feat: add CI builds + attestation #3

Merged
merged 1 commit into from
May 9, 2024
98 changes: 98 additions & 0 deletions .github/workflows/cloud-hello.yml
@@ -0,0 +1,98 @@
name: cloud-hello

on:
pull_request:
paths:
- 'cloud-hello/**'
merge_group:
workflow_dispatch:
push:
branches:
- main
tags:
- cloud-hello-v*
env:
REGISTRY: ghcr.io
REPOSITORY: ${{ github.repository }}

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: cargo clippy --no-deps
working-directory: cloud-hello
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: |
rustup target add wasm32-wasi
cargo build --target wasm32-wasi
working-directory: cloud-hello

release:
runs-on: ubuntu-latest
needs: [build]
if: startsWith(github.ref, 'refs/tags/cloud-hello-v')
permissions:
contents: read
packages: write
attestations: write
id-token: write
steps:
- uses: actions/checkout@v4
- name: Extract tag context
id: ctx
run: |
sha_short=$(git rev-parse --short HEAD)
echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
echo "sha_short=${sha_short}" >> "$GITHUB_OUTPUT"
echo "version=${GITHUB_REF#refs/tags/cloud-hello-v}" >> "$GITHUB_OUTPUT"

- run: rustup target add wasm32-wasi
- uses: taiki-e/install-action@v2
with:
tool: wash-cli@0.27

- name: Build and push
run: |
wash build
working-directory: cloud-hello

# Used later in the build process to push provenance info
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: imjasonh/setup-crane@v0.1

- name: Push
id: push
env:
WASH_REG_USER: ${{ github.repository_owner }}
WASH_REG_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
WASH_ISSUER_KEY: ${{ secrets.COSMONIC_LABS_SIGNING_ACCOUNT}}
WASH_SUBJECT_KEY: ${{ secrets.CLOUD_HELLO_COMPONENT_KEY}}
run: |
if [ -z "$WASH_ISSUER_KEY" ]; then
echo "WASH_ISSUER_KEY is not set"
exit 1
fi
wash push ${{env.REGISTRY}}/${{env.REPOSITORY}}/cloud-hello:$GITHUB_SHA build/cloud_hello_s.wasm
wash push ${{env.REGISTRY}}/${{env.REPOSITORY}}/cloud-hello:$(git rev-parse --short HEAD) build/cloud_hello_s.wasm
Reviewer comment (Contributor): Same comment as below about the substring expansion, replacing $(git rev-parse --short HEAD) with just ${GITHUB_SHA::7}

#wash push ${{env.REGISTRY}}/${{env.REPOSITORY}}/cloud-hello:${{steps.ctx.outputs.version}} build/cloud_hello_s.wasm
digest=$(crane digest ${{env.REGISTRY}}/${{env.REPOSITORY}}/cloud-hello:$GITHUB_SHA)
echo "digest=$digest" >> "$GITHUB_OUTPUT"
shell: bash
working-directory: cloud-hello

- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{env.REGISTRY}}/${{env.REPOSITORY}}/cloud-hello
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
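Review bot: the signing keys are exported on the wrong step. WASH_ISSUER_KEY and WASH_SUBJECT_KEY are set as env only on the Push step, but the component is signed earlier, in the Build and push step where wash build produces build/cloud_hello_s.wasm, so that build runs with whatever keys wash finds or generates on the runner and the repository secrets never reach it; move the two env entries (and the empty-value check) onto the wash build step, or run wash build inside the Push step ahead of wash push. Two smaller points: the check at if [ -z "$WASH_ISSUER_KEY" ] should also cover WASH_SUBJECT_KEY, as provider.yml does, and the Extract tag context outputs (owner, sha_short, version) are never consumed once the version-tagged push is commented out, so either restore the push of the ${{steps.ctx.outputs.version}} tag (the attestation is bound to the digest, so it covers that tag as well) or drop the step.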
39 changes: 39 additions & 0 deletions .github/workflows/fly-io-metadata.yml
@@ -0,0 +1,39 @@
name: fly-io-metadata

on:
pull_request:
paths:
- 'fly-io-metadata/**'
merge_group:
workflow_dispatch:
push:
branches:
- main
tags:
- fly-io-metadata-v*
env:
REGISTRY: ghcr.io
REPOSITORY: ${{ github.repository }}

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: cargo clippy --no-deps
working-directory: fly-io-metadata

build:
needs:
- lint
permissions:
packages: write
id-token: write
attestations: write
contents: read
uses: ./.github/workflows/provider.yml
with:
name: fly-io-metadata
secrets:
issuer: ${{secrets.COSMONIC_LABS_SIGNING_ACCOUNT}}
subject: ${{secrets.FLY_IO_PROVIDER_KEY}}
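Review bot: the permissions block grants packages: write, id-token: write and attestations: write to the build job on every pull_request and push run, although only the tag-gated release job inside provider.yml needs them. A reusable workflow can only narrow what the caller passes, so consider passing the write scopes only through a tag-gated job (an if: on this build job, or a second call used only for tag refs) and keeping PR runs at contents: read. Also note that the push trigger has no paths filter while pull_request does, so every push to main rebuilds all three components.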
39 changes: 39 additions & 0 deletions .github/workflows/kind-metadata.yml
@@ -0,0 +1,39 @@
name: kind-metadata

on:
pull_request:
paths:
- 'kind-metadata/**'
merge_group:
workflow_dispatch:
push:
branches:
- main
tags:
- kind-metadata-v*
env:
REGISTRY: ghcr.io
REPOSITORY: ${{ github.repository }}

jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: cargo clippy --no-deps
working-directory: kind-metadata

build:
needs:
- lint
permissions:
packages: write
id-token: write
attestations: write
contents: read
uses: ./.github/workflows/provider.yml
with:
name: kind-metadata
secrets:
issuer: ${{secrets.COSMONIC_LABS_SIGNING_ACCOUNT}}
subject: ${{secrets.FLY_IO_PROVIDER_KEY}}
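Review bot: the subject secret is copied from fly-io-metadata.yml. subject: ${{secrets.FLY_IO_PROVIDER_KEY}} means the kind-metadata provider archive is signed with the fly-io provider's subject key, so both providers publish under the same public key and a consumer pinning on that key cannot tell them apart; use a dedicated secret for this provider (for example KIND_METADATA_PROVIDER_KEY, name assumed) and keep one subject key per provider.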
131 changes: 131 additions & 0 deletions .github/workflows/provider.yml
@@ -0,0 +1,131 @@
name: Build and release a provider

on:
workflow_call:
inputs:
name:
description: Provider name
required: true
type: string
secrets:
subject:
required: true
description: Capability provider issuer subject key
issuer:
required: true
description: Capability provider issuer key
env:
REGISTRY: ghcr.io
REPOSITORY: ${{ github.repository }}
jobs:
build:
strategy:
matrix:
arch: ["x86_64", "aarch64"]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: goto-bus-stop/setup-zig@v2

- name: Add musl targets
run: |
rustup target add ${{ matrix.arch }}-unknown-linux-musl

- name: Install cargo-zigbuild
run: |
cargo install cargo-zigbuild

- name: Build
run: |
cargo zigbuild --release --target ${{matrix.arch}}-unknown-linux-musl
name=$(echo ${{inputs.name}} | tr '-' '_')
mv target/${{matrix.arch}}-unknown-linux-musl/release/$name ${{inputs.name}}
working-directory: ${{inputs.name}}

- name: Store artifact
uses: actions/upload-artifact@v4
with:
name: ${{inputs.name}}-${{matrix.arch}}
path: ${{inputs.name}}/${{inputs.name}}
release:
needs: [build]
if: startsWith(github.ref, 'refs/tags/${{inputs.name}}-v')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Extract tag context
id: ctx
run: |
sha_short=$(git rev-parse --short HEAD)
echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
echo "sha_short=${sha_short}" >> "$GITHUB_OUTPUT"
echo "version=${GITHUB_REF#refs/tags/${{inputs.name}}v}" >> "$GITHUB_OUTPUT"
echo "artifact_name=$(echo ${{inputs.name}} | tr '- "')" >> "$GITHUB_OUTPUT"
- uses: taiki-e/install-action@v2
with:
tool: wash-cli@0.28.0

# Used later in the build process to push provenance info
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: imjasonh/setup-crane@v0.1

- uses: actions/download-artifact@v4
with:
path: artifacts

- name: Fix permissions and architectures
run: |
tree artifacts
mv artifacts/${{inputs.name}}-x86_64/${{inputs.name}} ${{inputs.name}}-x86_64
mv artifacts/${{inputs.name}}-aarch64/${{inputs.name}} ${{inputs.name}}-aarch64
chmod +x ${{inputs.name}}-*

- name: Push
env:
WASH_REG_USER: ${{ github.repository_owner }}
WASH_REG_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
WASH_ISSUER_KEY: ${{ secrets.subject}}
WASH_SUBJECT_KEY: ${{ secrets.issuer}}
run: |
if [ -z $WASH_SUBJECT_KEY ]; then
echo "WASH_SUBJECT_KEY is required"
exit 1
fi

if [ -z $WASH_ISSUER_KEY ]; then
echo "WASH_ISSUER_KEY is required"
exit 1
fi

wash par create \
--binary "${{ inputs.name }}-x86_64" \
--compress \
--destination "${{ inputs.name }}.par.gz" \
--name "${{ inputs.name }}-provider" \
--vendor cosmonic-labs \
--version ${{ steps.ctx.outputs.version }}

wash par insert --arch aarch64-linux --binary "${{inputs.name }}-aarch64" "${{ inputs.name }}.par.gz"

wash push ${{env.REGISTRY}}/${{env.REPOSITORY}}/${{inputs.name}}:$GITHUB_SHA ${{inputs.name}}.par.gz
wash push ${{env.REGISTRY}}/${{env.REPOSITORY}}/${{inputs.name}}:$(git rev-parse --short HEAD) ${{inputs.name}}.par.gz
Reviewer comment (Contributor): This is admittedly nitpicky, but if you wanted to avoid having to fetch the short SHA to match GitHub's style, you could also use substring expansion with ${GITHUB_SHA::7} here

#wash push ${{env.REGISTRY}}/${{env.REPOSITORY}}/${{inputs.name}}:${{steps.ctx.outputs.version}} ${{inputs.name}}.par.gz

- name: Get digest
id: digest
run: |
digest=$(crane digest ${{env.REGISTRY}}/${{env.REPOSITORY}}/${{inputs.name}}:$GITHUB_SHA)
echo "digest=$digest" >> "$GITHUB_OUTPUT"

- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{env.REGISTRY}}/${{env.REPOSITORY}}/${{inputs.name}}
subject-digest: ${{ steps.digest.outputs.digest }}
push-to-registry: true
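Review bot: the secret-to-env mapping in the Push step is swapped: WASH_ISSUER_KEY: ${{ secrets.subject}} and WASH_SUBJECT_KEY: ${{ secrets.issuer}} hand the provider subject key to wash as the issuer and the account signing key as the subject, so the resulting .par.gz carries inverted issuer/subject claims (cloud-hello.yml has them the right way round); swap the two references. Further in the same hunk: the version expansion ${GITHUB_REF#refs/tags/${{inputs.name}}v} is missing the hyphen before v, so for a tag such as fly-io-metadata-v1.0.0 nothing is stripped and --version receives the whole, unquoted ref; the artifact_name line ends in tr '- "', which as written is a single-set tr without -d or -s (it errors and leaves artifact_name empty) rather than the tr '-' '_' used in the Build step; the release if: embeds ${{inputs.name}} inside an expression, which is more reliably written as startsWith(github.ref, format('refs/tags/{0}-v', inputs.name)); and the two emptiness checks use an unquoted [ -z $WASH_SUBJECT_KEY ], which only passes by accident of the one-argument test form, so quote them as cloud-hello.yml does.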
3 changes: 2 additions & 1 deletion cloud-hello/src/lib.rs
@@ -1,3 +1,4 @@
#![allow(clippy::missing_safety_doc)]
wit_bindgen::generate!();

use axum::{
@@ -18,7 +19,7 @@ use std::{collections::BTreeMap, io::Write};
use tower_service::Service;
use wasi::http::types::*;
use wasi::logging::logging::*;
use wrpc::keyvalue::{atomics, batch, store};
use wrpc::keyvalue::{atomics, store};

mod helpers;
use helpers::*;
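Review bot: #![allow(clippy::missing_safety_doc)] is crate-wide, so it also silences the lint for any hand-written unsafe fn in helpers and the rest of lib.rs, not only the wit_bindgen::generate!() output that presumably triggers it. If the generated bindings are the only source, scope the allow to them (an inner mod carrying the attribute around the generate! call, with the use paths adjusted) so the cargo clippy job added in the workflows keeps checking the project's own unsafe code. Dropping the unused batch import looks fine.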