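# Manually dispatched release workflow: builds the stage-1 injector for
# x86_64 and aarch64 (musl targets), uploads both binaries to Docker Hub as
# blobs with cosign, then signs the uploaded references with a KMS-backed key.
name: Publish Injector Stage I
on:
  workflow_dispatch:
    inputs:
      versionTag:
        description: "Version tag"
        required: true
      branchName:
        description: "Branch to build the injector from"
        required: false
        default: "master"

# Least privilege for GITHUB_TOKEN: this job only reads the repository.
# Registry and KMS access come from the dedicated secrets below.
permissions:
  contents: read

jobs:
  build-injector:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions in this job are referenced by
      # mutable tags. For a job that holds signing credentials, pin each one
      # to a full commit SHA so a moved tag cannot change what runs here.
      - name: "Dependency: Install cosign"
        uses: sigstore/cosign-installer@v2.8.0

      - name: "Dependency: Setup rust toolchain"
        run: |
          # pipefail: a failed download must fail the step instead of piping
          # an empty script into sh and reporting success.
          set -euo pipefail
          # NOTE(review): the installer script and toolchain version are not
          # pinned; consider a fixed toolchain for reproducible release builds.
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"

      - name: "Checkout Repo"
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.inputs.branchName }}
          # Later steps never push with git, so do not leave the token in
          # .git/config where build scripts run during `cargo build`.
          persist-credentials: false

      - name: "Build Rust Binary for x86_64"
        working-directory: src/injector/stage1
        run: |
          # NOTE(review): if Cargo.lock is committed, `--locked` would keep
          # dependency resolution from drifting at release time; confirm.
          cargo build --target x86_64-unknown-linux-musl --release
          strip target/x86_64-unknown-linux-musl/release/zarf-injector

      - name: "Build Rust Binary for aarch64"
        working-directory: src/injector/stage1
        run: |
          set -euo pipefail
          rustup target add aarch64-unknown-linux-musl
          # NOTE(review): this cross toolchain is downloaded and executed
          # without any integrity check, and its output is what gets signed.
          # Record a known-good SHA-256 for the tarball and verify it before
          # extracting (or vendor/mirror the toolchain).
          curl --proto '=https' --tlsv1.2 -sSf https://musl.cc/aarch64-linux-musl-cross.tgz | tar -xz
          export PATH="$PWD/aarch64-linux-musl-cross/bin:$PATH"
          cargo build --target aarch64-unknown-linux-musl --release
          aarch64-linux-musl-strip target/aarch64-unknown-linux-musl/release/zarf-injector

      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: "Upload Binaries To DockerHub"
        working-directory: src/injector/stage1/target
        env:
          # Dispatch inputs are passed through the environment and quoted in
          # the script, so their contents are never parsed as shell syntax.
          VERSION_TAG: ${{ github.event.inputs.versionTag }}
        run: |
          cosign upload blob -f x86_64-unknown-linux-musl/release/zarf-injector "defenseunicorns/zarf-injector:amd64-${VERSION_TAG}"
          cosign upload blob -f aarch64-unknown-linux-musl/release/zarf-injector "defenseunicorns/zarf-injector:arm64-${VERSION_TAG}"

      - name: "Sign the binaries"
        env:
          COSIGN_EXPERIMENTAL: "1"
          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
          # Secrets and inputs reach the script as environment variables
          # rather than being expanded into the script text.
          COSIGN_AWS_KMS_KEY: ${{ secrets.COSIGN_AWS_KMS_KEY }}
          VERSION_TAG: ${{ github.event.inputs.versionTag }}
          RELEASE_ENGINEER: ${{ github.actor }}
        run: |
          # NOTE(review): signing by tag trusts that the tag still points at
          # the blob uploaded in the previous step. Signing the digest
          # reported by the upload would remove that window; confirm how the
          # installed cosign version reports it.
          for arch in amd64 arm64; do
            cosign sign --key "awskms:///${COSIGN_AWS_KMS_KEY}" \
              -a "release-engineer=https://github.com/${RELEASE_ENGINEER}" \
              -a "version=${VERSION_TAG}" \
              "defenseunicorns/zarf-injector:${arch}-${VERSION_TAG}"
          done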