From 861116ee79345764323d3490a6347e4667ede052 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 15:24:37 -0400 Subject: [PATCH 01/12] Add standard OCI image labels Normalize on the git build flow. This is helpful to be able to lookup and populate metadata about the build consistently. Also attempting to pin the build time to the commit timestamp. Signed-off-by: Scott Andrews --- .github/workflows/dev-publish.yaml | 21 ++++---- .github/workflows/manual-publish.yaml | 22 ++++---- .github/workflows/publish.yaml | 73 ++++++++++++++++----------- .github/workflows/pull-request.yaml | 45 +++++++++++++---- .github/workflows/push.yaml | 24 +++++++-- Dockerfile | 47 +++++++++-------- 6 files changed, 143 insertions(+), 89 deletions(-) diff --git a/.github/workflows/dev-publish.yaml b/.github/workflows/dev-publish.yaml index d523584..5a1e016 100644 --- a/.github/workflows/dev-publish.yaml +++ b/.github/workflows/dev-publish.yaml @@ -17,8 +17,8 @@ jobs: runs-on: ubuntu-latest outputs: rust-version: ${{ steps.versions.outputs.rust-version }} - git-ref: ${{ steps.versions.outputs.git-ref }} - git-ref-short: ${{ steps.versions.outputs.git-ref-short }} + git-sha: ${{ steps.versions.outputs.git-sha }} + git-sha-short: ${{ steps.versions.outputs.git-sha-short }} git-date: ${{ steps.versions.outputs.git-date }} steps: - uses: actions/checkout@v6 @@ -28,10 +28,12 @@ jobs: set -euo pipefail echo "rust-version=$(yq -r '.toolchain.channel' rust-toolchain.toml)" | tee -a "${GITHUB_OUTPUT}" - git_ref=$(gh api repos/bytecodealliance/wasmtime/git/${{ inputs.git-ref || 'ref/tags/dev' }} --template '{{.object.sha}}') - git_date=$(gh api repos/bytecodealliance/wasmtime/commits/${git_ref} --template '{{.commit.committer.date}}') - echo "git-ref=${git_ref}" | tee -a "${GITHUB_OUTPUT}" - echo "git-ref-short=${git_ref:0:7}" | tee -a "${GITHUB_OUTPUT}" + + git_commit=$(gh api repos/bytecodealliance/wasmtime/commits/${{ inputs.git-ref || 'ref/tags/dev' }} --template '{{.sha}} {{.commit.committer.date}}') + git_sha="$(echo "${git_commit}" | cut -d' ' -f1)" + git_date="$(echo "${git_commit}" | cut -d' ' -f2)" + echo "git-sha=${git_sha}" | tee -a "${GITHUB_OUTPUT}" + echo "git-sha-short=${git_sha:0:7}" | tee -a "${GITHUB_OUTPUT}" echo "git-date=${git_date:0:10}" | tee -a "${GITHUB_OUTPUT}" env: GH_TOKEN: ${{ github.token }} @@ -45,12 +47,11 @@ jobs: uses: ./.github/workflows/publish.yaml with: rust-version: "${{ needs.preflight.outputs.rust-version }}" - wasmtime-source: git - wasmtime-version: ${{ needs.preflight.outputs.git-ref }} + wasmtime-git-sha: ${{ needs.preflight.outputs.git-sha }} repository: dev - tag: dev-${{ needs.preflight.outputs.git-ref }} + tag: dev-${{ needs.preflight.outputs.git-sha }} additional-tags: | - dev-${{ needs.preflight.outputs.git-ref-short }} + dev-${{ needs.preflight.outputs.git-sha-short }} dev-${{ needs.preflight.outputs.git-date }} dev latest diff --git a/.github/workflows/manual-publish.yaml b/.github/workflows/manual-publish.yaml index 4039e3b..29112ff 100644 --- a/.github/workflows/manual-publish.yaml +++ b/.github/workflows/manual-publish.yaml @@ -3,18 +3,10 @@ name: Manual publish on: workflow_dispatch: inputs: - wasmtime-version: - description: wasmtime version to build + wasmtime-git-ref: + description: wasmtime git ref to build ('refs/tag/{tag}', 'refs/heads/{branch}') required: true type: string - wasmtime-source: - description: wasmtime source. 'crate' or 'git' - required: true - type: choice - default: crate - options: - - crate - - git repository: description: image repository to publish into type: string @@ -37,6 +29,7 @@ jobs: runs-on: ubuntu-latest outputs: rust-version: ${{ steps.versions.outputs.rust-version }} + wasmtime-git-sha: ${{ steps.versions.outputs.wasmtime-git-sha }} additional-tags: ${{ steps.versions.outputs.additional-tags }} steps: - uses: actions/checkout@v6 @@ -46,10 +39,16 @@ jobs: set -euo pipefail echo "rust-version=$(yq -r '.toolchain.channel' rust-toolchain.toml)" | tee -a "${GITHUB_OUTPUT}" + + wasmtime_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/${{ inputs.wasmtime-git-ref }}" --template '{{.sha}}'))" + echo "wasmtime-git-sha=${wasmtime_git_sha}" | tee -a "${GITHUB_OUTPUT}" + # convert space delimited to new-line delimited echo 'additional-tags< Date: Sun, 24 May 2026 15:34:38 -0400 Subject: [PATCH 02/12] add v to rust version to match the git tag Signed-off-by: Scott Andrews --- .github/workflows/dev-publish.yaml | 4 +-- .github/workflows/publish.yaml | 2 +- .github/workflows/pull-request.yaml | 24 ++++++++--------- .github/workflows/push.yaml | 40 ++++++++++++++--------------- 4 files changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/dev-publish.yaml b/.github/workflows/dev-publish.yaml index 5a1e016..7056e00 100644 --- a/.github/workflows/dev-publish.yaml +++ b/.github/workflows/dev-publish.yaml @@ -8,7 +8,7 @@ on: git-ref: description: git-ref