update #49
# Copyright (c) ONNX Project Contributors | |
# | |
# SPDX-License-Identifier: Apache-2.0 | |
name: Caller Workflow | |
on: | |
schedule: | |
# Run weekly on Monday 00:00 | |
- cron: '00 00 * * MON' | |
push: | |
branches: [main, rel-*,20240710_start_reuseableworkflow] | |
pull_request: | |
branches: [main, rel-*] | |
jobs: | |
# Add job which save the current date to a variable | |
call-workflow-ubuntu_x86: | |
strategy: | |
matrix: | |
os: ['ubuntu-latest'] | |
uses: andife/onnx/.github/workflows/release_linux_x86_64.yml@20240710_start_reuseableworkflow | |
with: | |
os: "linux_x86_64" | |
currdate: "20240708" | |
call-workflow-ubuntu_aarch64: | |
strategy: | |
matrix: | |
os: ['ubuntu-latest'] | |
uses: andife/onnx/.github/workflows/release_linux_aarch64.yml@20240710_start_reuseableworkflow | |
with: | |
os: "linux_aarch64" | |
currdate: "20240708" | |
# call-workflow-win: | |
# strategy: | |
# matrix: | |
# os: ['windows-latest'] | |
# uses: andife/onnx/.github/workflows/release_win.yml@20240710_start_reuseableworkflow | |
# with: | |
# node: "14" | |
# os: "win" | |
call-workflow-mac: | |
strategy: | |
matrix: | |
os: ['mac-latest'] | |
uses: andife/onnx/.github/workflows/release_mac.yml@20240710_start_reuseableworkflow | |
with: | |
os: "mac" | |
currdate: "20240708" | |
# TODO: each for every OS? | |
# provenance: | |
# name: Generate SLSA provenance data | |
# needs: [build] | |
# permissions: | |
# actions: read # Needed for detection of GitHub Actions environment. | |
# id-token: write # Needed for provenance signing and ID | |
# contents: write # Needed for release uploads, https://github.com/slsa-framework/slsa-github-generator/issues/2044 :( | |
# uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
# with: | |
# base64-subjects: '${{ needs.build.outputs.hash }}' | |
# # Upload provenance to a new release | |
# upload-assets: true | |
publish-weekly: | |
name: Publish Weekly to PyPI | |
runs-on: ubuntu-latest | |
needs: [call-workflow-ubuntu_x86, call-workflow-ubuntu_aarch64, call-workflow-mac] | |
if: always() && (needs.call-workflow-ubuntu_x86.result == 'success') || (needs.call-workflow-ubuntu_aarch64.result == 'success') || ((needs.call-workflow-mac.result == 'success')) | |
environment: | |
name: testpypi # TODO: Does not yet exist, has to be created, see here: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ | |
url: https://test.pypi.org/p/af-test-onnx-sigstore | |
#url: https://pypi.org/p/onnx | |
#environment: | |
# name: pypi # TODO: Does not yet exist, has to be created, see here: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ | |
# url: https://pypi.org/p/onnx | |
permissions: | |
contents: write # IMPORTANT: mandatory for making GitHub Releases # TODO: check what is needed here? | |
id-token: write # IMPORTANT: mandatory for trusted publishing (which means without api-token or password) | |
steps: | |
- uses: actions/download-artifact@v4 | |
with: | |
pattern: wheels* # TODO change back to python-wheels? | |
path: dist | |
merge-multiple: true | |
- name: Publish distribution to PyPI | |
uses: pypa/gh-action-pypi-publish@release/v1 | |
if: github.event_name == 'schedule' | |
prepare-release: | |
name: Release-Prep (p.ex. sigstore, pypi) | |
runs-on: ubuntu-latest | |
needs: [call-workflow-ubuntu_x86, call-workflow-ubuntu_aarch64, call-workflow-mac] | |
if: always() && (needs.call-workflow-ubuntu_x86.result == 'success') && (needs.call-workflow-ubuntu_aarch64.result == 'success') && ((needs.call-workflow-mac.result == 'success')) | |
permissions: | |
contents: write # IMPORTANT: mandatory for making GitHub Releases | |
id-token: write # IMPORTANT: mandatory for sigstore | |
steps: | |
- uses: actions/download-artifact@v4 | |
with: | |
pattern: wheels* # TODO change back to python-wheels? | |
path: dist | |
merge-multiple: true | |
- name: Sign the dists with Sigstore #/home/runner/work/onnx/onnx/dist/*.tar.gz | |
uses: sigstore/[email protected] | |
with: | |
inputs: >- | |
/home/runner/work/onnx/onnx/dist/*.whl | |
- name: Rename files # to match new file extension https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md#changed | |
run: | | |
sudo apt install mmv | |
mmv "/home/runner/work/onnx/onnx/dist/*.sigstore" /home/runner/work/onnx/onnx/dist/#1.sigstore.json | |
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b | |
with: | |
name: sigstore-files | |
path: | | |
/home/runner/work/onnx/onnx/dist/*.sigstore.json | |
# TODO | |
# at this point, we have the wheels and could check if they are usable by offline testing...continue-on-error: | |
# For more information about environments and required approvals, see "Using environments for deployment." F | |
# We can use a separate requirement for deploay | |
release: | |
name: Release (Publish to pypi and add files to github release) | |
runs-on: ubuntu-latest | |
needs: [prepare-release] | |
if: always() && (needs.prepare-release.result == 'success') | |
permissions: | |
contents: write # IMPORTANT: mandatory for making GitHub Releases | |
id-token: write # IMPORTANT: mandatory for sigstore | |
steps: | |
- name: Upload artifact signatures to GitHub Release | |
if: startsWith(github.ref, 'refs/tags/') # only publish to PyPI on tag pushes # TODO check exact variants | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
# Upload to GitHub Release using the `gh` CLI. | |
# `dist/` contains the built packages, and the | |
# sigstore-produced signatures and certificates. | |
run: >- | |
gh release upload | |
'${{ github.ref_name }}' /home/runner/work/onnx/onnx/dist/**.sigstore | |
--repo '${{ github.repository }}' | |
# https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments | |
- name: Publish distribution to PyPI | |
uses: pypa/gh-action-pypi-publish@release/v1 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') # TODO check exact variants | |
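Review bot: The three build jobs call reusable workflows from the `andife/onnx` fork at the branch ref `@20240710_start_reuseableworkflow`, and both publish steps use `pypa/gh-action-pypi-publish@release/v1`; these refs are mutable, so the code that builds the wheels and the action that runs with `id-token: write` can change without any change to this file. If the called workflows live in this repository, reference them as `uses: ./.github/workflows/release_linux_x86_64.yml`; otherwise pin them and the publish action to a full commit SHA, as the `actions/upload-artifact` step already does. In `publish-weekly` the `if:` mixes `&&` and `||` without grouping, so `always()` binds only to the first comparison and one successful platform is enough to publish, while `prepare-release` requires all three; writing it as `always() && (A || B || C)` or switching to `&&` would make the intent explicit. That job also names the `testpypi` environment but sets no `repository-url` on the publish step, so the upload goes to the action's default index; `repository-url: https://test.pypi.org/legacy/` under `with:` would match the environment URL.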