# This is a trusted builder implemented as a reusable workflow that can be called by other
# Actions workflows. It checks, tests, and builds the artifacts including the SBOM and documentation,
# and computes hash digests as output to be used by a SLSA provenance generator. Even though we
# run the build in a matrix to check against different platforms, due to a known limitation of
# reusable workflows that do not support setting strategy property from the caller workflow, we
# only generate artifacts for ubuntu-latest and Python 3.10.
# See: https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations.
name: Build the package
# `on` is a YAML 1.1 boolean key; GitHub's loader reads it as the literal key, so the
# yamllint truthy rule is suppressed for this single line.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    outputs:
      # Base64-encoded `sha256sum` output of the release files, produced by the
      # compute-hash step of the build job and consumed by the provenance generator.
      artifacts-sha256:
        description: The hash of the artifacts
        value: ${{ jobs.build.outputs.artifacts-sha256 }}
# Default token permissions for every job of this reusable workflow. The build job
# raises its own permissions to `contents: write` for the release commit and tag push;
# a called workflow cannot exceed what the calling workflow grants, so the caller must
# pass at least that.
permissions:
  contents: read
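# Workflow-level environment: exported to every step's shell and used in step `if:`
# conditions via the `env` context to select the single matrix leg that releases.
env:
  ARTIFACT_OS: ubuntu-latest  # The default OS for release.
  ARTIFACT_PYTHON: '3.10'  # The default Python version for release; quoted so it is not read as 3.1.
  USER_NAME: github-actions  # The default user name for release.
  # NOTE(review): the value below looks like a redaction artifact of the page this file
  # was taken from. Unquoted, `[...]` is parsed as a flow sequence rather than a string,
  # so it is quoted here — confirm the intended release author address before use.
  USER_EMAIL: '[email protected]'  # The default email address for release.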
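jobs:
  build:
    # NOTE(review): with a matrix, the job output is taken from whichever matrix leg
    # writes it last. Only the ARTIFACT_OS/ARTIFACT_PYTHON leg runs the compute-hash
    # step; confirm the skipped step on the other legs does not overwrite the value.
    outputs:
      artifacts-sha256: ${{ steps.compute-hash.outputs.artifacts-sha256 }}
    name: Build Python ${{ matrix.python }} on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        # It is recommended to pin a Runner version specifically:
        # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
        os: [ubuntu-latest, macos-latest, windows-latest]
        # Quoted so '3.10' stays a string instead of becoming the float 3.1.
        python: ['3.9', '3.10']
    permissions:
      contents: write  # To create the release tag if run on the main branch.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504  # v1.4.4
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - name: Check out repository
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b  # v3.0.2
        with:
          fetch-depth: 0  # Full history; presumably needed by the changelog/bump step below.
      - name: Set up Python
        uses: actions/setup-python@c4e89fac7e8767b327bbad6cb4d859eda999cf08  # v4.1.0
        with:
          python-version: ${{ matrix.python }}
      - name: Create and activate virtual environment
        if: matrix.os == 'ubuntu-latest' || matrix.os == 'macos-latest'
        run: |
          make venv
          source .venv/bin/activate
        env:
          PYTHON: python
      - name: Create and activate virtual environment (Windows)
        if: matrix.os == 'windows-latest'
        run: |
          make venv
          .venv/Scripts/Activate.ps1
        env:
          PYTHON: python
      # Note: There will be warnings from the Makefile about venv not being activated in
      # the following steps. The `run:` shell is closed at the end of each step and the next
      # step uses its own new shell, which doesn't have an activated venv. Currently, we avoid
      # activating the venv at the beginning of every step because activating is different
      # on Windows and Linux as they put the scripts into different folders.
      - name: Install dependencies
        run: make setup
      - name: Create changelog and bump
        if: github.ref == 'refs/heads/main' && matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
        run: |
          # Set up the GitHub user and email as author for the release commit.
          # Quoted so the values are passed as single arguments regardless of content.
          git config --global user.name "$USER_NAME"
          git config --global user.email "$USER_EMAIL"
          git config --list --global
          # `make dist` only runs in a later step, so ensure dist/ exists before the
          # release notes are redirected into it (no-op if it already exists).
          mkdir -p dist
          # First generate the CHANGELOG diff to use as release notes.
          cz changelog --dry-run --incremental --unreleased-version "Release Notes" > dist/RELEASE_NOTES.md
          # Update the CHANGELOG.md.
          cz changelog
          cz bump
      - name: Build the package
        # We don't need to check and test the package separately because `make dist` runs
        # those targets first and only builds the package if they succeed.
        run: |
          # Build the sdist and wheel distribution of the package and docs as a zip file.
          # Generate the requirements.txt that contains the hash digests of the dependencies.
          # Generate the SBOM using the CycloneDX SBOM generator.
          make dist requirements sbom
      - name: Compute package hash
        if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
        id: compute-hash
        shell: bash
        run: |
          set -euo pipefail
          # Resolve exactly one release file per pattern. The digest computed below becomes
          # the provenance subject list, so a pattern that matches nothing (or more than one
          # file) must fail the step instead of silently leaving an artifact out of the hash.
          find_one() {
            local matches
            mapfile -t matches < <(find dist -type f -name "$1")
            if [ "${#matches[@]}" -ne 1 ]; then
              echo "Expected exactly one file matching '$1' under dist, found ${#matches[@]}: ${matches[*]:-<none>}" >&2
              exit 1
            fi
            printf '%s\n' "${matches[0]}"
          }
          # Find the paths to the files that will be included in the release.
          # Patterns are quoted so `find`, not the shell, expands the glob.
          TARBALL_PATH=$(find_one "*.tar.gz")
          WHEEL_PATH=$(find_one "*.whl")
          SBOM_PATH=$(find_one "*-sbom.json")
          HTML_DOCS_PATH=$(find_one "*-docs-html.zip")
          # Make sure dist/RELEASE_NOTES.md (which contains the release notes) exists.
          touch dist/RELEASE_NOTES.md
          NOTES_PATH=$(find_one "RELEASE_NOTES.md")
          # Compute the sha digest for all the release files and encode them using base64.
          DIGEST=$(sha256sum "$TARBALL_PATH" "$WHEEL_PATH" "$SBOM_PATH" "$HTML_DOCS_PATH" "$NOTES_PATH" | base64 -w0)
          echo "Digest of artifacts is $DIGEST."
          # Set the computed sha digest as the output of this step. The `::set-output`
          # workflow command is deprecated; the $GITHUB_OUTPUT file replaces it.
          echo "artifacts-sha256=$DIGEST" >> "$GITHUB_OUTPUT"
      - name: Upload the package artifact
        # For now only generate artifacts for the specified OS and Python version in env variables.
        # Currently reusable workflows do not support setting strategy property from the caller workflow.
        if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8  # v3.1.0
        with:
          name: artifact-${{ matrix.os }}-${{ matrix.python }}
          path: dist
          if-no-files-found: error
          retention-days: 1
      - name: Update release tag
        # Push the release tag only once when branch is main on the specified OS and Python version.
        # Presumably authenticates with the token persisted by the checkout step above.
        if: github.ref == 'refs/heads/main' && matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
        run: |
          git push
          git push --tags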