.github/workflows/release: no cargo publish if the repo is not upstream #31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# yaml-language-server: $schema=https://json.schemastore.org/github-action.json | ||
name: Release | ||
run-name: ${{ inputs.crate }}@${{ inputs.version }} (DryRun:${{ inputs.dry_run }}) | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
dry_run: | ||
description: "Run the release without actually releasing bits" | ||
type: boolean | ||
default: true | ||
crate: | ||
description: "The crate to release" | ||
required: true | ||
type: choice | ||
options: | ||
- containerd-shim-wasm-test-modules | ||
- oci-tar-builder | ||
- containerd-shim-wasm | ||
# shims | ||
- containerd-shim-wasmer | ||
- containerd-shim-wasmedge | ||
- containerd-shim-wasmtime | ||
version: | ||
description: "The version of the crate to release. (e.g., 1.2.3)" | ||
type: string | ||
required: true | ||
concurrency: | ||
group: release-${{ github.workflow }}-${{ inputs.crate }}-${{ inputs.version }} | ||
cancel-in-progress: true | ||
env: | ||
CARGO_TERM_COLOR: always | ||
jobs: | ||
pre-release: | ||
name: pre-release checks | ||
runs-on: "ubuntu-latest" | ||
outputs: | ||
crate: ${{ inputs.crate }} | ||
runtime: ${{ steps.runtime_sub.outputs.runtime }} | ||
version: ${{ inputs.version }} | ||
### is_shim is a string, not a boolean, so use: is_shim == 'true' | ||
is_shim: ${{ steps.runtime_sub.outputs.is_shim }} | ||
steps: | ||
- name: Fail if branch is not main | ||
if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main' | ||
run: | | ||
echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main" | ||
exit 1 | ||
- uses: actions/checkout@v4 | ||
### Determine the name of the runtime and if it is a binary release or crates.io | ||
- name: verify version input | ||
uses: actions/github-script@v7 | ||
with: | ||
script: | | ||
const version = '${{ inputs.version }}'; | ||
if(!version.match(/^[0-9]+.[0-9]+.*/)) { | ||
core.setFailed(`The version '${version}' does not match regex /^[0-9]+.[0-9]+.*/.`); | ||
} | ||
- name: substring runtime | ||
id: runtime_sub | ||
uses: actions/github-script@v7 | ||
with: | ||
script: | | ||
const crate = '${{ inputs.crate }}'; | ||
const runtime = crate.replace(/^containerd-shim-/, ''); | ||
const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder']; | ||
if (non_shim_crates.includes(runtime)) { | ||
core.setOutput('runtime', 'common'); | ||
core.setOutput('is_shim', false) | ||
} else { | ||
core.setOutput('runtime', runtime); | ||
core.setOutput('is_shim', true); | ||
} | ||
### If we are releasing a crate rather than producing a bin, check for crates.io access | ||
<<<<<<< Updated upstream | ||
- name: Check crates.io ownership | ||
if: ${{ steps.runtime_sub.outputs.is_shim != 'true' }} | ||
======= | ||
- name: Add crates.io ownership | ||
if: ${{ steps.runtime_sub.outputs.is_shim != 'true' && github.repository == 'containerd/runwasi' }} | ||
>>>>>>> Stashed changes | ||
run: | | ||
cargo owner --list ${{ inputs.crate }} | grep github:containerd:runwasi-committers || \ | ||
cargo owner --add github:containerd:runwasi-committers ${{ inputs.crate }} | ||
env: | ||
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }} | ||
- name: Verify version matches | ||
run: | | ||
if [ "$(grep -c "version = \"${{ inputs.version }}\"" crates/${{ inputs.crate }}/Cargo.toml)" -ne 1 ]; then | ||
echo "::error::Version in Cargo.toml does not match the version input" | ||
exit 1 | ||
fi | ||
build-and-sign: | ||
permissions: | ||
id-token: write | ||
needs: | ||
- pre-release | ||
strategy: | ||
matrix: | ||
arch: ["x86_64", "aarch64"] | ||
include: | ||
- ${{ needs.pre-release.outputs }} | ||
uses: ./.github/workflows/action-build.yml | ||
with: | ||
os: "ubuntu-22.04" | ||
runtime: ${{ matrix.runtime }} | ||
target: "${{ matrix.arch }}-unknown-linux-musl" | ||
slug: "${{ matrix.arch }}-linux-musl" | ||
arch: ${{ matrix.arch }} | ||
sign: true | ||
release: | ||
permissions: | ||
contents: write | ||
needs: | ||
- pre-release | ||
- build-and-sign | ||
strategy: | ||
matrix: | ||
os: ["ubuntu-latest"] | ||
include: | ||
- ${{ needs.pre-release.outputs }} | ||
runs-on: ${{ matrix.os }} | ||
steps: | ||
- name: Matrix description | ||
run: | | ||
echo "::notice::Running job with dry_run: '${{ inputs.dry_run }}', crate: '${{ matrix.crate }}', version: '${{ matrix.version }}', runtime: '${{ matrix.runtime }}', and is_shim: '${{ matrix.is_shim }}'." | ||
- uses: actions/checkout@v4 | ||
- name: Setup build env | ||
run: ./scripts/setup-linux.sh | ||
- name: Download artifacts | ||
if: ${{ matrix.is_shim == 'true' }} | ||
uses: actions/download-artifact@master | ||
with: | ||
path: release | ||
- name: Cargo publish | ||
if: ${{ matrix.is_shim != 'true' && github.repository == 'containerd/runwasi' }} | ||
run: cargo publish ${{ inputs.dry_run && '--dry-run' || '' }} --package ${{ matrix.crate }} --verbose --locked | ||
env: | ||
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }} | ||
- name: Tag the the release | ||
if: ${{ !inputs.dry_run }} | ||
run: | | ||
git tag "${{matrix.crate}}/v${{matrix.version}}" | ||
git push origin "${{matrix.crate}}/v${{matrix.version}}" | ||
- name: Extract release notes | ||
if: ${{ matrix.crate == 'containerd-shim-wasm' && !inputs.dry_run }} | ||
run: | ||
cd $GITHUB_WORKSPACE | ||
./scripts/extract-changelog.sh ${{matrix.version}} > RELEASE_NOTES.md | ||
cat RELEASE_NOTES.md | ||
- name: Create release | ||
if: ${{ !inputs.dry_run }} | ||
run: | | ||
TAG_NAME=${{matrix.version}} | ||
if [[ "$TAG_NAME" =~ .+-pre.* ]]; then | ||
PRERELEASE_ARGS="--prerelease --latest=false" | ||
else | ||
PRERELEASE_ARGS="" | ||
fi | ||
gh release create 'refs/tags/${{matrix.crate}}/v${{matrix.version}}' \ | ||
--title "${{matrix.crate}}/v${{matrix.version}}" \ | ||
--notes-file RELEASE_NOTES.md \ | ||
--verify-tag \ | ||
$PRERELEASE_ARGS | ||
env: | ||
GH_TOKEN: ${{ github.token }} | ||
RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }} | ||
- name: Upload release artifacts | ||
if: ${{ matrix.is_shim == 'true' && !inputs.dry_run }} | ||
run: | | ||
for i in release/*/*; do | ||
gh release upload ${RELEASE_NAME} $i | ||
done | ||
env: | ||
GH_TOKEN: ${{ github.token }} | ||
RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }} |