Merge pull request #28822: Add python wheel staging to GitHub Actions…

… build_release_candidate
apache · Oct 6, 2023 · 795d366 · 795d366
2 parents ce217d3 + 57821c1
commit 795d366
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 10 deletions.
diff --git a/.github/workflows/build_release_candidate.yml b/.github/workflows/build_release_candidate.yml
@@ -20,7 +20,7 @@ on:
         description: Your Apache password. Required if you want to stage artifacts into https://dist.apache.org/repos/dist/dev/beam/
         required: false
       BEAM_SITE_TOKEN:
-        description:  Github Personal Access Token with repo permission if you want to create the beam-site docs PR. See https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.
+        description:  Github Personal Access Token with apache/beam-site repo permission if you want to create the beam-site docs PR. See https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens.
         default: ''
       PUBLISH_JAVA_ARTIFACTS:
         description: Whether to publish java artifacts to https://repository.apache.org/#stagingRepositories (yes/no)
@@ -34,6 +34,10 @@ on:
         description: Whether to stage SDK docker images to docker hub Apache organization
         required: true
         default: 'no'
+      STAGE_PYTHON_ARTIFACTS:
+        description: Whether to stage the python artifacts into https://dist.apache.org/repos/dist/dev/beam/
+        required: true
+        default: 'no'
       CREATE_BEAM_SITE_PR:
         description: Whether to create the documentation update PR against apache/beam-site.
         required: true
@@ -147,7 +151,74 @@ jobs:
             svn status
             svn commit -m "Staging Java artifacts for Apache Beam ${{ github.event.inputs.RELEASE }} RC${{ github.event.inputs.RC }}" --non-interactive --username ${{ github.event.inputs.APACHE_ID }} --password ${{ github.event.inputs.APACHE_PASSWORD }} 
         
-      
+  stage_python_artifacts:
+    if: ${{github.event.inputs.STAGE_PYTHON_ARTIFACTS == 'yes'}}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate and mask apache id/password
+        run: |
+          echo "::add-mask::${{ github.event.inputs.APACHE_PASSWORD }}"
+          if [ "${{ github.event.inputs.APACHE_ID }}" == "" ]
+          then
+            echo "Must provide an apache id to stage artifacts to https://dist.apache.org/repos/dist/dev/beam/"
+          fi
+          if [ "${{ github.event.inputs.APACHE_PASSWORD }}" == "" ]
+          then
+            echo "Must provide an apache password to stage artifacts to https://dist.apache.org/repos/dist/dev/beam/"
+          fi
+      - name: Setup environment
+        uses: ./.github/actions/setup-environment-action
+        with:
+          python-version: 3.8
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      - name: stage python artifacts
+        env:
+          RC_TAG: "v${{ github.event.inputs.RELEASE }}-RC${{ github.event.inputs.RC }}"
+          GIT_REPO_BASE_URL: https://github.com/apache/beam
+          RELEASE_DIR: "beam/${{ github.event.inputs.RELEASE }}"
+          SCRIPT_DIR: release/src/main/scripts
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          svn co https://dist.apache.org/repos/dist/dev/beam
+          mkdir -p "${SVN_ARTIFACTS_DIR}"
+          
+          RELEASE_COMMIT=$(git rev-list -n 1 "tags/${RC_TAG}")
+          
+          python "${SCRIPT_DIR}/download_github_actions_artifacts.py" \
+            --github-token-var GITHUB_TOKEN \
+            --repo-url "${GIT_REPO_BASE_URL}" \
+            --rc-tag "${RC_TAG}" \
+            --release-commit "${RELEASE_COMMIT}" \
+            --artifacts_dir "${RELEASE_DIR}/python"
+        
+          cd "${RELEASE_DIR}"/python
+        
+          echo "------Checking Hash Value for apache-beam-${RELEASE}.zip-----"
+          sha512sum -c "apache-beam-${RELEASE}.zip.sha512"
+        
+          echo "------Signing Source Release apache-beam-${RELEASE}.zip------"
+          gpg --local-user "${{steps.import_gpg.outputs.name}}" --armor --detach-sig "apache-beam-${RELEASE}.zip"
+        
+          for artifact in *.whl; do
+            echo "----------Checking Hash Value for ${artifact} wheel-----------"
+            sha512sum -c "${artifact}.sha512"
+          done
+        
+          for artifact in *.whl; do
+            echo "------------------Signing ${artifact} wheel-------------------"
+            gpg --local-user "${{steps.import_gpg.outputs.name}}" --armor --batch --yes --detach-sig "${artifact}"
+          done
+        
+          cd ..
+          svn add --force python
+          svn status
+          svn commit --no-auth-cache -m "Staging Python artifacts for Apache Beam ${RELEASE} RC${RC_NUM}"
+        
+
   stage_docker:
     if: ${{github.event.inputs.STAGE_DOCKER_ARTIFACTS == 'yes'}}
     # Note: if this ever changes to self-hosted, remove the "Remove default github maven configuration" step
@@ -192,7 +263,6 @@ jobs:
       - name: Push docker images
         run: ./gradlew :pushAllDockerImages -PisRelease -Pdocker-pull-licenses -Pprune-images -Pdocker-tag=${{ github.event.inputs.RELEASE }}rc${{ github.event.inputs.RC }} -Pjava11Home=${{steps.export-java11.outputs.JAVA11_HOME}} --no-daemon --no-parallel
 
