Merge pull request #987 from jvanz/main #192

Workflow file for this run

	name: kwctl build
	on:
	workflow_call:
	push:
	branches:
	- "main"
	- "feat-**"

	env:
	CARGO_TERM_COLOR: always

	jobs:
	build-linux-binaries:
	name: Build linux binaries
	runs-on: ubuntu-latest
	strategy:
	matrix:
	targetarch:
	- aarch64
	- x86_64
	permissions:
	id-token: write
	attestations: write
	steps:
	- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: setup rust toolchain
	uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
	with:
	toolchain: stable
	target: ${{matrix.targetarch}}-unknown-linux-musl
	override: true

	- uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
	with:
	use-cross: true
	command: build
	args: --release --target ${{matrix.targetarch}}-unknown-linux-musl

	- run: mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }}

	- name: Smoke test build
	if: matrix.targetarch == 'x86_64'
	run: ./kwctl-linux-x86_64 --help

	- name: Generate attestations
	uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
	id: attestations
	with:
	subject-path: kwctl-linux-${{ matrix.targetarch }}

	- name: Sign kwctl
	run: \|
	cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig

	- run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem

	- name: Upload binary
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: kwctl-linux-${{ matrix.targetarch }}
	path: kwctl-linux-${{ matrix.targetarch }}.zip

	- name: Install the syft command
	uses: kubewarden/github-actions/syft-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5

	- name: Create SBOM file
	shell: bash
	run: \|
	syft \
	--file kwctl-linux-${{ matrix.targetarch }}-sbom.spdx \
	--output spdx-json \
	--source-name kwctl-linux-${{ matrix.targetarch }} \
	--source-version ${{ github.sha }} \
	-vv \
	dir:. # use dir default catalogers, which includes Cargo.toml

	- name: Sign SBOM file
	run: \|
	cosign sign-blob --yes \
	--output-certificate kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert \
	--output-signature kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig \
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx

	- name: Upload kwctl SBOM files
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: kwctl-linux-${{ matrix.targetarch }}-sbom
	path: \|
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig

	- name: Upload kwctl air gap scripts
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	if: matrix.targetarch == 'x86_64' # only upload the scripts once
	with:
	name: kwctl-airgap-scripts
	path: \|
	scripts/kubewarden-load-policies.sh
	scripts/kubewarden-save-policies.sh

	build-darwin-binaries:
	name: Build darwin binary
	strategy:
	matrix:
	targetarch: ["aarch64", "x86_64"]
	runs-on: macos-latest
	permissions:
	id-token: write
	attestations: write
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: Setup rust toolchain
	uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
	with:
	toolchain: stable
	target: ${{ matrix.targetarch }}-apple-darwin
	override: true

	- run: rustup target add ${{ matrix.targetarch }}-apple-darwin

	- name: Build kwctl
	uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
	with:
	command: build
	args: --target=${{ matrix.targetarch }}-apple-darwin --release

	- run: mv target/${{ matrix.targetarch }}-apple-darwin/release/kwctl kwctl-darwin-${{ matrix.targetarch }}

	- name: Smoke test build
	if: matrix.targetarch == 'x86_64'
	run: ./kwctl-darwin-x86_64 --help

	- name: Generate attestations
	uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
	id: attestations
	with:
	subject-path: kwctl-darwin-${{ matrix.targetarch }}

	- name: Sign kwctl
	run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig

	- run: zip -j9 kwctl-darwin-${{ matrix.targetarch }}.zip kwctl-darwin-${{ matrix.targetarch }} kwctl-darwin-${{ matrix.targetarch }}.sig kwctl-darwin-${{ matrix.targetarch }}.pem

	- name: Upload binary
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: kwctl-darwin-${{ matrix.targetarch }}
	path: kwctl-darwin-${{ matrix.targetarch }}.zip

	- name: Install the syft command
	uses: kubewarden/github-actions/syft-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
	with:
	arch: darwin_amd64

	- name: Create SBOM file
	shell: bash
	run: \|
	syft \
	--file kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx \
	--output spdx-json \
	--source-name kwctl-darwin-${{ matrix.targetarch }} \
	--source-version ${{ github.sha }} \
	-vv \
	dir:. # use dir default catalogers, which includes Cargo.toml

	- name: Sign SBOM file
	run: \|
	cosign sign-blob --yes \
	--output-certificate kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert \
	--output-signature kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig \
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx

	- name: Upload kwctl SBOM files
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: kwctl-darwin-${{ matrix.targetarch }}-sbom
	path: \|
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig

	build-windows-x86_64:
	name: Build windows (x86_64) binary
	strategy:
	matrix:
	# workaround to have the same GH UI for all jobs
	targetarch: ["x86_64"]
	os: ["windows-latest"]
	runs-on: ${{ matrix.os }}
	permissions:
	id-token: write
	attestations: write
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: Setup rust toolchain
	uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
	with:
	toolchain: stable
	- run: rustup target add x86_64-pc-windows-msvc

	- name: enable git long paths on Windows
	if: matrix.os == 'windows-latest'
	run: git config --global core.longpaths true

	- name: Build kwctl
	uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
	with:
	command: build
	args: --target=x86_64-pc-windows-msvc --release

	- run: mv target/x86_64-pc-windows-msvc/release/kwctl.exe kwctl-windows-x86_64.exe

	- name: Smoke test build
	run: .\kwctl-windows-x86_64.exe --help

	- name: Generate attestations
	uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
	id: attestations
	with:
	subject-path: kwctl-windows-${{ matrix.targetarch }}.exe

	- name: Sign kwctl
	run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig

	- run: \|
	"/c/Program Files/7-Zip/7z.exe" a kwctl-windows-x86_64.exe.zip kwctl-windows-x86_64.exe kwctl-windows-x86_64.sig kwctl-windows-x86_64.pem
	shell: bash

	- name: Upload binary
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: kwctl-windows-x86_64
	path: kwctl-windows-x86_64.exe.zip

	- name: Install the syft command
	uses: kubewarden/github-actions/syft-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
	with:
	arch: windows_amd64

	- name: Create SBOM file
	shell: bash
	run: \|
	syft \
	--file kwctl-windows-x86_64-sbom.spdx \
	--output spdx-json \
	--source-name kwctl-windows-x86_64 \
	--source-version ${{ github.sha }} \
	-vv \
	dir:. # use dir default catalogers, which includes Cargo.toml

	- name: Sign SBOM file
	shell: bash
	run: \|
	cosign sign-blob --yes \
	--output-certificate kwctl-windows-x86_64-sbom.spdx.cert \
	--output-signature kwctl-windows-x86_64-sbom.spdx.sig \
	kwctl-windows-x86_64-sbom.spdx

	- name: Upload kwctl SBOM files
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: kwctl-windows-x86_64-sbom
	path: \|
	kwctl-windows-x86_64-sbom.spdx
	kwctl-windows-x86_64-sbom.spdx.cert
	kwctl-windows-x86_64-sbom.spdx.sig

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #987 from jvanz/main #192

Workflow file

Merge pull request #987 from jvanz/main #192

Jobs

Run details

Workflow file for this run