diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index 68eef0e..b3fc9ae 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -3,7 +3,7 @@ name: linux on: push: branches: [main] - pull_request: + # pull_request: concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.sha }} @@ -29,7 +29,7 @@ jobs: sudo apt update sudo apt install -y --no-install-recommends libssl-dev pkg-config - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -67,7 +67,7 @@ jobs: permissions: packages: write steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -80,7 +80,7 @@ jobs: uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -143,7 +143,7 @@ jobs: crate-build-matrix: ${{ steps.set-matrix.outputs.crate-build-matrix }} any_builds: ${{ steps.set-matrix.outputs.any_builds }} steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false @@ -215,7 +215,7 @@ jobs: fail-fast: false name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }} steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false 
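Review bot: The `pull_request:` trigger in the `@@ -3,7` hunk is commented out rather than removed, and nothing says why, so a reader cannot tell whether PR builds of this workflow are paused or permanently moved; the windows.yml hunk in this same commit documents its trigger change with `workflow_dispatch: # Only run manually`. If PR coverage has moved to the new vlinux.yml, which appears to be a copy of this file with `pull_request:` enabled, state that next to the disabled line, e.g. `# pull_request:  # PR builds run from vlinux.yml`, or delete the line outright. The same applies to the `@@ -3,7` hunk of macos.yml further down.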
@@ -226,13 +226,13 @@ jobs: python-version: "3.11" - name: Download pythonbuild - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: ${{ matrix.crate_artifact_name }} path: build - name: Download images - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: image-* path: build @@ -323,7 +323,7 @@ jobs: fail-fast: false name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }} steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false @@ -334,18 +334,19 @@ jobs: python-version: "3.11" - name: Download pythonbuild - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: ${{ matrix.crate_artifact_name }} path: build - name: Download images - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: pattern: image-* path: build merge-multiple: true + - name: Cache downloads - name: Cache downloads uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index b746a96..e7a04bd 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -3,7 +3,7 @@ name: macos on: push: branches: [main] - pull_request: + # pull_request: concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.sha }} 
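Review bot: A second `- name: Cache downloads` line is inserted directly before the existing one in the `@@ -334,18 +334,19` hunk, which creates a step that has a `name` but neither `uses` nor `run`; GitHub's workflow validator rejects such a step, so the linux workflow will fail to start rather than run the cache step twice. Drop the added line so the sequence reads `- name: Cache downloads` followed by `uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4` as before. The parallel hunk at `@@ -226,13` does not have the duplicate, which suggests this was an editing slip.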
@@ -24,7 +24,7 @@ jobs: fail-fast: false name: crate / ${{ matrix.arch }} steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -58,7 +58,7 @@ jobs: crate-build-matrix: ${{ steps.set-matrix.outputs.crate-build-matrix }} any_builds: ${{ steps.set-matrix.outputs.any_builds }} steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false @@ -123,7 +123,7 @@ jobs: fail-fast: false name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }} steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false @@ -134,7 +134,7 @@ jobs: python-version: "3.11" - name: Download pythonbuild - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: ${{ matrix.crate_artifact_name }} path: build @@ -172,7 +172,7 @@ jobs: - name: Checkout macOS SDKs for validation if: ${{ ! matrix.dry-run }} - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: phracker/MacOSX-SDKs ref: master diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c3b3225..be9c3d1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -35,7 +35,7 @@ jobs: attestations: write steps: - - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: submodules: recursive persist-credentials: true # needed for git operations below diff --git a/.github/workflows/security-3rd-party-pr-checks.yml b/.github/workflows/security-3rd-party-pr-checks.yml new file mode 100644 index 0000000..5337dab --- /dev/null +++ b/.github/workflows/security-3rd-party-pr-checks.yml @@ -0,0 +1,10 @@ +name: security-3rd-party-pr-checks +on: + # Allow for manual run of security workflows + workflow_dispatch: + # Scan changed files in PRs (diff-aware scanning): + pull_request: {} +jobs: + running-3rd-party-pr-security-checks: + uses: verkada/securitybots/.github/workflows/3rd-party-pr-checks.yml@main + secrets: inherit diff --git a/.github/workflows/vlinux.yml b/.github/workflows/vlinux.yml new file mode 100644 index 0000000..a7a4b4e --- /dev/null +++ b/.github/workflows/vlinux.yml 
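Review bot: `uses: verkada/securitybots/.github/workflows/3rd-party-pr-checks.yml@main` in the new security-3rd-party-pr-checks.yml references the reusable workflow by a mutable branch and hands it every repository secret through `secrets: inherit` on every `pull_request`, so any change to that repository's `main` silently changes what runs here with those secrets. Every other action in this diff is pinned to a full commit SHA with a version comment, and this reference should follow the same convention, `@<commit-sha> # <version>`, with a bump process like the one this commit performs for checkout and download-artifact. If the called workflow needs only particular secrets, list them under `secrets:` instead of inheriting all of them. The file also sets no top-level `permissions:`, unlike the other workflows here that start from `permissions: {}`, so the called workflow receives the repository's default token permissions; an explicit block would document what it is actually granted.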
@@ -0,0 +1,304 @@ +name: vlinux + +on: + push: + branches: [main] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +env: + FORCE_COLOR: 1 + +permissions: {} + +jobs: + generate-matrix: + name: Generate build matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + any_builds: ${{ steps.set-matrix.outputs.any_builds }} + pythonbuild_changed: ${{ steps.check-pythonbuild.outputs.changed }} + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Set up Python + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 + + - name: Get pull request labels + id: get-labels + env: + PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }} + run: | + # Convert GitHub labels array to comma-separated string + LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")') + echo "labels=$LABELS" >> $GITHUB_OUTPUT + + - name: Generate build matrix + id: set-matrix + run: | + uv run ci-matrix.py \ + --platform linux \ + --labels '${{ steps.get-labels.outputs.labels }}' \ + --free-runners \ + > matrix.json + + + echo "matrix=$(cat matrix.json)" >> $GITHUB_OUTPUT + + # Display the matrix for debugging too + cat matrix.json | jq + + if jq -e '.include | length > 0' matrix.json > /dev/null; then + # Build matrix has entries + echo "any_builds=true" >> $GITHUB_OUTPUT + else + # Build matrix is empty + echo "any_builds=false" >> $GITHUB_OUTPUT + fi + + - name: Check if the `pythonbuild` crate changed + id: check-pythonbuild + env: + BASE_REF: ${{ github.event.pull_request.base.ref || 'main' }} + run: | + merge_base=$(git merge-base HEAD "origin/${BASE_REF}") + if git diff --quiet "${merge_base}...HEAD" -- ':src/*.rs'; then + echo "changed=false" >> "$GITHUB_OUTPUT" 
+ else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + crate-build: + needs: + - generate-matrix + runs-on: ${{ matrix.runner }} + strategy: + matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix).crate-build }} + steps: + - name: Install System Dependencies + run: | + sudo apt update + sudo apt install -y --no-install-recommends libssl-dev pkg-config + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false + + - name: Emit rustc version + run: | + rustc --version > .rustc-version + + - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: ${{ runner.os }}-pythonbuild-${{ hashFiles('Cargo.lock', '.rustc-version') }} + + - name: Build + run: | + cargo build --release + + - name: Upload pythonbuild Executable + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: ${{ matrix.crate_artifact_name }} + path: target/release/pythonbuild + + image: + if: ${{ needs.generate-matrix.outputs.pythonbuild_changed == 'true' || needs.generate-matrix.outputs.any_builds == 'true' || github.ref == 'refs/heads/main' }} + needs: + - generate-matrix + strategy: + fail-fast: false + matrix: + image: + - build + - build.cross + - build.cross-riscv64 + - gcc + name: ${{ matrix.image }} + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false + + - name: Install Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: "3.11" + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + + - name: Login to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + 
password: ${{ secrets.GITHUB_TOKEN }} + + - name: Generate Dockerfiles + run: | + ./build-linux.py --make-target empty + repo_name=$(echo "${GITHUB_REPOSITORY,,}" | sed 's|\.|_|g') + git_ref_name=$(echo "${GITHUB_REF_NAME,,}" | sed 's|[^a-z0-9_-]|_|g') + echo "REPO_NAME=${repo_name}" >> "${GITHUB_ENV}" + echo "GIT_REF_NAME=${git_ref_name}" >> "${GITHUB_ENV}" + + - name: Build Image + id: build-image + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + env: + SOURCE_DATE_EPOCH: 0 + with: + context: . + file: build/${{ matrix.image }}.Dockerfile + labels: org.opencontainers.image.source=https://github.com/${{ env.REPO_NAME }} + # Cache from/to the current branch of the current repo as the primary cache key. + # Cache from the default branch of the current repo so branches can have cache hits. + # Cache from the default branch of the canonical repo so forks can have cache hits. + # Ignore errors on cache writes so CI of forks works without a valid GHCR config. 
+ cache-from: | + type=registry,ref=ghcr.io/${{ env.REPO_NAME }}:${{ matrix.image }}-linux-${{ env.GIT_REF_NAME }} + type=registry,ref=ghcr.io/${{ env.REPO_NAME }}:${{ matrix.image }}-linux-main + type=registry,ref=ghcr.io/astral-sh/python-build-standalone:${{ matrix.image }}-linux-main + cache-to: | + type=registry,ref=ghcr.io/${{ env.REPO_NAME }}:${{ matrix.image }}-linux-${{ env.GIT_REF_NAME }},ignore-error=true + outputs: | + type=docker,dest=build/image-${{ matrix.image }}.linux.tar + + - name: Compress Image + run: | + echo ${STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID} > build/image-${MATRIX_IMAGE}.linux + zstd -v -T0 -6 --rm build/image-*.tar + touch -t 197001010000 build/image-* + env: + STEPS_BUILD_IMAGE_OUTPUTS_IMAGEID: ${{ steps.build-image.outputs.imageid }} + MATRIX_IMAGE: ${{ matrix.image }} + + - name: Upload Docker Image + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: image-${{ matrix.image }}-linux + path: build/image-* + compression-level: '0' + + + build: + needs: + - generate-matrix + - crate-build + - image + # Permissions used for actions/attest-build-provenance + permissions: + id-token: write + attestations: write + runs-on: ${{ matrix.runner }} + strategy: + matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix).python-build }} + fail-fast: false + name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }} + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + fetch-depth: 0 + persist-credentials: false + lfs: true + + - name: Install Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: "3.11" + + - name: Download pythonbuild + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: ${{ matrix.crate_artifact_name }} + path: build + + - name: Download images + uses: 
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + pattern: image-* + path: build + merge-multiple: true + + - name: Cache downloads + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + with: + path: build/downloads + key: ${{ matrix.target_triple }}-${{ hashFiles('pythonbuild/downloads.py')}} + restore-keys: | + ${{ matrix.target_triple }}-${{ hashFiles('pythonbuild/downloads.py')}} + ${{ matrix.target_triple }}- + + - name: Load Docker Images + run: | + for f in build/image-*.tar.zst; do + echo "decompressing $f" + zstd -d --rm ${f} + done + + for f in build/image-*.tar; do + echo "loading $f" + docker load --input $f + done + + - name: Build + if: ${{ ! matrix.dry-run }} + run: | + # Do empty target so all generated files are touched. + ./build-linux.py --make-target empty + + # Touch mtimes of all images so they are newer than autogenerated files above. + touch build/image-* + + ./build-linux.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS} + env: + MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }} + MATRIX_PYTHON: ${{ matrix.python }} + MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }} + + - name: Generate attestations + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + if: ${{ github.ref == 'refs/heads/main' }} + with: + subject-path: dist/* + + - name: Upload Distribution + if: ${{ ! matrix.dry-run }} + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: cpython-${{ matrix.python }}-${{ matrix.target_triple }}-${{ matrix.build_options }} + path: dist/* + + - name: Validate Distribution + if: ${{ ! 
matrix.dry-run }} + run: | + chmod +x build/pythonbuild + + if [ "${MATRIX_RUN}" == "true" ]; then + if [ "${MATRIX_LIBC}" == "musl" ]; then + sudo apt install musl-dev + + # GitHub's setup-python action sets `LD_LIBRARY_PATH` which overrides `RPATH` + # as used in the musl builds. + unset LD_LIBRARY_PATH + fi + EXTRA_ARGS="--run" + fi + + build/pythonbuild validate-distribution ${EXTRA_ARGS} dist/*.tar.zst + diff --git a/.github/workflows/vmacos.yml b/.github/workflows/vmacos.yml new file mode 100644 index 0000000..8fac588 --- /dev/null +++ b/.github/workflows/vmacos.yml 
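Review bot: In the `Generate build matrix` step, `--labels '${{ steps.get-labels.outputs.labels }}'` interpolates a workflow expression straight into the shell script, whereas the `Get pull request labels` step just above already routes the label list through `env:`; the new file should use the same pattern so the script body contains no expression: add `LABELS: ${{ steps.get-labels.outputs.labels }}` under an `env:` for that step and call `--labels "${LABELS}" \`. The `>> $GITHUB_OUTPUT` redirections in the same job are unquoted while the later `check-pythonbuild` step writes to `"$GITHUB_OUTPUT"`; one form throughout reads better. The file also pins `actions/checkout` and `actions/download-artifact` at the v4.3.0 commits that this very commit replaces with v5.0.0 in linux.yml, so the two near-identical workflows diverge from the start. vmacos.yml in this commit has the same `--labels` interpolation and the same v4.3.0 pins.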
@@ -0,0 +1,184 @@ +name: vmacos + +on: + push: + branches: [main] + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +env: + FORCE_COLOR: 1 + +permissions: {} + +jobs: + generate-matrix: + name: Generate build matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + any_builds: ${{ steps.set-matrix.outputs.any_builds }} + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Set up Python + uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 + + - name: Get pull request labels + id: get-labels + env: + PULL_REQUEST_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }} + run: | + # Convert GitHub labels array to comma-separated string + LABELS=$(echo "${PULL_REQUEST_LABELS}" | jq -r 'join(",")') + echo "labels=$LABELS" >> $GITHUB_OUTPUT + + - name: Generate build matrix + id: set-matrix + run: | + uv run ci-matrix.py \ + --platform darwin \ + --labels '${{ steps.get-labels.outputs.labels }}' \ + --free-runners \ + > matrix.json + + echo "matrix=$(cat matrix.json)" >> $GITHUB_OUTPUT + + # Display the matrix for debugging too + cat matrix.json | jq + + if jq -e '.include | length > 0' matrix.json > /dev/null; then + # Build matrix has entries + echo "any_builds=true" >> $GITHUB_OUTPUT + else + # Build matrix is empty + echo "any_builds=false" >> $GITHUB_OUTPUT + fi + + - name: Check if the `pythonbuild` crate changed + id: check-pythonbuild + env: + BASE_REF: ${{ github.event.pull_request.base.ref || 'main' }} + run: | + merge_base=$(git merge-base HEAD "origin/${BASE_REF}") + if git diff --quiet "${merge_base}...HEAD" -- ':src/*.rs'; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + crate-build: 
+ needs: + - generate-matrix + runs-on: ${{ matrix.runner }} + strategy: + matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix).crate-build }} + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + persist-credentials: false + + - name: Emit rustc version + run: | + rustc --version > .rustc-version + + - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target + key: ${{ runner.os }}-pythonbuild-${{ hashFiles('Cargo.lock', '.rustc-version') }} + + - name: Build + run: | + cargo build --release + + - name: Upload pythonbuild Executable + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: ${{ matrix.crate_artifact_name }} + path: target/release/pythonbuild + + build: + needs: + - generate-matrix + - crate-build + # Permissions used for actions/attest-build-provenance + permissions: + id-token: write + attestations: write + runs-on: ${{ matrix.runner }} + strategy: + matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix).python-build }} + fail-fast: false + name: ${{ matrix.target_triple }} / ${{ matrix.python }} / ${{ matrix.build_options }} + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Install Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: "3.11" + + - name: Download pythonbuild + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: ${{ matrix.crate_artifact_name }} + path: build + + - name: Build + if: ${{ ! 
matrix.dry-run }} + run: | + # Find the latest available macOS SDK + SDK_PATH=$(find /Applications/Xcode*.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs -name "MacOSX*.sdk" | sort -V | tail -1) + if [ -z "$SDK_PATH" ]; then + echo "No macOS SDK found" + exit 1 + fi + echo "Using SDK: $SDK_PATH" + export APPLE_SDK_PATH="$SDK_PATH" + + ./build-macos.py --target-triple ${MATRIX_TARGET_TRIPLE} --python cpython-${MATRIX_PYTHON} --options ${MATRIX_BUILD_OPTIONS} + env: + MATRIX_TARGET_TRIPLE: ${{ matrix.target_triple }} + MATRIX_PYTHON: ${{ matrix.python }} + MATRIX_BUILD_OPTIONS: ${{ matrix.build_options }} + + - name: Generate attestations + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + if: ${{ github.ref == 'refs/heads/main' }} + with: + subject-path: dist/* + + - name: Upload Distributions + if: ${{ ! matrix.dry-run }} + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: cpython-${{ matrix.python }}-${{ matrix.target_triple }}-${{ matrix.build_options }} + path: dist/* + + - name: Checkout macOS SDKs for validation + if: ${{ ! matrix.dry-run }} + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + repository: phracker/MacOSX-SDKs + ref: master + path: macosx-sdks + persist-credentials: false + + - name: Validate Distribution + if: ${{ ! matrix.dry-run }} + run: | + chmod +x build/pythonbuild + + build/pythonbuild validate-distribution --macos-sdks-path macosx-sdks --run dist/*.tar.zst diff --git a/.github/workflows/vrelease.yml b/.github/workflows/vrelease.yml new file mode 100644 index 0000000..1579608 --- /dev/null +++ b/.github/workflows/vrelease.yml 
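Review bot: The `Checkout macOS SDKs for validation` step pulls `phracker/MacOSX-SDKs` at `ref: master`, a mutable branch of a third-party repository, while every action in the file is pinned to a commit SHA; those SDK headers feed `validate-distribution --macos-sdks-path macosx-sdks`, so the validation result depends on whatever that branch contains at run time. Pinning it as `ref: <commit-sha>  # <date or tag>` keeps validation reproducible and makes a change to the SDK set a reviewable diff. Separately, the `Check if the `pythonbuild` crate changed` step computes a `changed` output that nothing in this workflow reads: the job's `outputs:` list only `matrix` and `any_builds`, and unlike vlinux.yml there is no `image` job gated on it, so the step is either dead work or its output needs wiring into `outputs:` as `pythonbuild_changed`.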
@@ -0,0 +1,99 @@ +name: vRelease + +on: + workflow_dispatch: + inputs: + tag: + description: "The version to release (e.g., '20250414')." + type: string + sha: + description: "The full SHA of the commit to be released (e.g., 'd09ff921d92d6da8d8a608eaa850dc8c0f638194')." + type: string + dry-run: + description: "Dry run? Tests the release process without publishing." + default: false + required: false + type: boolean + +env: + FORCE_COLOR: 1 + +permissions: {} + +jobs: + release: + name: Release + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + runs-on: ubuntu-latest + + permissions: + contents: write + packages: write + # Permissions used for actions/attest-build-provenance + id-token: write + attestations: write + + steps: + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + with: + submodules: recursive + persist-credentials: true # needed for git operations below + + - uses: extractions/setup-crate@4993624604c307fbca528d28a3c8b60fa5ecc859 # v1.4.0 + with: + repo: casey/just + version: 1.42.4 + + # Perform a release in dry-run mode. + - run: just release-dry-run ${GH_TOKEN} ${GITHUB_EVENT_INPUTS_SHA} ${GITHUB_EVENT_INPUTS_TAG} + if: ${{ github.event.inputs.dry-run == 'true' }} + env: + GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} + - name: Configure Git identity + if: ${{ github.event.inputs.dry-run == 'false' }} + run: | + git config --global user.name "$GITHUB_ACTOR" + git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" + + # Fetch the commit so that it exists locally. + - name: Fetch commit + if: ${{ github.event.inputs.dry-run == 'false' }} + run: git fetch origin ${GITHUB_EVENT_INPUTS_SHA} + env: + GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} + + # Associate the commit with the tag. 
+ - name: Create tag + if: ${{ github.event.inputs.dry-run == 'false' }} + run: git tag ${GITHUB_EVENT_INPUTS_TAG} ${GITHUB_EVENT_INPUTS_SHA} + env: + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} + GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} + - name: Push tag + if: ${{ github.event.inputs.dry-run == 'false' }} + run: git push origin ${GITHUB_EVENT_INPUTS_TAG} + env: + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} + + # Create a GitHub release. + - name: Create GitHub Release + if: ${{ github.event.inputs.dry-run == 'false' }} + run: just release-create ${GITHUB_EVENT_INPUTS_TAG} + env: + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} + + # Uploading the relevant artifact to the GitHub release. + - run: just release-run ${GH_TOKEN} ${GITHUB_EVENT_INPUTS_SHA} ${GITHUB_EVENT_INPUTS_TAG} + if: ${{ github.event.inputs.dry-run == 'false' }} + env: + GITHUB_EVENT_INPUTS_SHA: ${{ github.event.inputs.sha }} + GITHUB_EVENT_INPUTS_TAG: ${{ github.event.inputs.tag }} + - name: Generate attestations + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + if: ${{ github.event.inputs.dry-run == 'false' }} + with: + subject-path: | + dist/*.tar.gz + dist/*.tar.zst diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 94bdc04..06a369e 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -1,9 +1,7 @@ name: windows on: - push: - branches: [main] - pull_request: + workflow_dispatch: # Only run manually concurrency: group: ${{ github.workflow }}-${{ github.ref_name }}-${{ github.event.pull_request.number || github.sha }} 
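Review bot: The `tag` and `sha` workflow_dispatch inputs are used unvalidated and unquoted in `git fetch origin ${GITHUB_EVENT_INPUTS_SHA}`, `git tag ${GITHUB_EVENT_INPUTS_TAG} ${GITHUB_EVENT_INPUTS_SHA}` and `git push origin ${GITHUB_EVENT_INPUTS_TAG}`, so a mistyped or abbreviated value creates a tag on the wrong commit or pushes an unintended ref with `contents: write` before anything notices. A first step that checks both inputs against the formats the input descriptions promise (a full 40-hex SHA, a date-style tag) stops the run before any credentialed git operation; the tag pattern below assumes the `YYYYMMDD` form shown in the description and should be widened if other tag shapes are released. Quoting the expansions as `"${GITHUB_EVENT_INPUTS_SHA}"` in the remaining steps also removes word splitting. Note as well that `${GH_TOKEN}` is handed to `just` as a command-line argument, which makes the token visible to process listings on the runner; having the recipe read it from the environment would avoid that.
```yaml
      - name: Validate inputs
        env:
          INPUT_SHA: ${{ github.event.inputs.sha }}
          INPUT_TAG: ${{ github.event.inputs.tag }}
        run: |
          [[ "${INPUT_SHA}" =~ ^[0-9a-f]{40}$ ]] || { echo "sha must be a full 40-hex commit SHA"; exit 1; }
          [[ "${INPUT_TAG}" =~ ^[0-9]{8}$ ]] || { echo "tag must be a YYYYMMDD release tag"; exit 1; }
      # … unchanged: checkout, setup-crate, dry-run, git identity, fetch/tag/push, release, attestations …
```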
@@ -18,11 +16,7 @@ jobs: crate-build: needs: - generate-matrix - runs-on: ${{ matrix.runner }} - strategy: - matrix: ${{ fromJson(needs.generate-matrix.outputs.crate-build-matrix) }} - fail-fast: false - name: crate / ${{ matrix.arch }} + runs-on: 'windows-latest' steps: - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: diff --git a/Justfile b/Justfile index c9b8167..1118075 100644 --- a/Justfile +++ b/Justfile @@ -28,15 +28,15 @@ cat-python-json archive: # Download release artifacts from GitHub Actions release-download-distributions token commit: mkdir -p dist - cargo run --release -- fetch-release-distributions --token {{token}} --commit {{commit}} --dest dist + cargo run --release -- fetch-release-distributions --org verkada --token {{token}} --commit {{commit}} --dest dist # Upload release artifacts to a GitHub release. release-upload-distributions token datetime tag: - cargo run --release -- upload-release-distributions --token {{token}} --datetime {{datetime}} --tag {{tag}} --dist dist + cargo run --release -- upload-release-distributions --org verkada --token {{token}} --datetime {{datetime}} --tag {{tag}} --dist dist # "Upload" release artifacts to a GitHub release in dry-run mode (skip upload). release-upload-distributions-dry-run token datetime tag: - cargo run --release -- upload-release-distributions --token {{token}} --datetime {{datetime}} --tag {{tag}} --dist dist -n + cargo run --release -- upload-release-distributions --org verkada --token {{token}} --datetime {{datetime}} --tag {{tag}} --dist dist -n # Promote a tag to "latest" by pushing to the `latest-release` branch. release-set-latest-release tag: diff --git a/binutils-2.43.tar.xz b/binutils-2.43.tar.xz new file mode 100644 index 0000000..42f8fd3 Binary files /dev/null and b/binutils-2.43.tar.xz differ diff --git a/ci-matrix.py b/ci-matrix.py index 91cfa95..ff8b2d1 100644 --- a/ci-matrix.py +++ b/ci-matrix.py 
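Review bot: Removing `strategy.matrix` from `crate-build` while keeping `needs: - generate-matrix` leaves a dependency that nothing in the visible part of the job consumes, and any later step in the job that still references `matrix.*` (the rest of the job lies outside this hunk, so this is inferred) will now expand to an empty string instead of failing visibly. Either drop the `needs` entry and audit the remaining steps for `matrix.` references, or keep a one-entry matrix so those references stay valid. `runs-on: 'windows-latest'` is also the only quoted `runs-on` value among this commit's workflows; `runs-on: windows-latest` matches the rest.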
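Review bot: `--org verkada` is now repeated verbatim in the three `cargo run` recipes (`release-download-distributions`, `release-upload-distributions`, `release-upload-distributions-dry-run`), so a future org rename or fork has to edit each one; a variable near the top of the Justfile, `org := "verkada"`, referenced as `--org {{org}}` in each recipe, keeps the value in one place. Leaving `{{token}}` on the command line is unchanged by this hunk, but with `just` echoing recipe lines by default it is worth a note that the token reaches the recipe via an argument rather than the environment.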
@@ -217,7 +217,7 @@ def find_runner(runners: dict[str, Any], platform: str, arch: str, free: bool) - match_platform = [ runner for runner in runners - if runners[runner]["platform"] == platform and runners[runner]["free"] == free + if runners[runner]["platform"] == platform ] # Then, find a matching architecture diff --git a/ci-runners.yaml b/ci-runners.yaml index dae6aab..bf41eaa 100644 --- a/ci-runners.yaml +++ b/ci-runners.yaml @@ -1,20 +1,5 @@ # Describes the runners that the CI system can use -depot-ubuntu-22.04: - arch: x86_64 - platform: linux - free: false - -depot-ubuntu-22.04-arm: - arch: aarch64 - platform: linux - free: false - -depot-macos-latest: - arch: x86_64 - platform: darwin - free: false - ubuntu-latest: arch: x86_64 platform: linux @@ -24,23 +9,3 @@ macos-latest: arch: x86_64 platform: darwin free: true - -depot-windows-2022-8: - arch: x86_64 - platform: windows - free: false - -windows-latest-large: - arch: x86_64 - platform: windows - free: false - -windows-latest: - arch: x86_64 - platform: windows - free: true - -windows-11-arm: - arch: aarch64 - platform: windows - free: false diff --git a/ci-targets.yaml b/ci-targets.yaml index 0662bbe..bc8f5d0 100644 --- a/ci-targets.yaml +++ b/ci-targets.yaml 
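Review bot: With the `runners[runner]["free"] == free` clause removed, the `free: bool` parameter in `find_runner`'s signature (visible in the hunk header) no longer affects the result, yet the vlinux.yml and vmacos.yml workflows in this commit still pass `--free-runners`, so callers believe they are constraining runner choice when they are not. Either remove the parameter and the CLI flag together, or keep the filter and rely on `ci-runners.yaml` now listing only `free: true` runners; at minimum a comment beside the comprehension, `# `free` is not applied: ci-runners.yaml lists only free runners`, would state the intent. The body of `find_runner` continues outside the hunk, so other uses of `free` further down cannot be checked here.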
@@ -1,428 +1,52 @@ # Describes the targets that the CI system will build and test on. +# Simplified to build only install_only targets darwin: aarch64-apple-darwin: arch: aarch64 python_versions: - - "3.9" - "3.10" - "3.11" - "3.12" - "3.13" - "3.14" build_options: - - debug - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" x86_64-apple-darwin: arch: x86_64 python_versions: - - "3.9" - "3.10" - "3.11" - "3.12" - "3.13" - "3.14" build_options: - - debug - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" linux: aarch64-unknown-linux-gnu: arch: aarch64 libc: gnu python_versions: - - "3.9" - "3.10" - "3.11" - "3.12" - "3.13" - "3.14" build_options: - - debug - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" - armv7-unknown-linux-gnueabi: - arch: armv7 - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - - armv7-unknown-linux-gnueabihf: - arch: armv7 - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - - s390x-unknown-linux-gnu: - arch: s390x - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - - ppc64le-unknown-linux-gnu: - arch: ppc64le - 
libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - - riscv64-unknown-linux-gnu: - arch: riscv64 - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" x86_64-unknown-linux-gnu: arch: x86_64 libc: gnu python_versions: - - "3.9" - "3.10" - "3.11" - "3.12" - "3.13" - "3.14" build_options: - - debug - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" - run: true - - x86_64_v2-unknown-linux-gnu: - arch: x86_64 - arch_variant: v2 - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" - run: true - - x86_64_v3-unknown-linux-gnu: - arch: x86_64 - arch_variant: v3 - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" - run: true - - x86_64_v4-unknown-linux-gnu: - arch: x86_64 - arch_variant: v4 - libc: gnu - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug - - pgo+lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+pgo+lto - minimum-python-version: "3.13" - run: true - - x86_64-unknown-linux-musl: - arch: x86_64 - libc: musl - python_versions: - - 
"3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug+static - - noopt+static - - lto+static - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - run: true - - x86_64_v2-unknown-linux-musl: - arch: x86_64 - arch_variant: v2 - libc: musl - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug+static - - noopt+static - - lto+static - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - run: true - - x86_64_v3-unknown-linux-musl: - arch: x86_64 - arch_variant: v3 - libc: musl - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug+static - - noopt+static - - lto+static - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - run: true - - x86_64_v4-unknown-linux-musl: - arch: x86_64 - arch_variant: v4 - libc: musl - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - debug+static - - noopt+static - - lto+static - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - minimum-python-version: "3.13" - run: true - - aarch64-unknown-linux-musl: - arch: aarch64 - libc: musl - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - # TODO: Static support is current blocked by some compiler-rt linking issues - # - debug+static - # - noopt+static - # - lto+static - - debug - - noopt - - lto - build_options_conditional: - - options: - - freethreaded+debug - - freethreaded+noopt - - freethreaded+lto - 
minimum-python-version: "3.13" - run: true - -windows: - i686-pc-windows-msvc: - arch: x86 - vcvars: vcvars32.bat - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - pgo - build_options_conditional: - - options: - - freethreaded+pgo - minimum-python-version: "3.13" - - x86_64-pc-windows-msvc: - arch: x86_64 - vcvars: vcvars64.bat - python_versions: - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - pgo - build_options_conditional: - - options: - - freethreaded+pgo - minimum-python-version: "3.13" - - aarch64-pc-windows-msvc: - arch: aarch64 - vcvars: vcvarsamd64_arm64.bat - python_versions: - # On 3.9 / 3.10, `_tkinter` is failing to be included in the build - # - "3.9" - # - "3.10" - - "3.11" - - "3.12" - - "3.13" - - "3.14" - build_options: - - pgo - build_options_conditional: - - options: - - freethreaded+pgo - minimum-python-version: "3.13" + run: true \ No newline at end of file diff --git a/cpython-unix/build-cpython.sh b/cpython-unix/build-cpython.sh index d21533a..e33fe59 100755 --- a/cpython-unix/build-cpython.sh +++ b/cpython-unix/build-cpython.sh @@ -44,7 +44,9 @@ sed "${sed_args[@]}" "s|/tools/host|${TOOLS_PATH}/host|g" ${TOOLS_PATH}/host/sha # We force linking of external static libraries by removing the shared # libraries. This is hacky. But we're building in a temporary container # and it gets the job done. -find ${TOOLS_PATH}/deps -name '*.so*' -a \! \( -name 'libtcl*.so*' -or -name 'libtk*.so*' \) -exec rm {} \; +# `fips.so` is an exception as it needs to be available to enable FIPS via +# openssl configuration. +find ${TOOLS_PATH}/deps -name '*.so*' ! -name 'fips.so' ! -name 'libtcl*.so*' ! -name 'libtk*.so*' -exec rm {} \; tar -xf Python-${PYTHON_VERSION}.tar.xz 
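Review bot: The new side now lists only `pgo+lto` for every remaining target and drops all `build_options_conditional` free-threaded entries, yet the context lines of the `src/release.rs` hunk in this same diff still define `linux_suffixes_pgo` as `["debug", "pgo+lto"]` and `linux_suffixes_pgo_freethreaded` with `freethreaded+debug`/`freethreaded+pgo+lto` for the surviving Linux triples, so the release tooling will go looking for `debug` and free-threaded archives that CI never builds. Trim those vectors to match, or extend the header comment `# Simplified to build only install_only targets` to say that release validation is expected to report the missing variants. The closing `run: true` is also committed without a trailing newline (`\ No newline at end of file`); add one so the next edit does not churn that line.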
@@ -1278,6 +1280,13 @@ if [ -d "${TOOLS_PATH}/deps/usr/share/terminfo" ]; then cp -av ${TOOLS_PATH}/deps/usr/share/terminfo ${ROOT}/out/python/install/share/ fi +# Copy files required to enable FIPS if enabled. +if [ -f ${TOOLS_PATH}/deps/fipsmodule.cnf ]; then + mkdir -p ${ROOT}/out/python/install/share/ssl + cp -rv ${TOOLS_PATH}/deps/lib/ossl-modules ${ROOT}/out/python/install/share/ssl + cp -av ${TOOLS_PATH}/deps/fipsmodule.cnf ${ROOT}/out/python/install/share/ssl +fi + # config.c defines _PyImport_Inittab and extern references to modules, which # downstream consumers may want to strip. We bundle config.c and config.c.in so # a custom one can be produced downstream. diff --git a/cpython-unix/build-openssl-3.0.sh b/cpython-unix/build-openssl-3.0.sh index 1d1f913..74526de 100755 --- a/cpython-unix/build-openssl-3.0.sh +++ b/cpython-unix/build-openssl-3.0.sh @@ -16,18 +16,23 @@ pushd openssl-${OPENSSL_3_0_VERSION} # Otherwise it gets set to /tools/deps/ssl by default. case "${TARGET_TRIPLE}" in *apple*) - EXTRA_FLAGS="--openssldir=/private/etc/ssl" + OPENSSL_DIR=/private/etc/ssl ;; *) - EXTRA_FLAGS="--openssldir=/etc/ssl" + OPENSSL_DIR=/etc/ssl ;; esac +EXTRA_FLAGS="--openssldir=${OPENSSL_DIR}" +EXTRA_INSTALL_FLAGS="" # musl is missing support for various primitives. # TODO disable secure memory is a bit scary. We should look into a proper # workaround. if [ "${CC}" = "musl-clang" ]; then EXTRA_FLAGS="${EXTRA_FLAGS} no-async -DOPENSSL_NO_ASYNC -D__STDC_NO_ATOMICS__=1 no-engine -DOPENSSL_NO_SECURE_MEMORY" +else + EXTRA_INSTALL_FLAGS="install_fips" + EXTRA_FLAGS="${EXTRA_FLAGS} enable-fips" fi # The -arch cflags confuse Configure. And OpenSSL adds them anyway. 
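Review bot: `fipsmodule.cnf` carries the `module-mac` HMAC that `openssl fipsinstall` computed over the exact bytes of `fips.so` in `ossl-modules`, so copying both into `install/share/ssl` only helps if nothing later in the build rewrites that object; if the script strips or re-signs shared objects under `install/` further down (outside this hunk), `fips.so` must be excluded or the provider will fail its integrity self-test on load. Nothing in this hunk points OpenSSL at the new directory either: with `--openssldir` baked to `/etc/ssl` by `build-openssl-3.0.sh`, a consumer has to set `OPENSSL_CONF`/`OPENSSL_MODULES` to this `share/ssl` tree before the provider can be enabled, which the bare `# Copy files required to enable FIPS if enabled.` does not convey. I would replace that comment with `# Ship the FIPS provider and its fipsinstall-generated config. Consumers must point OPENSSL_MODULES/OPENSSL_CONF at share/ssl; fips.so must never be stripped or re-signed, its HMAC lives in fipsmodule.cnf.`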
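Review bot: `enable-fips` in the new `else` branch builds a FIPS provider from whatever `OPENSSL_3_0_VERSION` is, but the result is only a *validated* module when the source is one of the releases covered by OpenSSL's FIPS 140 certificates (3.0.0, 3.0.8 and 3.0.9, as far as I recall) and is built per the accompanying Security Policy without local changes; the visibility-flag and install-path tweaks elsewhere in this script may themselves fall outside that policy. Add `# enable-fips yields a self-testing provider. It is a validated FIPS 140 module only for the OpenSSL 3.0.x releases with a certificate, built per the Security Policy.` beside the `else` so nobody advertises the output as FIPS-validated without checking. musl targets silently get no provider at all, which is reasonable but deserves a mention in the existing musl comment.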
@@ -35,6 +40,10 @@ fi EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch arm64/} EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS/\-arch x86_64/} +# With -fvisibility=hidden, OSSL_provider_init symbol is not exported in fips module preventing it from loaded +# OSSL_provider_init is supposed to be `extern` so it should not happen but I can't find a more targeted solution +# at the moment. +EXTRA_TARGET_CFLAGS=${EXTRA_TARGET_CFLAGS//-fvisibility=hidden/} EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}" /usr/bin/perl ./Configure \ @@ -47,4 +56,9 @@ EXTRA_FLAGS="${EXTRA_FLAGS} ${EXTRA_TARGET_CFLAGS}" ${EXTRA_FLAGS} make -j ${NUM_CPUS} -make -j ${NUM_CPUS} install_sw install_ssldirs DESTDIR=${ROOT}/out +make -j ${NUM_CPUS} install_sw install_ssldirs ${EXTRA_INSTALL_FLAGS} DESTDIR=${ROOT}/out + +if [ -f ${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf ]; then + # install_fips does not use DESTDIR. we need to copy it so it gets added to the archive. + cp ${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf ${ROOT}/out/tools/deps/fipsmodule.cnf +fi diff --git a/src/github.rs b/src/github.rs index 5db2247..a90b961 100644 --- a/src/github.rs +++ b/src/github.rs @@ -195,7 +195,6 @@ pub async fn command_fetch_release_distributions(args: &ArgMatches) -> Result<() wf.path.as_str(), ".github/workflows/macos.yml" | ".github/workflows/linux.yml" - | ".github/workflows/windows.yml" ) { workflow_names.insert(wf.id, wf.name); @@ -226,6 +225,7 @@ pub async fn command_fetch_release_distributions(args: &ArgMatches) -> Result<() workflows .list_runs(format!("{workflow_id}")) .event("push") + .event("pull_request") .status("success") .send() .await? diff --git a/src/release.rs b/src/release.rs index 4c123f6..b434d5a 100644 --- a/src/release.rs +++ b/src/release.rs 
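Review bot: The comment `# install_fips does not use DESTDIR.` is contradicted by the line under it, which reads the file from `${ROOT}/out${OPENSSL_DIR}/fipsmodule.cnf`, i.e. a DESTDIR-prefixed path; what actually differs is that `install_fips` writes under `OPENSSLDIR` (`/etc/ssl`) rather than under the `/tools/deps` prefix. Reword it to `# install_fips writes fipsmodule.cnf under OPENSSLDIR, not the prefix; copy it into tools/deps so it lands in the archive.` The `if [ -f ... ]` guard also means a failed or skipped `fipsinstall` (it runs the just-built `openssl` binary, which presumably cannot execute when the target is cross-compiled) is silently ignored unless the script runs under `set -e`, which is not visible here; consider an `else` branch that prints a message and exits non-zero whenever `enable-fips` was requested. Stripping `-fvisibility=hidden` by substring substitution affects libcrypto/libssl as well as the provider, which looks unintended even if harmless for static archives, and the comment above it should say so.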
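Review bot: `.event("push").event("pull_request")` almost certainly does not widen the filter to both events: if the builder holds a single `event` field (octocrab's `ListRunsBuilder` does, as far as I know), the second call overwrites the first and only `pull_request` runs are considered — while this very diff comments out the `pull_request:` trigger in `linux.yml` and `macos.yml`, so there will be none to find. Beyond the bug, sourcing release artifacts from `pull_request` runs is a supply-chain hole: such runs build the PR head, which for a fork PR is untrusted code, whereas `push` runs on `main` are what the `--commit` filter is meant to pin. Keep the filter at `.event("push")`, and if PR-built artifacts are ever needed for testing, gate that behind an explicit flag with a comment saying they are not release-grade. The enclosing function continues outside the hunk.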
@@ -104,66 +104,9 @@ pub static RELEASE_TRIPLES: Lazy> = Lazy:: }, ); - // Windows. - h.insert( - "i686-pc-windows-msvc", - TripleRelease { - suffixes: vec!["pgo"], - install_only_suffix: "pgo", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: vec!["freethreaded+pgo"], - }], - }, - ); - h.insert( - "x86_64-pc-windows-msvc", - TripleRelease { - suffixes: vec!["pgo"], - install_only_suffix: "pgo", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: vec!["freethreaded+pgo"], - }], - }, - ); - h.insert( - "aarch64-pc-windows-msvc", - TripleRelease { - suffixes: vec!["pgo"], - install_only_suffix: "pgo", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.11").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: vec!["freethreaded+pgo"], - }], - }, - ); - // Linux. let linux_suffixes_pgo = vec!["debug", "pgo+lto"]; - let linux_suffixes_nopgo = vec!["debug", "lto", "noopt"]; - let linux_suffixes_musl = vec![ - "debug", - "lto", - "noopt", - "debug+static", - "lto+static", - "noopt+static", - ]; - let linux_suffixes_musl_freethreaded = vec![ - "freethreaded+debug", - "freethreaded+lto", - "freethreaded+noopt", - ]; let linux_suffixes_pgo_freethreaded = vec!["freethreaded+debug", "freethreaded+pgo+lto"]; - let linux_suffixes_nopgo_freethreaded = vec![ - "freethreaded+debug", - "freethreaded+lto", - "freethreaded+noopt", - ]; h.insert( "aarch64-unknown-linux-gnu", 
@@ -178,70 +121,6 @@ pub static RELEASE_TRIPLES: Lazy> = Lazy:: }, ); - h.insert( - "ppc64le-unknown-linux-gnu", - TripleRelease { - suffixes: linux_suffixes_nopgo.clone(), - install_only_suffix: "lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_nopgo_freethreaded.clone(), - }], - }, - ); - - h.insert( - "riscv64-unknown-linux-gnu", - TripleRelease { - suffixes: linux_suffixes_nopgo.clone(), - install_only_suffix: "lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_nopgo_freethreaded.clone(), - }], - }, - ); - - h.insert( - "s390x-unknown-linux-gnu", - TripleRelease { - suffixes: linux_suffixes_nopgo.clone(), - install_only_suffix: "lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_nopgo_freethreaded.clone(), - }], - }, - ); - - h.insert( - "armv7-unknown-linux-gnueabi", - TripleRelease { - suffixes: linux_suffixes_nopgo.clone(), - install_only_suffix: "lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_nopgo_freethreaded.clone(), - }], - }, - ); - - h.insert( - "armv7-unknown-linux-gnueabihf", - TripleRelease { - suffixes: linux_suffixes_nopgo.clone(), - install_only_suffix: "lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: 
vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_nopgo_freethreaded.clone(), - }], - }, - ); h.insert( "x86_64-unknown-linux-gnu", 
@@ -255,102 +134,6 @@ pub static RELEASE_TRIPLES: Lazy> = Lazy:: }], }, ); - h.insert( - "x86_64_v2-unknown-linux-gnu", - TripleRelease { - suffixes: linux_suffixes_pgo.clone(), - install_only_suffix: "pgo+lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_pgo_freethreaded.clone(), - }], - }, - ); - h.insert( - "x86_64_v3-unknown-linux-gnu", - TripleRelease { - suffixes: linux_suffixes_pgo.clone(), - install_only_suffix: "pgo+lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_pgo_freethreaded.clone(), - }], - }, - ); - h.insert( - "x86_64_v4-unknown-linux-gnu", - TripleRelease { - suffixes: linux_suffixes_pgo.clone(), - install_only_suffix: "pgo+lto", - python_version_requirement: Some(VersionSpecifier::from_str(">=3.9").unwrap()), - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_pgo_freethreaded.clone(), - }], - }, - ); - h.insert( - "x86_64-unknown-linux-musl", - TripleRelease { - suffixes: linux_suffixes_musl.clone(), - install_only_suffix: "lto", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_musl_freethreaded.clone(), - }], - }, - ); - h.insert( - "x86_64_v2-unknown-linux-musl", - TripleRelease { - suffixes: linux_suffixes_musl.clone(), - install_only_suffix: "lto", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: 
linux_suffixes_musl_freethreaded.clone(), - }], - }, - ); - h.insert( - "x86_64_v3-unknown-linux-musl", - TripleRelease { - suffixes: linux_suffixes_musl.clone(), - install_only_suffix: "lto", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_musl_freethreaded.clone(), - }], - }, - ); - h.insert( - "x86_64_v4-unknown-linux-musl", - TripleRelease { - suffixes: linux_suffixes_musl.clone(), - install_only_suffix: "lto", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_musl_freethreaded.clone(), - }], - }, - ); - h.insert( - "aarch64-unknown-linux-musl", - TripleRelease { - suffixes: vec!["debug", "lto", "noopt"], - install_only_suffix: "lto", - python_version_requirement: None, - conditional_suffixes: vec![ConditionalSuffixes { - python_version_requirement: VersionSpecifier::from_str(">=3.13").unwrap(), - suffixes: linux_suffixes_musl_freethreaded.clone(), - }], - }, - ); h }); diff --git a/src/validation.rs b/src/validation.rs index 33e61e2..8a06bf8 100644 --- a/src/validation.rs +++ b/src/validation.rs @@ -1899,6 +1899,12 @@ fn validate_distribution( let mut entry = entry.map_err(|e| anyhow!("failed to iterate over archive: {}", e))?; let path = entry.path()?.to_path_buf(); + if let Some(file_name) = path.file_name() { + if file_name == "fips.dylib" || file_name == "fips.so" { + continue + } + } + seen_paths.insert(path.clone()); if let Some(link_name) = entry.link_name()? {
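Review bot: The added `continue` exempts any archive entry whose file name is `fips.so` or `fips.dylib` from everything that follows, including `seen_paths.insert` and whatever shared-object checks `validate_distribution` applies to other `.so`/`.dylib` files, and it keys on the bare file name, so a `fips.so` planted at any path in the archive is waved through. Scope it to the location `build-cpython.sh` actually produces and keep the path recorded: `if path.ends_with("share/ssl/ossl-modules/fips.so") || path.ends_with("share/ssl/ossl-modules/fips.dylib") { seen_paths.insert(path.clone()); continue; }`. Better still, run the normal shared-object checks on it and relax only the specific check it fails, with a comment naming that check; the provider is the one object whose integrity (its HMAC lives in `fipsmodule.cnf`) a validator should be looking at rather than skipping. `validate_distribution` starts and ends outside the hunk.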