-
Notifications
You must be signed in to change notification settings - Fork 61
252 lines (240 loc) · 7.87 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
name: Labelbox Python SDK Publish
on:
workflow_dispatch:
inputs:
tag:
description: 'Release Tag'
required: true
prev_sdk_tag:
description: 'Prev SDK Release Tag, used to determine which lbox files have changed'
required: true
skip-tests:
description: 'Skip PROD Test (Do not do this unless there is an emergency)'
default: false
type: boolean
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
jobs:
build-lbox:
permissions:
actions: read
contents: write
id-token: write # Needed to access the workflow's OIDC identity.
packages: write
uses: ./.github/workflows/lbox-publish.yml
with:
tag: ${{ inputs.tag }}
prev_sdk_tag: ${{ inputs.prev_sdk_tag }}
secrets: inherit
build:
needs: ['build-lbox']
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- name: Install the latest version of rye
uses: eifinger/setup-rye@v2
with:
version: ${{ vars.RYE_VERSION }}
enable-cache: true
- name: Rye Setup
run: |
rye config --set-bool behavior.use-uv=true
- name: Create build
working-directory: libs/labelbox
run: |
rye sync
rye build
- name: "Generate hashes"
id: hash
run: |
cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- uses: actions/upload-artifact@v4
with:
name: build
path: ./dist
provenance_python:
needs: [build]
permissions:
actions: read
contents: write
id-token: write # Needed to access the workflow's OIDC identity.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow
test-build:
if: ${{ !inputs.skip-tests }}
needs: ['build']
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include:
- python-version: 3.9
prod-key: PROD_LABELBOX_API_KEY_3
da-test-key: DA_GCP_LABELBOX_API_KEY
- python-version: "3.10"
prod-key: PROD_LABELBOX_API_KEY_4
da-test-key: DA_GCP_LABELBOX_API_KEY
- python-version: 3.11
prod-key: LABELBOX_API_KEY
da-test-key: DA_GCP_LABELBOX_API_KEY
- python-version: 3.12
prod-key: PROD_LABELBOX_API_KEY_5
da-test-key: DA_GCP_LABELBOX_API_KEY
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- name: Install the latest version of rye
uses: eifinger/setup-rye@v2
with:
version: ${{ vars.RYE_VERSION }}
enable-cache: true
- name: Rye Setup
run: |
rye config --set-bool behavior.use-uv=true
- name: Python setup
run: rye pin ${{ matrix.python-version }}
- uses: actions/download-artifact@v4
with:
name: build
path: ./dist
- name: Prepare package and environment
run: |
rye sync -f --update-all
rye run toml unset --toml-path pyproject.toml tool.rye.workspace
rye sync -f --update-all
- name: Integration Testing
env:
PYTEST_XDIST_AUTO_NUM_WORKERS: 32
LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }}
DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }}
LABELBOX_TEST_ENVIRON: prod
run: |
rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute
cd libs/labelbox
rm pyproject.toml
rye run pytest tests/integration
- name: Data Testing
env:
PYTEST_XDIST_AUTO_NUM_WORKERS: 32
LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }}
DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }}
LABELBOX_TEST_ENVIRON: prod
run: |
rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute --features data
cd libs/labelbox
rye run pytest tests/data
publish-python-package-to-release:
runs-on: ubuntu-latest
needs: ['build']
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- uses: actions/download-artifact@v4
with:
name: build
path: ./artifact
- name: Upload dist to release
run: |
gh release upload ${{ inputs.tag }} ./artifact/*
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
pypi-publish:
runs-on: ubuntu-latest
needs: ['build', 'test-build']
if: |
always() &&
(needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag
environment:
name: publish
url: 'https://pypi.org/project/labelbox/'
permissions:
# IMPORTANT: this permission is mandatory for trusted publishing
id-token: write
steps:
- uses: actions/download-artifact@v4
with:
name: build
path: ./artifact
- name: Publish package distributions to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
packages-dir: artifact/
container-publish:
runs-on: ubuntu-latest
needs: ['build', 'test-build']
permissions:
packages: write
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build_container.outputs.digest }}
if: |
always() &&
(needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag
env:
CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}"
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.tag }}
- name: downcase CONTAINER_IMAGE
run: |
echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v5
id: build_container
with:
context: .
file: ./libs/labelbox/Dockerfile
github-token: ${{ secrets.GITHUB_TOKEN }}
push: true
platforms: |
linux/amd64
linux/arm64
tags: |
${{ env.CONTAINER_IMAGE }}:latest
${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }}
- name: Output image
id: image
run: |
# NOTE: Set the image as an output because the `env` context is not
# available to the inputs of a reusable workflow call.
image_name="${CONTAINER_IMAGE}"
echo "image=$image_name" >> "$GITHUB_OUTPUT"
provenance_container:
needs: [container-publish]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs. container-publish.outputs.image }}
digest: ${{ needs. container-publish.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}