Merge pull request #5 from geofmureithi/chore/api-improvements #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release plugins | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - 'v*' | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Required to create GH releases | |
| contents: write | |
| # Required to push to GHCR | |
| packages: write | |
| # Required by cosign keyless signing | |
| id-token: write | |
| env: | |
| plugin-name: tasks | |
| oci-target: ghcr.io/${{ github.repository_owner }}/kasuku/plugins/tasks | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - | |
| name: Setup rust toolchain | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| profile: minimal | |
| toolchain: stable | |
| target: wasm32-unknown-unknown | |
| - name: Install wasm-to-oci | |
| run: | | |
| #!/bin/bash | |
| set -e | |
| INSTALL_DIR=$HOME/.wasm-to-oci | |
| mkdir -p $INSTALL_DIR | |
| curl -sL https://github.com/engineerd/wasm-to-oci/releases/download/v0.1.2/linux-amd64-wasm-to-oci -o $INSTALL_DIR/wasm-to-oci | |
| chmod 755 $INSTALL_DIR/wasm-to-oci | |
| echo $INSTALL_DIR >> $GITHUB_PATH | |
| - | |
| name: Install cosign | |
| uses: sigstore/cosign-installer@main | |
| - | |
| name: Build Wasm module | |
| uses: actions-rs/cargo@v1 | |
| with: | |
| command: build | |
| args: -p tasks --target=wasm32-unknown-unknown --release | |
| - run: mv target/wasm32-unknown-unknown/release/${{ env.plugin-name }}.wasm ${{ env.plugin-name }}.wasm | |
| - | |
| name: Login to GitHub Container Registry | |
| uses: docker/login-action@v1 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - | |
| name: Publish Wasm artifact to OCI registry with the 'latest' tag | |
| shell: bash | |
| if: ${{ startsWith(github.ref, 'refs/heads/') }} | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| set -ex | |
| echo Pushing policy to OCI container registry | |
| IMMUTABLE_REF=$(wasm-to-oci push ${{ env.plugin-name }}.wasm ${{ env.oci-target }}:latest 2>&1 | grep Digest | awk {'print $4'} | sed -e 's/"//') | |
| echo Keyless signing of plugin using cosign | |
| cosign sign --yes ${{ env.oci-target }}@${IMMUTABLE_REF} | |
| - | |
| name: Publish Wasm artifact to OCI registry with the version tag and 'latest' | |
| shell: bash | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| set -ex | |
| export OCI_TAG=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") | |
| echo Pushing plugin to OCI container registry | |
| IMMUTABLE_REF=$(wasm-to-oci push ${{ env.plugin-name }}.wasm ${{ env.oci-target }}:${OCI_TAG} 2>&1 | grep Digest | awk {'print $4'} | sed -e 's/"//') | |
| echo Keyless signing of plugin using cosign | |
| cosign sign --yes ${{ env.oci-target }}@${IMMUTABLE_REF} | |
| - | |
| name: Create Release | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ github.ref }} | |
| release_name: Release ${{ github.ref }} | |
| draft: false | |
| prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }} | |
| - | |
| name: Upload Release Asset | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| id: upload-release-asset | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} | |
| asset_path: ${{ env.plugin-name }}.wasm | |
| asset_name: ${{ env.plugin-name }}.wasm | |
| asset_content_type: application/wasm |