
Merge pull request #1978 from vdice/chore/tinygo-outbound-allowed #15

Workflow file for this run

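# Release workflow: builds the spin binary for each matrix target, signs it
# with cosign (keyless, GitHub OIDC), publishes archives and checksums, keeps
# the rolling "canary" release current, and pushes the SDK / template tags.
#
# NOTE(review): the third-party actions below are referenced by mutable tag
# (`@v2`, `@v3`, ...). Several jobs here hold a write-capable GITHUB_TOKEN and
# one holds `id-token: write`, so pinning every `uses:` to a full commit SHA
# (`owner/action@<full-commit-sha>  # <tag>`) keeps a re-pointed tag from
# changing what runs in a release.
name: Release
on:
  push:
    branches:
      - main
      - "v[0-9]+.[0-9]+"
    tags:
      - "v*"

# Serialize workflow runs
concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  # Quoted so the toolchain version stays a string; an unquoted value such as
  # 1.70 would be loaded as the float 1.7.
  RUST_VERSION: "1.71"

# Only build-and-sign declares `permissions:`. Every other job runs with the
# repository/organisation default for GITHUB_TOKEN.
# NOTE(review): consider an explicit per-job `permissions:` block limited to
# what each job uses (tag and release writes need `contents: write`; the PR
# job additionally needs `pull-requests: write`) - confirm against the
# repository's default token setting before adding.
jobs:
  build-and-sign:
    name: build and sign release assets
    runs-on: ${{ matrix.config.os }}
    permissions:
      # cosign uses the GitHub OIDC token
      id-token: write
      # needed to upload artifacts to a GH release
      contents: write
    outputs:
      prerelease: ${{ steps.release-version.outputs.prerelease }}
    strategy:
      matrix:
        config:
          - os: "ubuntu-20.04"
            arch: "amd64"
            extension: ""
            # Ubuntu 22.04 no longer ships libssl1.1, so we statically
            # link it here to preserve release binary compatibility.
            extraArgs: "--features openssl/vendored"
            target: ""
            targetDir: "target/release"
          - os: "ubuntu-20.04"
            arch: "aarch64"
            extension: ""
            extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu"
            target: "aarch64-unknown-linux-gnu"
            targetDir: "target/aarch64-unknown-linux-gnu/release"
          - os: "macos-latest"
            arch: "amd64"
            extension: ""
            extraArgs: ""
            target: ""
            targetDir: "target/release"
          - os: "macos-latest"
            arch: "aarch64"
            extension: ""
            extraArgs: "--target aarch64-apple-darwin"
            target: "aarch64-apple-darwin"
            targetDir: "target/aarch64-apple-darwin/release/"
          - os: "windows-latest"
            arch: "amd64"
            extension: ".exe"
            extraArgs: ""
            target: ""
            targetDir: "target/release"
    steps:
      - uses: actions/checkout@v3

      # RELEASE_VERSION is set only for tag pushes and for main. A push to a
      # "vX.Y" release branch matches neither condition, so the variable stays
      # unset for that run.
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_ENV"
      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> "$GITHUB_ENV"

      - name: lowercase the runner OS name
        shell: bash
        run: |
          OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
          echo "RUNNER_OS=$OS" >> $GITHUB_ENV

      # NOTE(review): the ref after "@" on the next `uses:` line was replaced
      # by e-mail obfuscation in this capture of the page; restore the real
      # pinned ref from the repository before using this file.
      - name: Install Cosign for signing Spin binary
        uses: sigstore/[email protected]
        with:
          cosign-release: v2.0.0

      - name: Install Rust toolchain
        shell: bash
        run: |
          rustup toolchain install ${{ env.RUST_VERSION }}
          rustup default ${{ env.RUST_VERSION }}
      - name: Install target
        if: matrix.config.target != ''
        shell: bash
        run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }}
      - name: "Install Wasm Rust target"
        run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }}

      - name: setup for cross-compiled linux aarch64 build
        if: matrix.config.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt update
          sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
          echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml
          echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml
          echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml

      - name: Check if pre-release
        id: release-version
        shell: bash
        run: |
          # The dots are escaped so that only vMAJOR.MINOR.PATCH counts as a
          # final release; an unescaped "." matches any character. The value
          # is read from the environment instead of being expanded into the
          # script text.
          if [[ "$RELEASE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "prerelease=false" >> "$GITHUB_OUTPUT"
          else
            echo "prerelease=true" >> "$GITHUB_OUTPUT"
          fi

      - name: build release
        shell: bash
        run: cargo build --release ${{ matrix.config.extraArgs }}

      # Keyless signing: the certificate (crt.pem) and signature (spin.sig)
      # are written next to the binary and shipped inside each archive.
      # Canary builds from main are signed by the same step as tagged
      # releases, so a verifier should check the expected workflow identity
      # and ref as well as the signature, for example:
      #   cosign verify-blob --certificate crt.pem --signature spin.sig \
      #     --certificate-identity-regexp '<expected workflow identity>' \
      #     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      #     spin
      - name: Sign the binary with GitHub OIDC token
        shell: bash
        run: |
          cosign sign-blob \
            --yes \
            --output-certificate crt.pem \
            --output-signature spin.sig \
            ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }}

      - name: package release assets
        if: runner.os != 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          tar czf \
            spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}
      - name: package release assets
        if: runner.os == 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          7z a -tzip \
            spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      - name: upload binary as GitHub artifact
        if: runner.os != 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz
      - name: upload binary to Github release
        if: startsWith(github.ref, 'refs/tags/v') && runner.os != 'Windows'
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz
          tag: ${{ github.ref }}
          prerelease: ${{ steps.release-version.outputs.prerelease == 'true' }}
      - name: upload binary as GitHub artifact
        if: runner.os == 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip
      - name: upload binary to Github release
        if: startsWith(github.ref, 'refs/tags/v') && runner.os == 'Windows'
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip
          tag: ${{ github.ref }}
          prerelease: ${{ steps.release-version.outputs.prerelease == 'true' }}

      # No static AWS keys are passed here, only a role to assume, so this
      # step presumably relies on the job's `id-token: write` permission
      # (OIDC federation) - confirm. The role's trust policy is the real
      # control: it should accept tokens only for this repository and ref.
      # The `runner.os == 'linux'` comparison works because expression string
      # comparisons ignore case.
      - name: Configure AWS Credentials
        if: |
          runner.os == 'linux' &&
          matrix.config.arch == 'amd64' &&
          github.repository_owner == 'fermyon' &&
          github.ref == 'refs/heads/main'
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}
          role-session-name: spin-release-artifacts
          aws-region: ${{ secrets.AWS_REGION }}
      # `--acl public-read` makes the uploaded canary archive readable by
      # anyone; the assumed role therefore needs no more than write access to
      # this one bucket.
      - name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }}
        if: |
          runner.os == 'linux' &&
          matrix.config.arch == 'amd64' &&
          github.repository_owner == 'fermyon' &&
          github.ref == 'refs/heads/main'
        run: |
          aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read

  # The checksum file is generated from the downloaded `spin` artifact and is
  # not itself signed. It detects corruption or substitution of a single
  # archive; authenticity of the binary comes from the cosign certificate and
  # signature packed inside each archive.
  checksums:
    name: generate release checksums
    runs-on: ubuntu-latest
    needs: build-and-sign
    steps:
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_ENV"
      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> "$GITHUB_ENV"
      - name: download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin
      - name: generate checksums
        run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt
      - uses: actions/upload-artifact@v3
        with:
          name: spin
          path: checksums-${{ env.RELEASE_VERSION }}.txt
      - name: upload checksums to Github release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: checksums-${{ env.RELEASE_VERSION }}.txt
          tag: ${{ github.ref }}
          prerelease: ${{ needs.build-and-sign.outputs.prerelease == 'true' }}

  # The canary tag and release are deleted and recreated on every push to
  # main, so "canary" is a moving reference: downstream users cannot pin to
  # it and should verify each download.
  update-canary:
    name: update canary release
    runs-on: ubuntu-latest
    needs: checksums
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin
      # NOTE(review): the refs after "@" on the two `uses:` lines below were
      # replaced by e-mail obfuscation in this capture of the page; restore
      # the real pinned refs from the repository.
      - name: Delete canary tag
        uses: dev-drprasad/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: canary
          delete_release: true
      - name: Recreate canary tag and release
        uses: ncipollo/[email protected]
        with:
          tag: canary
          allowUpdates: true
          prerelease: true
          artifacts: "checksums-canary.txt,spin-canary*"
          commit: ${{ github.sha }}
          body: |
            This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**.
            It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

  create-go-sdk-tag:
    name: create tag sdk/go/v*
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v3
      - name: Set the tag to sdk/go/v*
        shell: bash
        run: echo "GO_SDK_TAG=sdk/go/${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_ENV"
      - name: Tag sdk/go/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # The tag name comes from the pushed ref, so it is read from the
          # environment and quoted instead of being expanded into the script.
          git tag "$GO_SDK_TAG"
          git push origin "$GO_SDK_TAG"

  create-template-sdk-update-pr:
    name: Create PR with template SDK updates
    runs-on: ubuntu-latest
    needs: create-go-sdk-tag
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v3
      - name: Set the spin tag
        shell: bash
        run: |
          echo "SPIN_TAG=${GITHUB_REF/refs\/tags\//}" >> "$GITHUB_ENV"
      - name: Set the PR base branch
        shell: bash
        run: |
          IFS=. read -r major minor patch <<< "$SPIN_TAG"
          echo "RELEASE_BRANCH=$major.$minor" >> "$GITHUB_ENV"
      # `make` runs before the GPG key is imported, so the template build
      # does not execute while the signing key is loaded. Keep this order.
      - name: Change sdk version
        shell: bash
        run: |
          cd templates
          SDK_VERSION="$SPIN_TAG" make
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      # NOTE(review): the e-mail addresses in `committer` and `author` were
      # obfuscated in this capture of the page; restore them from the
      # repository.
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4
        with:
          commit-message: "feat(templates): update sdk to ${{ env.SPIN_TAG }}"
          title: "feat(templates): update sdk to ${{ env.SPIN_TAG }}"
          body: Update the SDK version used by the templates
          branch: update-sdk-${{ env.SPIN_TAG }}
          base: ${{ env.RELEASE_BRANCH }}
          delete-branch: true
          committer: fermybot <[email protected]>
          author: fermybot <[email protected]>
          signoff: true

  # This will run when the PR above is approved and merged into main via a merge commit
  #
  # The `if:` below matches on the commit author name and message. Both are
  # free-form commit metadata rather than an authenticated identity, so this
  # condition is a convenience filter and not an access control; branch
  # protection and review on the pushed branches are what limit who can
  # trigger this job.
  push-templates-tag:
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: github.event.commits[0].author.name == 'fermybot' && contains(github.event.commits[0].message, 'update sdk')
    steps:
      - uses: actions/checkout@v3
      - name: Set the tag to spin/templates/v*
        shell: bash
        env:
          # The commit message is untrusted text. It is handed to the script
          # as an environment variable so that it is never expanded into the
          # script source, where quotes or `$(...)` inside the message would
          # be interpreted by the shell.
          COMMIT_MESSAGE: ${{ github.event.commits[0].message }}
        run: |
          # Only characters matched by the pattern (v, digits, dots) reach
          # the tag name and the GITHUB_ENV file.
          spin_tag=$(printf '%s\n' "$COMMIT_MESSAGE" | grep -Eo 'v[0-9.]+')
          IFS=. read -r major minor patch <<< "${spin_tag}"
          echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> "$GITHUB_ENV"
      # The tag is force-moved, so spin/templates/vX.Y is a mutable reference.
      - name: Tag spin/templates/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git tag "$TEMPLATE_TAG" -f
          git push origin "$TEMPLATE_TAG" -f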