compute-sdk-python/.github/workflows/release.yml at main · fastly/compute-sdk-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
# Package up release artifacts, and attach them to a new GitHub prerelease.

name: Release

# Triggers:
#   - Push a version tag (e.g. git tag v0.1.0 && git push --tags) for a real release.
#   - workflow_dispatch for ad-hoc test builds without creating a tag.
#     Wheels are uploaded as GitHub Actions artifacts and no GitHub Release is created.
on:
  push:
    tags:
      - "v*"
  pull_request:
    paths:
      - ".github/workflows/release.yml"
  workflow_dispatch:

# Minimal permissions by default; create-github-release job adds write where needed.
permissions:
  contents: read

env:
  # Bump these in one place when upgrading toolchains or maturin.
  # RUST_STABLE and RUST_NIGHTLY must also be kept in sync with the defaults
  # in .github/actions/setup-rust/action.yml.
  PYTHON_VERSION: "3.12"
  RUST_STABLE: "1.92.0"
  RUST_NIGHTLY: "nightly-2026-04-27"
  MATURIN_VERSION: "v1.13.3"

jobs:
  # Verify that the versions in pyproject.toml and Cargo.toml match the tag
  # (or the manually-supplied version label) before spending time on builds.
  check-version:
    name: "Check version consistency"
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Verify versions match
        shell: bash
        run: |
          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
            python scripts/check_version_sync.py --tag "${{ github.ref_name }}"
          else
            python scripts/check_version_sync.py
          fi

  # Build CPython for WASI on a Linux runner and upload it as an artifact.
  # Since WASI is platform-independent, this artifact is reused by both the
  # macOS and Windows runner jobs to completely avoid compiling CPython from
  # source (which adds CI time and is problematic on Windows).
  build-cpython-wasi:
    name: "Build CPython for WASI"
    runs-on: ubuntu-24.04
    needs: [check-version]
    steps:
      - uses: actions/checkout@v6

      - name: Set up Rust toolchains
        uses: ./.github/actions/setup-rust
        with:
          rust-stable: ${{ env.RUST_STABLE }}
          rust-nightly: ${{ env.RUST_NIGHTLY }}

      - name: Build CPython WASI via cargo check
        run: |
          cargo fetch
          # Trigger execution of build scripts by running cargo check.
          # This fully compiles CPython inside componentize-py's build.rs,
          # but skips compiling heavy Rust machine code, saving massive time!
          cargo check --locked --manifest-path crates/fastly-compute-py/Cargo.toml

      - name: Package CPython WASI builddir
        shell: bash
        run: |
          MANIFEST_DIR="$(python .github/scripts/get-componentize-py-dir.py)"
          echo "Found componentize-py at $MANIFEST_DIR"
          tar -czf cpython-wasi.tar.gz -C "$MANIFEST_DIR" --exclude="*/bin/*" --exclude="*.pc" --exclude="*/man/*" cpython/builddir/wasi

      - name: Upload CPython WASI artifact
        uses: actions/upload-artifact@v4
        with:
          name: cpython-wasi
          path: cpython-wasi.tar.gz
          if-no-files-found: error

  # Linux wheels are built inside manylinux_2_28 containers via maturin-action.
  # We explicitly target manylinux 2_28; auto likely would too but pinning
  # avoids unexpected wheel renames. See https://github.com/pypa/manylinux.
  #
  # The composite setup-rust action cannot run inside the maturin-action
  # container, so toolchain setup is handled via before-script-linux instead.
  build-linux:
    name: "Linux ${{ matrix.target }}"
    runs-on: ubuntu-24.04
    needs: [check-version, build-cpython-wasi]
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-unknown-linux-gnu
            manylinux: "2_28"
          - target: aarch64-unknown-linux-gnu
            manylinux: "2_28"

    steps:
      - uses: actions/checkout@v6

      - name: Download CPython WASI artifact
        uses: actions/download-artifact@v4
        with:
          name: cpython-wasi

      - name: Build wheels
        uses: PyO3/maturin-action@v1
        with:
          maturin-version: ${{ env.MATURIN_VERSION }}
          target: ${{ matrix.target }}
          manylinux: ${{ matrix.manylinux }}
          rust-toolchain: ${{ env.RUST_STABLE }}
          # abi3-py312 is set in [tool.maturin] features; no -i needed.
          args: --release --locked --compatibility pypi
          before-script-linux: |
            .github/scripts/setup-nightly.sh ${{ env.RUST_NIGHTLY }}
            rustup target add wasm32-unknown-unknown
            cargo fetch
            MANIFEST_DIR="$(python .github/scripts/get-componentize-py-dir.py)"
            echo "Found componentize-py inside container at $MANIFEST_DIR"
            tar -xzf cpython-wasi.tar.gz -C "$MANIFEST_DIR"

      - name: Upload wheels
        uses: actions/upload-artifact@v4
        with:
          name: wheels-linux-${{ matrix.target }}
          path: target/wheels/*.whl
          if-no-files-found: error

