
Commit

ci: setup basic CI
Signed-off-by: Roman Volosatovs <[email protected]>
rvolosatovs committed Sep 13, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent ce8a697 commit ec68138
Showing 10 changed files with 463 additions and 8 deletions.
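--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @rvolosatovs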
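--- a/.github/actions/build-nix/action.yml
+++ b/.github/actions/build-nix/action.yml
@@ -0,0 +1,18 @@
+name: build via Nix
+
+inputs:
+package:
+description: package specification to build
+required: true
+
+runs:
+using: composite
+steps:
+- run: nix build -L '.#${{ inputs.package }}'
+shell: bash
+- run: nix run -L --inputs-from . 'nixpkgs#coreutils' -- --coreutils-prog=cp -RLv ./result '${{ inputs.package }}'
+shell: bash
+- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+with:
+name: ${{ inputs.package }}
+path: ${{ inputs.package }}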
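Review bot: Both `run:` steps splice `${{ inputs.package }}` straight into the bash script text, so the value is expanded before the shell parses the line and the surrounding single quotes do not contain it if the value itself holds a quote. The callers visible in this commit pass a fixed matrix string, so this is hardening rather than a live bug, but a composite action should not depend on every caller staying static. Pass the input through the environment instead: add `env:` with `PACKAGE: ${{ inputs.package }}` to each step and use `nix build -L ".#$PACKAGE"` and `... -RLv ./result "$PACKAGE"`.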
21 changes: 21 additions & 0 deletions .github/actions/install-nix/action.yml
@@ -0,0 +1,21 @@
name: install Nix

inputs:
cachixAuthToken:
description: auth token for https://app.cachix.org/organization/wasmcloud/cache/west

runs:
using: composite
steps:
- uses: DeterminateSystems/nix-installer-action@v14
with:
extra-conf: |
accept-flake-config = true
- uses: DeterminateSystems/magic-nix-cache-action@v8

- uses: cachix/cachix-action@v15
continue-on-error: true
with:
name: west
authToken: '${{ inputs.cachixAuthToken }}'
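Review bot: The three third-party actions here are referenced by mutable tags (`nix-installer-action@v14`, `magic-nix-cache-action@v8`, `cachix-action@v15`), while every other action in this commit is pinned to a full commit SHA with the version in a trailing comment. `cachix/cachix-action` is handed the Cachix auth token, so it is the step where a retagged release matters most. Pin each as `uses: OWNER/REPO@<full-commit-sha> # vN`; the github-actions Dependabot entries added in this commit can then keep the pins current. Separately, `accept-flake-config = true` makes the runner accept whatever `nixConfig` the checked-out flake declares, including substituters and trusted keys, so a one-line comment stating that this is intended for pull-request builds would help the next reader.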
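--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,24 @@
+version: 2
+updates:
+- package-ecosystem: "cargo"
+directory: "/"
+schedule:
+interval: "daily"
+
+- package-ecosystem: "gomod"
+directory: "/go"
+schedule:
+interval: "daily"
+
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "daily"
+- package-ecosystem: "github-actions"
+directory: "/.github/actions/build-nix"
+schedule:
+interval: "daily"
+- package-ecosystem: "github-actions"
+directory: "/.github/actions/install-nix"
+schedule:
+interval: "daily"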
43 changes: 43 additions & 0 deletions .github/workflows/nix.yml
@@ -0,0 +1,43 @@
name: nix

on:
merge_group:
pull_request:
push:
branches:
- main

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
fmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-nix
with:
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: nix fmt

shell:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-nix
with:
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: |
nix profile install
wit-bindgen-wrpc --version
wrpc-wasmtime-nats --version
develop:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-nix
with:
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: nix develop -L --ignore-environment -c cargo tree
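Review bot: This workflow has no `permissions:` block, so its jobs run with the repository's default `GITHUB_TOKEN` scope, whereas scorecard.yml in the same commit starts from `permissions: read-all`. The three jobs only check out and build, so a top-level `permissions:` with `contents: read` should be enough. update.yml and west.yml appear to have the same gap at workflow level (west.yml sets permissions only on `deploy-doc` and `release`). The checkout steps could also set `persist-credentials: false`, as scorecard.yml does, since nothing in these jobs pushes.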
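--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+# For Branch-Protection check. Only the default branch is supported. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+branch_protection_rule:
+# To guarantee Maintained check is occasionally updated. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+schedule:
+- cron: '45 1 * * 1'
+push:
+branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+analysis:
+name: Scorecard analysis
+runs-on: ubuntu-latest
+permissions:
+# Needed to upload the results to code-scanning dashboard.
+security-events: write
+# Needed to publish results and get a badge (see publish_results below).
+id-token: write
+# Uncomment the permissions below if installing in a private repository.
+# contents: read
+# actions: read
+
+steps:
+- name: "Checkout code"
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+with:
+persist-credentials: false
+
+- name: "Run analysis"
+uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+with:
+results_file: results.sarif
+results_format: sarif
+# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+# - you want to enable the Branch-Protection check on a *public* repository, or
+# - you are installing Scorecard on a *private* repository
+# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+# repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+# Public repositories:
+# - Publish results to OpenSSF REST API for easy access by consumers
+# - Allows the repository to include the Scorecard badge.
+# - See https://github.com/ossf/scorecard-action#publishing-results.
+# For private repositories:
+# - `publish_results` will always be set to `false`, regardless
+# of the value entered here.
+publish_results: true
+
+# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+# format to the repository Actions tab.
+- name: "Upload artifact"
+uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+with:
+name: SARIF file
+path: results.sarif
+retention-days: 5
+
+# Upload the results to GitHub's code scanning dashboard.
+- name: "Upload to code-scanning"
+uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+with:
+sarif_file: results.sarif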
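--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -0,0 +1,20 @@
+name: nix-flake-update
+
+on:
+schedule:
+- cron: "0 0 * * *"
+workflow_dispatch:
+
+jobs:
+nix-flake-update:
+runs-on: ubuntu-latest
+steps:
+- uses: rvolosatovs/nix-flake-update-action@60ed905545151a290d73ce1302c23f4fb7ff43f0 # v2.0.4
+with:
+app-id: ${{ secrets.BOT_APP_ID }}
+private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+assignees: rvolosatovs
+reviewers: rvolosatovs
+delete-branch: true
+signoff: true
+labels: dependencies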
260 changes: 260 additions & 0 deletions .github/workflows/west.yml
@@ -0,0 +1,260 @@
name: west

on:
merge_group:
pull_request:
push:
branches:
- main
tags:
- 'crates/passthrough/v[0-9].[0-9]+.[0-9]+'
- 'crates/passthrough/v[0-9].[0-9]+.[0-9]+-*'
- 'crates/west-sys/v[0-9].[0-9]+.[0-9]+'
- 'crates/west-sys/v[0-9].[0-9]+.[0-9]+-*'
- 'crates/west/v[0-9].[0-9]+.[0-9]+'
- 'crates/west/v[0-9].[0-9]+.[0-9]+-*'
- 'v[0-9].[0-9]+.[0-9]+'
- 'v[0-9].[0-9]+.[0-9]+-*'
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
build:
strategy:
matrix:
target:
- aarch64-unknown-linux-musl
- aarch64-apple-darwin
- aarch64-linux-android
- x86_64-apple-darwin
- x86_64-pc-windows-gnu
- x86_64-unknown-linux-musl

name: west-${{ matrix.target }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-nix
with:
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- uses: ./.github/actions/build-nix
with:
package: west-${{ matrix.target }}

test-dev:
strategy:
matrix:
os:
- ubuntu-latest
- windows-latest
- macos-13
- macos-14
if: ${{ !startsWith(github.ref, 'refs/tags/go/') }}
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- run: rustup show
- run: go generate ./go/...
- run: go test -v ./go/...

test-lib:
strategy:
matrix:
config:
- os: ubuntu-latest
lib: x86_64-linux
target: west-x86_64-unknown-linux-musl

- os: windows-latest
lib: x86_64-windows
target: west-x86_64-pc-windows-gnu

- os: macos-13
lib: x86_64-darwin
target: west-x86_64-apple-darwin

- os: macos-14
lib: aarch64-darwin
target: west-aarch64-apple-darwin

if: ${{ !startsWith(github.ref, 'refs/tags/go/') }}
runs-on: ${{ matrix.config.os }}
needs: build
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- run: rustup show
- run: go generate ./go/...
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: west-${{ matrix.config.target }}
path: lib/${{ matrix.config.lib }}
- run: go test ./go/...

cargo:
strategy:
matrix:
check:
- audit
- fmt
- clippy
- nextest

name: cargo ${{ matrix.check }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-nix
with:
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: go work vendor -e -v
if: ${{ matrix.check }} == "nextest"
- run: git add .
if: ${{ matrix.check }} == "nextest"
- run: nix build -L .#checks.x86_64-linux.${{ matrix.check }}

crates:
if: ${{ !startsWith(github.ref, 'refs/tags/go/') }}
strategy:
matrix:
include:
- crate: passthrough

- crate: west

- crate: west-sys
workspace-dependencies: true

name: publish ${{ matrix.crate }} to crates.io
needs: cargo
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Extract tag context
id: ctx
run: |
version=${GITHUB_REF_NAME#crates/${{ matrix.crate }}/v}
echo "version=${version}" >> "$GITHUB_OUTPUT"
echo "version is ${version}"
if [[ $version == *"-"* ]]; then
echo "version ${version} is a pre-release"
echo "prerelease=true" >> "$GITHUB_OUTPUT"
fi
- name: dry-run publish ${{ matrix.crate }} to crates.io
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
continue-on-error: ${{ matrix.workspace-dependencies }} # publish may fail due to workspace crates not being published yet
run: cargo publish --dry-run
working-directory: ./crates/${{ matrix.crate }}

- name: publish ${{ matrix.crate }} to crates.io
if: startsWith(github.ref, format('refs/tags/crates/{0}/v', matrix.crate)) && !steps.ctx.outputs.prerelease
continue-on-error: ${{ github.repository_owner != 'rvolosatovs' }}
run: |
pkgver=$(cargo pkgid | cut -d '@' -f 2)
tagver="${{ steps.ctx.outputs.version }}"
if ! [ "$pkgver" = "$tagver" ]; then
echo "version mismatch, $pkgver (package) != $tagver (tag)"
exit 1
fi
cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
working-directory: ./crates/${{ matrix.crate }}

build-doc:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-nix
with:
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: nix build -L .#checks.x86_64-linux.doc
- run: cp --no-preserve=mode -R ./result/share/doc ./doc
- run: rm -f doc/.lock
- name: Create `.nojekyll`
run: touch doc/.nojekyll
- name: Write `index.html`
run: |
cat <<EOF > doc/index.html
<!DOCTYPE html>
<meta charset="utf-8">
<title>Redirecting to west/index.html</title>
<meta http-equiv="refresh" content="0; URL=west/index.html">
<link rel="canonical" href="https://${{ github.repository_owner }}.github.io/west/west/index.html">
EOF
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: doc

deploy-doc:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: build-doc
permissions:
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
id: deployment

release:
if: startsWith(github.ref, 'refs/tags/v')
needs:
- build
- cargo
- crates
- test-lib
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Extract tag context
id: ctx
run: |
version=${GITHUB_REF_NAME#v}
echo "version=${version}" >> "$GITHUB_OUTPUT"
echo "version is ${version}"
if [[ $version == *"-"* ]]; then
echo "version ${version} is a pre-release"
echo "prerelease=true" >> "$GITHUB_OUTPUT"
fi
- name: publish west to crates.io
run: |
pkgver=$(cargo pkgid | cut -d '@' -f 2)
tagver="${{ steps.ctx.outputs.version }}"
if ![ "$pkgver" = "$tagver" ]; then
echo "version mismatch, $pkgver (package) != $tagver (tag)"
exit 1
fi
cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }}
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: artifacts

- run: |
for dir in ./artifacts/west-*; do
target=${dir#./artifacts/west-}
for lib_path in $(find ${dir}/lib -type f); do
lib=$(basename ${lib_path})
mkdir -p ./${lib}
mv ${lib_path} ./${lib}/${lib}-${target}.a
done
done
- uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
draft: true
prerelease: true
generate_release_notes: true
files: |
./libwest/*
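Review bot: In the `release` job's publish step the guard is written `if ![ "$pkgver" = "$tagver" ]; then`; without the space bash looks for a command named `![`, the condition fails as not-found, and the branch containing `exit 1` is never taken, so `cargo publish` runs even when the tag and package versions differ. It should read `if ! [ "$pkgver" = "$tagver" ]; then`, as the `crates` job already does. In the `cargo` job, `if: ${{ matrix.check }} == "nextest"` expands to a non-empty string and is therefore always true, so `go work vendor` and `git add .` run for every check; `if: matrix.check == 'nextest'` is the intended form. Both publish steps also put the registry token on the command line; setting `env:` with `CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}` and calling plain `cargo publish` keeps it out of argv.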
1 change: 0 additions & 1 deletion .gitignore
@@ -1,4 +1,3 @@
/target
*.wasm
*.a
*.h
11 changes: 4 additions & 7 deletions flake.nix
@@ -1,18 +1,18 @@
{
nixConfig.extra-substituters = [
"https://wrpc.cachix.org"
"https://wasmcloud.cachix.org"
"https://west.cachix.org"
"https://nixify.cachix.org"
"https://crane.cachix.org"
"https://wasmcloud.cachix.org"
"https://bytecodealliance.cachix.org"
"https://nix-community.cachix.org"
"https://cache.garnix.io"
];
nixConfig.extra-trusted-public-keys = [
"wrpc.cachix.org-1:J1xnzWo1nnhlzOmZCA10/5wz87LwCFwQtnqCibCy67w="
"wasmcloud.cachix.org-1:9gRBzsKh+x2HbVVspreFg/6iFRiD4aOcUQfXVDl3hiM="
"west.cachix.org-1:F8ZwKSRWiSCh+rMyZAP7xhgUP6ZW88AGXE7KOR30Fg0="
"nixify.cachix.org-1:95SiUQuf8Ij0hwDweALJsLtnMyv/otZamWNRp1Q1pXw="
"crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk="
"wasmcloud.cachix.org-1:9gRBzsKh+x2HbVVspreFg/6iFRiD4aOcUQfXVDl3hiM="
"bytecodealliance.cachix.org-1:0SBgh//n2n0heh0sDFhTm+ZKBRy2sInakzFGfzN531Y="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
@@ -137,8 +137,6 @@
nativeCheckInputs =
nativeCheckInputs
++ [
pkgs.nats-server

pkgs.pkgsUnstable.go
];
};
@@ -152,7 +150,6 @@
buildInputs = [
pkgs.wit-deps

pkgs.pkgsUnstable.binaryen
pkgs.pkgsUnstable.go_1_23
pkgs.pkgsUnstable.wasm-tools
pkgs.pkgsUnstable.wasmtime
