workflows: Factor out artifact attestation and upload into a composite action #135
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Sources | |
| permissions: | |
| contents: read | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release-version: | |
| description: Release Version | |
| required: true | |
| type: string | |
| workflow_call: | |
| inputs: | |
| release-version: | |
| description: Release Version | |
| required: true | |
| type: string | |
| secrets: | |
| RELEASE_TASKS_USER_TOKEN: | |
| description: "Secret used to check user permissions." | |
| required: false | |
| # Run on pull_requests for testing purposes. | |
| pull_request: | |
| paths: | |
| - '.github/workflows/release-sources.yml' | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| # When a PR is closed, we still start this workflow, but then skip | |
| # all the jobs, which makes it effectively a no-op. The reason to | |
| # do this is that it allows us to take advantage of concurrency groups | |
| # to cancel in progress CI jobs whenever the PR is closed. | |
| - closed | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ inputs.release-version || github.event.pull_request.number }} | |
| cancel-in-progress: True | |
| jobs: | |
| inputs: | |
| name: Collect Job Inputs | |
| if: >- | |
| github.repository_owner == 'llvm' && | |
| github.event.action != 'closed' | |
| outputs: | |
| ref: ${{ steps.inputs.outputs.ref }} | |
| export-args: ${{ steps.inputs.outputs.export-args }} | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - id: inputs | |
| run: | | |
| ref=${{ (inputs.release-version && format('llvmorg-{0}', inputs.release-version)) || github.sha }} | |
| if [ -n "${{ inputs.release-version }}" ]; then | |
| export_args="-release ${{ inputs.release-version }} -final" | |
| else | |
| export_args="-git-ref ${{ github.sha }}" | |
| fi | |
| echo "ref=$ref" >> $GITHUB_OUTPUT | |
| echo "export-args=$export_args" >> $GITHUB_OUTPUT | |
| release-sources: | |
| name: Package Release Sources | |
| if: github.repository_owner == 'llvm' | |
| runs-on: ubuntu-24.04 | |
| needs: | |
| - inputs | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - name: Checkout LLVM | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| ref: ${{ needs.inputs.outputs.ref }} | |
| fetch-tags: true | |
| - name: Install Dependencies | |
| run: | | |
| pip install --require-hashes -r ./llvm/utils/git/requirements.txt | |
| - name: Create Tarballs | |
| run: | | |
| ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }} | |
| - name: Store Tarball Names | |
| id: filenames | |
| run: | | |
| echo "filenames=*.xz" >> $GITHUB_OUTPUT | |
| - name: Upload Artifacts | |
| uses: ./.github/workflows/upload-release-artifact | |
| with: | |
| files: ${{ steps.filenames.outputs.filenames }} | |
| attestation-name: ${{ needs.inputs.outputs.ref }}-sources | |
| upload: false |