diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..a1dcffb --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @rvolosatovs diff --git a/.github/actions/build-nix/action.yml b/.github/actions/build-nix/action.yml new file mode 100644 index 0000000..1c53307 --- /dev/null +++ b/.github/actions/build-nix/action.yml @@ -0,0 +1,18 @@ +name: build via Nix + +inputs: + package: + description: package specification to build + required: true + +runs: + using: composite + steps: + - run: nix build -L '.#${{ inputs.package }}' + shell: bash + - run: nix run -L --inputs-from . 'nixpkgs#coreutils' -- --coreutils-prog=cp -RLv ./result '${{ inputs.package }}' + shell: bash + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: ${{ inputs.package }} + path: ${{ inputs.package }} diff --git a/.github/actions/install-nix/action.yml b/.github/actions/install-nix/action.yml new file mode 100644 index 0000000..dd182d2 --- /dev/null +++ b/.github/actions/install-nix/action.yml @@ -0,0 +1,21 @@ +name: install Nix + +inputs: + cachixAuthToken: + description: auth token for https://app.cachix.org/organization/wasmcloud/cache/west + +runs: + using: composite + steps: + - uses: DeterminateSystems/nix-installer-action@v14 + with: + extra-conf: | + accept-flake-config = true + + - uses: DeterminateSystems/magic-nix-cache-action@v8 + + - uses: cachix/cachix-action@v15 + continue-on-error: true + with: + name: west + authToken: '${{ inputs.cachixAuthToken }}' diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..57412ea --- /dev/null +++ b/.github/dependabot.yml 
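Review bot: In `.github/actions/build-nix/action.yml`, both `run:` steps splice `${{ inputs.package }}` straight into the bash script text, so the value is expanded before the shell parses it and a value containing a single quote would escape the quoting. The callers visible in this commit pass only `west-${{ matrix.target }}`, so this is hardening rather than a live bug, but a composite action is reusable and a later caller may pass something less controlled. Pass the input through the environment instead: give each step an `env:` entry `PACKAGE: ${{ inputs.package }}` and write `nix build -L ".#${PACKAGE}"` and `... -RLv ./result "${PACKAGE}"`.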
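Review bot: In `.github/actions/install-nix/action.yml`, the three `uses:` entries are pinned to mutable tags (`nix-installer-action@v14`, `magic-nix-cache-action@v8`, `cachix-action@v15`), while every other third-party action in this commit is pinned to a full commit SHA with a version comment. The cachix step is the one that receives `authToken`, so a moved tag there would run with the cache credential. Pin all three the same way, e.g. `uses: cachix/cachix-action@<full-commit-sha> # v15`. Separately, `accept-flake-config = true` makes CI accept whatever `nixConfig` substituters and keys the checked-out `flake.nix` declares, including on `pull_request` runs; a short comment stating that this is intended would help the next reader.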
@@ -0,0 +1,24 @@ +version: 2 +updates: +- package-ecosystem: "cargo" + directory: "/" + schedule: + interval: "daily" + +- package-ecosystem: "gomod" + directory: "/go" + schedule: + interval: "daily" + +- package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" +- package-ecosystem: "github-actions" + directory: "/.github/actions/build-nix" + schedule: + interval: "daily" +- package-ecosystem: "github-actions" + directory: "/.github/actions/install-nix" + schedule: + interval: "daily" diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml new file mode 100644 index 0000000..d0f4bb5 --- /dev/null +++ b/.github/workflows/nix.yml @@ -0,0 +1,43 @@ +name: nix + +on: + merge_group: + pull_request: + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + fmt: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/install-nix + with: + cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: nix fmt + + shell: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/install-nix + with: + cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: | + nix profile install + wit-bindgen-wrpc --version + wrpc-wasmtime-nats --version + + develop: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/install-nix + with: + cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: nix develop -L --ignore-environment -c cargo tree diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..cabc220 --- /dev/null +++ b/.github/workflows/scorecard.yml 
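Review bot: `.github/workflows/nix.yml` declares no `permissions:` block, so its jobs run with the repository's default `GITHUB_TOKEN` scope, whereas `scorecard.yml` in the same commit starts from `permissions: read-all`. None of the three jobs visibly writes to the repository, so a top-level `permissions:` with `contents: read` should be enough. The same likely applies to `update.yml` and to the `west.yml` jobs other than `deploy-doc` and `release`, which set their own. The `actions/checkout` steps could also set `persist-credentials: false`, as the Scorecard workflow does, since no later step shown here needs git credentials.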
@@ -0,0 +1,72 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '45 1 * * 1' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. 
+ # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + with: + sarif_file: results.sarif diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml new file mode 100644 index 0000000..77fbf3a --- /dev/null +++ b/.github/workflows/update.yml @@ -0,0 +1,20 @@ +name: nix-flake-update + +on: + schedule: + - cron: "0 0 * * *" + workflow_dispatch: + +jobs: + nix-flake-update: + runs-on: ubuntu-latest + steps: + - uses: rvolosatovs/nix-flake-update-action@60ed905545151a290d73ce1302c23f4fb7ff43f0 # v2.0.4 + with: + app-id: ${{ secrets.BOT_APP_ID }} + private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }} + assignees: rvolosatovs + reviewers: rvolosatovs + delete-branch: true + signoff: true + labels: dependencies diff --git a/.github/workflows/west.yml b/.github/workflows/west.yml new file mode 100644 index 0000000..0a502ca --- /dev/null +++ b/.github/workflows/west.yml 
@@ -0,0 +1,260 @@ +name: west + +on: + merge_group: + pull_request: + push: + branches: + - main + tags: + - 'crates/passthrough/v[0-9].[0-9]+.[0-9]+' + - 'crates/passthrough/v[0-9].[0-9]+.[0-9]+-*' + - 'crates/west-sys/v[0-9].[0-9]+.[0-9]+' + - 'crates/west-sys/v[0-9].[0-9]+.[0-9]+-*' + - 'crates/west/v[0-9].[0-9]+.[0-9]+' + - 'crates/west/v[0-9].[0-9]+.[0-9]+-*' + - 'v[0-9].[0-9]+.[0-9]+' + - 'v[0-9].[0-9]+.[0-9]+-*' + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + build: + strategy: + matrix: + target: + - aarch64-unknown-linux-musl + - aarch64-apple-darwin + - aarch64-linux-android + - x86_64-apple-darwin + - x86_64-pc-windows-gnu + - x86_64-unknown-linux-musl + + name: west-${{ matrix.target }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/install-nix + with: + cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - uses: ./.github/actions/build-nix + with: + package: west-${{ matrix.target }} + + test-dev: + strategy: + matrix: + os: + - ubuntu-latest + - windows-latest + - macos-13 + - macos-14 + if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} + runs-on: ${{ matrix.os }} + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - run: nix profile install --inputs-from . 'nixpkgs-unstable#go_1_23' '.#rust' + - run: go generate ./go/... + - run: go test -v ./go/... 
+ + test-lib: + strategy: + matrix: + config: + - os: ubuntu-latest + lib: x86_64-linux + target: west-x86_64-unknown-linux-musl + + - os: windows-latest + lib: x86_64-windows + target: west-x86_64-pc-windows-gnu + + - os: macos-13 + lib: x86_64-darwin + target: west-x86_64-apple-darwin + + - os: macos-14 + lib: aarch64-darwin + target: west-aarch64-apple-darwin + + if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} + runs-on: ${{ matrix.config.os }} + needs: build + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - run: nix profile install --inputs-from . 'nixpkgs-unstable#go_1_23' '.#rust' + - run: go generate ./go/... + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: west-${{ matrix.config.target }} + path: lib/${{ matrix.config.lib }} + - run: go test ./go/... + + cargo: + strategy: + matrix: + check: + - audit + - fmt + - clippy + - nextest + + name: cargo ${{ matrix.check }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/install-nix + with: + cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: go work vendor -e -v + if: ${{ matrix.check }} == "nextest" + - run: git add . 
+ if: ${{ matrix.check }} == "nextest" + - run: nix build -L .#checks.x86_64-linux.${{ matrix.check }} + + crates: + if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} + strategy: + matrix: + include: + - crate: passthrough + + - crate: west + + - crate: west-sys + workspace-dependencies: true + + name: publish ${{ matrix.crate }} to crates.io + needs: cargo + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Extract tag context + id: ctx + run: | + version=${GITHUB_REF_NAME#crates/${{ matrix.crate }}/v} + echo "version=${version}" >> "$GITHUB_OUTPUT" + echo "version is ${version}" + if [[ $version == *"-"* ]]; then + echo "version ${version} is a pre-release" + echo "prerelease=true" >> "$GITHUB_OUTPUT" + fi + + - name: dry-run publish ${{ matrix.crate }} to crates.io + if: ${{ !startsWith(github.ref, 'refs/tags/') }} + continue-on-error: ${{ matrix.workspace-dependencies }} # publish may fail due to workspace crates not being published yet + run: cargo publish --dry-run + working-directory: ./crates/${{ matrix.crate }} + + - name: publish ${{ matrix.crate }} to crates.io + if: startsWith(github.ref, format('refs/tags/crates/{0}/v', matrix.crate)) && !steps.ctx.outputs.prerelease + continue-on-error: ${{ github.repository_owner != 'rvolosatovs' }} + run: | + pkgver=$(cargo pkgid | cut -d '@' -f 2) + tagver="${{ steps.ctx.outputs.version }}" + if ! 
[ "$pkgver" = "$tagver" ]; then + echo "version mismatch, $pkgver (package) != $tagver (tag)" + exit 1 + fi + cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }} + working-directory: ./crates/${{ matrix.crate }} + + build-doc: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ./.github/actions/install-nix + with: + cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - run: nix build -L .#checks.x86_64-linux.doc + - run: cp --no-preserve=mode -R ./result/share/doc ./doc + - run: rm -f doc/.lock + - name: Create `.nojekyll` + run: touch doc/.nojekyll + - name: Write `index.html` + run: | + cat < doc/index.html + + + Redirecting to west/index.html + + + EOF + - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 + with: + path: doc + + deploy-doc: + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + needs: build-doc + permissions: + pages: write + id-token: write + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 + id: deployment + + release: + if: startsWith(github.ref, 'refs/tags/v') + needs: + - build + - cargo + - crates + - test-lib + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Extract tag context + id: ctx + run: | + version=${GITHUB_REF_NAME#v} + echo "version=${version}" >> "$GITHUB_OUTPUT" + echo "version is ${version}" + if [[ $version == *"-"* ]]; then + echo "version ${version} is a pre-release" + echo "prerelease=true" >> "$GITHUB_OUTPUT" + fi + + - name: publish west to crates.io + run: | + pkgver=$(cargo pkgid | cut -d '@' -f 2) + tagver="${{ steps.ctx.outputs.version }}" + if ![ "$pkgver" = "$tagver" ]; then + echo "version mismatch, $pkgver (package) != $tagver (tag)" + exit 1 + fi + cargo publish 
--token ${{ secrets.CARGO_REGISTRY_TOKEN }} + + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + path: artifacts + + - run: | + for dir in ./artifacts/west-*; do + target=${dir#./artifacts/west-} + for lib_path in $(find ${dir}/lib -type f); do + lib=$(basename ${lib_path}) + mkdir -p ./${lib} + mv ${lib_path} ./${lib}/${lib}-${target}.a + done + done + + - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + with: + draft: true + prerelease: true + generate_release_notes: true + files: | + ./libwest/* + diff --git a/.gitignore b/.gitignore index 7792a7e..7d6997e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ /target *.wasm *.a -*.h diff --git a/flake.lock b/flake.lock index 61e9ed1..7951a9f 100644 --- a/flake.lock +++ b/flake.lock @@ -303,15 +303,16 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1724748661, - "narHash": "sha256-9gCQQX/9+hll9wDB2qaTyv1m8VeNqNZ4v4vNaCVPxbs=", + "lastModified": 1726246280, + "narHash": "sha256-AM4IpTtNKZpM4qWiOMOZI5OmVxy9t8GGwf13Tu6i9zY=", "owner": "rvolosatovs", "repo": "nixify", - "rev": "aaa7d3682dfff6cacc597e2a22e0b98aa95bc0ba", + "rev": "6c0ee3654bb282b25c923dd654afeefbe567bbb5", "type": "github" }, "original": { "owner": "rvolosatovs", + "ref": "fix/target-rustflags", "repo": "nixify", "type": "github" } @@ -372,11 +373,11 @@ }, "nixlib_3": { "locked": { - "lastModified": 1724547350, - "narHash": "sha256-WKkGeNpenNMKD1gOF0Xuqi3VsKX/QCAiwz9qe5PDvzA=", + "lastModified": 1725757153, + "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "b741d900fecd2f0c32d90f853b24be9f5f098b7d", + "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", "type": "github" }, "original": { 
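Review bot: In the `release` job of `.github/workflows/west.yml`, the guard in the `publish west to crates.io` step is written `if ![ "$pkgver" = "$tagver" ]; then`; without a space after `!`, bash looks for a command named `![`, the condition fails with "command not found", and the script falls through to `cargo publish` even when the package and tag versions differ. The `crates` job uses the correct `if ! [ ... ]` form, so use the same here. In the `cargo` job, `if: ${{ matrix.check }} == "nextest"` evaluates to a non-empty string and is therefore always true, so `go work vendor` and `git add .` run for every check; `if: matrix.check == 'nextest'` is what was meant. Both publish steps also interpolate `${{ secrets.CARGO_REGISTRY_TOKEN }}` into the command line; an `env:` entry `CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}` with a plain `cargo publish` keeps the token out of the script text and the process arguments.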
@@ -435,11 +436,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1724748588, - "narHash": "sha256-NlpGA4+AIf1dKNq76ps90rxowlFXUsV9x7vK/mN37JM=", + "lastModified": 1726142289, + "narHash": "sha256-Jks8O42La+nm5AMTSq/PvM5O+fUAhIy0Ce1QYqLkyZ4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a6292e34000dc93d43bccf78338770c1c5ec8a99", + "rev": "280db3decab4cbeb22a4599bd472229ab74d25e1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5ed6708..f6bcbea 100644 --- a/flake.nix +++ b/flake.nix @@ -1,25 +1,25 @@ { nixConfig.extra-substituters = [ - "https://wrpc.cachix.org" - "https://wasmcloud.cachix.org" + "https://west.cachix.org" "https://nixify.cachix.org" "https://crane.cachix.org" + "https://wasmcloud.cachix.org" "https://bytecodealliance.cachix.org" "https://nix-community.cachix.org" "https://cache.garnix.io" ]; nixConfig.extra-trusted-public-keys = [ - "wrpc.cachix.org-1:J1xnzWo1nnhlzOmZCA10/5wz87LwCFwQtnqCibCy67w=" - "wasmcloud.cachix.org-1:9gRBzsKh+x2HbVVspreFg/6iFRiD4aOcUQfXVDl3hiM=" + "west.cachix.org-1:F8ZwKSRWiSCh+rMyZAP7xhgUP6ZW88AGXE7KOR30Fg0=" "nixify.cachix.org-1:95SiUQuf8Ij0hwDweALJsLtnMyv/otZamWNRp1Q1pXw=" "crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk=" + "wasmcloud.cachix.org-1:9gRBzsKh+x2HbVVspreFg/6iFRiD4aOcUQfXVDl3hiM=" "bytecodealliance.cachix.org-1:0SBgh//n2n0heh0sDFhTm+ZKBRy2sInakzFGfzN531Y=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ]; inputs.nixify.inputs.nixlib.follows = "nixlib"; - inputs.nixify.url = "github:rvolosatovs/nixify"; + inputs.nixify.url = "github:rvolosatovs/nixify/fix/target-rustflags"; inputs.nixlib.url = "github:nix-community/nixpkgs.lib"; inputs.nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; inputs.wit-deps.inputs.nixify.follows = "nixify"; 
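Review bot: In `flake.nix`, `inputs.nixify.url` now tracks the feature branch `fix/target-rustflags`, and nothing in the file says why or for how long. `flake.lock` pins the current revision, but the daily `nix-flake-update` workflow added in this commit will presumably keep following that branch, which can be rebased or deleted once the fix lands upstream. Add a comment above the line, e.g. `# TODO: return to github:rvolosatovs/nixify once fix/target-rustflags is merged`, so the temporary pin is not forgotten. The enclosing attribute set continues outside the hunk.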
@@ -75,6 +75,10 @@ doCheck = false; # testing is performed in checks via `nextest` + build.packages = [ + "west-sys" + ]; + targets.arm-unknown-linux-gnueabihf = false; targets.arm-unknown-linux-musleabihf = false; targets.armv7-unknown-linux-gnueabihf = false; @@ -137,12 +141,20 @@ nativeCheckInputs = nativeCheckInputs ++ [ - pkgs.nats-server - pkgs.pkgsUnstable.go ]; }; + withPackages = { + hostRustToolchain, + packages, + ... + }: + packages + // { + rust = hostRustToolchain; + }; + withDevShells = { devShells, pkgs, @@ -152,7 +164,7 @@ buildInputs = [ pkgs.wit-deps - pkgs.pkgsUnstable.binaryen + pkgs.pkgsUnstable.cargo-audit pkgs.pkgsUnstable.go_1_23 pkgs.pkgsUnstable.wasm-tools pkgs.pkgsUnstable.wasmtime