mirror of
https://github.com/zama-ai/concrete.git
synced 2026-04-17 03:00:54 -04:00
88 lines
3.4 KiB
YAML
88 lines
3.4 KiB
YAML
# This workflows should be runned after that releases has been validated and ready to push to pypi.org and docker hub.
|
|
name: concrete-python finalize-release
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'version of concrete-python to push to pypi and docker hub'
|
|
required: true
|
|
type: string
|
|
|
|
jobs:
|
|
publish-to-pypi:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Pull wheels from S3
|
|
env:
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_IAM_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_IAM_KEY }}
|
|
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
|
|
S3_BUCKET_NAME: ${{ secrets.AWS_S3_PYPI_BUCKET_NAME }}
|
|
run: |
|
|
mkdir wheels
|
|
aws s3 cp "s3://${S3_BUCKET_NAME}/cpu/concrete-python/" ./wheels/ --recursive --exclude "*" --include "concrete_python-${{ inputs.version }}-*"
|
|
echo "============== Downloaded wheels ==============="
|
|
ls -la ./wheels/
|
|
- name: Push wheels to public PyPI (public)
|
|
run: |
|
|
pip install twine==4.0.2
|
|
twine upload wheels/concrete_python-${{ inputs.version }}*.whl \
|
|
-u "${{ secrets.PUBLIC_PYPI_USER }}" \
|
|
-p "${{ secrets.PUBLIC_PYPI_PASSWORD }}" \
|
|
-r pypi
|
|
- name: Slack Notification
|
|
if: ${{ failure() }}
|
|
continue-on-error: true
|
|
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990
|
|
env:
|
|
SLACK_COLOR: ${{ job.status }}
|
|
SLACK_MESSAGE: "publish-to-pypi finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
|
|
|
|
publish-to-dockerhub:
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
DOCKER_IMAGE_NAME: zamafhe/concrete-python
|
|
DOCKER_FILE: docker/Dockerfile.concrete-python
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
- name: Get version from tag
|
|
run: |
|
|
# remove leading 'v' and '-' from tag
|
|
VERSION=$(echo ${{ inputs.version }} | sed "s/^v*//g" | sed "s/-//g")
|
|
{
|
|
echo "VERSION=$VERSION"
|
|
echo "NAME_TAG=${{ env.DOCKER_IMAGE_NAME }}:v$VERSION"
|
|
} >> "${GITHUB_ENV}"
|
|
- name: Build image
|
|
run: |
|
|
mkdir empty_context
|
|
docker image build -t ${{ env.NAME_TAG }} --build-arg version=${{ env.VERSION }} -f ${{ env.DOCKER_FILE }} empty_context
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
|
|
with:
|
|
image-ref: '${{ env.NAME_TAG }}'
|
|
format: 'sarif'
|
|
scanners: vuln,secret
|
|
output: trivy-out-docker.sarif
|
|
env:
|
|
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
|
|
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.6
|
|
with:
|
|
sarif_file: trivy-out-docker.sarif
|
|
category: trivy-docker
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
- name: Push image
|
|
run: docker image push ${{ env.NAME_TAG }}
|