version to build type: string - default: ref/tags/dev + default: refs/tags/dev jobs: @@ -29,7 +29,7 @@ jobs: echo "rust-version=$(yq -r '.toolchain.channel' rust-toolchain.toml)" | tee -a "${GITHUB_OUTPUT}" - git_commit=$(gh api repos/bytecodealliance/wasmtime/commits/${{ inputs.git-ref || 'ref/tags/dev' }} --template '{{.sha}} {{.commit.committer.date}}') + git_commit=$(gh api repos/bytecodealliance/wasmtime/commits/${{ inputs.git-ref || 'refs/tags/dev' }} --template '{{.sha}} {{.commit.committer.date}}') git_sha="$(echo "${git_commit}" | cut -d' ' -f1)" git_date="$(echo "${git_commit}" | cut -d' ' -f2)" echo "git-sha=${git_sha}" | tee -a "${GITHUB_OUTPUT}" diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 3a6803b..c13648a 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -32,7 +32,7 @@ on: default: false concurrency: - group: ${{ case(inputs.publish, inputs.tag, format('run-{0}-v{1}', github.run_id, inputs.tag)) }} + group: ${{ case(inputs.publish, inputs.tag, format('run-{0}-{1}', github.run_id, inputs.tag)) }} queue: max env: diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 25145ed..d54d36a 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -51,26 +51,26 @@ jobs: echo "rust-version=$(yq -r '.toolchain.channel' rust-toolchain.toml)" | tee -a "${GITHUB_OUTPUT}" # stable - wasmtime_stable_version="$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_stable_version}" --template '{{.sha}}'))" + wasmtime_stable_version="v$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_version}" --template '{{.sha}}'))" echo "wasmtime-stable-version=${wasmtime_stable_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-git-sha=${wasmtime_stable_git_sha}" | tee -a "${GITHUB_OUTPUT}" # stable, minus 1 - wasmtime_stable_1_version="$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_stable_1_version}" --template '{{.sha}}'))" + wasmtime_stable_1_version="v$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_1_version}" --template '{{.sha}}'))" echo "wasmtime-stable-1-version=${wasmtime_stable_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-1-git-sha=${wasmtime_stable_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts - wasmtime_lts_version="$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_lts_version}" --template '{{.sha}}'))" + wasmtime_lts_version="v$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_version}" --template '{{.sha}}'))" echo "wasmtime-lts-version=${wasmtime_lts_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-git-sha=${wasmtime_lts_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts, minus 1 - wasmtime_lts_1_version="$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_lts_1_version}" --template '{{.sha}}'))" + wasmtime_lts_1_version="v$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_1_version}" --template '{{.sha}}'))" echo "wasmtime-lts-1-version=${wasmtime_lts_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-1-git-sha=${wasmtime_lts_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" env: @@ -87,16 +87,16 @@ jobs: matrix: include: - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-stable-version }} + tag: ${{ needs.preflight.outputs.wasmtime-stable-version }} force: ${{ needs.preflight.outputs.wasmtime-stable-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-1-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-stable-1-version }} + tag: ${{ needs.preflight.outputs.wasmtime-stable-1-version }} force: ${{ needs.preflight.outputs.wasmtime-stable-1-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-lts-version }} + tag: ${{ needs.preflight.outputs.wasmtime-lts-version }} force: ${{ needs.preflight.outputs.wasmtime-lts-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-1-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-lts-1-version }} + tag: ${{ needs.preflight.outputs.wasmtime-lts-1-version }} force: ${{ needs.preflight.outputs.wasmtime-lts-1-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} uses: ./.github/workflows/publish.yaml with: diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 574771b..300677b 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -39,32 +39,32 @@ jobs: echo "rust-version=$(yq -r '.toolchain.channel' rust-toolchain.toml)" | tee -a "${GITHUB_OUTPUT}" # stable - wasmtime_stable_version="$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_stable_version}" --template '{{.sha}}'))" + wasmtime_stable_version="v$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_version}" --template '{{.sha}}'))" echo "wasmtime-stable-version=${wasmtime_stable_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-version-major=$(echo "${wasmtime_stable_version}" | cut -d. -f1)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-version-minor=$(echo "${wasmtime_stable_version}" | cut -d. -f1-2)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-git-sha=${wasmtime_stable_git_sha}" | tee -a "${GITHUB_OUTPUT}" # stable, minus 1 - wasmtime_stable_1_version="$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_stable_1_version}" --template '{{.sha}}'))" + wasmtime_stable_1_version="v$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_1_version}" --template '{{.sha}}'))" echo "wasmtime-stable-1-version=${wasmtime_stable_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-1-version-major=$(echo "${wasmtime_stable_1_version}" | cut -d. -f1)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-1-version-minor=$(echo "${wasmtime_stable_1_version}" | cut -d. -f1-2)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-1-git-sha=${wasmtime_stable_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts - wasmtime_lts_version="$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_lts_version}" --template '{{.sha}}'))" + wasmtime_lts_version="v$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_version}" --template '{{.sha}}'))" echo "wasmtime-lts-version=${wasmtime_lts_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-version-major=$(echo "${wasmtime_lts_version}" | cut -d. -f1)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-version-minor=$(echo "${wasmtime_lts_version}" | cut -d. -f1-2)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-git-sha=${wasmtime_lts_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts, minus 1 - wasmtime_lts_1_version="$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/ref/tags/${wasmtime_lts_1_version}" --template '{{.sha}}'))" + wasmtime_lts_1_version="v$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_1_version}" --template '{{.sha}}'))" echo "wasmtime-lts-1-version=${wasmtime_lts_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-1-version-major=$(echo "${wasmtime_lts_1_version}" | cut -d. -f1)" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-1-version-minor=$(echo "${wasmtime_lts_1_version}" | cut -d. -f1-2)" | tee -a "${GITHUB_OUTPUT}" @@ -82,30 +82,30 @@ jobs: matrix: include: - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-stable-version }} + tag: ${{ needs.preflight.outputs.wasmtime-stable-version }} additional-tags: | - v${{ needs.preflight.outputs.wasmtime-stable-version-minor }} - v${{ needs.preflight.outputs.wasmtime-stable-version-major }} + ${{ needs.preflight.outputs.wasmtime-stable-version-minor }} + ${{ needs.preflight.outputs.wasmtime-stable-version-major }} stable latest - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-1-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-stable-1-version }} + tag: ${{ needs.preflight.outputs.wasmtime-stable-1-version }} additional-tags: | - v${{ needs.preflight.outputs.wasmtime-stable-1-version-minor }} - v${{ needs.preflight.outputs.wasmtime-stable-1-version-major }} + ${{ needs.preflight.outputs.wasmtime-stable-1-version-minor }} + ${{ needs.preflight.outputs.wasmtime-stable-1-version-major }} stable-1 latest-1 - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-lts-version }} + tag: ${{ needs.preflight.outputs.wasmtime-lts-version }} additional-tags: | - v${{ needs.preflight.outputs.wasmtime-lts-version-major }} - v${{ needs.preflight.outputs.wasmtime-lts-version-minor }} + ${{ needs.preflight.outputs.wasmtime-lts-version-major }} + ${{ needs.preflight.outputs.wasmtime-lts-version-minor }} lts - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-1-git-sha }} - tag: v${{ needs.preflight.outputs.wasmtime-lts-1-version }} + tag: ${{ needs.preflight.outputs.wasmtime-lts-1-version }} additional-tags: | - v${{ needs.preflight.outputs.wasmtime-lts-1-version-minor }} - v${{ needs.preflight.outputs.wasmtime-lts-1-version-major }} + ${{ needs.preflight.outputs.wasmtime-lts-1-version-minor }} + ${{ needs.preflight.outputs.wasmtime-lts-1-version-major }} lts-1 uses: ./.github/workflows/publish.yaml with: From 853d39a2cb9262c8d6897db2b493d78fb95c944f Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 15:41:26 -0400 Subject: [PATCH 03/12] typo Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 2 +- .github/workflows/pull-request.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index c13648a..ff79989 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -70,7 +70,7 @@ jobs: base_digest="$(crane digest "${base}")" echo "base-digest=${base_digest}" | tee -a "${GITHUB_OUTPUT}" - wasmtime_commit_date=$(gh api repos/bytecodealliance/wasmtime/commits/${{ inputs.wasmtime-git-sha }} --template '{{.commit.committer.date}}') + wasmtime_commit_date="$(gh api "repos/bytecodealliance/wasmtime/commits/${{ inputs.wasmtime-git-sha }}" --template '{{.commit.committer.date}}')" echo "wasmtime-commit-date=${wasmtime_commit_date}" | tee -a "${GITHUB_OUTPUT}" env: GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index d54d36a..618bd0e 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -52,25 +52,25 @@ jobs: # stable wasmtime_stable_version="v$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_version}" --template '{{.sha}}'))" + wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_version}" --template '{{.sha}}')" echo "wasmtime-stable-version=${wasmtime_stable_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-git-sha=${wasmtime_stable_git_sha}" | tee -a "${GITHUB_OUTPUT}" # stable, minus 1 wasmtime_stable_1_version="v$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_1_version}" --template '{{.sha}}'))" + wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_1_version}" --template '{{.sha}}')" echo "wasmtime-stable-1-version=${wasmtime_stable_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-1-git-sha=${wasmtime_stable_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts wasmtime_lts_version="v$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_version}" --template '{{.sha}}'))" + wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_version}" --template '{{.sha}}')" echo "wasmtime-lts-version=${wasmtime_lts_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-git-sha=${wasmtime_lts_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts, minus 1 wasmtime_lts_1_version="v$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_1_version}" --template '{{.sha}}'))" + wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_1_version}" --template '{{.sha}}')" echo "wasmtime-lts-1-version=${wasmtime_lts_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-1-git-sha=${wasmtime_lts_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" env: From 46d5fe1f8d506475fbb25b5b164035cbd8e3ef7e Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 15:43:39 -0400 Subject: [PATCH 04/12] typo Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index ff79989..c95ce19 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -108,8 +108,8 @@ jobs: --build-arg "wasmtime_revision=${{ inputs.wasmtime-git-sha }}" \ --build-arg "wasmtime_version=${{ inputs.tag }}" \ --build-arg "wasmtime_commit_date=${{ needs.preflight.outputs.wasmtime-commit-date }}" \ - --build-arg "base=${{ needs.preflight.outputs.base }}" - --build-arg "base_digest=${{ needs.preflight.outputs.base-digest }}" + --build-arg "base=${{ needs.preflight.outputs.base }}" \ + --build-arg "base_digest=${{ needs.preflight.outputs.base-digest }}" \ --provenance false \ --sbom false \ . From cd2b2d423b5784ca481400fd553f428d9ce56d2a Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 15:47:01 -0400 Subject: [PATCH 05/12] fix docker build timestamp Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index c95ce19..f76b919 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -99,11 +99,11 @@ jobs: --driver=docker-container \ default - SOURCE_DATE_EPOCH="$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ docker buildx build \ --builder container \ --output type=oci,dest="./wasmtime-${{ inputs.tag }}-${{ matrix.arch }}.tar" \ --platform "linux/${{ matrix.arch }}" \ + --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ --build-arg "rust_version=${{ inputs.rust-version }}" \ --build-arg "wasmtime_revision=${{ inputs.wasmtime-git-sha }}" \ --build-arg "wasmtime_version=${{ inputs.tag }}" \ diff --git a/Dockerfile b/Dockerfile index 95d44cc..6a19113 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,7 +14,7 @@ RUN \ ARG base ARG base_digest FROM ${base}@${base_digest} -COPY --from=build --timestamp="${wasmtime_commit_date}" \ +COPY --from=build \ /usr/local/cargo/bin/wasmtime \ /usr/bin/wasmtime ENTRYPOINT ["wasmtime"] From 6da9ccea0040c4db56f89254ef16c891405f7c53 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 15:49:40 -0400 Subject: [PATCH 06/12] drop tag for chaingard/static Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index f76b919..38f424f 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -65,7 +65,7 @@ jobs: digest="$(crane digest "${{ env.image }}" || echo -n '')" echo "digest=${digest}" | tee -a "${GITHUB_OUTPUT}" - base="cgr.dev/chainguard/static:latest" + base="cgr.dev/chainguard/static" echo "base=${base}" | tee -a "${GITHUB_OUTPUT}" base_digest="$(crane digest "${base}")" echo "base-digest=${base_digest}" | tee -a "${GITHUB_OUTPUT}" From 28ee43c3e3a9c3fd9cb217e1fcbf49b322c29842 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 16:00:32 -0400 Subject: [PATCH 07/12] maybe Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 4 ++-- Dockerfile | 13 ++++++++----- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 38f424f..658eefa 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -110,8 +110,8 @@ jobs: --build-arg "wasmtime_commit_date=${{ needs.preflight.outputs.wasmtime-commit-date }}" \ --build-arg "base=${{ needs.preflight.outputs.base }}" \ --build-arg "base_digest=${{ needs.preflight.outputs.base-digest }}" \ - --provenance false \ - --sbom false \ + --provenance=false \ + --sbom=false \ . mkdir "wasmtime-${{ inputs.tag }}-${{ matrix.arch }}" diff --git a/Dockerfile b/Dockerfile index 