-
-
Notifications
You must be signed in to change notification settings - Fork 644
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: Allow unsecure node in wheel actions
- Loading branch information
Showing
3 changed files
with
63 additions
and
47 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,22 +19,31 @@ | |
|
|
||
| from pants.util.strutil import softwrap | ||
|
|
||
| ACTION = { | ||
| "action-send-mail": "dawidd6/[email protected]", | ||
| "cache": "actions/cache@v4", | ||
| "checkout": "actions/checkout@v4", | ||
| "download-artifact": "actions/download-artifact@v4", | ||
| "expose-pythons": "pantsbuild/actions/expose-pythons@627a8ce25d972afa03da1641be9261bbbe0e3ffe", | ||
| "github-action-required-labels": "mheap/[email protected]", | ||
| "rust-cache": "benjyw/rust-cache@461b9f8eee66b575bce78977bf649b8b7a8d53f1", | ||
| "setup-go": "actions/setup-go@v5", | ||
| "setup-java": "actions/setup-java@v4", | ||
| "setup-node": "actions/setup-node@v4", | ||
| "setup-protoc": "arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9", | ||
| "setup-python": "actions/setup-python@v5", | ||
| "slack-github-action": "slackapi/[email protected]", | ||
| "upload-artifact": "actions/upload-artifact@v4", | ||
| } | ||
|
|
||
| def action(name: str, node16_compat: bool = False) -> str: | ||
| if node16_compat: | ||
| return { | ||
| "checkout": "actions/checkout@v3", | ||
| "upload-artifact": "actions/upload-artifact@v3", | ||
| }[name] | ||
| else: | ||
| return { | ||
| "action-send-mail": "dawidd6/[email protected]", | ||
| "cache": "actions/cache@v4", | ||
| "checkout": "actions/checkout@v4", | ||
| "download-artifact": "actions/download-artifact@v4", | ||
| "expose-pythons": "pantsbuild/actions/expose-pythons@627a8ce25d972afa03da1641be9261bbbe0e3ffe", | ||
| "github-action-required-labels": "mheap/[email protected]", | ||
| "rust-cache": "benjyw/rust-cache@461b9f8eee66b575bce78977bf649b8b7a8d53f1", | ||
| "setup-go": "actions/setup-go@v5", | ||
| "setup-java": "actions/setup-java@v4", | ||
| "setup-node": "actions/setup-node@v4", | ||
| "setup-protoc": "arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9", | ||
| "setup-python": "actions/setup-python@v5", | ||
| "slack-github-action": "slackapi/[email protected]", | ||
| "upload-artifact": "actions/upload-artifact@v4", | ||
| }[name] | ||
|
|
||
|
|
||
| HEADER = dedent( | ||
| """\ | ||
|
|
@@ -170,7 +179,7 @@ def ensure_category_label() -> Sequence[Step]: | |
| { | ||
| "if": "github.event_name == 'pull_request'", | ||
| "name": "Ensure category label", | ||
| "uses": ACTION["github-action-required-labels"], | ||
| "uses": action("github-action-required-labels"), | ||
| "env": {"GITHUB_TOKEN": gha_expr("secrets.GITHUB_TOKEN")}, | ||
| "with": { | ||
| "mode": "exactly", | ||
|
|
@@ -197,7 +206,7 @@ def ensure_release_notes() -> Sequence[Step]: | |
| # out via a label. | ||
| "if": "github.event_name == 'pull_request' && !needs.classify_changes.outputs.notes", | ||
| "name": "Ensure appropriate label", | ||
| "uses": ACTION["github-action-required-labels"], | ||
| "uses": action("github-action-required-labels"), | ||
| "env": {"GITHUB_TOKEN": gha_expr("secrets.GITHUB_TOKEN")}, | ||
| "with": { | ||
| "mode": "minimum", | ||
|
|
@@ -237,7 +246,7 @@ def checkout( | |
| # We need to fetch a few commits back, to be able to access HEAD^2 in the PR case. | ||
