Create tag with constraints files for new releases #6495
Conversation
6c2bbc5 to
06f6ef7
Compare
e1ece0a to
1881cdd
Compare
dc04dee to
a3eeedf
Compare
I'd be in favor of removing the variables entirely if they are indeed just duplicates of default env vars, but yeah it should probably be done in a separate PR. |
There was a problem hiding this comment.
This LGTM from a code standpoint, but I think we'll want to run this by ProdSec since we're passing GitHub tokens around + adding secrets: inherit to a bunch of places. (CC @sfc-gh-hpathak)
I think this should be fine since
- tokens are created for individual workflow runs so should have pretty restricted permissions when the token corresponds to a fork (I'm also assuming they should be short-lived given their intended use-case)
- we require approval from a maintainer to run CI for a PR from a contributor
but I'd prefer to err on the side of caution here. If this turns out this requires some security process or has nontrivial security implications, then I'd suggest splitting 6056a79786bac032ce1d80835b9cc19ef4f93ed9 out into a separate PR so that the rest of it can be merged more quickly.
a3eeedf to
72c0100
Compare
|
I have moved changes that require prod sec reviews to a separate PR. Once this change is merged, I will do a rebase and ask for reviews. |
* develop: Create tag with constraints files for new releases (streamlit#6495) Autoformat yaml in .github dir and enforce formatting (streamlit#6497) Update metadata description (streamlit#6503) Update CODEOWNERS (streamlit#6496)
📚 Context
Hi. I make a few changes so that the constraints files are automatically generated for each new release.
This PR contains the following changes:
Remove
.github/actions/tag_and_repoactionI deleted this action because it made creating new environment variables used by all build steps too complicated. Github Action has an
envfield that we can use in this case. A separate issue is whether we should create these variables at all because it looks like a duplicate of the default environment variables (GITHUB_REF_NAME,GITHUB_REPOSITORY) created by Github Action. I didn't remove these variables to limit the scope.Make "Build Release" workflow run in private forksTo make it easier to test the "Release build" workflow, I made a few changes to make this workflow work on private forks. Especially, if the GitHub token is available, it is passed to HTTP requests and the correct permissions are set for the Github Action token.In private forks, only the step "Upload to PyPI" is not running, because PyPi is a public package repository, so we don't want to put private artifacts in there.Create a tag with constraints files for new releases.
The "Release build" workflow now runs tests against all Python versions to generate the constraints. This file is then placed on the
constraints-releasebranch.If the constraints files have changed since the last release, then a new commit is created. And then a tag is created based on the latest commit.The constraints files are stored in a separate branch, because theoretically on the
developbranch, we can support newer dependencies than on release. We will also have a clearer history because now all user-facing constraints files are on the single branch -constraints-release.🌐 References
Does this depend on other work, documents, or tickets?
Contribution License Agreement
By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.