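--- a/.github/workflows/release-python.yml
+++ b/.github/workflows/release-python.yml
@@ -25,6 +25,12 @@ env:
 # inside the wheel (matches runtime.py's WHEEL_BUNDLED_BIN search path).
 AASM_BINARY_RELEASE_REPO: AI-agent-assembly/agent-assembly
 PYTHON_VERSION: '3.12'
+# protoc binary version + per-arch SHA256 sums (cross-verified against
+# the GitHub release API's `digest:` field on the v32.1 release assets).
+# Bump in one place when upgrading protoc.
+PROTOC_VERSION: '32.1'
+PROTOC_SHA256_X86_64: 'e9c129c176bb7df02546c4cd6185126ca53c89e7d2f09511e209319704b5dd7e'
+PROTOC_SHA256_AARCH_64: '4a802ed23d70f7bad7eb19e5a3e724b3aa967250d572cadfd537c1ba939aee6a'
 
 jobs:
 build-sdist:
@@ -74,6 +80,32 @@ jobs:
 command: build
 args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
 manylinux: auto
+# The manylinux2014 image (CentOS 7-based) lacks protoc; aa-proto's
+# build.rs needs it via prost-build for proto3 syntax. The yum/dnf
+# `protobuf-compiler` package on CentOS 7 ships protoc 2.5.0 which
+# ONLY understands proto2 ("Unrecognized syntax identifier 'proto3'"),
+# so we download the official protoc binary release instead.
+#
+# SECURITY: the zip is downloaded over HTTPS from GitHub's release
+# CDN AND verified against a hardcoded SHA256 cross-checked against
+# the GitHub release API's `digest` field. Without the SHA check we'd
+# be installing an arbitrary binary as root with no integrity gate.
+before-script-linux: |
+set -euo pipefail
+(command -v unzip >/dev/null) || (yum install -y unzip || dnf install -y unzip)
+ARCH=$(uname -m)
+case "$ARCH" in
+x86_64) PROTOC_ARCH="x86_64"; EXPECTED_SHA="${{ env.PROTOC_SHA256_X86_64 }}" ;;
+aarch64) PROTOC_ARCH="aarch_64"; EXPECTED_SHA="${{ env.PROTOC_SHA256_AARCH_64 }}" ;;
+*) echo "::error::unsupported manylinux arch: $ARCH"; exit 1 ;;
+esac
+curl -sSLf --retry 3 --retry-delay 5 \
+"https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-linux-${PROTOC_ARCH}.zip" \
+-o /tmp/protoc.zip
+echo "${EXPECTED_SHA} /tmp/protoc.zip" | sha256sum --check --status \
+|| { echo "::error::protoc-${{ env.PROTOC_VERSION }}-linux-${PROTOC_ARCH}.zip SHA256 mismatch β€” refusing to install"; sha256sum /tmp/protoc.zip; exit 1; }
+unzip -o /tmp/protoc.zip -d /usr/local >/dev/null
+protoc --version
 - name: Upload wheel artifact
 uses: actions/upload-artifact@v7
 with:
@@ -108,6 +140,24 @@ jobs:
 command: build
 args: --release --out dist --interpreter ${{ env.PYTHON_VERSION }}
 manylinux: auto
+# See linux-x86_64 above for rationale + security model. Same
+# SHA-verified protoc binary download.
+before-script-linux: |
+set -euo pipefail
+(command -v unzip >/dev/null) || (yum install -y unzip || dnf install -y unzip)
+ARCH=$(uname -m)
+case "$ARCH" in
+x86_64) PROTOC_ARCH="x86_64"; EXPECTED_SHA="${{ env.PROTOC_SHA256_X86_64 }}" ;;
+aarch64) PROTOC_ARCH="aarch_64"; EXPECTED_SHA="${{ env.PROTOC_SHA256_AARCH_64 }}" ;;
+*) echo "::error::unsupported manylinux arch: $ARCH"; exit 1 ;;
+esac
+curl -sSLf --retry 3 --retry-delay 5 \
+"https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-linux-${PROTOC_ARCH}.zip" \
+-o /tmp/protoc.zip
+echo "${EXPECTED_SHA} /tmp/protoc.zip" | sha256sum --check --status \
+|| { echo "::error::protoc-${{ env.PROTOC_VERSION }}-linux-${PROTOC_ARCH}.zip SHA256 mismatch β€” refusing to install"; sha256sum /tmp/protoc.zip; exit 1; }
+unzip -o /tmp/protoc.zip -d /usr/local >/dev/null
+protoc --version
 - name: Upload wheel artifact
 uses: actions/upload-artifact@v7
 with:
@@ -135,6 +185,8 @@ jobs:
 else
 echo "::warning::aasm-macos-arm64 not yet published by $AASM_REPO β€” wheel will ship without bundled binary"
 fi
+- name: Install protoc (macOS)
+run: brew install protobuf
 - name: Build wheel
 uses: PyO3/maturin-action@v1
 with:
@@ -168,6 +220,8 @@ jobs:
 else
 echo "::warning::aasm-macos-x86_64 not yet published by $AASM_REPO β€” wheel will ship without bundled binary"
 fi
+- name: Install protoc (macOS)
+run: brew install protobuf
 - name: Build wheel
 uses: PyO3/maturin-action@v1
 with: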
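Review bot: The two `Install protoc (macOS)` steps (hunks at -135 and -168) run `brew install protobuf` with no version pin and no digest check, so `PROTOC_VERSION` and the SHA256 gate added for the manylinux builds do not govern the macOS wheels. Those release wheels would be built with whatever protoc Homebrew serves that day, which hurts reproducibility and leaves the macOS toolchain outside the integrity model the Linux comment describes. The upstream release also publishes `osx-aarch_64` and `osx-x86_64` zips, so the same download-and-verify step can be reused with two more pinned sums taken from that release. The variable name below is a placeholder to add next to the Linux sums, and the x86_64 job needs the matching asset name and sum. Both steps sit in jobs whose definitions start and end outside the hunks.

```yaml
# … unchanged: bundled aasm binary download step …
      - name: Install protoc (macOS)
        env:
          # placeholder: define PROTOC_SHA256_OSX_AARCH_64 beside the Linux sums
          EXPECTED_SHA: ${{ env.PROTOC_SHA256_OSX_AARCH_64 }}
        run: |
          set -euo pipefail
          ZIP="protoc-${PROTOC_VERSION}-osx-aarch_64.zip"
          curl -sSLf --retry 3 --retry-delay 5 \
            "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/${ZIP}" \
            -o "${RUNNER_TEMP}/${ZIP}"
          echo "${EXPECTED_SHA}  ${RUNNER_TEMP}/${ZIP}" | shasum -a 256 --check --status
          unzip -o "${RUNNER_TEMP}/${ZIP}" -d "${RUNNER_TEMP}/protoc" >/dev/null
          echo "${RUNNER_TEMP}/protoc/bin" >> "${GITHUB_PATH}"
```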