
OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
echo "RUNNER_OS=$OS" >> $GITHUB_ENV
- name: Install Cosign for signing Spin binary
uses: sigstore/[email protected]
with:
cosign-release: v2.0.0
- name: Install Rust toolchain
shell: bash
run: |
rustup toolchain install ${{ env.RUST_VERSION }}
rustup default ${{ env.RUST_VERSION }}
- name: Install target
if: matrix.config.target != ''
shell: bash
run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }}
- name: "Install Wasm Rust target"
run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }}
- name: setup for cross-compiled linux aarch64 build
if: matrix.config.target == 'aarch64-unknown-linux-gnu'
run: |
sudo apt update
sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml
echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml
echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml
- name: setup dependencies
uses: ./.github/actions/spin-ci-dependencies
with:
vcpkg: "${{ matrix.os == 'windows-latest' }}"
- name: build release
shell: bash
run: cargo build --release ${{ matrix.config.extraArgs }}
- name: Sign the binary with GitHub OIDC token
shell: bash
run: |
cosign sign-blob \
--yes \
--output-certificate crt.pem \
--output-signature spin.sig \
${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }}
- name: package release assets
if: runner.os != 'Windows'
shell: bash
run: |
mkdir _dist
cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
cd _dist
tar czf \
spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}
- name: package release assets
if: runner.os == 'Windows'
shell: bash
run: |
mkdir _dist
cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
cd _dist
7z a -tzip \
spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \
crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}
- name: upload binary as GitHub artifact
if: runner.os != 'Windows'
uses: actions/upload-artifact@v3
with:
name: spin
path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz
- name: upload binary as GitHub artifact
if: runner.os == 'Windows'
uses: actions/upload-artifact@v3
with:
name: spin
path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip
- name: Configure AWS Credentials
if: |
runner.os == 'linux' &&
matrix.config.arch == 'amd64' &&
github.repository_owner == 'fermyon' &&
github.ref == 'refs/heads/main'
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}
role-session-name: spin-release-artifacts
aws-region: ${{ secrets.AWS_REGION }}
- name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }}
if: |
runner.os == 'linux' &&
matrix.config.arch == 'amd64' &&
github.repository_owner == 'fermyon' &&
github.ref == 'refs/heads/main'
run: |
aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read
checksums:
name: generate release checksums
runs-on: ubuntu-latest
needs: [build-and-sign, build-spin-static]
steps:
- name: set the release version (tag)
if: startsWith(github.ref, 'refs/tags/v')
shell: bash
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV
- name: set the release version (main)
if: github.ref == 'refs/heads/main'
shell: bash
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV
- name: download release assets
uses: actions/download-artifact@v3
with:
name: spin
- name: generate checksums
run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt
- uses: actions/upload-artifact@v3
with:
name: spin
path: checksums-${{ env.RELEASE_VERSION }}.txt
create-gh-release:
name: create GitHub release
runs-on: ubuntu-latest
needs: checksums
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v3
- name: download release assets
uses: actions/download-artifact@v3
with:
name: spin
path: _dist
- name: check if pre-release
shell: bash
run: |
if [[ ! "${{ github.ref_name }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]]
then
echo "PRERELEASE=--prerelease" >> "$GITHUB_ENV"
fi
- name: create GitHub release (canary)
if: github.ref == 'refs/heads/main'
run: |
gh release delete canary --cleanup-tag
gh release create canary _dist/* \
--title canary \
--prerelease \
--notes-file - <<- EOF
This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
EOF
- name: create GitHub release
if: startsWith(github.ref, 'refs/tags/v')
run: |
gh release create ${{ github.ref_name }} _dist/* \
--title ${{ github.ref_name }} \
--generate-notes ${{ env.PRERELEASE }}
push-templates-tag:
runs-on: ubuntu-latest
needs: build-and-sign
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: actions/checkout@v3
- name: Set the tag to spin/templates/v*
shell: bash
run: |
spin_tag=$(echo "${{ github.ref }}" | grep -Eo "v[0-9.]+")
IFS=. read -r major minor patch <<< "${spin_tag}"
echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> $GITHUB_ENV
- name: Tag spin/templates/v* and push it
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git tag ${{ env.TEMPLATE_TAG }} -f
git push origin ${{ env.TEMPLATE_TAG }} -f
## statically linked spin binaries
build-spin-static:
name: Build Spin static
runs-on: ubuntu-latest
permissions:
# cosign uses the GitHub OIDC token
id-token: write
# needed to upload artifacts to a GH release
contents: write
strategy:
matrix:
config:
- {
arch: "aarch64",
target: "aarch64-unknown-linux-musl"
}
- {
arch: "amd64",
target: "x86_64-unknown-linux-musl"
}
steps:
- uses: actions/checkout@v3
- name: set the release version (tag)
if: startsWith(github.ref, 'refs/tags/v')
shell: bash
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV
- name: set the release version (main)
if: github.ref == 'refs/heads/main'
shell: bash
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV
- name: lowercase the runner OS name
shell: bash
run: |
OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
echo "RUNNER_OS=$OS" >> $GITHUB_ENV
- name: Check if pre-release
id: release-version
shell: bash
run: |
[[ "${{ env.RELEASE_VERSION }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]] && \
echo "prerelease=false" >> "$GITHUB_OUTPUT" || \
echo "prerelease=true" >> "$GITHUB_OUTPUT"
- name: setup dependencies
uses: ./.github/actions/spin-ci-dependencies
with:
rust: true
rust-cross: true
rust-cache: true
- name: Cargo Build
run: cross build --target ${{ matrix.config.target }} --release --features openssl/vendored
env:
CARGO_INCREMENTAL: 0
BUILD_SPIN_EXAMPLES: 0
- name: Install Cosign for signing Spin binary
uses: sigstore/[email protected]
with:
cosign-release: v2.0.0
- name: Sign the binary with GitHub OIDC token
shell: bash
run: |
cosign sign-blob \
--yes \
--output-certificate crt.pem \
--output-signature spin.sig \
target/${{ matrix.config.target }}/release/spin
- name: package release assets
shell: bash
run: |
mkdir _dist
cp crt.pem spin.sig README.md LICENSE target/${{ matrix.config.target }}/release/spin _dist/
cd _dist
tar czf \
spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
crt.pem spin.sig README.md LICENSE spin
- name: upload binary as GitHub artifact
uses: actions/upload-artifact@v3
with:
name: spin
path: _dist/spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz