mirror of
https://github.com/zama-ai/tfhe-rs.git
synced 2026-01-10 07:08:03 -05:00
ce70770347
When using crates.io trusted publishing feature GitHub token `id-token: write` permission to be able to authenticate the workflow on the registry.
226 lines
7.9 KiB
YAML
226 lines
7.9 KiB
YAML
name: Publish CUDA release
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
dry_run:
|
|
description: "Dry-run"
|
|
type: boolean
|
|
default: true
|
|
|
|
env:
|
|
ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
|
|
SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
|
|
SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
|
|
SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
|
|
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
verify_tag:
|
|
uses: ./.github/workflows/verify_tagged_commit.yml
|
|
secrets:
|
|
RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
|
|
READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
|
|
|
|
setup-instance:
|
|
name: Setup instance (publish-cuda-release)
|
|
needs: verify_tag
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
runner-name: ${{ steps.start-instance.outputs.label }}
|
|
steps:
|
|
- name: Start instance
|
|
id: start-instance
|
|
uses: zama-ai/slab-github-runner@79939325c3c429837c10d6041e4fd8589d328bac
|
|
with:
|
|
mode: start
|
|
github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
|
|
slab-url: ${{ secrets.SLAB_BASE_URL }}
|
|
job-secret: ${{ secrets.JOB_SECRET }}
|
|
backend: aws
|
|
profile: gpu-build
|
|
|
|
package:
|
|
name: Package CUDA Release for provenance
|
|
needs: setup-instance
|
|
runs-on: ${{ needs.setup-instance.outputs.runner-name }}
|
|
outputs:
|
|
hash: ${{ steps.hash.outputs.hash }}
|
|
strategy:
|
|
fail-fast: false
|
|
# explicit include-based build matrix, of known valid options
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-22.04
|
|
cuda: "12.2"
|
|
gcc: 9
|
|
env:
|
|
CUDA_PATH: /usr/local/cuda-${{ matrix.cuda }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: "false"
|
|
token: ${{ secrets.REPO_CHECKOUT_TOKEN }}
|
|
|
|
- name: Install latest stable
|
|
uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 # zizmor: ignore[stale-action-refs] this action doesn't create releases
|
|
with:
|
|
toolchain: stable
|
|
|
|
- name: Export CUDA variables
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
echo "$CUDA_PATH/bin" >> "${GITHUB_PATH}"
|
|
{
|
|
echo "CUDA_PATH=$CUDA_PATH";
|
|
echo "LD_LIBRARY_PATH=$CUDA_PATH/lib:$LD_LIBRARY_PATH";
|
|
echo "CUDACXX=/usr/local/cuda-${CUDA_VERSION}/bin/nvcc";
|
|
} >> "${GITHUB_ENV}"
|
|
env:
|
|
CUDA_VERSION: ${{ matrix.cuda }}
|
|
|
|
# Specify the correct host compilers
|
|
- name: Export gcc and g++ variables
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
{
|
|
echo "CC=/usr/bin/gcc-${GCC_VERSION}";
|
|
echo "CXX=/usr/bin/g++-${GCC_VERSION}";
|
|
echo "CUDAHOSTCXX=/usr/bin/g++-${GCC_VERSION}";
|
|
echo "HOME=/home/ubuntu";
|
|
} >> "${GITHUB_ENV}"
|
|
env:
|
|
GCC_VERSION: ${{ matrix.gcc }}
|
|
|
|
- name: Prepare package
|
|
run: |
|
|
cargo package -p tfhe-cuda-backend
|
|
- name: generate hash
|
|
id: hash
|
|
run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}"
|
|
|
|
provenance:
|
|
if: ${{ !inputs.dry_run }}
|
|
needs: [package]
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
|
|
permissions:
|
|
# Needed to detect the GitHub Actions environment
|
|
actions: read
|
|
# Needed to create the provenance via GitHub OIDC
|
|
id-token: write
|
|
# Needed to upload assets/artifacts
|
|
contents: write
|
|
with:
