awesome-bookmarks/wifi-ruview
3
0
Fork 0
mirror of https://github.com/ruvnet/RuView.git synced 2026-06-02 00:58:56 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
fd75d48b7048a564f1280be0cce20bda27d1a155
wifi-ruview/.github/workflows/pip-release.yml
T
dependabot[bot] fd75d48b70 chore(deps): bump actions/checkout from 4 to 6 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-25 19:32:43 +00:00

287 lines
12 KiB
YAML
Raw Blame History

# ADR-117 P5 — cibuildwheel + PyPI publish workflow for `wifi-densepose`
#
# This workflow is **explicitly NOT** triggered on every push. It runs only on:
# - a maintainer-dispatched `workflow_dispatch`
# - a pushed tag matching `v*-pip` (e.g. `v2.0.0-pip`)
#
# The reason for the `-pip` tag suffix is that the repo already cuts
# `v0.X.Y-esp32` tags for firmware releases (see CLAUDE.md). The `-pip`
# suffix keeps the pip release schedule independent of the firmware
# release schedule.
#
# Sequencing on release day (per ADR-117 §7.3):
# 1. cut tag `v1.99.0-pip` → publishes the tombstone wheel first
# 2. cut tag `v2.0.0-pip` → publishes the PyO3 v2 wheel matrix
#
# Publishes via the `PYPI_API_TOKEN` GitHub Actions secret. The
# token-refresh runbook (GCP Secret Manager → gh secret set) lives in
# docs/integrations/pypi-release.md so KICS does not flag the
# secret name as a generic-secret literal in the workflow.
#
# Q3 (witness hash v2 — open in ADR-117 §11.3) MUST be resolved
# before the first v2.0.0 publish. When v2 lands, add a parallel
# step that verifies the v2 hash against the Rust pipeline.
name: pip-release
on:
workflow_dispatch:
inputs:
target:
description: "Which package to release"
required: true
type: choice
options:
- v2-wheels
- v1-99-tombstone
publish_to:
description: "Where to publish"
required: true
default: testpypi
type: choice
options:
- testpypi # dry-run target
- pypi # production
push:
tags:
- "v*-pip"
permissions:
contents: read
jobs:
# ────────────────────────────────────────────────────────────────
# v2.0.0 — cibuildwheel matrix (5 wheels + sdist)
# ────────────────────────────────────────────────────────────────
build-wheels:
name: Build ${{ matrix.os }} ${{ matrix.arch }}
if: |
github.event_name == 'workflow_dispatch' && inputs.target == 'v2-wheels' ||
startsWith(github.ref, 'refs/tags/v2.')
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
arch: x86_64
- os: ubuntu-latest
arch: aarch64
- os: macos-13 # x86_64 runner
arch: x86_64
- os: macos-14 # arm64 runner
arch: arm64
- os: windows-latest
arch: AMD64
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v6
# Linux aarch64 needs QEMU for cross-build on x86_64 runners.
- name: Set up QEMU
if: matrix.os == 'ubuntu-latest' && matrix.arch == 'aarch64'
uses: docker/setup-qemu-action@v3
# ADR-117 §5.4: abi3-py310 — one binary per OS/arch covers all
# Python minor versions ≥ 3.10. Build only cp310 wheels.
- name: Build wheels (cibuildwheel)
uses: pypa/cibuildwheel@v2.21
env:
CIBW_BUILD: "cp310-*"
CIBW_ARCHS_LINUX: ${{ matrix.arch }}
CIBW_ARCHS_MACOS: ${{ matrix.arch }}
CIBW_ARCHS_WINDOWS: ${{ matrix.arch }}
CIBW_BUILD_FRONTEND: "build"
CIBW_BEFORE_BUILD: "pip install maturin>=1.7"
# The PyO3 sdist landing depends on the cargo/Rust toolchain
# being present. cibuildwheel images carry rustup on Linux
# but we also pin a known-good version for reproducibility.
CIBW_BEFORE_ALL_LINUX: "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.82"
CIBW_ENVIRONMENT_LINUX: 'PATH="$HOME/.cargo/bin:$PATH"'
# Smoke-test every built wheel before accepting it. Catches
# the case where the wheel imports but the compiled symbols
# are missing.
CIBW_TEST_REQUIRES: "pytest>=8.0"
CIBW_TEST_COMMAND: 'python -c "import wifi_densepose; assert wifi_densepose.hello() == \"ok\"; print(wifi_densepose.__build_features__)"'
with:
package-dir: python
output-dir: wheelhouse
- uses: actions/upload-artifact@v4
with:
name: wheels-${{ matrix.os }}-${{ matrix.arch }}
path: wheelhouse/*.whl
if-no-files-found: error
build-sdist:
name: Build v2 sdist
if: |
github.event_name == 'workflow_dispatch' && inputs.target == 'v2-wheels' ||
startsWith(github.ref, 'refs/tags/v2.')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install maturin
run: pip install maturin>=1.7
- name: Build sdist
working-directory: python
run: maturin sdist --out ../sdist
- uses: actions/upload-artifact@v4
with:
name: sdist
path: sdist/*.tar.gz
if-no-files-found: error
# ────────────────────────────────────────────────────────────────
# v1.99.0 — tombstone wheel (pure Python, single sdist + wheel)
# ────────────────────────────────────────────────────────────────
build-tombstone:
name: Build v1.99.0 tombstone
if: |
github.event_name == 'workflow_dispatch' && inputs.target == 'v1-99-tombstone' ||
startsWith(github.ref, 'refs/tags/v1.99')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install build backend
