Skip to content

CD - Syft

CD - Syft #379

Workflow file for this run

name: CD - Syft
on:
schedule:
- cron: "0 12 * * 0" # At 12:00 UTC on every Sunday
workflow_dispatch:
inputs:
skip_tests:
description: "If true, skip pre-release tests"
required: false
default: "false"
type: choice
options:
- "false"
- "true"
release_platform:
description: "Release Platform"
required: true
default: "REAL_PYPI"
type: choice
options:
- REAL_PYPI
- TEST_PYPI
- REAL_AND_TEST_PYPI
# Prevents concurrent runs of the same workflow
# while the previous run is still in progress
concurrency:
group: "CD - Syft"
cancel-in-progress: false
jobs:
release-checks:
if: github.repository == 'OpenMined/PySyft' # don't run on forks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
# The steps ensure that the cron job is able to run only for
# for beta releases and not for stable releases
# For stable release, we always have to manually run the workflow
- name: Check if the release is a beta release
run: |
if [[ $(python packages/grid/VERSION) != *"beta"* && ${{github.event_name}} == 'schedule' ]]; then
echo "Cron Job could only be run for beta releases"
exit 1
fi
# Print the github user triggering the workflow
- name: Github User triggering the workflow
run: |
echo "Github User: ${{ github.actor }}"
call-pr-tests-linting:
needs: [release-checks]
if: github.repository == 'OpenMined/PySyft' && needs.release-checks.result == 'success' && (github.event.inputs.skip_tests == 'false' || github.event_name == 'schedule') # don't run on forks
uses: OpenMined/PySyft/.github/workflows/pr-tests-linting.yml@dev
call-pr-tests-syft:
needs: [release-checks]
if: github.repository == 'OpenMined/PySyft' && needs.release-checks.result == 'success' && (github.event.inputs.skip_tests == 'false' || github.event_name == 'schedule') # don't run on forks
uses: OpenMined/PySyft/.github/workflows/pr-tests-syft.yml@dev
call-pr-tests-stack:
needs: [release-checks]
if: github.repository == 'OpenMined/PySyft' && needs.release-checks.result == 'success' && (github.event.inputs.skip_tests == 'false' || github.event_name == 'schedule') # don't run on forks
uses: OpenMined/PySyft/.github/workflows/pr-tests-stack.yml@dev
secrets: inherit
build-and-push-docker-images:
needs:
[
call-pr-tests-linting,
call-pr-tests-syft,
call-pr-tests-stack,
release-checks,
]
if: always() && needs.release-checks.result == 'success' && (needs.call-pr-tests-linting.result == 'success' && needs.call-pr-tests-syft.result == 'success' && needs.call-pr-tests-stack.result == 'success' || github.event.inputs.skip_tests == 'true')
strategy:
matrix:
runner: [sh-arc-linux-x64, sh-arc-linux-arm64]
runs-on: ${{ matrix.runner }}
outputs:
release_tag: ${{ steps.get_release_tag.outputs.release_tag }}
server_version: ${{ steps.release_metadata.outputs.server_version }}
steps:
- uses: actions/checkout@v4
- name: Setup Python on ${{ matrix.runner }}
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Git
run: |
sudo apt-get update
sudo apt-get install git -y
- name: Check python version
run: |
python --version
python3 --version
which python
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install uv==0.4.1 tox==4.18.0 tox-uv==1.11.2 bump2version==1.0.1
uv --version
- name: Get Release tag
id: get_release_tag
run: |
if [[ $(python packages/grid/VERSION) == *"beta"* ]]; then
echo "release_tag=beta" >> $GITHUB_OUTPUT
else
echo "release_tag=latest" >> $GITHUB_OUTPUT
fi
- name: Bump the Version
if: steps.get_release_tag.outputs.release_tag == 'beta'
run: |
ls **/VERSION | xargs -I {} python {}
cat packages/grid/devspace.yaml | grep '0\.'
bump2version prenum --allow-dirty --no-commit
ls **/VERSION | xargs -I {} python {}
cat packages/grid/devspace.yaml | grep '0\.'
