This job uses the new artifact attestations: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ This will allow users to verify that the sources came from a specific workflow run in the llvm-project repository. Currently, this job does not automatically upload sources to the release page, but rather it attaches them the workflow run as artifacts. The release manager is expected to download, verify, and sign the sources before uploading them to the release page. We may be able to automatically upload them in the future once we have a process for signing the binaries within the github workflow. Technically, though, the binaries are being signed as part of the attestation process, but the only way to verify the signatures is using the gh command line tool, and I don't think it is best to rely on that, since the tool may not be easily available on all systems.
99 lines
2.8 KiB
YAML
99 lines
2.8 KiB
YAML
name: Release Task
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
# The regex support here is limited, so just match everything that starts with llvmorg- and filter later.
|
|
- 'llvmorg-*'
|
|
|
|
jobs:
|
|
validate-tag:
|
|
name: Validate Tag
|
|
runs-on: ubuntu-latest
|
|
if: github.repository == 'llvm/llvm-project'
|
|
outputs:
|
|
release-version: ${{ steps.validate-tag.outputs.release-version }}
|
|
steps:
|
|
- name: Validate Tag
|
|
id: validate-tag
|
|
run: |
|
|
echo "${{ github.ref_name }}" | grep -e '^llvmorg-[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc[0-9]\+\)\?$'
|
|
release_version=$(echo "${{ github.ref_name }}" | sed 's/llvmorg-//g')
|
|
echo "release-version=$release_version" >> "$GITHUB_OUTPUT"
|
|
|
|
release-create:
|
|
name: Create a New Release
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write # For creating the release.
|
|
needs: validate-tag
|
|
|
|
steps:
|
|
- name: Install Dependencies
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install python3-github
|
|
|
|
- name: Checkout LLVM
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
|
|
|
- name: Create Release
|
|
env:
|
|
GITHUB_TOKEN: ${{ github.token }}
|
|
USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
|
|
run: |
|
|
./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} --user-token "$USER_TOKEN" create
|
|
release-documentation:
|
|
name: Build and Upload Release Documentation
|
|
needs:
|
|
- validate-tag
|
|
uses: ./.github/workflows/release-documentation.yml
|
|
with:
|
|
release-version: ${{ needs.validate-tag.outputs.release-version }}
|
|
upload: true
|
|
|
|
release-doxygen:
|
|
name: Build and Upload Release Doxygen
|
|
permissions:
|
|
contents: write
|
|
needs:
|
|
- validate-tag
|
|
- release-create
|
|
uses: ./.github/workflows/release-doxygen.yml
|
|
with:
|
|
release-version: ${{ needs.validate-tag.outputs.release-version }}
|
|
upload: true
|
|
|
|
release-lit:
|
|
name: Release Lit
|
|
needs: validate-tag
|
|
uses: ./.github/workflows/release-lit.yml
|
|
with:
|
|
release-version: ${{ needs.validate-tag.outputs.release-version }}
|
|
|
|
release-binaries:
|
|
name: Build Release Binaries
|
|
permissions:
|
|
contents: write
|
|
needs:
|
|
- validate-tag
|
|
- release-create
|
|
uses: ./.github/workflows/release-binaries.yml
|
|
with:
|
|
release-version: ${{ needs.validate-tag.outputs.release-version }}
|
|
upload: true
|
|
|
|
release-sources:
|
|
name: Package Release Sources
|
|
permissions:
|
|
id-token: write
|
|
attestations: write
|
|
needs:
|
|
- validate-tag
|
|
uses: ./.github/workflows/release-sources.yml
|
|
with:
|
|
release-version: ${{ needs.validate-tag.outputs.release-version }}
|