create_release.yml
# Copyright (c) ONNX Project Contributors
#
# SPDX-License-Identifier: Apache-2.0
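name: Caller Workflow

on:
  schedule:
    # Run weekly on Monday 00:00 (GitHub evaluates cron schedules in UTC).
    - cron: '00 00 * * MON'
  push:
    # NOTE(review): only `branches` is filtered here, so tag pushes never
    # start this workflow. The steps further down that test for `refs/tags/`
    # cannot fire until a `tags:` filter is added to this trigger.
    # NOTE(review): the last entry is a development branch. Drop it once the
    # reusable workflows are merged, so that pushes to it stop starting a
    # pipeline whose jobs request `id-token: write` and `contents: write`.
    branches:
      - main
      - 'rel-*'
      - '20240710_start_reuseableworkflow'
  pull_request:
    branches:
      - main
      - 'rel-*'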
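jobs:
  # The build jobs delegate to reusable workflows, one per platform.
  # NOTE(review): every `uses:` on these jobs points at a branch of a personal
  # fork. A branch is a mutable ref: whatever it holds at run time executes in
  # this pipeline and produces the wheels that are later signed and published.
  # Reference the workflows locally (`./.github/workflows/<file>.yml`) or pin
  # them to a full commit SHA before using this pipeline for real releases.
  # NOTE(review): this file sets no top-level `permissions:`, so these jobs
  # run with the repository's default token permissions. Consider a read-only
  # default once the needs of the called workflows are known.
  call-workflow-ubuntu_x86:
    # Single-entry matrix; `matrix.os` is not referenced anywhere in this file.
    strategy:
      matrix:
        os: ['ubuntu-latest']
    uses: andife/onnx/.github/workflows/release_linux_x86_64.yml@20240710_start_reuseableworkflow
    with:
      os: "linux_x86_64"
      # Hard-coded date string handed to the called workflow.
      currdate: "20240708"

  call-workflow-ubuntu_aarch64:
    strategy:
      matrix:
        os: ['ubuntu-latest']
    uses: andife/onnx/.github/workflows/release_linux_aarch64.yml@20240710_start_reuseableworkflow
    with:
      os: "linux_aarch64"
      currdate: "20240708"

  # call-workflow-win:
  #   strategy:
  #     matrix:
  #       os: ['windows-latest']
  #   uses: andife/onnx/.github/workflows/release_win.yml@20240710_start_reuseableworkflow
  #   with:
  #     node: "14"
  #     os: "win"

  call-workflow-mac:
    # `mac-latest` is only a matrix value here, not a runner label; the
    # GitHub-hosted label is `macos-latest`. Harmless while `matrix.os` is
    # unused.
    strategy:
      matrix:
        os: ['mac-latest']
    uses: andife/onnx/.github/workflows/release_mac.yml@20240710_start_reuseableworkflow
    with:
      os: "mac"
      currdate: "20240708"

  # TODO: each for every OS?
  # provenance:
  #   name: Generate SLSA provenance data
  #   needs: [build]
  #   permissions:
  #     actions: read  # Needed for detection of GitHub Actions environment.
  #     id-token: write  # Needed for provenance signing and ID
  #     contents: write  # Needed for release uploads, https://github.com/slsa-framework/slsa-github-generator/issues/2044 :(
  #   # The workflow file name and version were lost when this page was
  #   # extracted ("[email protected]"). <VERSION_TAG> is a placeholder.
  #   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@<VERSION_TAG>
  #   with:
  #     base64-subjects: '${{ needs.build.outputs.hash }}'
  #     # Upload provenance to a new release
  #     upload-assets: true

  publish-weekly:
    name: Publish Weekly to PyPI
    runs-on: ubuntu-latest
    needs: [call-workflow-ubuntu_x86, call-workflow-ubuntu_aarch64, call-workflow-mac]
    # Runs when at least one platform build succeeded. The grouping is explicit
    # because `&&` binds tighter than `||`. The schedule test is at job level
    # so that push and pull-request runs never enter the `pypi` environment or
    # request an OIDC token.
    # NOTE(review): "any build succeeded" means a partial set of wheels can be
    # published. Confirm that is intended for the weekly upload.
    if: >-
      always()
      && github.event_name == 'schedule'
      && (needs.call-workflow-ubuntu_x86.result == 'success'
      || needs.call-workflow-ubuntu_aarch64.result == 'success'
      || needs.call-workflow-mac.result == 'success')
    environment:
      # TODO: Does not yet exist, has to be created, see here: https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/
      name: pypi
      url: https://pypi.org/p/onnx
    permissions:
      # Mandatory for trusted publishing (OIDC, no API token or password).
      # `contents: write` is not requested: no step in this job writes to the
      # repository or to a GitHub Release.
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: 'wheels*'  # TODO change back to python-wheels?
          path: dist
          merge-multiple: true
      - name: Publish distribution to PyPI
        # NOTE(review): `release/v1` is a branch and `@v4` above is a tag, so
        # both can move. This step runs with `id-token: write`, so pin it to a
        # full commit SHA, as the upload-artifact step in prepare-release is.
        uses: pypa/gh-action-pypi-publish@release/v1
        if: github.event_name == 'schedule'

  prepare-release:
    name: Release-Prep (p.ex. sigstore, pypi)
    runs-on: ubuntu-latest
    needs: [call-workflow-ubuntu_x86, call-workflow-ubuntu_aarch64, call-workflow-mac]
    # Requires every platform build to have succeeded.
    # NOTE(review): this job runs for every trigger, pull requests included,
    # so wheels built from unreviewed changes are signed under this workflow's
    # identity. Consider limiting it to the events that actually release.
    if: always() && (needs.call-workflow-ubuntu_x86.result == 'success') && (needs.call-workflow-ubuntu_aarch64.result == 'success') && (needs.call-workflow-mac.result == 'success')
    permissions:
      # Mandatory for sigstore (keyless signing uses the job's OIDC token).
      # `contents: write` is not requested: the signatures are stored as a
      # workflow artifact, not attached to a release, in this job.
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: 'wheels*'  # TODO change back to python-wheels?
          path: dist
          merge-multiple: true
      - name: Sign the dists with Sigstore
        # The action reference was garbled when this page was extracted
        # ("sigstore/[email protected]"). <PINNED_REF> is a placeholder: restore
        # the intended release, preferably as a full commit SHA.
        uses: sigstore/gh-action-sigstore-python@<PINNED_REF>
        with:
          # Paths are relative to the workspace, where download-artifact put
          # `dist/`. Source distributions (dist/*.tar.gz) are not signed yet.
          inputs: >-
            dist/*.whl
      - name: Rename files
        # to match new file extension https://github.com/sigstore/sigstore-python/blob/main/CHANGELOG.md#changed
        # Plain shell instead of installing `mmv` with apt: no extra package
        # is pulled into a job that holds an OIDC token, and the step fails
        # when no `.sigstore` file exists.
        run: |
          for bundle in dist/*.sigstore; do
            mv -- "$bundle" "$bundle.json"
          done
      - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
        with:
          name: sigstore-files
          path: |
            dist/*.sigstore.json
      # TODO
      # at this point, we have the wheels and could check if they are usable by offline testing...continue-on-error:
      # For more information about environments and required approvals, see "Using environments for deployment."
      # We can use a separate requirement for deploy

  release:
    name: Release (Publish to pypi and add files to github release)
    runs-on: ubuntu-latest
    needs: [prepare-release]
    if: always() && (needs.prepare-release.result == 'success')
    # NOTE(review): unlike publish-weekly, this job declares no
    # `environment:`. If the PyPI trusted publisher is bound to the `pypi`
    # environment, add it here; it also allows required reviewers.
    permissions:
      contents: write  # IMPORTANT: mandatory for uploading to GitHub Releases
      id-token: write  # IMPORTANT: mandatory for PyPI trusted publishing
    steps:
      # Each job starts on a fresh runner, so the wheels and the signatures
      # created in prepare-release have to be downloaded again. Signatures go
      # to their own directory so that `dist/` holds only distributions for
      # the PyPI upload.
      - name: Download wheels
        uses: actions/download-artifact@v4
        with:
          pattern: 'wheels*'
          path: dist
          merge-multiple: true
      - name: Download Sigstore bundles
        uses: actions/download-artifact@v4
        with:
          name: sigstore-files
          path: signatures
      - name: Upload artifact signatures to GitHub Release
        if: startsWith(github.ref, 'refs/tags/')  # only on tag pushes # TODO check exact variants
        env:
          GITHUB_TOKEN: ${{ github.token }}
          # Ref and repository names are passed through the environment, not
          # interpolated into the script, so the shell never parses them.
          RELEASE_TAG: ${{ github.ref_name }}
          RELEASE_REPO: ${{ github.repository }}
        # Upload to GitHub Release using the `gh` CLI. The bundles carry the
        # `.sigstore.json` suffix given to them in prepare-release.
        # `gh release upload` expects the release for the tag to exist.
        run: >-
          gh release upload "$RELEASE_TAG" signatures/*.sigstore.json
          --repo "$RELEASE_REPO"
      # https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments
      - name: Publish distribution to PyPI
        # NOTE(review): `release/v1` is a branch, so pin this to a full commit
        # SHA. This step runs with `id-token: write` and publishes the release.
        uses: pypa/gh-action-pypi-publish@release/v1
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')  # only publish to PyPI on tag pushes # TODO check exact variants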