| { | ||
| "name": "Check out code", | ||
| "uses": ACTION["checkout"], | ||
| "uses": action("checkout", node16_compat=containerized), | ||
| "with": { | ||
| **fetch_depth_opt, | ||
| **({"ref": ref} if ref else {}), | ||
|
|
@@ -339,23 +348,23 @@ def install_rustup() -> Step: | |
| def install_python(version: str) -> Step: | ||
| return { | ||
| "name": f"Set up Python {version}", | ||
| "uses": ACTION["setup-python"], | ||
| "uses": action("setup-python"), | ||
| "with": {"python-version": version}, | ||
| } | ||
|
|
||
|
|
||
| def install_node(version: str) -> Step: | ||
| return { | ||
| "name": f"Set up Node {version}", | ||
| "uses": ACTION["setup-node"], | ||
| "uses": action("setup-node"), | ||
| "with": {"node-version": version}, | ||
| } | ||
|
|
||
|
|
||
| def install_jdk() -> Step: | ||
| return { | ||
| "name": "Install AdoptJDK", | ||
| "uses": ACTION["setup-java"], | ||
| "uses": action("setup-java"), | ||
| "with": { | ||
| "distribution": "adopt", | ||
| "java-version": "11", | ||
|
|
@@ -366,7 +375,7 @@ def install_jdk() -> Step: | |
| def install_go() -> Step: | ||
| return { | ||
| "name": "Install Go", | ||
| "uses": ACTION["setup-go"], | ||
| "uses": action("setup-go"), | ||
| "with": {"go-version": "1.19.5"}, | ||
| } | ||
|
|
||
|
|
@@ -377,7 +386,7 @@ def install_go() -> Step: | |
| def install_protoc() -> Step: | ||
| return { | ||
| "name": "Install Protoc", | ||
| "uses": ACTION["setup-protoc"], | ||
| "uses": action("setup-protoc"), | ||
| "with": { | ||
| "version": "23.x", | ||
| "repo-token": "${{ secrets.GITHUB_TOKEN }}", | ||
|
|
@@ -470,7 +479,7 @@ def wrap_cmd(self, cmd: str) -> str: | |
| def native_binaries_upload(self) -> Step: | ||
| return { | ||
| "name": "Upload native binaries", | ||
| "uses": ACTION["upload-artifact"], | ||
| "uses": action("upload-artifact"), | ||
| "with": { | ||
| "name": f"native_binaries.{gha_expr('matrix.python-version')}.{self.platform_name()}", | ||
| "path": "\n".join(NATIVE_FILES), | ||
|
|
@@ -481,7 +490,7 @@ def native_binaries_download(self) -> Sequence[Step]: | |
| return [ | ||
| { | ||
| "name": "Download native binaries", | ||
| "uses": ACTION["download-artifact"], | ||
| "uses": action("download-artifact"), | ||
| "with": { | ||
| "name": f"native_binaries.{gha_expr('matrix.python-version')}.{self.platform_name()}", | ||
| "path": NATIVE_FILES_COMMON_PREFIX, | ||
|
|
@@ -502,15 +511,15 @@ def rust_caches(self) -> Sequence[Step]: | |
| }, | ||
| { | ||
| "name": "Cache Rust toolchain", | ||
| "uses": ACTION["cache"], | ||
| "uses": action("cache"), | ||
| "with": { | ||
| "path": f"~/.rustup/toolchains/{rust_channel()}-*\n~/.rustup/update-hashes\n~/.rustup/settings.toml\n", | ||
| "key": f"{self.platform_name()}-rustup-{hash_files('src/rust/engine/rust-toolchain')}-v2", | ||
| }, | ||
| }, | ||
| { | ||
| "name": "Cache Cargo", | ||
| "uses": ACTION["rust-cache"], | ||
| "uses": action("rust-cache"), | ||
| "with": { | ||
| # If set, replaces the job id in the cache key, so that the cache is stable across jobs. | ||
| # If we don't set this, each job may restore from a previous job's cache entry (via a | ||
|
|
@@ -540,7 +549,7 @@ def bootstrap_caches(self) -> Sequence[Step]: | |
| }, | ||
| { | ||
| "name": "Cache native engine", | ||
| "uses": ACTION["cache"], | ||
| "uses": action("cache"), | ||