- name: Generate Release Metadata
id: release_metadata
run: |
if [[ ${{matrix.runner}} == *"x64"* ]]; then
echo "release_platform=linux/amd64" >> $GITHUB_OUTPUT
echo "short_release_platform=amd64" >> $GITHUB_OUTPUT
else
echo "release_platform=linux/arm64" >> $GITHUB_OUTPUT
echo "short_release_platform=arm64" >> $GITHUB_OUTPUT
fi
echo "server_version=$(python packages/grid/VERSION)" >> $GITHUB_OUTPUT
# TODO: Optimize redundant bump protocol version checks
- name: Check and Bump Protocol Version
run: |
if [[ "${{ steps.get_release_tag.outputs.release_tag }}" == "latest" ]]; then
export BUMP=True
fi
tox -e syft.protocol.check
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_LOGIN }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and push `syft-backend` image to DockerHub
id: syft-backend-build
uses: docker/build-push-action@v6
with:
context: ./packages
file: ./packages/grid/backend/backend.dockerfile
platforms: ${{ steps.release_metadata.outputs.release_platform }}
target: backend
outputs: type=image,name=openmined/syft-backend,push-by-digest=true,name-canonical=true,push=true
cache-from: type=registry,ref=openmined/syft-backend:cache-${{ steps.release_metadata.outputs.short_release_platform }}
cache-to: type=registry,ref=openmined/syft-backend:cache-${{ steps.release_metadata.outputs.short_release_platform }},mode=max
- name: Export digest for syft-backend
run: |
mkdir -p /tmp/digests/syft-backend
digest="${{ steps.syft-backend-build.outputs.digest }}"
touch "/tmp/digests/syft-backend/${digest#sha256:}"
- name: Build and push `syft-frontend` image to DockerHub
id: syft-frontend-build
uses: docker/build-push-action@v6
with:
context: ./packages/grid/frontend
file: ./packages/grid/frontend/frontend.dockerfile
platforms: ${{ steps.release_metadata.outputs.release_platform }}
outputs: type=image,name=openmined/syft-frontend,push-by-digest=true,name-canonical=true,push=true
target: syft-ui-development
cache-from: type=registry,ref=openmined/syft-frontend:cache-${{ steps.release_metadata.outputs.short_release_platform }}
cache-to: type=registry,ref=openmined/syft-frontend:cache-${{ steps.release_metadata.outputs.short_release_platform}},mode=max
- name: Export digest for syft-frontend
run: |
mkdir -p /tmp/digests/syft-frontend
digest="${{ steps.syft-frontend-build.outputs.digest }}"
touch "/tmp/digests/syft-frontend/${digest#sha256:}"
- name: Build and push `syft-seaweedfs` image to DockerHub
id: syft-seaweedfs-build
uses: docker/build-push-action@v6
with:
context: ./packages/grid/seaweedfs
file: ./packages/grid/seaweedfs/seaweedfs.dockerfile
platforms: ${{ steps.release_metadata.outputs.release_platform }}
outputs: type=image,name=openmined/syft-seaweedfs,push-by-digest=true,name-canonical=true,push=true
cache-from: type=registry,ref=openmined/syft-seaweedfs:cache-${{ steps.release_metadata.outputs.short_release_platform }}
cache-to: type=registry,ref=openmined/syft-seaweedfs:cache-${{ steps.release_metadata.outputs.short_release_platform}},mode=max
- name: Export digest for syft-seaweedfs
run: |
mkdir -p /tmp/digests/syft-seaweedfs
digest="${{ steps.syft-seaweedfs-build.outputs.digest }}"
touch "/tmp/digests/syft-seaweedfs/${digest#sha256:}"
- name: Build and push `syft-rathole` image to Dockerhub
id: syft-rathole-build
uses: docker/build-push-action@v6
with:
context: ./packages/grid/rathole
file: ./packages/grid/rathole/rathole.dockerfile
