mirror of
https://github.com/element-hq/synapse.git
synced 2026-04-03 12:15:42 +00:00
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.

<details>
<summary>Release notes</summary>

*Sourced from [actions/download-artifact's releases](https://github.com/actions/download-artifact/releases).*

> ## v8.0.1
>
> ## What's Changed
>
> - Support for CJK characters in the artifact name by [`@danwkennedy`](https://github.com/danwkennedy) in [actions/download-artifact#471](https://redirect.github.com/actions/download-artifact/pull/471)
> - Add a regression test for artifact name + content-type mismatches by [`@danwkennedy`](https://github.com/danwkennedy) in [actions/download-artifact#472](https://redirect.github.com/actions/download-artifact/pull/472)
>
> **Full Changelog**: https://github.com/actions/download-artifact/compare/v8...v8.0.1
>
> ## v8.0.0
>
> ## v8 - What's new
>
> > [!IMPORTANT]
> > actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.
>
> > [!IMPORTANT]
> > Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).
>
> ### Direct downloads
>
> To support direct uploads in `actions/upload-artifact`, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the `Content-Type` header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new `skip-decompress` parameter to `true`.
>
> ### Enforced checks (breaking)
>
> A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the `digest-mismatch` parameter. To be secure by default, we are now defaulting the behavior to `error` which will fail the workflow run.
>
> ### ESM
>
> To support new versions of the @actions/* packages, we've upgraded the package to ESM.
>
> ## What's Changed
>
> - Don't attempt to un-zip non-zipped downloads by [`@danwkennedy`](https://github.com/danwkennedy) in [actions/download-artifact#460](https://redirect.github.com/actions/download-artifact/pull/460)
> - Add a setting to specify what to do on hash mismatch and default it to `error` by [`@danwkennedy`](https://github.com/danwkennedy) in [actions/download-artifact#461](https://redirect.github.com/actions/download-artifact/pull/461)
>
> **Full Changelog**: https://github.com/actions/download-artifact/compare/v7...v8.0.0

</details>

<details>
<summary>Commits</summary>

- [`3e5f45b`](3e5f45b2cf) Add regression tests for CJK characters ([#471](https://redirect.github.com/actions/download-artifact/issues/471))
- [`e6d03f6`](e6d03f6737) Add a regression test for artifact name + content-type mismatches ([#472](https://redirect.github.com/actions/download-artifact/issues/472))
- [`70fc10c`](70fc10c6e5) Merge pull request [#461](https://redirect.github.com/actions/download-artifact/issues/461) from actions/danwkennedy/digest-mismatch-behavior
- [`f258da9`](f258da9a50) Add change docs
- [`ccc058e`](ccc058e5fb) Fix linting issues
- [`bd7976b`](bd7976ba57) Add a setting to specify what to do on hash mismatch and default it to `error`
- [`ac21fcf`](ac21fcf45e) Merge pull request [#460](https://redirect.github.com/actions/download-artifact/issues/460) from actions/danwkennedy/download-no-unzip
- [`15999bf`](15999bff51) Add note about package bumps
- [`974686e`](974686ed50) Bump the version to `v8` and add release notes
- [`fbe48b1`](fbe48b1d27) Update test names to make it clearer what they do
- Additional commits viewable in [compare view](37930b1c2a...3e5f45b2cf)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
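The two v8 behaviours described in the release notes above (digest mismatch fails by default, and only downloads labelled as zip are unpacked), sketched as an added example that is not code from actions/download-artifact or from this repository. The names `handleDownload`, `onMismatch` and `skipDecompress`, the `sha256:<hex>` digest format, the `application/zip` media type and the `warn` mode are assumptions made for illustration.

```javascript
// Added illustration; not the implementation used by actions/download-artifact.
const crypto = require('node:crypto');

// Assumed digest format "sha256:<hex>"; the page does not specify one.
function sha256Digest(buf) {
  return 'sha256:' + crypto.createHash('sha256').update(buf).digest('hex');
}

// Decide what to do with one downloaded artifact.
//   download: { body: Buffer, contentType: string, expectedDigest: string }
//   onMismatch: 'error' (default, fail the run) or 'warn' (log and continue)
//   skipDecompress: keep a zipped download as-is
function handleDownload(download, { onMismatch = 'error', skipDecompress = false } = {}) {
  if (onMismatch !== 'error' && onMismatch !== 'warn') {
    throw new Error(`unsupported onMismatch value: ${onMismatch}`);
  }
  const warnings = [];

  // Verify before touching the content, so a corrupted or substituted
  // archive is never handed to the unzip step in the default mode.
  const actual = sha256Digest(download.body);
  const expected = String(download.expectedDigest).toLowerCase();
  if (actual !== expected) {
    const msg = `digest mismatch: expected ${expected}, got ${actual}`;
    if (onMismatch === 'error') throw new Error(msg);
    warnings.push(msg);
  }

  // Unzip only what the server labels as a zip; strip parameters such as
  // "; charset=..." before comparing. "application/zip" is an assumption.
  const mediaType = String(download.contentType || '').split(';')[0].trim().toLowerCase();
  const isZip = mediaType === 'application/zip';
  return { action: isZip && !skipDecompress ? 'unzip' : 'write-as-is', warnings };
}

// Constructed sample input, not a real artifact.
const sample = Buffer.from('constructed artifact bytes');
const sampleDownload = {
  body: sample,
  contentType: 'application/zip',
  expectedDigest: sha256Digest(sample),
};
```

In a job such as `attach-assets`, the default mode means a mismatching download stops the run before anything is attached to the release.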
207 lines
6.7 KiB
YAML
```yaml
# GitHub actions workflow which builds the release artifacts.

name: Build release artifacts

on:
  # we build on PRs and develop to (hopefully) get early warning
  # of things breaking (but only build one set of debs). PRs skip
  # building wheels on ARM.
  pull_request:
  push:
    branches: ["develop", "release-*"]

    # we do the full build on tags.
    tags: ["v*"]
  merge_group:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: write

jobs:
  get-distros:
    name: "Calculate list of debian distros"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.x"
      - id: set-distros
        run: |
          # if we're running from a tag, get the full list of distros; otherwise just use debian:sid
          # NOTE: inside the actual Dockerfile-dhvirtualenv, the image name is expanded into its full image path
          dists='["debian:sid"]'
          if [[ $GITHUB_REF == refs/tags/* ]]; then
              dists=$(scripts-dev/build_debian_packages.py --show-dists-json)
          fi
          echo "distros=$dists" >> "$GITHUB_OUTPUT"
    # map the step outputs to job outputs
    outputs:
      distros: ${{ steps.set-distros.outputs.distros }}

  # now build the packages with a matrix build.
  build-debs:
    needs: get-distros
    name: "Build .deb packages"
    runs-on: ubuntu-latest
    strategy:
      matrix:
        distro: ${{ fromJson(needs.get-distros.outputs.distros) }}

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          path: src

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Set up docker layer caching
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Set up python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.x"

      - name: Build the packages
        # see https://github.com/docker/build-push-action/issues/252
        # for the cache magic here
        run: |
          ./src/scripts-dev/build_debian_packages.py \
            --docker-build-arg=--cache-from=type=local,src=/tmp/.buildx-cache \
            --docker-build-arg=--cache-to=type=local,mode=max,dest=/tmp/.buildx-cache-new \
            --docker-build-arg=--progress=plain \
            --docker-build-arg=--load \
            "${{ matrix.distro }}"
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Artifact name
        id: artifact-name
        # We can't have colons in the upload name of the artifact, so we convert
        # e.g. `debian:sid` to `sid`.
        env:
          DISTRO: ${{ matrix.distro }}
        run: |
          echo "ARTIFACT_NAME=${DISTRO#*:}" >> "$GITHUB_OUTPUT"

      - name: Upload debs as artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: debs-${{ steps.artifact-name.outputs.ARTIFACT_NAME }}
          path: debs/*

  build-wheels:
    name: Build wheels on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os:
          - ubuntu-24.04
          - ubuntu-24.04-arm
        # is_pr is a flag used to exclude certain jobs from the matrix on PRs.
        # It is not read by the rest of the workflow.
        is_pr:
          - ${{ startsWith(github.ref, 'refs/pull/') }}

        exclude:
          # Don't build aarch64 wheels on PR CI.
          - is_pr: true
            os: "ubuntu-24.04-arm"

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          # setup-python@v4 doesn't impose a default python version. Need to use 3.x
          # here, because `python` on osx points to Python 2.7.
          python-version: "3.x"

      - name: Install cibuildwheel
        run: python -m pip install cibuildwheel==3.2.1

      - name: Only build a single wheel on PR
        if: startsWith(github.ref, 'refs/pull/')
        run: echo "CIBW_BUILD="cp310-manylinux_*"" >> $GITHUB_ENV

      - name: Build wheels
        run: python -m cibuildwheel --output-dir wheelhouse
        env:
          # The platforms that we build for are determined by the
          # `tool.cibuildwheel.skip` option in `pyproject.toml`.

          # We skip testing wheels for the following platforms in CI:
          #
          # pp3*-* (PyPy wheels) broke in CI (TODO: investigate).
          # musl: (TODO: investigate).
          CIBW_TEST_SKIP: pp3*-* *musl*

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: Wheel-${{ matrix.os }}
          path: ./wheelhouse/*.whl

  build-sdist:
    name: Build sdist
    runs-on: ubuntu-latest
    if: ${{ !startsWith(github.ref, 'refs/pull/') }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.10"

      - run: pip install build

      - name: Build sdist
        run: python -m build --sdist

      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: Sdist
          path: dist/*.tar.gz

  # if it's a tag, create a release and attach the artifacts to it
  attach-assets:
    name: "Attach assets to release"
    if: ${{ !failure() && !cancelled() && startsWith(github.ref, 'refs/tags/') }}
    needs:
      - build-debs
      - build-wheels
      - build-sdist
    runs-on: ubuntu-latest
    steps:
      - name: Download all workflow run artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      - name: Build a tarball for the debs
        # We need to merge all the debs uploads into one folder, then compress
        # that.
        run: |
          mkdir debs
          mv debs*/* debs/
          tar -cvJf debs.tar.xz debs
      - name: Attach to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release upload "${{ github.ref_name }}" \
              Sdist/* \
              Wheel*/* \
              debs.tar.xz \
              --repo ${{ github.repository }}
```