| "with": { | ||
| "path": "\n".join(NATIVE_FILES), | ||
| "key": f"{self.platform_name()}-engine-{gha_expr('steps.get-engine-hash.outputs.hash')}-v1", | ||
|
|
@@ -564,7 +573,7 @@ def expose_all_pythons(self) -> Sequence[Step]: | |
| ret.append( | ||
| { | ||
| "name": "Expose Pythons", | ||
| "uses": ACTION["expose-pythons"], | ||
| "uses": action("expose-pythons"), | ||
| } | ||
| ) | ||
| return ret | ||
|
|
@@ -598,10 +607,10 @@ def bootstrap_pants(self) -> Sequence[Step]: | |
| self.native_binaries_upload(), | ||
| ] | ||
|
|
||
| def upload_log_artifacts(self, name: str) -> Step: | ||
| def upload_log_artifacts(self, name: str, node16_compat: bool = False) -> Step: | ||
| return { | ||
| "name": "Upload pants.log", | ||
| "uses": ACTION["upload-artifact"], | ||
| "uses": action("upload-artifact", node16_compat=node16_compat), | ||
| "if": "always()", | ||
| "continue-on-error": True, | ||
| "with": { | ||
|
|
@@ -860,9 +869,7 @@ def build_wheels_job( | |
| elif platform == Platform.LINUX_ARM64: | ||
| # Unfortunately Equinix do not support the CentOS 7 image on the hardware we've been | ||
| # generously given by the Works on ARM program. So we have to build in this image. | ||
| container = { | ||
| "image": "ghcr.io/pantsbuild/wheel_build_aarch64:v3-8384c5cf", | ||
| } | ||
| container = {"image": "ghcr.io/pantsbuild/wheel_build_aarch64:v3-8384c5cf"} | ||
| else: | ||
| container = None | ||
|
|
||
|
|
@@ -904,6 +911,7 @@ def build_wheels_job( | |
| **({"needs": needs} if needs else {}), | ||
| "timeout-minutes": 90, | ||
| "env": { | ||
| "ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION": True, | ||
| **DISABLE_REMOTE_CACHE_ENV, | ||
| # If we're not deploying these wheels, build in debug mode, which allows for | ||
| # incremental compilation across wheels. If this becomes too slow in CI, most likely | ||
|
|
@@ -925,7 +933,7 @@ def build_wheels_job( | |
| "run": "./pants package src/python/pants:pants-pex", | ||
| "env": helper.platform_env(), | ||
| }, | ||
| helper.upload_log_artifacts(name="wheels-and-pex"), | ||
| helper.upload_log_artifacts(name="wheels-and-pex", node16_compat=bool(container)), | ||
| *( | ||
| [ | ||
| { | ||
|
|
@@ -1236,7 +1244,7 @@ def release_jobs_and_inputs() -> tuple[Jobs, dict[str, Any]]: | |
| "steps": [ | ||
| { | ||
| "name": "Checkout Pants at Release Tag", | ||
| "uses": ACTION["checkout"], | ||
| "uses": action("checkout"), | ||
| "with": { | ||
| # N.B.: We need the last few edits to VERSION. Instead of guessing, just | ||
| # clone the repo, we're not so big as to need to optimize this. | ||
|
|
@@ -1259,7 +1267,7 @@ def release_jobs_and_inputs() -> tuple[Jobs, dict[str, Any]]: | |
| }, | ||
| { | ||
| "name": "Announce to Slack", | ||
| "uses": ACTION["slack-github-action"], | ||
| "uses": action("slack-github-action"), | ||
| "with": { | ||
| "channel-id": "C18RRR4JK", | ||
| "payload-file-path": "${{ runner.temp }}/slack_announcement.json", | ||
|
|
@@ -1268,7 +1276,7 @@ def release_jobs_and_inputs() -> tuple[Jobs, dict[str, Any]]: | |
| }, | ||
| { | ||
| "name": "Announce to pants-devel", | ||
| "uses": ACTION["action-send-mail"], | ||
| "uses": action("action-send-mail"), | ||
| "with": { | ||
| # Note: Email is sent from the dedicated account [email protected]. | ||
| # The EMAIL_CONNECTION_URL should be of the form: | ||
|
|
||