Add Trivy security scanner #24969
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# GENERATED, DO NOT EDIT! | |
# To change, edit `src/python/pants_release/generate_github_workflows.py` and run: | |
# ./pants run src/python/pants_release/generate_github_workflows.py | |
concurrency: | |
cancel-in-progress: true | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
env: | |
PANTS_CONFIG_FILES: +['pants.ci.toml'] | |
RUST_BACKTRACE: all | |
jobs: | |
bootstrap_pants_linux_arm64: | |
env: | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Bootstrap Pants, test Rust (Linux-ARM64) | |
needs: | |
- classify_changes | |
runs-on: | |
- self-hosted | |
- runs-on | |
- runner=4cpu-linux-arm64 | |
- image=ubuntu22-full-arm64-python3.7-3.13 | |
- run-id=${{ github.run_id }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Set rustup profile | |
run: rustup set profile default | |
- name: Cache Rust toolchain | |
uses: actions/cache@v4 | |
with: | |
key: Linux-ARM64-rustup-${{ hashFiles('src/rust/engine/rust-toolchain') }}-v2 | |
path: '~/.rustup/toolchains/1.83.0-* | |
~/.rustup/update-hashes | |
~/.rustup/settings.toml | |
' | |
- name: Cache Cargo | |
uses: benjyw/rust-cache@5ed697a6894712d2854c80635bb00a2496ea307a | |
with: | |
cache-bin: 'false' | |
shared-key: engine | |
workspaces: src/rust/engine | |
- id: get-engine-hash | |
name: Get native engine hash | |
run: echo "hash=$(./build-support/bin/rust/print_engine_hash.sh)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache native engine | |
uses: actions/cache@v4 | |
with: | |
key: Linux-ARM64-engine-${{ steps.get-engine-hash.outputs.hash }}-v1 | |
path: 'src/python/pants/bin/native_client | |
src/python/pants/engine/internals/native_engine.so | |
src/python/pants/engine/internals/native_engine.so.metadata' | |
- name: Bootstrap Pants | |
run: ./pants version > ${{ runner.temp }}/_pants_version.stdout && [[ -s ${{ runner.temp }}/_pants_version.stdout ]] | |
- name: Run smoke tests | |
run: './pants list :: | |
./pants roots | |
./pants help goals | |
./pants help targets | |
./pants help subsystems | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-bootstrap-Linux-ARM64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
- name: Upload native binaries | |
uses: actions/upload-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-ARM64 | |
path: 'src/python/pants/bin/native_client | |
src/python/pants/engine/internals/native_engine.so | |
src/python/pants/engine/internals/native_engine.so.metadata' | |
- env: | |
TMPDIR: ${{ runner.temp }} | |
if: needs.classify_changes.outputs.rust == 'true' | |
name: Test Rust | |
run: ./cargo test --locked --tests -- --nocapture | |
timeout-minutes: 60 | |
bootstrap_pants_linux_x86_64: | |
env: | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Bootstrap Pants, test and lint Rust (Linux-x86_64) | |
needs: | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Set rustup profile | |
run: rustup set profile default | |
- name: Cache Rust toolchain | |
uses: actions/cache@v4 | |
with: | |
key: Linux-x86_64-rustup-${{ hashFiles('src/rust/engine/rust-toolchain') }}-v2 | |
path: '~/.rustup/toolchains/1.83.0-* | |
~/.rustup/update-hashes | |
~/.rustup/settings.toml | |
' | |
- name: Cache Cargo | |
uses: benjyw/rust-cache@5ed697a6894712d2854c80635bb00a2496ea307a | |
with: | |
cache-bin: 'false' | |
shared-key: engine | |
workspaces: src/rust/engine | |
- id: get-engine-hash | |
name: Get native engine hash | |
run: echo "hash=$(./build-support/bin/rust/print_engine_hash.sh)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache native engine | |
uses: actions/cache@v4 | |
with: | |
key: Linux-x86_64-engine-${{ steps.get-engine-hash.outputs.hash }}-v1 | |
path: 'src/python/pants/bin/native_client | |
src/python/pants/engine/internals/native_engine.so | |
src/python/pants/engine/internals/native_engine.so.metadata' | |
- name: Bootstrap Pants | |
run: ./pants version > ${{ runner.temp }}/_pants_version.stdout && [[ -s ${{ runner.temp }}/_pants_version.stdout ]] | |
- name: Run smoke tests | |
run: './pants list :: | |
./pants roots | |
./pants help goals | |
./pants help targets | |
./pants help subsystems | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-bootstrap-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
- name: Upload native binaries | |
uses: actions/upload-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: 'src/python/pants/bin/native_client | |
src/python/pants/engine/internals/native_engine.so | |
src/python/pants/engine/internals/native_engine.so.metadata' | |
- name: Validate CI config | |
run: './pants run src/python/pants_release/generate_github_workflows.py -- --check | |
' | |
- env: | |
TMPDIR: ${{ runner.temp }} | |
if: needs.classify_changes.outputs.rust == 'true' | |
name: Test and lint Rust | |
run: 'sudo apt-get install -y pkg-config fuse libfuse-dev | |
./build-support/bin/check_rust_pre_commit.sh | |
./cargo test --locked --all --tests --benches -- --nocapture | |
