109 lines · yaml
1name: Release Sources2 3permissions:4 contents: read5 6on:7 workflow_dispatch:8 inputs:9 release-version:10 description: Release Version11 required: true12 type: string13 workflow_call:14 inputs:15 release-version:16 description: Release Version17 required: true18 type: string19 secrets:20 RELEASE_TASKS_USER_TOKEN:21 description: "Secret used to check user permissions."22 required: false23 # Run on pull_requests for testing purposes.24 pull_request:25 paths:26 - '.github/workflows/release-sources.yml'27 types:28 - opened29 - synchronize30 - reopened31 # When a PR is closed, we still start this workflow, but then skip32 # all the jobs, which makes it effectively a no-op. The reason to33 # do this is that it allows us to take advantage of concurrency groups34 # to cancel in progress CI jobs whenever the PR is closed.35 - closed36 37concurrency:38 group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }}39 cancel-in-progress: True40 41jobs:42 inputs:43 name: Collect Job Inputs44 if: >-45 github.repository_owner == 'llvm' &&46 github.event.action != 'closed'47 outputs:48 ref: ${{ steps.inputs.outputs.ref }}49 export-args: ${{ steps.inputs.outputs.export-args }}50 runs-on: ubuntu-24.0451 steps:52 - id: inputs53 run: |54 ref=${{ (inputs.release-version && format('llvmorg-{0}', inputs.release-version)) || github.sha }}55 if [ -n "${{ inputs.release-version }}" ]; then56 export_args="-release ${{ inputs.release-version }} -final"57 else58 export_args="-git-ref ${{ github.sha }}"59 fi60 echo "ref=$ref" >> $GITHUB_OUTPUT61 echo "export-args=$export_args" >> $GITHUB_OUTPUT62 63 release-sources:64 name: Package Release Sources65 if: github.repository_owner == 'llvm'66 runs-on: ubuntu-24.0467 needs:68 - inputs69 permissions:70 id-token: write71 attestations: write72 steps:73 - name: Checkout LLVM74 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.075 with:76 ref: ${{ needs.inputs.outputs.ref }}77 fetch-tags: true78 - name: Install Dependencies79 run: |80 pip install --require-hashes -r ./llvm/utils/git/requirements.txt81 82 - name: Check Permissions83 if: github.event_name != 'pull_request'84 env:85 GITHUB_TOKEN: ${{ github.token }}86 USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}87 run: |88 ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions89 - name: Create Tarballs90 run: |91 ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}92 - name: Attest Build Provenance93 if: github.event_name != 'pull_request'94 id: provenance95 uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.096 with:97 subject-path: "*.xz"98 - if: github.event_name != 'pull_request'99 run: |100 mv ${{ steps.provenance.outputs.bundle-path }} .101 - name: Create Tarball Artifacts102 uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0103 with:104 path: |105 *.xz106 attestation.jsonl107 108 109