|
|
# SHA-256 hashes of the Crate package.
|
|
base64-subjects: ${{ needs.package.outputs.hash }}
|
|
|
|
publish-cuda-release:
|
|
name: Publish CUDA Release
|
|
needs: [setup-instance, package] # for comparing hashes
|
|
runs-on: ${{ needs.setup-instance.outputs.runner-name }}
|
|
permissions:
|
|
# Needed for OIDC token exchange on crates.io
|
|
id-token: write
|
|
strategy:
|
|
fail-fast: false
|
|
# explicit include-based build matrix, of known valid options
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-22.04
|
|
cuda: "12.2"
|
|
gcc: 9
|
|
env:
|
|
CUDA_PATH: /usr/local/cuda-${{ matrix.cuda }}
|
|
steps:
|
|
- name: Install latest stable
|
|
uses: dtolnay/rust-toolchain@888c2e1ea69ab0d4330cbf0af1ecc7b68f368cc1 # zizmor: ignore[stale-action-refs] this action doesn't create releases
|
|
with:
|
|
toolchain: stable
|
|
|
|
- name: Export CUDA variables
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
echo "$CUDA_PATH/bin" >> "${GITHUB_PATH}"
|
|
{
|
|
echo "CUDA_PATH=$CUDA_PATH";
|
|
echo "LD_LIBRARY_PATH=$CUDA_PATH/lib:$LD_LIBRARY_PATH";
|
|
echo "CUDACXX=/usr/local/cuda-${CUDA_VERSION}/bin/nvcc";
|
|
} >> "${GITHUB_ENV}"
|
|
env:
|
|
CUDA_VERSION: ${{ matrix.cuda }}
|
|
|
|
# Specify the correct host compilers
|
|
- name: Export gcc and g++ variables
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
{
|
|
echo "CC=/usr/bin/gcc-${GCC_VERSION}";
|
|
echo "CXX=/usr/bin/g++-${GCC_VERSION}";
|
|
echo "CUDAHOSTCXX=/usr/bin/g++-${GCC_VERSION}";
|
|
echo "HOME=/home/ubuntu";
|
|
} >> "${GITHUB_ENV}"
|
|
env:
|
|
GCC_VERSION: ${{ matrix.gcc }}
|
|
|
|
- name: Authenticate on registry
|
|
uses: rust-lang/crates-io-auth-action@e919bc7605cde86df457cf5b93c5e103838bd879 # v1.0.1
|
|
id: auth
|
|
|
|
- name: Publish crate.io package
|
|
env:
|
|
CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
|
|
DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }}
|
|
run: |
|
|
# DRY_RUN expansion cannot be double quoted when variable contains empty string otherwise cargo publish
|
|
# would fail. This is safe since DRY_RUN is handled in the env section above.
|
|
# shellcheck disable=SC2086
|
|
cargo publish -p tfhe-cuda-backend ${DRY_RUN}
|
|
|
|
- name: Generate hash
|
|
id: published_hash
|
|
run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Slack notification (hashes comparison)
|
|
if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }}
|
|
continue-on-error: true
|
|
uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
|
|
env:
|
|
SLACK_COLOR: failure
|
|
SLACK_MESSAGE: "SLSA tfhe-cuda-backend crate - hash comparison failure: (${{ env.ACTION_RUN_URL }})"
|
|
|
|
- name: Slack Notification
|
|
if: ${{ failure() || (cancelled() && github.event_name != 'pull_request') }}
|
|
continue-on-error: true
|
|
uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
|
|
env:
|
|
SLACK_COLOR: ${{ job.status }}
|
|
SLACK_MESSAGE: "tfhe-cuda-backend release finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
|
|
|
|
teardown-instance:
|
|
name: Teardown instance (publish-release)
|
|
if: ${{ always() && needs.setup-instance.result == 'success' }}
|
|
needs: [setup-instance, publish-cuda-release]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Stop instance
|
|
id: stop-instance
|
|
uses: zama-ai/slab-github-runner@79939325c3c429837c10d6041e4fd8589d328bac
|
|
with:
|
|
mode: stop
|
|
github-token: ${{ secrets.SLAB_ACTION_TOKEN }}
|
|
slab-url: ${{ secrets.SLAB_BASE_URL }}
|
|
job-secret: ${{ secrets.JOB_SECRET }}
|
|
label: ${{ needs.setup-instance.outputs.runner-name }}
|
|
|
|
- name: Slack Notification
|
|
if: ${{ failure() }}
|
|
continue-on-error: true
|
|
uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661
|
|
env:
|
|
SLACK_COLOR: ${{ job.status }}
|
|
SLACK_MESSAGE: "Instance teardown (publish-cuda-release) finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
|