Mossaka · github-actions · Apr 4, 2024 · Apr 4, 2024 · Apr 4, 2024 · Apr 5, 2024
diff --git a/.github/workflows/action-build.yml b/.github/workflows/action-build.yml
@@ -22,12 +22,9 @@ on:
       arch:
         required: false
         type: string
-      sign:
-        default: false
-        type: boolean
 
 jobs:
-  build-sign-upload:
+  build-upload:
     permissions:
       id-token: write
     name: build for ${{ inputs.slug }}
@@ -60,12 +57,6 @@ jobs:
         run: |
           make test-${{ inputs.runtime }}
         if: ${{ inputs.arch == 'x86_64' }}
-      - name: Sign the binary
-        if: ${{ inputs.runtime != 'common' && inputs.slug != 'windows' && inputs.sign }}
-        uses: ./.github/workflows/action-sign.yml
-        with:
-          runtime: ${{ inputs.runtime }}
-          os: ${{ inputs.os }}
       - name: Package artifacts
         if: ${{ inputs.runtime != 'common' }}
         shell: bash

diff --git a/.github/workflows/action-sign.yml b/.github/workflows/action-sign.yml
@@ -8,45 +8,73 @@ on:
       runtime:
         required: true
         type: string
-      os:
+      is_binary:
         required: true
         type: string
 jobs:
   sign:
-    name: Sign the binaries on ${{ inputs.os }}
-    runs-on: ${{ inputs.os }}
+    name: Sign the binaries
+    runs-on: "ubuntu-latest"
+    if: ${{ inputs.is_binary == 'true' }}
     steps:
+    - uses: actions/checkout@v4
     - name: Setup cosign for signing
       uses: sigstore/cosign-installer@v3.3.0
       with:
         cosign-release: 'v2.2.2'
+    - name: download artifact from main
+      uses: dawidd6/action-download-artifact@v3
+      with:
+        github_token: ${{secrets.GITHUB_TOKEN}}
+        branch: main
+        path: artifacts
+    - name: unpack artifact
+      run: |
+        mkdir -p dist  
+        if stat artifacts/* >/dev/null 2>&1; then
+          tar -xzf artifacts/containerd-shim-${{ inputs.runtime }}.tar.gz -C dist
+        else
+          echo "::warning::No artifacts"
+        fi
+
     - name: Sign the binaries
       run: |
-        make dist-${{ inputs.runtime }}
         # Check if there's any files to archive as tar fails otherwise
-        if stat dist/bin/* >/dev/null 2>&1; then
+        if stat dist/* >/dev/null 2>&1; then
           echo "::notice::Signing the binary"
           cosign sign-blob --yes \
             --output-signature containerd-shim-${{ inputs.runtime }}-v1.sig \
             --output-certificate containerd-shim-${{ inputs.runtime }}-v1.pem \
             --bundle containerd-shim-${{ inputs.runtime }}-v1.bundle \
-            dist/bin/containerd-shim-${{ inputs.runtime }}-v1
+            dist/containerd-shim-${{ inputs.runtime }}-v1
 
           cosign sign-blob --yes \
             --output-signature containerd-shim-${{ inputs.runtime }}d-v1.sig \
             --output-certificate containerd-shim-${{ inputs.runtime }}d-v1.pem \
             --bundle containerd-shim-${{ inputs.runtime }}d-v1.bundle \
-            dist/bin/containerd-shim-${{ inputs.runtime }}d-v1
+            dist/containerd-shim-${{ inputs.runtime }}d-v1
 
           cosign sign-blob --yes \
             --output-signature containerd-${{ inputs.runtime }}d.sig \
             --output-certificate containerd-${{ inputs.runtime }}d.pem \
             --bundle containerd-${{ inputs.runtime }}d.bundle \
-            dist/bin/containerd-${{ inputs.runtime }}d
+            dist/containerd-${{ inputs.runtime }}d
 
