-
Notifications
You must be signed in to change notification settings - Fork 1
208 lines (179 loc) · 8.19 KB
/
cryptography_wheel.yml
File metadata and controls
208 lines (179 loc) · 8.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
name: cryptography windows
permissions:
contents: read
on:
workflow_dispatch:
inputs:
version:
description: The version to build (leave empty for latest commit)
required: false
env:
CRYPTOGRAPHY_REPO: https://github.com/pyca/cryptography.git
CRYPTOGRAPHY_DIR: cryptography-repo
BUILD_REQUIREMENTS_PATH: cryptography-repo/.github/requirements/build-requirements.txt
UV_REQUIREMENTS_PATH: cryptography-repo/.github/requirements/uv-requirements.txt
jobs:
sdist:
runs-on: ubuntu-latest
name: sdists
outputs:
commit_sha: ${{ steps.clone-repo.outputs.commit_sha }}
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Clone cryptography repository and get commit SHA
id: clone-repo
run: |
git clone ${{ env.CRYPTOGRAPHY_REPO }} ${{ env.CRYPTOGRAPHY_DIR }}
cd ${{ env.CRYPTOGRAPHY_DIR }}
if [ -n "${{ github.event.inputs.version }}" ]; then
git checkout ${{ github.event.inputs.version }}
VERSION_INFO="${{ github.event.inputs.version }}-$(git rev-parse --short HEAD)"
else
git checkout main
VERSION_INFO="$(git rev-parse --short HEAD)"
fi
COMMIT_SHA=$(git rev-parse --short HEAD)
echo "COMMIT_SHA=${COMMIT_SHA}" >> $GITHUB_ENV
echo "commit_sha=${VERSION_INFO}" >> $GITHUB_OUTPUT
echo "Using commit: ${COMMIT_SHA}"
echo "Using version info for artifacts: ${VERSION_INFO}"
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.13"
timeout-minutes: 3
- run: python -m pip install -r $UV_REQUIREMENTS_PATH
- name: Make sdist (cryptography)
run: |
cd ${{ env.CRYPTOGRAPHY_DIR }}
uv build --build-constraint=../$BUILD_REQUIREMENTS_PATH --require-hashes --sdist
mkdir -p ../dist
cp dist/* ../dist/
- name: Make sdist and wheel (vectors)
run: |
cd ${{ env.CRYPTOGRAPHY_DIR }}
uv build --build-constraint=../$BUILD_REQUIREMENTS_PATH --require-hashes vectors/
mkdir -p ../vectors/dist
cp vectors/dist/* ../vectors/dist/
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "cryptography-sdist"
path: dist/cryptography*
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "vectors-sdist-wheel"
path: vectors/dist/cryptography*
- name: Upload requirements files
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "requirements-files"
path: |
${{ env.CRYPTOGRAPHY_DIR }}/.github/requirements/
windows:
needs: [sdist]
runs-on: ${{ matrix.WINDOWS.RUNNER }}
strategy:
fail-fast: false
matrix:
WINDOWS:
- {ARCH: 'arm64', WINDOWS: 'arm64', RUST_TRIPLE: 'aarch64-pc-windows-msvc', RUNNER: 'windows-11-arm'}
- {ARCH: 'x64', WINDOWS: 'win64', RUST_TRIPLE: 'x86_64-pc-windows-msvc', RUNNER: 'windows-latest'}
PYTHON:
# Build wheels with Python 3.14 using limited ABI for backward compatibility
- {VERSION: "3.14", "ABI_VERSION": "py311"} # Compatible with Python 3.11+
- {VERSION: "3.14t"} # Free-threaded Python, no limited ABI
name: "${{ matrix.PYTHON.VERSION }} ${{ matrix.WINDOWS.WINDOWS }} ${{ matrix.PYTHON.ABI_VERSION || 'no-abi' }}"
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Create directories for requirements
run: |
mkdir -p cryptography-repo/.github/requirements/
shell: bash
- name: Download requirements files
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
