.github/workflows/release-sources.yml

   1 name: Release Sources
   2
   3 permissions:
   4   contents: read
   5
   6 on:
   7   workflow_dispatch:
   8     inputs:
   9       release-version:
  10         description: Release Version
  11         required: true
  12         type: string
  13   workflow_call:
  14     inputs:
  15       release-version:
  16         description: Release Version
  17         required: true
  18         type: string
  19     secrets:
  20       RELEASE_TASKS_USER_TOKEN:
  21         description: "Secret used to check user permissions."
  22         required: false
  23   # Run on pull_requests for testing purposes.
  24   pull_request:
  25     paths:
  26       - '.github/workflows/release-sources.yml'
  27     types:
  28       - opened
  29       - synchronize
  30       - reopened
  31       # When a PR is closed, we still start this workflow, but then skip
  32       # all the jobs, which makes it effectively a no-op.  The reason to
  33       # do this is that it allows us to take advantage of concurrency groups
  34       # to cancel in progress CI jobs whenever the PR is closed.
  35       - closed
  36
  37 concurrency:
  38   group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }}
  39   cancel-in-progress: True
  40
  41 jobs:
  42   inputs:
  43     name: Collect Job Inputs
  44     if: >-
  45       github.repository_owner == 'llvm' &&
  46       github.event.action != 'closed'
  47     outputs:
  48       ref: ${{ steps.inputs.outputs.ref }}
  49       export-args: ${{ steps.inputs.outputs.export-args }}
  50     runs-on: ubuntu-latest
  51     steps:
  52       - id: inputs
  53         run: |
  54           ref=${{ (inputs.release-version && format('llvmorg-{0}', inputs.release-version)) || github.sha }}
  55           if [ -n "${{ inputs.release-version }}" ]; then
  56             export_args="-release ${{ inputs.release-version }} -final"
  57           else
  58             export_args="-git-ref ${{ github.sha }}"
  59           fi
  60           echo "ref=$ref" >> $GITHUB_OUTPUT
  61           echo "export-args=$export_args" >> $GITHUB_OUTPUT
  62
  63   release-sources:
  64     name: Package Release Sources
  65     if: github.repository_owner == 'llvm'
  66     runs-on: ubuntu-latest
  67     needs:
  68       - inputs
  69     permissions:
  70       id-token: write
  71       attestations: write
  72     steps:
  73       - name: Checkout LLVM
  74         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  75         with:
  76           ref: ${{ needs.inputs.outputs.ref }}
  77           fetch-tags: true
  78       - name: Install Dependencies
  79         run: |
  80           pip install --require-hashes -r ./llvm/utils/git/requirements.txt
  81
  82       - name: Check Permissions
  83         if: github.event_name != 'pull_request'
  84         env:
  85           GITHUB_TOKEN: ${{ github.token }}
  86           USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
  87         run: |
  88           ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
  89       - name: Create Tarballs
  90         run: |
  91           ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}
  92       - name: Attest Build Provenance
  93         if: github.event_name != 'pull_request'
  94         id: provenance
  95         uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
  96         with:
  97           subject-path: "*.xz"
  98       - if: github.event_name != 'pull_request'
  99         run: |
 100           mv ${{ steps.provenance.outputs.bundle-path }} .
 101       - name: Create Tarball Artifacts
 102         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3
 103         with:
 104           path: |
 105             *.xz
 106             attestation.jsonl
 107
 108