-          # Copy the certs to the dist/bin folder
-          cp *.sig dist/bin/
-          cp *.pem dist/bin/
+          # Copy the certs to the dist folder
+          cp *.sig dist/
+          cp *.pem dist/
         else
           echo "::warning::No files to sign"
-        fi
+        fi
+    - name: package artifacts
+      run: |
+        if stat dist/* >/dev/null 2>&1; then
+          tar -czf dist-${{ inputs.runtime }}.tar.gz -C dist .
+        else
+          echo "::warning::No files to package"
+        fi
+    - name: Upload the signed binaries
+      uses: actions/upload-artifact@v2
+      with:
+        name: dist-${{ inputs.runtime }}
+        path: dist/dist-${{ inputs.runtime }}.tar.gz
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,99 @@
+
+name: Publish Artifacts
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+    contents: write
+
+jobs:
+  parse:
+    runs-on: ubuntu-latest
+    outputs:
+      push_tag: ${{ steps.tag.outputs.push_tag }}
+      dry_run: ${{ steps.parse.outputs.dry_run }}
+      crate: ${{ steps.parse.outputs.crate }}
+      runtime: ${{ steps.parse.outputs.runtime }}
+      version: ${{ steps.parse.outputs.version }}
+      is_binary: ${{ steps.parse.outputs.is_binary }}
+      is_crate: ${{ steps.parse.outputs.is_crate }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+          fetch-depth: 0
+      - name: Test if tag is needed
+        id: tag
+        run: |
+          git log -n 2 | cat
+          git log ${{ github.event.before }}...${{ github.event.after }} | tee main.log
+          if grep -q "automatically-tag-and-release-this-commit" main.log; then
+            echo push-tag
+            echo "push_tag=yes" >> $GITHUB_OUTPUT
+          else
+            echo no-push-tag
+            echo "push_tag=no" >> $GITHUB_OUTPUT
+            echo "::notice::No tag needed, skipping release"
+          fi
+      - name: Parse commit message
+        id: parse
+        if: steps.tag.outputs.push_tag == 'yes'
+        run: |
+          ./scripts/parse-crate.sh main.log >> $GITHUB_OUTPUT
+  sign:
+    needs: [parse]
+    if: needs.parse.outputs.push_tag == 'yes'
+    uses: ./.github/workflows/action-sign.yml
+    with:
+      runtime: ${{ needs.parse.outputs.runtime }}
+      is_binary: ${{ needs.parse.outputs.is_binary }}
+
+  release:
+    runs-on: "ubuntu-latest"
+    needs: [parse, sign]
+    if: needs.parse.outputs.push_tag == 'yes'
+    steps:
+      - name: describe runner
+        run: |
+          echo "::notice::Running job with push_tag: '${{ needs.parse.outputs.push_tag }}', dry_run: '${{ needs.parse.outputs.dry_run }}', crate: '${{ needs.parse.outputs.crate }}', runtime: '${{ needs.parse.outputs.runtime }}', version: '${{ needs.parse.outputs.version }}', is_binary: '${{ needs.parse.outputs.is_binary }}', is_crate: '${{ needs.parse.outputs.is_crate }}'"
+
+      - uses: actions/checkout@v4
+      - name: Download artifacts
+        if: needs.parse.outputs.is_binary == 'true'
+        uses: actions/download-artifact@master
+        with:
+          path: release
+
+      - name: Cargo publish
+        if: needs.parse.outputs.is_crate == 'true'
+        run: |
+          echo "DRY_RUN_FLAG=$( [ '${{ needs.parse.outputs.dry_run }}' = 'true' ] && echo '--dry-run' || echo '' )" >> $GITHUB_ENV
+          cargo publish $DRY_RUN_FLAG --package ${{ needs.parse.outputs.crate }} --verbose --locked
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
+
+      - name: Tag the the release
+        if: needs.parse.outputs.dry_run == 'false'
+        run: |
+          git tag "${{ needs.parse.outputs.crate }}/v${{ needs.parse.outputs.version }}"
+          git push origin "${{ needs.parse.outputs.crate }}/v${{ needs.parse.outputs.version }}"
+
+      - name: Create release
+        if: needs.parse.outputs.dry_run == 'false'
+        run: |
+          gh release create 'refs/tags/${{ needs.parse.outputs.crate }}/v${{ needs.parse.outputs.version }}' --generate-notes
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_NAME: ${{ needs.parse.outputs.crate }}/v${{ needs.parse.outputs.version }}
+
+      - name: Upload release artifacts
+        if: needs.parse.outputs.dry_run == 'false'
+        run: |
+          for i in release/*/*; do
+            gh release upload ${RELEASE_NAME} $i
+          done
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_NAME: ${{ needs.parse.outputs.crate }}/v${{ needs.parse.outputs.version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -38,43 +38,22 @@ jobs:
   pre-release:
     name: pre-release checks
     runs-on: "ubuntu-latest"
-    outputs:
-      crate: ${{ inputs.crate }}
-      runtime: ${{ steps.runtime_sub.outputs.runtime }}
-      version: ${{ inputs.version }}
-      ### is_shim is a string, not a boolean, so use: is_shim == 'true'
-      is_shim: ${{ steps.runtime_sub.outputs.is_shim }}
     steps:
       - name: Fail if branch is not main
         if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
         run: |
           echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main"
           exit 1
       - uses: actions/checkout@v4
-      ### Determine the name of the runtime and if it is a binary release or crates.io
-      - name: verify version input
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const version = '${{ inputs.version }}';
-            if(!version.match(/^[0-9]+.[0-9]+.*/)) {
-              core.setFailed(`The version '${version}' does not match regex /^[0-9]+.[0-9]+.*/.`);
-            }
       - name: substring runtime
         id: runtime_sub
         uses: actions/github-script@v7
         with:
           script: |
             const crate = '${{ inputs.crate }}';
+            let runtime = crate.replace(/^containerd-shim-/, '');
             const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
-            if non_shim_crates.includes(runtime) {
-              core.setOutput('runtime', 'common');
-              core.setOutput('is_shim', false)
-            } else {
-              const runtime = crate.replace(/^containerd-shim-/, '');
-              core.setOutput('runtime', runtime);
-              core.setOutput('is_shim', true);
-            }
+            core.setOutput('is_shim', !non_shim_crates.includes(runtime));
       ### If we are releasing a crate rather than producing a bin, check for crates.io access
       - name: Check crates.io ownership
         if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }}
@@ -83,79 +62,47 @@ jobs:
           cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }}
         env:
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
-      - name: Verify version matches
+      - name: Update crate version and make a PR
         run: |
-          if [ "$(grep -c "version = \"${{ inputs.version }}\"" crates/${{ inputs.crate }}/Cargo.toml)" -ne 1 ]; then
-            echo "::error::Version in Cargo.toml does not match the version input"
-            exit 1
+          # replace the version inline in the Cargo.toml
+          set -ex
+          git fetch origin
+
+          sed -i -E 's/^version.+=.+".+"/version = "${{ inputs.version }}"/' crates/${{ inputs.crate }}/Cargo.toml
+          git diff
+          git config user.name "${GITHUB_ACTOR}"
+          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+          if [ "${{ inputs.dry_run }}" = true ]; then
+            TITLE="[dry-run] Release ${{ inputs.crate }} v${{ inputs.version }}"
+          else
+            TITLE="Release ${{ inputs.crate }} v${{ inputs.version }}"
           fi
 
