chore: refactor crates layout (#3)

Author: andreiltd

.github/workflows/ci.yml

@@ -14,7 +14,7 @@ env:
 
 jobs:
   check:
-    name: Check (fmt, clippy, build)
+    name: Check (fmt, clippy)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -34,13 +34,14 @@ jobs:
       - name: Clippy
         run: cargo clippy --all-targets --all-features -- -D warnings
 
-      - name: Build
-        run: cargo build
-
-  test:
-    name: Integration tests
-    runs-on: ubuntu-latest
+  build-test:
+    name: Build and test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
     needs: check
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
       - uses: actions/checkout@v4
 
@@ -52,6 +53,18 @@ jobs:
       - name: Cache cargo
         uses: Swatinem/rust-cache@v2.8.2
 
+      - name: Setup sccache
+        uses: mozilla-actions/sccache-action@v0.0.10
+
+      - name: Configure sccache
+        shell: bash
+        run: |
+          echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
+          echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+
+      - name: Build
+        run: cargo build
+
       - name: Run tests
         run: cargo test
 
@@ -75,6 +88,15 @@ jobs:
       - name: Cache cargo
         uses: Swatinem/rust-cache@v2.8.2
 
+      - name: Setup sccache
+        uses: mozilla-actions/sccache-action@v0.0.10
+
+      - name: Configure sccache
+        shell: bash
+        run: |
+          echo "SCCACHE_GHA_ENABLED=true" >> "$GITHUB_ENV"
+          echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+
       - name: Install npm dependencies
         working-directory: npm
         run: npm install

.github/workflows/cli-release.yml

@@ -0,0 +1,134 @@
+name: Publish CLI release assets
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
+concurrency:
+  group: cli-release-${{ github.event.release.tag_name || github.ref_name }}
+  cancel-in-progress: false
+
+env:
+  CARGO_TERM_COLOR: always
+  RELEASE_TAG: ${{ github.event.release.tag_name || github.ref_name }}
+
+jobs:
+  build:
+    name: Build CLI - ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-gnu
+            os: ubuntu-latest
+            archive: tar.gz
+          - target: aarch64-unknown-linux-gnu
+            os: ubuntu-latest
+            archive: tar.gz
+            cross: true
+          - target: x86_64-unknown-linux-musl
+            os: ubuntu-latest
+            archive: tar.gz
+            musl: true
+          - target: aarch64-unknown-linux-musl
+            os: ubuntu-latest
+            archive: tar.gz
+            cross: true
+            musl: true
+          - target: x86_64-apple-darwin
+            os: macos-13
+            archive: tar.gz
+          - target: aarch64-apple-darwin
+            os: macos-14
+            archive: tar.gz
+          - target: x86_64-pc-windows-msvc
+            os: windows-latest
+            archive: zip
+          - target: aarch64-pc-windows-msvc
+            os: windows-latest
+            archive: zip
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name || github.ref }}
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-wasip2,${{ matrix.target }}
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@v1.10.15
+
+      - name: Install auditable build tool
+        run: cargo binstall cargo-auditable --force
+
+      - name: Install cross-compilation tools
+        if: matrix.cross
+        uses: taiki-e/setup-cross-toolchain-action@v1
+        with:
+          target: ${{ matrix.target }}
+
+      - name: Install musl tools
+        if: matrix.musl
+        run: sudo apt-get install -y musl-tools
+
+      - name: Build CLI
+        run: cargo build --release --bin componentize-qjs --target ${{ matrix.target }}
+        env:
+          COMPONENTIZE_QJS_RUNTIME_AUDITABLE: 1
+
+      - name: Package CLI
+        shell: bash
+        run: |
+          set -euo pipefail
+          checksum() {
+            if command -v sha256sum >/dev/null 2>&1; then
+              sha256sum "$1"
+            else
+              shasum -a 256 "$1"
+            fi
+          }
+
+          version="${RELEASE_TAG#v}"
+          pkg="componentize-qjs-v${version}-${{ matrix.target }}"
+          mkdir -p "dist/${pkg}"
+          if [[ "${{ matrix.target }}" == *windows* ]]; then
+            cp "target/${{ matrix.target }}/release/componentize-qjs.exe" "dist/${pkg}/"
+          else
+            cp "target/${{ matrix.target }}/release/componentize-qjs" "dist/${pkg}/"
+          fi
+          cp README.md "dist/${pkg}/"
+          if [[ "${{ matrix.archive }}" == "zip" ]]; then
+            (cd dist && 7z a "${pkg}.zip" "${pkg}")
+            checksum "dist/${pkg}.zip" > "dist/${pkg}.zip.sha256"
+          else
+            tar -czf "dist/${pkg}.tar.gz" -C dist "${pkg}"
+            checksum "dist/${pkg}.tar.gz" > "dist/${pkg}.tar.gz.sha256"
+          fi
+          rm -rf "dist/${pkg}"
+
+      - name: Attest CLI archives
+        if: github.event_name == 'release'
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: dist/*
+
+      - name: Upload CLI archives to release
+        if: github.event_name == 'release'
+        shell: bash
+        run: gh release upload "${RELEASE_TAG}" dist/* --clobber
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/release-plz.yml

