llvm-project/.github/workflows/release-tasks.yml
Tom Stellard da0e5359fc
workflows: Add a new job for packaging release sources (#91834)
This job uses the new artifact attestations:

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

This will allow users to verify that the sources came from a specific
workflow run in the llvm-project repository. Currently, this job does
not automatically upload sources to the release page, but rather it
attaches them the workflow run as artifacts. The release manager is
expected to download, verify, and sign the sources before uploading them
to the release page.

We may be able to automatically upload them in the future once we have a
process for signing the binaries within the github workflow.
Technically, though, the binaries are being signed as part of the
attestation process, but the only way to verify the signatures is using
the gh command line tool, and I don't think it is best to rely on that,
since the tool may not be easily available on all systems.
2024-06-18 08:27:33 -07:00

99 lines
2.8 KiB
YAML

name: Release Task
permissions:
contents: read
on:
push:
tags:
# The regex support here is limited, so just match everything that starts with llvmorg- and filter later.
- 'llvmorg-*'
jobs:
validate-tag:
name: Validate Tag
runs-on: ubuntu-latest
if: github.repository == 'llvm/llvm-project'
outputs:
release-version: ${{ steps.validate-tag.outputs.release-version }}
steps:
- name: Validate Tag
id: validate-tag
run: |
echo "${{ github.ref_name }}" | grep -e '^llvmorg-[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc[0-9]\+\)\?$'
release_version=$(echo "${{ github.ref_name }}" | sed 's/llvmorg-//g')
echo "release-version=$release_version" >> "$GITHUB_OUTPUT"
release-create:
name: Create a New Release
runs-on: ubuntu-latest
permissions:
contents: write # For creating the release.
needs: validate-tag
steps:
- name: Install Dependencies
run: |
sudo apt-get update
sudo apt-get install python3-github
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Create Release
env:
GITHUB_TOKEN: ${{ github.token }}
USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --release ${{ needs.validate-tag.outputs.release-version }} --user ${{ github.actor }} --user-token "$USER_TOKEN" create
release-documentation:
name: Build and Upload Release Documentation
needs:
- validate-tag
uses: ./.github/workflows/release-documentation.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
release-doxygen:
name: Build and Upload Release Doxygen
permissions:
contents: write
needs:
- validate-tag
- release-create
uses: ./.github/workflows/release-doxygen.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
release-lit:
name: Release Lit
needs: validate-tag
uses: ./.github/workflows/release-lit.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
release-binaries:
name: Build Release Binaries
permissions:
contents: write
needs:
- validate-tag
- release-create
uses: ./.github/workflows/release-binaries.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
release-sources:
name: Package Release Sources
permissions:
id-token: write
attestations: write
needs:
- validate-tag
uses: ./.github/workflows/release-sources.yml
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}