run: python -m pip install --upgrade pip build>=1.2
- name: Build sdist + wheel
working-directory: python/tombstone
run: python -m build --outdir ../../tombstone-dist
# Inspect what was actually built — the previous v1.99.0-pip run
# showed an `import wifi_densepose` that returned cleanly instead
# of raising, even though build logs said `adding 'wifi_densepose/__init__.py'`.
# Print the wheel manifest + the __init__.py content so any
# future regression is debuggable from the run log alone.
- name: Inspect wheel contents
run: |
set -e
WHL=tombstone-dist/wifi_densepose-1.99.0-py3-none-any.whl
echo "--- wheel listing ---"
python -m zipfile -l "$WHL"
echo "--- wifi_densepose/__init__.py inside the wheel ---"
python -m zipfile -e "$WHL" /tmp/tomb-inspect
cat /tmp/tomb-inspect/wifi_densepose/__init__.py
echo "--- size in bytes ---"
wc -c /tmp/tomb-inspect/wifi_densepose/__init__.py
# Smoke-test in an ISOLATED venv. The previous run's failure
# mode was that the ubuntu-latest runner's system `python` had
# site-packages picking up something other than the user-installed
# wheel, so the import resolved to a different module. A clean
# venv removes any ambiguity about which wifi_densepose is loaded.
- name: Smoke-test tombstone in isolated venv
run: |
set -e
# Copy the wheel to /tmp BEFORE entering the venv — we must
# cd OUT of the repo root because the repo contains a
# `wifi_densepose/` directory left over from the legacy v1
# source. Python puts cwd at sys.path[0], so an import from
# the repo root would resolve to the legacy directory and
# bypass the freshly-installed wheel entirely (this was the
# silent failure mode of the previous two run attempts).
cp tombstone-dist/wifi_densepose-1.99.0-py3-none-any.whl /tmp/
python -m venv /tmp/smoke-venv
/tmp/smoke-venv/bin/python -m pip install --upgrade pip
/tmp/smoke-venv/bin/python -m pip install /tmp/wifi_densepose-1.99.0-py3-none-any.whl
cd /tmp # away from the repo root's stray wifi_densepose/
/tmp/smoke-venv/bin/python -c "import importlib.util as u; s = u.find_spec('wifi_densepose'); print('Resolved to:', s.origin); print('--- file content ---'); print(open(s.origin).read())"
set +e
/tmp/smoke-venv/bin/python -c "import wifi_densepose" 2> import-output.txt
rc=$?
set -e
if [ "$rc" -eq 0 ]; then
echo "ERROR: tombstone import succeeded — should have raised ImportError"
exit 1
fi
if ! grep -q "github.com/ruvnet/RuView" import-output.txt; then
echo "ERROR: tombstone ImportError missing migration URL"
cat import-output.txt
exit 1
fi
echo "Tombstone wheel correctly raises ImportError with migration URL."
- uses: actions/upload-artifact@v4
with:
name: tombstone
path: tombstone-dist/*
if-no-files-found: error
# ────────────────────────────────────────────────────────────────
# Publish — gated by manual dispatch OR by the tag form
# ────────────────────────────────────────────────────────────────
publish-v2:
name: Publish v2 wheels
needs: [build-wheels, build-sdist]
if: |
always() &&
needs.build-wheels.result == 'success' &&
needs.build-sdist.result == 'success' &&
(
github.event_name == 'workflow_dispatch' && inputs.target == 'v2-wheels' ||
startsWith(github.ref, 'refs/tags/v2.')
)
runs-on: ubuntu-latest
steps:
- name: Gather all artifacts into dist/
uses: actions/download-artifact@v4
with:
path: dist-staging
- name: Flatten artifacts
run: |
mkdir -p dist
find dist-staging -type f \( -name '*.whl' -o -name '*.tar.gz' \) -exec cp -v {} dist/ \;
ls -lh dist/
- name: Publish to TestPyPI (dry-run target)
if: github.event_name == 'workflow_dispatch' && inputs.publish_to == 'testpypi'
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: dist
skip-existing: true
- name: Publish to PyPI
if: |
startsWith(github.ref, 'refs/tags/v2.') ||
(github.event_name == 'workflow_dispatch' && inputs.publish_to == 'pypi')
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: dist
publish-tombstone:
name: Publish v1.99 tombstone
needs: [build-tombstone]
if: |
always() &&
needs.build-tombstone.result == 'success' &&
(
github.event_name == 'workflow_dispatch' && inputs.target == 'v1-99-tombstone' ||
startsWith(github.ref, 'refs/tags/v1.99')
)
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
with:
name: tombstone
path: dist
- name: Publish to TestPyPI (dry-run target)
if: github.event_name == 'workflow_dispatch' && inputs.publish_to == 'testpypi'
uses: pypa/gh-action-pypi-publish@release/v1
with:
repository-url: https://test.pypi.org/legacy/
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: dist
skip-existing: true
- name: Publish to PyPI
if: |
startsWith(github.ref, 'refs/tags/v1.99') ||
(github.event_name == 'workflow_dispatch' && inputs.publish_to == 'pypi')
uses: pypa/gh-action-pypi-publish@release/v1
with:
password: ${{ secrets.PYPI_API_TOKEN }}
packages-dir: dist
Reference in New Issue View Git Blame Copy Permalink