ci: build wheel only on origin, make sbom test more robust (#4126)
* fixes #4115

This moves the artifact/wheel build into a separate yml file and makes sure it's run only on the main repo (since it needs some info only available there).

Because test_SBOM started failing while I was working on this, I also improved the test_SBOM failure message so it's not trying to show you the diff of the whole log and instead diffs the relevant lines, then made it a bit more robust to data changes by giving a number range for "number of products with CVEs" instead of a specific number. This should hopefully stop this test from failing a couple of times per year due to data changes, and make it more obvious what's going wrong if it does.

---------

Signed-off-by: Terri Oda <[email protected]>
Showing 3 changed files with 71 additions and 47 deletions.
@@ -0,0 +1,51 @@ | ||
name: Build pip wheel | ||
|
||
on: | ||
push: | ||
branches: [ "main" ] | ||
workflow_dispatch: | ||
|
||
build: | ||
name: Build wheel | ||
runs-on: ubuntu-latest | ||
permissions: | ||
id-token: write | ||
attestations: write | ||
contents: read | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
python-version: | ||
- "3.12" | ||
if: github.repository == 'intel/cve-bin-tool' && github.ref == 'refs/heads/main' # run on origin repo only | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 | ||
with: | ||
python-version: ${{ matrix.python-version }} | ||
cache: 'pip' | ||
- name: Install dependencies | ||
run: | | ||
python -m pip install --upgrade pip setuptools wheel build | ||
- name: Build | ||
run: | | ||
python -m build . | ||
- name: Get built filenames | ||
id: filename | ||
run: | | ||
echo "tar=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT | ||
echo "whl=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT | ||
- name: Attest Build Provenance for tar | ||
uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 | ||
with: | ||
subject-path: "dist/${{ steps.filename.outputs.tar }}" | ||
- name: Attest Build Provenance for whl | ||
uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1 | ||
with: | ||
subject-path: "dist/${{ steps.filename.outputs.whl }}" | ||
# TODO Upload to pypi on release creation |
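Review bot: the `whl` output in the "Get built filenames" step is computed from the wrong glob. `echo "whl=$(cd dist/ && echo *.tar.gz)" >> $GITHUB_OUTPUT` repeats the sdist pattern, so `steps.filename.outputs.whl` resolves to the tarball and the "Attest Build Provenance for whl" step attests the .tar.gz a second time while the wheel itself ends up with no provenance attestation; the glob should be `*.whl`. Two smaller points on the same hunk: as rendered, `build:` sits directly after the blank line following `workflow_dispatch:` with no `jobs:` key above it, which GitHub Actions rejects if that is the file as committed rather than a rendering gap; and `$GITHUB_OUTPUT` should be quoted (`>> "$GITHUB_OUTPUT"`) in both `echo` lines. On the harden-runner step, `egress-policy: audit` only logs outbound connections; for a job that holds `id-token: write` and signs provenance, consider moving to `egress-policy: block` with an explicit `allowed-endpoints` list once the audit run shows which endpoints the build needs.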