This repository was archived by the owner on Jan 19, 2026. It is now read-only.

Merge pull request #1311 from kubewarden/renovate/lock-file-maintenance #485

Workflow file for this run

	name: kwctl build
	on:
	workflow_call:
	push:
	branches:
	- "main"
	- "feat-**"

	env:
	CARGO_TERM_COLOR: always

	jobs:
	build-linux-binaries:
	name: Build linux binaries
	runs-on: ubuntu-latest
	strategy:
	matrix:
	targetarch:
	- aarch64
	- x86_64
	permissions:
	id-token: write
	attestations: write
	steps:
	- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

	- name: checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- name: Install cross-rs
	run: \|
	set -e

	echo "$CROSS_CHECKSUM cross-x86_64-unknown-linux-musl.tar.gz" > checksum
	curl -L -O https://github.com/cross-rs/cross/releases/download/$CROSS_VERSION/cross-x86_64-unknown-linux-musl.tar.gz
	sha512sum -c checksum
	tar -xvf cross-x86_64-unknown-linux-musl.tar.gz
	env:
	CROSS_CHECKSUM: "70b31b207e981aa31925a7519a0ad125c5d97b84afe0e8e81b0664df5c3a7978558d83f9fcd0c36dc2176fc2a4d0caed67f8cf9fd689f9935f84449cd4922ceb"
	CROSS_VERSION: "v0.2.5"

	- name: Build kwctl
	shell: bash
	run: \|
	./cross build --release --target ${{matrix.targetarch}}-unknown-linux-musl

	- run: mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }}

	- name: Smoke test build
	if: matrix.targetarch == 'x86_64'
	run: ./kwctl-linux-x86_64 --help

	- name: Generate attestations
	uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
	id: attestations
	with:
	subject-path: kwctl-linux-${{ matrix.targetarch }}

	- name: Sign kwctl
	run: \|
	cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig

	- run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem

	- name: Upload binary
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: kwctl-linux-${{ matrix.targetarch }}
	path: kwctl-linux-${{ matrix.targetarch }}.zip

	- name: Install the syft command
	uses: kubewarden/github-actions/syft-installer@17f4dbf90d74f26892f7cc18179d08c4d63914d9 # v4.5.4

	- name: Create SBOM file
	shell: bash
	run: \|
	syft scan \
	--output spdx-json=kwctl-linux-${{ matrix.targetarch }}-sbom.spdx \
	--source-name kwctl-linux-${{ matrix.targetarch }} \
	--source-version ${{ github.sha }} \
	-vv \
	dir:. # use dir default catalogers, which includes Cargo.toml

	- name: Sign SBOM file
	run: \|
	cosign sign-blob --yes \
	--output-certificate kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert \
	--output-signature kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig \
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx

	- name: Upload kwctl SBOM files
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: kwctl-linux-${{ matrix.targetarch }}-sbom
	path: \|
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.cert
	kwctl-linux-${{ matrix.targetarch }}-sbom.spdx.sig

	- name: Upload kwctl air gap scripts
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	if: matrix.targetarch == 'x86_64' # only upload the scripts once
	with:
	name: kwctl-airgap-scripts
	path: \|
	scripts/kubewarden-load-policies.sh
	scripts/kubewarden-save-policies.sh

	build-darwin-binaries:
	name: Build darwin binary
	strategy:
	matrix:
	targetarch: ["aarch64", "x86_64"]
	runs-on: macos-latest
	permissions:
	id-token: write
	attestations: write
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

	- run: rustup target add ${{ matrix.targetarch }}-apple-darwin

	- name: Build kwctl
	run: cargo build --target=${{ matrix.targetarch }}-apple-darwin --release

	- run: mv target/${{ matrix.targetarch }}-apple-darwin/release/kwctl kwctl-darwin-${{ matrix.targetarch }}

	- name: Smoke test build
	if: matrix.targetarch == 'x86_64'
	run: ./kwctl-darwin-x86_64 --help

	- name: Generate attestations
	uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
	id: attestations
	with:
	subject-path: kwctl-darwin-${{ matrix.targetarch }}

	- name: Sign kwctl
	run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig

	- run: zip -j9 kwctl-darwin-${{ matrix.targetarch }}.zip kwctl-darwin-${{ matrix.targetarch }} kwctl-darwin-${{ matrix.targetarch }}.sig kwctl-darwin-${{ matrix.targetarch }}.pem

