[Snyk] Security upgrade urllib3 from 2.0.7 to 2.2.2 #162
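# Copyright (c) ONNX Project Contributors
#
# SPDX-License-Identifier: Apache-2.0

# Builds manylinux2014 aarch64 wheels inside a container run under QEMU
# emulation, once per CPython ABI tag in the matrix, then tests each wheel,
# uploads it as a build artifact and, on the weekly schedule only, publishes
# it to PyPI.

name: LinuxRelease_aarch64

on:
  schedule:
    # Run weekly on Monday 00:00
    - cron: '00 00 * * MON'
  push:
    branches: [main, rel-*]
  pull_request:
    branches: [main, rel-*]
  workflow_dispatch:

permissions:  # set top-level default permissions as security best practice
  contents: read

# One run per workflow/ref; a newer run cancels the one still in progress.
# The third component keeps manually dispatched runs in their own group.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' }}
  cancel-in-progress: true

jobs:
  build:
    # Pull requests only run this job when they target a rel-* branch or carry
    # the 'run release CIs' label; every other trigger always runs it.
    if: github.event_name != 'pull_request' || startsWith( github.base_ref, 'rel-') || contains( github.event.pull_request.labels.*.name, 'run release CIs')
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [cp38-cp38, cp39-cp39, cp310-cp310, cp311-cp311, cp312-cp312]
    env:
      # setting up python and docker image
      py: /opt/python/${{ matrix.python-version }}/bin/python
      # NOTE(review): the actions below are pinned to commit SHAs, but this
      # image is referenced by a mutable name with no digest, so the build
      # environment can change between runs. Consider pinning it by digest.
      img: quay.io/pypa/manylinux2014_aarch64

    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

      # Reuses the auth header found in the local git config (presumably
      # written by the checkout step above) to fetch submodules shallowly.
      - name: Checkout submodules
        shell: bash
        run: |
          auth_header="$(git config --local --get http.https://github.com/.extraheader)"
          git submodule sync --recursive
          git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1

      # setting up qemu for enabling aarch64 binary execution on x86 machine
      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3  # v3.0.0

      # Creating a virtual environment on machine with the help of docker
      # container and installing the dependencies inside that so that we can
      # use installed dependencies. The workspace is bind-mounted read-write at
      # /ws, so the .env directory persists for the containers started later.
      - name: Install dependencies
        run: |
          docker run --rm -v ${{ github.workspace }}:/ws:rw --workdir=/ws \
            ${{ env.img }} \
            bash -exc '${{ env.py }} -m pip install -q virtualenv && ${{ env.py }} -m venv .env && \
            source .env/bin/activate && \
            ${{ env.py }} -m pip install -q --only-binary google-re2 -r requirements-release.txt && \
            yum install -y protobuf-compiler protobuf-devel
            deactivate'

      # using created virtual environment in new container and executing the script
      - name: Build manylinux2014_aarch64
        run: |
          docker run --rm -v ${{ github.workspace }}:/ws:rw --workdir=/ws \
            ${{ env.img }} \
            bash -exc '\
            source .env/bin/activate && \
            yum install -y sudo && \
            sudo chmod +x .github/workflows/manylinux/entrypoint.sh && \
            sudo .github/workflows/manylinux/entrypoint.sh ${{ env.py }} manylinux2014_aarch64 ${{ github.event_name }}
            deactivate'

      # using created virtual environment in new container and testing the wheel
      - name: Test wheel with Python ${{ matrix.python-version }}
        run: |
          docker run --rm -v ${{ github.workspace }}:/ws:rw --workdir=/ws \
            ${{ env.img }} \
            bash -exc '\
            source .env/bin/activate && \
            python -m pip install -q --upgrade pip && \
            python -m pip install -q --only-binary google-re2 -r requirements-release.txt && \
            pip install dist/*manylinux2014_aarch64.whl && \
            pytest && \
            deactivate'

      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32  # v3.1.3
        with:
          name: wheels
          path: dist

      # The PyPI credentials are handed to twine through the TWINE_USERNAME and
      # TWINE_PASSWORD environment variables instead of being expanded into the
      # script text as -u/-p arguments, which keeps them out of the process
      # command line and out of the generated shell script.
      - name: Upload wheel to PyPI weekly
        if: (github.event_name == 'schedule')  # Only triggered by weekly event
        env:
          TWINE_USERNAME: ${{ secrets.ONNXWEEKLY_USERNAME }}
          TWINE_PASSWORD: ${{ secrets.ONNXWEEKLY_TOKEN }}
        run: |
          python -m pip install -q twine
          twine upload --verbose dist/*.whl --repository-url https://upload.pypi.org/legacy/

      # always() makes this step run even when an earlier step has failed.
      - name: Verify ONNX with the latest numpy and protobuf
        if: ${{ always() }}
        run: |
          docker run --rm -v ${{ github.workspace }}:/ws:rw --workdir=/ws \
            ${{ env.img }} \
            bash -exc '\
            source .env/bin/activate && \
            python -m pip uninstall -y numpy onnx protobuf && python -m pip install numpy protobuf && \
            python -m pip install dist/*manylinux2014_aarch64.whl && \
            pytest && \
            deactivate'

      # always() makes this step run even when an earlier step has failed.
      - name: Verify ONNX with the minimumly supported packages
        if: ${{ always() }}
        run: |
          docker run --rm -v ${{ github.workspace }}:/ws:rw --workdir=/ws \
            ${{ env.img }} \
            bash -exc '\
            source .env/bin/activate && \
            python -m pip uninstall -y onnx && python -m pip install -r requirements-min.txt && \
            python -m pip install dist/*manylinux2014_aarch64.whl && \
            pytest && \
            deactivate'

      # Each export is chained with && so that pytest runs as a command of its
      # own. With bare line continuations the three exports and pytest collapse
      # into a single `export ... pytest` command, the tests never execute and
      # the step still reports success.
      - name: Verify ONNX with ONNX Runtime PyPI package
        if: matrix.python-version != 'cp312-cp312'
        run: |
          docker run --rm -v ${{ github.workspace }}:/ws:rw --workdir=/ws \
            ${{ env.img }} \
            bash -exc '\
            source .env/bin/activate && \
            python -m pip uninstall -y protobuf numpy && python -m pip install -q -r requirements-release.txt && \
            python -m pip install -q onnxruntime==1.16.3 && \
            export ORT_MAX_IR_SUPPORTED_VERSION=9 && \
            export ORT_MAX_ML_OPSET_SUPPORTED_VERSION=3 && \
            export ORT_MAX_ONNX_OPSET_SUPPORTED_VERSION=20 && \
            pytest && \
            deactivate'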