Prebuild #18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Prebuild | |
| # yamllint disable-line rule:truthy | |
| on: | |
| workflow_dispatch: | |
| permissions: | |
| attestations: write | |
| contents: write | |
| id-token: write | |
| env: | |
| # Disable incremental compilation to avoid overhead. | |
| CARGO_INCREMENTAL: "0" | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # do NOT load any caches here, we want a clean, freestanding build w/o stateful dependencies! | |
| - name: Set Timestamp | |
| id: timestamp | |
| run: | | |
| ts_iso="$(date -u -Is)" | |
| ts_tag="$(echo "$ts_iso" | sed 's/+00:00//g' | sed 's/:/-/g')" | |
| echo "iso=$ts_iso" | |
| echo "tag=$ts_tag" | |
| echo TIMESTAMP_ISO="$ts_iso" >> "$GITHUB_OUTPUT" | |
| echo TIMESTAMP_TAG="$ts_tag" >> "$GITHUB_OUTPUT" | |
| - name: Checkout | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| fetch-depth: 1 | |
| - name: Fetch main branch | |
| run: git fetch --depth=1 origin main | |
| - name: Free disk space | |
| uses: ./.github/actions/free-disk-space | |
| - name: Install `just` | |
| uses: taiki-e/install-action@0e76c5c569f13f7eb21e8e5b26fe710062b57b62 # v2 | |
| with: | |
| tool: just | |
| - name: Install stable toolchain | |
| uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master | |
| with: | |
| toolchain: stable | |
| targets: wasm32-wasip2 | |
| - name: build "add one" example (debug) | |
| run: just guests::rust::build-add-one-debug | |
| - name: build "add one" example (release) | |
| run: just guests::rust::build-add-one-release | |
| - name: build python guest (debug) | |
| run: just guests::python::build-debug | |
| - name: build python guest (release) | |
| run: just guests::python::build-release | |
| # we need unique file names for the release | |
| - name: stage release files | |
| run: | | |
| mkdir out | |
| mv target/wasm32-wasip2/debug/examples/add_one.wasm out/example_add_one.debug.wasm | |
| mv target/wasm32-wasip2/release/examples/add_one.wasm out/example_add_one.release.wasm | |
| mv target/wasm32-wasip2/debug/datafusion_udf_wasm_python.wasm out/datafusion_udf_wasm_python.debug.wasm | |
| mv target/wasm32-wasip2/release/datafusion_udf_wasm_python.wasm out/datafusion_udf_wasm_python.release.wasm | |
| - name: compile WASM to machine code | |
| run: | | |
| targets=( | |
| "aarch64-apple-darwin" | |
| "aarch64-pc-windows-msvc" | |
| "aarch64-unknown-linux-gnu" | |
| "x86_64-apple-darwin" | |
| "x86_64-pc-windows-msvc" | |
| "x86_64-unknown-linux-gnu" | |
| ) | |
| for wasm_path in out/*.wasm; do | |
| wasm_basename="$(basename "$wasm_path" .wasm)" | |
| for target in "${targets[@]}"; do | |
| out_file="${wasm_basename}.${target}.elf" | |
| echo "$out_file" | |
| cargo run --bin=compile --features="all-arch" -- "$wasm_path" "out/${out_file}" "$target" | |
| done | |
| done | |
| - name: calculate checksums | |
| run: | | |
| sha256sum * > sha256sum.txt | |
| working-directory: ./out | |
| - name: read wasmtime version | |
| id: wasmtime | |
| run: | | |
| version="$(cargo metadata --format-version=1 | jq --raw-output '.packages[] | select(.name == "wasmtime") | .version')" | |
| echo "version=$version" | |
| echo VERSION="$version" >> "$GITHUB_OUTPUT" | |
| - name: attestation | |
| id: attestation | |
| uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3 | |
| with: | |
| subject-path: out/* | |
| - name: publish release | |
| uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 | |
| with: | |
| body: | | |
| WASM guest binaries. | |
| # Build Metadata | |
| **Commit:** [`${{ github.sha }}`](${{ github.server_url }}/${{ github.repository }}/tree/${{ github.sha }}) | |
| **Wasmtime:** `${{ steps.wasmtime.outputs.VERSION }}` | |
| **Build Timestamp:** `${{ steps.timestamp.outputs.TIMESTAMP_ISO }}` | |
| **Build Attestation:** <${{ steps.attestation.outputs.attestation-url }}> | |
| # WASM Binaries | |
| We build the following targets: | |
| - `example_add_one`: "add one" Rust example UDF | |
| - `datafusion_udf_wasm_python`: Guest for Python-based UDFs, bundles CPython. | |
| Each of them is provided in `debug` and `release` builds. The artifacts have the file extension `.wasm`. | |
| # Machine-Code Binaries | |
| In addition to the WASM binary blobs, we also provide pre-compiled guests for various targets to be used with `wasmtime`. The artifacts have the file extension `.elf`. | |
| **⚠️ Using pre-build binaries requires you to validate the source and trust the binary. Using a binary blindly can lead to remote code execution, memory and data corruption, and all kinds of bad things. You can use the provided build attestation. ⚠️** | |
| # Checksums & Attestation | |
| We provide sha256 checksums for all artifacts in `sha256sum.txt`. You can use that file -- either directly or indirectly via its own checksum -- to safely pin all artifacts of this release. We also provide [build attestation](${{ steps.attestation.outputs.attestation-url }}). | |
| preserve_order: true | |
| files: out/* | |
| name: "WASM Binaries ${{ steps.timestamp.outputs.TIMESTAMP_ISO }}" | |
| tag_name: "wasm-binaries/${{ steps.timestamp.outputs.TIMESTAMP_TAG }}/${{ github.sha }}" | |
| fail_on_unmatched_files: true | |
| target_commitish: "${{ github.sha }}" | |
| make_latest: false |