	- name: Upload binary
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: kwctl-darwin-${{ matrix.targetarch }}
	path: kwctl-darwin-${{ matrix.targetarch }}.zip

	- name: Install the syft command
	uses: kubewarden/github-actions/syft-installer@17f4dbf90d74f26892f7cc18179d08c4d63914d9 # v4.5.4
	with:
	arch: darwin_amd64

	- name: Create SBOM file
	shell: bash
	run: \|
	syft scan \
	--output spdx-json=kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx \
	--source-name kwctl-darwin-${{ matrix.targetarch }} \
	--source-version ${{ github.sha }} \
	-vv \
	dir:. # use dir default catalogers, which includes Cargo.toml

	- name: Sign SBOM file
	run: \|
	cosign sign-blob --yes \
	--output-certificate kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert \
	--output-signature kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig \
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx

	- name: Upload kwctl SBOM files
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: kwctl-darwin-${{ matrix.targetarch }}-sbom
	path: \|
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.cert
	kwctl-darwin-${{ matrix.targetarch }}-sbom.spdx.sig

	build-windows-x86_64:
	name: Build windows (x86_64) binary
	strategy:
	matrix:
	# workaround to have the same GH UI for all jobs
	targetarch: ["x86_64"]
	os: ["windows-latest"]
	runs-on: ${{ matrix.os }}
	permissions:
	id-token: write
	attestations: write
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

	- uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

	- name: enable git long paths on Windows
	if: matrix.os == 'windows-latest'
	run: \|
	echo 'CMAKE_POLICY_VERSION_MINIMUM="3.5"' >> $GITHUB_ENV

	# aws-lc-sys CMakefile contains a directive that has been removed from
	# cmake v4 that has just been released (march 2025). The build failure
	# can be fixed by setting an environment variable
	- name: fix aws-lc-sys building with cmake 4.0.0
	run: set CMAKE_POLICY_VERSION_MINIMUM="3.5"

	- name: Build kwctl
	run: cargo build --target=x86_64-pc-windows-msvc --release

	- run: mv target/x86_64-pc-windows-msvc/release/kwctl.exe kwctl-windows-x86_64.exe

	- name: Smoke test build
	run: .\kwctl-windows-x86_64.exe --help

	- name: Generate attestations
	uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
	id: attestations
	with:
	subject-path: kwctl-windows-${{ matrix.targetarch }}.exe

	- name: Sign kwctl
	run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig

	- run: \|
	"/c/Program Files/7-Zip/7z.exe" a kwctl-windows-x86_64.exe.zip kwctl-windows-x86_64.exe kwctl-windows-x86_64.sig kwctl-windows-x86_64.pem
	shell: bash

	- name: Upload binary
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: kwctl-windows-x86_64
	path: kwctl-windows-x86_64.exe.zip

	- name: Install the syft command
	uses: kubewarden/github-actions/syft-installer@17f4dbf90d74f26892f7cc18179d08c4d63914d9 # v4.5.4
	with:
	arch: windows_amd64

	- name: Create SBOM file
	shell: bash
	run: \|
	syft scan \
	--output spdx-json=kwctl-windows-x86_64-sbom.spdx \
	--source-name kwctl-windows-x86_64 \
	--source-version ${{ github.sha }} \
	-vv \
	dir:. # use dir default catalogers, which includes Cargo.toml

	- name: Sign SBOM file
	shell: bash
	run: \|
	cosign sign-blob --yes \
	--output-certificate kwctl-windows-x86_64-sbom.spdx.cert \
	--output-signature kwctl-windows-x86_64-sbom.spdx.sig \
	kwctl-windows-x86_64-sbom.spdx

	- name: Upload kwctl SBOM files
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: kwctl-windows-x86_64-sbom
	path: \|
	kwctl-windows-x86_64-sbom.spdx
	kwctl-windows-x86_64-sbom.spdx.cert
	kwctl-windows-x86_64-sbom.spdx.sig

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #1311 from kubewarden/renovate/lock-file-maintenance #485

Workflow file

Merge pull request #1311 from kubewarden/renovate/lock-file-maintenance #485

Uh oh!

Workflow file for this run