From f59491d36f30b2d94485518c824e4d14946ee15c Mon Sep 17 00:00:00 2001
From: Jonathan Schwender <55576758+jschwe@users.noreply.github.com>
Date: Sat, 11 Apr 2026 07:50:28 +0200
Subject: [PATCH] CI: Simplify release workflow (#44085)

Using the new yaml anchor feature, we can inline the upload_release workflow file without duplicating code. In combination with the matrix feature this allows us to remove quite a bit of duplication. I'm not sure why we didn't use matrix to begin with.

This is also a preparation for a follow-up PR, that uses github environments to improve secret protection, since reusable workflows don't support environments.

Testing: [manually triggered nightly release](https://github.com/servo/servo/actions/runs/24236862409)

Signed-off-by: Jonathan Schwender
---
.github/workflows/release.yml | 308 +++++++--------------------
.github/workflows/upload_release.yml | 69 ------
2 files changed, 78 insertions(+), 299 deletions(-)
delete mode 100644 .github/workflows/upload_release.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5a64b901dee..a90a27a3eeb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -100,12 +100,8 @@ jobs:
needs:
- create-draft-release
- upload-vendored-source
- - upload-linux-nightly
- - upload-win-nightly
- - upload-mac-nightly
- - upload-mac-arm64-nightly
- - upload-android-nightly
- - upload-ohos-nightly
+ - upload-artifacts-nightly
+ - upload-artifacts-release

publish-crates-io:
name: 'Publish to crates.io'
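Review bot: The job whose `needs` list this hunk edits now depends on both `upload-artifacts-nightly` and `upload-artifacts-release`, but their `if` conditions later in the diff are mutually exclusive, so exactly one of them is skipped on every run, and GitHub skips a dependent job when any `needs` entry was skipped unless the dependent's own `if` uses `always()` or `!cancelled()` and inspects `needs.*.result`. The job's name and `if` sit above this hunk, so whether such a guard exists cannot be seen here; if it does not, this job would never run after this change, whereas the old list contained only the nightly upload jobs. If the job is meant to run on both paths, guard it with something like `if: ${{ !cancelled() && needs.upload-artifacts-nightly.result != 'failure' && needs.upload-artifacts-release.result != 'failure' }}`; if it is nightly-only, keep only `upload-artifacts-nightly` in `needs`.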
@@ -175,45 +171,98 @@ jobs: env: GITHUB_TOKEN: ${{ inputs.regular_release && github.token || secrets.NIGHTLY_REPO_TOKEN }} - upload-win-nightly: + upload-artifacts-nightly: # Only run scheduled nightly builds on upstream servo. if: | (github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch') && (inputs.regular_release || false) == false + runs-on: ubuntu-latest permissions: id-token: write attestations: write - needs: + needs: &upload-artifacts-needs - create-draft-release - build-win - secrets: - github_upload_token: ${{ secrets.NIGHTLY_REPO_TOKEN }} - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-win.outputs.artifact_ids }} - artifact_platform: windows-msvc - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} + - build-mac + - build-mac-arm64 + - build-linux + - build-android + - build-ohos + strategy: &upload-artifacts-strategy + fail-fast: false + matrix: + include: + - artifact_ids: ${{ needs.build-win.outputs.artifact_ids }} + artifact_platform: windows-msvc + - artifact_ids: ${{ needs.build-mac.outputs.artifact_ids }} + artifact_platform: mac + - artifact_ids: ${{ needs.build-mac-arm64.outputs.artifact_ids }} + artifact_platform: mac-arm64 + - artifact_ids: ${{ needs.build-linux.outputs.artifact_ids }} + artifact_platform: linux + - artifact_ids: ${{ needs.build-android.outputs.artifact_ids }} + artifact_platform: android + - artifact_ids: ${{ needs.build-ohos.outputs.artifact_ids }} + artifact_platform: ohos + env: + ARTIFACT_IDS: ${{ matrix.artifact_ids }} + ARTIFACT_PLATFORM: ${{ matrix.artifact_platform }} + GITHUB_RELEASE_ID: ${{ needs.create-draft-release.outputs.release-id }} + RELEASE_REPO: ${{ github.repository_owner }}/servo-nightly-builds + RELEASE_REPO_TOKEN: ${{ secrets.NIGHTLY_REPO_TOKEN }} + 
S3_UPLOAD_CREDENTIALS: ${{ secrets.S3_UPLOAD_CREDENTIALS }} + steps: &upload-artifacts-steps + - uses: actions/checkout@v6 + with: + sparse-checkout: | + .github + etc/ci + fetch-depth: '1' + - name: Setup Python + uses: ./.github/actions/setup-python + - name: Validate artifact IDs + run: | + if [[ -z "${ARTIFACT_IDS}" ]]; then + echo "Error: No artifact IDs provided." + echo "Help: Check the build job's outputs.artifact_ids value." + echo "If you recently renamed the build job without updating the corresponding output reference," + echo "that is likely the cause of this error." + exit 1 + fi + - uses: actions/download-artifact@v8 + with: + artifact-ids: ${{ env.ARTIFACT_IDS }} + merge-multiple: true + path: release-artifacts + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v3 + with: + subject-path: 'release-artifacts/*' + - name: Upload release artifacts + run: | + ./etc/ci/upload_nightly.py "${ARTIFACT_PLATFORM}" \ + --secret-from-environment \ + --github-release-id "${GITHUB_RELEASE_ID}" \ + release-artifacts/* - upload-win-release: + upload-artifacts-release: if: github.event_name == 'workflow_dispatch' && inputs.regular_release + runs-on: ubuntu-latest permissions: id-token: write attestations: write # Necessary for the github token to upload artifacts to the release. 
contents: write - needs: - - create-draft-release - - build-win - secrets: - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-win.outputs.artifact_ids }} - artifact_platform: windows-msvc - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} + needs: *upload-artifacts-needs + strategy: *upload-artifacts-strategy + env: + ARTIFACT_IDS: ${{ matrix.artifact_ids }} + ARTIFACT_PLATFORM: ${{ matrix.artifact_platform }} + GITHUB_RELEASE_ID: ${{ needs.create-draft-release.outputs.release-id }} + RELEASE_REPO: ${{ github.repository_owner }}/servo + RELEASE_REPO_TOKEN: ${{ github.token }} + S3_UPLOAD_CREDENTIALS: ${{ secrets.S3_UPLOAD_CREDENTIALS }} + steps: *upload-artifacts-steps build-mac: 
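Review bot: `RELEASE_REPO_TOKEN` and `S3_UPLOAD_CREDENTIALS` are now declared in the job-level `env` of both `upload-artifacts-nightly` and `upload-artifacts-release`, which exposes them as environment variables to every step in the shared `&upload-artifacts-steps` anchor — `actions/checkout`, `setup-python`, `download-artifact` and `attest-build-provenance` — whereas the deleted `upload_release.yml` scoped both secrets to the single `Upload release artifacts` step's `env`. Because the anchored steps cannot differ per job, move the two secrets into that step's own `env` and select the token with the conditional this file already uses for `GITHUB_TOKEN` at the top of the hunk, `${{ inputs.regular_release && github.token || secrets.NIGHTLY_REPO_TOKEN }}`, leaving only the non-secret `ARTIFACT_*`, `GITHUB_RELEASE_ID` and `RELEASE_REPO` values at job level. Separately, `needs: &upload-artifacts-needs` now lists all six build jobs, so one failed platform build skips the whole upload job for every platform (`fail-fast: false` only governs matrix entries, not a failed dependency), where the old per-platform jobs depended only on their own build; if that is not intended, add `!cancelled()` to the job `if` and gate each matrix entry on its build's `result`. The action references (`checkout@v6`, `download-artifact@v8`, `attest-build-provenance@v3`) remain mutable tags; pinning them to full commit SHAs would close the remaining supply-chain gap in a job that holds release-upload credentials.
```yaml
# … unchanged: checkout, setup-python, validate-artifact-ids, download-artifact, attest steps …
- name: Upload release artifacts
  env:
    RELEASE_REPO_TOKEN: ${{ inputs.regular_release && github.token || secrets.NIGHTLY_REPO_TOKEN }}
    S3_UPLOAD_CREDENTIALS: ${{ secrets.S3_UPLOAD_CREDENTIALS }}
  # … unchanged: run block invoking ./etc/ci/upload_nightly.py …
```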
@@ -225,46 +274,6 @@ jobs: profile: "production" force-github-hosted-runner: true # - upload-mac-nightly: - # Only run scheduled nightly builds on upstream servo. - if: | - (github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch') - && (inputs.regular_release || false) == false - permissions: - id-token: write - attestations: write - needs: - - create-draft-release - - build-mac - secrets: - github_upload_token: ${{ secrets.NIGHTLY_REPO_TOKEN }} - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-mac.outputs.artifact_ids }} - artifact_platform: mac - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - - upload-mac-release: - if: github.event_name == 'workflow_dispatch' && inputs.regular_release - permissions: - id-token: write - attestations: write - # Necessary for the github token to upload artifacts to the release. - contents: write - needs: - - create-draft-release - - build-mac - secrets: - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-mac.outputs.artifact_ids }} - artifact_platform: mac - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - build-mac-arm64: # This job is only useful when run on upstream servo. if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch' 
@@ -274,46 +283,6 @@ jobs: profile: "production" force-github-hosted-runner: true # - upload-mac-arm64-nightly: - # Only run scheduled nightly builds on upstream servo. - if: | - (github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch') - && (inputs.regular_release || false) == false - permissions: - id-token: write - attestations: write - needs: - - create-draft-release - - build-mac-arm64 - secrets: - github_upload_token: ${{ secrets.NIGHTLY_REPO_TOKEN }} - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-mac-arm64.outputs.artifact_ids }} - artifact_platform: mac-arm64 - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - - upload-mac-arm64-release: - if: github.event_name == 'workflow_dispatch' && inputs.regular_release - permissions: - id-token: write - attestations: write - # Necessary for the github token to upload artifacts to the release. - contents: write - needs: - - create-draft-release - - build-mac-arm64 - secrets: - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-mac-arm64.outputs.artifact_ids }} - artifact_platform: mac-arm64 - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - build-linux: # This job is only useful when run on upstream servo. if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch' 
@@ -323,46 +292,6 @@ jobs: profile: "production" force-github-hosted-runner: true # - upload-linux-nightly: - # Only run scheduled nightly builds on upstream servo. - if: | - (github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch') - && (inputs.regular_release || false) == false - permissions: - id-token: write - attestations: write - needs: - - create-draft-release - - build-linux - secrets: - github_upload_token: ${{ secrets.NIGHTLY_REPO_TOKEN }} - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-linux.outputs.artifact_ids }} - artifact_platform: linux - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - - upload-linux-release: - if: github.event_name == 'workflow_dispatch' && inputs.regular_release - permissions: - id-token: write - attestations: write - # Necessary for the github token to upload artifacts to the release. - contents: write - needs: - - create-draft-release - - build-linux - secrets: - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-linux.outputs.artifact_ids }} - artifact_platform: linux - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - build-android: # This job is only useful when run on upstream servo. if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch' 
@@ -372,47 +301,6 @@ jobs: profile: "release" secrets: inherit - upload-android-nightly: - # Only run scheduled nightly builds on upstream servo. - if: | - (github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch') - && (inputs.regular_release || false) == false - permissions: - id-token: write - attestations: write - needs: - - create-draft-release - - build-android - secrets: - github_upload_token: ${{ secrets.NIGHTLY_REPO_TOKEN }} - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-android.outputs.artifact_ids }} - artifact_platform: android - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - - upload-android-release: - if: github.event_name == 'workflow_dispatch' && inputs.regular_release - permissions: - id-token: write - attestations: write - # Necessary for the github token to upload artifacts to the release. - contents: write - needs: - - create-draft-release - - build-android - secrets: - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-android.outputs.artifact_ids }} - artifact_platform: android - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - - build-ohos: # This job is only useful when run on upstream servo. if: github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch' 
@@ -422,43 +310,3 @@ jobs: profile: "production" upload_library: true secrets: inherit - - upload-ohos-nightly: - # Only run scheduled nightly builds on upstream servo. - if: | - (github.repository == 'servo/servo' || github.event_name == 'workflow_dispatch') - && (inputs.regular_release || false) == false - permissions: - id-token: write - attestations: write - needs: - - create-draft-release - - build-ohos - secrets: - github_upload_token: ${{ secrets.NIGHTLY_REPO_TOKEN }} - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-ohos.outputs.artifact_ids }} - artifact_platform: ohos - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} - - upload-ohos-release: - if: github.event_name == 'workflow_dispatch' && inputs.regular_release - permissions: - id-token: write - attestations: write - # Necessary for the github token to upload artifacts to the release. - contents: write - needs: - - create-draft-release - - build-ohos - secrets: - s3_upload_token: ${{ secrets.S3_UPLOAD_CREDENTIALS }} - uses: ./.github/workflows/upload_release.yml - with: - artifact_ids: ${{ needs.build-ohos.outputs.artifact_ids }} - artifact_platform: ohos - github_release_id: ${{ needs.create-draft-release.outputs.release-id }} - target_repo: ${{ github.repository_owner }}/${{ inputs.regular_release && 'servo' || 'servo-nightly-builds' }} diff --git a/.github/workflows/upload_release.yml b/.github/workflows/upload_release.yml deleted file mode 100644 index efc68c7bb25..00000000000 --- a/.github/workflows/upload_release.yml +++ /dev/null 
@@ -1,69 +0,0 @@ -name: Upload and Attest Release Assets -on: - workflow_call: - inputs: - artifact_platform: - type: string - required: true - description: "The platform of the release artifacts to upload." - target_repo: - type: string - required: true - description: "The target repository owner and name (e.g. `servo/servo`) where the release will be created." - github_release_id: - type: string - required: true - description: "The ID of the GitHub release to which assets will be added." - artifact_ids: - required: true - type: string - description: "A comma-separated list of artifact IDs to upload." - secrets: - github_upload_token: - required: false - description: "A GitHub token with permission to upload release assets. If omitted github.token will be used instead." - s3_upload_token: - required: true - description: "A token with permission to upload release artifacts to our S3 bucket." - - -jobs: - upload-artifact: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - sparse-checkout: | - .github - etc/ci - fetch-depth: '1' - - name: Setup Python - uses: ./.github/actions/setup-python - - name: Validate artifact IDs - run: | - if [[ -z "${{ inputs.artifact_ids }}" ]]; then - echo "Error: No artifact IDs provided." - echo "Help: Check the calling workflow's output.artifact_ids parameter, usually created by a build workflow." - echo "If you recently renamed the build job for the artifacts, without updating the `outputs.artifact_ids` " - echo "parameter then this might be the cause of the error." 
- exit 1 - fi - - uses: actions/download-artifact@v8 - with: - artifact-ids: ${{ inputs.artifact_ids }} - merge-multiple: true - path: release-artifacts - - name: Generate artifact attestation - uses: actions/attest-build-provenance@v3 - with: - subject-path: 'release-artifacts/*' - - name: Upload release artifacts - run: | - ./etc/ci/upload_nightly.py ${{ inputs.artifact_platform}} \ - --secret-from-environment \ - --github-release-id ${{ inputs.github_release_id }} \ - release-artifacts/* - env: - S3_UPLOAD_CREDENTIALS: ${{ secrets.s3_upload_token }} - RELEASE_REPO_TOKEN: ${{ secrets.github_upload_token || github.token }} - RELEASE_REPO: ${{ inputs.target_repo }}