Merge branch 'main' into users/cachemeifyoucan/spr/cas-disable-castests-on-windows-versions-before-windows-11

Author: cachemeifyoucan

.github/workflows/issue-write-test.yaml

@@ -0,0 +1,33 @@
+name: Test Issue Write
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/issue-write-test.yaml'
+      - '.github/workflows/issue-write.yml'
+
+jobs:
+  test-issue-write:
+    name: "Test Issue Write"
+    runs-on: ubuntu-24.04
+    if: github.repository == 'llvm/llvm-project'
+    steps:
+      - name: Write Comment
+        run: |
+          echo '[{"body": "This is a comment for testing the issue write workflow"}]' > comments-foo
+          echo '[{"body": "This is another comment for testing the issue write workflow that was placed in a separate file"}]' > comments-bar
+      - name: Upload Comment
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: workflow-args-foo
+          path: |
+            comments-foo
+      - name: Upload Comment
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: workflow-args-bar
+          path: |
+            comments-bar

.github/workflows/issue-write.yml

@@ -8,6 +8,7 @@ on:
       - "PR Request Release Note"
       - "Code lint"
       - "CI Checks"
+      - "Test Issue Write"
     types:
       - completed
 
@@ -40,13 +41,18 @@ jobs:
           artifact-name: workflow-args
 
       - name: 'Comment on PR'
-        if: steps.download-artifact.outputs.artifact-id != ''
+        if: steps.download-artifact.outputs.artifact-ids != ''
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             var fs = require('fs');
-            const comments = JSON.parse(fs.readFileSync('./comments'));
+            var comments = []
+            for (local_file of fs.readdirSync('.')) {
+              if (local_file.startsWith("comments")) {
+                comments.push(...JSON.parse(fs.readFileSync(local_file)))
+              }
+            }
             if (!comments || comments.length == 0) {
               return;
             }
@@ -155,5 +161,5 @@ jobs:
       - name: Dump comments file
         if: >-
           always() &&
-          steps.download-artifact.outputs.artifact-id != ''
+          steps.download-artifact.outputs.artifact-ids != ''
         run: cat comments

.github/workflows/release-sources.yml

@@ -64,11 +64,11 @@ jobs:
     name: Package Release Sources
     if: github.repository_owner == 'llvm'
     runs-on: ubuntu-24.04
+    outputs:
+      digest: ${{ steps.digest.outputs.digest }}
+      artifact-id: ${{ steps.artifact-upload.outputs.artifact-id }}
     needs:
       - inputs
-    permissions:
-      id-token: write
-      attestations: write
     steps:
       - name: Checkout LLVM
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -79,30 +79,47 @@ jobs:
         run: |
           pip install --require-hashes -r ./llvm/utils/git/requirements.txt
 
-      - name: Check Permissions
-        if: github.event_name != 'pull_request'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
-        run: |
-          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
       - name: Create Tarballs
         run: |
           ./llvm/utils/release/export.sh ${{ needs.inputs.outputs.export-args }}
-      - name: Attest Build Provenance
-        if: github.event_name != 'pull_request'
-        id: provenance
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
-        with:
-          subject-path: "*.xz"
-      - if: github.event_name != 'pull_request'
+
+      - name: Generate sha256 digest for sources
+        id: digest
         run: |
-          mv ${{ steps.provenance.outputs.bundle-path }} .
-      - name: Create Tarball Artifacts
+          echo "digest=$(cat *.xz | sha256sum | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
+    
+      - name: Release Sources Artifact
+        id: artifact-upload
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
+          name: ${{ needs.inputs.outputs.ref }}-sources
           path: |
             *.xz
-            attestation.jsonl
 
+  attest-release-sources:
+    name: Attest Release Sources
+    runs-on: ubuntu-24.04
+    if: github.event_name != 'pull_request'
+    needs:
+      - inputs
+      - release-sources
+    permissions:
+      id-token: write
+      attestations: write
+    steps:
+      - name: Checkout Release Scripts
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: |
+            .github/workflows/upload-release-artifact
+            llvm/utils/release/github-upload-release.py
+            llvm/utils/git/requirements.txt
+          sparse-checkout-cone-mode: false
 