6a19113..2db977d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,24 +1,27 @@ ARG rust_version -FROM rust:${rust_version} AS build +FROM rust${rust_version:+:${rust_version}} AS build RUN apt-get update && apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y RUN rustup target add $(arch)-unknown-linux-musl ARG wasmtime_revision -ARG wasmtime_version -ARG wasmtime_commit_date RUN \ cargo install \ --target "$(arch)-unknown-linux-musl" \ --git https://github.com/bytecodealliance/wasmtime.git \ --rev "${wasmtime_revision}" \ wasmtime-cli -ARG base +ARG base=cgr.dev/chainguard/static ARG base_digest -FROM ${base}@${base_digest} +FROM "${base}${base_digest:+@${base_digest}}" COPY --from=build \ /usr/local/cargo/bin/wasmtime \ /usr/bin/wasmtime ENTRYPOINT ["wasmtime"] CMD ["--version"] +ARG base +ARG base_digest +ARG wasmtime_revision +ARG wasmtime_version +ARG wasmtime_commit_date LABEL org.opencontainers.image.created="${wasmtime_commit_date}" LABEL org.opencontainers.image.authors="Bytecode Alliance " LABEL org.opencontainers.image.source="https://github.com/bytecodealliance/wasmtime" From 2121d1d671c61967e07e3130c80ef374becb96cc Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 16:04:31 -0400 Subject: [PATCH 08/12] move arg directive up top Signed-off-by: Scott Andrews --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2db977d..30724b6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,6 @@ ARG rust_version +ARG base=cgr.dev/chainguard/static +ARG base_digest FROM rust${rust_version:+:${rust_version}} AS build RUN apt-get update && apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y RUN rustup target add $(arch)-unknown-linux-musl @@ -9,8 +11,6 @@ RUN \ --git https://github.com/bytecodealliance/wasmtime.git \ --rev "${wasmtime_revision}" \ wasmtime-cli -ARG base=cgr.dev/chainguard/static -ARG base_digest FROM "${base}${base_digest:+@${base_digest}}" COPY --from=build \ /usr/local/cargo/bin/wasmtime \ From c06d360a8d88c1267f27d67ba7639798b31af5c7 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 18:22:04 -0400 Subject: [PATCH 09/12] bring back crate builds for pushes Signed-off-by: Scott Andrews --- .github/workflows/manual-publish.yaml | 4 +++ .github/workflows/publish.yaml | 4 +++ .github/workflows/pull-request.yaml | 37 +++++++++++++++------------ .github/workflows/push.yaml | 37 +++++++++++++++------------ Dockerfile | 27 +++++++++++++------ 5 files changed, 69 insertions(+), 40 deletions(-) diff --git a/.github/workflows/manual-publish.yaml b/.github/workflows/manual-publish.yaml index 29112ff..8eeff3e 100644 --- a/.github/workflows/manual-publish.yaml +++ b/.github/workflows/manual-publish.yaml @@ -3,6 +3,9 @@ name: Manual publish on: workflow_dispatch: inputs: + wasmtime-crate: + description: wasmtime crate version to build + type: string wasmtime-git-ref: description: wasmtime git ref to build ('refs/tag/{tag}', 'refs/heads/{branch}') required: true @@ -58,6 +61,7 @@ jobs: uses: ./.github/workflows/publish.yaml with: rust-version: "${{ needs.preflight.outputs.rust-version }}" + wasmtime-crate: "${{ inputs.wasmtime-crate }}" wasmtime-git-sha: "${{ needs.preflight.outputs.wasmtime-git-sha }}" repository: "${{ inputs.repository }}" tag: "${{ inputs.tag }}" diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 658eefa..b1b3441 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -3,6 +3,9 @@ name: Publish on: workflow_call: inputs: + wasmtime-crate: + description: wasmtime crate version to build + type: string wasmtime-git-sha: description: wasmtime git sha to build required: true @@ -105,6 +108,7 @@ jobs: --platform "linux/${{ matrix.arch }}" \ --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ --build-arg "rust_version=${{ inputs.rust-version }}" \ + --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \ --build-arg "wasmtime_revision=${{ inputs.wasmtime-git-sha }}" \ --build-arg "wasmtime_version=${{ inputs.tag }}" \ --build-arg "wasmtime_commit_date=${{ needs.preflight.outputs.wasmtime-commit-date }}" \ diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 618bd0e..76bec93 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -51,26 +51,26 @@ jobs: echo "rust-version=$(yq -r '.toolchain.channel' rust-toolchain.toml)" | tee -a "${GITHUB_OUTPUT}" # stable - wasmtime_stable_version="v$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_version}" --template '{{.sha}}')" + wasmtime_stable_version="$(cd versions/stable ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_stable_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/v${wasmtime_stable_version}" --template '{{.sha}}')" echo "wasmtime-stable-version=${wasmtime_stable_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-git-sha=${wasmtime_stable_git_sha}" | tee -a "${GITHUB_OUTPUT}" # stable, minus 1 - wasmtime_stable_1_version="v$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_stable_1_version}" --template '{{.sha}}')" + wasmtime_stable_1_version="$(cd versions/stable-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_stable_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/v${wasmtime_stable_1_version}" --template '{{.sha}}')" echo "wasmtime-stable-1-version=${wasmtime_stable_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-stable-1-git-sha=${wasmtime_stable_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts - wasmtime_lts_version="v$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_version}" --template '{{.sha}}')" + wasmtime_lts_version="$(cd versions/lts ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_lts_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/v${wasmtime_lts_version}" --template '{{.sha}}')" echo "wasmtime-lts-version=${wasmtime_lts_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-git-sha=${wasmtime_lts_git_sha}" | tee -a "${GITHUB_OUTPUT}" # lts, minus 1 - wasmtime_lts_1_version="v$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" - wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/${wasmtime_lts_1_version}" --template '{{.sha}}')" + wasmtime_lts_1_version="$(cd versions/lts-1 ; yq -p toml -oj -r '.package[] | select(.name == "wasmtime-cli") | .version' Cargo.lock)" + wasmtime_lts_1_git_sha="$(gh api "repos/bytecodealliance/wasmtime/commits/refs/tags/v${wasmtime_lts_1_version}" --template '{{.sha}}')" echo "wasmtime-lts-1-version=${wasmtime_lts_1_version}" | tee -a "${GITHUB_OUTPUT}" echo "wasmtime-lts-1-git-sha=${wasmtime_lts_1_git_sha}" | tee -a "${GITHUB_OUTPUT}" env: @@ -86,21 +86,26 @@ jobs: fail-fast: false matrix: include: - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-stable-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-stable-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-stable-version }} force: ${{ needs.preflight.outputs.wasmtime-stable-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-1-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-stable-1-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-stable-1-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-1-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-stable-1-version }} force: ${{ needs.preflight.outputs.wasmtime-stable-1-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-lts-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-lts-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-lts-version }} force: ${{ needs.preflight.outputs.wasmtime-lts-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-1-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-lts-1-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-lts-1-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-1-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-lts-1-version }} force: ${{ needs.preflight.outputs.wasmtime-lts-1-changed == 'true' || needs.preflight.outputs.common-changed == 'true' }} uses: ./.github/workflows/publish.yaml with: rust-version: "${{ needs.preflight.outputs.rust-version }}" + wasmtime-crate: "${{ matrix.wasmtime-crate }}" wasmtime-git-sha: "${{ matrix.wasmtime-git-sha }}" tag: "${{ matrix.tag }}" publish: false diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml index 300677b..8ace7c7 100644 --- a/.github/workflows/push.yaml +++ b/.github/workflows/push.yaml @@ -81,35 +81,40 @@ jobs: fail-fast: false matrix: include: - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-stable-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-stable-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-stable-version }} additional-tags: | - ${{ needs.preflight.outputs.wasmtime-stable-version-minor }} - ${{ needs.preflight.outputs.wasmtime-stable-version-major }} + v${{ needs.preflight.outputs.wasmtime-stable-version-minor }} + v${{ needs.preflight.outputs.wasmtime-stable-version-major }} stable latest - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-1-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-stable-1-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-stable-1-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-stable-1-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-stable-1-version }} additional-tags: | - ${{ needs.preflight.outputs.wasmtime-stable-1-version-minor }} - ${{ needs.preflight.outputs.wasmtime-stable-1-version-major }} + v${{ needs.preflight.outputs.wasmtime-stable-1-version-minor }} + v${{ needs.preflight.outputs.wasmtime-stable-1-version-major }} stable-1 latest-1 - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-lts-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-lts-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-lts-version }} additional-tags: | - ${{ needs.preflight.outputs.wasmtime-lts-version-major }} - ${{ needs.preflight.outputs.wasmtime-lts-version-minor }} + v${{ needs.preflight.outputs.wasmtime-lts-version-major }} + v${{ needs.preflight.outputs.wasmtime-lts-version-minor }} lts - - wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-1-git-sha }} - tag: ${{ needs.preflight.outputs.wasmtime-lts-1-version }} + - wasmtime-crate: ${{ needs.preflight.outputs.wasmtime-lts-1-version }} + wasmtime-git-sha: ${{ needs.preflight.outputs.wasmtime-lts-1-git-sha }} + tag: v${{ needs.preflight.outputs.wasmtime-lts-1-version }} additional-tags: | - ${{ needs.preflight.outputs.wasmtime-lts-1-version-minor }} - ${{ needs.preflight.outputs.wasmtime-lts-1-version-major }} + v${{ needs.preflight.outputs.wasmtime-lts-1-version-minor }} + v${{ needs.preflight.outputs.wasmtime-lts-1-version-major }} lts-1 uses: ./.github/workflows/publish.yaml with: rust-version: "${{ needs.preflight.outputs.rust-version }}" + wasmtime-crate: "${{ matrix.wasmtime-crate }}" wasmtime-git-sha: "${{ matrix.wasmtime-git-sha }}" tag: "${{ matrix.tag }}" additional-tags: "${{ matrix.additional-tags }}" diff --git a/Dockerfile b/Dockerfile index 30724b6..766d24e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,28 @@ ARG rust_version -ARG base=cgr.dev/chainguard/static +ARG base ARG base_digest -FROM rust${rust_version:+:${rust_version}} AS build +FROM rust:${rust_version:} AS build RUN apt-get update && apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y RUN rustup target add $(arch)-unknown-linux-musl +ARG wasmtime_crate ARG wasmtime_revision RUN \ - cargo install \ - --target "$(arch)-unknown-linux-musl" \ - --git https://github.com/bytecodealliance/wasmtime.git \ - --rev "${wasmtime_revision}" \ - wasmtime-cli -FROM "${base}${base_digest:+@${base_digest}}" + if [ "${wasmtime_crate}" = "" ] ; then \ + cargo install \ + --target "$(arch)-unknown-linux-musl" \ + --git https://github.com/bytecodealliance/wasmtime.git \ + --rev "${wasmtime_revision}" \ + --locked \ + wasmtime-cli \ + ; \ + else \ + cargo install \ + --target "$(arch)-unknown-linux-musl" \ + --locked \ + wasmtime-cli@${wasmtime_crate} \ + ; \ + fi +FROM "${base}@${base_digest}" COPY --from=build \ /usr/local/cargo/bin/wasmtime \ /usr/bin/wasmtime From 8c437143ad3476da3afdc71899a9a771a498752f Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 18:25:10 -0400 Subject: [PATCH 10/12] typo Signed-off-by: Scott Andrews --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 766d24e..ba169c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ ARG rust_version ARG base ARG base_digest -FROM rust:${rust_version:} AS build +FROM rust:${rust_version} AS build RUN apt-get update && apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y RUN rustup target add $(arch)-unknown-linux-musl ARG wasmtime_crate @@ -22,10 +22,12 @@ RUN \ wasmtime-cli@${wasmtime_crate} \ ; \ fi + FROM "${base}@${base_digest}" COPY --from=build \ /usr/local/cargo/bin/wasmtime \ /usr/bin/wasmtime + ENTRYPOINT ["wasmtime"] CMD ["--version"] ARG base From ceb994551f419f32d6419238231df31bcae8fe8f Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 20:38:14 -0400 Subject: [PATCH 11/12] polishing Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 26 +++++++++++++++--------- Dockerfile | 36 +++++++++------------------------- 2 files changed, 26 insertions(+), 36 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index b1b3441..a5c287b 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -68,7 +68,7 @@ jobs: digest="$(crane digest "${{ env.image }}" || echo -n '')" echo "digest=${digest}" | tee -a "${GITHUB_OUTPUT}" - base="cgr.dev/chainguard/static" + base="cgr.dev/chainguard/static:latest" echo "base=${base}" | tee -a "${GITHUB_OUTPUT}" base_digest="$(crane digest "${base}")" echo "base-digest=${base_digest}" | tee -a "${GITHUB_OUTPUT}" @@ -107,15 +107,23 @@ jobs: --output type=oci,dest="./wasmtime-${{ inputs.tag }}-${{ matrix.arch }}.tar" \ --platform "linux/${{ matrix.arch }}" \ --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \ - --build-arg "rust_version=${{ inputs.rust-version }}" \ --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \ - --build-arg "wasmtime_revision=${{ inputs.wasmtime-git-sha }}" \ - --build-arg "wasmtime_version=${{ inputs.tag }}" \ - --build-arg "wasmtime_commit_date=${{ needs.preflight.outputs.wasmtime-commit-date }}" \ - --build-arg "base=${{ needs.preflight.outputs.base }}" \ - --build-arg "base_digest=${{ needs.preflight.outputs.base-digest }}" \ - --provenance=false \ - --sbom=false \ + --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ + --build-arg "from_base=${{ needs.preflight.outputs.base }}@${{ needs.preflight.outputs.base-digest }}" \ + --build-arg "from_build=rust:${{ inputs.rust-version }}" \ + --label org.opencontainers.image.created="${{ needs.preflight.outputs.wasmtime-commit-date }}" \ + --label org.opencontainers.image.authors="Bytecode Alliance " \ + --label org.opencontainers.image.source="https://github.com/bytecodealliance/wasmtime" \ + --label org.opencontainers.image.version="${{ inputs.tag }}" \ + --label org.opencontainers.image.revision="${{ inputs.wasmtime-git-sha }}" \ + --label org.opencontainers.image.vendor="Componentized " \ + --label org.opencontainers.image.url="https://github.com/componentized/wasmtime" \ + --label org.opencontainers.image.title="wasmtime" \ + --label org.opencontainers.image.description="A fast and secure runtime for WebAssembly. Packaged by Componentized." \ + --label org.opencontainers.image.documentation="https://docs.wasmtime.dev" \ + --label org.opencontainers.image.licenses="Apache-2.0" \ + --label org.opencontainers.image.base.digest="${{ needs.preflight.outputs.base-digest }}" \ + --label org.opencontainers.image.base.name="${{ needs.preflight.outputs.base }}" \ . mkdir "wasmtime-${{ inputs.tag }}-${{ matrix.arch }}" diff --git a/Dockerfile b/Dockerfile index ba169c7..32b4fc3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,15 @@ -ARG rust_version -ARG base -ARG base_digest -FROM rust:${rust_version} AS build -RUN apt-get update && apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y -RUN rustup target add $(arch)-unknown-linux-musl -ARG wasmtime_crate -ARG wasmtime_revision +ARG from_build from_base +FROM ${from_build} AS build +ARG wasmtime_crate wasmtime_git_rev RUN \ + apt-get update ; \ + apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y ; \ + rustup target add $(arch)-unknown-linux-musl ; \ if [ "${wasmtime_crate}" = "" ] ; then \ cargo install \ --target "$(arch)-unknown-linux-musl" \ --git https://github.com/bytecodealliance/wasmtime.git \ - --rev "${wasmtime_revision}" \ + --rev "${wasmtime_git_rev}" \ --locked \ wasmtime-cli \ ; \ @@ -22,25 +20,9 @@ RUN \ wasmtime-cli@${wasmtime_crate} \ ; \ fi - -FROM "${base}@${base_digest}" +FROM "${from_base}" COPY --from=build \ /usr/local/cargo/bin/wasmtime \ /usr/bin/wasmtime - ENTRYPOINT ["wasmtime"] -CMD ["--version"] -ARG base -ARG base_digest -ARG wasmtime_revision -ARG wasmtime_version -ARG wasmtime_commit_date -LABEL org.opencontainers.image.created="${wasmtime_commit_date}" -LABEL org.opencontainers.image.authors="Bytecode Alliance " -LABEL org.opencontainers.image.source="https://github.com/bytecodealliance/wasmtime" -LABEL org.opencontainers.image.version="${wasmtime_version}" -LABEL org.opencontainers.image.revision="${wasmtime_revision}" -LABEL org.opencontainers.image.vendor="Componentized " -LABEL org.opencontainers.image.licenses="Apache-2.0" -LABEL org.opencontainers.image.base.digest="${base_digest}" -LABEL org.opencontainers.image.base.name="${base}" +CMD ["--version"] From 7aa9022e58cefbf8c58f7d1bba45e0d6daead366 Mon Sep 17 00:00:00 2001 From: Scott Andrews Date: Sun, 24 May 2026 21:29:21 -0400 Subject: [PATCH 12/12] polishing Signed-off-by: Scott Andrews --- .github/workflows/publish.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index a5c287b..5dda1f5 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -111,19 +111,19 @@ jobs: --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \ --build-arg "from_base=${{ needs.preflight.outputs.base }}@${{ needs.preflight.outputs.base-digest }}" \ --build-arg "from_build=rust:${{ inputs.rust-version }}" \ - --label org.opencontainers.image.created="${{ needs.preflight.outputs.wasmtime-commit-date }}" \ --label org.opencontainers.image.authors="Bytecode Alliance " \ - --label org.opencontainers.image.source="https://github.com/bytecodealliance/wasmtime" \ - --label org.opencontainers.image.version="${{ inputs.tag }}" \ - --label org.opencontainers.image.revision="${{ inputs.wasmtime-git-sha }}" \ - --label org.opencontainers.image.vendor="Componentized " \ - --label org.opencontainers.image.url="https://github.com/componentized/wasmtime" \ - --label org.opencontainers.image.title="wasmtime" \ + --label org.opencontainers.image.base.digest="${{ needs.preflight.outputs.base-digest }}" \ + --label org.opencontainers.image.base.name="${{ needs.preflight.outputs.base }}" \ + --label org.opencontainers.image.created="${{ needs.preflight.outputs.wasmtime-commit-date }}" \ --label org.opencontainers.image.description="A fast and secure runtime for WebAssembly. Packaged by Componentized." \ --label org.opencontainers.image.documentation="https://docs.wasmtime.dev" \ --label org.opencontainers.image.licenses="Apache-2.0" \ - --label org.opencontainers.image.base.digest="${{ needs.preflight.outputs.base-digest }}" \ - --label org.opencontainers.image.base.name="${{ needs.preflight.outputs.base }}" \ + --label org.opencontainers.image.revision="${{ inputs.wasmtime-git-sha }}" \ + --label org.opencontainers.image.source="https://github.com/bytecodealliance/wasmtime" \ + --label org.opencontainers.image.title="wasmtime" \ + --label org.opencontainers.image.vendor="Componentized " \ + --label org.opencontainers.image.version="${{ inputs.tag }}" \ + --label org.opencontainers.image.url="${{ github.server_url }}/${{ github.repository }}" \ . mkdir "wasmtime-${{ inputs.tag }}-${{ matrix.arch }}"