blob: a6c86823f99df5d908d213cd96a921e57ebdafae [file] [log] [blame]
name: Release Sources
permissions:
contents: read
on:
workflow_dispatch:
inputs:
release-version:
description: Release Version
required: true
type: string
workflow_call:
inputs:
release-version:
description: Release Version
required: true
type: string
secrets:
RELEASE_TASKS_USER_TOKEN:
description: "Secret used to check user permissions."
required: false
# Run on pull_requests for testing purposes.
pull_request:
paths:
- '.github/workflows/release-sources.yml'
types:
- opened
- synchronize
- reopened
# When a PR is closed, we still start this workflow, but then skip
# all the jobs, which makes it effectively a no-op. The reason to
# do this is that it allows us to take advantage of concurrency groups
# to cancel in progress CI jobs whenever the PR is closed.
- closed
concurrency:
group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }}
cancel-in-progress: True
jobs:
inputs:
name: Collect Job Inputs
if: >-
github.repository_owner == 'llvm' &&
github.event.action != 'closed'
outputs:
ref: ${{ steps.inputs.outputs.ref }}
export-args: ${{ steps.inputs.outputs.export-args }}
runs-on: ubuntu-latest
steps:
- id: inputs
run: |
ref=${{ (inputs.release-version && format('llvmorg-{0}', inputs.release-version)) || github.sha }}
if [ -n "${{ inputs.release-version }}" ]; then
export_args="-release ${{ inputs.release-version }} -final"
else
export_args="-git-ref ${{ github.sha }}"
fi
echo "ref=$ref" >> $GITHUB_OUTPUT
echo "export-args=$export_args" >> $GITHUB_OUTPUT
release-sources:
name: Package Release Sources
if: github.repository_owner == 'llvm'
runs-on: ubuntu-latest
needs:
- inputs
permissions:
id-token: write
attestations: write
steps:
- name: Checkout LLVM
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.inputs.outputs.ref }}
fetch-tags: true
- name: Install Dependencies
run: |
pip install --require-hashes -r ./llvm/utils/git/requirements.txt
- name: Check Permissions
if: github.event_name != 'pull_request'
env:
GITHUB_TOKEN: ${{ github.token }}
USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
run: |
./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
- name: Create Tarballs
run: |
./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}
- name: Attest Build Provenance
if: github.event_name != 'pull_request'
id: provenance
uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
with:
subject-path: "*.xz"
- if: github.event_name != 'pull_request'
run: |
mv ${{ steps.provenance.outputs.bundle-path }} .
- name: Create Tarball Artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3
with:
path: |
*.xz
attestation.jsonl