Skip to content

Merge pull request #1009 from kubewarden/dependabot/github_actions/ac… #215

Merge pull request #1009 from kubewarden/dependabot/github_actions/ac…

Merge pull request #1009 from kubewarden/dependabot/github_actions/ac… #215

Workflow file for this run

name: kwctl build
on:
workflow_call:
push:
branches:
- "main"
- "feat-**"
env:
CARGO_TERM_COLOR: always
jobs:
build-linux-binaries:
name: Build linux binaries
runs-on: ubuntu-latest
strategy:
matrix:
targetarch:
- aarch64
- x86_64
permissions:
id-token: write
attestations: write
steps:
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: setup rust toolchain
uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
with:
toolchain: stable
target: ${{matrix.targetarch}}-unknown-linux-musl
override: true
- uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with:
use-cross: true
command: build
args: --release --target ${{matrix.targetarch}}-unknown-linux-musl
- run: mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }}
- name: Smoke test build
if: matrix.targetarch == 'x86_64'
run: ./kwctl-linux-x86_64 --help
- name: Generate attestations
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
id: attestations
with:
subject-path: kwctl-linux-${{ matrix.targetarch }}
- name: Sign kwctl
run: |
cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig
- run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem
- name: Upload binary
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: kwctl-linux-${{ matrix.targetarch }}
path: kwctl-linux-${{ matrix.targetarch }}.zip
- name: Install the syft command
uses: kubewarden/github-actions/syft-installer@23f81f83e6392c869faacd8bfe86a8053d213d99 # v3.4.2
- name: Create SBOM file
shell: bash
run: |
syft \
--file kwctl-linux-${{ matrix.targetarch }}-sbom.spdx \
--output spdx-json \
--source-name kwctl-linux-${{ matrix.targetarch }} \
--source-version ${{ github.sha }} \
-vv \
dir:. # use dir default catalogers, which includes Cargo.toml
- name: Sign SBOM file
run: |
cosign sign-blob --yes \
--output-certificate kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert \
--output-signature kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig \
kwctl-linux-${{ matrix.targetarch }}-sbom.spdx
- name: Upload kwctl SBOM files
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: kwctl-linux-${{ matrix.targetarch }}-sbom
path: |
kwctl-linux-${{ matrix.targetarch }}-sbom.spdx
kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert
kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig
- name: Upload kwctl air gap scripts
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: matrix.targetarch == 'x86_64' # only upload the scripts once
with:
name: kwctl-airgap-scripts
path: |
scripts/kubewarden-load-policies.sh
scripts/kubewarden-save-policies.sh
build-darwin-binaries:
name: Build darwin binary
strategy:
matrix:
targetarch: ["aarch64", "x86_64"]
runs-on: macos-latest
permissions:
id-token: write
attestations: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Setup rust toolchain
uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
with:
toolchain: stable
target: ${{ matrix.targetarch }}-apple-darwin
override: true
- run: rustup target add ${{ matrix.targetarch }}-apple-darwin
- name: Build kwctl
uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with:
command: build
args: --target=${{ matrix.targetarch }}-apple-darwin --release
- run: mv target/${{ matrix.targetarch }}-apple-darwin/release/kwctl kwctl-darwin-${{ matrix.targetarch }}
- name: Smoke test build
if: matrix.targetarch == 'x86_64'
run: ./kwctl-darwin-x86_64 --help
- name: Generate attestations
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
id: attestations
with:
subject-path: kwctl-darwin-${{ matrix.targetarch }}
- name: Sign kwctl
run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig
- run: zip -j9 kwctl-darwin-${{ matrix.targetarch }}.zip kwctl-darwin-${{ matrix.targetarch }} kwctl-darwin-${{ matrix.targetarch }}.sig kwctl-darwin-${{ matrix.targetarch }}.pem
- name: Upload binary
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: kwctl-darwin-${{ matrix.targetarch }}
path: kwctl-darwin-${{ matrix.targetarch }}.zip
- name: Install the syft command
uses: kubewarden/github-actions/syft-installer@23f81f83e6392c869faacd8bfe86a8053d213d99 # v3.4.2
with:
arch: darwin_amd64
- name: Create SBOM file
shell: bash
run: |
syft \
--file kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx \
--output spdx-json \
--source-name kwctl-darwin-${{ matrix.targetarch }} \
--source-version ${{ github.sha }} \
-vv \
dir:. # use dir default catalogers, which includes Cargo.toml
- name: Sign SBOM file
run: |
cosign sign-blob --yes \
--output-certificate kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert \
--output-signature kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig \
kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx
- name: Upload kwctl SBOM files
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: kwctl-darwin-${{ matrix.targetarch }}-sbom
path: |
kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx
kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert
kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig
build-windows-x86_64:
name: Build windows (x86_64) binary
strategy:
matrix:
# workaround to have the same GH UI for all jobs
targetarch: ["x86_64"]
os: ["windows-latest"]
runs-on: ${{ matrix.os }}
permissions:
id-token: write
attestations: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Setup rust toolchain
uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
with:
toolchain: stable
- run: rustup target add x86_64-pc-windows-msvc
- name: enable git long paths on Windows
if: matrix.os == 'windows-latest'
run: git config --global core.longpaths true
- name: Build kwctl
uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
with:
command: build
args: --target=x86_64-pc-windows-msvc --release
- run: mv target/x86_64-pc-windows-msvc/release/kwctl.exe kwctl-windows-x86_64.exe
- name: Smoke test build
run: .\kwctl-windows-x86_64.exe --help
- name: Generate attestations
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
id: attestations
with:
subject-path: kwctl-windows-${{ matrix.targetarch }}.exe
- name: Sign kwctl
run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig
- run: |
"/c/Program Files/7-Zip/7z.exe" a kwctl-windows-x86_64.exe.zip kwctl-windows-x86_64.exe kwctl-windows-x86_64.sig kwctl-windows-x86_64.pem
shell: bash
- name: Upload binary
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: kwctl-windows-x86_64
path: kwctl-windows-x86_64.exe.zip
- name: Install the syft command
uses: kubewarden/github-actions/syft-installer@23f81f83e6392c869faacd8bfe86a8053d213d99 # v3.4.2
with:
arch: windows_amd64
- name: Create SBOM file
shell: bash
run: |
syft \
--file kwctl-windows-x86_64-sbom.spdx \
--output spdx-json \
--source-name kwctl-windows-x86_64 \
--source-version ${{ github.sha }} \
-vv \
dir:. # use dir default catalogers, which includes Cargo.toml
- name: Sign SBOM file
shell: bash
run: |
cosign sign-blob --yes \
--output-certificate kwctl-windows-x86_64-sbom.spdx.cert \
--output-signature kwctl-windows-x86_64-sbom.spdx.sig \
kwctl-windows-x86_64-sbom.spdx
- name: Upload kwctl SBOM files
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: kwctl-windows-x86_64-sbom
path: |
kwctl-windows-x86_64-sbom.spdx
kwctl-windows-x86_64-sbom.spdx.cert
kwctl-windows-x86_64-sbom.spdx.sig