Merge pull request #2678 from devigned/az-key-vault #1338
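name: Release

# Runs on pushes to main, to branches matching the version pattern below,
# and to tags starting with "v".
on:
  push:
    branches:
      - main
      - "v[0-9]+.[0-9]+"
    tags:
      - "v*"

# Serialize workflow runs
concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  # Quoted so YAML keeps the toolchain version a string. Unquoted, a version
  # such as 1.80 would be read as the float 1.8 and rustup would be asked for
  # the wrong toolchain.
  RUST_VERSION: "1.76"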
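# Release pipeline: build and sign the binaries, checksum them, publish a
# GitHub release, move the templates tag and notify the Homebrew tap.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (for example `@v3`). For a workflow that signs and publishes release
# binaries, pin each `uses:` to a full commit SHA (`owner/action@<COMMIT_SHA>`)
# so a retagged action cannot change what runs with the OIDC token.
jobs:
  build-and-sign:
    name: build and sign release assets
    runs-on: ${{ matrix.config.os }}
    permissions:
      # cosign uses the GitHub OIDC token
      # (the AWS role assumption further down presumably relies on it too)
      id-token: write
      # needed to upload artifacts to a GH release
      # NOTE(review): no step visible in this job writes to the repository or
      # to a release; the release is created by `create-gh-release`. Confirm
      # the local spin-ci-dependencies action does not need write access, then
      # lower this to `contents: read`.
      contents: write
    strategy:
      matrix:
        config:
          - os: "ubuntu-20.04"
            arch: "amd64"
            extension: ""
            # Ubuntu 22.04 no longer ships libssl1.1, so we statically
            # link it here to preserve release binary compatibility.
            extraArgs: "--features openssl/vendored"
            target: ""
            targetDir: "target/release"
          - os: "ubuntu-20.04"
            arch: "aarch64"
            extension: ""
            extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu"
            target: "aarch64-unknown-linux-gnu"
            targetDir: "target/aarch64-unknown-linux-gnu/release"
          - os: "macos-13"
            arch: "amd64"
            extension: ""
            extraArgs: ""
            target: ""
            targetDir: "target/release"
          - os: "macos-14"
            arch: "aarch64"
            extension: ""
            extraArgs: ""
            target: ""
            targetDir: "target/release/"
          - os: "windows-latest"
            arch: "amd64"
            extension: ".exe"
            extraArgs: ""
            target: ""
            targetDir: "target/release"
    steps:
      - uses: actions/checkout@v3

      # RELEASE_VERSION is the pushed tag name (or "canary" on main). It is
      # written with a shell parameter expansion, not a ${{ }} expression.
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: lowercase the runner OS name
        shell: bash
        run: |
          OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
          echo "RUNNER_OS=$OS" >> $GITHUB_ENV

      # NOTE(review): the action ref on the next line was mangled by e-mail
      # obfuscation in this rendering ("[email protected]"). Restore the real
      # `sigstore/cosign-installer@<REF>` from the repository, ideally as a
      # full commit SHA.
      - name: Install Cosign for signing Spin binary
        uses: sigstore/[email protected]
        with:
          cosign-release: v2.2.3

      - name: Install Rust toolchain
        shell: bash
        run: |
          rustup toolchain install ${{ env.RUST_VERSION }} --no-self-update
          rustup default ${{ env.RUST_VERSION }}

      - name: Install target
        if: matrix.config.target != ''
        shell: bash
        run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }}

      - name: "Install Wasm Rust target"
        run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }}

      - name: setup for cross-compiled linux aarch64 build
        if: matrix.config.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt update
          sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
          echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml
          echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml
          echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml

      - name: setup dependencies
        uses: ./.github/actions/spin-ci-dependencies
        with:
          # The matrix only defines `config`, so the runner image is
          # `matrix.config.os`. The previous `matrix.os` is undefined and made
          # this input "false" on every leg, Windows included.
          openssl-windows: "${{ matrix.config.os == 'windows-latest' }}"

      - name: build release
        shell: bash
        run: cargo build --release ${{ matrix.config.extraArgs }}

      # Keyless signing: writes the signing certificate (crt.pem) and the
      # signature (spin.sig) for the built binary. Only the binary is signed,
      # not the archive built from it. Verifiers should run
      # `cosign verify-blob` and pin both the expected certificate identity
      # and the OIDC issuer.
      - name: Sign the binary with GitHub OIDC token
        shell: bash
        run: |
          cosign sign-blob \
            --yes \
            --output-certificate crt.pem \
            --output-signature spin.sig \
            ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }}

      # RELEASE_VERSION comes from the pushed tag name, so the scripts read it
      # as a shell variable instead of pasting it into the script text with
      # ${{ }}. The matrix values and env.RUNNER_OS are set by this workflow.
      - name: package release assets
        if: runner.os != 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          tar czf \
            "spin-${RELEASE_VERSION}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz" \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      - name: package release assets
        if: runner.os == 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          7z a -tzip \
            "spin-${RELEASE_VERSION}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip" \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      # Every matrix leg uploads into the same artifact named "spin".
      - name: upload binary as GitHub artifact
        if: runner.os != 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

      - name: upload binary as GitHub artifact
        if: runner.os == 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip

      # The canary upload runs only for the linux/amd64 leg, on main, in the
      # fermyon organisation. The owner check keeps forks from attempting it.
      - name: Configure AWS Credentials
        if: |
          runner.os == 'linux' &&
          matrix.config.arch == 'amd64' &&
          github.repository_owner == 'fermyon' &&
          github.ref == 'refs/heads/main'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}
          role-session-name: spin-release-artifacts
          aws-region: ${{ secrets.AWS_REGION }}

      # `--acl public-read` makes the uploaded object world-readable.
      # NOTE(review): presumably intentional for public canary downloads;
      # confirm the assumed role can write only to this bucket.
      - name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }}
        if: |
          runner.os == 'linux' &&
          matrix.config.arch == 'amd64' &&
          github.repository_owner == 'fermyon' &&
          github.ref == 'refs/heads/main'
        run: |
          aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read

  checksums:
    name: generate release checksums
    runs-on: ubuntu-latest
    needs: [build-and-sign, build-spin-static]
    # This job only moves artifacts around; it never writes to the repository.
    permissions:
      contents: read
    steps:
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin

      # The checksum file is not signed by this workflow. It detects
      # corruption; authenticity rests on the cosign signature and
      # certificate packed inside each archive.
      - name: generate checksums
        run: sha256sum * > "checksums-${RELEASE_VERSION}.txt"

      - uses: actions/upload-artifact@v3
        with:
          name: spin
          path: checksums-${{ env.RELEASE_VERSION }}.txt

  create-gh-release:
    name: create GitHub release
    runs-on: ubuntu-latest
    needs: checksums
    # Explicit token scope: creating and deleting releases (and the canary
    # tag) needs write access to repository contents and nothing else.
    permissions:
      contents: write
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v3

      - name: download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin
          path: _dist

      # The ref name is chosen by whoever pushes the tag, so it reaches the
      # script through an environment variable rather than a ${{ }}
      # expression pasted into the script text. The dots are escaped so only
      # a literal vX.Y.Z counts as a stable release.
      - name: check if pre-release
        shell: bash
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [[ ! "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]
          then
            echo "PRERELEASE=--prerelease" >> "$GITHUB_ENV"
          fi

      # The canary release is deleted and recreated on every push to main.
      - name: create GitHub release (canary)
        if: github.ref == 'refs/heads/main'
        run: |
          gh release delete canary --cleanup-tag
          gh release create canary _dist/* \
            --title canary \
            --prerelease \
            --notes-file - <<- EOF
          This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**.
          It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.
          EOF

      - name: create GitHub release
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          REF_NAME: ${{ github.ref_name }}
        # $PRERELEASE is left unquoted on purpose: when it is unset it must
        # expand to no argument at all.
        run: |
          gh release create "$REF_NAME" _dist/* \
            --title "$REF_NAME" \
            --generate-notes $PRERELEASE

  push-templates-tag:
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: startsWith(github.ref, 'refs/tags/v')
    # Pushing the templates tag needs write access to repository contents.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3

      # Reads the ref from the runner-provided GITHUB_REF variable instead of
      # interpolating ${{ github.ref }} into the script. `patch` is unused but
      # must stay: without it `minor` would absorb the rest of the version.
      - name: Set the tag to spin/templates/v*
        shell: bash
        run: |
          spin_tag=$(echo "$GITHUB_REF" | grep -Eo "v[0-9.]+")
          IFS=. read -r major minor patch <<< "${spin_tag}"
          echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> "$GITHUB_ENV"

      # -f moves the existing spin/templates/vX.Y tag to this release.
      - name: Tag spin/templates/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git tag "$TEMPLATE_TAG" -f
          git push origin "$TEMPLATE_TAG" -f

  ## statically linked spin binaries
  build-spin-static:
    name: Build Spin static
    runs-on: ubuntu-20.04
    permissions:
      # cosign uses the GitHub OIDC token
      id-token: write
      # needed to upload artifacts to a GH release
      # NOTE(review): as in build-and-sign, no step visible here writes to the
      # repository; confirm and lower to `contents: read`.
      contents: write
    strategy:
      matrix:
        config:
          - arch: "aarch64"
            target: "aarch64-unknown-linux-musl"
          - arch: "amd64"
            target: "x86_64-unknown-linux-musl"
    steps:
      - uses: actions/checkout@v3

      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: lowercase the runner OS name
        shell: bash
        run: |
          OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
          echo "RUNNER_OS=$OS" >> $GITHUB_ENV

      # RELEASE_VERSION is derived from the tag name, so it is read as a shell
      # variable. The dots are escaped so only a literal vX.Y.Z is treated as
      # a stable release.
      - name: Check if pre-release
        id: release-version
        shell: bash
        run: |
          [[ "$RELEASE_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && \
            echo "prerelease=false" >> "$GITHUB_OUTPUT" || \
            echo "prerelease=true" >> "$GITHUB_OUTPUT"

      - name: setup dependencies
        uses: ./.github/actions/spin-ci-dependencies
        with:
          rust: true
          rust-cross: true
          rust-cache: true

      - name: Cargo Build
        run: cross build --target ${{ matrix.config.target }} --release --features openssl/vendored
        env:
          CARGO_INCREMENTAL: 0
          BUILD_SPIN_EXAMPLES: 0

      # NOTE(review): the action ref on the next line was mangled by e-mail
      # obfuscation in this rendering ("[email protected]"). Restore the real
      # `sigstore/cosign-installer@<REF>` from the repository, ideally as a
      # full commit SHA.
      - name: Install Cosign for signing Spin binary
        uses: sigstore/[email protected]
        with:
          cosign-release: v2.2.3

      # Keyless signing of the static binary; writes crt.pem and spin.sig.
      - name: Sign the binary with GitHub OIDC token
        shell: bash
        run: |
          cosign sign-blob \
            --yes \
            --output-certificate crt.pem \
            --output-signature spin.sig \
            target/${{ matrix.config.target }}/release/spin

      - name: package release assets
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE target/${{ matrix.config.target }}/release/spin _dist/
          cd _dist
          tar czf \
            "spin-${RELEASE_VERSION}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz" \
            crt.pem spin.sig README.md LICENSE spin

      - name: upload binary as GitHub artifact
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-static-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

  dispatch-homebrew-tap:
    name: Dispatch spin-release event to fermyon/homebrew-tap
    needs: create-gh-release
    runs-on: ubuntu-latest
    if: github.repository_owner == 'fermyon' && startsWith(github.ref, 'refs/tags/v')
    # The dispatch authenticates with its own token secret, so the workflow's
    # GITHUB_TOKEN needs no write scope here.
    permissions:
      contents: read
    steps:
      - name: Repository Dispatch
        uses: peter-evans/repository-dispatch@v3
        with:
          # NOTE(review): scope this token to dispatching events on
          # fermyon/homebrew-tap only.
          token: ${{ secrets.DEST_REPO_ACCESS_TOKEN }}
          repository: fermyon/homebrew-tap
          event-type: spin-release
          # toJSON emits the tag name as a correctly escaped JSON string, so
          # an unusual tag name cannot break or reshape the payload.
          client-payload: '{"version": ${{ toJSON(github.ref_name) }}}'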