Merge pull request #2934 from fermyon/dependabot/cargo/rustls-0.23.18 #1456
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
- "v[0-9]+.[0-9]+" | |
tags: | |
- "v*" | |
# Serialize workflow runs | |
concurrency: ${{ github.workflow }}-${{ github.ref }} | |
env: | |
RUST_VERSION: 1.79 | |
jobs: | |
build-and-sign: | |
name: build and sign release assets | |
runs-on: ${{ matrix.config.os }} | |
permissions: | |
# cosign uses the GitHub OIDC token | |
id-token: write | |
# needed to upload artifacts to a GH release | |
contents: write | |
strategy: | |
matrix: | |
config: | |
- { | |
os: "ubuntu-20.04", | |
arch: "amd64", | |
extension: "", | |
# Ubuntu 22.04 no longer ships libssl1.1, so we statically | |
# link it here to preserve release binary compatibility. | |
extraArgs: "--features openssl/vendored", | |
target: "", | |
targetDir: "target/release", | |
} | |
- { | |
os: "ubuntu-20.04", | |
arch: "aarch64", | |
extension: "", | |
extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu", | |
target: "aarch64-unknown-linux-gnu", | |
targetDir: "target/aarch64-unknown-linux-gnu/release", | |
} | |
- { | |
os: "macos-13", | |
arch: "amd64", | |
extension: "", | |
extraArgs: "", | |
target: "", | |
targetDir: "target/release", | |
} | |
- { | |
os: "macos-14", | |
arch: "aarch64", | |
extension: "", | |
extraArgs: "", | |
target: "", | |
targetDir: "target/release/", | |
} | |
- { | |
os: "windows-latest", | |
arch: "amd64", | |
extension: ".exe", | |
extraArgs: "", | |
target: "", | |
targetDir: "target/release", | |
} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: set the release version (tag) | |
if: startsWith(github.ref, 'refs/tags/v') | |
shell: bash | |
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: set the release version (main) | |
if: github.ref == 'refs/heads/main' | |
shell: bash | |
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV | |
- name: lowercase the runner OS name | |
shell: bash | |
run: | | |
OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]') | |
echo "RUNNER_OS=$OS" >> $GITHUB_ENV | |
- name: Install Cosign for signing Spin binary | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: v2.2.3 | |
- name: Install Rust toolchain | |
shell: bash | |
run: | | |
rustup toolchain install ${{ env.RUST_VERSION }} --no-self-update | |
rustup default ${{ env.RUST_VERSION }} | |
- name: Install target | |
if: matrix.config.target != '' | |
shell: bash | |
run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }} | |
- name: "Install Wasm Rust target" | |
run: rustup target add wasm32-wasip1 wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }} | |
- name: setup for cross-compiled linux aarch64 build | |
if: matrix.config.target == 'aarch64-unknown-linux-gnu' | |
run: | | |
sudo apt update | |
sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu | |
echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml | |
echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml | |
echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml | |
- name: setup dependencies | |
uses: ./.github/actions/spin-ci-dependencies | |
with: | |
openssl-windows: "${{ matrix.os == 'windows-latest' }}" | |
- name: build release | |
shell: bash | |
run: cargo build --release ${{ matrix.config.extraArgs }} | |
- name: Sign the binary with GitHub OIDC token | |
shell: bash | |
run: | | |
cosign sign-blob \ | |
--yes \ | |
--output-certificate crt.pem \ | |
--output-signature spin.sig \ | |
${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} | |
- name: package release assets | |
if: runner.os != 'Windows' | |
shell: bash | |
run: | | |
mkdir _dist | |
cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/ | |
cd _dist | |
tar czf \ | |
spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \ | |
crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }} | |
- name: package release assets | |
if: runner.os == 'Windows' | |
shell: bash | |
run: | | |
mkdir _dist | |
cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/ | |
cd _dist | |
7z a -tzip \ | |
spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \ | |
crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }} | |
- name: upload binary as GitHub artifact | |
