workflows: Factor out artifact attestation and upload into a composite action

tstellar · tstellar · commit 81a0b9c35c57 · 2025-11-26T00:50:08.000-08:00
Also, switch the release-sources workflow over to use this new action.
As a result of this change, the attestation file for the sources will be
renamed from attestation.jsonl to $TAG-sources.jsonl.
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
@@ -79,30 +79,18 @@ jobs:
         run: |
           pip install --require-hashes -r ./llvm/utils/git/requirements.txt
 
-      - name: Check Permissions
-        if: github.event_name != 'pull_request'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
-        run: |
-          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
       - name: Create Tarballs
         run: |
           ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}
-      - name: Attest Build Provenance
-        if: github.event_name != 'pull_request'
-        id: provenance
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
-        with:
-          subject-path: "*.xz"
-      - if: github.event_name != 'pull_request'
-        run: |
-          mv ${{ steps.provenance.outputs.bundle-path }} .
-      - name: Create Tarball Artifacts
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-        with:
-          path: |
-            *.xz
-            attestation.jsonl
 
+      - name: Store Tarball Names
+        id: filenames
+        run: |
+          echo "filenames=*.xz" >> $GITHUB_OUTPUT
 
+      - name: Upload Artifacts
+        uses: ./.github/workflows/upload-release-artifact
+        with:
+          files: ${{ steps.filenames.outputs.filenames }}
+          attestation-name: ${{ needs.inputs.outputs.ref }}-sources
+          upload: false
diff --git a/.github/workflows/upload-release-artifact/action.yml b/.github/workflows/upload-release-artifact/action.yml
@@ -0,0 +1,92 @@
+name: Upload Release Artifact
+description: >-
+  Upload release artifact along with an attestation.  The action assumes that
+  the llvm-project repository has already been checked out.
+inputs:
+  files:
+    description: >-
+      Files to be uploaded. This can contain bash wildcards.
+    required: true
+  release-version:
+    description: >-
+      The release where the artifact will be attached.
+    required: true
+  upload:
+    description: >-
+      Whether or not to upload the file and attestation to the release.  If this
+      is set to false, then the atteastion will still be generated and attached as
+      an artifact to the workflow, but won't be uploaded to the release.
+    default: true
+  user-token:
+    description: >-
+      Token with premissions to read llvm teams that is used to ensure that
+      the person who triggred the action has permission to upload artifacts.
+      This is required if upload is true.
+    requred: false
+  attestation-name:
+    description: >-
+      This will be used for the artifact name that is attached to the workflow and
+      will be used as the basename for the attestation file which will be called
+      $attestation-name.jsonl.  If this is not set, it will default
+      to the falue of `files`.
+    required: false
+
+
+runs:
+  using: "composite"
+  steps:
+    - name: Collect Variables
+      id: vars
+      shell: bash
+      env:
+        INPUTS_ATTESTATION_NAME: ${{ inputs.attestation-name }}
+        INPUTS_FILES: ${{ inputs.files }}
+      run: |
+        if [ -z "$INPUTS_ATTESTATION_NAME" ]; then
+          name="$INPUTS_FILES"
+        else
+          name="$INPUTS_ATTESTATION_NAME"
+        fi
+        echo "attestation-name=$name" >> $GITHUB_OUTPUT
+    - name: Attest Build Provenance
+      id: provenance
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: ${{ inputs.files }}
+
+    - name: Rename attestation file
+      shell: bash
+      run: |
+        mv ${{ steps.provenance.outputs.bundle-path }} ${{ steps.vars.outputs.attestation-name }}.jsonl
+
+    - name: Upload Build Provenance
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      with:
+        name: ${{ steps.vars.outputs.attestation-name }}
+        path: |
+          ${{ inputs.files }}
+          ${{ steps.vars.outputs.attestation-name }}.jsonl
+
+    - name: Install Python Requirements
+      if: inputs.upload == 'true'
+      shell: bash
+      run: |
+        pip install --require-hashes -r ./llvm/utils/git/requirements.txt
+
+    - name: Check Permissions
+      if: inputs.upload == 'true'
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+        USER_TOKEN: ${{ inputs.user-token }}
+      shell: bash
+      run: |
+        ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions
+    - name: Upload Release
+      shell: bash
+      if: inputs.upload == 'true'
+      run: |
+        ./llvm/utils/release/github-upload-release.py \
+        --token ${{ github.token }} \
+        --release ${{ inputs.release-version }} \
+        upload \
+        --files ${{ inputs.files }} ${{ steps.vars.outputs.attestation-name}}.jsonl
