[libclang/python][ci] Add release Clang Python Bindings CI workflow

nightlark · nightlark · commit bcca18d60d62 · 2025-11-15T11:43:04.000-08:00
This migrates the CI workflow from https://github.com/trolldbois/python-clang/blob/master/.github/workflows/release.yml and adapts it to work within the structure of the LLVM monorepo. It builds upon the Python packaging files added in llvm#125806, and should be merged after that one. The CI workflow is set up to use two jobs: - the first just builds the package and saves it as an artifact and will work for testing in forks, PRs, and untagged commits - the second checks for release manager permissions and uses trusted publishing to upload the package to PyPI Signed-off-by: Ryan Mast <mast.ryan@gmail.com>
diff --git a/.github/workflows/release-clang-pypi.yml b/.github/workflows/release-clang-pypi.yml
@@ -0,0 +1,112 @@
+name: Release Clang Python Bindings
+
+permissions:
+  contents: read
+
+on:
+  push:
+    branches:
+      - main
+      - release/*
+    paths:
+      - .github/workflows/release-clang-pypi.yml
+      - 'clang/bindings/python/**'
+
+  pull_request:
+    paths:
+      - .github/workflows/release-clang-pypi.yml
+      - 'clang/bindings/python/**'
+
+  workflow_dispatch:
+    inputs:
+      release-version:
+        description: 'Release Version'
+        required: false
+        type: string
+
+  workflow_call:
+    inputs:
+      release-version:
+        description: 'Release Version'
+        required: true
+        type: string
+    secrets:
+      RELEASE_TASKS_USER_TOKEN:
+        description: "Secret used to check user permissions."
+        required: false
+
+jobs:
+  build-release:
+    if: github.repository_owner == 'llvm' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout LLVM (tagged release)
+        if: inputs.release-version != ''
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: "llvmorg-${{ inputs.release-version }}"
+          fetch-depth: 0
+          sparse-checkout: clang/bindings/python/
+
+      - name: Checkout LLVM (latest commit)
+        if: inputs.release-version == ''
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          sparse-checkout: clang/bindings/python/
+
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: '3.13'
+
+      - name: Package Clang Python Bindings
+        working-directory: clang/bindings/python
+        run: |
+          pip install build twine
+          python -m build
+          python -m twine check dist/*
+          
+      - name: Upload Clang Python Bindings package dist artifacts
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: python-package-dist
+          path: clang/bindings/python/dist
+
+  pypi-publish:
+    name: Upload release to PyPI
+    runs-on: ubuntu-24.04
+    needs: build-release
+    # Only run this job in the main llvm repository when a release version is provided.
+    #if: github.repository_owner == 'llvm' && inputs.release-version != ''
+    if: inputs.release-version != ''
+    environment:
+      name: pypi
+      url: https://pypi.org/p/clang
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+    steps:
+      - name: Checkout github-upload-release.py for permissions check
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          sparse-checkout: llvm/utils/release/github-upload-release.py
+
+      - name: Install dependencies for github-upload-release.py
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y python3-github
+
+      - name: Check Permissions
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
+        run: |
+          ./llvm/utils/release/github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
+
+      - name: Download Python package dist artifacts
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        with:
+            name: python-package-dist
+            path: dist
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
