build(deps): bump github/codeql-action from 3.27.1 to 3.27.3 #1678
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: wrpc | |
on: | |
merge_group: | |
pull_request: | |
push: | |
branches: | |
- main | |
tags: | |
- 'crates/cli/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/cli/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/introspect/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/introspect/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/pack/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/pack/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/runtime-wasmtime/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/runtime-wasmtime/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/test/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/test/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/transport-nats/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/transport-nats/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/transport-quic/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/transport-quic/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/transport-web/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/transport-web/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/transport/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/transport/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wasi-keyvalue-mem/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wasi-keyvalue-mem/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wasi-keyvalue-redis/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wasi-keyvalue-redis/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wasi-keyvalue/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wasi-keyvalue/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wasmtime-cli/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wasmtime-cli/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wit-bindgen-go/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wit-bindgen-go/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wit-bindgen-rust-macro/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wit-bindgen-rust-macro/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wit-bindgen-rust/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wit-bindgen-rust/v[0-9].[0-9]+.[0-9]+-*' | |
- 'crates/wit-bindgen/v[0-9].[0-9]+.[0-9]+' | |
- 'crates/wit-bindgen/v[0-9].[0-9]+.[0-9]+-*' | |
- 'v[0-9].[0-9]+.[0-9]+' | |
- 'v[0-9].[0-9]+.[0-9]+-*' | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build-bin: | |
strategy: | |
matrix: | |
config: | |
- target: aarch64-unknown-linux-musl | |
test-bin: | | |
nix profile install --inputs-from . 'nixpkgs#qemu' | |
qemu-aarch64 ./result/bin/wit-bindgen-wrpc --version | |
qemu-aarch64 ./result/bin/wrpc-wasmtime --version | |
test-oci: docker load < ./result | |
# TODO: Run aarch64 binary within OCI | |
- target: aarch64-apple-darwin | |
test-bin: | | |
file ./result/bin/wit-bindgen-wrpc | |
file ./result/bin/wrpc-wasmtime | |
test-oci: docker load < ./result | |
- target: aarch64-linux-android | |
test-bin: | | |
file ./result/bin/wit-bindgen-wrpc | |
file ./result/bin/wrpc-wasmtime | |
test-oci: docker load < ./result | |
- target: riscv64gc-unknown-linux-gnu-fhs | |
test-bin: | | |
nix build -L '.#wrpc-riscv64gc-unknown-linux-gnu' | |
nix shell --inputs-from . 'nixpkgs#qemu' -c qemu-riscv64 ./result/bin/wit-bindgen-wrpc --version | |
nix shell --inputs-from . 'nixpkgs#qemu' -c qemu-riscv64 ./result/bin/wrpc-wasmtime --version | |
- target: x86_64-apple-darwin | |
test-bin: | | |
file ./result/bin/wit-bindgen-wrpc | |
file ./result/bin/wrpc-wasmtime | |
test-oci: docker load < ./result | |
- target: x86_64-pc-windows-gnu | |
test-bin: | | |
nix profile install --inputs-from . 'nixpkgs#wine64' | |