platforms: ${{ steps.release_metadata.outputs.release_platform }}
outputs: type=image,name=openmined/syft-rathole,push-by-digest=true,name-canonical=true,push=true
cache-from: type=registry,ref=openmined/syft-rathole:cache-${{ steps.release_metadata.outputs.short_release_platform }}
cache-to: type=registry,ref=openmined/syft-rathole:cache-${{ steps.release_metadata.outputs.short_release_platform}},mode=max
- name: Export digest for syft-rathole
run: |
mkdir -p /tmp/digests/syft-rathole
digest="${{ steps.syft-rathole-build.outputs.digest }}"
touch "/tmp/digests/syft-rathole/${digest#sha256:}"
# Some of the dependencies of syft-enclave-attestation are not available for arm64
# Hence, we are building syft-enclave-attestation only for x64 (see the `if` conditional)
- name: Build and push `syft-enclave-attestation` image to DockerHub
if: ${{ endsWith(matrix.runner, '-x64') }}
id: syft-enclave-attestation-build
uses: docker/build-push-action@v6
with:
context: ./packages/grid/enclave/attestation
file: ./packages/grid/enclave/attestation/attestation.dockerfile
platforms: ${{ steps.release_metadata.outputs.release_platform }}
outputs: type=image,name=openmined/syft-enclave-attestation,push-by-digest=true,name-canonical=true,push=true
cache-from: type=registry,ref=openmined/syft-enclave-attestation:cache-${{ steps.release_metadata.outputs.short_release_platform }}
cache-to: type=registry,ref=openmined/syft-enclave-attestation:cache-${{ steps.release_metadata.outputs.short_release_platform}},mode=max
- name: Export digest for syft-enclave-attestation
if: ${{ endsWith(matrix.runner, '-x64') }}
run: |
mkdir -p /tmp/digests/syft-enclave-attestation
digest="${{ steps.syft-enclave-attestation-build.outputs.digest }}"
touch "/tmp/digests/syft-enclave-attestation/${digest#sha256:}"
- name: Build and push `syft` image to registry
id: syft-build
uses: docker/build-push-action@v6
with:
context: ./packages/
file: ./packages/grid/syft-client/syft.Dockerfile
outputs: type=image,name=openmined/syft-client,push-by-digest=true,name-canonical=true,push=true
platforms: ${{ steps.release_metadata.outputs.release_platform }}
cache-from: type=registry,ref=openmined/syft-client:cache-${{ steps.release_metadata.outputs.short_release_platform }}
cache-to: type=registry,ref=openmined/syft-client:cache-${{ steps.release_metadata.outputs.short_release_platform }},mode=max
- name: Export digest for `syft` image
run: |
mkdir -p /tmp/digests/syft
digest="${{ steps.syft-build.outputs.digest }}"
touch "/tmp/digests/syft/${digest#sha256:}"
- name: Upload digests
uses: actions/upload-artifact@v4
with:
name: digests-${{ steps.release_metadata.outputs.server_version }}-${{ steps.release_metadata.outputs.short_release_platform }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
#Used to merge x64 and arm64 into one docker image
merge-docker-images:
needs: [build-and-push-docker-images]
if: always() && (needs.build-and-push-docker-images.result == 'success')
runs-on: sh-arc-linux-x64
outputs:
release_tag: ${{ needs.build-and-push-docker-images.outputs.release_tag }}
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-${{ needs.build-and-push-docker-images.outputs.server_version }}-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_LOGIN }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Create manifest list and push for syft-backend
