Add python release build (#57)
* Add python release build * workflow dispatch * simple * maturin requires * add release * fix publish pipeline * update maturin args * test * maturin config * build * maturin * add publish to pypi and scorecard * dont fail if test token doesnt exist * run scorecard earlier * use new trusted publisher workflow * add index crates to allow list * add uploads.github.com to allowlist for codeqlmaster
parent
384311dec0
commit
c737b5138c
|
@ -0,0 +1,6 @@
|
|||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
|
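Review bot: The only ecosystem registered here is `github-actions`, while the rest of this commit pulls Rust crates (crates.io / index.crates.io appear in the egress allowlists) and Python build tooling (maturin, nox) that will get no automated update PRs from this file. Add a second entry with `package-ecosystem: "cargo"` and a third with `package-ecosystem: "pip"`, each with `directory: "/"` and the same weekly schedule, so advisories for the extension's crates and build tooling surface the same way action pins do.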
@ -8,15 +8,31 @@ on:
|
|||
branches:
|
||||
- master
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
Lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions-rs/toolchain@v1
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
github.com:443
|
||||
static.rust-lang.org:443
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
|
||||
|
||||
- name: Rust toolchain
|
||||
uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
|
||||
with:
|
||||
toolchain: stable
|
||||
components: rustfmt
|
||||
|
||||
- name: Check Formatting
|
||||
run: cargo fmt --check
|
||||
|
||||
|
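Review bot: The SHA pins introduced in this hunk for `actions/checkout`, `actions-rs/toolchain` and `step-security/harden-runner` carry no version comment, unlike the `# v3.3.0`-style annotations in the CodeQL and release workflows of this same commit; the same applies to the harden-runner, checkout and toolchain pins in the next hunk of this file. Without that trailing comment a reviewer cannot tell which release a 40-character hash resolves to, and Dependabot relies on it to report and bump the version alongside the hash, so add the tag each hash resolves to in the `# 4.5.0` style already used for `actions/setup-python` in the next hunk. Separately, `actions-rs/toolchain` is, as far as I know, no longer maintained, so pinning it buys reproducibility but not future security fixes; a SHA-pinned `dtolnay/rust-toolchain` is the usual replacement, here and in the release workflow's `python-release-github` job. The `jobs:` mapping continues past the end of this hunk.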
@ -36,13 +52,30 @@ jobs:
|
|||
python-version: 3.7
|
||||
runs-on: "${{ matrix.os }}"
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- uses: actions/setup-python@v2
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
crates.io:443
|
||||
files.pythonhosted.org:443
|
||||
github.com:443
|
||||
pypi.org:443
|
||||
static.crates.io:443
|
||||
index.crates.io:443
|
||||
static.rust-lang.org:443
|
||||
|
||||
- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
|
||||
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # 4.5.0
|
||||
with:
|
||||
python-version: ${{ matrix.python-version }}
|
||||
- uses: actions-rs/toolchain@v1
|
||||
|
||||
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
|
||||
with:
|
||||
toolchain: stable
|
||||
- uses: Swatinem/rust-cache@v1
|
||||
|
||||
- uses: Swatinem/rust-cache@6720f05bc48b77f96918929a9019fb2203ff71f8 # 2.0.0
|
||||
- run: python3 -m pip install nox
|
||||
- run: nox -s test-${{ matrix.python-version }}
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
name: "CodeQL"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["master"]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: ["master"]
|
||||
schedule:
|
||||
- cron: "0 0 * * 1"
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: ["python"]
|
||||
# CodeQL supports [ $supported-codeql-languages ]
|
||||
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
files.pythonhosted.org:443
|
||||
objects.githubusercontent.com:443
|
||||
github.com:443
|
||||
pypi.org:443
|
||||
uploads.github.com:443
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
# By default, queries listed here will override any specified in a config file.
|
||||
# Prefix the list here with "+" to use these queries and those in the config file.
|
||||
|
||||
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
|
||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||
# If this step fails, then you should remove it and run the build manually (see below)
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
|
||||
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
|
||||
# If the Autobuild fails above, remove it and uncomment the following three lines.
|
||||
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
|
||||
|
||||
# - run: |
|
||||
# echo "Run, Build Application using script"
|
||||
# ./location_of_script_within_repo/buildscript.sh
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
|
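Review bot: The comment `# CodeQL supports [ $supported-codeql-languages ]` is an unexpanded starter-template variable, and the commented-out `# - run: |` build block under Autobuild is template filler with no meaning for a `language: ["python"]` matrix. Replace that comment block with one line stating the choice, e.g. `# Only the Python bindings are scanned in this workflow`, and keep or drop the Autobuild step deliberately — it is presumably retained so CodeQL can install the package's Python dependencies (which would explain pypi.org and files.pythonhosted.org in the allowlist), and that reason belongs next to the step rather than the template text. The egress allowlist with `disable-sudo: true`, and job-scoped `security-events: write` over a top-level `contents: read`, is the right shape.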
@ -0,0 +1,201 @@
|
|||
name: Test & Release
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
# on:
|
||||
# pull_request:
|
||||
# branches:
|
||||
# - master
|
||||
|
||||
jobs:
|
||||
linux:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
platform: [ 'x86_64-unknown-linux-gnu', 'aarch64-unknown-linux-gnu' ]
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
|
||||
with:
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
cdn03.quay.io:443
|
||||
crates.io:443
|
||||
github.com:443
|
||||
objects.githubusercontent.com:443
|
||||
quay.io:443
|
||||
sh.rustup.rs:443
|
||||
static.crates.io:443
|
||||
index.crates.io:443
|
||||
static.rust-lang.org:443
|
||||
uploads.github.com:443
|
||||
pypi.org:443
|
||||
files.pythonhosted.org:443
|
||||
ghcr.io:443
|
||||
pkg-containers.githubusercontent.com:443
|
||||
|
||||
- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
|
||||
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
|
||||
with:
|
||||
python-version: 3.8
|
||||
architecture: x64
|
||||
|
||||
- uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
|
||||
with:
|
||||
rust-toolchain: stable
|
||||
manylinux: auto
|
||||
target: ${{ matrix.platform }}
|
||||
command: build
|
||||
args: --release --sdist -o dist -i 3.8 3.9 3.10 3.11
|
||||
|
||||
- name: Upload wheels
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
|
||||
with:
|
||||
name: wheels
|
||||
path: dist
|
||||
|
||||
windows:
|
||||
runs-on: windows-latest
|
||||
strategy:
|
||||
matrix:
|
||||
target: [x64]
|
||||
python-version: ['3.8', '3.9', '3.10', '3.11']
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
|
||||
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
|
||||
with:
|
||||
python-version: ${{ matrix.python-version }}
|
||||
|
||||
- uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
|
||||
env:
|
||||
PYO3_PYTHON: python${{ matrix.python-version }}
|
||||
with:
|
||||
command: build
|
||||
args: --release -o dist
|
||||
|
||||
- name: Upload wheels
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
|
||||
with:
|
||||
name: wheels
|
||||
path: dist
|
||||
|
||||
macos:
|
||||
runs-on: macos-latest
|
||||
strategy:
|
||||
matrix:
|
||||
python-version: ['3.8', '3.9', '3.10', '3.11']
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
|
||||
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
|
||||
with:
|
||||
python-version: ${{ matrix.python-version }}
|
||||
|
||||
- name: Build wheels - x86_64
|
||||
uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
|
||||
env:
|
||||
PYO3_PYTHON: python${{ matrix.python-version }}
|
||||
with:
|
||||
target: x86_64-apple-darwin
|
||||
command: build
|
||||
args: --release -o dist
|
||||
|
||||
- name: Build wheels - universal2
|
||||
uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
|
||||
env:
|
||||
PYO3_PYTHON: python${{ matrix.python-version }}
|
||||
with:
|
||||
command: build
|
||||
args: --release -o dist --universal2
|
||||
|
||||
- name: Upload wheels
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
|
||||
with:
|
||||
name: wheels
|
||||
path: dist
|
||||
|
||||
python-release-github:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ macos, windows, linux ]
|
||||
permissions:
|
||||
contents: write # To add assets to a release.
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.1.0
|
||||
with:
|
||||
disable-sudo: true
|
||||
egress-policy: block
|
||||
allowed-endpoints: >
|
||||
api.github.com:443
|
||||
github.com:443
|
||||
static.rust-lang.org:443
|
||||
uploads.github.com:443
|
||||
|
||||
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
|
||||
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
|
||||
with:
|
||||
profile: minimal
|
||||
toolchain: stable
|
||||
|
||||
- name: Set up Python 3.8
|
||||
uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
|
||||
with:
|
||||
python-version: 3.8
|
||||
|
||||
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: wheels
|
||||
path: wheels
|
||||
|
||||
- name: Upload release binaries
|
||||
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
asset_paths: '["./wheels/tantivy-*"]'
|
||||
|
||||
release-pypy:
|
||||
name: Release
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ macos, windows, linux ]
|
||||
permissions:
|
||||
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: wheels
|
||||
path: wheels
|
||||
|
||||
- name: Publish package distributions to Test PyPI
|
||||
uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
|
||||
with:
|
||||
repository-url: https://test.pypi.org/legacy/
|
||||
packages-dir: wheels/
|
||||
skip-existing: true
|
||||
|
||||
- name: Publish package distributions to PyPI
|
||||
if: always()
|
||||
uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
|
||||
with:
|
||||
packages-dir: wheels/
|
||||
skip-existing: true
|
|
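Review bot: `if: always()` on the `Publish package distributions to PyPI` step makes the production upload run even when the workflow was cancelled or the preceding artifact download failed, which is broader than the intent in the commit message (tolerate a failing Test PyPI upload); put `continue-on-error: true` on the Test PyPI step and drop the `if:` line instead. The `release-pypy` job, the one holding `id-token: write`, is also pinned to a different `harden-runner` commit (`74b568e…`) than every other job in this commit (`1f99358…`) and still runs `egress-policy: audit`; align the pin and move to `block` once an audit run shows the upload hosts. The `# v2.1.0` comment on the `python-release-github` harden-runner pin contradicts the `# v2.2.1` comment on the same SHA in the CodeQL workflow, so one of the two is wrong and should be corrected from the upstream tag. `python-release-github` checks out `ref: ${{ github.head_ref }}`, which is empty on a `release` event, and installs a Rust toolchain and Python it never uses — the job only downloads the `wheels` artifact and uploads it, so those three steps (and their allowlist entries) can go, shrinking what a compromised step in that `contents: write` job could reach. The commented-out `# on: pull_request` block at the top is a leftover from testing and should be removed.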
@ -0,0 +1,69 @@
|
|||
# This workflow uses actions that are not certified by GitHub. They are provided
|
||||
# by a third-party and are governed by separate terms of service, privacy
|
||||
# policy, and support documentation.
|
||||
|
||||
name: Scorecard supply-chain security
|
||||
on:
|
||||
# For Branch-Protection check. Only the default branch is supported. See
|
||||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
|
||||
branch_protection_rule:
|
||||
# To guarantee Maintained check is occasionally updated. See
|
||||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
|
||||
schedule:
|
||||
- cron: '35 8 * * 5'
|
||||
push:
|
||||
branches: [ "master" ]
|
||||
|
||||
# Declare default permissions as read only.
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
name: Scorecard analysis
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
# Needed to upload the results to code-scanning dashboard.
|
||||
security-events: write
|
||||
# Needed to publish results and get a badge (see publish_results below).
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: "Checkout code"
|
||||
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: "Run analysis"
|
||||
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
|
||||
with:
|
||||
results_file: results.sarif
|
||||
results_format: sarif
|
||||
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
|
||||
# - you want to enable the Branch-Protection check on a *public* repository, or
|
||||
# - you are installing Scorecard on a *private* repository
|
||||
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
|
||||
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
|
||||
|
||||
# Public repositories:
|
||||
# - Publish results to OpenSSF REST API for easy access by consumers
|
||||
# - Allows the repository to include the Scorecard badge.
|
||||
# - See https://github.com/ossf/scorecard-action#publishing-results.
|
||||
# For private repositories:
|
||||
# - `publish_results` will always be set to `false`, regardless
|
||||
# of the value entered here.
|
||||
publish_results: true
|
||||
|
||||
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
|
||||
# format to the repository Actions tab.
|
||||
- name: "Upload artifact"
|
||||
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
|
||||
with:
|
||||
name: SARIF file
|
||||
path: results.sarif
|
||||
retention-days: 5
|
||||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
|
||||
with:
|
||||
sarif_file: results.sarif
|
|
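Review bot: This is the only workflow added in this commit without a `Harden Runner` step, although its job holds `id-token: write` and `security-events: write`; add the same `step-security/harden-runner` step as the other workflows (starting with `egress-policy: audit`, since the hosts Scorecard contacts are not recorded anywhere on this page) so the job gets the same egress monitoring. The `actions/checkout` pin here (`93ea575…` v3.1.0) is the third distinct checkout commit in this one change, alongside `ac59398…` v3.3.0 in the CodeQL and release workflows and `61b9e37…` in the test workflow, and `actions/upload-artifact` likewise differs (`3cea537…` v3.1.0 here vs `0b7f8ab…` 3.1.2 in the release workflow); converge on one pin per action so there is a single hash to audit and Dependabot bumps them together. `persist-credentials: false` on the checkout is correct for a job that never pushes.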
@ -5,3 +5,6 @@ build-backend = "maturin"
|
|||
[project]
|
||||
name = "tantivy"
|
||||
requires-python = ">=3.7"
|
||||
|
||||
[tool.maturin]
|
||||
bindings = "pyo3"
|
||||
|
|
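Review bot: `requires-python = ">=3.7"` advertises 3.7 support, but the release workflow added in this commit only builds wheels for 3.8–3.11 (`-i 3.8 3.9 3.10 3.11` and the `['3.8', '3.9', '3.10', '3.11']` matrices), so a 3.7 user would fall back to the sdist and need a local Rust toolchain; whether this line is new or context is not recoverable from the rendered hunk. Either raise it to `requires-python = ">=3.8"` (and drop the `python-version: 3.7` matrix entry visible in the test-workflow hunk) or add 3.7 to the build interpreters, so the metadata matches the artifacts actually published. The file may continue past `bindings = "pyo3"`.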