./cargo doc' | |
timeout-minutes: 60 | |
bootstrap_pants_macos13_x86_64: | |
env: | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Bootstrap Pants, test Rust (macOS13-x86_64) | |
needs: | |
- classify_changes | |
runs-on: | |
- macos-13 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Set rustup profile | |
run: rustup set profile default | |
- name: Cache Rust toolchain | |
uses: actions/cache@v4 | |
with: | |
key: macOS13-x86_64-rustup-${{ hashFiles('src/rust/engine/rust-toolchain') }}-v2 | |
path: '~/.rustup/toolchains/1.83.0-* | |
~/.rustup/update-hashes | |
~/.rustup/settings.toml | |
' | |
- name: Cache Cargo | |
uses: benjyw/rust-cache@5ed697a6894712d2854c80635bb00a2496ea307a | |
with: | |
cache-bin: 'false' | |
shared-key: engine | |
workspaces: src/rust/engine | |
- id: get-engine-hash | |
name: Get native engine hash | |
run: echo "hash=$(./build-support/bin/rust/print_engine_hash.sh)" >> $GITHUB_OUTPUT | |
shell: bash | |
- name: Cache native engine | |
uses: actions/cache@v4 | |
with: | |
key: macOS13-x86_64-engine-${{ steps.get-engine-hash.outputs.hash }}-v1 | |
path: 'src/python/pants/bin/native_client | |
src/python/pants/engine/internals/native_engine.so | |
src/python/pants/engine/internals/native_engine.so.metadata' | |
- name: Bootstrap Pants | |
run: ./pants version > ${{ runner.temp }}/_pants_version.stdout && [[ -s ${{ runner.temp }}/_pants_version.stdout ]] | |
- name: Run smoke tests | |
run: './pants list :: | |
./pants roots | |
./pants help goals | |
./pants help targets | |
./pants help subsystems | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-bootstrap-macOS13-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
- name: Upload native binaries | |
uses: actions/upload-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.macOS13-x86_64 | |
path: 'src/python/pants/bin/native_client | |
src/python/pants/engine/internals/native_engine.so | |
src/python/pants/engine/internals/native_engine.so.metadata' | |
- env: | |
TMPDIR: ${{ runner.temp }} | |
if: needs.classify_changes.outputs.rust == 'true' | |
name: Test Rust | |
run: ./cargo test --locked --tests -- --nocapture | |
timeout-minutes: 60 | |
build_wheels_linux_arm64: | |
container: | |
image: quay.io/pypa/manylinux_2_28_aarch64:latest | |
env: | |
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | |
MODE: debug | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: ((github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.release == 'true' || needs.classify_changes.outputs.ci_config | |
== 'true')) && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Build wheels (Linux-ARM64) | |
needs: | |
- classify_changes | |
runs-on: | |
- self-hosted | |
- runs-on | |
- runner=4cpu-linux-arm64 | |
- image=ubuntu22-full-arm64-python3.7-3.13 | |
- run-id=${{ github.run_id }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Configure Git | |
run: git config --global safe.directory "$GITHUB_WORKSPACE" | |
- name: Install rustup | |
run: 'curl --proto ''=https'' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -v -y --default-toolchain none | |
echo "${HOME}/.cargo/bin" >> $GITHUB_PATH | |
' | |
- name: Expose Pythons | |
run: 'echo "/opt/python/cp37-cp37m/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp38-cp38/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp39-cp39/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp310-cp310/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp311-cp311/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp312-cp312/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp313-cp313/bin" >> $GITHUB_PATH | |
' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Install Python headers | |
run: yum install -y python3.11-devel | |
- env: {} | |
name: Build wheels | |
run: ./pants run src/python/pants_release/release.py -- build-wheels | |
- env: {} | |
name: Build Pants PEX | |
run: ./pants package src/python/pants:pants-pex | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-wheels-and-pex-Linux-ARM64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
build_wheels_linux_x86_64: | |
container: | |
image: quay.io/pypa/manylinux_2_28_x86_64:latest | |
env: | |
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | |
MODE: debug | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: ((github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.release == 'true' || needs.classify_changes.outputs.ci_config | |
== 'true')) && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Build wheels (Linux-x86_64) | |
needs: | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Configure Git | |
run: git config --global safe.directory "$GITHUB_WORKSPACE" | |
- name: Install rustup | |
run: 'curl --proto ''=https'' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -v -y --default-toolchain none | |
echo "${HOME}/.cargo/bin" >> $GITHUB_PATH | |
' | |
- name: Expose Pythons | |
