[llvm] workflows: Add a new job for packaging release sources (PR #91834)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Fri May 10 20:39:02 PDT 2024 

https://github.com/tstellar created https://github.com/llvm/llvm-project/pull/91834

This job uses the new artifact attestations:
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

This will allow users to verify that the sources came from a specific workflow run in the llvm-project repository.  Currently, this job does not automatically upload sources to the release page, but rather it attaches them the workflow run as artifacts.  The release manager is expected to download, verify, and sign the sources before uploading them to the release page.

We may be able to automatically upload them in the future once we have a process for signing the binaries within the github workflow. Technically, though, the binaries are being signed as part of the attestation process, but the only way to verify the signatures is using the gh command line tool, and I don't think it is best to rely on that, since the tool may not be easily available on all systems.

>From 157d6701c2d64912de4bde2330814c7b5641436f Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Sat, 4 May 2024 14:28:17 +0000
Subject: [PATCH] workflows: Add a new job for packaging release sources

This job uses the new artifact attestations:
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

This will allow users to verify that the sources came from a specific
workflow run in the llvm-project repository.  Currently, this job does
not automatically upload sources to the release page, but rather it attaches
them the workflow run as artifacts.  The release manager is expected to
download, verify, and sign the sources before uploading them to the
release page.

We may be able to automatically upload them in the future once we have a
process for signing the binaries within the github workflow.
Technically, though, the binaries are being signed as part of the
attestation process, but the only way to verify the signatures is using
the gh command line tool, and I don't think it is best to rely on that,
since the tool may not be easily available on all systems.
---
 .github/workflows/release-sources.yml | 57 +++++++++++++++++++++++++++
 .github/workflows/release-tasks.yml   |  8 ++++
 2 files changed, 65 insertions(+)
 create mode 100644 .github/workflows/release-sources.yml

diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
new file mode 100644
index 0000000000000..0029078ccb7ee
--- /dev/null
+++ b/.github/workflows/release-sources.yml
@@ -0,0 +1,57 @@
+name: Release Sources
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+    inputs:
+      release-version:
+        description: Release Version
+        required: true
+        type: string
+  workflow_call:
+    inputs:
+      release-version:
+        description: Release Version
+        required: true
+        type: string
+jobs:
+  release-sources:
+    name: Package Release Sources
+    if: github.repository_owner == 'llvm'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    steps:
+      - name: Checkout LLVM
+        uses: actions/checkout at b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: llvmorg-${{ inputs.release-version }}
+          fetch-tags: true
+      - name: Install Dependencies
+        run: |
+          pip install -r ./llvm/utils/git/requirements.txt
+      - name: Check Permissions
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
+        run: |
+          ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
+      - name: Create Tarballs
+        run: |
+          ./llvm/utils/release/export.sh -release "${{ inputs.release-version }}" -final
+      - name: Attest Build Provenance
+        id: provenance
+        uses: actions/attest-build-provenance at 897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: "*.xz"
+      - name: Create Tarball Artifacts
+        uses: actions/upload-artifact at 65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3
+        with:
+          path: |
+            *.xz
+            ${{ steps.provenance.outputs.bundle-path }}
+
+
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 29049ff014288..b85a8144a9f18 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -85,3 +85,11 @@ jobs:
     with:
       release-version: ${{ needs.validate-tag.outputs.release-version }}
       upload: true
+
+  release-sources:
+    name: Package Release Sources
+    needs:
+      - validate-tag
+    uses: ./.github/workflows/release-sources.yml
+    with:
+      release-version: ${{ needs.validate-tag.outputs.release-version }}

More information about the llvm-commits mailing list