# Copyright (c) ONNX Project Contributors # # SPDX-License-Identifier: Apache-2.0 name: Create Releases on: schedule: # Run weekly on Monday 00:00 UTC - cron: '0 0 * * MON' push: branches: [main, rel-*] pull_request: branches: [main, rel-*] types: - labeled - synchronize workflow_dispatch: inputs: publish_pypi_weekly: # only from main branch it is possible to publish to pypi-weekly (official weekly preview build) description: 'Publish to pypi-weekly' required: true type: choice options: - 'yes' - 'no' default: 'no' publish_testpypi_weekly: # only from main branch it is possible to publish to testpypi-weekly description: 'Publish to testpypi-weekly' required: true type: choice options: - 'yes' - 'no' default: 'no' publish_testpypi_release: # only from rel branch it is possible to publish to test-pypi (for rc1, rc2, etc.) description: 'Publish to testpypi-release' required: true type: choice options: - 'yes' - 'no' default: 'no' publish_pypi_release: description: 'Caution: Publish to pypi-release' required: true type: choice options: - 'yes' - 'no' default: 'no' build_mode: description: 'Specify the build mode (release or preview)' required: true type: choice options: - 'release' - 'preview' default: 'preview' permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' }} cancel-in-progress: true jobs: call-linux: if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run release CIs') || contains(github.event.pull_request.labels.*.name, 'ci-slsa-provenance') uses: ./.github/workflows/release_linux_cibw.yml with: build_mode: ${{ github.event.inputs.build_mode || 'preview' }} call-win: if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run release CIs') || contains(github.event.pull_request.labels.*.name, 'ci-slsa-provenance') uses: ./.github/workflows/release_windows_cibw.yml with: build_mode: ${{ github.event.inputs.build_mode || 'preview' }} call-mac: if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run release CIs') || contains(github.event.pull_request.labels.*.name, 'ci-slsa-provenance') uses: ./.github/workflows/release_macos_cibw.yml with: build_mode: ${{ github.event.inputs.build_mode || 'preview' }} call-pyodide: if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run release CIs') || contains(github.event.pull_request.labels.*.name, 'ci-slsa-provenance') uses: ./.github/workflows/release_pyodide_cibw.yml with: build_mode: ${{ github.event.inputs.build_mode || 'preview' }} call-sdist: if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run release CIs') || contains(github.event.pull_request.labels.*.name, 'ci-slsa-provenance') uses: ./.github/workflows/release_sdist.yml with: os: "macos" build_mode: ${{ github.event.inputs.build_mode || 'preview' }} attest_ci_build_artifacts: name: Attest CI build artifacts runs-on: ubuntu-latest needs: [call-linux, call-mac, call-win, call-pyodide, call-sdist] if: >- (!contains(join(needs.*.result, ' '), 'skipped')) && (github.repository_owner == 'onnx') && ( (github.event_name == 'push') || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ci-slsa-provenance')) || ( (github.event_name == 'workflow_dispatch') && (github.event.inputs.publish_pypi_weekly != 'yes') && (github.event.inputs.publish_testpypi_weekly != 'yes') && (github.event.inputs.publish_testpypi_release != 'yes') && (github.event.inputs.publish_pypi_release != 'yes') ) ) permissions: contents: read id-token: write attestations: write steps: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c with: pattern: wheels* path: dist merge-multiple: true - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c with: pattern: sdist path: dist merge-multiple: true - name: Generate SLSA Build Provenance attestations if: hashFiles('dist/**') != '' id: attest uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: dist/** - name: Upload attestation bundle if: hashFiles('dist/**') != '' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: attestation-bundle-ci path: ${{ steps.attest.outputs.bundle-path }} check_for_publish_release_build_to_pypi: name: Check for Publish release build to pypi runs-on: ubuntu-latest needs: [call-linux, call-mac, call-win, call-pyodide, call-sdist] if: (!contains(join(needs.*.result, ' '), 'skipped')) && (github.event.inputs.publish_pypi_release == 'yes') && (github.repository_owner == 'onnx') && startsWith(github.ref, 'refs/heads/rel-') && (github.event_name == 'workflow_dispatch') steps: - name: Ensure build mode is release run: | if [ "$BUILD_MODE" != "release" ]; then echo "Error: build_mode must be set to 'release' to proceed." exit 1 fi env: BUILD_MODE: ${{ github.event.inputs.build_mode }} - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false submodules: true - name: Check if package_version matches branch run: | branch_version=${GITHUB_REF#refs/heads/rel-} package_version=$(cat VERSION_NUMBER) echo "Branch version: $branch_version" echo "Package version: $package_version" if [[ "$package_version" != "$branch_version" && "$package_version" != "$branch_version"rc* ]]; then echo "Error: Package version ($package_version) does not match branch version ($branch_version) or expected RC format." exit 1 fi check_for_publish_preview_build_to_testpypi_weekly: name: Check for Publish preview build to test.pypi-weekly runs-on: ubuntu-latest needs: [call-linux, call-mac, call-win, call-pyodide, call-sdist] if: (!contains(join(needs.