Add python release build (#57)

* Add python release build

* workflow dispatch

* simple

* maturin requires

* add release

* fix publish pipeline

* update maturin args

* test

* maturin config

* build

* maturin

* add publish to pypi and scorecard

* don't fail if test token doesn't exist

* run scorecard earlier

* use new trusted publisher workflow

* add index crates to allow list

* add uploads.github.com to allowlist for codeql
Cameron 2023-06-21 10:00:11 +10:00 committed by GitHub
parent 384311dec0
commit c737b5138c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 396 additions and 6 deletions

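--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+schedule:
+interval: "weekly"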
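Review bot: Only the `github-actions` ecosystem is configured, so the Rust crates and the Python build tooling that the other workflows in this commit rely on (cargo via actions-rs/toolchain, maturin, nox) get no automated update PRs. If that is intentional, a comment above `updates:` saying so would save the next reader the question; otherwise add `cargo` and `pip` entries with the same `directory: "/"` and weekly schedule so dependency bumps arrive through the same review path as the action pins.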


@ -8,15 +8,31 @@ on:
branches:
- master
permissions:
contents: read
jobs:
Lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
static.rust-lang.org:443
- name: Checkout
uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
- name: Rust toolchain
uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
with:
toolchain: stable
components: rustfmt
- name: Check Formatting
run: cargo fmt --check
@ -36,13 +52,30 @@ jobs:
python-version: 3.7
runs-on: "${{ matrix.os }}"
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v2
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
crates.io:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
static.crates.io:443
index.crates.io:443
static.rust-lang.org:443
- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # 4.5.0
with:
python-version: ${{ matrix.python-version }}
- uses: actions-rs/toolchain@v1
- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af
with:
toolchain: stable
- uses: Swatinem/rust-cache@v1
- uses: Swatinem/rust-cache@6720f05bc48b77f96918929a9019fb2203ff71f8 # 2.0.0
- run: python3 -m pip install nox
- run: nox -s test-${{ matrix.python-version }}
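Review bot: The new SHA pins for `actions/checkout@61b9e3…`, `actions-rs/toolchain@16499b…` and `step-security/harden-runner@1f9935…` carry no version comment, while `setup-python` and `rust-cache` on the adjacent lines do (`# 4.5.0`, `# 2.0.0`); a bare SHA tells a reviewer nothing about which release is pinned, so add the tag as a trailing comment on each, e.g. `uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # <tag>`. The `python-version: 3.7` matrix entry above the hunk is a context line, but any future entry like `3.10` must be quoted or YAML will read it as `3.1`. Both the Lint job and the test job start or end outside this hunk.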

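--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,78 @@
+name: "CodeQL"
+on:
+push:
+branches: ["master"]
+pull_request:
+# The branches below must be a subset of the branches above
+branches: ["master"]
+schedule:
+- cron: "0 0 * * 1"
+permissions:
+contents: read
+jobs:
+analyze:
+name: Analyze
+runs-on: ubuntu-latest
+permissions:
+actions: read
+contents: read
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+language: ["python"]
+# CodeQL supports [ $supported-codeql-languages ]
+# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+with:
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+files.pythonhosted.org:443
+objects.githubusercontent.com:443
+github.com:443
+pypi.org:443
+uploads.github.com:443
+- name: Checkout repository
+uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+# Initializes the CodeQL tools for scanning.
+- name: Initialize CodeQL
+uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+with:
+languages: ${{ matrix.language }}
+# If you wish to specify custom queries, you can do so here or in a config file.
+# By default, queries listed here will override any specified in a config file.
+# Prefix the list here with "+" to use these queries and those in the config file.
+# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+# queries: security-extended,security-and-quality
+# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+# If this step fails, then you should remove it and run the build manually (see below)
+- name: Autobuild
+uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+# Command-line programs to run using the OS shell.
+# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+# If the Autobuild fails above, remove it and uncomment the following three lines.
+# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+# - run: |
+# echo "Run, Build Application using script"
+# ./location_of_script_within_repo/buildscript.sh
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
+with:
+category: "/language:${{matrix.language}}"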
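Review bot: The comment `# CodeQL supports [ $supported-codeql-languages ]` under the matrix is an unexpanded template placeholder and says nothing about this repository; replace it with a statement of why only `python` is analyzed, e.g. `# Only the Python layer is analyzed; the Rust/PyO3 core is not a CodeQL-supported language here`, and drop the boilerplate `# - run:` example block below Autobuild once the build strategy is settled. Pins for the same actions also differ across the workflows added in this commit: `actions/checkout` is `@ac5939… # v3.3.0` here, `@61b9e3…` in the test and publish workflows and `@93ea57… # v3.1.0` in scorecards.yml, and `actions/upload-artifact` is v3.1.0 in scorecards.yml but 3.1.2 in publish.yaml. Consolidating on one pinned version per action keeps each Dependabot bump a single reviewable change and avoids one workflow lagging on a fix the others already have.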

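--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,201 @@
+name: Test & Release
+on:
+release:
+types: [published]
+# on:
+# pull_request:
+# branches:
+# - master
+jobs:
+linux:
+runs-on: ubuntu-latest
+strategy:
+matrix:
+platform: [ 'x86_64-unknown-linux-gnu', 'aarch64-unknown-linux-gnu' ]
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+cdn03.quay.io:443
+crates.io:443
+github.com:443
+objects.githubusercontent.com:443
+quay.io:443
+sh.rustup.rs:443
+static.crates.io:443
+index.crates.io:443
+static.rust-lang.org:443
+uploads.github.com:443
+pypi.org:443
+files.pythonhosted.org:443
+ghcr.io:443
+pkg-containers.githubusercontent.com:443
+- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+with:
+python-version: 3.8
+architecture: x64
+- uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+with:
+rust-toolchain: stable
+manylinux: auto
+target: ${{ matrix.platform }}
+command: build
+args: --release --sdist -o dist -i 3.8 3.9 3.10 3.11
+- name: Upload wheels
+uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
+with:
+name: wheels
+path: dist
+windows:
+runs-on: windows-latest
+strategy:
+matrix:
+target: [x64]
+python-version: ['3.8', '3.9', '3.10', '3.11']
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+with:
+egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+with:
+python-version: ${{ matrix.python-version }}
+- uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+env:
+PYO3_PYTHON: python${{ matrix.python-version }}
+with:
+command: build
+args: --release -o dist
+- name: Upload wheels
+uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
+with:
+name: wheels
+path: dist
+macos:
+runs-on: macos-latest
+strategy:
+matrix:
+python-version: ['3.8', '3.9', '3.10', '3.11']
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+with:
+egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+- uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+with:
+python-version: ${{ matrix.python-version }}
+- name: Build wheels - x86_64
+uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+env:
+PYO3_PYTHON: python${{ matrix.python-version }}
+with:
+target: x86_64-apple-darwin
+command: build
+args: --release -o dist
+- name: Build wheels - universal2
+uses: messense/maturin-action@49e11751aa9751fc4db9c247b8910702ee225df9
+env:
+PYO3_PYTHON: python${{ matrix.python-version }}
+with:
+command: build
+args: --release -o dist --universal2
+- name: Upload wheels
+uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # 3.1.2
+with:
+name: wheels
+path: dist
+python-release-github:
+runs-on: ubuntu-latest
+needs: [ macos, windows, linux ]
+permissions:
+contents: write # To add assets to a release.
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.1.0
+with:
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+static.rust-lang.org:443
+uploads.github.com:443
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+with:
+ref: ${{ github.head_ref }}
+- uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
+with:
+profile: minimal
+toolchain: stable
+- name: Set up Python 3.8
+uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
+with:
+python-version: 3.8
+- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: wheels
+path: wheels
+- name: Upload release binaries
+uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+with:
+asset_paths: '["./wheels/tantivy-*"]'
+release-pypy:
+name: Release
+runs-on: ubuntu-latest
+needs: [ macos, windows, linux ]
+permissions:
+id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+with:
+egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: wheels
+path: wheels
+- name: Publish package distributions to Test PyPI
+uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
+with:
+repository-url: https://test.pypi.org/legacy/
+packages-dir: wheels/
+skip-existing: true
+- name: Publish package distributions to PyPI
+if: always()
+uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
+with:
+packages-dir: wheels/
+skip-existing: true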
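Review bot: `if: always()` on the "Publish package distributions to PyPI" step runs the production upload even when the run was cancelled or the preceding `download-artifact` step failed; the intent from the commit message is only to tolerate a failing Test PyPI upload, which is expressed more precisely by putting `continue-on-error: true` on the Test PyPI step and dropping the `if:` from the PyPI step (or, at minimum, `if: ${{ !cancelled() }}`). The `release-pypy` job is also the one holding `id-token: write`, yet it runs with `egress-policy: audit` while the build jobs that handle no credential are already `block`; confirm the endpoints from an audit run (`test.pypi.org:443` from the repository-url, the production PyPI upload host, and the GitHub OIDC endpoint) and switch to `block` before the first real release. In `python-release-github`, `ref: ${{ github.head_ref }}` is empty on the `release` event (it is only populated for pull requests) and the checkout, `actions-rs/toolchain` and `setup-python` steps are not used by the two steps that follow, so they appear to be leftovers of the commented-out `pull_request` trigger and can be removed, which also shrinks that job's allow-list. Finally, the same harden-runner SHA `1f99358870fe…` is annotated `# v2.1.0` here but `# v2.2.1` in codeql.yml; one of the two comments is wrong and should be corrected so the pin is auditable.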

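--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+name: Scorecard supply-chain security
+on:
+# For Branch-Protection check. Only the default branch is supported. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+branch_protection_rule:
+# To guarantee Maintained check is occasionally updated. See
+# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+schedule:
+- cron: '35 8 * * 5'
+push:
+branches: [ "master" ]
+# Declare default permissions as read only.
+permissions: read-all
+jobs:
+analysis:
+name: Scorecard analysis
+runs-on: ubuntu-latest
+permissions:
+# Needed to upload the results to code-scanning dashboard.
+security-events: write
+# Needed to publish results and get a badge (see publish_results below).
+id-token: write
+steps:
+- name: "Checkout code"
+uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+with:
+persist-credentials: false
+- name: "Run analysis"
+uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+with:
+results_file: results.sarif
+results_format: sarif
+# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+# - you want to enable the Branch-Protection check on a *public* repository, or
+# - you are installing Scorecard on a *private* repository
+# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+# repo_token: ${{ secrets.SCORECARD_TOKEN }}
+# Public repositories:
+# - Publish results to OpenSSF REST API for easy access by consumers
+# - Allows the repository to include the Scorecard badge.
+# - See https://github.com/ossf/scorecard-action#publishing-results.
+# For private repositories:
+# - `publish_results` will always be set to `false`, regardless
+# of the value entered here.
+publish_results: true
+# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+# format to the repository Actions tab.
+- name: "Upload artifact"
+uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+with:
+name: SARIF file
+path: results.sarif
+retention-days: 5
+# Upload the results to GitHub's code scanning dashboard.
+- name: "Upload to code-scanning"
+uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+with:
+sarif_file: results.sarif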
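Review bot: This is the only workflow in the commit whose steps run without a harden-runner step, so its `ossf/scorecard-action` run, which holds `id-token: write` and `security-events: write`, has unrestricted egress while the other four workflows are at least audited. Adding the same `step-security/harden-runner` step as the first step, initially with `egress-policy: audit` and a `# TODO` to move to `block` once the endpoints the action uses are known from a run, brings it in line with the rest of the repository. `persist-credentials: false` on the checkout and the read-all default permissions are the right choices and should stay.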


@ -5,3 +5,6 @@ build-backend = "maturin"
[project]
name = "tantivy"
requires-python = ">=3.7"
[tool.maturin]
bindings = "pyo3"