From 00f0b877d37ccd9139f1e54aabcac1242f1e6321 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Tue, 4 Jun 2024 15:32:59 -0700 Subject: [PATCH 01/28] adding slsa prov generation --- .github/workflows/publish.yml | 276 ++++++++++++++++++---------------- 1 file changed, 147 insertions(+), 129 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3e66f4fb0..2d61728ef 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -25,10 +25,12 @@ permissions: jobs: build: runs-on: ubuntu-latest + outputs: + hashes: ${{ steps.hash.outputs.hashes }} steps: - uses: actions/checkout@v4 with: - token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} + # token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} ref: ${{ inputs.tag }} - name: Install the latest version of rye uses: eifinger/setup-rye@v2 
@@ -43,143 +45,159 @@ jobs: run: | rye sync rye build - - uses: actions/upload-artifact@v4 - with: - name: build - path: ./dist - test-build: - if: ${{ !inputs.skip-tests }} - needs: ['build'] - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - include: - - python-version: 3.8 - prod-key: PROD_LABELBOX_API_KEY_2 - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: 3.9 - prod-key: PROD_LABELBOX_API_KEY_3 - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: "3.10" - prod-key: PROD_LABELBOX_API_KEY_4 - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: 3.11 - prod-key: LABELBOX_API_KEY - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: 3.12 - prod-key: PROD_LABELBOX_API_KEY_5 - da-test-key: DA_GCP_LABELBOX_API_KEY - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} - ref: ${{ inputs.tag }} - - name: Install the latest version of rye - uses: eifinger/setup-rye@v2 - with: - version: ${{ vars.RYE_VERSION }} - enable-cache: true - - name: Rye Setup + - name: "Generate hashes" + id: hash run: | - rye config --set-bool behavior.use-uv=true - - name: Python setup - run: rye pin ${{ matrix.python-version }} - - uses: actions/download-artifact@v4 + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + - uses: actions/upload-artifact@v4 with: name: build path: ./dist - - name: Prepare package and environment - run: | - rye sync -f --update-all - rye run toml unset --toml-path pyproject.toml tool.rye.workspace - rye sync -f --update-all - - name: Integration Testing - env: - PYTEST_XDIST_AUTO_NUM_WORKERS: 32 - LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }} - DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }} - LABELBOX_TEST_ENVIRON: prod - run: | - rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute - cd libs/labelbox - rm pyproject.toml - rye run pytest tests/integration - - name: Data Testing - env: - PYTEST_XDIST_AUTO_NUM_WORKERS: 32 - 
LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }} - DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }} - LABELBOX_TEST_ENVIRON: prod - run: | - rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute --features data - cd libs/labelbox - rye run pytest tests/data - pypi-publish: - runs-on: ubuntu-latest - needs: ['build', 'test-build'] - if: | - always() && - (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag - environment: - name: publish - url: 'https://pypi.org/project/labelbox/' - permissions: - # IMPORTANT: this permission is mandatory for trusted publishing - id-token: write - steps: - - uses: actions/download-artifact@v4 - with: - name: build - path: ./artifact - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - packages-dir: artifact/ - container-publish: - runs-on: ubuntu-latest - needs: ['build', 'test-build'] + provenance: + needs: [build] permissions: - packages: write - if: | - always() && - (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag - env: - CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} - ref: ${{ inputs.tag }} + actions: read + contents: write + id-token: write # Needed to access the workflow's OIDC identity. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true + # compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163 + + # test-build: + # if: ${{ !inputs.skip-tests }} + # needs: ['build'] + # runs-on: ubuntu-latest + # strategy: + # fail-fast: false + # matrix: + # include: + # - python-version: 3.8 + # prod-key: PROD_LABELBOX_API_KEY_2 + # da-test-key: DA_GCP_LABELBOX_API_KEY + # - python-version: 3.9 + # prod-key: PROD_LABELBOX_API_KEY_3 + # da-test-key: DA_GCP_LABELBOX_API_KEY + # - python-version: "3.10" + # prod-key: PROD_LABELBOX_API_KEY_4 + # da-test-key: DA_GCP_LABELBOX_API_KEY + # - python-version: 3.11 + # prod-key: LABELBOX_API_KEY + # da-test-key: DA_GCP_LABELBOX_API_KEY + # - python-version: 3.12 + # prod-key: PROD_LABELBOX_API_KEY_5 + # da-test-key: DA_GCP_LABELBOX_API_KEY + # steps: + # - uses: actions/checkout@v4 + # with: + # # token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} + # ref: ${{ inputs.tag }} + # - name: Install the latest version of rye + # uses: eifinger/setup-rye@v2 + # with: + # version: ${{ vars.RYE_VERSION }} + # enable-cache: true + # - name: Rye Setup + # run: | + # rye config --set-bool behavior.use-uv=true + # - name: Python setup + # run: rye pin ${{ matrix.python-version }} + # - uses: actions/download-artifact@v4 + # with: + # name: build + # path: ./dist + # - name: Prepare package and environment + # run: | + # rye sync -f --update-all + # rye run toml unset --toml-path pyproject.toml tool.rye.workspace + # rye sync -f --update-all + # - name: Integration Testing + # env: + # PYTEST_XDIST_AUTO_NUM_WORKERS: 32 + # LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }} + # DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }} + # LABELBOX_TEST_ENVIRON: prod + # run: | + # rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute + 
# cd libs/labelbox + # rm pyproject.toml + # rye run pytest tests/integration + # - name: Data Testing + # env: + # PYTEST_XDIST_AUTO_NUM_WORKERS: 32 + # LABELBOX_TEST_API_KEY: ${{ secrets[matrix.prod-key] }} + # DA_GCP_LABELBOX_API_KEY: ${{ secrets[matrix.da-test-key] }} + # LABELBOX_TEST_ENVIRON: prod + # run: | + # rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute --features data + # cd libs/labelbox + # rye run pytest tests/data +# pypi-publish: +# runs-on: ubuntu-latest +# needs: ['build', 'test-build'] +# if: | +# always() && +# (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag +# environment: +# name: publish +# url: 'https://pypi.org/project/labelbox/' +# permissions: +# # IMPORTANT: this permission is mandatory for trusted publishing +# id-token: write +# steps: +# - uses: actions/download-artifact@v4 +# with: +# name: build +# path: ./artifact +# - name: Publish package distributions to PyPI +# uses: pypa/gh-action-pypi-publish@release/v1 +# with: +# packages-dir: artifact/ +# container-publish: +# runs-on: ubuntu-latest +# needs: ['build', 'test-build'] +# permissions: +# packages: write +# if: | +# always() && +# (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag +# env: +# CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" +# steps: +# - uses: actions/checkout@v4 +# with: +# # token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} +# ref: ${{ inputs.tag }} - - name: downcase CONTAINER_IMAGE - run: | - echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} +# - name: downcase CONTAINER_IMAGE +# run: | +# echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v3 - - name: Log in to the Container registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ 
github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} +# - name: Log in to the Container registry +# uses: docker/login-action@v3 +# with: +# registry: ghcr.io +# username: ${{ github.actor }} +# password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: . - file: ./libs/labelbox/Dockerfile - github-token: ${{ secrets.GITHUB_TOKEN }} - push: true +# - name: Build and push +# uses: docker/build-push-action@v5 +# with: +# context: . +# file: ./libs/labelbox/Dockerfile +# github-token: ${{ secrets.GITHUB_TOKEN }} +# push: true - platforms: | - linux/amd64 - linux/arm64 +# platforms: | +# linux/amd64 +# linux/arm64 - tags: | - ${{ env.CONTAINER_IMAGE }}:latest - ${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }} +# tags: | +# ${{ env.CONTAINER_IMAGE }}:latest +# ${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }} -# Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job. \ No newline at end of file +# # Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job. \ No newline at end of file From da7e24e401ec1c919fda668dc9ce1853cfdc5314 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Tue, 4 Jun 2024 15:36:07 -0700 Subject: [PATCH 02/28] removing push testing --- .github/workflows/python-package-develop.yml | 246 +++++++++---------- 1 file changed, 123 insertions(+), 123 deletions(-) diff --git a/.github/workflows/python-package-develop.yml b/.github/workflows/python-package-develop.yml index cd5110033..7fa248eb8 100644 --- a/.github/workflows/python-package-develop.yml +++ b/.github/workflows/python-package-develop.yml 
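Review bot: The `provenance` job added in the `@@ -43,143 +45,159 @@` hunk attests whatever `build` produced while `test-build`, `pypi-publish` and `container-publish` are all commented out, so nothing ties the attested hashes to a passing integration or data test run any more. If the jobs are disabled only to try the generator out, a one-line comment above the commented region saying so would help, and `test-build` should be back in place before this workflow is used for a real release. Otherwise the jobs are better deleted than left as roughly 130 commented lines. In the new `Generate hashes` step, quote the output file the way the later `Output image` step does: `cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"`.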
@@ -1,136 +1,136 @@ -name: Labelbox Python SDK Staging (Develop) +# name: Labelbox Python SDK Staging (Develop) -on: - push: - branches: [develop] - pull_request: - branches: [develop] +# on: +# push: +# branches: [develop] +# pull_request: +# branches: [develop] -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true +# concurrency: +# group: ${{ github.workflow }}-${{ github.ref }} +# cancel-in-progress: true -permissions: - id-token: write +# permissions: +# id-token: write -jobs: - build: - strategy: - fail-fast: false - matrix: - include: - - python-version: 3.8 - api-key: STAGING_LABELBOX_API_KEY_2 - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: 3.9 - api-key: STAGING_LABELBOX_API_KEY_3 - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: "3.10" - api-key: STAGING_LABELBOX_API_KEY_4 - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: 3.11 - api-key: STAGING_LABELBOX_API_KEY - da-test-key: DA_GCP_LABELBOX_API_KEY - - python-version: 3.12 - api-key: STAGING_LABELBOX_API_KEY_5 - da-test-key: DA_GCP_LABELBOX_API_KEY - uses: ./.github/workflows/python-package-shared.yml - with: - python-version: ${{ matrix.python-version }} - api-key: ${{ matrix.api-key }} - da-test-key: ${{ matrix.da-test-key }} - fixture-profile: true - test-env: 'staging' - secrets: inherit - test-pypi: - runs-on: ubuntu-latest - needs: ['build'] - environment: - name: Test-PyPI - url: 'https://test.pypi.org/p/labelbox-test' - permissions: - # IMPORTANT: this permission is mandatory for trusted publishing - id-token: write - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} - ref: ${{ github.head_ref }} - - uses: ./.github/actions/python-package-shared-setup - with: - rye-version: ${{ vars.RYE_VERSION }} - python-version: '3.8' - - name: Create build - id: create-build - working-directory: libs/labelbox - run: | - VERSION=$(date +"%Y.%m.%d.%H.%M") - echo "pip install --index-url 
https://test.pypi.org/simple/ --extra-index-url=https://pypi.org/simple/ labelbox-test@$VERSION" >> "$GITHUB_STEP_SUMMARY" - rye version "$VERSION" - rye run toml set --toml-path pyproject.toml project.name labelbox-test - rye build - - name: Publish package distributions to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - packages-dir: dist/ - repository-url: https://test.pypi.org/legacy/ - test-container: - runs-on: ubuntu-latest - needs: ['build'] - permissions: - # IMPORTANT: this permission is mandatory for trusted publishing - packages: write - env: - CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" - steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} - ref: ${{ github.head_ref }} +# jobs: +# build: +# strategy: +# fail-fast: false +# matrix: +# include: +# - python-version: 3.8 +# api-key: STAGING_LABELBOX_API_KEY_2 +# da-test-key: DA_GCP_LABELBOX_API_KEY +# - python-version: 3.9 +# api-key: STAGING_LABELBOX_API_KEY_3 +# da-test-key: DA_GCP_LABELBOX_API_KEY +# - python-version: "3.10" +# api-key: STAGING_LABELBOX_API_KEY_4 +# da-test-key: DA_GCP_LABELBOX_API_KEY +# - python-version: 3.11 +# api-key: STAGING_LABELBOX_API_KEY +# da-test-key: DA_GCP_LABELBOX_API_KEY +# - python-version: 3.12 +# api-key: STAGING_LABELBOX_API_KEY_5 +# da-test-key: DA_GCP_LABELBOX_API_KEY +# uses: ./.github/workflows/python-package-shared.yml +# with: +# python-version: ${{ matrix.python-version }} +# api-key: ${{ matrix.api-key }} +# da-test-key: ${{ matrix.da-test-key }} +# fixture-profile: true +# test-env: 'staging' +# secrets: inherit +# test-pypi: +# runs-on: ubuntu-latest +# needs: ['build'] +# environment: +# name: Test-PyPI +# url: 'https://test.pypi.org/p/labelbox-test' +# permissions: +# # IMPORTANT: this permission is mandatory for trusted publishing +# id-token: write +# steps: +# - uses: actions/checkout@v4 +# with: +# token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} +# ref: ${{ github.head_ref }} +# - uses: 
./.github/actions/python-package-shared-setup +# with: +# rye-version: ${{ vars.RYE_VERSION }} +# python-version: '3.8' +# - name: Create build +# id: create-build +# working-directory: libs/labelbox +# run: | +# VERSION=$(date +"%Y.%m.%d.%H.%M") +# echo "pip install --index-url https://test.pypi.org/simple/ --extra-index-url=https://pypi.org/simple/ labelbox-test@$VERSION" >> "$GITHUB_STEP_SUMMARY" +# rye version "$VERSION" +# rye run toml set --toml-path pyproject.toml project.name labelbox-test +# rye build +# - name: Publish package distributions to Test PyPI +# uses: pypa/gh-action-pypi-publish@release/v1 +# with: +# packages-dir: dist/ +# repository-url: https://test.pypi.org/legacy/ +# test-container: +# runs-on: ubuntu-latest +# needs: ['build'] +# permissions: +# # IMPORTANT: this permission is mandatory for trusted publishing +# packages: write +# env: +# CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" +# steps: +# - uses: actions/checkout@v4 +# with: +# token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} +# ref: ${{ github.head_ref }} - - name: downcase CONTAINER_IMAGE - run: | - echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} +# - name: downcase CONTAINER_IMAGE +# run: | +# echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 +# - name: Set up Docker Buildx +# uses: docker/setup-buildx-action@v3 - - name: Log in to the Container registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} +# - name: Log in to the Container registry +# uses: docker/login-action@v3 +# with: +# registry: ghcr.io +# username: ${{ github.actor }} +# password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push (Develop) - if: github.event_name == 'push' - uses: docker/build-push-action@v5 - with: - context: . 
- file: ./libs/labelbox/Dockerfile - github-token: ${{ secrets.GITHUB_TOKEN }} - push: true +# - name: Build and push (Develop) +# if: github.event_name == 'push' +# uses: docker/build-push-action@v5 +# with: +# context: . +# file: ./libs/labelbox/Dockerfile +# github-token: ${{ secrets.GITHUB_TOKEN }} +# push: true - platforms: | - linux/amd64 - linux/arm64 +# platforms: | +# linux/amd64 +# linux/arm64 - tags: | - ${{ env.CONTAINER_IMAGE }}:develop - ${{ env.CONTAINER_IMAGE }}:${{ github.sha }} +# tags: | +# ${{ env.CONTAINER_IMAGE }}:develop +# ${{ env.CONTAINER_IMAGE }}:${{ github.sha }} - - name: Build and push (Pull Request) - if: github.event_name == 'pull_request' - uses: docker/build-push-action@v5 - with: - context: . - file: ./libs/labelbox/Dockerfile - github-token: ${{ secrets.GITHUB_TOKEN }} - push: true +# - name: Build and push (Pull Request) +# if: github.event_name == 'pull_request' +# uses: docker/build-push-action@v5 +# with: +# context: . +# file: ./libs/labelbox/Dockerfile +# github-token: ${{ secrets.GITHUB_TOKEN }} +# push: true - platforms: | - linux/amd64 - linux/arm64 +# platforms: | +# linux/amd64 +# linux/arm64 - tags: | - ${{ env.CONTAINER_IMAGE }}:${{ github.sha }} +# tags: | +# ${{ env.CONTAINER_IMAGE }}:${{ github.sha }} From b1445145e9b4ca7cb80f201741d97fadb16aacdd Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Wed, 5 Jun 2024 11:22:58 -0700 Subject: [PATCH 03/28] upload tag name --- .github/workflows/publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2d61728ef..12aa9d46a 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
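Review bot: Commenting out every line of `python-package-develop.yml` also removes the staging test matrix for pushes and pull requests to `develop`, so the release-workflow changes in the rest of this series land without that CI run. If the aim is only to stop the Test-PyPI and container pushes while experimenting, keep the `build` job that calls `python-package-shared.yml` and comment out just `test-pypi` and `test-container`. A file that holds nothing but comments is presumably not a usable workflow definition either. Disabling the workflow in the repository's Actions settings, or deleting the file, would be clearer than 136 commented lines.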
@@ -62,8 +62,8 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" - upload-assets: true - # compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163 + upload-assets: true # upload to a new release + upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow # test-build: # if: ${{ !inputs.skip-tests }} From 650e510998faca41755fc58c748abe4644f5de2c Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Wed, 5 Jun 2024 13:26:48 -0700 Subject: [PATCH 04/28] updating w container provenance --- .github/workflows/publish.yml | 108 +++++++++++++++++++++------------- 1 file changed, 66 insertions(+), 42 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 12aa9d46a..463a516cf 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -53,7 +53,7 @@ jobs: with: name: build path: ./dist - provenance: + provenance_python: needs: [build] permissions: actions: read 
@@ -154,50 +154,74 @@ jobs: # uses: pypa/gh-action-pypi-publish@release/v1 # with: # packages-dir: artifact/ -# container-publish: -# runs-on: ubuntu-latest -# needs: ['build', 'test-build'] -# permissions: -# packages: write -# if: | -# always() && -# (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag -# env: -# CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" -# steps: -# - uses: actions/checkout@v4 -# with: -# # token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} -# ref: ${{ inputs.tag }} + container-publish: + runs-on: ubuntu-latest + needs: ['build'] + # needs: ['build', 'test-build'] + permissions: + packages: write + outputs: + image: ${{ steps.image.outputs.image }} + digest: ${{ steps.build.outputs.digest }} + if: | + always() && + (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag + env: + CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" + steps: + - uses: actions/checkout@v4 + with: + # token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} + ref: ${{ inputs.tag }} -# - name: downcase CONTAINER_IMAGE -# run: | -# echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} + - name: downcase CONTAINER_IMAGE + run: | + echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 -# - name: Log in to the Container registry -# uses: docker/login-action@v3 -# with: -# registry: ghcr.io -# username: ${{ github.actor }} -# password: ${{ secrets.GITHUB_TOKEN }} + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} -# - name: Build and push -# uses: docker/build-push-action@v5 -# with: -# context: . 
-# file: ./libs/labelbox/Dockerfile -# github-token: ${{ secrets.GITHUB_TOKEN }} -# push: true + - name: Build and push + uses: docker/build-push-action@v5 + id: build + with: + context: . + file: ./libs/labelbox/Dockerfile + github-token: ${{ secrets.GITHUB_TOKEN }} + push: true -# platforms: | -# linux/amd64 -# linux/arm64 + platforms: | + linux/amd64 + linux/arm64 -# tags: | -# ${{ env.CONTAINER_IMAGE }}:latest -# ${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }} - -# # Note that the build and pypi-publish jobs are split so that the additional permissions are only granted to the pypi-publish job. \ No newline at end of file + tags: | + ${{ env.CONTAINER_IMAGE }}:latest + ${{ env.CONTAINER_IMAGE }}:${{ inputs.tag }} + - name: Output image + id: image + run: | + # NOTE: Set the image as an output because the `env` context is not + # available to the inputs of a reusable workflow call. + image_name="${CONTAINER_IMAGE}" + echo "image=$image_name" >> "$GITHUB_OUTPUT" + + provenance_container: + needs: [container-publish] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ${{ needs. container-publish.outputs.image }} + digest: ${{ needs. container-publish.outputs.digest }} + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} From e06770ea85b9ff9d7b653fced1f9f8fb91c97e2a Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Wed, 5 Jun 2024 13:30:54 -0700 Subject: [PATCH 05/28] remove the skip condition --- .github/workflows/publish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 463a516cf..1c4472d2c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
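Review bot: The re-enabled `container-publish` job keeps `if: always() && (needs.test-build.result == ...) && github.event.inputs.tag` while its `needs` is now only `['build']`, so `needs.test-build` is not populated and the condition looks like it can never be true. The later `@@ -163,9 +163,9 @@` hunk resolves that by commenting the whole condition out, which also drops the tag check and leaves `:latest` pushed with no test gate at all. Keeping `if: github.event.inputs.tag` until `test-build` is restored preserves the one guard that still applies. The `${{ needs. container-publish.outputs.image }}` and `digest` expressions in `provenance_container` also carry a stray space after `needs.` that is worth removing.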
@@ -163,9 +163,9 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} digest: ${{ steps.build.outputs.digest }} - if: | - always() && - (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag + # if: | + # always() && + # (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag env: CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" steps: From cfeef6881ec1af1aba6e3a9a49a75bd28dc14e64 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Wed, 5 Jun 2024 15:38:41 -0700 Subject: [PATCH 06/28] adding container verifier --- .github/workflows/publish.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1c4472d2c..a1b29cfd2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -225,3 +225,16 @@ jobs: registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }} + + +#### Testing verification + + verify: + needs: [provenance_container] + uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 + run: | + slsa-verifier verify-image "${{ needs. container-publish.outputs.image }}@${{ needs. container-publish.outputs.digest }}" \ + --source-uri https://github.com/${{ github.repository }} \ + --source-tag ${{ inputs.tag }} + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} From 8ef2cddb812bf6dbf9c2deedb48b3a89e2ce5a81 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 11:06:42 -0700 Subject: [PATCH 07/28] removing verification that didnt work --- .github/workflows/publish.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a1b29cfd2..1b4dd2055 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
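Review bot: The `verify` job added in the `@@ -225,3 +225,16 @@` hunk cannot run as written: it puts `uses:` (an action, not a reusable workflow), `run:` and `secrets:` side by side at job level, and the follow-up hunk `@@ -230,11 +230,13 @@` still combines `uses:` and `run:` in a single step, which a step may not do. It also reads `needs.container-publish.outputs.*` while listing only `provenance_container` in `needs`, so image and digest would presumably be empty. Listing both jobs in `needs`, splitting installation and verification into two steps, and passing the image, digest and tag through `env:` rather than expanding them inside the script would let the check stay in the pipeline instead of being removed two commits later.

```yaml
  verify:
    runs-on: ubuntu-latest
    needs: [container-publish, provenance_container]
    steps:
      - name: Install slsa-verifier
        uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
      - name: Verify image
        env:
          IMAGE: ${{ needs.container-publish.outputs.image }}
          DIGEST: ${{ needs.container-publish.outputs.digest }}
          SOURCE_TAG: ${{ inputs.tag }}
        run: |
          slsa-verifier verify-image "${IMAGE}@${DIGEST}" \
            --source-uri "https://github.com/${GITHUB_REPOSITORY}" \
            --source-tag "${SOURCE_TAG}"
```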
@@ -230,11 +230,13 @@ jobs: #### Testing verification verify: + runs-on: ubuntu-latest needs: [provenance_container] - uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 - run: | - slsa-verifier verify-image "${{ needs. container-publish.outputs.image }}@${{ needs. container-publish.outputs.digest }}" \ - --source-uri https://github.com/${{ github.repository }} \ - --source-tag ${{ inputs.tag }} - secrets: - github-token: ${{ secrets.GITHUB_TOKEN }} + + steps: + - name: Verify image + uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 + run: | + slsa-verifier verify-image "${{ needs. container-publish.outputs.image }}@${{ needs. container-publish.outputs.digest }}" \ + --source-uri https://github.com/${{ github.repository }} \ + --source-tag ${{ inputs.tag }} From 114650b9bb905eb031b9047617fd4e8b1ef8c33f Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 11:11:29 -0700 Subject: [PATCH 08/28] removing verification that didnt work --- .github/workflows/publish.yml | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1b4dd2055..8acb16d72 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -224,19 +224,4 @@ jobs: digest: ${{ needs. container-publish.outputs.digest }} registry-username: ${{ github.actor }} secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} - - -#### Testing verification - - verify: - runs-on: ubuntu-latest - needs: [provenance_container] - - steps: - - name: Verify image - uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 - run: | - slsa-verifier verify-image "${{ needs. container-publish.outputs.image }}@${{ needs. container-publish.outputs.digest }}" \ - --source-uri https://github.com/${{ github.repository }} \ - --source-tag ${{ inputs.tag }} + registry-password: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file 
From ee689c04f5824e237bde110a45057122bee5fa40 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 11:41:57 -0700 Subject: [PATCH 09/28] adding upload release --- .github/workflows/publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8acb16d72..d37b834fe 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -53,6 +53,9 @@ jobs: with: name: build path: ./dist + - name: Upload dist to release + run: | + gh release upload ${{ inputs.tag }} ./dist provenance_python: needs: [build] permissions: From c9eeeb4a191404ea6588ebf2f64cdfdb5eff4f21 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 11:50:10 -0700 Subject: [PATCH 10/28] adding gh token --- .github/workflows/publish.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d37b834fe..23a7cc0c7 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -56,6 +56,8 @@ jobs: - name: Upload dist to release run: | gh release upload ${{ inputs.tag }} ./dist + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} provenance_python: needs: [build] permissions: From f3243f3989c7fd6e831a4d3f60e2037cd23acb8a Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 11:54:03 -0700 Subject: [PATCH 11/28] adding * for dist --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 23a7cc0c7..445ae6c95 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -55,7 +55,7 @@ jobs: path: ./dist - name: Upload dist to release run: | - gh release upload ${{ inputs.tag }} ./dist + gh release upload ${{ inputs.tag }} ./dist/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} provenance_python: From 3ccba6ee64e5c7b57b78e0982b138075b8bf9056 Mon Sep 17 00:00:00 2001 
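Review bot: `gh release upload ${{ inputs.tag }} ./dist` in the `@@ -53,6 +53,9 @@` hunk expands the workflow input into the script text before the shell parses it, so a tag value containing shell metacharacters would be interpreted as part of the command. The same line is carried through the `@@ -56,6 +56,8 @@` and `@@ -55,7 +55,7 @@` hunks that follow. Pass the value through the environment instead: add `TAG: ${{ inputs.tag }}` under the step's `env:` and call `gh release upload "$TAG" ./dist/*`. The step sits inside the `build` job, most of which lies outside these hunks.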
From: Aaron Bacchi Date: Thu, 6 Jun 2024 12:13:53 -0700 Subject: [PATCH 12/28] adding permissoin to write to thang --- .github/workflows/publish.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 445ae6c95..6fccbb7c4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -25,6 +25,8 @@ permissions: jobs: build: runs-on: ubuntu-latest + permissions: + contents: write outputs: hashes: ${{ steps.hash.outputs.hashes }} steps: From 87dc4ae3cd7e8a4be8ddbd838553df4ae87e81db Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 14:39:19 -0700 Subject: [PATCH 13/28] initial draft of readme --- README.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 634defa73..75ebd2eb9 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ [![Twitter Follow](https://img.shields.io/twitter/follow/labelbox.svg?style=social&label=Follow)](https://twitter.com/labelbox) [![LinkedIn Follow](https://img.shields.io/badge/Follow-LinkedIn-blue.svg?style=flat&logo=linkedin)](https://www.linkedin.com/company/labelbox/) [![Supported Python Versions](https://img.shields.io/pypi/pyversions/labelbox)](https://img.shields.io/pypi/pyversions/labelbox) +[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) # Labelbox 
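Review bot: Adding `permissions: contents: write` to the whole `build` job in the `@@ -25,6 +25,8 @@` hunk gives a write-scoped token to every step of that job, including `rye sync` and `rye build`, which run dependency and build-backend code. The file's own closing comment said the jobs were split so that extra permissions reach only the publishing job, and the same reasoning applies here. The release upload is better placed in a small job of its own that downloads the `build` artifact and is the only holder of `contents: write`, leaving `build` read-only. The `build` job's steps are outside this hunk.

```yaml
  release-upload:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: build
          path: ./dist
      - name: Upload dist to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          TAG: ${{ inputs.tag }}
        run: |
          gh release upload "$TAG" ./dist/*
```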
@@ -94,4 +95,27 @@ c.InteractiveShellApp.exec_lines = [ 'import sys; sys.path.insert(0, "")' ] ``` -4. Go to the root of your project and run `jupyter notebook` to start the server. \ No newline at end of file +4. Go to the root of your project and run `jupyter notebook` to start the server. + +## Provenance + +To enhance the software supply chain security of Labelbox's users, as of v3.73.0, every legitify release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. +The provenance document refers to the Python wheel, as well as the generated docker image. +You can use [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance. +Example of usage for the v3.73.0 release wheel: + +``` +pip download --no-deps labelbox==3.72.0 + +slsa-verifier verify-artifact --source-branch develop --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0' --source-uri "git+https://github.com/Labelbox/labelbox-python-slsa-temp" --provenance-path multiple.intoto.jsonl ./labelbox-3.72.0-py3-none-any.whl +``` + +Example of usage for the v3.73.0 release docker image: +``` +Brew install crane +brew install slsa-verifier +IMAGE=ghcr.io/labelbox/labelbox-python-slsa-temp:6.5 +IMAGE="${IMAGE}@"$(crane digest "${IMAGE}") +slsa-verifier verify-image "$IMAGE" \ + --source-uri github.com/Labelbox/labelbox-python-slsa-temp +``` From 3ddf2df1a4fcd010e2fe137aad3e8e51495300af Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 14:42:07 -0700 Subject: [PATCH 14/28] forgot one --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 75ebd2eb9..518674e93 100644 --- a/README.md +++ b/README.md 
@@ -99,7 +99,7 @@ c.InteractiveShellApp.exec_lines = [ ## Provenance -To enhance the software supply chain security of Labelbox's users, as of v3.73.0, every legitify release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. +To enhance the software supply chain security of Labelbox's users, as of v3.73.0, every SDK release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. The provenance document refers to the Python wheel, as well as the generated docker image. You can use [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance. Example of usage for the v3.73.0 release wheel: From 0bf53892503fe9f8557582ee4faf94c07419a25e Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 14:49:18 -0700 Subject: [PATCH 15/28] name --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 518674e93..05f5abb00 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ c.InteractiveShellApp.exec_lines = [ ## Provenance To enhance the software supply chain security of Labelbox's users, as of v3.73.0, every SDK release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. -The provenance document refers to the Python wheel, as well as the generated docker image. +The provenance document refers to the Python package, as well as the generated docker image. You can use [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance. Example of usage for the v3.73.0 release wheel: From 279b12e64bea2d893d7e823a3820639cd99d9695 Mon Sep 17 00:00:00 2001 
From: Aaron Bacchi Date: Thu, 6 Jun 2024 15:11:08 -0700 Subject: [PATCH 16/28] lb --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 05f5abb00..d9519ea01 100644 --- a/README.md +++ b/README.md @@ -99,8 +99,8 @@ c.InteractiveShellApp.exec_lines = [ ## Provenance -To enhance the software supply chain security of Labelbox's users, as of v3.73.0, every SDK release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. -The provenance document refers to the Python package, as well as the generated docker image. +To enhance the software supply chain security of Labelbox's users, as of v3.73.0, every Labelbox SDK release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document. +The provenance document refers to the Python package, as well as the generated Docker image. You can use [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance. Example of usage for the v3.73.0 release wheel: From 278623bb9ac4dcdf49d2528bcd40002b19698a96 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 15:52:59 -0700 Subject: [PATCH 17/28] trying out w new step --- .github/workflows/publish.yml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6fccbb7c4..0c0d6de32 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -25,8 +25,6 @@ permissions: jobs: build: runs-on: ubuntu-latest - permissions: - contents: write outputs: hashes: ${{ steps.hash.outputs.hashes }} steps: 
@@ -55,11 +53,6 @@ jobs: with: name: build path: ./dist - - name: Upload dist to release - run: | - gh release upload ${{ inputs.tag }} ./dist/* - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} provenance_python: needs: [build] permissions: @@ -140,7 +133,23 @@ jobs: # rye add labelbox --path ./$(find ./dist/ -name *.tar.gz) --sync --absolute --features data # cd libs/labelbox # rye run pytest tests/data -# pypi-publish: + publish-python-package-to-release: + runs-on: ubuntu-latest + needs: ['build'] + permissions: + contents: write + steps: + - uses: actions/download-artifact@v4 + with: + name: build + path: ./artifact + - name: Upload dist to release + run: | + gh release upload ${{ inputs.tag }} ./artifact/dist/* + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # pypi-publish: # runs-on: ubuntu-latest # needs: ['build', 'test-build'] # if: | From 699f816dfc0930a89bd23c8695a416a006d78f3a Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 15:56:33 -0700 Subject: [PATCH 18/28] remove dist --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 0c0d6de32..5fe40d165 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -145,7 +145,7 @@ jobs: path: ./artifact - name: Upload dist to release run: | - gh release upload ${{ inputs.tag }} ./artifact/dist/* + gh release upload ${{ inputs.tag }} ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From d4c8f03a3c76c593db282131ee94834c4323db79 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:06:28 -0700 Subject: [PATCH 19/28] exp --- .../workflows/upload_download_experiment.yml | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/upload_download_experiment.yml 
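Review bot: In the new `publish-python-package-to-release` job (hunk `@@ -140,7 +133,23 @@`), `${{ inputs.tag }}` is expanded into the `run:` script text before the shell parses it, so the input is treated as shell source in a job that holds `contents: write`. Pass it through the environment instead: add `TAG: ${{ inputs.tag }}` next to `GH_TOKEN` under `env:` and call `gh release upload "$TAG" ./artifact/dist/*`. The same pattern stays in this step through the later one-line edits in PATCH 18, 24, 25, 27 and 28.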
diff --git a/.github/workflows/upload_download_experiment.yml b/.github/workflows/upload_download_experiment.yml new file mode 100644 index 000000000..1feb777af --- /dev/null +++ b/.github/workflows/upload_download_experiment.yml @@ -0,0 +1,60 @@ + +on: + workflow_dispatch: + inputs: + tag: + description: 'Release Tag' + required: true + + + +jobs: + build: + runs-on: ubuntu-latest + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + steps: + - uses: actions/checkout@v4 + with: + # token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} + ref: ${{ inputs.tag }} + - name: Install the latest version of rye + uses: eifinger/setup-rye@v2 + with: + version: ${{ vars.RYE_VERSION }} + enable-cache: true + - name: Rye Setup + run: | + rye config --set-bool behavior.use-uv=true + - name: Create build + working-directory: libs/labelbox + run: | + rye sync + rye build + - name: "Generate hashes" + id: hash + run: | + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + - uses: actions/upload-artifact@v4 + with: + name: build + path: ./dist + + + publish-python-package-to-release: + runs-on: ubuntu-latest + needs: ['build'] + permissions: + contents: write + steps: + - uses: actions/download-artifact@v4 + with: + name: build + path: ./artifact + - name: List artifact contents + run: ls -R ./artifact + - name: Upload dist to release + run: | + gh release upload ${{ inputs.tag }} ./artifact/* + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From f80528d532be6418c32ed385cc99c8f5033f00b2 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:07:12 -0700 Subject: [PATCH 20/28] pr --- .github/workflows/upload_download_experiment.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/upload_download_experiment.yml b/.github/workflows/upload_download_experiment.yml index 1feb777af..a00f8a9f0 100644 --- a/.github/workflows/upload_download_experiment.yml +++ b/.github/workflows/upload_download_experiment.yml 
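Review bot: This new workflow has no top-level `permissions:` block, so the `build` job, which runs `eifinger/setup-rye@v2` and `rye build`, receives whatever default token scope the repository or organisation is configured with. Only `publish-python-package-to-release` declares its own scope. Adding `permissions:` with `contents: read` at workflow level keeps the write grant confined to the upload job. The upload step also expands `${{ inputs.tag }}` inside `run:`; setting `TAG: ${{ inputs.tag }}` under `env:` and using `"$TAG"` keeps the input out of the script text. `eifinger/setup-rye` is referenced by a mutable tag, and pinning it to a full commit SHA would fix what actually runs in the build.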
@@ -1,5 +1,6 @@ on: + pull_request: workflow_dispatch: inputs: tag: From 0605657fc594042c73f952eb2517183e4f89c99d Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:10:13 -0700 Subject: [PATCH 21/28] working dir --- .github/workflows/python-package-develop.yml | 136 ------------------ .../workflows/upload_download_experiment.yml | 3 +- 2 files changed, 2 insertions(+), 137 deletions(-) delete mode 100644 .github/workflows/python-package-develop.yml diff --git a/.github/workflows/python-package-develop.yml b/.github/workflows/python-package-develop.yml deleted file mode 100644 index 7fa248eb8..000000000 --- a/.github/workflows/python-package-develop.yml +++ /dev/null 
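Review bot: The `pull_request:` trigger added in hunk `@@ -1,5 +1,6 @@` makes this workflow run for pull requests, although its upload job declares `contents: write` and `inputs.tag` is empty for that event. With an empty `ref:` the checkout falls back to the event's default ref, so the pull request's code would be built, and `gh release upload` would be called without a tag argument. If the trigger is only there to exercise the build, guard the upload job with `if: github.event_name == 'workflow_dispatch'`. The jobs themselves are outside this hunk.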
@@ -1,136 +0,0 @@ -# name: Labelbox Python SDK Staging (Develop) - -# on: -# push: -# branches: [develop] -# pull_request: -# branches: [develop] - -# concurrency: -# group: ${{ github.workflow }}-${{ github.ref }} -# cancel-in-progress: true - -# permissions: -# id-token: write - -# jobs: -# build: -# strategy: -# fail-fast: false -# matrix: -# include: -# - python-version: 3.8 -# api-key: STAGING_LABELBOX_API_KEY_2 -# da-test-key: DA_GCP_LABELBOX_API_KEY -# - python-version: 3.9 -# api-key: STAGING_LABELBOX_API_KEY_3 -# da-test-key: DA_GCP_LABELBOX_API_KEY -# - python-version: "3.10" -# api-key: STAGING_LABELBOX_API_KEY_4 -# da-test-key: DA_GCP_LABELBOX_API_KEY -# - python-version: 3.11 -# api-key: STAGING_LABELBOX_API_KEY -# da-test-key: DA_GCP_LABELBOX_API_KEY -# - python-version: 3.12 -# api-key: STAGING_LABELBOX_API_KEY_5 -# da-test-key: DA_GCP_LABELBOX_API_KEY -# uses: ./.github/workflows/python-package-shared.yml -# with: -# python-version: ${{ matrix.python-version }} -# api-key: ${{ matrix.api-key }} -# da-test-key: ${{ matrix.da-test-key }} -# fixture-profile: true -# test-env: 'staging' -# secrets: inherit -# test-pypi: -# runs-on: ubuntu-latest -# needs: ['build'] -# environment: -# name: Test-PyPI -# url: 'https://test.pypi.org/p/labelbox-test' -# permissions: -# # IMPORTANT: this permission is mandatory for trusted publishing -# id-token: write -# steps: -# - uses: actions/checkout@v4 -# with: -# token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} -# ref: ${{ github.head_ref }} -# - uses: ./.github/actions/python-package-shared-setup -# with: -# rye-version: ${{ vars.RYE_VERSION }} -# python-version: '3.8' -# - name: Create build -# id: create-build -# working-directory: libs/labelbox -# run: | -# VERSION=$(date +"%Y.%m.%d.%H.%M") -# echo "pip install --index-url https://test.pypi.org/simple/ --extra-index-url=https://pypi.org/simple/ labelbox-test@$VERSION" >> "$GITHUB_STEP_SUMMARY" -# rye version "$VERSION" -# rye run toml set --toml-path pyproject.toml 
project.name labelbox-test -# rye build -# - name: Publish package distributions to Test PyPI -# uses: pypa/gh-action-pypi-publish@release/v1 -# with: -# packages-dir: dist/ -# repository-url: https://test.pypi.org/legacy/ -# test-container: -# runs-on: ubuntu-latest -# needs: ['build'] -# permissions: -# # IMPORTANT: this permission is mandatory for trusted publishing -# packages: write -# env: -# CONTAINER_IMAGE: "ghcr.io/${{ github.repository }}" -# steps: -# - uses: actions/checkout@v4 -# with: -# token: ${{ secrets.ACTIONS_ACCESS_TOKEN }} -# ref: ${{ github.head_ref }} - -# - name: downcase CONTAINER_IMAGE -# run: | -# echo "CONTAINER_IMAGE=${CONTAINER_IMAGE,,}" >> ${GITHUB_ENV} - -# - name: Set up Docker Buildx -# uses: docker/setup-buildx-action@v3 - -# - name: Log in to the Container registry -# uses: docker/login-action@v3 -# with: -# registry: ghcr.io -# username: ${{ github.actor }} -# password: ${{ secrets.GITHUB_TOKEN }} - -# - name: Build and push (Develop) -# if: github.event_name == 'push' -# uses: docker/build-push-action@v5 -# with: -# context: . -# file: ./libs/labelbox/Dockerfile -# github-token: ${{ secrets.GITHUB_TOKEN }} -# push: true - -# platforms: | -# linux/amd64 -# linux/arm64 - -# tags: | -# ${{ env.CONTAINER_IMAGE }}:develop -# ${{ env.CONTAINER_IMAGE }}:${{ github.sha }} - -# - name: Build and push (Pull Request) -# if: github.event_name == 'pull_request' -# uses: docker/build-push-action@v5 -# with: -# context: . -# file: ./libs/labelbox/Dockerfile -# github-token: ${{ secrets.GITHUB_TOKEN }} -# push: true - -# platforms: | -# linux/amd64 -# linux/arm64 - -# tags: | -# ${{ env.CONTAINER_IMAGE }}:${{ github.sha }} diff --git a/.github/workflows/upload_download_experiment.yml b/.github/workflows/upload_download_experiment.yml index a00f8a9f0..f24e7df80 100644 --- a/.github/workflows/upload_download_experiment.yml +++ b/.github/workflows/upload_download_experiment.yml 
@@ -55,7 +55,8 @@ jobs: - name: List artifact contents run: ls -R ./artifact - name: Upload dist to release + working-directory: ${{ github.workspace }} run: | - gh release upload ${{ inputs.tag }} ./artifact/* + gh release upload ${{ inputs.tag }} ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 752cf5ac4e9a4bc7df37c6969707015513e50ab6 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:12:47 -0700 Subject: [PATCH 22/28] checkout --- .github/workflows/upload_download_experiment.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/upload_download_experiment.yml b/.github/workflows/upload_download_experiment.yml index f24e7df80..ee37ba8f7 100644 --- a/.github/workflows/upload_download_experiment.yml +++ b/.github/workflows/upload_download_experiment.yml @@ -48,6 +48,9 @@ jobs: permissions: contents: write steps: + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.tag }} - uses: actions/download-artifact@v4 with: name: build @@ -55,8 +58,7 @@ jobs: - name: List artifact contents run: ls -R ./artifact - name: Upload dist to release - working-directory: ${{ github.workspace }} run: | - gh release upload ${{ inputs.tag }} ./artifact/* + gh release upload 6.5 ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 02faf2a825d6439cd601c3d1bf0748ebcb1ba245 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:14:04 -0700 Subject: [PATCH 23/28] dirty --- .github/workflows/upload_download_experiment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/upload_download_experiment.yml b/.github/workflows/upload_download_experiment.yml index ee37ba8f7..c8ffdd291 100644 --- a/.github/workflows/upload_download_experiment.yml +++ b/.github/workflows/upload_download_experiment.yml 
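Review bot: In PATCH 22, hunk `@@ -55,8 +58,7 @@`, the upload goes to the literal release `6.5` while the checkout added in the preceding hunk still uses `ref: ${{ inputs.tag }}`. Files built from one ref can therefore be attached to a different release, which breaks the link between a release and the source its provenance should describe. Keep the tag tied to the input, with `TAG: ${{ inputs.tag }}` under `env:` and `gh release upload "$TAG" ./artifact/*`. PATCH 23 changes the literal to `6.7` and has the same issue.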
@@ -59,6 +59,6 @@ jobs: run: ls -R ./artifact - name: Upload dist to release run: | - gh release upload 6.5 ./artifact/* + gh release upload 6.7 ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 16cf0baffbb58075f8ad82270b7782fb63657319 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:15:35 -0700 Subject: [PATCH 24/28] upload to rel --- .github/workflows/publish.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 5fe40d165..6de5c93fe 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -139,13 +139,16 @@ jobs: permissions: contents: write steps: + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.tag }} - uses: actions/download-artifact@v4 with: name: build path: ./artifact - name: Upload dist to release run: | - gh release upload ${{ inputs.tag }} ./artifact/* + gh release upload ${{ inputs.tag }} ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From abff4f7d5ae08dd46a3b31356026fd63af9839d0 Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Thu, 6 Jun 2024 16:16:37 -0700 Subject: [PATCH 25/28] space --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6de5c93fe..a03e29ecc 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -148,7 +148,7 @@ jobs: path: ./artifact - name: Upload dist to release run: | - gh release upload ${{ inputs.tag }} ./artifact/* + gh release upload ${{ inputs.tag }} ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 8f5264d08662c01ccc9628cd86b28d9d06db4fae Mon Sep 17 00:00:00 2001 
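Review bot: In PATCH 24, hunk `@@ -139,13 +139,16 @@`, the `actions/checkout@v4` step added to `publish-python-package-to-release` appears to exist only to give `gh` a repository context. By default it leaves the job's token in the local git configuration, and this job holds `contents: write`. Either add `persist-credentials: false` under its `with:`, or drop the checkout and set `GH_REPO: ${{ github.repository }}` next to `GH_TOKEN`. The upload line still expands `${{ inputs.tag }}` inside `run:`, so pass it as `TAG: ${{ inputs.tag }}` under `env:` and use `"$TAG"`.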
From: Aaron Bacchi Date: Fri, 7 Jun 2024 08:44:11 -0700 Subject: [PATCH 26/28] specific about containe rbuild --- .github/workflows/publish.yml | 4 ++-- .github/workflows/upload_download_experiment.yml | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a03e29ecc..848c1e6dc 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -181,7 +181,7 @@ jobs: packages: write outputs: image: ${{ steps.image.outputs.image }} - digest: ${{ steps.build.outputs.digest }} + digest: ${{ steps.build_container.outputs.digest }} # if: | # always() && # (needs.test-build.result == 'success' || needs.test-build.result == 'skipped') && github.event.inputs.tag @@ -209,7 +209,7 @@ jobs: - name: Build and push uses: docker/build-push-action@v5 - id: build + id: build_container with: context: . file: ./libs/labelbox/Dockerfile diff --git a/.github/workflows/upload_download_experiment.yml b/.github/workflows/upload_download_experiment.yml index c8ffdd291..cef141cba 100644 --- a/.github/workflows/upload_download_experiment.yml +++ b/.github/workflows/upload_download_experiment.yml @@ -1,14 +1,12 @@ on: - pull_request: +# pull_request: workflow_dispatch: inputs: tag: description: 'Release Tag' required: true - - jobs: build: runs-on: ubuntu-latest @@ -59,6 +57,6 @@ jobs: run: ls -R ./artifact - name: Upload dist to release run: | - gh release upload 6.7 ./artifact/* + gh release upload ${{ inputs.tag }} ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 9c3d2c6bb771df226a4f0a6bbf2f29da9532f46e Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Fri, 7 Jun 2024 10:55:16 -0700 Subject: [PATCH 27/28] release tag in the name --- .github/workflows/publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 848c1e6dc..7979be48d 100644 
--- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -63,7 +63,7 @@ jobs: with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # upload to a new release - upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow + upload-tag-name: "Release ${{ inputs.tag }}" # Tag from the initiation of the workflow # test-build: # if: ${{ !inputs.skip-tests }} @@ -148,7 +148,7 @@ jobs: path: ./artifact - name: Upload dist to release run: | - gh release upload ${{ inputs.tag }} ./artifact/* + gh release upload "Release ${{ inputs.tag }}" ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a22166cb9d1cc57e7b80c00f502ab595911f198a Mon Sep 17 00:00:00 2001 From: Aaron Bacchi Date: Fri, 7 Jun 2024 11:00:58 -0700 Subject: [PATCH 28/28] release tag in the name remove --- .github/workflows/publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7979be48d..848c1e6dc 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -63,7 +63,7 @@ jobs: with: base64-subjects: "${{ needs.build.outputs.hashes }}" upload-assets: true # upload to a new release - upload-tag-name: "Release ${{ inputs.tag }}" # Tag from the initiation of the workflow + upload-tag-name: ${{ inputs.tag }} # Tag from the initiation of the workflow # test-build: # if: ${{ !inputs.skip-tests }} @@ -148,7 +148,7 @@ jobs: path: ./artifact - name: Upload dist to release run: | - gh release upload "Release ${{ inputs.tag }}" ./artifact/* + gh release upload ${{ inputs.tag }} ./artifact/* env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}