diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
new file mode 100644
index 0000000000000..9c5b1a9f01709
--- /dev/null
+++ b/.github/workflows/release-sources.yml
@@ -0,0 +1,104 @@ +name: Release Sources + +permissions: + contents: read + +on: + workflow_dispatch: + inputs: + release-version: + description: Release Version + required: true + type: string + workflow_call: + inputs: + release-version: + description: Release Version + required: true + type: string + # Run on pull_requests for testing purposes. + pull_request: + paths: + - '.github/workflows/release-sources.yml' + types: + - opened + - synchronize + - reopened + # When a PR is closed, we still start this workflow, but then skip + # all the jobs, which makes it effectively a no-op. The reason to + # do this is that it allows us to take advantage of concurrency groups + # to cancel in progress CI jobs whenever the PR is closed. + - closed + +concurrency: + group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }} + cancel-in-progress: True + +jobs: + inputs: + name: Collect Job Inputs + if: >- + github.repository_owner == 'llvm' && + github.event.action != 'closed' + outputs: + ref: ${{ steps.inputs.outputs.ref }} + export-args: ${{ steps.inputs.outputs.export-args }} + runs-on: ubuntu-latest + steps: + - id: inputs + run: | + ref=${{ inputs.release-version || github.sha }} + if [ -n "${{ inputs.release-version }}" ]; then + export_args="-release ${{ inputs.release-version }} -final" + else + export_args="-git-ref ${{ github.sha }}" + fi + echo "ref=$ref" >> $GITHUB_OUTPUT + echo "export-args=$export_args" >> $GITHUB_OUTPUT + + release-sources: + name: Package Release Sources + if: github.repository_owner == 'llvm' + runs-on: ubuntu-latest + needs: + - inputs + permissions: + id-token: write + attestations: write + steps: + - name: Checkout LLVM + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{ needs.inputs.outputs.ref }} + fetch-tags: true + - name: Install Dependencies + run: | + pip install --require-hashes -r ./llvm/utils/git/requirements.txt + + - name: Check Permissions + if: 
github.event_name != 'pull_request' + env: + GITHUB_TOKEN: ${{ github.token }} + USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }} + run: | + ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions + - name: Create Tarballs + run: | + ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }} + - name: Attest Build Provenance + if: github.event_name != 'pull_request' + id: provenance + uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: "*.xz" + - if: github.event_name != 'pull_request' + run: | + mv ${{ steps.provenance.outputs.bundle-path }} . + - name: Create Tarball Artifacts + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3 + with: + path: | + *.xz + attestation.jsonl + + diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml index 29049ff014288..2ed56dace1d4c 100644 --- a/.github/workflows/release-tasks.yml +++ b/.github/workflows/release-tasks.yml @@ -85,3 +85,14 @@ jobs: with: release-version: ${{ needs.validate-tag.outputs.release-version }} upload: true + + release-sources: + name: Package Release Sources + permissions: + id-token: write + attestations: write + needs: + - validate-tag + uses: ./.github/workflows/release-sources.yml + with: + release-version: ${{ needs.validate-tag.outputs.release-version }} diff --git a/llvm/docs/HowToReleaseLLVM.rst b/llvm/docs/HowToReleaseLLVM.rst index 51ab6dfd8d8d5..eff5df074910e 100644 --- a/llvm/docs/HowToReleaseLLVM.rst +++ b/llvm/docs/HowToReleaseLLVM.rst 
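Review bot: The `inputs` job's `run:` script splices `${{ inputs.release-version }}` and `${{ github.sha }}` directly into shell source, and the Check Permissions step in the `release-sources` job does the same with `--user ${{ github.actor }}`; this is the expression-injection pattern GitHub's Actions hardening guidance tells workflow authors to avoid, because the expanded value is interpreted as code rather than data. Here the value is either a `workflow_dispatch` input or the tag-derived `release-version` that release-tasks.yml passes in, so only people who can already start the workflow control it, but the `release-sources` job runs with `secrets.RELEASE_TASKS_USER_TOKEN` and an OIDC token, and the defensive form is cheap: route the values through `env:` and reference them as quoted shell variables (`$GITHUB_SHA` and `$GITHUB_ACTOR` are already set by the runner). The same unquoted-expansion style appears in `./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}` and `mv ${{ steps.provenance.outputs.bundle-path }} .`, where a value containing whitespace would be word-split. Separately, `cancel-in-progress: True` should be the canonical lowercase `true`, and because the job-level `permissions:` on `release-sources` replaces the top-level set rather than extending it, listing `contents: read` there explicitly would document what the `actions/checkout` step relies on.
```yaml
      - id: inputs
        env:
          RELEASE_VERSION: ${{ inputs.release-version }}
        run: |
          ref="${RELEASE_VERSION:-$GITHUB_SHA}"
          if [ -n "$RELEASE_VERSION" ]; then
            export_args="-release $RELEASE_VERSION -final"
          else
            export_args="-git-ref $GITHUB_SHA"
          fi
          echo "ref=$ref" >> "$GITHUB_OUTPUT"
          echo "export-args=$export_args" >> "$GITHUB_OUTPUT"
# … unchanged: release-sources job header, Checkout LLVM and Install Dependencies steps …
      - name: Check Permissions
        if: github.event_name != 'pull_request'
        env:
          GITHUB_TOKEN: ${{ github.token }}
          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
        run: |
          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions
# … unchanged: Create Tarballs, Attest Build Provenance, bundle move and upload-artifact steps …
```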
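Review bot: The new `release-sources` caller job grants only `id-token: write` and `attestations: write`, while the called release-sources.yml declares a top-level `permissions: contents: read` (inherited by its `inputs` job) and runs `actions/checkout`; if I read the reusable-workflow rules correctly, a called workflow can only narrow the token its caller passes, so a request for `contents: read` against a caller that provides none may be rejected at trigger time rather than silently downgraded. Adding `contents: read` to this job's `permissions:` block alongside the two existing entries would make the caller's grant match what the called workflow asks for. The job has no `if:` of its own, but it `needs: validate-tag` and the called workflow checks `github.repository_owner == 'llvm'`, which I take to be the intended gating. The `jobs:` mapping this hunk extends begins outside the hunk.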
@@ -144,8 +144,17 @@ Tag release candidates: $ git tag -sa llvmorg-X.Y.Z-rcN -The Release Manager must supply pre-packaged source tarballs for users. This can -be done with the export.sh script in utils/release. +The pre-packaged source tarballs will be automatically generated via the +"Release Sources" workflow on GitHub. This workflow will create an artifact +containing all the release tarballs and the artifact attestation. The +Release Manager should download the artifact, verify the tarballs, sign them, +and then upload them to the release page. + +:: + + $ unzip artifact.zip + $ gh auth login + $ for f in *.xz; do gh attestation verify --owner llvm $f && gpg -b $f; done Tarballs, release binaries, or any other release artifacts must be uploaded to GitHub. This can be done using the github-upload-release.py script in utils/release. @@ -154,12 +163,6 @@ GitHub. This can be done using the github-upload-release.py script in utils/rel $ github-upload-release.py upload --token --release X.Y.Z-rcN --files -:: - - $ ./export.sh -release X.Y.Z -rc $RC - -This will generate source tarballs for each LLVM project being validated, which -can be uploaded to github for further testing. Build The Binary Distribution ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^