working-directory: /tmp/digests/syft-backend
run: |
docker buildx imagetools create \
-t openmined/syft-backend:${{ needs.build-and-push-docker-images.outputs.server_version }} \
-t openmined/syft-backend:${{ needs.build-and-push-docker-images.outputs.release_tag }} \
$(printf 'openmined/syft-backend@sha256:%s ' *)
- name: Create manifest list and push for syft-frontend
working-directory: /tmp/digests/syft-frontend
run: |
docker buildx imagetools create \
-t openmined/syft-frontend:${{ needs.build-and-push-docker-images.outputs.server_version }} \
-t openmined/syft-frontend:${{ needs.build-and-push-docker-images.outputs.release_tag }} \
$(printf 'openmined/syft-frontend@sha256:%s ' *)
- name: Create manifest list and push for syft-seaweedfs
working-directory: /tmp/digests/syft-seaweedfs
run: |
docker buildx imagetools create \
-t openmined/syft-seaweedfs:${{ needs.build-and-push-docker-images.outputs.server_version }} \
-t openmined/syft-seaweedfs:${{ needs.build-and-push-docker-images.outputs.release_tag }} \
$(printf 'openmined/syft-seaweedfs@sha256:%s ' *)
- name: Create manifest list and push for syft-rathole
working-directory: /tmp/digests/syft-rathole
run: |
docker buildx imagetools create \
-t openmined/syft-rathole:${{ needs.build-and-push-docker-images.outputs.server_version }} \
-t openmined/syft-rathole:${{ needs.build-and-push-docker-images.outputs.release_tag }} \
$(printf 'openmined/syft-rathole@sha256:%s ' *)
- name: Create manifest list and push for syft-enclave-attestation
working-directory: /tmp/digests/syft-enclave-attestation
run: |
docker buildx imagetools create \
-t openmined/syft-enclave-attestation:${{ needs.build-and-push-docker-images.outputs.server_version }} \
-t openmined/syft-enclave-attestation:${{ needs.build-and-push-docker-images.outputs.release_tag }} \
$(printf 'openmined/syft-enclave-attestation@sha256:%s ' *)
- name: Create manifest list and push for syft
working-directory: /tmp/digests/syft
run: |
docker buildx imagetools create \
-t openmined/syft-client:${{ needs.build-and-push-docker-images.outputs.server_version }} \
-t openmined/syft-client:${{ needs.build-and-push-docker-images.outputs.release_tag }} \
$(printf 'openmined/syft-client@sha256:%s ' *)
deploy-syft:
needs: [merge-docker-images]
if: always() && needs.merge-docker-images.result == 'success'
runs-on: ubuntu-latest
permissions:
contents: write # For tag and release notes.
outputs:
syft_version: ${{ steps.release_checks.outputs.syft_version }}
release_platform: ${{ github.event.inputs.release_platform }}
steps:
- name: Permission to home directory
run: |
sudo chown -R $USER:$USER $HOME
- uses: actions/checkout@v4
with:
token: ${{ secrets.SYFT_BOT_COMMIT_TOKEN }}
# free 10GB of space
- name: Remove unnecessary files
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
docker image prune --all --force
docker builder prune --all --force
docker system prune --all --force
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install uv==0.4.1 tox==4.18.0 tox-uv==1.11.2 setuptools wheel twine bump2version PyYAML
uv --version
- name: Bump the Version
if: needs.merge-docker-images.outputs.release_tag == 'beta'
run: |
ls **/VERSION | xargs -I {} python {}
cat packages/grid/devspace.yaml | grep '0\.'
bump2version prenum --allow-dirty --no-commit
ls **/VERSION | xargs -I {} python {}
cat packages/grid/devspace.yaml | grep '0\.'