@@ -0,0 +1,63 @@
+name: Release-plz
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  pull-requests: write
+  contents: write
+
+concurrency:
+  group: release-plz-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  release-plz:
+    name: Release-plz
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-wasip2
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@v1.10.15
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install SBOM tools
+        run: |
+          cargo binstall cargo-auditable --force
+          cargo binstall auditable2cdx --force
+
+      - name: Build runtime for packaging
+        shell: bash
+        run: |
+          rm -rf crates/core/prebuilt target/release-plz-package
+          COMPONENTIZE_QJS_RUNTIME_AUDITABLE=1 cargo build --release -p componentize-qjs --target-dir target/release-plz-package
+          mkdir -p crates/core/prebuilt
+          mapfile -t runtimes < <(find target/release-plz-package -path '*/out/runtime.wasm' -type f | sort)
+          test "${#runtimes[@]}" -eq 1 || { printf 'ERROR: expected exactly one runtime.wasm, found %s\n' "${#runtimes[@]}"; printf '%s\n' "${runtimes[@]}"; exit 1; }
+          cp "${runtimes[0]}" crates/core/prebuilt/runtime.wasm
+          test -f crates/core/prebuilt/runtime.wasm || { echo "ERROR: runtime.wasm not found"; exit 1; }
+          sha256sum crates/core/prebuilt/runtime.wasm > crates/core/prebuilt/runtime.wasm.sha256
+          auditable2cdx crates/core/prebuilt/runtime.wasm > crates/core/prebuilt/runtime.wasm.cdx.json
+          test -s crates/core/prebuilt/runtime.wasm.cdx.json || { echo "ERROR: runtime SBOM is empty"; exit 1; }
+          echo "Pre-built runtime.wasm ready ($(wc -c < crates/core/prebuilt/runtime.wasm) bytes)"
+
+      - name: Run release-plz
+        uses: release-plz/action@v0.5
+        with:
+          command: release
+          backend: github
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

