Labelbox Python SDK Publish #112
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Labelbox Python SDK Publish | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: 'Release Tag' | |
| required: true | |
| prev_sdk_tag: | |
| description: 'Prev SDK Release Tag, used to determine which lbox files have changed' | |
| required: true | |
| skip-tests: | |
| description: 'Skip PROD Test (Do not do this unless there is an emergency)' | |
| default: false | |
| type: boolean | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: false | |
| # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages | |
| permissions: | |
| contents: read | |
| pages: write | |
| id-token: write | |
| jobs: | |
| build-lbox: | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write # Needed to access the workflow's OIDC identity. | |
| packages: write | |
| uses: ./.github/workflows/lbox-publish.yml | |
| with: | |
| tag: ${{ inputs.tag }} | |
| prev_sdk_tag: ${{ inputs.prev_sdk_tag }} | |
| secrets: inherit | |
| build: | |
| needs: ['build-lbox'] | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| - name: Install the latest version of rye | |
| uses: eifinger/setup-rye@v2 | |
| with: | |
| version: ${{ vars.RYE_VERSION }} | |
| enable-cache: true | |
| - name: Rye Setup | |
| run: | | |
| rye config --set-bool behavior.use-uv=true | |
| - name: Create build | |
| working-directory: libs/labelbox | |
| run: | | |
| rye sync | |
| rye build | |
| - name: "Generate hashes" | |
| id: hash | |
| run: | | |
| cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: build | |
| path: ./dist | |
| provenance_python: | |
| needs: [build] | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write # Needed to access the workflow's OIDC identity. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: "${{ needs.build.outputs.hashes }}" | |
| upload-assets: true | |
| upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow | |
| test-build: | |
| if: ${{ !inputs.skip-tests }} | |
| needs: ['build'] | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - python-version: 3.9 | |
| prod-key: PROD_LABELBOX_API_KEY_3 | |
| da-test-key: DA_GCP_LABELBOX_API_KEY | |
| - python-version: "3.10" | |
| prod-key: PROD_LABELBOX_API_KEY_4 | |
| da-test-key: DA_GCP_LABELBOX_API_KEY | |
| - python-version: 3.11 | |
| prod-key: LABELBOX_API_KEY | |
| da-test-key: DA_GCP_LABELBOX_API_KEY | |
| - python-version: 3.12 | |
| prod-key: PROD_LABELBOX_API_KEY_5 | |
| da-test-key: DA_GCP_LABELBOX_API_KEY | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| - name: Install the latest version of rye | |
| uses: eifinger/setup-rye@v2 | |
| with: | |
| version: ${{ vars.RYE_VERSION }} | |
| enable-cache: true | |
| - name: Rye Setup | |
| run: | | |
| rye config --set-bool behavior.use-uv=true | |
| - name: Python setup | |
| run: rye pin ${{ matrix.python-version }} | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: ./dist | |
| - name: Prepare package and environment | |
| run: | | |
| rye sync -f --update-all | |
| rye run toml unset --toml-path pyproject.toml tool.rye.workspace | |
| rye sync -f --update-all | |
| - name: Integration Testing | |
| env: | |
| PYTEST_XDIST_AUTO_NUM_WORKERS: 32 | |
| LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }} | |
| DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }} | |
| LABELBOX_TEST_ENVIRON: prod | |
| run: | | |
| rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute | |
| cd libs/labelbox | |
| rm pyproject.toml | |
| rye run pytest tests/integration | |
| - name: Data Testing | |
| env: | |
| PYTEST_XDIST_AUTO_NUM_WORKERS: 32 | |
| LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }} | |
| DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }} | |
| LABELBOX_TEST_ENVIRON: prod | |
| run: | | |
| rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute --features data | |
| cd libs/labelbox | |
| rye run pytest tests/data | |
| publish-python-package-to-release: | |
| runs-on: ubuntu-latest | |
| needs: ['build'] | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: ./artifact | |
| - name: Upload dist to release | |
| run: | | |
| gh release upload ${{ inputs.tag }} ./artifact/* | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| pypi-publish: | |
| runs-on: ubuntu-latest | |
| needs: ['build', 'test-build'] | |
| if: | | |
| always() && | |
| (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag | |
| environment: | |
| name: publish | |
| url: 'https://pypi.org/project/labelbox/' | |
| permissions: | |
| # IMPORTANT: this permission is mandatory for trusted publishing | |
| id-token: write | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: build | |
| path: ./artifact | |
| - name: Publish package distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| packages-dir: artifact/ | |
| container-publish: | |
| runs-on: ubuntu-latest | |
| needs: ['build', 'test-build'] | |
| permissions: | |
| packages: write | |
| outputs: | |
| image: ${{ steps.image.outputs.image }} | |
| digest: ${{ steps.build_container.outputs.digest }} | |
| if: | | |
| always() && | |
| (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag | |
| env: | |
| CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| - name: downcase CONTAINER_IMAGE | |
| run: | | |
| echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push | |
| uses: docker/build-push-action@v5 | |
| id: build_container | |
| with: | |
| context: . | |
| file: ./libs/labelbox/Dockerfile | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| push: true | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64 | |
| tags: | | |
| ${{ env.CONTAINER_IMAGE }}:latest | |
| ${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }} | |
| - name: Output image | |
| id: image | |
| run: | | |
| # NOTE: Set the image as an output because the `env` context is not | |
| # available to the inputs of a reusable workflow call. | |
| image_name="${CONTAINER_IMAGE}" | |
| echo "image=$image_name" >> "$GITHUB_OUTPUT" | |
| provenance_container: | |
| needs: [container-publish] | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: ${{ needs. container-publish.outputs.image }} | |
| digest: ${{ needs. container-publish.outputs.digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} |