ci(*): remove signing from the build CI
this commit removes signing from the build CI as the release
pipeline will now handle signing of the binaries downloaded
using actions/download-artifact.

the biggest change is that the parse script is rewritten to
be able to output all the necessary variables such as
`runtime`, `dry_run` and more.

the action-sign workflow is also modified to take an extra
`path` input to replace the hard-coded `dist/bin` path

Signed-off-by: jiaxiao zhou <jiazho@microsoft.com>
Mossaka committed Apr 17, 2024
1 parent 8e154f9 commit 0f3fe7c
Showing 5 changed files with 58 additions and 62 deletions.
11 changes: 1 addition & 10 deletions .github/workflows/action-build.yml
Expand Up @@ -22,12 +22,9 @@ on:
arch:
required: false
type: string
sign:
default: false
type: boolean

jobs:
build-sign-upload:
build-upload:
permissions:
id-token: write
name: build for ${{ inputs.slug }}
Expand Down Expand Up @@ -60,12 +57,6 @@ jobs:
run: |
make test-${{ inputs.runtime }}
if: ${{ inputs.arch == 'x86_64' }}
- name: Sign the binary
if: ${{ inputs.runtime != 'common' && inputs.slug != 'windows' && inputs.sign }}
uses: ./.github/workflows/action-sign.yml
with:
runtime: ${{ inputs.runtime }}
os: ${{ inputs.os }}
- name: Package artifacts
if: ${{ inputs.runtime != 'common' }}
shell: bash
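Review bot: The `permissions:` / `id-token: write` grant on the renamed `build-upload` job (the two lines directly under the job id) is no longer used by anything visible in this diff, since the cosign step that consumed the OIDC token is removed here and signing moves to the release pipeline. Keeping `id-token: write` on a job that no longer signs lets any compromised build or test step mint an OIDC token for this workflow's identity, so it should be dropped unless another step outside this hunk still needs it; the release job that now calls action-sign.yml is where that grant belongs. Proposed change: delete `permissions:` and `id-token: write` from `build-upload`. The job's remaining steps continue past the end of the second hunk.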
19 changes: 10 additions & 9 deletions .github/workflows/action-sign.yml
Expand Up @@ -8,14 +8,15 @@ on:
runtime:
required: true
type: string
os:
path:
required: true
type: string
jobs:
sign:
name: Sign the binaries on ${{ inputs.os }}
runs-on: ${{ inputs.os }}
name: Sign the binaries
runs-on: "ubuntu-latest"
steps:
- uses: actions/checkout@v4
- name: Setup cosign for signing
uses: sigstore/cosign-installer@v3.3.0
with:
Expand All @@ -24,29 +25,29 @@ jobs:
run: |
make dist-${{ inputs.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
if stat ${{ inputs.path }}/* >/dev/null 2>&1; then
echo "::notice::Signing the binary"
cosign sign-blob --yes \
--output-signature containerd-shim-${{ inputs.runtime }}-v1.sig \
--output-certificate containerd-shim-${{ inputs.runtime }}-v1.pem \
--bundle containerd-shim-${{ inputs.runtime }}-v1.bundle \
dist/bin/containerd-shim-${{ inputs.runtime }}-v1
${{ inputs.path }}/containerd-shim-${{ inputs.runtime }}-v1
cosign sign-blob --yes \
--output-signature containerd-shim-${{ inputs.runtime }}d-v1.sig \
--output-certificate containerd-shim-${{ inputs.runtime }}d-v1.pem \
--bundle containerd-shim-${{ inputs.runtime }}d-v1.bundle \
dist/bin/containerd-shim-${{ inputs.runtime }}d-v1
${{ inputs.path }}/containerd-shim-${{ inputs.runtime }}d-v1
cosign sign-blob --yes \
--output-signature containerd-${{ inputs.runtime }}d.sig \
--output-certificate containerd-${{ inputs.runtime }}d.pem \
--bundle containerd-${{ inputs.runtime }}d.bundle \
dist/bin/containerd-${{ inputs.runtime }}d
${{ inputs.path }}/containerd-${{ inputs.runtime }}d
# Copy the certs to the dist/bin folder
cp *.sig dist/bin/
cp *.pem dist/bin/
cp *.sig ${{ inputs.path }}/
cp *.pem ${{ inputs.path }}/
else
echo "::warning::No files to sign"
fi
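Review bot: The new `path` input is expanded directly into the shell script text (`stat ${{ inputs.path }}/*`, the three `cosign sign-blob` targets and the two `cp` lines), so a value containing whitespace or shell metacharacters is interpreted by bash instead of being treated as a path; `runtime` has the same exposure on the `make dist-` line. The usual hardening for `run:` steps is to pass expressions through `env:` and reference them as quoted shell variables, which is mechanical here and keeps the script correct for any path value; the callers in this commit pass literals, so exposure today is limited, but the pattern is worth fixing while the input is being introduced. Separately, `make dist-${{ inputs.runtime }}` still runs before signing even though the release job now hands over already-built binaries via `path`; if the intent is to sign the downloaded artifacts as-is, that rebuild looks redundant and could produce a different binary than the one uploaded — worth confirming. The step's `- name:` line and the rest of the job are outside this hunk.

```yaml
# … unchanged: step header and the cosign-installer setup step above …
env:
  SIGN_PATH: "${{ inputs.path }}"
  RUNTIME: "${{ inputs.runtime }}"
run: |
  make "dist-${RUNTIME}"
  # Check if there's any files to archive as tar fails otherwise
  if stat "${SIGN_PATH}"/* >/dev/null 2>&1; then
    echo "::notice::Signing the binary"
    cosign sign-blob --yes \
      --output-signature "containerd-shim-${RUNTIME}-v1.sig" \
      --output-certificate "containerd-shim-${RUNTIME}-v1.pem" \
      --bundle "containerd-shim-${RUNTIME}-v1.bundle" \
      "${SIGN_PATH}/containerd-shim-${RUNTIME}-v1"
    # … same substitution for the containerd-shim-${RUNTIME}d-v1 and containerd-${RUNTIME}d blobs …
    cp *.sig "${SIGN_PATH}/"
    cp *.pem "${SIGN_PATH}/"
  else
    echo "::warning::No files to sign"
  fi
```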
34 changes: 11 additions & 23 deletions .github/workflows/publish.yml
Expand Up @@ -15,9 +15,10 @@ jobs:
push_tag: ${{ steps.tag.outputs.push_tag }}
dry_run: ${{ steps.parse.outputs.dry_run }}
crate: ${{ steps.parse.outputs.crate }}
runtime: ${{ steps.parse.outputs.runtime }}
version: ${{ steps.parse.outputs.version }}
is_binary: ${{ steps.parse_crate.outputs.is_binary }}
is_crate: ${{ steps.parse_crate.outputs.is_crate }}
is_binary: ${{ steps.parse.outputs.is_binary }}
is_crate: ${{ steps.parse.outputs.is_crate }}
steps:
- uses: actions/checkout@v4
with:
Expand All @@ -39,27 +40,7 @@ jobs:
id: parse
if: steps.tag.outputs.push_tag == 'yes'
run: |
dry_run=false
crate=$(grep 'Release ' main.log | sed 's/.*Release \([a-zA-Z0-9_-]*\).*/\1/')
version=$(grep 'Release ' main.log | sed 's/.* v\(.*\)/\1/')
if grep -q '\[dry-run\]' main.log; then
dry_run=true
fi
echo "dry_run: $dry_run"
echo "crate: $crate"
echo "version: $version"
echo "dry_run=$dry_run" >> $GITHUB_OUTPUT
echo "crate=$crate" >> $GITHUB_OUTPUT
echo "version=$version" >> $GITHUB_OUTPUT
- name: parse crate
id: parse_crate
if: steps.tag.outputs.push_tag == 'yes'
run: |
./scripts/parse-crate.sh ${{ steps.parse.outputs.crate }} >> $GITHUB_OUTPUT
./scripts/parse-crate.sh main.log >> $GITHUB_OUTPUT
release:
runs-on: "ubuntu-latest"
needs: parse
Expand All @@ -72,6 +53,13 @@ jobs:
uses: actions/download-artifact@master
with:
path: release

- name: Sign
if: needs.parse.outputs.is_binary == 'true'
uses: ./.github/workflows/action-sign.yml
with:
path: release
runtime: ${{ needs.parse.outputs.runtime }}

- name: Cargo publish
if: needs.parse.outputs.is_crate == 'true'
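Review bot: The new `Sign` step invokes `./.github/workflows/action-sign.yml` with a step-level `uses:`, but that file is a reusable workflow (it has `on:`, `jobs:` and `runs-on:` in this same commit), and reusable workflows can only be called at the job level (`jobs.<id>.uses`); a step-level `uses:` pointing at a workflow file is resolved as a local action and fails when the job starts because no `action.yml` is found there. The removed `Sign the binary` step in action-build.yml had the same shape, so it may never have executed, which the `sign: false` default would have masked. Converting action-sign.yml to a composite action (`runs: using: composite`) would let it remain a step with access to the `release` directory populated by `download-artifact` in this job; making it a job-level `uses:` instead would require the sign job to download the artifact itself, since a separate job runs on a fresh runner. On the context line above, `actions/download-artifact@master` is a mutable ref; pinning to a release tag or commit SHA is the usual supply-chain control. The `release` job continues past the end of this hunk.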
21 changes: 5 additions & 16 deletions .github/workflows/release.yml
Expand Up @@ -45,24 +45,13 @@ jobs:
echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main"
exit 1
- uses: actions/checkout@v4
- name: substring runtime
id: runtime_sub
uses: actions/github-script@v7
with:
script: |
const crate = '${{ inputs.crate }}';
const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
if non_shim_crates.includes(runtime) {
core.setOutput('runtime', 'common');
core.setOutput('is_shim', false)
} else {
const runtime = crate.replace(/^containerd-shim-/, '');
core.setOutput('runtime', runtime);
core.setOutput('is_shim', true);
}
- name: parse crate
id: parse_crate
run: |
./scripts/parse-crate.sh ${{ steps.parse.outputs.crate }} >> $GITHUB_OUTPUT
### If we are releasing a crate rather than producing a bin, check for crates.io access
- name: Check crates.io ownership
if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }}
if: steps.parse_crate.outputs.is_crate == 'true'
run: |
cargo owner --list ${{ inputs.crate }} | grep github:containerd:runwasi-committers || \
cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }}
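Review bot: The new `parse crate` step runs `./scripts/parse-crate.sh ${{ steps.parse.outputs.crate }}`, but the rewritten script in this same commit takes a path to `main.log` as its only argument (its usage line is `Usage: $0 <path-to-main.log>` and it greps `"$log_file"`), so it is handed a crate name where a file path is expected; grep fails on the nonexistent file, `crate` and `runtime` come out empty and `is_crate` stays `false`, which silently skips the `Check crates.io ownership` step that now depends on `is_crate == 'true'`. No `parse` step is visible in this hunk to provide `steps.parse.outputs.crate` — the rest of this workflow uses `inputs.crate` directly, as the `cargo owner` lines do — so unless one exists above the hunk the expression expands to an empty string as well. Either this workflow needs to produce a log line the script can parse, or the script should accept the crate name as an alternative input, e.g. a second mode selected when the argument is not a readable file, so that `inputs.crate` can be passed straight through. The enclosing job starts and ends outside this hunk.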
35 changes: 31 additions & 4 deletions scripts/parse-crate.sh
@@ -1,6 +1,20 @@
#!/bin/bash

crate_name=$1
if [ -z "$1" ]; then
echo "Usage: $0 <path-to-main.log>"
exit 1
fi

log_file="$1"

# extract crate and version from log file
dry_run=false
crate=$(grep 'Release ' "$log_file" | sed 's/.*Release \([a-zA-Z0-9_-]*\).*/\1/')
version=$(grep 'Release ' "$log_file" | sed 's/.* v\(.*\)/\1/')
if grep -q '\[dry-run\]' "$log_file"; then
dry_run=true
fi

is_binary="false"
is_crate="false"

Expand All @@ -20,14 +34,27 @@ declare -A crate_map=(
)

# Check and assign based on the binary_map
if [[ "${binary_map[$crate_name]}" == "true" ]]; then
if [[ "${binary_map[$crate]}" == "true" ]]; then
is_binary="true"
fi

# Check and assign based on the crate_map
if [[ "${crate_map[$crate_name]}" == "true" ]]; then
if [[ "${crate_map[$crate]}" == "true" ]]; then
is_crate="true"
fi

# Runtime logic
declare -a non_shim_crates=("containerd-shim-wasm" "containerd-shim-wasm-test-modules" "oci-tar-builder")
runtime=""

if printf '%s\n' "${non_shim_crates[@]}" | grep -q "^$crate$"; then
runtime="common"
else
runtime="${crate#containerd-shim-}"
fi
echo "dry_run=$dry_run"
echo "crate=$crate"
echo "version=$version"
echo "is_binary=$is_binary"
echo "is_crate=$is_crate"
echo "is_crate=$is_crate"
echo "runtime=$runtime"
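Review bot: The argument handling added in the first hunk only checks that `$1` is non-empty; a missing or unreadable `$log_file`, or a log with no `Release <crate> v<version>` line, makes both `grep` calls fail quietly and the script still prints `crate=`, `version=` and `runtime=` with empty values, which the calling workflows then consume via `$GITHUB_OUTPUT` as if parsing had succeeded. Add an explicit check after the assignment, `[ -r "$log_file" ] || { echo "error: cannot read $log_file" >&2; exit 1; }`, and after `crate=` is computed, `[ -n "$crate" ] || { echo "error: no 'Release <crate> v<version>' line in $log_file" >&2; exit 1; }`. Because the `version=` capture is `.*` after ` v` and the output is appended to `$GITHUB_OUTPUT` as `key=value` lines, a log with more than one `Release ` line yields multi-line values and a malformed output file; using `grep -m1` for both extractions limits each to the first match. The `grep -q "^$crate$"` test against `non_shim_crates` is safe as written because `sed` has already restricted `crate` to `[a-zA-Z0-9_-]`.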
