.github/workflows/release-binaries-all.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

name: Release Binaries All

permissions:
  contents: read # Default everything to read-only

on:
  workflow_dispatch:
    inputs:
      release-version:
        description: 'Release Version'
        required: true
        type: string
      upload:
        description: 'Upload binaries to the release page'
        required: true
        default: false
        type: boolean

  workflow_call:
    inputs:
      release-version:
        description: 'Release Version'
        required: true
        type: string
      upload:
        description: 'Upload binaries to the release page'
        required: true
        default: false
        type: boolean
    secrets:
      RELEASE_TASKS_USER_TOKEN:
        description: "Secret used to check user permissions."
        required: false

  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      # When a PR is closed, we still start this workflow, but then skip
      # all the jobs, which makes it effectively a no-op.  The reason to
      # do this is that it allows us to take advantage of concurrency groups
      # to cancel in progress CI jobs whenever the PR is closed.
      - closed
    paths:
      - '.github/workflows/release-binaries-all.yml'
      - '.github/workflows/release-binaries.yml'
      - '.github/workflows/release-binaries-setup-stage/*'
      - '.github/workflows/release-binaries-save-stage/*'
      - 'clang/cmake/caches/Release.cmake'

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || 'dispatch' }}
  cancel-in-progress: True

jobs:
  setup-variables:
    if: >-
      (github.event_name != 'pull_request' || github.event.action != 'closed')
    runs-on: ubuntu-24.04
    outputs:
      release-version: ${{ steps.vars.outputs.release-version }}
      upload: ${{ steps.vars.outputs.upload }}
    steps:
      - shell: bash
        id: vars
        run: |
          upload="${{ inputs.upload }}"
          release_version="${{ inputs.release-version }}"
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            upload="false"
            release_version=""
          fi
          echo "release-version=$release_version" >> "$GITHUB_OUTPUT"
          echo "upload=$upload" >> "$GITHUB_OUTPUT"

  release-binaries-all:
    name: Build Release Binaries
    needs:
      - setup-variables
    permissions:
      contents: write # For release uploads
      id-token: write     # For artifact attestations
      attestations: write # For artifact attestations
    strategy:
      fail-fast: false
      matrix:
        # We use ubuntu-22.04 rather than the latest version to make the built
        # binaries more portable (eg functional aginast older glibc).
        runs-on:
          - ubuntu-22.04
          - ubuntu-22.04-arm
          - macos-14

    uses: ./.github/workflows/release-binaries.yml
    with:
      release-version: "${{ needs.setup-variables.outputs.release-version }}"
      upload: ${{ needs.setup-variables.outputs.upload == 'true'}}
      runs-on: "${{ matrix.runs-on }}"
    secrets:
      # This will be empty for pull_request events, but that's fine, because
      # the release-binaries workflow does not use this secret for the
      # pull_request event.
      RELEASE_TASKS_USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}