Merge pull request #2258 from itowlson/fix-regrettable-trigger-help-h… #16
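# Release workflow: builds Spin for every matrix entry, signs each binary with
# cosign (keyless, GitHub OIDC), packages and checksums the archives, publishes
# a GitHub release (tag builds) or the rolling "canary" release (main), and on
# tag builds also pushes the Go SDK tag, opens the template SDK-bump PR and
# publishes the Rust SDK crates.
#
# NOTE(review): every `uses:` below references an action by version tag. Tags
# are mutable; pinning each one to a full commit SHA would fix exactly what
# code runs in the jobs that hold the signing identity, the GPG key and the
# registry token. The SHAs are not visible on this page, so the refs are left
# as written.
name: Release

on:
  push:
    branches:
      - main
      - "v[0-9]+.[0-9]+"
    tags:
      - "v*"

# Serialize workflow runs
concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  # Quoted so the version stays a string (an unquoted 1.70 would load as 1.7).
  RUST_VERSION: "1.73"

jobs:
  build-and-sign:
    name: build and sign release assets
    runs-on: ${{ matrix.config.os }}
    permissions:
      # cosign uses the GitHub OIDC token
      # (presumably the AWS role assumption below relies on it too, since that
      # step passes no static keys - confirm)
      id-token: write
      # needed to upload artifacts to a GH release
      # NOTE(review): the steps visible in this job only upload workflow
      # artifacts; confirm that write access is still required here.
      contents: write
    strategy:
      matrix:
        config:
          - os: "ubuntu-20.04"
            arch: "amd64"
            extension: ""
            # Ubuntu 22.04 no longer ships libssl1.1, so we statically
            # link it here to preserve release binary compatibility.
            extraArgs: "--features openssl/vendored"
            target: ""
            targetDir: "target/release"
          - os: "ubuntu-20.04"
            arch: "aarch64"
            extension: ""
            extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu"
            target: "aarch64-unknown-linux-gnu"
            targetDir: "target/aarch64-unknown-linux-gnu/release"
          - os: "macos-latest"
            arch: "amd64"
            extension: ""
            extraArgs: ""
            target: ""
            targetDir: "target/release"
          - os: "macos-latest"
            arch: "aarch64"
            extension: ""
            extraArgs: "--target aarch64-apple-darwin"
            target: "aarch64-apple-darwin"
            targetDir: "target/aarch64-apple-darwin/release/"
          - os: "windows-latest"
            arch: "amd64"
            extension: ".exe"
            extraArgs: ""
            target: ""
            targetDir: "target/release"
    steps:
      - uses: actions/checkout@v3

      # RELEASE_VERSION is only set for tag and main pushes; a push to a
      # release branch matches neither condition and leaves it empty.
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: lowercase the runner OS name
        shell: bash
        run: |
          OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
          echo "RUNNER_OS=$OS" >> $GITHUB_ENV

      # NOTE(review): the action ref below was mangled by the page's e-mail
      # obfuscation; restore the real `cosign-installer@<ref>` from the repo.
      - name: Install Cosign for signing Spin binary
        uses: sigstore/[email protected]
        with:
          cosign-release: v2.0.0

      - name: Install Rust toolchain
        shell: bash
        run: |
          rustup toolchain install ${{ env.RUST_VERSION }}
          rustup default ${{ env.RUST_VERSION }}

      - name: Install target
        if: matrix.config.target != ''
        shell: bash
        run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }}

      - name: "Install Wasm Rust target"
        run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }}

      - name: setup for cross-compiled linux aarch64 build
        if: matrix.config.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt update
          sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
          echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml
          echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml
          echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml

      - name: build release
        shell: bash
        run: cargo build --release ${{ matrix.config.extraArgs }}

      # Keyless signing: the certificate and signature written here are
      # shipped inside the archive next to the binary they cover.
      - name: Sign the binary with GitHub OIDC token
        shell: bash
        run: |
          cosign sign-blob \
            --yes \
            --output-certificate crt.pem \
            --output-signature spin.sig \
            ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }}

      # env.RUNNER_OS is kept as an expression in the packaging steps: it is
      # the lowercased value written above, and the shell's own RUNNER_OS is a
      # runner-provided default that may not reflect it - verify before
      # replacing it with $RUNNER_OS.
      - name: package release assets
        if: runner.os != 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          tar czf \
            spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      - name: package release assets
        if: runner.os == 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          7z a -tzip \
            spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      - name: upload binary as GitHub artifact
        if: runner.os != 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

      - name: upload binary as GitHub artifact
        if: runner.os == 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip

      # Only the linux/amd64 canary build from the upstream repository is
      # mirrored to S3; forks and tag builds skip both AWS steps.
      - name: Configure AWS Credentials
        if: |
          runner.os == 'linux' &&
          matrix.config.arch == 'amd64' &&
          github.repository_owner == 'fermyon' &&
          github.ref == 'refs/heads/main'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}
          role-session-name: spin-release-artifacts
          aws-region: ${{ secrets.AWS_REGION }}

      # The object is uploaded with a public-read ACL, i.e. it is meant to be
      # downloadable by anyone.
      - name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }}
        if: |
          runner.os == 'linux' &&
          matrix.config.arch == 'amd64' &&
          github.repository_owner == 'fermyon' &&
          github.ref == 'refs/heads/main'
        run: |
          aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read

  checksums:
    name: generate release checksums
    runs-on: ubuntu-latest
    needs: [build-and-sign, build-spin-static]
    # This job only moves workflow artifacts around; it needs no write scope
    # on the repository.
    permissions:
      contents: read
    steps:
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin

      # Hashes every file of the downloaded "spin" artifact into one list,
      # which is then added to the same artifact.
      - name: generate checksums
        run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt

      - uses: actions/upload-artifact@v3
        with:
          name: spin
          path: checksums-${{ env.RELEASE_VERSION }}.txt

  create-gh-release:
    name: create GitHub release
    runs-on: ubuntu-latest
    needs: checksums
    # Creating and deleting releases and tags needs write access to contents;
    # stated explicitly so the job does not depend on the repository default.
    permissions:
      contents: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v3

      - name: download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin
          path: _dist

      - name: check if pre-release
        shell: bash
        env:
          # The ref name is passed as data rather than expanded into the
          # script text, so its content can never be parsed as shell.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Dots are escaped so only vMAJOR.MINOR.PATCH counts as a final release.
          if [[ ! "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]
          then
            echo "PRERELEASE=--prerelease" >> "$GITHUB_ENV"
          fi

      # The canary release is deleted (together with its tag) and recreated
      # on every push to main.
      - name: create GitHub release (canary)
        if: github.ref == 'refs/heads/main'
        run: |
          gh release delete canary --cleanup-tag
          gh release create canary _dist/* \
            --title canary \
            --prerelease \
            --notes-file - <<- EOF
          This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**.
          It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
          EOF

      - name: create GitHub release
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # PRERELEASE is deliberately unquoted: it is either empty or the
          # single flag written by the pre-release check above.
          gh release create "$REF_NAME" _dist/* \
            --title "$REF_NAME" \
            --generate-notes ${PRERELEASE:-}

  create-go-sdk-tag:
    name: create tag sdk/go/v*
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: startsWith(github.ref, 'refs/tags/v')
    # Pushing a tag needs write access to contents.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3

      - name: Set the tag to sdk/go/v*
        shell: bash
        run: echo "GO_SDK_TAG=sdk/go/${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: Tag sdk/go/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # GO_SDK_TAG derives from the pushed tag name; read it as a quoted
          # shell variable instead of expanding it into the script.
          git tag "$GO_SDK_TAG"
          git push origin "$GO_SDK_TAG"

  create-template-sdk-update-pr:
    name: Create PR with template SDK updates
    runs-on: ubuntu-latest
    needs: create-go-sdk-tag
    if: startsWith(github.ref, 'refs/tags/v')
    # The PR step pushes a branch and opens a pull request.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v3

      - name: Set the spin tag
        shell: bash
        run: |
          echo "SPIN_TAG=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      # vMAJOR.MINOR.PATCH -> vMAJOR.MINOR, the release branch the PR targets.
      - name: Set the PR base branch
        shell: bash
        run: |
          IFS=. read -r major minor patch <<< "$SPIN_TAG"
          echo "RELEASE_BRANCH=$major.$minor" >> "$GITHUB_ENV"

      - name: Change sdk version
        shell: bash
        run: |
          cd templates
          SDK_VERSION="$SPIN_TAG" make

      # This step receives the bot's private signing key and passphrase, so
      # the action it runs is the most sensitive third-party code in the file.
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      # NOTE(review): the committer/author addresses below were redacted by
      # the page's e-mail obfuscation; restore them from the repository.
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4
        with:
          commit-message: "feat(templates): update sdk to ${{ env.SPIN_TAG }}"
          title: "feat(templates): update sdk to ${{ env.SPIN_TAG }}"
          body: Update the SDK version used by the templates
          branch: update-sdk-${{ env.SPIN_TAG }}
          base: ${{ env.RELEASE_BRANCH }}
          delete-branch: true
          committer: fermybot <[email protected]>
          author: fermybot <[email protected]>
          signoff: true

  # This will run when the PR above is approved and merged into main via a merge commit
  #
  # NOTE(review): a commit's author name is chosen by whoever creates the
  # commit, so the condition below is a filter, not an authentication check.
  # What limits who can reach this job is who may push to the refs in `on:` -
  # confirm branch protection covers them.
  push-templates-tag:
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: github.event.commits[0].author.name == 'fermybot' && contains(github.event.commits[0].message, 'update sdk')
    # Force-pushing a tag needs write access to contents.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3

      - name: Set the tag to spin/templates/v*
        shell: bash
        env:
          # Commit text is free-form input. It is handed to the shell as an
          # environment variable so nothing in it is parsed as script.
          COMMIT_MESSAGE: ${{ github.event.commits[0].message }}
        run: |
          # The pattern is quoted so the shell cannot glob-expand it.
          spin_tag=$(printf '%s\n' "$COMMIT_MESSAGE" | grep -Eo 'v[0-9.]+')
          IFS=. read -r major minor patch <<< "${spin_tag}"
          echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> "$GITHUB_ENV"

      - name: Tag spin/templates/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # -f moves the existing spin/templates tag to this commit.
          git tag "$TEMPLATE_TAG" -f
          git push origin "$TEMPLATE_TAG" -f

  ## statically linked spin binaries
  build-spin-static:
    name: Build Spin static
    runs-on: ubuntu-latest
    permissions:
      # cosign uses the GitHub OIDC token
      id-token: write
      # needed to upload artifacts to a GH release
      contents: write
    strategy:
      matrix:
        config:
          - arch: "aarch64"
            target: "aarch64-unknown-linux-musl"
            rustflags: '-C target-feature=+fp16 -C target-feature=+crt-static -C link-self-contained=yes'
          - arch: "amd64"
            target: "x86_64-unknown-linux-musl"
            rustflags: '-C target-feature=+crt-static -C link-self-contained=yes'
    steps:
      - uses: actions/checkout@v3

      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: lowercase the runner OS name
        shell: bash
        run: |
          OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
          echo "RUNNER_OS=$OS" >> $GITHUB_ENV

      # Sets the step output `prerelease`; no later step in this job reads it.
      - name: Check if pre-release
        id: release-version
        shell: bash
        run: |
          # Dots are escaped so only vMAJOR.MINOR.PATCH counts as a final release.
          [[ "${RELEASE_VERSION:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && \
            echo "prerelease=false" >> "$GITHUB_OUTPUT" || \
            echo "prerelease=true" >> "$GITHUB_OUTPUT"

      - name: setup dependencies
        uses: ./.github/actions/spin-ci-dependencies
        with:
          rust: true
          rust-cross: true
          rust-cache: true

      - name: Cargo Build
        run: cross build --target ${{ matrix.config.target }} --release --features openssl/vendored
        env:
          CARGO_INCREMENTAL: "0"
          BUILD_SPIN_EXAMPLES: "0"
          RUSTFLAGS: ${{ matrix.config.rustflags }}

      # NOTE(review): the action ref below was mangled by the page's e-mail
      # obfuscation; restore the real `cosign-installer@<ref>` from the repo.
      - name: Install Cosign for signing Spin binary
        uses: sigstore/[email protected]
        with:
          cosign-release: v2.0.0

      - name: Sign the binary with GitHub OIDC token
        shell: bash
        run: |
          cosign sign-blob \
            --yes \
            --output-certificate crt.pem \
            --output-signature spin.sig \
            target/${{ matrix.config.target }}/release/spin

      - name: package release assets
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE target/${{ matrix.config.target }}/release/spin _dist/
          cd _dist
          tar czf \
            spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
            crt.pem spin.sig README.md LICENSE spin

      - name: upload binary as GitHub artifact
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

  crates:
    name: Publish to crates.io
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: |
      startsWith(github.ref, 'refs/tags/v') &&
      github.repository_owner == 'fermyon'
    # Publishing authenticates with the registry token only; the job needs
    # nothing beyond read access to the checked-out sources.
    permissions:
      contents: read
    steps:
      # Same checkout version as the other jobs in this workflow.
      - uses: actions/checkout@v3

      # The token is supplied through the CARGO_REGISTRY_TOKEN environment
      # variable, which cargo reads itself, so the secret never appears on
      # the command line.
      - name: Publish spin-macro to crates.io
        working-directory: ./sdk/rust/macro
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: |
          cargo publish

      - name: Publish spin-sdk to crates.io
        working-directory: ./sdk/rust
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: |
          cargo publish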