run: 'echo "/opt/python/cp37-cp37m/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp38-cp38/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp39-cp39/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp310-cp310/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp311-cp311/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp312-cp312/bin" >> $GITHUB_PATH | |
echo "/opt/python/cp313-cp313/bin" >> $GITHUB_PATH | |
' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
name: Build wheels | |
run: ./pants run src/python/pants_release/release.py -- build-wheels | |
- env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
name: Build Pants PEX | |
run: ./pants package src/python/pants:pants-pex | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-wheels-and-pex-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
build_wheels_macos13_x86_64: | |
env: | |
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: false | |
MODE: debug | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: ((github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.release == 'true' || needs.classify_changes.outputs.ci_config | |
== 'true')) && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Build wheels (macOS13-x86_64) | |
needs: | |
- classify_changes | |
runs-on: | |
- macos-13 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Set rustup profile | |
run: rustup set profile default | |
- name: Cache Rust toolchain | |
uses: actions/cache@v4 | |
with: | |
key: macOS13-x86_64-rustup-${{ hashFiles('src/rust/engine/rust-toolchain') }}-v2 | |
path: '~/.rustup/toolchains/1.83.0-* | |
~/.rustup/update-hashes | |
~/.rustup/settings.toml | |
' | |
- name: Cache Cargo | |
uses: benjyw/rust-cache@5ed697a6894712d2854c80635bb00a2496ea307a | |
with: | |
cache-bin: 'false' | |
shared-key: engine | |
workspaces: src/rust/engine | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- env: | |
ARCHFLAGS: -arch x86_64 | |
name: Build wheels | |
run: ./pants run src/python/pants_release/release.py -- build-wheels | |
- env: | |
ARCHFLAGS: -arch x86_64 | |
name: Build Pants PEX | |
run: ./pants package src/python/pants:pants-pex | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-wheels-and-pex-macOS13-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
build_wheels_macos14_arm64: | |
env: | |
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: false | |
MODE: debug | |
PANTS_REMOTE_CACHE_READ: 'false' | |
PANTS_REMOTE_CACHE_WRITE: 'false' | |
if: ((github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.release == 'true' || needs.classify_changes.outputs.ci_config | |
== 'true')) && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Build wheels (macOS14-ARM64) | |
needs: | |
- classify_changes | |
runs-on: | |
- macos-14 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Set up Python 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Set rustup profile | |
run: rustup set profile default | |
- name: Cache Rust toolchain | |
uses: actions/cache@v4 | |
with: | |
key: macOS14-ARM64-rustup-${{ hashFiles('src/rust/engine/rust-toolchain') }}-v2 | |
path: '~/.rustup/toolchains/1.83.0-* | |
~/.rustup/update-hashes | |
~/.rustup/settings.toml | |
' | |
- name: Cache Cargo | |
uses: benjyw/rust-cache@5ed697a6894712d2854c80635bb00a2496ea307a | |
with: | |
cache-bin: 'false' | |
shared-key: engine | |
workspaces: src/rust/engine | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
version: 23.x | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- env: | |
ARCHFLAGS: -arch arm64 | |
name: Build wheels | |
run: ./pants run src/python/pants_release/release.py -- build-wheels | |
- env: | |
ARCHFLAGS: -arch arm64 | |
name: Build Pants PEX | |
run: ./pants package src/python/pants:pants-pex | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-wheels-and-pex-macOS14-ARM64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
check_release_notes: | |
if: github.repository_owner == 'pantsbuild' | |
name: Ensure PR has release notes | |
needs: | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
if: github.event_name == 'pull_request' && !needs.classify_changes.outputs.notes | |
name: Ensure appropriate label | |
uses: mheap/github-action-required-labels@v4.0.0 | |
with: | |
count: 1 | |
labels: release-notes:not-required, category:internal | |
message: "\nPlease do one of:\n\n- add release notes to the appropriate file in `docs/notes`\n\n- label this PR with\ | |
\ `release-notes:not-required` if it does not need them (for\n instance, if this is fixing a minor typo in documentation)\n\ | |
\n- label this PR with `category:internal` if it's an internal change\n\nFeel free to ask a maintainer for help\ | |
\ if you are not sure what is appropriate!\n" | |
mode: minimum | |
classify_changes: | |
if: github.repository_owner == 'pantsbuild' | |
name: Classify changes | |
outputs: | |
ci_config: ${{ steps.classify.outputs.ci_config }} | |
docs: ${{ steps.classify.outputs.docs }} | |
docs_only: ${{ steps.classify.outputs.docs_only }} | |
notes: ${{ steps.classify.outputs.notes }} | |
other: ${{ steps.classify.outputs.other }} | |
