From 77a7a3670ab61954a8d7141efa6fae2ee95ff02f Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Wed, 10 Jun 2026 13:17:25 -0400 Subject: [PATCH] Maintenance - publish dev builds from main branch - sign images with cosign - drop cargo-component in favor of wasm-tools component new - manage rust toolchain with dependabot Signed-off-by: Scott Andrews --- .github/dependabot.yml | 6 ++++-- .github/workflows/ci.yaml | 20 +++++++++++++------- Makefile | 34 +++++++++++++++++++++------------- rust-toolchain.toml | 2 +- 4 files changed, 39 insertions(+), 23 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ba76f62..7db7281 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,9 +4,11 @@ updates: directory: "/" schedule: interval: daily - open-pull-requests-limit: 10 - package-ecosystem: cargo directory: "/" schedule: interval: daily - open-pull-requests-limit: 10 +- package-ecosystem: rust-toolchain + directory: "/" + schedule: + interval: daily diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d6c4798..dd0e991 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -3,7 +3,8 @@ name: CI on: push: branches: - - main + - '**' + - '!dependabot/**' tags: - 'v[0-9]+\.[0-9]+\.[0-9]+-?**' pull_request: {} @@ -16,12 +17,12 @@ jobs: - uses: actions-rust-lang/setup-rust-toolchain@v1 - name: Install cargo binstall uses: cargo-bins/cargo-binstall@main - - name: Install cargo component - run: cargo binstall --force cargo-component - name: Install wkg run: cargo binstall --force wkg - name: Install wasm-tools run: cargo binstall --force wasm-tools + - name: Install wac-cli + run: cargo binstall --force wac-cli - name: Fetch wit run: make wit - name: Check for drift in generated wit 
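Review bot: The new `Install wac-cli` step in the build job installs whatever version is current at run time, as the wkg and wasm-tools steps beside it already do, and no visible hunk invokes wac. With this commit `wasm-tools component new` produces the `lib/*.wasm` files that the publish job pushes and signs, so the tool version becomes part of the release input and should be fixed by the commit: `run: cargo binstall --force wasm-tools@<version>`. Either drop the wac-cli step or pin it the same way (`wac-cli@<version>`) if a target outside this diff needs it.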
@@ -41,18 +42,19 @@ jobs: working-directory: ./lib run: | for component in *.wasm ; do - echo "::group::${component}" + echo "::group::${component} ($(du -h ${component} | cut -f1 ))" wasm-tools component wit "${component}" echo "::endgroup::" done publish: - if: startsWith(github.ref, 'refs/tags/') + if: github.event_name == 'push' && ( startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' ) needs: - build permissions: contents: write packages: write + id-token: write runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -61,7 +63,10 @@ jobs: uses: cargo-bins/cargo-binstall@main - name: Install wkg run: cargo binstall --force wkg - - name: Get the version + - name: Install cosign + uses: sigstore/cosign-installer@v4.1.2 + - name: Get tag version + if: startsWith(github.ref, 'refs/tags/v') id: get_version run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} - name: Download components.tar @@ -80,8 +85,9 @@ jobs: run: make publish env: REPOSITORY: "ghcr.io/${{ github.repository }}" - VERSION: "${{ steps.get_version.outputs.VERSION }}" + VERSION: "${{ case(github.ref == 'refs/heads/main', 'dev', steps.get_version.outputs.VERSION) }}" - name: Draft GitHub Release + if: startsWith(github.ref, 'refs/tags/v') uses: softprops/action-gh-release@v3 with: draft: true diff --git a/Makefile b/Makefile index 141a5b2..045121c 100644 --- a/Makefile +++ b/Makefile 
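Review bot: `id-token: write` is granted at job level in `publish`, so every step in that job can request the OIDC token that cosign uses for keyless signing. That includes `cargo-bins/cargo-binstall@main`, which tracks a mutable branch, and the binary downloaded by `cargo binstall --force wkg`. `sigstore/cosign-installer@v4.1.2` in the following hunk is also referenced by a tag, which can be moved. Pin the actions in this job to full commit SHAs, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v4.1.2`, and do the same for cargo-binstall, so the code that runs with signing and `packages: write` rights is fixed by the commit. Because `dev` is a moving tag signed from `main`, the README should tell consumers to verify by digest and to check the certificate's workflow ref rather than trust the tag.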
@@ -20,13 +20,13 @@ components: $(foreach component,$(COMPONENTS),lib/$(component).wasm $(foreach co define BUILD_COMPONENT lib/$1.wasm: Cargo.toml Cargo.lock wit/deps $(shell find components/$1 -type f) - cargo component build -p $1 --target wasm32-unknown-unknown --release - cp target/wasm32-unknown-unknown/release/$(subst -,_,$1).wasm lib/$1.wasm + cargo build -p $1 --target wasm32-unknown-unknown --release + wasm-tools component new target/wasm32-unknown-unknown/release/$(subst -,_,$1).wasm -o lib/$1.wasm cp components/$1/README.md lib/$1.wasm.md lib/$1.debug.wasm: Cargo.toml Cargo.lock wit/deps $(shell find components/$1 -type f) - cargo component build -p $1 --target wasm32-wasip2 - cp target/wasm32-wasip2/debug/$(subst -,_,$1).wasm lib/$1.debug.wasm + cargo build -p $1 --target wasm32-unknown-unknown + wasm-tools component new target/wasm32-unknown-unknown/debug/$(subst -,_,$1).wasm -o lib/$1.debug.wasm cp components/$1/README.md lib/$1.debug.wasm.md endef 
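Review bot: Both `cargo build` lines in `BUILD_COMPONENT` run without `--locked`. Although `Cargo.lock` is listed as a prerequisite, cargo will re-resolve and rewrite it if it is out of step with `Cargo.toml`, and the components under `lib/` that the publish recipe pushes and signs are then built from dependencies the committed lockfile does not describe. Add the flag to both rules: `cargo build --locked -p $1 --target wasm32-unknown-unknown --release` and `cargo build --locked -p $1 --target wasm32-unknown-unknown`.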
@@ -57,12 +57,20 @@ endif @$(eval REVISION := $(shell git rev-parse HEAD)$(shell git diff --quiet HEAD && echo "+dirty")) @$(eval TAG := $(shell echo "${VERSION}" | sed 's/[^a-zA-Z0-9_.\-]/--/g')) - wkg oci push \ - --annotation "org.opencontainers.image.title=${COMPONENT}" \ - --annotation "org.opencontainers.image.description=${DESCRIPTION}" \ - --annotation "org.opencontainers.image.version=${VERSION}" \ - --annotation "org.opencontainers.image.source=https://github.com/componentized/logging.git" \ - --annotation "org.opencontainers.image.revision=${REVISION}" \ - --annotation "org.opencontainers.image.licenses=Apache-2.0" \ - "${REPOSITORY}/${COMPONENT}:${TAG}" \ - "lib/${FILE}" + @echo "::group::${FILE} -> ${REPOSITORY}/${COMPONENT}:${TAG}" + @DIGEST=$$( \ + wkg oci push \ + --annotation "org.opencontainers.image.title=${COMPONENT}" \ + --annotation "org.opencontainers.image.description=${DESCRIPTION}" \ + --annotation "org.opencontainers.image.version=${VERSION}" \ + --annotation "org.opencontainers.image.source=https://github.com/${GITHUB_REPOSITORY}.git" \ + --annotation "org.opencontainers.image.revision=${REVISION}" \ + --annotation "org.opencontainers.image.licenses=Apache-2.0" \ + "${REPOSITORY}/${COMPONENT}:${TAG}" \ + "lib/${FILE}" \ + 2>&1 \ + | tee /dev/stderr \ + | grep -o 'sha256:[a-f0-9]\{64\}' \ + ) ; \ + cosign sign --yes "${REPOSITORY}/${COMPONENT}:${TAG}@$${DIGEST}" + @echo "::endgroup::" diff --git a/rust-toolchain.toml b/rust-toolchain.toml index 798c4ad..8969b01 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -1,3 +1,3 @@ [toolchain] channel = "1.91" -targets = [ "wasm32-unknown-unknown", "wasm32-wasip2" ] +targets = [ "wasm32-unknown-unknown" ]
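Review bot: The digest handed to `cosign sign` is scraped from the combined stdout and stderr of `wkg oci push` with `grep -o`, and nothing checks that the push succeeded or that exactly one digest matched. The status of the `$$( … )` pipeline is grep's, and the `;` before `cosign sign` runs it regardless. A failed push, or output carrying more than one `sha256:` value (presumably possible if wkg logs layer or config digests; confirm against its output), therefore yields either a malformed reference or a signature over something other than the pushed manifest. Capture the output first, stop on a non-zero push status, and require a single distinct match before signing, as sketched below. The recipe's target line and the checks that end at `endif` are outside this hunk.

```make
	@OUT=$$( wkg oci push \
		# … unchanged: --annotation flags, "${REPOSITORY}/${COMPONENT}:${TAG}", "lib/${FILE}" …
		2>&1 ) ; STATUS=$$? ; \
	printf '%s\n' "$${OUT}" >&2 ; \
	test "$${STATUS}" -eq 0 || exit "$${STATUS}" ; \
	DIGEST=$$( printf '%s\n' "$${OUT}" | grep -o 'sha256:[a-f0-9]\{64\}' | sort -u ) ; \
	test "$$( printf '%s\n' "$${DIGEST}" | grep -c . )" -eq 1 \
		|| { echo "expected exactly one digest in wkg output" >&2 ; exit 1 ; } ; \
	cosign sign --yes "${REPOSITORY}/${COMPONENT}:${TAG}@$${DIGEST}"
```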