.github/workflows/release.yml

name: Release
on:
  push:
    branches:
      - main
    tags:
      - "v*"

# Serialize workflow runs
concurrency: ${{ github.workflow }}-${{ github.ref }}

env:
  RUST_VERSION: 1.71

jobs:
  build-and-sign:
    name: build and sign release assets
    runs-on: ${{ matrix.config.os }}
    permissions:
      # cosign uses the GitHub OIDC token
      id-token: write
      # needed to upload artifacts to a GH release
      contents: write
    strategy:
      matrix:
        config:
          - {
              os: "ubuntu-20.04",
              arch: "amd64",
              extension: "",
              # Ubuntu 22.04 no longer ships libssl1.1, so we statically
              # link it here to preserve release binary compatibility.
              extraArgs: "--features openssl/vendored",
              target: "",
              targetDir: "target/release",
            }
          - {
              os: "ubuntu-20.04",
              arch: "aarch64",
              extension: "",
              extraArgs: "--features openssl/vendored --target aarch64-unknown-linux-gnu",
              target: "aarch64-unknown-linux-gnu",
              targetDir: "target/aarch64-unknown-linux-gnu/release",
            }
          - {
              os: "macos-latest",
              arch: "amd64",
              extension: "",
              extraArgs: "",
              target: "",
              targetDir: "target/release",
            }
          - {
              os: "macos-latest",
              arch: "aarch64",
              extension: "",
              extraArgs: "--target aarch64-apple-darwin",
              target: "aarch64-apple-darwin",
              targetDir: "target/aarch64-apple-darwin/release/",
            }
          - {
              os: "windows-latest",
              arch: "amd64",
              extension: ".exe",
              extraArgs: "",
              target: "",
              targetDir: "target/release",
            }
    steps:
      - uses: actions/checkout@v3

      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: lowercase the runner OS name
        shell: bash
        run: |
          OS=$(echo "${{ runner.os }}" | tr '[:upper:]' '[:lower:]')
          echo "RUNNER_OS=$OS" >> $GITHUB_ENV

      - name: Install Cosign for signing Spin binary
        uses: sigstore/cosign-installer@v3.0.1
        with:
          cosign-release: v2.0.0

      - name: Install Rust toolchain
        shell: bash
        run: |
          rustup toolchain install ${{ env.RUST_VERSION }}
          rustup default ${{ env.RUST_VERSION }}

      - name: Install target
        if: matrix.config.target != ''
        shell: bash
        run: rustup target add --toolchain ${{ env.RUST_VERSION }} ${{ matrix.config.target }}

      - name: "Install Wasm Rust target"
        run: rustup target add wasm32-wasi --toolchain ${{ env.RUST_VERSION }} && rustup target add wasm32-unknown-unknown --toolchain ${{ env.RUST_VERSION }}

      - name: setup for cross-compiled linux aarch64 build
        if: matrix.config.target == 'aarch64-unknown-linux-gnu'
        run: |
          sudo apt update
          sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
          echo '[target.aarch64-unknown-linux-gnu]' >> ${HOME}/.cargo/config.toml
          echo 'linker = "aarch64-linux-gnu-gcc"' >> ${HOME}/.cargo/config.toml
          echo 'rustflags = ["-Ctarget-feature=+fp16"]' >> ${HOME}/.cargo/config.toml

      - name: build release
        shell: bash
        run: cargo build --release ${{ matrix.config.extraArgs }}

      - name: Sign the binary with GitHub OIDC token
        shell: bash
        run: |
          cosign sign-blob \
            --yes \
            --output-certificate crt.pem \
            --output-signature spin.sig \
            ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }}

      - name: package release assets
        if: runner.os != 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          tar czf \
            spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      - name: package release assets
        if: runner.os == 'Windows'
        shell: bash
        run: |
          mkdir _dist
          cp crt.pem spin.sig README.md LICENSE ${{ matrix.config.targetDir }}/spin${{ matrix.config.extension }} _dist/
          cd _dist
          7z a -tzip \
            spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip \
            crt.pem spin.sig README.md LICENSE spin${{ matrix.config.extension }}

      - name: upload binary as GitHub artifact
        if: runner.os != 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz

      - name: upload binary to Github release
        if: startsWith(github.ref, 'refs/tags/v') && runner.os != 'Windows'
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz
          tag: ${{ github.ref }}

      - name: upload binary as GitHub artifact
        if: runner.os == 'Windows'
        uses: actions/upload-artifact@v3
        with:
          name: spin
          path: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip

      - name: upload binary to Github release
        if: startsWith(github.ref, 'refs/tags/v') &&  runner.os == 'Windows'
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.zip
          tag: ${{ github.ref }}

      - name: Configure AWS Credentials
        if: runner.os == 'linux' && matrix.config.arch == 'amd64' && github.repository_owner == 'fermyon'
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}
          role-session-name: spin-release-artifacts
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Copy Binary to S3 - ${{ env.RELEASE_VERSION }}
        if: runner.os == 'linux' && matrix.config.arch == 'amd64' && github.repository_owner == 'fermyon'
        run: |
          aws s3 cp _dist/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz s3://${{ secrets.SPIN_RELEASE_ARTIFACTS_REPO }}/spin-${{ env.RELEASE_VERSION }}-${{ env.RUNNER_OS }}-${{ matrix.config.arch }}.tar.gz --acl public-read

  checksums:
    name: generate release checksums
    runs-on: ubuntu-latest
    needs: build-and-sign
    steps:
      - name: set the release version (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: set the release version (main)
        if: github.ref == 'refs/heads/main'
        shell: bash
        run: echo "RELEASE_VERSION=canary" >> $GITHUB_ENV

      - name: download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin

      - name: generate checksums
        run: sha256sum * > checksums-${{ env.RELEASE_VERSION }}.txt

      - uses: actions/upload-artifact@v3
        with:
          name: spin
          path: checksums-${{ env.RELEASE_VERSION }}.txt

      - name: upload checksums to Github release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: checksums-${{ env.RELEASE_VERSION }}.txt
          tag: ${{ github.ref }}


  update-canary:
    name: update canary release
    runs-on: ubuntu-latest
    needs: checksums
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Download release assets
        uses: actions/download-artifact@v3
        with:
          name: spin

      - name: Delete canary tag
        uses: dev-drprasad/delete-tag-and-release@v0.2.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: canary
          delete_release: true

      - name: Recreate canary tag and release
        uses: ncipollo/release-action@v1.13.0
        with:
          tag: canary
          allowUpdates: true
          prerelease: true
          artifacts: "checksums-canary.txt,spin-canary*"
          commit: ${{ github.sha }}
          body: |
            This is a "canary" release of the most recent commits on our main branch. Canary is **not stable**.
            It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

  create-go-sdk-tag:
    name: create tag sdk/go/v*
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v3

      - name: Set the tag to sdk/go/v*
        shell: bash
        run: echo "GO_SDK_TAG=sdk/go/${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: Tag sdk/go/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git tag ${{ env.GO_SDK_TAG }}
          git push origin ${{ env.GO_SDK_TAG }}

  create-template-sdk-update-pr:
    name: Create PR with template SDK updates
    runs-on: ubuntu-latest
    needs: create-go-sdk-tag
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v3

      - name: Set the spin tag
        shell: bash
        run: echo "SPIN_TAG=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV

      - name: Change sdk version
        shell: bash
        run: |
          cd templates
          SDK_VERSION=${{ env.SPIN_TAG }} make

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4
        with:
          commit-message: "feat(templates): update sdk to ${{ env.SPIN_TAG }}"
          title: "feat(templates): update sdk to ${{ env.SPIN_TAG }}"
          body: Update the SDK version used by the templates
          branch: update-sdk-${{ env.SPIN_TAG }}
          base: main
          delete-branch: true
          committer: fermybot <103076628+fermybot@users.noreply.github.com>
          author: fermybot <103076628+fermybot@users.noreply.github.com>
          signoff: true

  # This will run when the PR above is approved and merged into main via a merge commit
  push-templates-tag:
    runs-on: ubuntu-latest
    needs: build-and-sign
    if: github.event.commits[0].author.name == 'fermybot' && contains(github.event.commits[0].message, 'update sdk')
    steps:
      - uses: actions/checkout@v3

      - name: Set the tag to spin/templates/v*
        shell: bash
        run: |
          spin_tag=$(echo "${{ github.event.commits[0].message }}" | grep -Eo v[0-9.]+)
          IFS=. read -r major minor patch <<< "${spin_tag}"
          echo "TEMPLATE_TAG=spin/templates/$major.$minor" >> $GITHUB_ENV

      - name: Tag spin/templates/v* and push it
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git tag ${{ env.TEMPLATE_TAG }} -f
          git push origin ${{ env.TEMPLATE_TAG }} -f