release: ${{ steps.classify.outputs.release }} | |
rust: ${{ steps.classify.outputs.rust }} | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- id: classify | |
name: Classify changed files | |
run: "if [[ -z $GITHUB_EVENT_PULL_REQUEST_BASE_SHA ]]; then\n # push: compare to the immediate parent, which should\ | |
\ already be fetched\n # (checkout's fetch_depth defaults to 10)\n comparison_sha=$(git rev-parse HEAD^)\nelse\n\ | |
\ # pull request: compare to the base branch, ensuring that commit exists\n git fetch --depth=1 \"$GITHUB_EVENT_PULL_REQUEST_BASE_SHA\"\ | |
\n comparison_sha=\"$GITHUB_EVENT_PULL_REQUEST_BASE_SHA\"\nfi\necho \"comparison_sha=$comparison_sha\"\n\naffected=$(git\ | |
\ diff --name-only \"$comparison_sha\" HEAD | python build-support/bin/classify_changed_files.py)\necho \"Affected:\"\ | |
\nif [[ \"${affected}\" == \"docs\" || \"${affected}\" == \"docs notes\" ]]; then\n echo \"docs_only=true\" | tee\ | |
\ -a $GITHUB_OUTPUT\nfi\nfor i in ${affected}; do\n echo \"${i}=true\" | tee -a $GITHUB_OUTPUT\ndone\n" | |
lint_python: | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Lint Python and Shell | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Lint | |
run: './pants lint check :: | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-lint-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 30 | |
merge_ok: | |
if: always() | |
name: Merge OK | |
needs: | |
- set_merge_ok | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- run: "merge_ok=\"${{ needs.set_merge_ok.outputs.merge_ok }}\"\nif [[ \"${merge_ok}\" == \"true\" ]]; then\n echo\ | |
\ \"Merge OK\"\n exit 0\nelse\n echo \"Merge NOT OK\"\n exit 1\nfi\n" | |
set_merge_ok: | |
if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') | |
name: Set Merge OK | |
needs: | |
- classify_changes | |
- check_release_notes | |
- bootstrap_pants_linux_arm64 | |
- bootstrap_pants_linux_x86_64 | |
- bootstrap_pants_macos13_x86_64 | |
- build_wheels_linux_arm64 | |
- build_wheels_linux_x86_64 | |
- build_wheels_macos13_x86_64 | |
- build_wheels_macos14_arm64 | |
- check_release_notes | |
- classify_changes | |
- lint_python | |
- test_python_linux_arm64 | |
- test_python_linux_x86_64_0 | |
- test_python_linux_x86_64_1 | |
- test_python_linux_x86_64_2 | |
- test_python_linux_x86_64_3 | |
- test_python_linux_x86_64_4 | |
- test_python_linux_x86_64_5 | |
- test_python_linux_x86_64_6 | |
- test_python_linux_x86_64_7 | |
- test_python_linux_x86_64_8 | |
- test_python_linux_x86_64_9 | |
- test_python_macos13_x86_64 | |
outputs: | |
merge_ok: ${{ steps.set_merge_ok.outputs.merge_ok }} | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- id: set_merge_ok | |
run: echo 'merge_ok=true' >> ${GITHUB_OUTPUT} | |
test_python_linux_arm64: | |
env: {} | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-ARM64) | |
needs: | |
- bootstrap_pants_linux_arm64 | |
- classify_changes | |
runs-on: | |
- self-hosted | |
- runs-on | |
- runner=4cpu-linux-arm64 | |
- image=ubuntu22-full-arm64-python3.7-3.13 | |
- run-id=${{ github.run_id }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-ARM64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python tests | |
run: './pants --tag=+platform_specific_behavior test :: -- -m platform_specific_behavior | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-ARM64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-Linux-ARM64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_0: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 0/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 0/10 | |
run: './pants test --shard=0/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-0_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_1: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 1/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 1/10 | |
run: './pants test --shard=1/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-1_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_2: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 2/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 2/10 | |
run: './pants test --shard=2/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-2_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_3: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 3/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 3/10 | |
run: './pants test --shard=3/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-3_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_4: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 4/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 4/10 | |
run: './pants test --shard=4/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-4_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_5: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 5/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 5/10 | |
run: './pants test --shard=5/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-5_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_6: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 6/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 6/10 | |