- name: Generate Release Metadata
id: release_checks
run: |
echo "github_release_version=$(python packages/grid/VERSION | sed 's/-beta./b/')" >> $GITHUB_OUTPUT
echo "future_stable_version=$(python packages/grid/VERSION | sed 's/-beta.*//')" >> $GITHUB_OUTPUT
echo "syft_version=$(python packages/grid/VERSION)" >> $GITHUB_OUTPUT
if [[ ${{ needs.merge-docker-images.outputs.release_tag}} == "beta" ]]; then
echo "is_beta_release=true" >> $GITHUB_OUTPUT
else
echo "is_beta_release=false" >> $GITHUB_OUTPUT
fi
- name: Check Protocol Version
run: |
tox -e syft.protocol.check
- name: Build Helm Chart
shell: bash
run: |
# install k3d
K3D_VERSION=v5.6.3
wget https://github.com/k3d-io/k3d/releases/download/${K3D_VERSION}/k3d-linux-amd64
mv k3d-linux-amd64 k3d
chmod +x k3d
export PATH=`pwd`:$PATH
k3d version
#Install Devspace
DEVSPACE_VERSION=v6.3.12
curl -sSL https://github.com/loft-sh/devspace/releases/download/${DEVSPACE_VERSION}/devspace-linux-amd64 -o ./devspace
chmod +x devspace
devspace version
# Install helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
helm version
tox -e syft.build.helm
tox -e syft.package.helm
- name: Check and Bump Protocol Version
run: |
if [[ "${{ needs.merge-docker-images.outputs.release_tag }}" == "latest" ]]; then
export BUMP=True
fi
tox -e syft.protocol.check
- name: Update PyPI Readme
run: |
python scripts/convert_to_pypi_readme.py --input-file packages/syft/README.md --output-file packages/syft/PYPI.md --version ${{ steps.release_checks.outputs.future_stable_version }}
- name: Take API Snapshot
run: |
if [[ "${{ needs.merge-docker-images.outputs.release_tag }}" == "latest" ]]; then
export STABLE_RELEASE=True
fi
SAVE_SNAP=True tox --recreate -e syft.api.snapshot
- name: Linting
run: |
tox -e lint || true
- name: Changes to commit to Syft Repo during beta release
if: needs.merge-docker-images.outputs.release_tag == 'beta'
uses: EndBug/add-and-commit@v9
with:
author_name: ${{ secrets.OM_BOT_NAME }}
author_email: ${{ secrets.OM_BOT_EMAIL }}
message: "[syft]bump version"
add: "['.bumpversion.cfg', 'VERSION', 'packages/grid/VERSION','packages/syft/PYPI.md', 'packages/grid/devspace.yaml', 'packages/syft/src/syft/VERSION', 'packages/syft/setup.cfg', 'packages/grid/frontend/package.json', 'packages/syft/src/syft/__init__.py', 'packages/grid/helm/syft/Chart.yaml','packages/grid/helm/repo', 'packages/syftcli/manifest.yml', 'packages/syft/src/syft/protocol/protocol_version.json', 'packages/syft/src/syft/protocol/releases/', 'packages/grid/backend/grid/images/worker_cpu.dockerfile','packages/grid/helm/syft/values.yaml','packages/grid/helm/syft','packages/syft/src/syft/util/api_snapshot/syft_api_spec_beta.json']"
- name: Changes to commit to Syft Repo during stable release
if: needs.merge-docker-images.outputs.release_tag == 'latest'
uses: EndBug/add-and-commit@v9
with:
author_name: ${{ secrets.OM_BOT_NAME }}
author_email: ${{ secrets.OM_BOT_EMAIL }}
message: "[syft] bump protocol version"
add: "['packages/syft/src/syft/protocol/protocol_version.json', 'packages/syft/src/syft/protocol/releases/','packages/syft/PYPI.md','packages/grid/helm/repo','packages/syft/src/syft/util/api_snapshot/syft_api_spec_stable.json']"
- name: Scheduled Build and Publish
if: github.event_name == 'schedule'
run: |
tox -e syft.publish
twine upload -u __token__ -p ${{ secrets.OM_SYFT_PYPI_TOKEN }} packages/syft/dist/*
- name: Manual Build and Publish
if: github.event_name != 'schedule'
run: |
tox -e syft.publish