+      - name: Upload Artifacts
+        uses: ./.github/workflows/upload-release-artifact
+        with:
+          artifact-id: ${{ needs.release-sources.outputs.artifact-id }}
+          attestation-name: ${{ needs.inputs.outputs.ref }}-sources-attestation
+          digest: ${{ needs.release-sources.outputs.digest }}
+          upload: false

.github/workflows/test-unprivileged-download-artifact.yml

@@ -21,15 +21,23 @@ jobs:
     if: github.repository_owner == 'llvm'
     runs-on: ubuntu-24.04
     steps:
-      - name: Create Test File
+      - name: Create Test Files
         run: |
-          echo "test" > comment
-      - name: Upload Test File
+          echo "foo" > comment1
+          echo "bar" > comment2
+      - name: Upload Test File 1
         uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
-          name: workflow-args
+          name: artifact-name-1
           path: |
-            comment
+            comment1
+      - name: Upload Test File 2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: artifact-name-2
+          path: |
+            comment2
+        
 
   test-download:
     name: Test Unprivileged Download Artifact
@@ -47,8 +55,10 @@ jobs:
         id: download-artifact
         with:
           run-id: ${{ github.run_id }}
-          artifact-name: workflow-args
+          artifact-name: artifact-name-
       - name: Assert That Contents are the Same
         run: |
-          cat comment
-          [[ "$(cat comment)" == "test" ]]
+          cat comment1
+          [[ "$(cat comment1)" == "foo" ]]
+          cat comment2
+          [[ "$(cat comment2)" == "bar" ]]

.github/workflows/unprivileged-download-artifact/action.yml

@@ -19,9 +19,9 @@ outputs:
       The filename of the downloaded artifact or the empty string if the
       artifact was not found.
     value: ${{ steps.download-artifact.outputs.filename }}
-  artifact-id:
+  artifact-ids:
     description: "The id of the artifact being downloaded."
-    value: ${{ steps.artifact-url.outputs.id }}
+    value: ${{ steps.artifact-url.outputs.ids }}
 
 
 runs:
@@ -36,46 +36,67 @@ runs:
             response = await github.rest.actions.listArtifactsForRepo({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              name: "${{ inputs.artifact-name }}"
             })
           } else {
             response = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
               run_id: "${{ inputs.run-id }}",
-              name: "${{ inputs.artifact-name }}"
             })
           }
 
           console.log(response)
 
+          artifacts_to_download = []
           for (artifact of response.data.artifacts) {
+            if (artifact.name.startsWith("${{ inputs.artifact-name }}")) {
+              artifacts_to_download.push(artifact)
+            }
+          }
+
+          for (artifact of artifacts_to_download) {
             console.log(artifact);
           }
 
-          if (response.data.artifacts.length == 0) {
-            console.log("Could not find artifact ${{ inputs.artifact-name }} for workflow run ${{ inputs.run-id }}")
+          if (artifacts_to_download.length == 0) {
+            console.log("Could not find artifacts starting with name ${{ inputs.artifact-name }} for workflow run ${{ inputs.run-id }}")
             return;
           }
 
-          const url_response = await github.rest.actions.downloadArtifact({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            artifact_id: response.data.artifacts[0].id,
-            archive_format: "zip"
-          })
+          artifact_ids = []
+          artifact_urls = []
+          artifact_names = []
+          for (artifact_to_download of artifacts_to_download) {
+            const url_response = await github.rest.actions.downloadArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: artifact_to_download.id,
+              archive_format: "zip"
+            })
+
+            artifact_ids.push(artifact_to_download.id)
+            artifact_urls.push('"' + url_response.url + '"')
+            artifact_names.push('"' + artifact_to_download.name + '"')
+          }
 
-          core.setOutput("url", url_response.url);
-          core.setOutput("id", response.data.artifacts[0].id);
+          core.setOutput("urls", artifact_urls.join(" "));
+          core.setOutput("ids", artifact_ids.join(" "));
+          core.setOutput("names", artifact_names.join(" "));
 
