tailscale-rs/.github/workflows/python.yml at main · GeiserX/tailscale-rs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: python

on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  pull_request:
  workflow_dispatch:
    inputs:
      python_environment:
        default: 'pypi'
        description: 'The GitHub environment to use for publishing, as well as the name
        of the Python package index to publish to. Value must match both the name of a
        GitHub environment and the name of a [[tool.uv.index]] entry in
        ts_python/pyproject.toml.'
        required: true
        type: choice
        options:
          - 'pypi'
          - 'testpypi'

permissions:
  contents: read

env:
  # Cache-busting key -- change it if the build changes in a way that invalidates old
  # cached state.
  cache_key: python-ci
  # Is this a tagged release build?
  is_tag_push: ${{ startsWith(github.ref, 'refs/tags/') }}
  # The GitHub environment to use for the "publish" job. Use the workflow_dispatch input
  # if present, 'pypi' if this is a tagged release build; otherwise, fall back to
  # 'testpypi'.
  python_environment: &python_environment ${{ case(inputs.python_environment != '', inputs.python_environment, startsWith(github.ref, 'refs/tags/'), 'pypi', 'testpypi') }}
  # The Python package index to publish to. Identical to "python_environment", separated
  # for clarity.
  python_index: *python_environment
  # The Python ABI to build wheels for. Serves as a "minimum supported CPython version".
  python_version: 3.12
  # The Rust toolchain version to build the wheels with. Should be latest supported
  # version (MSRV + 1).
  rust_toolchain: 1.95.0

jobs:
  build:
    name: build (${{ matrix.platform.os }}, ${{ matrix.platform.target }})
    # This matrix targets self-hosted runner labels that only exist in the upstream tailscale
    # org; skip off-upstream to avoid queued-run spam.
    if: ${{ github.repository_owner == 'tailscale' }}
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - os: linux
            runner: linux-arm64-16cpu
            target: aarch64
            triple: aarch64-unknown-linux-gnu
          - os: linux
            runner: linux-x86_64-16cpu
            target: x86_64
            triple: x86_64-unknown-linux-gnu
          - os: macOS
            runner: macos-26
            target: aarch64
            triple: aarch64-apple-darwin
          - os: windows
            runner: windows-8vcpu
            target: x86_64
            triple: x86_64-pc-windows-msvc

    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Setup rust
        id: setup-rust
        uses: ./.github/actions/setup-rust
        with:
          toolchain-version: ${{ env.rust_toolchain }}
          builder-triple: ${{ matrix.platform.triple }}
      - name: Install python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.python_version }}
      - name: Build wheels
        uses: PyO3/maturin-action@e83996d129638aa358a18fbd1dfb82f0b0fb5d3b # v1.51.0
        with:
          working-directory: ts_python
          rust-toolchain: ${{ env.rust_toolchain }}
          target: ${{ matrix.platform.triple }}
          args: --release --out dist
          sccache: ${{ !env.is_tag_push }}
          manylinux: auto
      - name: Upload wheels
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: wheels-${{ matrix.platform.os }}-${{ matrix.platform.target }}
          path: ts_python/dist

  publish:
    runs-on: ubuntu-latest
    if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}
    needs: build
    environment: *python_environment
    permissions:
      # Use to sign the release artifacts
      id-token: write
      # Used to upload release artifacts
      contents: write
      # Used to generate artifact attestation
      attestations: write
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - name: Download built wheels
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: ts_python
      - name: Generate artifact attestation
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: 'ts_python/wheels-*/*'
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          working-directory: ts_python
      - name: (Dry Run) Publish to ${{ env.python_index }}
        run: uv publish --dry-run --directory ts_python --index ${{ env.python_index }} 'wheels-*/*'
      - name: Publish to ${{ env.python_index }}
        run: uv publish --directory ts_python --index ${{ env.python_index }} 'wheels-*/*'