diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ba76f62..7db7281 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,9 +4,11 @@ updates: directory: "/" schedule: interval: daily - open-pull-requests-limit: 10 - package-ecosystem: cargo directory: "/" schedule: interval: daily - open-pull-requests-limit: 10 +- package-ecosystem: rust-toolchain + directory: "/" + schedule: + interval: daily diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a53d0e8..ce44fbd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -3,7 +3,8 @@ name: CI on: push: branches: - - main + - '**' + - '!dependabot/**' tags: - 'v[0-9]+\.[0-9]+\.[0-9]+-?**' pull_request: {} @@ -22,6 +23,8 @@ jobs: run: cargo binstall --force cargo-component - name: Install wasm-tools run: cargo binstall --force wasm-tools + - name: Install wac-cli + run: cargo binstall --force wac-cli - name: Fetch wit run: make wit - name: Check for drift in generated wit @@ -41,18 +44,19 @@ jobs: working-directory: ./lib run: | for component in *.wasm ; do - echo "::group::${component}" + echo "::group::${component} ($(du -h ${component} | cut -f1 ))" wasm-tools component wit "${component}" echo "::endgroup::" done publish: - if: startsWith(github.ref, 'refs/tags/') + if: github.event_name == 'push' && ( startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' ) needs: - build permissions: contents: write packages: write + id-token: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -61,7 +65,10 @@ jobs: uses: cargo-bins/cargo-binstall@main - name: Install wkg run: cargo binstall --force wkg - - name: Get the version + - name: Install cosign + uses: sigstore/cosign-installer@v4.1.2 + - name: Get tag version + if: startsWith(github.ref, 'refs/tags/v') id: get_version run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} - name: Download components.tar 
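Review bot: The `publish` job now runs on every push to `main` and gains `id-token: write` on top of `contents: write` and `packages: write`, and those permissions apply to every step in the job, not only to the signing step. The next hunk shows the same job running `cargo-bins/cargo-binstall@main` (a moving branch) and `sigstore/cosign-installer@v4.1.2` (a tag that can be re-pointed), so an upstream change would execute with the ability to request an OIDC token and push packages. Pin both to full commit SHAs with the version kept as a trailing comment, for example `uses: sigstore/cosign-installer@<FULL_COMMIT_SHA> # v4.1.2`. The job's step list continues beyond this hunk.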
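Review bot: The `Get tag version` step is renamed and gated here but still emits its output with `::set-output`, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file. Since this value becomes the tag that is pushed and signed, I would switch the `run:` line to `echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"`.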
@@ -80,8 +87,9 @@ jobs: run: make publish env: REPOSITORY: "ghcr.io/${{ github.repository }}" - VERSION: "${{ steps.get_version.outputs.VERSION }}" + VERSION: "${{ case(github.ref == 'refs/heads/main', 'dev', steps.get_version.outputs.VERSION) }}" - name: Draft GitHub Release + if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v3 with: draft: true diff --git a/Makefile b/Makefile index c9eb511..17fb6a6 100644 --- a/Makefile +++ b/Makefile @@ -41,7 +41,7 @@ wit/deps: wkg.toml $(shell find wit -type f -name "*.wit" -not -path "deps") wkg wit fetch .PHONY: publish -publish: $(shell find lib -type f -name "*.wasm" | sed -e 's:^lib/:publish-:g') +publish: $(shell find lib -type f -name "*.wasm" -maxdepth 1 | sed -e 's:^lib/:publish-:g') .PHONY: publish-% publish-%: 
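Review bot: Nothing near the new `VERSION` expression says that pushes to `main` publish under a fixed `dev` tag that is overwritten on each commit, while release tags publish under the tag name. A one-line comment above `VERSION:` would make that explicit, e.g. `# main publishes the moving 'dev' tag; v* tags publish the tag name`. Because `dev` is mutable, consumers should verify the signature against the digest rather than rely on the tag.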
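Review bot: `-maxdepth 1` is placed after `-type f -name "*.wasm"` in the new `publish` prerequisite list; GNU find treats `-maxdepth` as a global option and prints a warning to stderr when it follows tests, which shows up on every make invocation. Moving it first gives the same result without the noise: `find lib -maxdepth 1 -type f -name "*.wasm"`.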
@@ -57,12 +57,20 @@ endif @$(eval REVISION := $(shell git rev-parse HEAD)$(shell git diff --quiet HEAD && echo "+dirty")) @$(eval TAG := $(shell echo "${VERSION}" | sed 's/[^a-zA-Z0-9_.\-]/--/g')) - wkg oci push \ - --annotation "org.opencontainers.image.title=${COMPONENT}" \ - --annotation "org.opencontainers.image.description=${DESCRIPTION}" \ - --annotation "org.opencontainers.image.version=${VERSION}" \ - --annotation "org.opencontainers.image.source=https://github.com/componentized/filesystem.git" \ - --annotation "org.opencontainers.image.revision=${REVISION}" \ - --annotation "org.opencontainers.image.licenses=Apache-2.0" \ - "${REPOSITORY}/${COMPONENT}:${TAG}" \ - "lib/${FILE}" + @echo "::group::${FILE} -> ${REPOSITORY}/${COMPONENT}:${TAG}" + @DIGEST=$$( \ + wkg oci push \ + --annotation "org.opencontainers.image.title=${COMPONENT}" \ + --annotation "org.opencontainers.image.description=${DESCRIPTION}" \ + --annotation "org.opencontainers.image.version=${VERSION}" \ + --annotation "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git" \ + --annotation "org.opencontainers.image.revision=${REVISION}" \ + --annotation "org.opencontainers.image.licenses=Apache-2.0" \ + "${REPOSITORY}/${COMPONENT}:${TAG}" \ + "lib/${FILE}" \ + 2>&1 \ + | tee /dev/stderr \ + | grep -o 'sha256:[a-f0-9]\{64\}' \ + ) ; \ + cosign sign --yes "${REPOSITORY}/${COMPONENT}:${TAG}@$${DIGEST}" + @echo "::endgroup::"
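Review bot: The digest handed to `cosign sign` is whatever `grep -o` extracts from the combined stdout/stderr of `wkg oci push`, and nothing checks that it is exactly one value. If the push fails, the command substitution's status is discarded by the `;` and cosign is invoked with an empty digest; if the output ever contains more than one `sha256:` string (I can't tell from here what wkg prints), `DIGEST` becomes multi-line and the reference being signed may not be the manifest that was pushed. I would de-duplicate the matches and abort unless exactly one remains, as below. The `publish-%` recipe starts above this hunk.

```makefile
# … unchanged: @echo "::group::…" and DIGEST=$$( wkg oci push … "lib/${FILE}" \ …
		2>&1 \
		| tee /dev/stderr \
		| grep -o 'sha256:[a-f0-9]\{64\}' \
		| sort -u \
	) ; \
	if [ "$$(printf '%s\n' "$${DIGEST}" | grep -c .)" -ne 1 ] ; then \
		echo "expected exactly one digest from wkg oci push, got: $${DIGEST}" >&2 ; \
		exit 1 ; \
	fi ; \
	cosign sign --yes "${REPOSITORY}/${COMPONENT}:${TAG}@$${DIGEST}"
```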