     - shell: bash
-      if: steps.artifact-url.outputs.url != ''
+      if: steps.artifact-url.outputs.urls != ''
       id: download-artifact
       run: |
-        curl -L -o ${{ inputs.artifact-name }}.zip "${{ steps.artifact-url.outputs.url }}"
-        echo "filename=${{ inputs.artifact-name }}.zip" >> $GITHUB_OUTPUT
+        artifact_urls=(${{ steps.artifact-url.outputs.urls }})
+        artifact_names=(${{ steps.artifact-url.outputs.names }})
+        for i in "${!artifact_urls[@]}"; do
+          curl -L -o "${artifact_names[$i]}.zip" "${artifact_urls[$i]}"
+        done
 
     - shell: bash
-      if: steps.download-artifact.outputs.filename != ''
+      if: steps.artifact-url.outputs.names != ''
       run: |
-        unzip ${{ steps.download-artifact.outputs.filename }}
+        artifact_names=(${{ steps.artifact-url.outputs.names }})
+        for name in "${artifact_names[@]}"; do
+          unzip "${name}.zip"
+        done

.github/workflows/upload-release-artifact/action.yml

@@ -0,0 +1,105 @@
+name: Upload Release Artifact
+description: >-
+  Upload release artifact along with an attestation.  The action assumes that
+  the llvm-project repository has already been checked out.
+inputs:
+  release-version:
+    description: >-
+      The release where the artifact will be attached.
+    required: true
+  upload:
+    description: >-
+      Whether or not to upload the file and attestation to the release.  If this
+      is set to false, then the file will be uploaded to the job as an artifact,
+      but no atteastion will be generated and the artifact won't be uploaded
+      to the release.
+    default: true
+  user-token:
+    description: >-
+      Token with premissions to read llvm teams that is used to ensure that
+      the person who triggred the action has permission to upload artifacts.
+      This is required if upload is true.
+    requred: false
+  attestation-name:
+    description: >-
+      This will be used for the artifact name that is attached to the workflow and
+      will be used as the basename for the attestation file which will be called
+      $attestation-name.jsonl.  If this is not set, it will default
+      to the falue of `files`.
+    required: false
+  artifact-id:
+    description: >-
+      Artifact id of the artifact with the files to upload.
+    required: true
+  digest:
+    description: >-
+      sha256 digest to verify the authenticity of the files being uploaded.
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download Artifact
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      id: download-artifact
+      with:
+        artifact-ids: ${{ inputs.artifact-id }}
+        path: downloads
+
+    # In theory github artifacts are immutable so we could just rely on using
+    # the artifact-id to download it, but just to be extra safe we want to
+    # generated a digest for the files we are uploading so we can verify it
+    # when downloading.
+    # See also: https://irsl.medium.com/github-artifact-immutability-is-a-lie-9b6244095694
+    - name: Verify Files
+      shell: bash
+      env:
+        INPUTS_DIGEST: ${{ inputs.digest }}
+      run: |
+        digest_file="sha256"
+        echo "$INPUTS_DIGEST -" > $digest_file
+        cat ${{ steps.download-artifact.outputs.download-path }}/* | sha256sum -c $digest_file
+
+    - name: Attest Build Provenance
+      id: provenance
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: ${{ steps.download-artifact.outputs.download-path }}/*
+
+    - name: Rename attestation file
+      shell: bash
+      env:
+        INPUTS_ATTESTATION_NAME: ${{ inputs.attestation-name }}
+      run: |
+        mv ${{ steps.provenance.outputs.bundle-path }} "$INPUTS_ATTESTATION_NAME".jsonl
+
+    - name: Upload Build Provenance
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      with:
+        name: ${{ inputs.attestation-name }}
+        path: |
+          ${{ inputs.attestation-name }}.jsonl
+
+    - name: Install Python Requirements
+      if: inputs.upload == 'true'
+      shell: bash
+      run: |
+        pip install --require-hashes -r ./llvm/utils/git/requirements.txt
+
+    - name: Check Permissions
+      if: inputs.upload == 'true'
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+        USER_TOKEN: ${{ inputs.user-token }}
+      shell: bash
+      run: |
+        ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions
+    - name: Upload Release
+      shell: bash
+      if: inputs.upload == 'true'
+      run: |
+        ./llvm/utils/release/github-upload-release.py \
+        --token ${{ github.token }} \
+        --release ${{ inputs.release-version }} \
+        upload \
+        --files ${{ steps.download-artifact.outputs.download-path }}/* ${{ steps.vars.outputs.attestation-name}}.jsonl