diff --git a/.github/workflows/action-build.yml b/.github/workflows/action-build.yml
index 566ef1348..159952ef4 100644
--- a/.github/workflows/action-build.yml
+++ b/.github/workflows/action-build.yml
@@ -22,12 +22,9 @@ on:
 arch:
 required: false
 type: string
- sign:
- default: false
- type: boolean
 jobs:
- build-sign-upload:
+ build-upload:
 permissions:
 id-token: write
 name: build for ${{ inputs.slug }}
@@ -60,12 +57,6 @@ jobs:
 run: |
 make test-${{ inputs.runtime }}
 if: ${{ inputs.arch == 'x86_64' }}
- - name: Sign the binary
- if: ${{ inputs.runtime != 'common' && inputs.slug != 'windows' && inputs.sign }}
- uses: ./.github/workflows/action-sign.yml
- with:
- runtime: ${{ inputs.runtime }}
- os: ${{ inputs.os }}
 - name: Package artifacts
 if: ${{ inputs.runtime != 'common' }}
 shell: bash
diff --git a/.github/workflows/action-sign.yml b/.github/workflows/action-sign.yml
index aed870300..874b254ad 100644
--- a/.github/workflows/action-sign.yml
+++ b/.github/workflows/action-sign.yml
@@ -8,14 +8,15 @@ on:
 runtime:
 required: true
 type: string
- os:
+ path:
 required: true
 type: string
 jobs:
 sign:
- name: Sign the binaries on ${{ inputs.os }}
- runs-on: ${{ inputs.os }}
+ name: Sign the binaries
+ runs-on: "ubuntu-latest"
 steps:
+ - uses: actions/checkout@v4
 - name: Setup cosign for signing
 uses: sigstore/cosign-installer@v3.3.0
 with:
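Review bot: `build-upload` still carries `permissions: id-token: write` although the only consumer of an OIDC token in this job — the cosign step guarded by the removed `sign` input, deleted in the next hunk — is gone. Unless something else in the job exchanges an OIDC token (the remaining steps are outside the hunk), that grant is now unused and should be dropped so a compromised build or test step cannot mint identity tokens; the job in publish.yml that now calls action-sign.yml is where `id-token: write` belongs. I would trim the block to `permissions: {}` or remove the `permissions:` key and let the workflow default apply.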
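Review bot: The added `- uses: actions/checkout@v4` populates the working directory with the full repository tree before cosign runs, and the signing step in the next hunk then copies `*.sig` and `*.pem` from that same directory into `${{ inputs.path }}/`, so any `.sig` or `.pem` file committed at the repository root would be shipped next to the real signatures. If the checkout is only there for `make dist-${{ inputs.runtime }}`, point cosign's `--output-signature`, `--output-certificate` and `--bundle` at `${{ inputs.path }}/` directly and delete the two `cp` globs. For a job that signs release artifacts, pinning the checkout action to a full commit SHA rather than the floating `v4` tag is the usual hardening.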
@@ -24,29 +25,29 @@ jobs:
 run: |
 make dist-${{ inputs.runtime }}
 # Check if there's any files to archive as tar fails otherwise
- if stat dist/bin/* >/dev/null 2>&1; then
+ if stat ${{ inputs.path }}/* >/dev/null 2>&1; then
 echo "::notice::Signing the binary"
 cosign sign-blob --yes \
 --output-signature containerd-shim-${{ inputs.runtime }}-v1.sig \
 --output-certificate containerd-shim-${{ inputs.runtime }}-v1.pem \
 --bundle containerd-shim-${{ inputs.runtime }}-v1.bundle \
- dist/bin/containerd-shim-${{ inputs.runtime }}-v1
+ ${{ inputs.path }}/containerd-shim-${{ inputs.runtime }}-v1
 cosign sign-blob --yes \
 --output-signature containerd-shim-${{ inputs.runtime }}d-v1.sig \
 --output-certificate containerd-shim-${{ inputs.runtime }}d-v1.pem \
 --bundle containerd-shim-${{ inputs.runtime }}d-v1.bundle \
- dist/bin/containerd-shim-${{ inputs.runtime }}d-v1
+ ${{ inputs.path }}/containerd-shim-${{ inputs.runtime }}d-v1
 cosign sign-blob --yes \
 --output-signature containerd-${{ inputs.runtime }}d.sig \
 --output-certificate containerd-${{ inputs.runtime }}d.pem \
 --bundle containerd-${{ inputs.runtime }}d.bundle \
- dist/bin/containerd-${{ inputs.runtime }}d
+ ${{ inputs.path }}/containerd-${{ inputs.runtime }}d
 # Copy the certs to the dist/bin folder
- cp *.sig dist/bin/
- cp *.pem dist/bin/
+ cp *.sig ${{ inputs.path }}/
+ cp *.pem ${{ inputs.path }}/
 else
 echo "::warning::No files to sign"
 fi
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 30b89db6d..6edfc05cb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
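Review bot: When `stat ${{ inputs.path }}/*` matches nothing, the `else` branch only prints `::warning::No files to sign` and the step exits 0, so a release that the caller has already classified as a binary can go out unsigned without any job failing; now that this workflow is driven from publish.yml rather than as an optional build step, that branch should be `echo "::error::No files to sign in ${{ inputs.path }}"; exit 1`. Separately, `inputs.path` is spliced into the shell script by expression substitution on five lines; passing it through `env:` (`SIGN_PATH: ${{ inputs.path }}`, a name I am proposing) and using `"$SIGN_PATH"` keeps template text out of the script and fixes the unquoted expansions at the same time. The context comment `# Copy the certs to the dist/bin folder` is stale now that the destination is the `path` input.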
@@ -15,9 +15,10 @@ jobs:
 push_tag: ${{ steps.tag.outputs.push_tag }}
 dry_run: ${{ steps.parse.outputs.dry_run }}
 crate: ${{ steps.parse.outputs.crate }}
+ runtime: ${{ steps.parse.outputs.runtime }}
 version: ${{ steps.parse.outputs.version }}
- is_binary: ${{ steps.parse_crate.outputs.is_binary }}
- is_crate: ${{ steps.parse_crate.outputs.is_crate }}
+ is_binary: ${{ steps.parse.outputs.is_binary }}
+ is_crate: ${{ steps.parse.outputs.is_crate }}
 steps:
 - uses: actions/checkout@v4
 with:
@@ -39,27 +40,7 @@ jobs:
 id: parse
 if: steps.tag.outputs.push_tag == 'yes'
 run: |
- dry_run=false
- crate=$(grep 'Release ' main.log | sed 's/.*Release \([a-zA-Z0-9_-]*\).*/\1/')
- version=$(grep 'Release ' main.log | sed 's/.* v\(.*\)/\1/')
- if grep -q '\[dry-run\]' main.log; then
- dry_run=true
- fi
-
- echo "dry_run: $dry_run"
- echo "crate: $crate"
- echo "version: $version"
-
- echo "dry_run=$dry_run" >> $GITHUB_OUTPUT
- echo "crate=$crate" >> $GITHUB_OUTPUT
- echo "version=$version" >> $GITHUB_OUTPUT
-
- - name: parse crate
- id: parse_crate
- if: steps.tag.outputs.push_tag == 'yes'
- run: |
- ./scripts/parse-crate.sh ${{ steps.parse.outputs.crate }} >> $GITHUB_OUTPUT
-
+ ./scripts/parse-crate.sh main.log >> $GITHUB_OUTPUT
 release:
 runs-on: "ubuntu-latest"
 needs: parse
@@ -72,6 +53,13 @@ jobs:
 uses: actions/download-artifact@master
 with:
 path: release
+
+ - name: Sign
+ if: needs.parse.outputs.is_binary == 'true'
+ uses: ./.github/workflows/action-sign.yml
+ with:
+ path: release
+ runtime: ${{ needs.parse.outputs.runtime }}
 - name: Cargo publish
 if: needs.parse.outputs.is_crate == 'true'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 998fa5e54..6637a7cd7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
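Review bot: The new `Sign` step invokes `./.github/workflows/action-sign.yml` with a step-level `uses:`, but action-sign.yml is laid out as a reusable workflow (its own hunk declares `on:` inputs and a `jobs:` section), and a step-level `uses:` of a local path resolves an action directory, not a workflow file; it needs a job-level `uses:` (a dedicated sign job, with the artifact handed over) and that calling job needs `permissions: id-token: write` for keyless cosign — the `release` job's permissions are outside the hunk, so please check them. Also, `actions/download-artifact` with `path: release` and no `name` unpacks each artifact into its own subdirectory as far as I know, so `${{ inputs.path }}/containerd-shim-…` would be looked up one level too high and the sign job would land in its "No files to sign" branch; confirm the downloaded layout before passing `path: release`. While here, `actions/download-artifact@master` on the same job is a floating branch reference on a release path and is worth pinning.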
@@ -45,24 +45,13 @@ jobs:
 echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main"
 exit 1
 - uses: actions/checkout@v4
- - name: substring runtime
- id: runtime_sub
- uses: actions/github-script@v7
- with:
- script: |
- const crate = '${{ inputs.crate }}';
- const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
- if non_shim_crates.includes(runtime) {
- core.setOutput('runtime', 'common');
- core.setOutput('is_shim', false)
- } else {
- const runtime = crate.replace(/^containerd-shim-/, '');
- core.setOutput('runtime', runtime);
- core.setOutput('is_shim', true);
- }
+ - name: parse crate
+ id: parse_crate
+ run: |
+ ./scripts/parse-crate.sh ${{ steps.parse.outputs.crate }} >> $GITHUB_OUTPUT
 ### If we are releasing a crate rather than producing a bin, check for crates.io access
 - name: Check crates.io ownership
- if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }}
+ if: steps.parse_crate.outputs.is_crate == 'true'
 run: |
 cargo owner --list ${{ inputs.crate }} | grep github:containerd:runwasi-committers || \
 cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }}
diff --git a/scripts/parse-crate.sh b/scripts/parse-crate.sh
index 8fb9338f9..c50e2774a 100755
--- a/scripts/parse-crate.sh
+++ b/scripts/parse-crate.sh
@@ -1,6 +1,20 @@
 #!/bin/bash
-crate_name=$1
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+log_file="$1"
+
+# extract crate and version from log file
+dry_run=false
+crate=$(grep 'Release ' "$log_file" | sed 's/.*Release \([a-zA-Z0-9_-]*\).*/\1/')
+version=$(grep 'Release ' "$log_file" | sed 's/.* v\(.*\)/\1/')
+if grep -q '\[dry-run\]' "$log_file"; then
+ dry_run=true
+fi
+
 is_binary="false"
 is_crate="false"
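Review bot: `./scripts/parse-crate.sh ${{ steps.parse.outputs.crate }}` passes a crate name, but the script's new contract (parse-crate.sh hunk at the end of this diff) is a path to a release log: it greps `'Release '` out of `"$1"`, so a crate name makes `grep` fail on a nonexistent file, `crate` comes back empty, `is_crate` stays `false`, and the `Check crates.io ownership` step below is silently skipped on every release. Either feed it the same `main.log` that publish.yml produces or keep an explicit crate-name mode in the script. It is also not visible whether release.yml has a step with `id: parse` at all — the replaced step read `inputs.crate` directly and the rest of the job is outside the hunk — so `steps.parse.outputs.crate` may simply expand to nothing; `${{ inputs.crate }}` is what the surrounding context lines use.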
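Review bot: The script only checks that `$1` is non-empty; a missing or unreadable log (release.yml currently passes a crate name here) makes both `grep` calls fail, leaves `crate` and `version` empty, and the script still exits 0, so the callers read `is_binary=false` and `is_crate=false` and quietly skip signing and ownership checks. Add `[ -r "$log_file" ] || { echo "::error::cannot read $log_file" >&2; exit 1; }` after the assignment and exit non-zero when `crate` is empty. `echo "Usage: $0 "` appears to have lost its argument placeholder (likely `<log-file>`, eaten by rendering) — worth confirming in the file. `version` is captured with `.* v\(.*\)`, which takes everything after the last ` v` unconstrained and, if the log has more than one `Release ` line, yields a multi-line value that breaks the `key=value` format of `$GITHUB_OUTPUT`; taking only the first match (`grep -m1`) and anchoring the version to `v\([0-9][^ ]*\)` would be safer.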
@@ -20,14 +34,27 @@ declare -A crate_map=(
 )
 # Check and assign based on the binary_map
-if [[ "${binary_map[$crate_name]}" == "true" ]]; then
+if [[ "${binary_map[$crate]}" == "true" ]]; then
 is_binary="true"
 fi
 # Check and assign based on the crate_map
-if [[ "${crate_map[$crate_name]}" == "true" ]]; then
+if [[ "${crate_map[$crate]}" == "true" ]]; then
 is_crate="true"
 fi
+# Runtime logic
+declare -a non_shim_crates=("containerd-shim-wasm" "containerd-shim-wasm-test-modules" "oci-tar-builder")
+runtime=""
+
+if printf '%s\n' "${non_shim_crates[@]}" | grep -q "^$crate$"; then
+ runtime="common"
+else
+ runtime="${crate#containerd-shim-}"
+fi
+echo "dry_run=$dry_run"
+echo "crate=$crate"
+echo "version=$version"
 echo "is_binary=$is_binary"
-echo "is_crate=$is_crate"
\ No newline at end of file
+echo "is_crate=$is_crate"
+echo "runtime=$runtime"
\ No newline at end of file
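Review bot: `grep -q "^$crate$"` interpolates the crate name into a regex; the `[a-zA-Z0-9_-]` class the earlier `sed` permits keeps that benign today, but an exact fixed-string match, `grep -qxF -- "$crate"`, states the intent and stays correct if that class is ever widened. In the `else` branch a crate that is neither listed in `non_shim_crates` nor prefixed `containerd-shim-` — including an empty `crate` from an unparsable log — falls through with `runtime` equal to the crate name itself, and the sign workflow would then go looking for `containerd-shim-<crate>-v1`; rejecting a missing prefix with `echo "::error::unexpected crate name: $crate" >&2; exit 1` surfaces the problem instead of passing an odd value downstream.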