Merge pull request #938 from kubewarden/dependabot/cargo/wasmparser-0… #149
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: kwctl build | |
| on: | |
| workflow_call: | |
| push: | |
| branches: | |
| - "main" | |
| - "feat-**" | |
| env: | |
| CARGO_TERM_COLOR: always | |
| jobs: | |
| build-linux-binaries: | |
| name: Build linux binaries | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| targetarch: | |
| - aarch64 | |
| - x86_64 | |
| permissions: | |
| packages: write | |
| id-token: write | |
| steps: | |
| - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: checkout code | |
| uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - name: setup rust toolchain | |
| uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 | |
| with: | |
| toolchain: stable | |
| target: ${{matrix.targetarch}}-unknown-linux-musl | |
| override: true | |
| - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 | |
| with: | |
| use-cross: true | |
| command: build | |
| args: --release --target ${{matrix.targetarch}}-unknown-linux-musl | |
| - name: Sign kwctl | |
| run: | | |
| mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }} | |
| cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig | |
| - run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem | |
| - name: Upload binary | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| with: | |
| name: kwctl-linux-${{ matrix.targetarch }} | |
| path: kwctl-linux-${{ matrix.targetarch }}.zip | |
| - name: Install the syft command | |
| uses: kubewarden/github-actions/syft-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5 | |
| - name: Create SBOM file | |
| shell: bash | |
| run: | | |
| syft \ | |
| --file kwctl-linux-${{ matrix.targetarch }}-sbom.spdx \ | |
| --output spdx-json \ | |
| --source-name kwctl-linux-${{ matrix.targetarch }} \ | |
| --source-version ${{ github.sha }} \ | |
| -vv \ | |
| dir:. # use dir default catalogers, which includes Cargo.toml | |
| - name: Sign SBOM file | |
| run: | | |
| cosign sign-blob --yes \ | |
| --output-certificate kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert \ | |
| --output-signature kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig \ | |
| kwctl-linux-${{ matrix.targetarch }}-sbom.spdx | |
| - name: Upload kwctl SBOM files | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| with: | |
| name: kwctl-linux-${{ matrix.targetarch }}-sbom | |
| path: | | |
| kwctl-linux-${{ matrix.targetarch }}-sbom.spdx | |
| kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert | |
| kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig | |
| - name: Upload kwctl air gap scripts | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| if: matrix.targetarch == 'x86_64' # only upload the scripts once | |
| with: | |
| name: kwctl-airgap-scripts | |
| path: | | |
| scripts/kubewarden-load-policies.sh | |
| scripts/kubewarden-save-policies.sh | |
| build-darwin-binaries: | |
| name: Build darwin binary | |
| strategy: | |
| matrix: | |
| targetarch: ["aarch64", "x86_64"] | |
| runs-on: macos-latest | |
| permissions: | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Setup rust toolchain | |
| uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 | |
| with: | |
| toolchain: stable | |
| target: ${{ matrix.targetarch }}-apple-darwin | |
| override: true | |
| - run: rustup target add ${{ matrix.targetarch }}-apple-darwin | |
| - name: Build kwctl | |
| uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 | |
| with: | |
| command: build | |
| args: --target=${{ matrix.targetarch }}-apple-darwin --release | |
| - run: mv target/${{ matrix.targetarch }}-apple-darwin/release/kwctl kwctl-darwin-${{ matrix.targetarch }} | |
| - name: Smoke test build | |
| if: matrix.targetarch == 'x86_64' | |
| run: ./kwctl-darwin-x86_64 --help | |
| - name: Sign kwctl | |
| run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig | |
| - run: zip -j9 kwctl-darwin-${{ matrix.targetarch }}.zip kwctl-darwin-${{ matrix.targetarch }} kwctl-darwin-${{ matrix.targetarch }}.sig kwctl-darwin-${{ matrix.targetarch }}.pem | |
| - name: Upload binary | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| with: | |
| name: kwctl-darwin-${{ matrix.targetarch }} | |
| path: kwctl-darwin-${{ matrix.targetarch }}.zip | |
| - name: Install the syft command | |
| uses: kubewarden/github-actions/syft-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5 | |
| with: | |
| arch: darwin_amd64 | |
| - name: Create SBOM file | |
| shell: bash | |
| run: | | |
| syft \ | |
| --file kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx \ | |
| --output spdx-json \ | |
| --source-name kwctl-darwin-${{ matrix.targetarch }} \ | |
| --source-version ${{ github.sha }} \ | |
| -vv \ | |
| dir:. # use dir default catalogers, which includes Cargo.toml | |
| - name: Sign SBOM file | |
| run: | | |
| cosign sign-blob --yes \ | |
| --output-certificate kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert \ | |
| --output-signature kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig \ | |
| kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx | |
| - name: Upload kwctl SBOM files | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| with: | |
| name: kwctl-darwin-${{ matrix.targetarch }}-sbom | |
| path: | | |
| kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx | |
| kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert | |
| kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig | |
| build-windows-x86_64: | |
| name: Build windows (x86_64) binary | |
| strategy: | |
| matrix: | |
| # workaround to have the same GH UI for all jobs | |
| targetarch: ["x86_64"] | |
| os: ["windows-latest"] | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
| - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Setup rust toolchain | |
| uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 | |
| with: | |
| toolchain: stable | |
| - run: rustup target add x86_64-pc-windows-msvc | |
| - name: enable git long paths on Windows | |
| if: matrix.os == 'windows-latest' | |
| run: git config --global core.longpaths true | |
| - name: Build kwctl | |
| uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 | |
| with: | |
| command: build | |
| args: --target=x86_64-pc-windows-msvc --release | |
| - run: mv target/x86_64-pc-windows-msvc/release/kwctl.exe kwctl-windows-x86_64.exe | |
| - name: Smoke test build | |
| run: .\kwctl-windows-x86_64.exe --help | |
| - name: Sign kwctl | |
| run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig | |
| - run: | | |
| "/c/Program Files/7-Zip/7z.exe" a kwctl-windows-x86_64.exe.zip kwctl-windows-x86_64.exe kwctl-windows-x86_64.sig kwctl-windows-x86_64.pem | |
| shell: bash | |
| - name: Upload binary | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| with: | |
| name: kwctl-windows-x86_64 | |
| path: kwctl-windows-x86_64.exe.zip | |
| - name: Install the syft command | |
| uses: kubewarden/github-actions/syft-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5 | |
| with: | |
| arch: windows_amd64 | |
| - name: Create SBOM file | |
| shell: bash | |
| run: | | |
| syft \ | |
| --file kwctl-windows-x86_64-sbom.spdx \ | |
| --output spdx-json \ | |
| --source-name kwctl-windows-x86_64 \ | |
| --source-version ${{ github.sha }} \ | |
| -vv \ | |
| dir:. # use dir default catalogers, which includes Cargo.toml | |
| - name: Sign SBOM file | |
| shell: bash | |
| run: | | |
| cosign sign-blob --yes \ | |
| --output-certificate kwctl-windows-x86_64-sbom.spdx.cert \ | |
| --output-signature kwctl-windows-x86_64-sbom.spdx.sig \ | |
| kwctl-windows-x86_64-sbom.spdx | |
| - name: Upload kwctl SBOM files | |
| uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1 | |
| with: | |
| name: kwctl-windows-x86_64-sbom | |
| path: | | |
| kwctl-windows-x86_64-sbom.spdx | |
| kwctl-windows-x86_64-sbom.spdx.cert | |
| kwctl-windows-x86_64-sbom.spdx.sig |