Skip to content

Labelbox Python SDK Publish #100

Labelbox Python SDK Publish

Labelbox Python SDK Publish #100

Workflow file for this run

name: Labelbox Python SDK Publish
on:
workflow_dispatch:
inputs:
tag:
description: 'Release Tag'
required: true
prev_sdk_tag:
description: 'Prev SDK Release Tag, used to determine which lbox files have changed'
required: true
skip-tests:
description: 'Skip PROD Test (Do not do this unless there is an emergency)'
default: false
type: boolean
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
jobs:
build-lbox:
permissions:
actions: read
contents: write
id-token: write # Needed to access the workflow's OIDC identity.
packages: write
uses: ./.github/workflows/lbox-publish.yml
with:
tag: ${{ inputs.tag }}
prev_sdk_tag: ${{ inputs.prev_sdk_tag }}
secrets: inherit
build:
needs: ['build-lbox']
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- name: Install the latest version of rye
uses: eifinger/setup-rye@v2
with:
version: ${{ vars.RYE_VERSION }}
enable-cache: true
- name: Rye Setup
run: |
rye config --set-bool behavior.use-uv=true
- name: Create build
working-directory: libs/labelbox
run: |
rye sync
rye build
- name: "Generate hashes"
id: hash
run: |
cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v4
with:
name: build
path: ./dist
provenance_python:
needs: [build]
permissions:
actions: read
contents: write
id-token: write # Needed to access the workflow's OIDC identity.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow
test-build:
if: ${{ !inputs.skip-tests }}
needs: ['build']
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- python-version: 3.9
prod-key: PROD_LABELBOX_API_KEY_3
da-test-key: DA_GCP_LABELBOX_API_KEY
- python-version: "3.10"
prod-key: PROD_LABELBOX_API_KEY_4
da-test-key: DA_GCP_LABELBOX_API_KEY
- python-version: 3.11
prod-key: LABELBOX_API_KEY
da-test-key: DA_GCP_LABELBOX_API_KEY
- python-version: 3.12
prod-key: PROD_LABELBOX_API_KEY_5
da-test-key: DA_GCP_LABELBOX_API_KEY
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- name: Install the latest version of rye
uses: eifinger/setup-rye@v2
with:
version: ${{ vars.RYE_VERSION }}
enable-cache: true
- name: Rye Setup
run: |
rye config --set-bool behavior.use-uv=true
- name: Python setup
run: rye pin ${{ matrix.python-version }}
- uses: actions/download-artifact@v4
with:
name: build
path: ./dist
- name: Prepare package and environment
run: |
rye sync -f --update-all
rye run toml unset --toml-path pyproject.toml tool.rye.workspace
rye sync -f --update-all
- name: Integration Testing
env:
PYTEST_XDIST_AUTO_NUM_WORKERS: 32
LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }}
DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }}
LABELBOX_TEST_ENVIRON: prod
run: |
rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute
cd libs/labelbox
rm pyproject.toml
rye run pytest tests/integration
- name: Data Testing
env:
PYTEST_XDIST_AUTO_NUM_WORKERS: 32
LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }}
DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }}
LABELBOX_TEST_ENVIRON: prod
run: |
rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute --features data
cd libs/labelbox
rye run pytest tests/data
publish-python-package-to-release:
runs-on: ubuntu-latest
needs: ['build']
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- uses: actions/download-artifact@v4
with:
name: build
path: ./artifact
- name: Upload dist to release
run: |
gh release upload ${{ inputs.tag }} ./artifact/*
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
pypi-publish:
runs-on: ubuntu-latest
needs: ['build', 'test-build']
if: |
always() &&
(needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag
environment:
name: publish
url: 'https://pypi.org/project/labelbox/'
permissions:
# IMPORTANT: this permission is mandatory for trusted publishing
id-token: write
steps:
- uses: actions/download-artifact@v4
with:
name: build
path: ./artifact
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: artifact/
container-publish:
runs-on: ubuntu-latest
needs: ['build', 'test-build']
permissions:
packages: write
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build_container.outputs.digest }}
if: |
always() &&
(needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag
env:
CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}"
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- name: downcase CONTAINER_IMAGE
run: |
echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
id: build_container
with:
context: .
file: ./libs/labelbox/Dockerfile
github-token: ${{ secrets.GITHUB_TOKEN }}
push: true
platforms: |
linux/amd64
linux/arm64
tags: |
${{ env.CONTAINER_IMAGE }}:latest
${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }}
- name: Output image
id: image
run: |
# NOTE: Set the image as an output because the `env` context is not
# available to the inputs of a reusable workflow call.
image_name="${CONTAINER_IMAGE}"
echo "image=$image_name" >> "$GITHUB_OUTPUT"
provenance_container:
needs: [container-publish]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs. container-publish.outputs.image }}
digest: ${{ needs. container-publish.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}