name: requirements-files
path: cryptography-repo/.github/requirements/
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
name: cryptography-sdist
- name: Setup Python ${{ matrix.PYTHON.VERSION }}-${{ matrix.WINDOWS.ARCH }} via PyManager
shell: pwsh
run: |
winget install Python.PythonInstallManager --source winget --accept-package-agreements --accept-source-agreements
if ($LASTEXITCODE -ne 0) { throw "Failed to install PyManager" }
$env:Path = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path", "User")
$pyVersion = "${{ matrix.PYTHON.VERSION }}"
if ("${{ matrix.WINDOWS.ARCH }}" -ne "x64") {
$pyVersion += "-${{ matrix.WINDOWS.ARCH }}"
}
pymanager install $pyVersion
if ($LASTEXITCODE -ne 0) { throw "Failed to install Python $pyVersion" }
# Resolve installed Python path and expose for all subsequent steps
$pythonExe = pymanager exec -V:$pyVersion -c "import sys; print(sys.executable)"
if ($LASTEXITCODE -ne 0) { throw "Failed to resolve Python path" }
$pythonExe = $pythonExe.Trim()
$pythonDir = Split-Path $pythonExe
$scriptsDir = Join-Path $pythonDir "Scripts"
echo "Python executable: $pythonExe"
echo "Python directory: $pythonDir"
echo "$pythonDir" >> $env:GITHUB_PATH
echo "$scriptsDir" >> $env:GITHUB_PATH
echo "UV_PYTHON=$pythonExe" >> $env:GITHUB_ENV
- uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b
with:
toolchain: stable
target: ${{ matrix.WINDOWS.RUST_TRIPLE }}
- uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
with:
repo: pyca/infra
workflow: build-windows-openssl.yml
branch: main
workflow_conclusion: success
name: "openssl-${{ matrix.WINDOWS.WINDOWS }}"
path: "C:/openssl-${{ matrix.WINDOWS.WINDOWS }}/"
github_token: ${{ secrets.GITHUB_TOKEN }}
- name: Configure OpenSSL
run: |
echo "OPENSSL_DIR=C:/openssl-${{ matrix.WINDOWS.WINDOWS }}" >> $GITHUB_ENV
echo "OPENSSL_STATIC=1" >> $GITHUB_ENV
shell: bash
- run: |
# Verify requirements files exist before using them
ls -la ${UV_REQUIREMENTS_PATH}
python -m pip install -r "${UV_REQUIREMENTS_PATH}"
shell: bash
- run: mkdir wheelhouse
- run: |
if [ -n "${{ matrix.PYTHON.ABI_VERSION }}" ]; then
PY_LIMITED_API="--config-settings=build-args=--features=pyo3/abi3-${{ matrix.PYTHON.ABI_VERSION }}"
fi
uv build --wheel --require-hashes --build-constraint=$BUILD_REQUIREMENTS_PATH cryptography*.tar.gz $PY_LIMITED_API -o wheelhouse/
shell: bash
- run: uv venv
- run: uv pip install --require-hashes -r "${BUILD_REQUIREMENTS_PATH}"
shell: bash
- run: uv pip install cryptography --no-index -f wheelhouse/
- name: Print the OpenSSL we built and linked against
run: |
echo "from cryptography.hazmat.backends.openssl.backend import backend;print('Loaded: ' + backend.openssl_version_text());print('Linked Against: ' + backend._ffi.string(backend._lib.OPENSSL_VERSION_TEXT).decode('ascii'))" | uv run -
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "cryptography-${{ needs.sdist.outputs.commit_sha }}-${{ matrix.WINDOWS.WINDOWS }}-${{ matrix.PYTHON.VERSION }}-${{ matrix.PYTHON.ABI_VERSION || 'no-abi' }}"
path: wheelhouse\
cleanup:
needs: [windows]
runs-on: ubuntu-latest
if: always()
steps:
- name: Delete intermediate artifacts
uses: geekyeggo/delete-artifact@v5
with:
name: |
cryptography-sdist
requirements-files
vectors-sdist-wheel
failOnError: false