run: './pants test --shard=6/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-6_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_7: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 7/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 7/10 | |
run: './pants test --shard=7/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-7_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_8: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 8/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 8/10 | |
run: './pants test --shard=8/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-8_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_linux_x86_64_9: | |
env: | |
PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1' | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (Linux-x86_64) Shard 9/10 | |
needs: | |
- bootstrap_pants_linux_x86_64 | |
- classify_changes | |
runs-on: | |
- ubuntu-22.04 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
name: Launch bazel-remote | |
run: "mkdir -p ~/bazel-remote\nif [[ -z \"${AWS_ACCESS_KEY_ID}\" ]]; then\n CACHE_WRITE=false\n # If no secret read/write\ | |
\ creds, use hard-coded read-only creds, so that\n # cross-fork PRs can at least read from the cache.\n # These\ | |
\ creds are hard-coded here in this public repo, which makes the bucket\n # world-readable. But since putting raw\ | |
\ AWS tokens in a public repo, even\n # deliberately, is icky, we base64-them. This will at least help hide from\n\ | |
\ # automated scanners that look for checked in AWS keys.\n # Not that it would be terrible if we were scanned,\ | |
\ since this is public\n # on purpose, but it's best not to draw attention.\n AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK'\ | |
\ | base64 -d)\n AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' | base64\ | |
\ -d)\nelse\n CACHE_WRITE=true\nfi\ndocker run --detach -u 1001:1000 -v ~/bazel-remote:/data \ | |
\ -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key\ | |
\ --s3.access_key_id=\"${AWS_ACCESS_KEY_ID}\" --s3.secret_access_key=\"${AWS_SECRET_ACCESS_KEY}\"\ | |
\ --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com \ | |
\ --max_size 30\necho \"PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092\" >> \"$GITHUB_ENV\"\necho\ | |
\ \"PANTS_REMOTE_CACHE_READ=true\" >> \"$GITHUB_ENV\"\necho \"PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}\" >> \"$GITHUB_ENV\"\ | |
\n" | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- if: runner.os == 'Linux' | |
name: Download Apache `thrift` binary (Linux) | |
run: 'mkdir -p "${HOME}/.thrift" | |
curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift" | |
chmod +x "${HOME}/.thrift/thrift" | |
echo "${HOME}/.thrift" >> $GITHUB_PATH | |
' | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.Linux-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python test shard 9/10 | |
run: './pants test --shard=9/10 :: | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-9_10-Linux-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
test_python_macos13_x86_64: | |
env: | |
ARCHFLAGS: -arch x86_64 | |
if: (github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.docs_only != 'true') | |
name: Test Python (macOS13-x86_64) | |
needs: | |
- bootstrap_pants_macos13_x86_64 | |
- classify_changes | |
runs-on: | |
- macos-13 | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 10 | |
- name: Install AdoptJDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: adopt | |
java-version: '11' | |
- name: Install Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: 1.19.5 | |
- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11 | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7 | |
3.8 | |
3.9 | |
3.10 | |
3.12 | |
3.13 | |
3.11' | |
- name: Download native binaries | |
uses: actions/download-artifact@v4 | |
with: | |
name: native_binaries.${{ matrix.python-version }}.macOS13-x86_64 | |
path: src/python/pants | |
- name: Make native-client runnable | |
run: chmod +x src/python/pants/bin/native_client | |
- name: Run Python tests | |
run: './pants --tag=+platform_specific_behavior test :: -- -m platform_specific_behavior | |
' | |
- continue-on-error: true | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
if: always() | |
name: Upload test reports | |
run: 'export S3_DST=s3://logs.pantsbuild.org/test/reports/macOS13-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB} | |
echo "Uploading test reports to ${S3_DST}" | |
./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path="" | |
' | |
- continue-on-error: true | |
if: always() | |
name: Upload pants.log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: logs-python-test-macOS13-x86_64 | |
overwrite: 'true' | |
path: .pants.d/workdir/*.log | |
timeout-minutes: 90 | |
name: Pull Request CI | |
'on': | |
pull_request: {} | |
push: | |
branches: | |
- main | |
- 2.*.x |