-
   beam_site_pr:
     if: ${{github.event.inputs.CREATE_BEAM_SITE_PR == 'yes'}}
     # Note: if this ever changes to self-hosted, remove the "Remove default github maven configuration" step

diff --git a/release/src/main/scripts/download_github_actions_artifacts.py b/release/src/main/scripts/download_github_actions_artifacts.py
@@ -44,15 +44,15 @@ def parse_arguments():
       description=
       "Script for downloading GitHub Actions artifacts from 'Build python wheels' workflow."
   )
-  parser.add_argument("--github-user", required=True)
+  parser.add_argument("--github-token-var", required=False, default='GITHUB_TOKEN')
   parser.add_argument("--repo-url", required=True)
   parser.add_argument("--rc-tag", required=True)
   parser.add_argument("--release-commit", required=True)
   parser.add_argument("--artifacts_dir", required=True)
   parser.add_argument("--rc_number", required=False, default="")
 
   args = parser.parse_args()
-  github_token = ask_for_github_token()
+  github_token = get_github_token(args.github_token_var)
 
   print("You passed following arguments:")
   pprint.pprint({**vars(args), **{"github_token": github_token}})
@@ -61,19 +61,21 @@ def parse_arguments():
     print("You said NO. Quitting ...")
     sys.exit(1)
 
-  user_github_id = args.github_user
   repo_url = args.repo_url
   rc_tag = args.rc_tag
   release_commit = args.release_commit
   artifacts_dir = args.artifacts_dir if os.path.isabs(args.artifacts_dir) \
     else os.path.abspath(args.artifacts_dir)
   rc_number = args.rc_number
 
-  return github_token, user_github_id, repo_url, rc_tag, release_commit, artifacts_dir, rc_number
+  return github_token, repo_url, rc_tag, release_commit, artifacts_dir, rc_number
 
 
-def ask_for_github_token():
-  """Ask for github token and print basic information about it."""
+def get_github_token(github_token_var):
+  """Get GitHub token from env or ask for it and print basic information about it."""
+  if github_token_var in os.environ:
+    return os.environ[github_token_var]
+
   url = "https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token"
   message = (
       f"You need to have a github access token with public_repo scope. "
@@ -321,7 +323,6 @@ def extract_single_artifact(file_path, output_dir):
   )
   (
       github_token,
-      user_github_id,
       repo_url,
       rc_tag,
       release_commit,