WIP: Release pipeline without offline steps (PR to discuss the ideas) #6246
Conversation
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #6246 +/- ##
==========================================
+ Coverage 56.95% 57.22% +0.26%
==========================================
Files 506 507 +1
Lines 30467 31398 +931
Branches 4592 4691 +99
==========================================
+ Hits 17353 17968 +615
- Misses 12285 12577 +292
- Partials 829 853 +24 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
.github/workflows/create_release.yml
Outdated
| name: Release (Publish to pypi and add files to github release) | ||
| runs-on: ubuntu-latest | ||
| needs: [prepare-release] | ||
| if: always() && (needs.prepare-release.result == 'success') && startsWith(github.base_ref, 'rel-') # TODO only if a release is requested |
There was a problem hiding this comment.
Is it here that we should check that the trigger is scheduled?
There was a problem hiding this comment.
What exactly do you mean by that?
I think one should take another look at all my steps to see if the checks were chosen correctly.
I currently also assume that the Github release is generated via the GUI and I only add the files in this step accordingly. In this release step, you would now also have to define a Github deployment environment, which you link to Pypi, so that the reviewers first have to approve the step before the Whl is actually pushed. I think you would have 30 days for the review, you can download the wheels beforehand for local testing. Maybe the handling of the RC candidates is currently missing? Do we also want them on pypi? or would they be better off on testpypi?
There was a problem hiding this comment.
What would be the status of this document? Does this need to go through infra sig?
There was a problem hiding this comment.
I would say what our process offers or suggests. I am happy to present and discuss my ideas. According to the PR title where I originally wanted to remove the offline steps, I thought the signing step made sense now.
I would definitely want to add slsa later, but I thought I wouldn't overload the PR that way.
I think the document could do the job so far.
In any case, the adjustments in https://github.com/onnx/onnx/blob/main/docs/OnnxReleases.md are still pending, but I think a certain amount of discussion is still necessary, but I will make a suggestion.
These changes then definitely have to go through SIG/Infra, or we need the comments from the people who have made releases.
|
Some minor refinement may be needed but looks good to me otherwise. Thank you for the huge improvement! |
Co-authored-by: Justin Chu <justinchuby@users.noreply.github.com> Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Co-authored-by: Justin Chu <justinchuby@users.noreply.github.com> Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Co-authored-by: Justin Chu <justinchuby@users.noreply.github.com> Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
|
Because I was asked for that. In my opinion we should create deployment environments (one video describing that functionality could be found here: https://www.youtube.com/watch?v=EOlm3ft0VPo )
|
|
First draft of the release (rc and final) workflow graph TB
subgraph GitHub GUI
A[Trigger: Draft a new Release in Github GUI and select the 1.X.X Branch] --> B[SaveDraft or Publish Release?]
end
subgraph CI Pipeline
B --> D1[create_release.yml is called]
D1 --> D{All 4 different OSPipelines were successful?}
D -->|Yes| E[Job 3: Call Prepare Release Workflow]
D -->|No| F[Job: Send Failure Notification]
E --> G[Job 4: Prepare Release Workflow]
end
subgraph Prepare Release Workflow
G --> H[Job 5: Download all artifacts]
H --> I[Job 6: Sign all artifacts with sigstore]
end
subgraph Integration Testing
I --> J[Job 7: External Integration Tests]
J --> K{Integration Tests Passed?}
K -->|Yes| L[Job 8: Manual Approval for Release]
K -->|No| M[Job: Rollback & Investigate]
M --> F
end
subgraph Release
L --> N{Is it an official release?}
N --> |Yes| O1[Job 9: Publish to PyPI]
N --> |No| O2[Job 9: Publish to rc-candidate to TestPyPI]
O1 --> O[Job 10: Add signature files to GithubRelease]
O2 --> O[Job 10: Add signature files to GithubRelease]
O --> P[Job 11: Tag Release in GitHub]
P --> Q1[Job 12: Create Release Notes]
Q1 --> Q[Job 13: Add files to release]
end
Q --> R[End Pipeline]
F --> R
M --> R
|
|
The diagram flow looks very good and clean, thanks! |
|
Actually, I would also like to list our RC candidates in the github releases, but that could get confusing? (see here https://github.com/vercel/next.js/releases). There doesn't seem to be a good way to filter via the GUI (https://github.com/orgs/community/discussions/6108) ? Since we have mostly managed with 2 RC candidates so far, this would not be a restriction for me at least (could be nicer for me, but ok) Think the RC process should be as close as possible to the regular process (it should also be tested) Any comments? |