wine64 ./result/bin/wit-bindgen-wrpc.exe --version | |
wine64 ./result/bin/wrpc-wasmtime.exe --version | |
test-oci: docker load < ./result | |
# TODO: Run win64 binary within OCI | |
- target: x86_64-unknown-linux-musl | |
test-bin: | | |
./result/bin/wit-bindgen-wrpc --version | |
./result/bin/wrpc-wasmtime --version | |
test-oci: | | |
docker load < ./result | |
docker run --rm wrpc:$(nix eval --raw .#wrpc-x86_64-unknown-linux-musl-oci.imageTag) wit-bindgen-wrpc --version | |
docker run --rm wrpc:$(nix eval --raw .#wrpc-x86_64-unknown-linux-musl-oci.imageTag) wrpc-wasmtime --version | |
name: wrpc-${{ matrix.config.target }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: ./.github/actions/install-nix | |
with: | |
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- uses: ./.github/actions/build-nix | |
with: | |
package: wrpc-${{ matrix.config.target }} | |
- run: ${{ matrix.config.test-bin }} | |
- uses: ./.github/actions/build-nix | |
if: ${{ !endsWith(matrix.config.target, 'fhs') }} | |
with: | |
package: wrpc-${{ matrix.config.target }}-oci | |
- run: ${{ matrix.config.test-oci }} | |
if: ${{ !endsWith(matrix.config.target, 'fhs') }} | |
build-lipo: | |
if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} | |
name: wrpc-universal-darwin | |
needs: build-bin | |
runs-on: macos-latest | |
steps: | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: wrpc-aarch64-apple-darwin | |
path: aarch64 | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: wrpc-x86_64-apple-darwin | |
path: x86_64 | |
- run: chmod +x ./x86_64/bin/* | |
- run: ./x86_64/bin/wit-bindgen-wrpc --version | |
- run: ./x86_64/bin/wrpc-wasmtime --version | |
- run: mkdir -p ./artifact/bin | |
- run: lipo -create ./aarch64/bin/wit-bindgen-wrpc ./x86_64/bin/wit-bindgen-wrpc -output ./artifact/bin/wit-bindgen-wrpc | |
- run: lipo -create ./aarch64/bin/wrpc-wasmtime ./x86_64/bin/wrpc-wasmtime -output ./artifact/bin/wrpc-wasmtime | |
- run: chmod +x ./artifact/bin/wit-bindgen-wrpc | |
- run: ./artifact/bin/wit-bindgen-wrpc --version | |
- run: chmod +x ./artifact/bin/wrpc-wasmtime | |
- run: ./artifact/bin/wrpc-wasmtime --version | |
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: wrpc-universal-darwin | |
path: artifact | |
test-linux: | |
if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} | |
runs-on: ubuntu-latest | |
needs: build-bin | |
steps: | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: wrpc-x86_64-unknown-linux-musl | |
- run: chmod +x ./bin/wit-bindgen-wrpc | |
- run: chmod +x ./bin/wrpc-wasmtime | |
- run: ./bin/wit-bindgen-wrpc --version | |
- run: ./bin/wrpc-wasmtime --version | |
test-windows: | |
if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} | |
runs-on: windows-latest | |
needs: build-bin | |
steps: | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: wrpc-x86_64-pc-windows-gnu | |
- run: .\bin\wit-bindgen-wrpc.exe --version | |
- run: .\bin\wrpc-wasmtime.exe --version | |
cargo: | |
strategy: | |
matrix: | |
check: | |
- audit | |
- fmt | |
- clippy | |
- nextest | |
name: cargo ${{ matrix.check }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: ./.github/actions/install-nix | |
with: | |
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- run: go work vendor -e -v | |
if: ${{ matrix.check }} == "nextest" | |
- run: git add . | |
if: ${{ matrix.check }} == "nextest" | |
- run: nix build -L .#checks.x86_64-linux.${{ matrix.check }} | |
crates: | |
if: ${{ !startsWith(github.ref, 'refs/tags/go/') }} | |
strategy: | |
matrix: | |
include: | |
- crate: cli | |
- crate: introspect | |
- crate: pack | |
workspace-dependencies: true | |
- crate: test | |
workspace-dependencies: true | |
- crate: runtime-wasmtime | |
workspace-dependencies: true | |
- crate: transport | |
- crate: transport-nats | |
workspace-dependencies: true | |
