Skip to content

security upgrade for h2 and upgrade to rust 1.77.1 (#28) #53

security upgrade for h2 and upgrade to rust 1.77.1 (#28)

security upgrade for h2 and upgrade to rust 1.77.1 (#28) #53

Workflow file for this run

name: nix:deploy
on:
push:
branches:
- main
tags:
- 'v*'
jobs:
binary:
name: deploy::binary
runs-on: ubuntu-latest
steps:
- name: Checkout πŸ›ŽοΈ
uses: actions/checkout@v3
- name: Install Nix ❄
uses: DeterminateSystems/nix-installer-action@v4
- name: Link Cachix πŸ”Œ
uses: cachix/cachix-action@v12
with:
name: '${{ vars.CACHIX_CACHE_NAME }}'
authToken: '${{ secrets.CACHIX_CACHE_AUTH_TOKEN }}'
- name: Login to GitHub Container Registry πŸ“¦
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: build the crate using nix πŸ”¨
run: nix build --print-build-logs
- name: Create release πŸš€
uses: actions/upload-artifact@v3
with:
name: mongodb-connector
path: result/bin/mongodb-connector
docker:
name: deploy::docker
needs: binary
runs-on: ubuntu-latest
steps:
- name: Checkout πŸ›ŽοΈ
uses: actions/checkout@v3
- name: Install Nix ❄
uses: DeterminateSystems/nix-installer-action@v4
- name: Link Cachix πŸ”Œ
uses: cachix/cachix-action@v12
with:
name: '${{ vars.CACHIX_CACHE_NAME }}'
authToken: '${{ secrets.CACHIX_CACHE_AUTH_TOKEN }}'
- name: Login to GitHub Container Registry πŸ“¦
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Deploy πŸš€
run: nix run .#publish-docker-image ${{ github.ref }}
connector-definition:
# For now, only run on tagged releases because main builds generate a Docker image tag name that
# is not easily accessible here
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build connector definition
run: |
set -e pipefail
export DOCKER_IMAGE="ghcr.io/hasura/ndc-mongodb:$GITHUB_REF_NAME"
export CLI_VERSION=$GITHUB_REF_NAME
make build
working-directory: ./connector-definition
- uses: actions/upload-artifact@v4
with:
name: connector-definition.tgz
path: ./connector-definition/dist/connector-definition.tgz
compression-level: 0 # Already compressed
build-cli-binaries:
name: build the CLI binaries
strategy:
matrix:
include:
- runner: ubuntu-latest
target: x86_64-unknown-linux-musl
rustflags: -C target-feature=+crt-static
linux-packages: musl-tools
- runner: ubuntu-latest
target: aarch64-unknown-linux-musl
rustflags: -C target-feature=+crt-static
linux-packages: gcc-aarch64-linux-gnu musl-tools
linker: /usr/bin/aarch64-linux-gnu-gcc
- runner: macos-latest
target: x86_64-apple-darwin
- runner: macos-latest
target: aarch64-apple-darwin
- runner: windows-latest
target: x86_64-pc-windows-msvc
rustflags: -C target-feature=+crt-static
extension: .exe
runs-on: ${{ matrix.runner }}
env:
CARGO_BUILD_TARGET: ${{ matrix.target }}
CARGO_NET_GIT_FETCH_WITH_CLI: "true"
RUSTFLAGS: "-D warnings ${{ matrix.rustflags }}"
defaults:
run:
shell: bash
steps:
- uses: actions/checkout@v4
- name: install protoc
uses: arduino/setup-protoc@v3
with:
version: "25.x"
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: install tools
run: |
rustup show
rustup target add ${{ matrix.target }}
- name: install other packages required
if: matrix.linux-packages
run: |
sudo apt-get update
sudo apt-get install -y ${{ matrix.linux-packages }}
- uses: Swatinem/rust-cache@v2
with:
shared-key: "build" # share the cache across jobs
- name: build the CLI
run: |
# If we're on a tag, use the tag name as the release version.
if [[ "$GITHUB_REF_TYPE" == 'tag' ]]; then
# Ensure that the version specified in Cargo.toml is the same as the tag (with a 'v' prefix).
CARGO_VERSION="$(cargo metadata --format-version=1 | jq -r '.packages | .[] | select(.name == "mongodb-cli-plugin") | .version')"
echo "Git tag: ${GITHUB_REF_NAME}"
echo "Cargo version: ${CARGO_VERSION}"
if [[ "${GITHUB_REF_NAME}" != "v${CARGO_VERSION}" ]]; then
echo >&2 "The Git tag is \"${GITHUB_REF_NAME}\", but the version in Cargo.toml is \"${CARGO_VERSION}\"."
echo >&2 'These must be the same, with a "v" prefix for the tag. Aborting.'
exit 1
fi
export RELEASE_VERSION="$GITHUB_REF_NAME"
echo "RELEASE_VERSION = ${RELEASE_VERSION}"
fi
if [[ -n '${{ matrix.linker }}' ]]; then
TARGET_SCREAMING="$(echo '${{ matrix.target }}' | tr '[:lower:]' '[:upper:]' | tr '-' '_')"
echo "CARGO_TARGET_${TARGET_SCREAMING}_LINKER"='${{ matrix.linker }}'
declare "CARGO_TARGET_${TARGET_SCREAMING}_LINKER"='${{ matrix.linker }}'
export "CARGO_TARGET_${TARGET_SCREAMING}_LINKER"
fi
echo "Building for target: ${CARGO_BUILD_TARGET}"
cargo build --release --package=mongodb-cli-plugin
mkdir -p release
mv -v target/${{ matrix.target }}/release/mongodb-cli-plugin release/mongodb-cli-plugin-${{ matrix.target }}${{ matrix.extension }}
- uses: actions/upload-artifact@v4
with:
name: mongodb-cli-plugin-${{ matrix.target }}${{ matrix.extension }}
path: release
if-no-files-found: error
release:
name: release to GitHub
needs:
- docker
- connector-definition
- build-cli-binaries
runs-on: ubuntu-latest
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
path: release/artifacts
merge-multiple: true
- name: generate SHA-256 checksums
run: |
cd release/artifacts
sha256sum * > ./sha256sum
cat ./sha256sum
- name: generate CLI manifest
run: |
export VERSION="$GITHUB_REF_NAME"
./scripts/generate-manifest.sh
- uses: actions/upload-artifact@v4
with:
name: manifest.yaml
path: release/manifest.yaml
if-no-files-found: error
- name: Get version from tag
id: get-version
run: |
echo "tagged_version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
shell: bash
- uses: mindsers/changelog-reader-action@v2
id: changelog-reader
with:
version: ${{ steps.get-version.outputs.tagged_version }}
path: ./CHANGELOG.md
- name: create a draft release
uses: ncipollo/release-action@v1
with:
draft: true
tag: v${{ steps.get-version.outputs.tagged_version }}
body: ${{ steps.changelog-reader.outputs.changes }}
artifacts: release/artifacts/*