fix: backend release attestation and skip existing (#5449) #57
# Builds the pixi build backends as conda packages and publishes them.
name: "Backends - Conda Packages"

# Triggers: manual dispatch, pushes to main that touch a backend path (or this
# workflow file), and pull-request label / synchronize / open events.
on:
  workflow_dispatch:
  push:
    branches: [main]
    paths:
      - "pixi-build-backends/**"
      - "crates/pixi-build-python/**"
      - "crates/pixi-build-rattler-build/**"
      - "crates/pixi-build-cmake/**"
      - "crates/pixi-build-rust/**"
      - "crates/pixi-build-mojo/**"
      - ".github/workflows/backends-release.yml"
  pull_request:
    types: [labeled, synchronize, opened]

# One active run per workflow and ref name; a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true
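jobs:
  # Builds every backend package for each target platform. On main the built
  # packages are attested before being handed to the upload job as artifacts.
  build:
    # Runs on main, or on a pull request carrying the 'release:backends' label.
    if: ${{ github.ref == 'refs/heads/main' || contains(github.event.pull_request.labels.*.name, 'release:backends')}}
    timeout-minutes: 80
    # NOTE(review): id-token and attestations write are requested for labelled
    # pull-request runs as well, although only the main-only attest step below
    # visibly needs them. Confirm whether PR builds can run with read-only
    # scopes, for example by moving attestation into a separate job.
    permissions:
      id-token: write
      contents: read
      attestations: write
    env:
      REPO_NAME: "prefix-dev/pixi"
      SCCACHE_GHA_ENABLED: "true"
      # Quoted so the value stays the string "on"; a bare `on` is a boolean
      # under YAML 1.1 parsers and linters.
      ACTIONS_CACHE_SERVICE_V2: "on"
    strategy:
      matrix:
        include:
          - target: linux-64
            os: ubuntu-latest
          - target: linux-aarch64
            os: ubuntu-latest
          - target: win-64
            os: windows-latest
          - target: osx-64
            os: macos-15-intel
          - target: osx-arm64
            os: macos-15
      # Let the remaining targets finish when one of them fails.
      fail-fast: false
    runs-on: ${{ matrix.os }}
    steps:
      # persist-credentials: false keeps the checkout token out of .git/config,
      # so later build steps cannot read it from the working tree.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          persist-credentials: false
      - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3
        with:
          environments: backends-release
      # Re-exports the runner's cache service URL and runtime token as job
      # environment variables. Every later step in this job, including the
      # project's own build tasks, can therefore read ACTIONS_RUNTIME_TOKEN.
      - name: Configure sccache
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
        with:
          script: |
            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
      - name: Enable long paths (Windows)
        if: matrix.os == 'windows-latest'
        run: git config --global core.longpaths true
        shell: bash
      # Appends the task's stdout to GITHUB_ENV, so whatever it prints becomes
      # environment for all later steps; the task must emit only KEY=value
      # lines. The variable is quoted to survive paths containing spaces.
      - name: Set package version environment variables
        shell: bash
        run: pixi run -e backends-release generate-versions >> "$GITHUB_ENV"
      # matrix.target is expanded into the script text before bash runs; the
      # values come from the static matrix above.
      - name: Build all backends for ${{ matrix.target }}
        shell: bash
        env:
          RATTLER_BUILD_ENABLE_GITHUB_INTEGRATION: "true"
          RATTLER_BUILD_COLOR: "always"
        run: |
          pixi run -e backends-release build-backend-packages ${{ matrix.target }}
      - name: Show sccache stats
        shell: bash
        run: pixi run -e backends-release sccache --stop-server
      # Attests every built .conda file with a publish predicate naming the
      # target channel. Runs on main only, so labelled PR builds produce
      # packages without attestations.
      - uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
        id: attest
        if: ${{ github.ref == 'refs/heads/main' }}
        with:
          subject-path: "output/**/*.conda"
          predicate-type: "https://schemas.conda.org/attestations-publish-1.schema.json"
          predicate: "{\"targetChannel\": \"https://prefix.dev/pixi-build-backends\"}"
      # Passes the attestation bundle to a project task; presumably this writes
      # the per-package .sig files uploaded below (confirm in the task).
      - name: Generate attestations for conda packages
        shell: bash
        if: ${{ github.ref == 'refs/heads/main' }}
        run: pixi run -e backends-release generate-attestations output "${{ steps.attest.outputs.bundle-path }}"
      # Hands packages and any .sig files to the upload job. Nothing here
      # requires a .sig to exist for each package.
      - name: Upload build artifacts
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          name: conda-packages-${{ matrix.target }}
          path: |
            output/**/*.conda
            output/**/*.sig
      - name: Kill any lingering processes (Windows)
        if: runner.os == 'Windows'
        shell: powershell
        run: |
          # Kill any Python processes
          Get-Process python* -ErrorAction SilentlyContinue | Stop-Process -Force
          # Kill any processes from the pixi environment
          $pixiPath = "${{ github.workspace }}\.pixi\envs\backends-release\bin"
          Get-Process | Where-Object { $_.Path -like "$pixiPath*" } | Stop-Process -Force
          # Wait a moment for handles to be released
          Start-Sleep -Seconds 2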
| upload: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| if: github.repository == 'prefix-dev/pixi' | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Download all conda packages | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 | |
| with: | |
| pattern: conda-packages-* | |
| path: conda-packages | |
| merge-multiple: true | |
| run-id: ${{ github.run_id }} | |
| - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3 | |
| with: | |
| environments: backends-release | |
| - name: Upload packages | |
| shell: bash | |
| run: | | |
| for file in conda-packages/**/*.conda; do | |
| echo "Uploading ${file}" | |
| # Find corresponding attestation file | |
| ATTESTATION_FILE="${file%.conda}.sig" | |
| if [ -f "$ATTESTATION_FILE" ]; then | |
| echo "Found attestation: $ATTESTATION_FILE" | |
| pixi run -e backends-release rattler-build upload prefix --skip-existing -c pixi-build-backends "$file" --attestation "$ATTESTATION_FILE" | |
| else | |
| echo "Warning: No attestation found for $file" | |
| pixi run -e backends-release rattler-build upload prefix --skip-existing -c pixi-build-backends "$file" | |
| fi | |
| done |