- crate: transport-quic | |
workspace-dependencies: true | |
- crate: transport-web | |
workspace-dependencies: true | |
- crate: wasi-keyvalue | |
workspace-dependencies: true | |
- crate: wasi-keyvalue-mem | |
workspace-dependencies: true | |
- crate: wasi-keyvalue-redis | |
workspace-dependencies: true | |
- crate: wasmtime-cli | |
workspace-dependencies: true | |
- crate: wit-bindgen | |
workspace-dependencies: true | |
- crate: wit-bindgen-go | |
workspace-dependencies: true | |
- crate: wit-bindgen-rust | |
workspace-dependencies: true | |
- crate: wit-bindgen-rust-macro | |
workspace-dependencies: true | |
name: publish ${{ matrix.crate }} to crates.io | |
needs: cargo | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Extract tag context | |
id: ctx | |
run: | | |
version=${GITHUB_REF_NAME#crates/${{ matrix.crate }}/v} | |
echo "version=${version}" >> "$GITHUB_OUTPUT" | |
echo "version is ${version}" | |
if [[ $version == *"-"* ]]; then | |
echo "version ${version} is a pre-release" | |
echo "prerelease=true" >> "$GITHUB_OUTPUT" | |
fi | |
- name: dry-run publish ${{ matrix.crate }} to crates.io | |
if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
continue-on-error: ${{ matrix.workspace-dependencies }} # publish may fail due to workspace crates not being published yet | |
run: cargo publish --dry-run | |
working-directory: ./crates/${{ matrix.crate }} | |
- name: publish ${{ matrix.crate }} to crates.io | |
if: startsWith(github.ref, format('refs/tags/crates/{0}/v', matrix.crate)) && !steps.ctx.outputs.prerelease | |
continue-on-error: ${{ github.repository_owner != 'bytecodealliance' }} | |
run: | | |
pkgver=$(cargo pkgid | cut -d '@' -f 2) | |
tagver="${{ steps.ctx.outputs.version }}" | |
if ! [ "$pkgver" = "$tagver" ]; then | |
echo "version mismatch, $pkgver (package) != $tagver (tag)" | |
exit 1 | |
fi | |
cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }} | |
working-directory: ./crates/${{ matrix.crate }} | |
build-doc: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: ./.github/actions/install-nix | |
with: | |
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- run: nix build -L .#checks.x86_64-linux.doc | |
- run: cp --no-preserve=mode -R ./result/share/doc ./doc | |
- run: rm -f doc/.lock | |
- name: Create `.nojekyll` | |
run: touch doc/.nojekyll | |
- name: Write `index.html` | |
run: | | |
cat <<EOF > doc/index.html | |
<!DOCTYPE html> | |
<meta charset="utf-8"> | |
<title>Redirecting to wrpc/index.html</title> | |
<meta http-equiv="refresh" content="0; URL=wrpc/index.html"> | |
<link rel="canonical" href="https://${{ github.repository_owner }}.github.io/wrpc/wrpc/index.html"> | |
EOF | |
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 | |
with: | |
path: doc | |
deploy-doc: | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
needs: build-doc | |
permissions: | |
pages: write | |
id-token: write | |
environment: | |
name: github-pages | |
url: ${{ steps.deployment.outputs.page_url }} | |
steps: | |
- uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 | |
id: deployment | |
oci: | |
if: ${{ !startsWith(github.ref, 'refs/tags/crates/') && !startsWith(github.ref, 'refs/tags/go/') }} | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
needs: | |
- build-bin | |
- test-linux | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: ./.github/actions/install-nix | |
with: | |
cachixAuthToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- name: Extract tag context | |
id: ctx | |
run: | | |
echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT" | |
echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" | |
version=${GITHUB_REF_NAME#${{ matrix.prefix }}v} | |
echo "version=${version}" >> "$GITHUB_OUTPUT" | |
echo "version is ${version}" | |
if [[ $version == *"-"* ]]; then | |
echo "version ${version} is a pre-release" | |