if: runner.os != 'Windows' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: spin-${{ env.RUNNER_OS }}-${{ matrix.config.arch }} | |
path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz | |
- name: upload binary as GitHub artifact | |
if: runner.os == 'Windows' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: spin-${{ env.RUNNER_OS }}-${{ matrix.config.arch }} | |
path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip | |
- name: Configure AWS Credentials | |
if: | | |
runner.os == 'linux' && | |
matrix.config.arch == 'amd64' && | |
github.repository_owner == 'fermyon' && | |
github.ref == 'refs/heads/main' | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }} | |
role-session-name: spin-release-artifacts | |
aws-region: ${{ secrets.AWS_REGION }} | |
- name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }} | |
if: | | |
runner.os == 'linux' && | |
matrix.config.arch == 'amd64' && | |
github.repository_owner == 'fermyon' && | |
github.ref == 'refs/heads/main' | |
run: | | |
aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read | |
checksums: | |
name: generate release checksums | |
runs-on: ubuntu-latest | |
needs: [build-and-sign, build-spin-static] | |
steps: | |
- name: set the release version (tag) | |
if: startsWith(github.ref, 'refs/tags/v') | |
shell: bash | |
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: set the release version (main) | |
if: github.ref == 'refs/heads/main' | |
shell: bash | |
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV | |
- name: download release assets | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: spin-* | |
merge-multiple: true | |
- name: generate checksums | |
run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: spin-checksums | |
path: checksums-${{ env.RELEASE_VERSION }}.txt | |
create-gh-release: | |
name: create GitHub release | |
runs-on: ubuntu-latest | |
needs: checksums | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: download release assets | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: spin-* | |
path: _dist | |
merge-multiple: true | |
- name: check if pre-release | |
shell: bash | |
run: | | |
if [[ ! "${{ github.ref_name }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]] | |
then | |
echo "PRERELEASE=--prerelease" >> "$GITHUB_ENV" | |
fi | |
- name: create GitHub release (canary) | |
if: github.ref == 'refs/heads/main' | |
run: | | |
gh release delete canary --cleanup-tag | |
gh release create canary _dist/* \ | |
--title canary \ | |
--prerelease \ | |
--notes-file - <<- EOF | |
This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**. | |
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented. | |
EOF | |
- name: create GitHub release | |
if: startsWith(github.ref, 'refs/tags/v') | |
run: | | |
gh release create ${{ github.ref_name }} _dist/* \ | |
--title ${{ github.ref_name }} \ | |
--generate-notes ${{ env.PRERELEASE }} | |
push-templates-tag: | |
runs-on: ubuntu-latest | |
needs: build-and-sign | |
if: startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set the tag to spin/templates/v* | |
shell: bash | |
run: | | |
spin_tag=$(echo "${{ github.ref }}" | grep -Eo "v[0-9.]+") | |
IFS=. read -r major minor patch <<< "${spin_tag}" | |
echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> $GITHUB_ENV | |
- name: Tag spin/templates/v* and push it | |
shell: bash | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
git tag ${{ env.TEMPLATE_TAG }} -f | |
git push origin ${{ env.TEMPLATE_TAG }} -f | |
## statically linked spin binaries | |
build-spin-static: | |
name: Build Spin static | |
runs-on: ubuntu-20.04 | |
permissions: | |
# cosign uses the GitHub OIDC token | |
id-token: write | |
# needed to upload artifacts to a GH release | |
contents: write | |
strategy: | |
matrix: | |
config: | |
- { | |
arch: "aarch64", | |
target: "aarch64-unknown-linux-musl" | |
} | |
- { | |
arch: "amd64", | |
target: "x86_64-unknown-linux-musl" | |
} | |
steps: | |
- uses: actions/checkout@v3 | |
- name: set the release version (tag) | |
if: startsWith(github.ref, 'refs/tags/v') | |
shell: bash | |
run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV | |
- name: set the release version (main) | |
if: github.ref == 'refs/heads/main' | |
shell: bash | |
run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV | |
- name: lowercase the runner OS name | |
shell: bash | |
run: | | |
OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]') | |
echo "RUNNER_OS=$OS" >> $GITHUB_ENV | |
- name: Check if pre-release | |
id: release-version | |
shell: bash | |
run: | | |
[[ "${{ env.RELEASE_VERSION }}" =~ ^v[0-9]+.[0-9]+.[0-9]+$ ]] && \ | |
echo "prerelease=false" >> "$GITHUB_OUTPUT" || \ | |
echo "prerelease=true" >> "$GITHUB_OUTPUT" | |
- name: setup dependencies | |
uses: ./.github/actions/spin-ci-dependencies | |
with: | |
rust: true | |
rust-cross: true | |
rust-cache: true | |
- name: Cargo Build | |
run: cross build --target ${{ matrix.config.target }} --release --features openssl/vendored | |
env: | |
CARGO_INCREMENTAL: 0 | |
BUILD_SPIN_EXAMPLES: 0 | |
- name: Install Cosign for signing Spin binary | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: v2.2.3 | |
- name: Sign the binary with GitHub OIDC token | |
shell: bash | |
run: | | |
cosign sign-blob \ | |
--yes \ | |
--output-certificate crt.pem \ | |
--output-signature spin.sig \ | |
target/${{ matrix.config.target }}/release/spin | |
- name: package release assets | |
shell: bash | |
run: | | |
mkdir _dist | |
cp crt.pem spin.sig README.md LICENSE target/${{ matrix.config.target }}/release/spin _dist/ | |
cd _dist | |
tar czf \ | |
spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \ | |
crt.pem spin.sig README.md LICENSE spin | |
- name: upload binary as GitHub artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: spin-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }} | |
path: _dist/spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz | |
dispatch-homebrew-tap: | |
name: Dispatch spin-release event to fermyon/homebrew-tap | |
needs: create-gh-release | |
runs-on: ubuntu-latest | |
if: github.repository_owner == 'fermyon' && startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- name: Repository Dispatch | |
uses: peter-evans/repository-dispatch@v3 | |
with: | |
token: ${{ secrets.DEST_REPO_ACCESS_TOKEN }} | |
repository: fermyon/homebrew-tap | |
event-type: spin-release | |
client-payload: '{"version": "${{ github.ref_name }}"}' | |
docker: | |
runs-on: "ubuntu-20.04" | |
needs: [build-and-sign, build-spin-static] | |
# Only build/push Docker images if this is a v* tag or if this is main/canary | |
# i.e. skip for v* release branches | |
if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' | |
permissions: | |
contents: read | |
packages: write | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: ${{ github.repository }} | |
strategy: | |
matrix: | |
config: | |
- { dockerfile: "Dockerfile", tag-suffix: "" } | |
- { dockerfile: "distroless.Dockerfile", tag-suffix: "-distroless" } | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Setup version info | |
id: version | |
run: | | |
if [[ "${{ startsWith(github.ref, 'refs/tags/v') }}" == "true" ]]; then | |
echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT | |
else | |
echo "version=canary" >> $GITHUB_OUTPUT | |
fi | |
- name: download release assets | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: spin-* | |
merge-multiple: true | |
- name: extract binaries | |
shell: bash | |
run: | | |
if [[ "${{ matrix.config.tag-suffix }}" == "-distroless" ]]; then | |
static="-static" | |
fi | |
tar xvf spin-${{ steps.version.outputs.version }}${static}-linux-amd64.tar.gz | |
mv spin spin${static}-linux-amd64 | |
tar xvf spin-${{ steps.version.outputs.version }}${static}-linux-aarch64.tar.gz | |
# Note: here we s/aarch64/arm64 to conform to Docker's TARGETARCH standards | |
mv spin spin${static}-linux-arm64 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Log into registry ${{ env.REGISTRY }} | |
uses: docker/login-action@v3 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract Docker metadata | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
- name: Build and Push | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: .github/${{ matrix.config.dockerfile }} | |
push: true | |
labels: ${{ steps.meta.outputs.labels }} | |
annotations: ${{ steps.meta.outputs.annotations }} | |
platforms: linux/amd64,linux/arm64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
tags: | | |
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}${{ matrix.config.tag-suffix }} |