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
|
For testing the pipeline I would prefer alpha and beta. We don't have to start with rc-candidates |
…nnx#6277) ### Description <!-- - Describe your changes. --> This pull request should be the start of a pipeline (current status of the considerations under onnx#6246) that automatically generates a whls after tagging, signs it and publishes it directly to Pypi to improve supply chain security. As this is all too much at once, the changes will be introduced and tested gradually. Changes related to this PR: Reusable Workflows are used to merge the individual OS release builds together (we need one process as we want to have all artifacts in one pipeline, so there is not need to download them manuelly). The workflows are currently not really "reusable", as we more or less use pypi creditionals in the workflow, among other things. I reused our testpypi weekly repo as I didn't want to change our behavoir for pypi and testpypi. Maybe it would make sense to adapt the process right away so that you can trigger our "Weekly" manually via the Github interface for testing and don't have to wait a week ;-) #### Key points for the review: * How do we want to configure concurrency * What concurrency-groups do we need? * Where do we need "cancel-in-progress"? #### Not part of the pull request: * Extract publish whl to pypi/testpyp * Introduce trusted publishing * ... ### Motivation and Context * see onnx#6246 --------- Signed-off-by: Andreas Fehlner <fehlner@arcor.de> Co-authored-by: Justin Chu <justinchuby@users.noreply.github.com> Signed-off-by: Linsho Kaku <linsho@preferred.jp>
|
We're planning to go towards trusted publishing after model signing stable release in https://github.com/sigstore/model-transparency/ |
|
Hi Andreas, should we plan to get these into the upcoming 1.18 release? We'd like to pick a deadline for the release soon |
| @@ -55,13 +59,14 @@ jobs: | |||
| # Install Protobuf from source | |||
| export NUM_CORES=`sysctl -n hw.logicalcpu` | |||
| source workflow_scripts/protobuf/build_protobuf_unix.sh $NUM_CORES $(pwd)/protobuf/protobuf_install | |||
| if [ '${{ github.event_name }}' == 'schedule' ]; then | |||
| if [ '${{ github.event_name }}' == 'schedule' ]; then | |||
There was a problem hiding this comment.
Whitespace
| if [ '${{ github.event_name }}' == 'schedule' ]; then | |
| if [ '${{ github.event_name }}' == 'schedule' ]; then |
| sed -i '' 's/name = "onnx"/name = "onnx-weekly"/' 'pyproject.toml' | ||
| export ONNX_PREVIEW_BUILD=1 | ||
| fi | ||
| python -m build --wheel | ||
| python -m build --wheel |
There was a problem hiding this comment.
Whitespace
| python -m build --wheel | |
| python -m build --wheel |
| - name: Build ONNX wheel |
There was a problem hiding this comment.
Whitespace
| - name: Build ONNX wheel | |
| - name: Build ONNX wheel |
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
Signed-off-by: Andreas Fehlner <fehlner@arcor.de>
| @@ -20,20 +22,22 @@ permissions: | |||
|
|
|||
| jobs: | |||
| build: | |||
| if: github.event_name != 'pull_request' || startsWith( github.base_ref, 'rel-') || contains( github.event.pull_request.labels.*.name, 'run release CIs') | |||
| if: github.event_name != 'pull_request' || startsWith( github.base_ref, 'rel-') || contains( github.event.pull_request.labels.*.name, 'run release CIs') | |||
There was a problem hiding this comment.
Whitespace
| if: github.event_name != 'pull_request' || startsWith( github.base_ref, 'rel-') || contains( github.event.pull_request.labels.*.name, 'run release CIs') | |
| if: github.event_name != 'pull_request' || startsWith( github.base_ref, 'rel-') || contains( github.event.pull_request.labels.*.name, 'run release CIs') |
|
Our release workflow does not contain offline steps for onnx 1.19 any more. Documentation parts should be improved |
Description
Remove offline steps for the official release build in order to increase supply chain security.
In a nutshell:
Points that have not yet been fully implemented
From my point of view, our pipeline is still missing the step of manually starting a dev build and pushing the results to testpypi
I would still prefer it if the release builds of the different OS would contain the same functionality
These points do not need to be part of the PR in the hope of keeping the PR “manageable”?
I look forward to discussing the aspects and adapting them to our needs.
Motivation and Context
(https://github.com/onnx/onnx/issues/5927)](https://github.com/onnx/onnx/issues/5927)