Merge pull request containerd#733 from Mossaka/pub-wasi-demo-app
.github/workflows: add wasi-demo-app to the publish pipeline
Showing
6 changed files
with
295 additions
and
8 deletions.
@@ -0,0 +1,114 @@ | ||
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json | ||
|
||
name: Release wasi-demo-app | ||
run-name: wasi-demo-app@${{ inputs.version }} | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
version: | ||
description: "The version of the image to release. (e.g., 1.2.3)" | ||
type: string | ||
required: true | ||
dry_run: | ||
description: "Run the release without actually releasing bits" | ||
type: boolean | ||
default: true | ||
|
||
env: | ||
CARGO_TERM_COLOR: always | ||
IMAGES: "wasi-demo-app wasi-demo-oci wasi-demo-oci-artifact wasi-http" | ||
|
||
jobs: | ||
release-wasi-demo: | ||
permissions: | ||
packages: write | ||
runs-on: ubuntu-latest | ||
outputs: | ||
wasi_demo_app: ${{ steps.get_digests.outputs.wasi_demo_app }} | ||
wasi_demo_oci: ${{ steps.get_digests.outputs.wasi_demo_oci }} | ||
wasi_demo_oci_artifact: ${{ steps.get_digests.outputs.wasi_demo_oci_artifact }} | ||
wasi_http: ${{ steps.get_digests.outputs.wasi_http }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Setup build env | ||
run: ./scripts/setup-linux.sh | ||
- name: Install Rust and wasm32-wasi target | ||
uses: actions-rs/toolchain@v1 | ||
with: | ||
toolchain: stable | ||
target: wasm32-wasip1 | ||
override: true | ||
|
||
- name: Convert repository name to lowercase | ||
id: prep | ||
run: echo "repo=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT | ||
|
||
- name: Login to GitHub container registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Enable containerd image store | ||
run: | | ||
echo '{ "features": { "containerd-snapshotter": true } }' | sudo tee /etc/docker/daemon.json | ||
sudo systemctl restart docker | ||
docker info -f '{{ .DriverStatus }}' | ||
- name: Build oci tarballs | ||
run: | | ||
make docker/load | ||
make docker/load/oci | ||
make docker/load/http | ||
docker image ls | ||
- name: Tagging images | ||
run: | | ||
for image in $IMAGES; do | ||
docker tag ghcr.io/containerd/runwasi/$image:latest ghcr.io/${{ steps.prep.outputs.repo }}/$image:${{ inputs.version }} | ||
docker tag ghcr.io/containerd/runwasi/$image:latest ghcr.io/${{ steps.prep.outputs.repo }}/$image:latest | ||
done | ||
- name: Push images to ghcr.io | ||
if: ${{ inputs.dry_run == false }} | ||
run: | | ||
for image in $IMAGES; do | ||
docker push ghcr.io/${{ steps.prep.outputs.repo }}/$image:${{ inputs.version }} | ||
docker push ghcr.io/${{ steps.prep.outputs.repo }}/$image:latest | ||
done | ||
- name: Display image digests | ||
id: get_digests | ||
run: | | ||
for image in $IMAGES; do | ||
DIGEST=$(docker inspect ghcr.io/${{ steps.prep.outputs.repo }}/$image --format '{{ .Id }}' --type image) | ||
echo "Digest for $image: $DIGEST" | ||
sanitized_image="${image//-/_}" | ||
echo "$sanitized_image=$DIGEST" >> $GITHUB_OUTPUT | ||
done | ||
sign: | ||
if: ${{ inputs.dry_run == false }} | ||
needs: | ||
- release-wasi-demo | ||
strategy: | ||
matrix: | ||
image: ["wasi_demo_app", "wasi_demo_oci", "wasi_demo_oci_artifact", "wasi_http"] | ||
uses: ./.github/workflows/sign.yml | ||
with: | ||
image-name: ${{ matrix.image }} | ||
image-digest: ${{ needs.release-wasi-demo.outputs[matrix.image] }} | ||
|
||
sbom: | ||
if: ${{ inputs.dry_run == false }} | ||
needs: | ||
- release-wasi-demo | ||
strategy: | ||
matrix: | ||
image: ["wasi_demo_app", "wasi_demo_oci", "wasi_demo_oci_artifact", "wasi_http"] | ||
uses: ./.github/workflows/sbom.yml | ||
with: | ||
image-name: ${{ matrix.image }} | ||
image-digest: ${{ needs.release-wasi-demo.outputs[matrix.image] }} |
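Review bot: `${{ inputs.version }}` is expanded directly into the shell text of the tagging and push steps (as are `${{ github.repository }}` in the prep step and `${{ steps.prep.outputs.repo }}`); pass it through the step's `env:` — e.g. `VERSION: ${{ inputs.version }}` — and reference `"$VERSION"` so the value is handled as data rather than script. The actions in this file are referenced by floating tag (`actions/checkout@v4`, `docker/login-action@v3`, `actions-rs/toolchain@v1`) whereas the sign and sbom workflows added in the same commit pin by commit SHA with a version comment; a release job that holds `packages: write` should follow the stricter convention, and `actions-rs/toolchain` is no longer maintained. The toolchain step is named "wasm32-wasi target" while the target it installs is `wasm32-wasip1`. The digest handed to the sign and sbom jobs is `docker inspect --format '{{ .Id }}'`; with the containerd image store enabled in the earlier step that appears to be the manifest digest the callee workflows dereference as `@digest`, but it is worth confirming, since a config-blob ID would not resolve in the registry.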
|
@@ -182,3 +182,4 @@ jobs: | |
env: | ||
GH_TOKEN: ${{ github.token }} | ||
RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }} | ||
|
@@ -0,0 +1,83 @@ | ||
name: Generate SBOMs | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
image-name: | ||
type: string | ||
required: true | ||
image-digest: | ||
type: string | ||
required: true | ||
|
||
jobs: | ||
sbom: | ||
name: Generate SBOM, sign and attach them to OCI image | ||
permissions: | ||
packages: write | ||
id-token: write | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Sanitize image name | ||
run: | | ||
image="${{ inputs.image-name }}" | ||
image="${image//_/-}" | ||
echo "image=$image" >> $GITHUB_ENV | ||
- name: Install cosign | ||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | ||
|
||
- name: Install syft | ||
uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0 | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Find repository name | ||
shell: bash | ||
run: | | ||
set -e | ||
IMG_REPOSITORY_NAME=$( echo ${{ github.repository }} | awk '{print tolower($0)}' ) | ||
echo IMG_REPOSITORY_NAME=${IMG_REPOSITORY_NAME} >> $GITHUB_ENV | ||
- name: Create SBOM file | ||
shell: bash | ||
run: | | ||
SYFT=$(which syft) | ||
sudo $SYFT \ | ||
-o spdx-json \ | ||
--file $image-sbom.spdx \ | ||
ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/$image@${{ inputs.image-digest }} | ||
- name: Sign SBOM file | ||
run: | | ||
cosign sign-blob --yes \ | ||
--output-certificate $image-sbom.spdx.cert \ | ||
--output-signature $image-sbom.spdx.sig \ | ||
$image-sbom.spdx | ||
- name: Attach SBOM to container image | ||
shell: bash | ||
run: | | ||
cosign attach \ | ||
sbom --sbom $image-sbom.spdx \ | ||
ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/$image@${{ inputs.image-digest }} | ||
- name: Sign SBOM file pushed to OCI registry | ||
shell: bash | ||
run: | | ||
set -e | ||
SBOM_TAG="$(echo ${{ inputs.image-digest }} | sed -e 's/:/-/g').sbom" | ||
cosign sign --yes \ | ||
ghcr.io/${{ env.IMG_REPOSITORY_NAME }}/$image:${SBOM_TAG} | ||
- name: Upload SBOMs as artifacts | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: sbom | ||
path: $image-sbom-* |
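Review bot: The upload step's `path: $image-sbom-*` will match nothing: `with:` inputs are not shell-expanded, so `$image` stays literal, and the files produced earlier are named `<image>-sbom.spdx`, `<image>-sbom.spdx.cert` and `<image>-sbom.spdx.sig` (a dot after `sbom`, not a hyphen); `path: ${{ env.image }}-sbom.spdx*` would pick up all three. The registry login uses `username: ${{ github.repository }}` where the release workflow in this commit uses `${{ github.actor }}` (the sign workflow has the same login); GHCR appears to accept either with `GITHUB_TOKEN`, but the three should agree. `${{ inputs.image-digest }}` and `${{ inputs.image-name }}` are expanded straight into shell text in several steps; they come from a trusted caller here, but routing them through `env:` and quoting keeps the reusable workflow safe for other callers. Running syft under `sudo` leaves the SBOM file root-owned — presumably harmless for the later read-only steps, but the reason for root is not stated and would merit a comment.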
@@ -0,0 +1,42 @@ | ||
name: Sign image | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
image-name: | ||
type: string | ||
required: true | ||
image-digest: | ||
type: string | ||
required: true | ||
|
||
jobs: | ||
sign: | ||
name: Sign image | ||
permissions: | ||
packages: write | ||
id-token: write | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Sanitize image name | ||
run: | | ||
image="${{ inputs.image-name }}" | ||
image="${image//_/-}" | ||
echo "image=$image" >> $GITHUB_ENV | ||
- name: Install cosign | ||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Sign container image | ||
run: | | ||
IMG_REPOSITORY_NAME=$( echo ${{ github.repository }} | awk '{print tolower($0)}' ) | ||
cosign sign --yes \ | ||
ghcr.io/${IMG_REPOSITORY_NAME}/$image@${{ inputs.image-digest }} |
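Review bot: `docker/login-action@v3` is referenced by a floating tag in the step directly after `sigstore/cosign-installer`, which is pinned to a full commit SHA with a version comment; in a workflow that produces signatures, every action should be pinned the same way (the sbom workflow has the same mix). `cosign sign` as written signs only the reference it is given; if the demo images are published as multi-platform indexes, `--recursive` is needed for the per-platform manifests to be signed too — worth confirming against how `make docker/load` builds them. `${{ inputs.image-digest }}` is expanded into the shell text of the signing step; passing it via `env:` and quoting it, e.g. `ghcr.io/${IMG_REPOSITORY_NAME}/$image@"$IMAGE_DIGEST"`, keeps this reusable workflow safe for callers other than the release pipeline.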