.github/workflows/release: no cargo publish if the repo is not upstream #31

Workflow file for this run

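# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
# Manually dispatched release workflow. The inputs select the crate, the
# version, and whether the run is a dry run.
name: Release
run-name: ${{ inputs.crate }}@${{ inputs.version }} (DryRun:${{ inputs.dry_run }})

on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Run the release without actually releasing bits"
        type: boolean
        default: true
      crate:
        description: "The crate to release"
        required: true
        type: choice
        options:
          - containerd-shim-wasm-test-modules
          - oci-tar-builder
          - containerd-shim-wasm
          # shims
          - containerd-shim-wasmer
          - containerd-shim-wasmedge
          - containerd-shim-wasmtime
      version:
        description: "The version of the crate to release. (e.g., 1.2.3)"
        type: string
        required: true

# Least-privilege default for GITHUB_TOKEN. Jobs that declare their own
# `permissions` block replace this default entirely.
permissions:
  contents: read

concurrency:
  group: release-${{ github.workflow }}-${{ inputs.crate }}-${{ inputs.version }}
  # NOTE(review): a second dispatch for the same crate and version cancels the
  # run already in progress. If that run has published or tagged but not yet
  # created the release, it is left half-done; consider `false` here.
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always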
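jobs:
  # Validates the dispatch inputs and derives the values the later jobs read
  # through `needs.pre-release.outputs`.
  pre-release:
    name: pre-release checks
    runs-on: "ubuntu-latest"
    outputs:
      crate: ${{ inputs.crate }}
      runtime: ${{ steps.runtime_sub.outputs.runtime }}
      version: ${{ inputs.version }}
      ### is_shim is a string, not a boolean, so use: is_shim == 'true'
      is_shim: ${{ steps.runtime_sub.outputs.is_shim }}
    steps:
      - name: Fail if branch is not main
        if: github.event_name == 'workflow_dispatch' && github.ref != 'refs/heads/main'
        run: |
          echo "::error::This workflow should not be triggered with workflow_dispatch on a branch other than main"
          exit 1
      - uses: actions/checkout@v4
      # The free-form `version` input is handed to the script through the
      # environment. Expanding `${{ inputs.version }}` inside the script text
      # would let the input change the script before any check could run.
      - name: verify version input
        uses: actions/github-script@v7
        env:
          RELEASE_VERSION: ${{ inputs.version }}
        with:
          script: |
            const version = process.env.RELEASE_VERSION;
            // Anchored MAJOR.MINOR.PATCH[-prerelease][+build]. The dots are
            // escaped and no other characters are accepted, because the value
            // is later used in shell commands and in a git tag name.
            const semver = /^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
            if (!semver.test(version)) {
              core.setFailed(`The version '${version}' is not of the form MAJOR.MINOR.PATCH[-prerelease][+build].`);
            }
      ### Determine the name of the runtime and if it is a binary release or crates.io
      - name: substring runtime
        id: runtime_sub
        uses: actions/github-script@v7
        env:
          RELEASE_CRATE: ${{ inputs.crate }}
        with:
          script: |
            const crate = process.env.RELEASE_CRATE;
            const runtime = crate.replace(/^containerd-shim-/, '');
            const non_shim_crates = ['wasm', 'wasm-test-modules', 'oci-tar-builder'];
            if (non_shim_crates.includes(runtime)) {
              core.setOutput('runtime', 'common');
              core.setOutput('is_shim', false);
            } else {
              core.setOutput('runtime', runtime);
              core.setOutput('is_shim', true);
            }
      ### If we are releasing a crate rather than producing a bin, check for crates.io access
      # NOTE(review): the file was committed with unresolved merge-conflict
      # markers, which made the workflow invalid. They are resolved here in
      # favour of the variant carrying the `github.repository` guard, which
      # matches the guard on the "Cargo publish" step. Confirm this is the
      # intended side.
      - name: Add crates.io ownership
        if: ${{ steps.runtime_sub.outputs.is_shim != 'true' && github.repository == 'containerd/runwasi' }}
        run: |
          cargo owner --list "${RELEASE_CRATE}" | grep github:containerd:runwasi-committers || \
            cargo owner --add github:containerd:runwasi-committers "${RELEASE_CRATE}"
        env:
          RELEASE_CRATE: ${{ inputs.crate }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
      - name: Verify version matches
        run: |
          # -F: match the version literally; an unescaped '.' would match any character.
          if [ "$(grep -cF "version = \"${RELEASE_VERSION}\"" "crates/${RELEASE_CRATE}/Cargo.toml")" -ne 1 ]; then
            echo "::error::Version in Cargo.toml does not match the version input"
            exit 1
          fi
        env:
          RELEASE_CRATE: ${{ inputs.crate }}
          RELEASE_VERSION: ${{ inputs.version }}

  # Calls the reusable build workflow once per architecture.
  build-and-sign:
    permissions:
      # Lets the called workflow request an OIDC token; presumably used for
      # signing (`sign: true`) - confirm in action-build.yml.
      id-token: write
    needs:
      - pre-release
    strategy:
      matrix:
        arch: ["x86_64", "aarch64"]
        include:
          - ${{ needs.pre-release.outputs }}
    uses: ./.github/workflows/action-build.yml
    with:
      os: "ubuntu-22.04"
      runtime: ${{ matrix.runtime }}
      target: "${{ matrix.arch }}-unknown-linux-musl"
      slug: "${{ matrix.arch }}-linux-musl"
      arch: ${{ matrix.arch }}
      sign: true

  # Publishes the crate (non-shim crates, upstream repository only), pushes the
  # tag and creates the GitHub release. Tagging, release creation and upload
  # are skipped on dry runs.
  release:
    permissions:
      contents: write
    needs:
      - pre-release
      - build-and-sign
    strategy:
      matrix:
        os: ["ubuntu-latest"]
        include:
          - ${{ needs.pre-release.outputs }}
    runs-on: ${{ matrix.os }}
    steps:
      # Every step below receives workflow values through `env` and quotes
      # them in the shell, instead of expanding `${{ ... }}` into the script.
      - name: Matrix description
        run: |
          echo "::notice::Running job with dry_run: '${DRY_RUN}', crate: '${RELEASE_CRATE}', version: '${RELEASE_VERSION}', runtime: '${RUNTIME}', and is_shim: '${IS_SHIM}'."
        env:
          DRY_RUN: ${{ inputs.dry_run }}
          RELEASE_CRATE: ${{ matrix.crate }}
          RELEASE_VERSION: ${{ matrix.version }}
          RUNTIME: ${{ matrix.runtime }}
          IS_SHIM: ${{ matrix.is_shim }}
      - uses: actions/checkout@v4
      - name: Setup build env
        run: ./scripts/setup-linux.sh
      # NOTE(review): `@master` is a moving branch, so the code that runs in
      # this job (which has `contents: write`) can change without any commit
      # to this repository. Pin to a release tag or a full commit SHA that is
      # compatible with the upload step in action-build.yml.
      - name: Download artifacts
        if: ${{ matrix.is_shim == 'true' }}
        uses: actions/download-artifact@master
        with:
          path: release
      - name: Cargo publish
        if: ${{ matrix.is_shim != 'true' && github.repository == 'containerd/runwasi' }}
        # The dry-run expression expands to one of two fixed literals.
        run: |
          cargo publish ${{ inputs.dry_run && '--dry-run' || '' }} --package "${RELEASE_CRATE}" --verbose --locked
        env:
          RELEASE_CRATE: ${{ matrix.crate }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_PUBLISH_TOKEN }}
      - name: Tag the the release
        if: ${{ !inputs.dry_run }}
        run: |
          git tag "${RELEASE_NAME}"
          git push origin "${RELEASE_NAME}"
        env:
          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
      - name: Extract release notes
        if: ${{ matrix.crate == 'containerd-shim-wasm' && !inputs.dry_run }}
        # `run: |` keeps the three commands on separate lines. As a plain
        # scalar they fold into one line and `cd` receives them as arguments.
        run: |
          cd "$GITHUB_WORKSPACE"
          ./scripts/extract-changelog.sh "${RELEASE_VERSION}" > RELEASE_NOTES.md
          cat RELEASE_NOTES.md
        env:
          RELEASE_VERSION: ${{ matrix.version }}
      # NOTE(review): RELEASE_NOTES.md is only generated above for
      # containerd-shim-wasm. For other crates `--notes-file` names a file
      # this workflow does not create - confirm it exists in the checkout.
      - name: Create release
        if: ${{ !inputs.dry_run }}
        run: |
          TAG_NAME="${RELEASE_VERSION}"
          if [[ "$TAG_NAME" =~ .+-pre.* ]]; then
            PRERELEASE_ARGS="--prerelease --latest=false"
          else
            PRERELEASE_ARGS=""
          fi
          # PRERELEASE_ARGS is left unquoted so it splits into separate flags.
          gh release create "refs/tags/${RELEASE_NAME}" \
            --title "${RELEASE_NAME}" \
            --notes-file RELEASE_NOTES.md \
            --verify-tag \
            $PRERELEASE_ARGS
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}
          RELEASE_VERSION: ${{ matrix.version }}
      - name: Upload release artifacts
        if: ${{ matrix.is_shim == 'true' && !inputs.dry_run }}
        run: |
          for i in release/*/*; do
            gh release upload "${RELEASE_NAME}" "$i"
          done
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_NAME: ${{ matrix.crate }}/v${{ matrix.version }}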