*.result, ' '), 'skipped')) && (github.event.inputs.publish_testpypi_weekly == 'yes') && (github.ref == 'refs/heads/main') && (github.repository_owner == 'onnx') && (github.event_name == 'workflow_dispatch') steps: - name: Confirm preview publish request run: echo "Proceeding with test.pypi-weekly publish checks." publish_preview_build_to_testpypi_weekly: name: Publish preview build to test.pypi-weekly runs-on: ubuntu-latest needs: [check_for_publish_preview_build_to_testpypi_weekly] environment: name: testpypi-weekly url: https://test.pypi.org/p/onnx-weekly permissions: contents: read id-token: write attestations: write steps: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'workflow_dispatch' ) with: pattern: wheels* path: dist merge-multiple: true - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'workflow_dispatch' ) with: pattern: sdist path: dist merge-multiple: true - name: Generate SLSA Build Provenance attestations if: hashFiles('dist/**') != '' id: attest uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: dist/** - name: Upload attestation bundle if: hashFiles('dist/**') != '' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: attestation-bundle-testpypi-weekly path: ${{ steps.attest.outputs.bundle-path }} - name: Upload preview build to test.pypi if: (github.ref == 'refs/heads/main') && (github.event.inputs.publish_testpypi_weekly == 'yes') && (github.repository_owner == 'onnx') id: upload_preview_build_to_testpypi_weekly uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b with: repository-url: https://test.pypi.org/legacy/ verbose: true print-hash: true check_for_publish_release_build_to_testpypi: name: Check for Publish release build to test.pypi (rc-candidates) runs-on: ubuntu-latest needs: [call-linux, call-mac, call-win, call-pyodide, call-sdist] if: (!contains(join(needs.*.result, ' '), 'skipped')) && (github.event.inputs.publish_testpypi_release == 'yes') && startsWith(github.ref, 'refs/heads/rel') && (github.repository_owner == 'onnx') && (github.event_name == 'workflow_dispatch') steps: - name: Confirm release publish request run: echo "Proceeding with test.pypi release publish checks." publish_release_build_to_testpypi: name: Publish release build to test.pypi runs-on: ubuntu-latest needs: [check_for_publish_release_build_to_testpypi] environment: name: testpypi-release url: https://test.pypi.org/p/onnx permissions: contents: read id-token: write attestations: write steps: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'workflow_dispatch' ) with: pattern: wheels* path: dist merge-multiple: true - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'workflow_dispatch' ) with: pattern: sdist path: dist merge-multiple: true - name: Generate SLSA Build Provenance attestations if: hashFiles('dist/**') != '' id: attest uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: dist/** - name: Upload attestation bundle if: hashFiles('dist/**') != '' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: attestation-bundle-testpypi-release path: ${{ steps.attest.outputs.bundle-path }} - name: Upload release build to test.pypi id: upload_release_build_to_testpypi uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b with: repository-url: https://test.pypi.org/legacy/ verbose: true print-hash: true check_for_publish_preview_build_to_pypi_weekly: name: Check for Publish preview build to pypi-weekly runs-on: ubuntu-latest needs: [call-linux, call-mac, call-win, call-pyodide, call-sdist] if: (!contains(join(needs.*.result, ' '), 'skipped')) && (github.event_name == 'schedule' || github.event.inputs.publish_pypi_weekly == 'yes') && (github.repository_owner == 'onnx') steps: - name: Confirm weekly publish request run: echo "Proceeding with pypi-weekly publish checks." publish_preview_build_to_pypi_weekly: name: Publish preview build to pypi-weekly runs-on: ubuntu-latest needs: [check_for_publish_preview_build_to_pypi_weekly] environment: name: pypi-weekly url: https://pypi.org/p/onnx-weekly permissions: contents: read id-token: write attestations: write steps: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') with: pattern: wheels* path: dist merge-multiple: true - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') with: pattern: sdist path: dist merge-multiple: true - name: Generate SLSA Build Provenance attestations if: hashFiles('dist/**') != '' id: attest uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: dist/** - name: Upload attestation bundle if: hashFiles('dist/**') != '' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: attestation-bundle-weekly path: ${{ steps.attest.outputs.bundle-path }} - name: Upload preview_build to pypi-weekly id: upload_preview_build_to_pypi_weekly if: (github.ref == 'refs/heads/main') uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b with: repository-url: https://upload.pypi.org/legacy/ verbose: true print-hash: true publish_release_build_to_pypi: name: Publish release build to pypi runs-on: ubuntu-latest needs: [check_for_publish_release_build_to_pypi] environment: name: pypi-release url: https://pypi.org/p/onnx permissions: contents: read id-token: write attestations: write steps: - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'workflow_dispatch') with: pattern: wheels* path: dist merge-multiple: true - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c if: (github.event_name == 'workflow_dispatch') with: pattern: sdist path: dist merge-multiple: true - name: Generate SLSA Build Provenance attestations if: hashFiles('dist/**') != '' id: attest uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: dist/** - name: Upload attestation bundle if: hashFiles('dist/**') != '' uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: attestation-bundle-release path: ${{ steps.attest.outputs.bundle-path }} - name: Publish release_build to pypi if: (github.repository_owner == 'onnx') uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b with: repository-url: https://upload.pypi.org/legacy/ verbose: true print-hash: true test_source_dist: name: test source distribution needs: [publish_preview_build_to_pypi_weekly, publish_release_build_to_testpypi] if: (needs.publish_preview_build_to_pypi_weekly.result == 'success' || needs.publish_release_build_to_testpypi.result == 'success') uses: ./.github/workflows/preview_source_dist_test.yml