From b9b5b773d0e7eed839c2e3800a2b21653bd7ecd7 Mon Sep 17 00:00:00 2001 From: David Lord Date: Fri, 13 Jan 2023 07:02:48 -0800 Subject: [PATCH] build, provenance, publish workflow --- .github/workflows/build.yaml | 31 -------- .github/workflows/publish.yaml | 134 +++++++++++++++++++++++++++++++++ requirements/build.in | 1 + requirements/build.txt | 17 +++++ 4 files changed, 152 insertions(+), 31 deletions(-) delete mode 100644 .github/workflows/build.yaml create mode 100644 .github/workflows/publish.yaml create mode 100644 requirements/build.in create mode 100644 requirements/build.txt diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml deleted file mode 100644 index 9a63cedd..00000000 --- a/.github/workflows/build.yaml +++ /dev/null @@ -1,31 +0,0 @@ -name: Build -on: - push: - branches: - - main - - '*.x' - tags: - - '*' -jobs: - wheels: - name: ${{ matrix.os }} - runs-on: ${{ matrix.os }} - strategy: - fail-fast: false - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - steps: - - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - - name: Set up QEMU - if: runner.os == 'Linux' - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 - with: - platforms: arm64 - - uses: joerick/cibuildwheel@27fc88e6385a995e61a87ee4b903bed263e6a6e2 - env: - CIBW_SKIP: 'pp*' - CIBW_ARCHS_LINUX: auto aarch64 - CIBW_ARCHS_MACOS: auto universal2 - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce - with: - path: ./wheelhouse diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml new file mode 100644 index 00000000..1826547f --- /dev/null +++ b/.github/workflows/publish.yaml @@ -0,0 +1,134 @@ +name: Publish +on: + push: + tags: + - '*' + # When a new version of Python is released, the workflow can be run manually to + # publish new wheels for the existing tag. + workflow_dispatch: + inputs: + tag: + description: 'git tag to check out and upload to' + required: true + python: + description: 'Python version, like "cp311"' + required: true +jobs: + sdist: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + with: + ref: ${{ inputs.tag }} + - uses: actions/setup-python@5ccb29d8773c3f3f653e1705f474dfaa8a06a912 + with: + python-version: '3.x' + cache: 'pip' + cache-dependency-path: 'requirements/*.txt' + - run: pip install -r requirements/build.txt + # Use the commit date instead of the current date during the build. + - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV + - run: python -m build --sdist + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + with: + path: ./dist + # The sdist is not needed on new Python version builds. However, this job must + # present in the run for the hash job, so only the upload is skipped. + if: github.event_name == 'push' + wheels: + name: wheels / ${{ matrix.os }} + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, windows-latest, macos-latest] + steps: + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c + - run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV + - name: Set up QEMU + if: runner.os == 'Linux' + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 + with: + platforms: arm64 + - uses: joerick/cibuildwheel@27fc88e6385a995e61a87ee4b903bed263e6a6e2 + env: + # For workflow_dispatch, only build the new Python version. + CIBW_BUILD: "${{ inputs.python && format('{0}-*', inputs.python) || null }}" + CIBW_SKIP: 'pp*' + CIBW_ARCHS_LINUX: auto aarch64 + CIBW_ARCHS_MACOS: auto universal2 + CIBW_BUILD_FRONTEND: build + CIBW_ENVIRONMENT_PASS_LINUX: SOURCE_DATE_EPOCH + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + with: + path: ./wheelhouse + hash: + # Generate hashes for the sdist and wheels, used later for provenance. + needs: ['sdist', 'wheels'] + runs-on: ubuntu-latest + outputs: + hash: ${{ steps.hash.outputs.hash }} + steps: + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + - name: generate hash + id: hash + run: cd artifact && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + provenance: + needs: ['hash'] + permissions: + actions: read + id-token: write + contents: write + # Can't pin with hash due to how this workflow works. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: ${{ needs.hash.outputs.hash }} + # When building more wheels, use the Python version as the provenance file name. + provenance-name: ${{ inputs.python && format('{0}.intoto.jsonl', inputs.python) || null }} + create-release: + # Upload the sdist, wheels, and provenance to a GitHub release. They remain + # available as build artifacts for a while as well. + needs: ['provenance'] + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + # When building a new tag, create a new draft release. + - if: github.event_name == 'push' + name: create release + run: > + gh release create --draft --repo ${{ github.repository }} + ${{ inputs.tag || github.ref_name }} + *.intoto.jsonl/* artifact/* + env: + GH_TOKEN: ${{ github.token }} + # When running manually, update the existing release with more files. + - if: github.event_name == 'workflow_dispatch' + name: update release + run: > + gh release upload --repo ${{ github.repository }} + ${{ inputs.tag || github.ref_name }} + *.intoto.jsonl/* artifact/* + env: + GH_TOKEN: ${{ github.token }} + publish-pypi: + needs: ['provenance'] + # Wait for approval before attempting to upload to PyPI. This allows reviewing the + # files in the draft release. + environment: 'publish' + runs-on: ubuntu-latest + steps: + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a + # Try uploading to Test PyPI first, in case something fails. + - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc + with: + password: ${{ secrets.TEST_PYPI_TOKEN }} + repository_url: https://test.pypi.org/legacy/ + packages_dir: artifact/ + skip_existing: true + - uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc + with: + password: ${{ secrets.PYPI_TOKEN }} + packages_dir: artifact/ + skip_existing: true diff --git a/requirements/build.in b/requirements/build.in new file mode 100644 index 00000000..378eac25 --- /dev/null +++ b/requirements/build.in @@ -0,0 +1 @@ +build diff --git a/requirements/build.txt b/requirements/build.txt new file mode 100644 index 00000000..a735b3d0 --- /dev/null +++ b/requirements/build.txt @@ -0,0 +1,17 @@ +# SHA1:80754af91bfb6d1073585b046fe0a474ce868509 +# +# This file is autogenerated by pip-compile-multi +# To update, run: +# +# pip-compile-multi +# +build==0.9.0 + # via -r requirements/build.in +packaging==23.0 + # via build +pep517==0.13.0 + # via build +tomli==2.0.1 + # via + # build + # pep517