From 3c5c384f1ab8805f3efeae5eab0767cde6c370af Mon Sep 17 00:00:00 2001 From: Predrag Gruevski <2348618+obi1kenobi@users.noreply.github.com> Date: Mon, 30 Oct 2023 17:10:14 -0400 Subject: [PATCH] Test-publish to test PyPI and separate jobs to limit permissions. (#12578) Before making a new `langchain` release, we want to test that everything works as expected. This PR lets us publish `langchain` to test PyPI, then install it from there and run checks to ensure everything works normally before publishing it "for real". It also takes the opportunity to refactor the build process, splitting up the build, release-creation, and PyPI upload steps into separate jobs that do not share their elevated permissions with each other. --- .github/workflows/_release.yml | 189 +++++++++++++++++++++++++++++---- 1 file changed, 171 insertions(+), 18 deletions(-) diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml index 4f95b09fe69..4c0451df8f8 100644 --- a/.github/workflows/_release.yml +++ b/.github/workflows/_release.yml @@ -9,13 +9,135 @@ on: description: "From which folder this pipeline executes" env: + PYTHON_VERSION: "3.10" POETRY_VERSION: "1.6.1" jobs: - if_release: - # Disallow publishing from branches that aren't `master`. + build: if: github.ref == 'refs/heads/master' runs-on: ubuntu-latest + + outputs: + pkg-name: ${{ steps.check-version.outputs.pkg-name }} + version: ${{ steps.check-version.outputs.version }} + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + Poetry ${{ env.POETRY_VERSION }} + uses: "./.github/actions/poetry_setup" + with: + python-version: ${{ env.PYTHON_VERSION }} + poetry-version: ${{ env.POETRY_VERSION }} + working-directory: ${{ inputs.working-directory }} + cache-key: release + + # We want to keep this build stage *separate* from the release stage, + # so that there's no sharing of permissions between them. + # The release stage has trusted publishing and GitHub repo contents write access, + # and we want to keep the scope of that access limited just to the release job. + # Otherwise, a malicious `build` step (e.g. via a compromised dependency) + # could get access to our GitHub or PyPI credentials. + # + # Per the trusted publishing GitHub Action: + # > It is strongly advised to separate jobs for building [...] + # > from the publish job. + # https://github.com/pypa/gh-action-pypi-publish#non-goals + - name: Build project for distribution + run: poetry build + + - name: Upload build + uses: actions/upload-artifact@v3 + with: + name: dist + path: ${{ inputs.working-directory }}/dist/ + + - name: Check Version + id: check-version + shell: bash + working-directory: ${{ inputs.working-directory }} + run: | + echo pkg-name="$(poetry version | cut -d' ' -f 1)" >> $GITHUB_OUTPUT + echo version="$(poetry version --short)" >> $GITHUB_OUTPUT + + test-pypi-publish: + needs: + - build + runs-on: ubuntu-latest + permissions: + # This permission is used for trusted publishing: + # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ + # + # Trusted publishing has to also be configured on PyPI for each package: + # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ + id-token: write + + steps: + - uses: actions/checkout@v4 + + - uses: actions/download-artifact@v3 + with: + name: dist + path: ${{ inputs.working-directory }}/dist/ + + - name: Publish to test PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: ${{ inputs.working-directory }}/dist/ + verbose: true + print-hash: true + repository-url: https://test.pypi.org/legacy/ + + pre-release-checks: + needs: + - build + - test-pypi-publish + runs-on: ubuntu-latest + steps: + # We explicitly *don't* set up caching here. This ensures our tests are + # maximally sensitive to catching breakage. + # + # For example, here's a way that caching can cause a falsely-passing test: + # - Make the langchain package manifest no longer list a dependency package + # as a requirement. This means it won't be installed by `pip install`, + # and attempting to use it would cause a crash. + # - That dependency used to be required, so it may have been cached. + # When restoring the venv packages from cache, that dependency gets included. + # - Tests pass, because the dependency is present even though it wasn't specified. + # - The package is published, and it breaks on the missing dependency when + # used in the real world. + - uses: actions/setup-python@v4 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Test published package + shell: bash + env: + PKG_NAME: ${{ needs.build.outputs.pkg-name }} + VERSION: ${{ needs.build.outputs.version }} + # Here we specify: + # - The test PyPI index as the *primary* index, meaning that it takes priority. + # - The regular PyPI index as an extra index, so that any dependencies that + # are not found on test PyPI can be resolved and installed anyway. + # + # Without the former, we might install the wrong langchain release. + # Without the latter, we might not be able to install langchain's dependencies. + # + # TODO: add more in-depth pre-publish tests after testing that importing works + run: | + pip install \ + --index-url https://test.pypi.org/simple/ \ + --extra-index-url https://pypi.org/simple/ \ + "$PKG_NAME==$VERSION" + + python -c "import $PKG_NAME; print(dir($PKG_NAME))" + + publish: + needs: + - build + - test-pypi-publish + - pre-release-checks + runs-on: ubuntu-latest permissions: # This permission is used for trusted publishing: # https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ @@ -24,28 +146,65 @@ jobs: # https://docs.pypi.org/trusted-publishers/adding-a-publisher/ id-token: write - # This permission is needed by `ncipollo/release-action` to create the GitHub release. - contents: write defaults: run: working-directory: ${{ inputs.working-directory }} + steps: - uses: actions/checkout@v4 - name: Set up Python + Poetry ${{ env.POETRY_VERSION }} uses: "./.github/actions/poetry_setup" with: - python-version: "3.10" + python-version: ${{ env.PYTHON_VERSION }} poetry-version: ${{ env.POETRY_VERSION }} working-directory: ${{ inputs.working-directory }} cache-key: release - - name: Build project for distribution - run: poetry build - - name: Check Version - id: check-version - run: | - echo version=$(poetry version --short) >> $GITHUB_OUTPUT + - uses: actions/download-artifact@v3 + with: + name: dist + path: ${{ inputs.working-directory }}/dist/ + + - name: Publish package distributions to PyPI + uses: pypa/gh-action-pypi-publish@release/v1 + with: + packages-dir: ${{ inputs.working-directory }}/dist/ + verbose: true + print-hash: true + + mark-release: + needs: + - build + - test-pypi-publish + - pre-release-checks + - publish + runs-on: ubuntu-latest + permissions: + # This permission is needed by `ncipollo/release-action` to + # create the GitHub release. + contents: write + + defaults: + run: + working-directory: ${{ inputs.working-directory }} + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + Poetry ${{ env.POETRY_VERSION }} + uses: "./.github/actions/poetry_setup" + with: + python-version: ${{ env.PYTHON_VERSION }} + poetry-version: ${{ env.POETRY_VERSION }} + working-directory: ${{ inputs.working-directory }} + cache-key: release + + - uses: actions/download-artifact@v3 + with: + name: dist + path: ${{ inputs.working-directory }}/dist/ + - name: Create Release uses: ncipollo/release-action@v1 if: ${{ inputs.working-directory == 'libs/langchain' }} @@ -54,11 +213,5 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} draft: false generateReleaseNotes: true - tag: v${{ steps.check-version.outputs.version }} + tag: v${{ needs.build.outputs.version }} commit: master - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - packages-dir: ${{ inputs.working-directory }}/dist/ - verbose: true - print-hash: true