.github/workflows/runtime-publish.yml

@@ -0,0 +1,134 @@
+name: Publish runtime Wasm
+
+on:
+  push:
+    tags:
+      - v*
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+  IMAGE_NAME: ${{ github.repository }}
+  COMPONENT_NAME: componentize-qjs-runtime
+  COMPONENT_DESCRIPTION: QuickJS runtime for componentize-qjs
+  COMPONENT_SOURCE: https://github.com/${{ github.repository }}
+  COMPONENT_HOMEPAGE: https://github.com/${{ github.repository }}
+  COMPONENT_LICENSES: Apache-2.0
+  WASM_FILE: dist/componentize_qjs_runtime.wasm
+  SBOM_FILE: dist/componentize_qjs_runtime.wasm.cdx.json
+
+jobs:
+  publish:
+    name: Publish runtime Wasm
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-wasip2
+
+      - name: Install cargo-binstall
+        uses: cargo-bins/cargo-binstall@v1.10.15
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'workflow_dispatch'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install cosign
+        if: github.event_name != 'workflow_dispatch'
+        uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Install publish tools
+        run: |
+          cargo binstall wkg --force
+          cargo binstall cargo-auditable --force
+          cargo binstall auditable2cdx --force
+
+      - name: Build auditable runtime
+        shell: bash
+        run: |
+          rm -rf crates/core/prebuilt dist target/runtime-publish
+          COMPONENTIZE_QJS_RUNTIME_AUDITABLE=1 cargo build --release -p componentize-qjs --target-dir target/runtime-publish
+          mkdir -p dist
+          mapfile -t runtimes < <(find target/runtime-publish -path '*/out/runtime.wasm' -type f | sort)
+          test "${#runtimes[@]}" -eq 1 || { printf 'ERROR: expected exactly one runtime.wasm, found %s\n' "${#runtimes[@]}"; printf '%s\n' "${runtimes[@]}"; exit 1; }
+          cp "${runtimes[0]}" "${WASM_FILE}"
+          sha256sum "${WASM_FILE}" > "${WASM_FILE}.sha256"
+          auditable2cdx "${WASM_FILE}" > "${SBOM_FILE}"
+          test -s "${SBOM_FILE}" || { echo "ERROR: runtime SBOM is empty"; exit 1; }
+          echo "Runtime ready at ${WASM_FILE} ($(wc -c < "${WASM_FILE}") bytes)"
+
+      - name: Upload runtime artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: componentize-qjs-runtime
+          path: |
+            ${{ env.WASM_FILE }}
+            ${{ env.WASM_FILE }}.sha256
+            ${{ env.SBOM_FILE }}
+          if-no-files-found: error
+
+      - name: Publish `:<version>` to GitHub Container Registry
+        if: github.event_name != 'workflow_dispatch'
+        id: publish_versioned
+        uses: bytecodealliance/wkg-github-action@v5
+        with:
+          file: ${{ env.WASM_FILE }}
+          oci-reference-without-tag: ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}
+          version: ${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
+          description: ${{ env.COMPONENT_DESCRIPTION }}
+          source: ${{ env.COMPONENT_SOURCE }}
+          homepage: ${{ env.COMPONENT_HOMEPAGE }}
+          licenses: ${{ env.COMPONENT_LICENSES }}
+
+      - name: Sign the versioned runtime
+        if: github.event_name != 'workflow_dispatch'
+        run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_versioned.outputs.digest }}
+
+      - name: Attest the versioned runtime SBOM
+        if: github.event_name != 'workflow_dispatch'
+        run: cosign attest --yes --type cyclonedx --predicate "${SBOM_FILE}" ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_versioned.outputs.digest }}
+
+      - name: Publish `:latest` to GitHub Container Registry
+        if: github.event_name != 'workflow_dispatch'
+        id: publish_latest
+        uses: bytecodealliance/wkg-github-action@v5
+        with:
+          file: ${{ env.WASM_FILE }}
+          oci-reference-without-tag: ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}
+          version: latest
+          description: ${{ env.COMPONENT_DESCRIPTION }}
+          source: ${{ env.COMPONENT_SOURCE }}
+          homepage: ${{ env.COMPONENT_HOMEPAGE }}
+          licenses: ${{ env.COMPONENT_LICENSES }}
+
+      - name: Sign the latest runtime
+        if: github.event_name != 'workflow_dispatch'
+        run: cosign sign --yes ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_latest.outputs.digest }}
+
+      - name: Attest the latest runtime SBOM
+        if: github.event_name != 'workflow_dispatch'
+        run: cosign attest --yes --type cyclonedx --predicate "${SBOM_FILE}" ghcr.io/${{ env.IMAGE_NAME }}/${{ env.COMPONENT_NAME }}@${{ steps.publish_latest.outputs.digest }}