From 6e051f52b956a67838680d04d229d61ee306a28d Mon Sep 17 00:00:00 2001 From: Alex Zenla Date: Wed, 17 Jul 2024 20:48:54 -0700 Subject: [PATCH] chore(workflows): rework and simplify github actions workflows (#260)
---
 .github/workflows/check.yml | 185 +++++++++++++++++- .github/workflows/client.yml | 46 ----- .github/workflows/nightly.yml | 103 ++++++---- ...elease-binaries.yml => release-assets.yml} | 101 ++++++---- .github/workflows/release-plz.yml | 15 +- .github/workflows/server.yml | 100 ---------- 6 files changed, 311 insertions(+), 239 deletions(-) delete mode 100644 .github/workflows/client.yml rename .github/workflows/{release-binaries.yml => release-assets.yml} (56%) delete mode 100644 .github/workflows/server.yml
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index b45a259..326d3e5 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -7,31 +7,196 @@ on: branches: - main jobs: - fmt: - name: fmt + rustfmt: + name: rustfmt runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - run: | + - name: install stable rust toolchain with rustfmt + run: | rustup update --no-self-update stable rustup default stable rustup component add rustfmt - - run: ./hack/ci/install-linux-deps.sh + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh # Temporarily ignored: https://github.com/edera-dev/krata/issues/206 - - run: ./hack/build/cargo.sh fmt --all -- --check || true + - name: cargo fmt + run: ./hack/build/cargo.sh fmt --all -- --check || true shellcheck: name: shellcheck runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - run: ./hack/code/shellcheck.sh + - name: shellcheck + run: ./hack/code/shellcheck.sh + full-build: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + arch: + - x86_64 + - aarch64 + env: + TARGET_ARCH: "${{ matrix.arch }}" + name: full build linux-${{ matrix.arch }} + steps: + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: checkout 
repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + submodules: recursive + - name: install stable rust toolchain + run: | + rustup update --no-self-update stable + rustup default stable + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh + - name: cargo build + run: ./hack/build/cargo.sh build + full-test: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + arch: + - x86_64 + - aarch64 + env: + TARGET_ARCH: "${{ matrix.arch }}" + name: full test linux-${{ matrix.arch }} + steps: + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + submodules: recursive + - name: install stable rust toolchain + run: | + rustup update --no-self-update stable + rustup default stable + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh + - name: cargo test + run: ./hack/build/cargo.sh test + full-clippy: + runs-on: ubuntu-latest + strategy: + matrix: + arch: + - x86_64 + - aarch64 + env: + TARGET_ARCH: "${{ matrix.arch }}" + name: full clippy linux-${{ matrix.arch }} + steps: + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + submodules: recursive + - name: install stable rust toolchain with clippy + run: | + rustup update --no-self-update stable + rustup default stable + rustup component add clippy + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh + - name: cargo clippy + run: ./hack/build/cargo.sh clippy + guest-init: + runs-on: ubuntu-latest + strategy: + matrix: + arch: + - x86_64 + - aarch64 + env: + TARGET_ARCH: "${{ matrix.arch }}" + name: 
guest-init ${{ matrix.arch }} + steps: + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + submodules: recursive + - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets + run: | + rustup update --no-self-update stable + rustup default stable + rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh + - name: initrd build + run: ./hack/initrd/build.sh + kratactl-build: + strategy: + fail-fast: false + matrix: + platform: + - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux } + - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux } + - { os: darwin, arch: x86_64, on: macos-14, deps: darwin } + - { os: darwin, arch: aarch64, on: macos-14, deps: darwin } + - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux } + - { os: windows, arch: x86_64, on: windows-latest, deps: windows } + env: + TARGET_OS: "${{ matrix.platform.os }}" + TARGET_ARCH: "${{ matrix.platform.arch }}" + runs-on: "${{ matrix.platform.on }}" + name: kratactl build ${{ matrix.platform.os }}-${{ matrix.platform.arch }} + defaults: + run: + shell: bash + steps: + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: configure git line endings + run: git config --global core.autocrlf false && git config --global core.eol lf + if: ${{ matrix.platform.os == 'windows' }} + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + submodules: recursive + - name: install stable rust toolchain + run: | + rustup update --no-self-update stable + rustup 
default stable + - name: install ${{ matrix.platform.arch }}-apple-darwin rust target + run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin" + if: ${{ matrix.platform.os == 'darwin' }} + - name: setup homebrew + uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master + if: ${{ matrix.platform.os == 'darwin' }} + - name: install ${{ matrix.platform.deps }} dependencies + run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh + - name: cargo build kratactl + run: ./hack/build/cargo.sh build --bin kratactl diff --git a/.github/workflows/client.yml b/.github/workflows/client.yml deleted file mode 100644 index 499fe28..0000000 --- a/.github/workflows/client.yml +++ /dev/null 
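Review bot: The new `full-clippy` and `guest-init` jobs declare `strategy: matrix:` without `fail-fast: false`, while the sibling `full-build`, `full-test` and `kratactl-build` jobs in the same hunk set it; with the default fail-fast, a failure on one `arch` cancels the other matrix leg, so a reviewer cannot tell whether a clippy or initrd failure is arch-specific. Add `fail-fast: false` under `strategy:` in both jobs so all four matrix jobs in this file behave the same way, e.g. `strategy:` / `  fail-fast: false` / `  matrix:`. The hunk's enclosing `jobs:` mapping starts before the hunk, so I have not checked whether earlier jobs follow the same convention.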
@@ -1,46 +0,0 @@ -name: client -on: - pull_request: - branches: - - main - merge_group: - branches: - - main -jobs: - build: - strategy: - fail-fast: false - matrix: - platform: - - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux } - - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux } - - { os: darwin, arch: x86_64, on: macos-14, deps: darwin } - - { os: darwin, arch: aarch64, on: macos-14, deps: darwin } - - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux } - - { os: windows, arch: x86_64, on: windows-latest, deps: windows } - env: - TARGET_OS: "${{ matrix.platform.os }}" - TARGET_ARCH: "${{ matrix.platform.arch }}" - runs-on: "${{ matrix.platform.on }}" - name: client build ${{ matrix.platform.os }}-${{ matrix.platform.arch }} - defaults: - run: - shell: bash - steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - run: git config --global core.autocrlf false && git config --global core.eol lf - if: ${{ matrix.platform.os == 'windows' }} - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - submodules: recursive - - run: | - rustup update --no-self-update stable - rustup default stable - - run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin" - if: ${{ matrix.platform.os == 'darwin' }} - - uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master - if: ${{ matrix.platform.os == 'darwin' }} - - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh - - run: ./hack/build/cargo.sh build --bin kratactl diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index c71de9b..f465bee 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -6,7 +6,7 @@ on: permissions: contents: read jobs: - server: + full-build: runs-on: ubuntu-latest strategy: fail-fast: false 
@@ -16,46 +16,48 @@ jobs: - aarch64 env: TARGET_ARCH: "${{ matrix.arch }}" - name: nightly server ${{ matrix.arch }} + name: nightly full build ${{ matrix.arch }} steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - run: | + - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets + run: | rustup update --no-self-update stable rustup default stable rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl - - run: ./hack/ci/install-linux-deps.sh - - run: ./hack/dist/bundle.sh - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh + - name: build systemd bundle + run: ./hack/dist/bundle.sh + - name: upload systemd bundle + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: krata-bundle-systemd-${{ matrix.arch }} path: "target/dist/bundle-systemd-${{ matrix.arch }}.tgz" compression-level: 0 - - run: ./hack/dist/deb.sh - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - name: build deb package + run: ./hack/dist/deb.sh + - name: upload deb package + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: krata-debian-${{ matrix.arch }} path: "target/dist/*.deb" compression-level: 0 - - run: ./hack/dist/apk.sh - env: - KRATA_KERNEL_BUILD_SKIP: "1" - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - name: build apk package + 
run: ./hack/dist/apk.sh + - name: upload apk package + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: krata-alpine-${{ matrix.arch }} path: "target/dist/*_${{ matrix.arch }}.apk" compression-level: 0 - - run: ./hack/os/build.sh - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: krata-os-${{ matrix.arch }} - path: "target/os/krata-${{ matrix.arch }}.qcow2" - compression-level: 0 - client: + kratactl-build: strategy: fail-fast: false matrix: 
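Review bot: The `build apk package` step no longer passes `KRATA_KERNEL_BUILD_SKIP: "1"` to `./hack/dist/apk.sh`, which the replaced lines did; the commit message describes a rename and simplification, so it is unclear whether dropping that variable is intended, and what the script does with it is not visible here. If the nightly apk build is now meant to build the kernel, a one-line comment above the step (`# kernel build is no longer skipped for nightly apk packages`) would stop the next reader from asking the same question; otherwise restore `env:` / `  KRATA_KERNEL_BUILD_SKIP: "1"` on that step.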
@@ -70,39 +72,49 @@ jobs: TARGET_OS: "${{ matrix.platform.os }}" TARGET_ARCH: "${{ matrix.platform.arch }}" runs-on: "${{ matrix.platform.on }}" - name: nightly client ${{ matrix.platform.os }}-${{ matrix.platform.arch }} + name: nightly kratactl build ${{ matrix.platform.os }}-${{ matrix.platform.arch }} defaults: run: shell: bash steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - run: git config --global core.autocrlf false && git config --global core.eol lf + - name: configure git line endings + run: git config --global core.autocrlf false && git config --global core.eol lf if: ${{ matrix.platform.os == 'windows' }} - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - run: | + - name: install stable rust toolchain + run: | rustup update --no-self-update stable rustup default stable - - run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin" + - name: install ${{ matrix.platform.arch }}-apple-darwin rust target + run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin" if: ${{ matrix.platform.os == 'darwin' }} - - uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master + - name: setup homebrew + uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master if: ${{ matrix.platform.os == 'darwin' }} - - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh - - run: ./hack/build/cargo.sh build --release --bin kratactl - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - name: install ${{ matrix.platform.deps }} dependencies + run: ./hack/ci/install-${{ matrix.platform.deps 
}}-deps.sh + - name: cargo build kratactl + run: ./hack/build/cargo.sh build --release --bin kratactl + - name: upload kratactl + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }} path: "target/*/release/kratactl" if: ${{ matrix.platform.os != 'windows' }} - - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + - name: upload kratactl + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 with: name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }} path: "target/*/release/kratactl.exe" if: ${{ matrix.platform.os == 'windows' }} - oci: + oci-build: runs-on: ubuntu-latest strategy: fail-fast: false 
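Review bot: Both upload steps at the end of `kratactl-build` carry the identical name `upload kratactl`, distinguished only by their `if:` conditions, so the job log and any step reference show two indistinguishable entries. Put the platform in the name of the Windows variant, e.g. `- name: upload kratactl (windows)` for the `kratactl.exe` upload. The same pair of identical names appears for the two `assemble kratactl executable` steps in the `kratactl` job of release-assets.yml.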
@@ -112,32 +124,39 @@ jobs: - kratad - kratanet - krata-guest-init - name: "oci build ${{ matrix.component }}" + name: nightly oci build ${{ matrix.component }} permissions: packages: write steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + - name: install cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: setup docker buildx + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + - name: login to container registry + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ghcr.io username: "${{ github.actor }}" password: "${{ secrets.GITHUB_TOKEN }}" - - uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0 + - name: docker build and push ${{ matrix.component }} + uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0 id: push with: file: ./images/Dockerfile.${{ matrix.component }} platforms: linux/amd64,linux/aarch64 tags: "ghcr.io/edera-dev/${{ matrix.component }}:nightly" push: true - - env: + - name: cosign sign ${{ matrix.component }} + run: cosign sign --yes "${TAGS}@${DIGEST}" + env: DIGEST: "${{ steps.push.outputs.digest }}" TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:nightly" COSIGN_EXPERIMENTAL: "true" - run: cosign sign --yes "${TAGS}@${DIGEST}" 
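Review bot: The `cosign sign ${{ matrix.component }}` step signs keylessly (no key is supplied), but the job's `permissions:` block grants only `packages: write`; a job-level block replaces the workflow's `contents: read` entirely, so unless an identity token reaches the step by some route outside this hunk, the runner has no `id-token: write` and cosign cannot obtain a GitHub OIDC token. Add `id-token: write` next to `packages: write`, and apply the same to the `oci` job in release-assets.yml, which has the same layout. `COSIGN_EXPERIMENTAL: "true"` was the cosign v1 opt-in for keyless signing; if the pinned cosign-installer v3.5.0 installs its default cosign v2, where keyless is the standard path, the variable is a leftover and deserves either removal or a comment saying why it is kept.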
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-assets.yml
similarity index 56%
rename from .github/workflows/release-binaries.yml
rename to .github/workflows/release-assets.yml
index a3b876a..9dc3334 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-assets.yml
@@ -1,4 +1,4 @@ -name: release-binaries +name: release-assets on: release: types:
@@ -11,7 +11,7 @@ env: RUST_BACKTRACE: 1 RUSTUP_MAX_RETRIES: 10 jobs: - server: + services: runs-on: ubuntu-latest strategy: fail-fast: false
@@ -21,31 +21,42 @@ jobs: - aarch64 env: TARGET_ARCH: "${{ matrix.arch }}" - name: "release-binaries server ${{ matrix.arch }}" + name: release-assets services ${{ matrix.arch }} permissions: contents: write steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - run: | + - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets + run: | rustup update --no-self-update stable rustup default stable rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl - - run: ./hack/ci/install-linux-deps.sh - - run: ./hack/dist/bundle.sh - - run: "./hack/ci/assemble-release-assets.sh bundle-systemd ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/bundle-systemd-${{ matrix.arch }}.tgz" - - run: ./hack/dist/deb.sh - - run: "./hack/ci/assemble-release-assets.sh debian ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*.deb" - - run: ./hack/dist/apk.sh - - run: "./hack/ci/assemble-release-assets.sh alpine ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*_${{ matrix.arch }}.apk" - - run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}" + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh + - name: build systemd bundle + run: ./hack/dist/bundle.sh + - name: assemble systemd bundle + run: "./hack/ci/assemble-release-assets.sh bundle-systemd ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/bundle-systemd-${{ matrix.arch }}.tgz" + - name: build deb package + run: 
./hack/dist/deb.sh + - name: assemble deb package + run: "./hack/ci/assemble-release-assets.sh debian ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*.deb" + - name: build apk package + run: ./hack/dist/apk.sh + - name: assemble apk package + run: "./hack/ci/assemble-release-assets.sh alpine ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*_${{ matrix.arch }}.apk" + - name: upload release artifacts + run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}" env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - client: + kratactl: strategy: fail-fast: false matrix: @@ -60,7 +71,7 @@ jobs: TARGET_OS: "${{ matrix.platform.os }}" TARGET_ARCH: "${{ matrix.platform.arch }}" runs-on: "${{ matrix.platform.on }}" - name: release-binaries client ${{ matrix.platform.os }}-${{ matrix.platform.arch }} + name: release-assets kratactl ${{ matrix.platform.os }}-${{ matrix.platform.arch }} defaults: run: shell: bash 
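Review bot: The `assemble …` and `upload release artifacts` steps interpolate `${{ github.event.release.tag_name }}` directly into the shell command line, so any character in the tag name that the shell treats specially is interpreted rather than passed as an argument; the exposure is limited because release tags come from collaborators with write access, but it is the pattern GitHub's own hardening guidance advises against. The cosign step in this same file already uses the safer form (`DIGEST` and `TAGS` via `env:`), so follow it here: add `RELEASE_TAG: "${{ github.event.release.tag_name }}"` to the job's existing `env:` block beside `TARGET_ARCH`, then write `run: ./hack/ci/assemble-release-assets.sh bundle-systemd "${RELEASE_TAG}" "${TARGET_ARCH}" target/dist/bundle-systemd-${TARGET_ARCH}.tgz` and likewise for the deb, apk and upload steps. The same applies to the assemble and upload steps of the `kratactl` job later in this file.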
@@ -68,26 +79,36 @@ jobs: permissions: contents: write steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - run: | + - name: install stable rust toolchain + run: | rustup update --no-self-update stable rustup default stable - - run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin" + - name: install ${{ matrix.platform.arch }}-apple-darwin rust target + run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin" if: ${{ matrix.platform.os == 'darwin' }} - - uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master + - name: setup homebrew + uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master if: ${{ matrix.platform.os == 'darwin' }} - - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh - - run: ./hack/build/cargo.sh build --release --bin kratactl - - run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl" + - name: install ${{ matrix.platform.deps }} dependencies + run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh + - name: cargo build kratactl + run: ./hack/build/cargo.sh build --release --bin kratactl + - name: assemble kratactl executable + run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl" if: ${{ matrix.platform.os != 'windows' }} - - run: "./hack/ci/assemble-release-assets.sh kratactl ${{ 
github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl.exe" + - name: assemble kratactl executable + run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl.exe" if: ${{ matrix.platform.os == 'windows' }} - - run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}" + - name: upload release artifacts + run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}" env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" oci: 
@@ -100,36 +121,44 @@ jobs: - kratad - kratanet - krata-guest-init - name: "release-binaries oci ${{ matrix.component }}" + name: release-assets oci ${{ matrix.component }} permissions: contents: write packages: write steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + - name: install cosign + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + - name: setup docker buildx + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + - name: login to container registry + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: ghcr.io username: "${{ github.actor }}" password: "${{ secrets.GITHUB_TOKEN }}" - - id: version + - name: capture krata version + id: version run: | echo "KRATA_VERSION=$(./hack/dist/version.sh)" >> "${GITHUB_OUTPUT}" - - uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0 + - name: docker build and push ${{ matrix.component }} + uses: docker/build-push-action@a254f8ca60a858f3136a2f1f23a60969f2c402dd # v6.4.0 id: push with: file: ./images/Dockerfile.${{ matrix.component }} platforms: linux/amd64,linux/aarch64 tags: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}" push: true - - env: + - name: cosign sign ${{ matrix.component }} + run: cosign sign --yes 
"${TAGS}@${DIGEST}" + env: DIGEST: "${{ steps.push.outputs.digest }}" TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}" COSIGN_EXPERIMENTAL: "true" - run: cosign sign --yes "${TAGS}@${DIGEST}" diff --git a/.github/workflows/release-plz.yml b/.github/workflows/release-plz.yml index cc874e7..c4fa7e5 100644 --- a/.github/workflows/release-plz.yml +++ b/.github/workflows/release-plz.yml @@ -14,23 +14,28 @@ jobs: pull-requests: write contents: write steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + - name: harden runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3 + - name: generate cultivator token + uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3 id: generate-token with: app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}" private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}" - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive fetch-depth: 0 token: "${{ steps.generate-token.outputs.token }}" - - run: | + - name: install stable rust toolchain + run: | rustup update --no-self-update stable rustup default stable - - run: ./hack/ci/install-linux-deps.sh + - name: install linux dependencies + run: ./hack/ci/install-linux-deps.sh - name: release-plz uses: MarcoIeni/release-plz-action@86afd21a7b114234aab55ba0005eed52f77d89e4 # v0.5.62 env: diff --git a/.github/workflows/server.yml b/.github/workflows/server.yml deleted file mode 100644 index 9b01b6a..0000000 --- a/.github/workflows/server.yml +++ /dev/null 
@@ -1,100 +0,0 @@ -name: server -on: - pull_request: - branches: - - main - merge_group: - branches: - - main -jobs: - build: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - arch: - - x86_64 - - aarch64 - env: - TARGET_ARCH: "${{ matrix.arch }}" - name: server build ${{ matrix.arch }} - steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - submodules: recursive - - run: | - rustup update --no-self-update stable - rustup default stable - - run: ./hack/ci/install-linux-deps.sh - - run: ./hack/build/cargo.sh build - test: - runs-on: ubuntu-latest - strategy: - matrix: - arch: - - x86_64 - - aarch64 - env: - TARGET_ARCH: "${{ matrix.arch }}" - name: server test ${{ matrix.arch }} - steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - submodules: recursive - - run: | - rustup update --no-self-update stable - rustup default stable - - run: ./hack/ci/install-linux-deps.sh - - run: ./hack/build/cargo.sh test - clippy: - runs-on: ubuntu-latest - strategy: - matrix: - arch: - - x86_64 - - aarch64 - env: - TARGET_ARCH: "${{ matrix.arch }}" - name: server clippy ${{ matrix.arch }} - steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - submodules: recursive - - run: | - rustup update --no-self-update stable - rustup default stable - rustup component add clippy - - run: ./hack/ci/install-linux-deps.sh - - run: ./hack/build/cargo.sh clippy - initrd: - runs-on: ubuntu-latest - strategy: - matrix: - arch: - - x86_64 - - aarch64 - env: - TARGET_ARCH: "${{ matrix.arch }}" - name: server initrd 
${{ matrix.arch }} - steps: - - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - submodules: recursive - - run: | - rustup update --no-self-update stable - rustup default stable - rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl - - run: ./hack/ci/install-linux-deps.sh - - run: ./hack/initrd/build.sh