echo "prerelease=true" >> "$GITHUB_OUTPUT" | |
fi | |
- name: Login to GitHub Container Registry | |
if: startswith(github.ref, format('refs/tags/{0}v', matrix.prefix)) || github.ref == 'refs/heads/main' | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install `buildah` | |
run: nix profile install --inputs-from . 'nixpkgs#buildah' | |
- name: Build `wrpc` image | |
run: nix run -L .#build-wrpc-oci wrpc | |
- name: Test `wrpc` image | |
run: | | |
buildah push wrpc:$(nix eval --raw .#wrpc-x86_64-unknown-linux-musl-oci.imageTag) docker-daemon:wrpc:test | |
docker run --rm wrpc:test wit-bindgen-wrpc --version | |
- name: Push `wrpc` commit rev tag | |
if: startswith(github.ref, format('refs/tags/{0}v', matrix.prefix)) || github.ref == 'refs/heads/main' | |
run: | | |
buildah manifest push --all --format 'v2s2' wrpc docker://ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:${{ github.sha }} | |
buildah manifest push --all --format 'v2s2' wrpc docker://ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:${{ steps.ctx.outputs.sha_short }} | |
docker run --rm ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:${{ github.sha }} wit-bindgen-wrpc --version | |
docker run --rm ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:${{ steps.ctx.outputs.sha_short }} wit-bindgen-wrpc --version | |
- name: Push `wrpc` version tag | |
if: startswith(github.ref, format('refs/tags/{0}v', matrix.prefix)) | |
continue-on-error: ${{ github.repository_owner != 'bytecodealliance' }} | |
run: | | |
buildah manifest push --all --format 'v2s2' wrpc docker://ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:${{ steps.ctx.outputs.version }} | |
docker run --rm ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:${{ steps.ctx.outputs.version }} wit-bindgen-wrpc --version | |
- name: Push `wrpc` `latest` tag | |
if: startswith(github.ref, format('refs/tags/{0}v', matrix.prefix)) && !steps.ctx.outputs.prerelease | |
continue-on-error: ${{ github.repository_owner != 'bytecodealliance' }} | |
run: | | |
buildah manifest push --all --format 'v2s2' wrpc docker://ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:latest | |
docker run --rm ghcr.io/${{ steps.ctx.outputs.owner }}/wrpc:latest wit-bindgen-wrpc --version | |
release: | |
if: startsWith(github.ref, 'refs/tags/v') | |
needs: | |
- build-bin | |
- build-doc | |
- build-lipo | |
- cargo | |
- crates | |
- oci | |
- test-linux | |
- test-windows | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Extract tag context | |
id: ctx | |
run: | | |
version=${GITHUB_REF_NAME#v} | |
echo "version=${version}" >> "$GITHUB_OUTPUT" | |
echo "version is ${version}" | |
if [[ $version == *"-"* ]]; then | |
echo "version ${version} is a pre-release" | |
echo "prerelease=true" >> "$GITHUB_OUTPUT" | |
fi | |
- name: publish wRPC to crates.io | |
run: | | |
pkgver=$(cargo pkgid | cut -d '#' -f 2) | |
tagver="${{ steps.ctx.outputs.version }}" | |
if ! [ "$pkgver" = "$tagver" ]; then | |
echo "version mismatch, $pkgver (package) != $tagver (tag)" | |
exit 1 | |
fi | |
cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }} | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: artifacts | |
- run: | | |
for dir in ./artifacts/wrpc-*; do | |
target=${dir#./artifacts/wrpc-} | |
for bin_path in $(find ${dir}/bin -type f); do | |
chmod +x ${bin_path} | |
bin=$(basename ${bin_path}) | |
case "$bin" in | |
*.exe) | |
bin="${bin%.exe}" | |
mkdir -p ./${bin} | |
mv ${bin_path} ./${bin}/${bin}-${target}.exe | |
;; | |
*) | |
mkdir -p ./${bin} | |
mv ${bin_path} ./${bin}/${bin}-${target%-fhs} | |
;; | |
esac | |
done | |
done | |
- uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
with: | |
draft: true | |
prerelease: true | |
generate_release_notes: true | |
files: | | |
./wit-bindgen-wrpc/* | |
./wrpc-wasmtime/* | |