  # macOS wheels — native builds on GitHub-hosted runners.
  # macos-14 is Apple Silicon (aarch64); macos-13 is Intel (x86_64).
  build-macos:
    name: "macOS ${{ matrix.target }}"
    runs-on: ${{ matrix.runner }}
    needs: [check-version, build-cpython-wasi]
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: x86_64-apple-darwin
            runner: macos-26-intel
            # Maturin defaults to 10.12 for x86_64, but componentize-py's
            # build.rs compiles a native CPython host binary that requires
            # >=10.15 (sqlite3_create_window_function) with Xcode 26's SDK.
            # Python 3.12 itself requires 10.13+, so 10.15 is a safe minimum.
            macosx_deployment_target: "10.15"
          - target: aarch64-apple-darwin
            runner: macos-26
            macosx_deployment_target: "11.0"

    steps:
      - uses: actions/checkout@v6

      - name: Set up Rust toolchains
        uses: ./.github/actions/setup-rust
        with:
          rust-stable: ${{ env.RUST_STABLE }}
          rust-nightly: ${{ env.RUST_NIGHTLY }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Download CPython WASI artifact
        uses: actions/download-artifact@v4
        with:
          name: cpython-wasi

      - name: Restore CPython WASI
        shell: bash
        run: |
          cargo fetch
          MANIFEST_DIR="$(python .github/scripts/get-componentize-py-dir.py)"
          echo "Found componentize-py at $MANIFEST_DIR"
          tar -xzf cpython-wasi.tar.gz -C "$MANIFEST_DIR"

      - name: Build wheels
        uses: PyO3/maturin-action@v1
        with:
          maturin-version: ${{ env.MATURIN_VERSION }}
          target: ${{ matrix.target }}
          # container: off is implied for non-Linux but set explicitly for clarity.
          container: "off"
          # abi3-py312 is set in [tool.maturin] features; no -i needed.
          args: --release --locked
        env:
          MACOSX_DEPLOYMENT_TARGET: ${{ matrix.macosx_deployment_target }}

      - name: Upload wheels
        uses: actions/upload-artifact@v4
        with:
          name: wheels-macos-${{ matrix.target }}
          path: target/wheels/*.whl
          if-no-files-found: error

  # Windows wheel — native build on windows-latest (x86_64).
  build-windows:
    name: "Windows x86_64"
    runs-on: windows-latest
    needs: [check-version, build-cpython-wasi]

    steps:
      - uses: actions/checkout@v6

      - name: Set up Rust toolchains
        uses: ./.github/actions/setup-rust
        with:
          rust-stable: ${{ env.RUST_STABLE }}
          rust-nightly: ${{ env.RUST_NIGHTLY }}

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Download CPython WASI artifact
        uses: actions/download-artifact@v4
        with:
          name: cpython-wasi

      - name: Restore CPython WASI
        shell: bash
        run: |
          cargo fetch
          MANIFEST_DIR="$(python .github/scripts/get-componentize-py-dir.py)"
          echo "Found componentize-py at $MANIFEST_DIR"
          tar -xzf cpython-wasi.tar.gz -C "$MANIFEST_DIR"

      - name: Build wheels
        uses: PyO3/maturin-action@v1
        with:
          maturin-version: ${{ env.MATURIN_VERSION }}
          target: x86_64-pc-windows-msvc
          container: "off"
          # abi3-py312 is set in [tool.maturin] features; no -i needed.
          args: --release --locked

      - name: Upload wheels
        uses: actions/upload-artifact@v4
        with:
          name: wheels-windows-x86_64
          path: target/wheels/*.whl
          if-no-files-found: error

  # Build a source distribution for PyPI alongside the binary wheels.
  build-sdist:
    name: "Build sdist"
    runs-on: ubuntu-24.04
    needs: [check-version]
    steps:
      - uses: actions/checkout@v6

      - name: Build sdist
        uses: PyO3/maturin-action@v1
        with:
          maturin-version: ${{ env.MATURIN_VERSION }}
          command: sdist
          args: --out dist

      - name: Upload sdist
        uses: actions/upload-artifact@v4
        with:
          name: sdist
          path: dist/*.tar.gz
          if-no-files-found: error

  # Collect all release artifacts (wheels + sdist) into a single artifact,
  # generate SHA256 checksums, and upload everything together.
  collect-artifacts:
    name: "Collect release artifacts"
    needs: [build-linux, build-macos, build-windows, build-sdist]
    runs-on: ubuntu-24.04

    steps:
      - name: Download all wheel artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: wheels-*
          path: dist/
          merge-multiple: true

      - name: Download sdist
        uses: actions/download-artifact@v4
        with:
          name: sdist
          path: dist/

      - name: Generate SHA256 checksums
        run: |
          cd dist
          sha256sum *.whl *.tar.gz > checksums.txt
          cat checksums.txt

      - name: List artifacts
        run: ls -lh dist/

      - name: Upload combined artifact
        uses: actions/upload-artifact@v4
        with:
          name: release-artifacts
          path: dist/
          if-no-files-found: error

  # Create a GitHub Release and attach all artifacts.
  # Only runs on tag pushes, workflow_dispatch builds stop at collect-artifacts,
  # presumed to be used for testing CI or related.
  create-github-release:
    name: "Create GitHub Release"
    needs: [collect-artifacts]
    runs-on: ubuntu-24.04
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: write  # Required to create releases and upload assets.

    steps:
      - uses: actions/checkout@v6

      - name: Download release artifacts
        uses: actions/download-artifact@v4
        with:
          name: release-artifacts
          path: dist/

      - name: Create GitHub Release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          TAG="${{ github.ref_name }}"
          gh release create "$TAG" dist/*.whl dist/*.tar.gz dist/checksums.txt \
            --title "$TAG" \
            --prerelease \
            --generate-notes \
            --notes-start-tag "$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo '')"