-  build-and-sign:
-    permissions:
-      id-token: write
-    needs:
-      - pre-release
-    strategy:
-      matrix:
-        arch: ["x86_64", "aarch64"]
-        include: 
-          - ${{ needs.pre-release.outputs }}
-    uses: ./.github/workflows/action-build.yml
-    with:
-      os: "ubuntu-22.04"
-      runtime: ${{ matrix.runtime }}
-      target: "${{ matrix.arch }}-unknown-linux-musl"
-      slug: "${{ matrix.arch }}-linux-musl"
-      arch: ${{ matrix.arch }}
-      sign: true
+          git commit --allow-empty -a -F-<<EOF
+          $TITLE
 
-  release:
-    permissions:
-      contents: write
-    needs:
-      - pre-release
-      - build-and-sign
-    strategy:
-      matrix:
-        os: ["ubuntu-latest"]
-        include: 
-          - ${{ needs.pre-release.outputs }}
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Matrix description
-        run: |
-          echo "::notice::Running job with dry_run: '${{ inputs.dry_run }}', crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'."
-      - uses: actions/checkout@v4
-      - name: Setup build env
-        run: ./scripts/setup-linux.sh
-      - name: Download artifacts
-        if: ${{ matrix.is_shim == 'true' }}
-        uses: actions/download-artifact@master
-        with:
-          path: release
-      - name: Cargo publish
-        if: ${{ matrix.is_shim  != 'true' }}
-        run: cargo publish ${{ inputs.dry_run && '--dry-run' || '' }} --package ${{ matrix.crate }} --verbose --locked
-        env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
-      - name: Tag the the release
-        if: ${{ !inputs.dry_run }}
-        run: |
-          git tag "${{matrix.crate}}/v${{matrix.version}}"
-          git push origin "${{matrix.crate}}/v${{matrix.version}}"
-      - name: Create release
-        if: ${{ !inputs.dry_run }}
-        run: |
-          gh release create 'refs/tags/${{matrix.crate}}/v${{matrix.version}}' --generate-notes
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
-      - name: Upload release artifacts
-        if: ${{ matrix.is_shim == 'true' && !inputs.dry_run }}
-        run: |
-          for i in release/*/*; do
-            gh release upload ${RELEASE_NAME} $i
-          done
+          [automatically-tag-and-release-this-commit]
+          Version: v${{ inputs.version }}
+          Crate: ${{ inputs.crate }}
+          EOF
+
+          git push origin HEAD:ci/release-${{ inputs.crate }}-${{ inputs.version }}
+
+          echo "PR_HEAD=ci/release-${{ inputs.crate }}-${{ inputs.version }}" >> $GITHUB_ENV
+          echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
+          echo "PR_BASE=main" >> $GITHUB_ENV
+          cat > pr-body <<-EOF
+          This is an automated pull request from CI to release
+          ${{ inputs.crate }} v${{ inputs.version }} when merged. The commit
+          message for this PR has a marker that is detected by CI to create
+          tags and publish crate artifacts.
+
+          When first opened this PR will not have CI run because it is generated
+          by a bot. A maintainer should close this PR and then reopen it to
+          trigger CI to execute which will then enable merging this PR.
+          EOF
+      - name: Make a PR
+        run: gh pr create -B "$PR_BASE" -H "$PR_HEAD" --title "$PR_TITLE" --body "$(cat ./pr-body)"
         env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/crates/containerd-shim-wasmtime/Cargo.toml b/crates/containerd-shim-wasmtime/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "containerd-shim-wasmtime"
-version = "0.4.0"
+version = "0.5.0"
 edition.workspace = true
 
 [dependencies]