Merge pull request #1978 from vdice/chore/tinygo-outbound-allowed #15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
- "v[0-9]+.[0-9]+" | |
tags: | |
- "v*" | |
# Serialize workflow runs | |
concurrency: ${{ github.workflow }}-${{ github.ref }} | |
env: | |
RUST_VERSION: 1.71 | |
jobs: | |
build-and-sign: | |
name: build and sign release assets | |
runs-on: ${{ matrix.config.os }} | |
permissions: | |
# cosign uses the GitHub OIDC token | |
id-token: write | |
# needed to upload artifacts to a GH release | |
contents: write | |
outputs: | |
prerelease: ${{ steps.release-version.outputs.prerelease }} | |
strategy: | |
matrix: | |
config: | |
- { | |
os: "ubuntu-20.04", | |
arch: "amd64", | |
extension: "", | |
# Ubuntu 22.04 no longer ships libssl1.1, so we statically | |
# link it here to preserve release binary compatibility. | |
extraArgs: "--features openssl/vendored", | |
target: "", | |
targetDir: "target/release", | |
} | |
- { | |
os: "ubuntu-20.04", | |
arch: "aarch64", | |
extension: "", | |
extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu", | |
target: "aarch64-unknown-linux-gnu", | |
targetDir: "target/aarch64-unknown-linux-gnu/release", | |
} | |
- { | |
os: "macos-latest", | |
arch: "amd64", | |
extension: "", | |
extraArgs: "", | |
target: "", | |
targetDir: "target/release", | |
} | |
- { | |
os: "macos-latest", | |
arch: "aarch64", | |
extension: "", | |
extraArgs: "--target aarch64-apple-darwin", | |
target: "aarch64-apple-darwin", | |
targetDir: "target/aarch64-apple-darwin/release/", | |
} | |
- { | |
os: "windows-latest", | |
arch: "amd64", | |
extension: ".exe", | |
extraArgs: "", | |
target: "", | |
targetDir: "target/release", | |
} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: set the release version (tag) | |
if: startsWith(github.ref, 'refs/tags/v') | |
shell: bash | |
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: set the release version (main) | |
if: github.ref == 'refs/heads/main' | |
shell: bash | |
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV | |
- name: lowercase the runner OS name | |
shell: bash | |
run: | | |
OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]') | |
echo "RUNNER_OS=$OS" >> $GITHUB_ENV | |
- name: Install Cosign for signing Spin binary | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: v2.0.0 | |
- name: Install Rust toolchain | |
shell: bash | |
run: | | |
rustup toolchain install ${{ env.RUST_VERSION }} | |
rustup default ${{ env.RUST_VERSION }} | |
- name: Install target | |
if: matrix.config.target != '' | |
shell: bash | |
run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }} | |
- name: "Install Wasm Rust target" | |
run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }} | |
- name: setup for cross-compiled linux aarch64 build | |
if: matrix.config.target == 'aarch64-unknown-linux-gnu' | |
run: | | |
sudo apt update | |
sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu | |
echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml | |
echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml | |
echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml | |
- name: Check if pre-release | |
id: release-version | |
shell: bash | |
run: | | |
[[ "${{ env.RELEASE_VERSION }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]] && \ | |
echo "prerelease=false" >> "$GITHUB_OUTPUT" || \ | |
echo "prerelease=true" >> "$GITHUB_OUTPUT" | |
- name: build release | |
shell: bash | |
run: cargo build --release ${{ matrix.config.extraArgs }} | |
- name: Sign the binary with GitHub OIDC token | |
shell: bash | |
run: | | |
cosign sign-blob \ | |
--yes \ | |
--output-certificate crt.pem \ | |
--output-signature spin.sig \ | |
${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} | |
- name: package release assets | |
if: runner.os != 'Windows' | |
shell: bash | |
run: | | |
mkdir _dist | |
cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/ | |
cd _dist | |
tar czf \ | |
spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \ | |
crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }} | |
- name: package release assets | |
if: runner.os == 'Windows' | |
shell: bash | |
run: | | |
mkdir _dist | |
cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/ | |
cd _dist | |
7z a -tzip \ | |
spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \ | |
crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }} | |
- name: upload binary as GitHub artifact | |
if: runner.os != 'Windows' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: spin | |
path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz | |
- name: upload binary to Github release | |
if: startsWith(github.ref, 'refs/tags/v') && runner.os != 'Windows' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz | |
tag: ${{ github.ref }} | |
prerelease: ${{ steps.release-version.outputs.prerelease == 'true' }} | |
- name: upload binary as GitHub artifact | |
if: runner.os == 'Windows' | |
uses: actions/upload-artifact@v3 | |
with: | |
name: spin | |
path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip | |
- name: upload binary to Github release | |