if [[ "${{ github.event.inputs.release_platform }}" == "REAL_PYPI" ]]; then
twine upload -u __token__ -p ${{ secrets.OM_SYFT_PYPI_TOKEN }} packages/syft/dist/*
fi
if [[ "${{ github.event.inputs.release_platform }}" == "TEST_PYPI" ]]; then
twine upload -r testpypi -u __token__ -p ${{ secrets.OM_SYFT_TEST_PYPI_TOKEN }} packages/syft/dist/*
fi
if [[ "${{ github.event.inputs.release_platform }}" == "REAL_AND_TEST_PYPI" ]]; then
twine upload -u __token__ -p ${{ secrets.OM_SYFT_PYPI_TOKEN }} packages/syft/dist/*
twine upload -r testpypi -u __token__ -p ${{ secrets.OM_SYFT_TEST_PYPI_TOKEN }} packages/syft/dist/*
fi
# Checkout Infra repo (nested)
- name: Checkout Infra Repo
uses: actions/checkout@v4
with:
repository: ${{ secrets.INFRA_REPO }}
ref: "main"
token: ${{ secrets.INFRA_BOT_COMMIT_TOKEN }}
path: infrastructure
# This step will copy the generated K8s manifest files to the correct directory in Infra repo
- name: Copy files to Infra Repo
run: |
if [[ "${{ needs.merge-docker-images.outputs.release_tag }}" == "beta" ]]; then
rm -rf infrastructure/gitops/environments/pre_release/
mkdir -p infrastructure/gitops/environments/pre_release/
cp -R packages/grid/helm/syft/. infrastructure/gitops/environments/pre_release/
else
rm -rf infrastructure/gitops/environments/stable/
mkdir -p infrastructure/gitops/environments/stable/
cp -R packages/grid/helm/syft/. infrastructure/gitops/environments/stable/
fi
- name: Commit changes to Infra Repo
uses: EndBug/add-and-commit@v9
with:
author_name: ${{ secrets.OM_BOT_NAME }}
author_email: ${{ secrets.OM_BOT_EMAIL }}
message: "Update K8s Manifests from Syft Repo"
add: "."
push: "origin main"
cwd: "./infrastructure/"
- name: Create SyftCLI Config assets
run: |
pip install pyyaml
python scripts/create_syftcli_config.py
- name: GitHub Release
if: github.event.inputs.release_platform != 'TEST_PYPI'
uses: softprops/action-gh-release@v2
with:
name: v${{ steps.release_checks.outputs.github_release_version }}
generate_release_notes: true
prerelease: ${{ steps.release_checks.outputs.is_beta_release }}
files: |
./packages/syftcli/manifest.yml
./build/syftcli-config/*
tag_name: v${{ steps.release_checks.outputs.github_release_version }}
# Checkout to gh-pages and update helm repo
- name: Checkout to gh-pages
uses: actions/checkout@v4
with:
ref: gh-pages
token: ${{ secrets.SYFT_BOT_COMMIT_TOKEN }}
path: ghpages
- name: Copy helm repo files from Syft Repo
run: |
cp packages/grid/helm/repo/syft-${{ steps.release_checks.outputs.syft_version }}.tgz ghpages/helm/
cd ghpages/helm && helm repo index . --url https://openmined.github.io/PySyft/helm
- name: Commit changes to gh-pages
uses: EndBug/add-and-commit@v9
with:
author_name: ${{ secrets.OM_BOT_NAME }}
author_email: ${{ secrets.OM_BOT_EMAIL }}
message: "Add Helm package for Syft Version: ${{ steps.release_checks.outputs.syft_version }}"
add: "helm/"
push: "origin gh-pages"
cwd: "./ghpages/"
# Since the post-release tests are dependent on the release being available on PyPI
# we need to wait for PyPI to update before running the post-release tests
- name: Wait for PyPI to update
run: |
sleep 120
# Can we remove the always flag from the below job?
call-cd-post-release-tests:
needs: [deploy-syft]
if: always() && github.repository == 'OpenMined/PySyft' && needs.deploy-syft.result == 'success' # don't run on forks
uses: OpenMined/PySyft/.github/workflows/cd-post-release-tests.yml@dev
with:
syft_version: ${{ needs.deploy-syft.outputs.syft_version }}
release_platform: ${{ github.event.inputs.release_platform}}