if: startsWith(github.ref, 'refs/tags/v') && runner.os == 'Windows' | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip | |
tag: ${{ github.ref }} | |
prerelease: ${{ steps.release-version.outputs.prerelease == 'true' }} | |
- name: Configure AWS Credentials | |
if: | | |
runner.os == 'linux' && | |
matrix.config.arch == 'amd64' && | |
github.repository_owner == 'fermyon' && | |
github.ref == 'refs/heads/main' | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }} | |
role-session-name: spin-release-artifacts | |
aws-region: ${{ secrets.AWS_REGION }} | |
- name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }} | |
if: | | |
runner.os == 'linux' && | |
matrix.config.arch == 'amd64' && | |
github.repository_owner == 'fermyon' && | |
github.ref == 'refs/heads/main' | |
run: | | |
aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read | |
checksums: | |
name: generate release checksums | |
runs-on: ubuntu-latest | |
needs: build-and-sign | |
steps: | |
- name: set the release version (tag) | |
if: startsWith(github.ref, 'refs/tags/v') | |
shell: bash | |
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: set the release version (main) | |
if: github.ref == 'refs/heads/main' | |
shell: bash | |
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV | |
- name: download release assets | |
uses: actions/download-artifact@v3 | |
with: | |
name: spin | |
- name: generate checksums | |
run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: spin | |
path: checksums-${{ env.RELEASE_VERSION }}.txt | |
- name: upload checksums to Github release | |
if: startsWith(github.ref, 'refs/tags/v') | |
uses: svenstaro/upload-release-action@v2 | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: checksums-${{ env.RELEASE_VERSION }}.txt | |
tag: ${{ github.ref }} | |
prerelease: ${{ needs.build-and-sign.outputs.prerelease == 'true' }} | |
update-canary: | |
name: update canary release | |
runs-on: ubuntu-latest | |
needs: checksums | |
if: github.ref == 'refs/heads/main' | |
steps: | |
- name: Download release assets | |
uses: actions/download-artifact@v3 | |
with: | |
name: spin | |
- name: Delete canary tag | |
uses: dev-drprasad/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: canary | |
delete_release: true | |
- name: Recreate canary tag and release | |
uses: ncipollo/[email protected] | |
with: | |
tag: canary | |
allowUpdates: true | |
prerelease: true | |
artifacts: "checksums-canary.txt,spin-canary*" | |
commit: ${{ github.sha }} | |
body: | | |
This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**. | |
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented. | |
create-go-sdk-tag: | |
name: create tag sdk/go/v* | |
runs-on: ubuntu-latest | |
needs: build-and-sign | |
if: startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set the tag to sdk/go/v* | |
shell: bash | |
run: echo "GO_SDK_TAG=sdk/go/${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: Tag sdk/go/v* and push it | |
shell: bash | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
git tag ${{ env.GO_SDK_TAG }} | |
git push origin ${{ env.GO_SDK_TAG }} | |
create-template-sdk-update-pr: | |
name: Create PR with template SDK updates | |
runs-on: ubuntu-latest | |
needs: create-go-sdk-tag | |
if: startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set the spin tag | |
shell: bash | |
run: | | |
echo "SPIN_TAG=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: Set the PR base branch | |
shell: bash | |
run: | | |
IFS=. read -r major minor patch <<< "${{ env.SPIN_TAG }}" | |
echo "RELEASE_BRANCH=$major.$minor" >> $GITHUB_ENV | |
- name: Change sdk version | |
shell: bash | |
run: | | |
cd templates | |
SDK_VERSION=${{ env.SPIN_TAG }} make | |
- name: Import GPG key | |
uses: crazy-max/ghaction-import-gpg@v5 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.PASSPHRASE }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
- name: Create Pull Request | |
uses: peter-evans/create-pull-request@v4 | |
with: | |
commit-message: "feat(templates): update sdk to ${{ env.SPIN_TAG }}" | |
title: "feat(templates): update sdk to ${{ env.SPIN_TAG }}" | |
body: Update the SDK version used by the templates | |
branch: update-sdk-${{ env.SPIN_TAG }} | |
base: ${{ env.RELEASE_BRANCH }} | |
delete-branch: true | |
committer: fermybot <[email protected]> | |
author: fermybot <[email protected]> | |
signoff: true | |
# This will run when the PR above is approved and merged into main via a merge commit | |
push-templates-tag: | |
runs-on: ubuntu-latest | |
needs: build-and-sign | |
if: github.event.commits[0].author.name == 'fermybot' && contains(github.event.commits[0].message, 'update sdk') | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set the tag to spin/templates/v* | |
shell: bash | |
run: | | |
spin_tag=$(echo "${{ github.event.commits[0].message }}" | grep -Eo v[0-9.]+) | |
IFS=. read -r major minor patch <<< "${spin_tag}" | |
echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> $GITHUB_ENV | |
- name: Tag spin/templates/v* and push it | |
shell: bash | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
git tag ${{ env.TEMPLATE_TAG }} -f | |
git push origin ${{ env.TEMPLATE_TAG }} -f |