Skip to content

Commit

Permalink
Hashpin sensitive dependencies and configure dependabot to update the…
Browse files Browse the repository at this point in the history 
…m automatically (#75859)

Closes #75620 

As I mentioned on the issue, this PR aims to hash-pin the CI
dependencies used on sensitive context -- i.e., they either are called
with write permissions, or are being used to build critical artifacts
like a release. In summary, this PR brings 3 changes:

1. Hash pin GitHub Actions called on sensitive context
2. Hash pin python dependencies used on sensitive context
3. Configure dependabot to automatically update those hashes
I'm further explaining the steps bellow.

The dependencies in format of GitHub Actions, I simply hash-pinned them.
I also made sure to keep the human-readable version as comments at the
same line.

At the
[release-tasks.yml](https://github.com/llvm/llvm-project/blob/main/.github/workflows/release-tasks.yml)
file, I've changed the installation method of some python dependencies
to install them considering their hashpinning. That required the
generation of a requirements file that had all the correct hashes, and
for that I used [pip-tools](https://pypi.org/project/pip-tools/2.0.0/).

While configuring dependabot, I set it to send a monthly PR updating all
the GitHub Actions, and a weekly PR to update any python dependency
required by
[/llvm/docs/requirements.txt](https://github.com/llvm/llvm-project/blob/main/llvm/docs/requirements.txt).

Let me know if you have any questions or concerns, I'd be happy to
clarify and help.

Thanks!

---------

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
  • Loading branch information
@diogoteles08
diogoteles08 authored Jan 15, 2024
1 parent 9fdd25e commit f3524e9
Show file tree
Hide file tree
Showing 4 changed files with 398 additions and 14 deletions.
18 changes: 18 additions & 0 deletions .github/dependabot.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
groups:
github-actions:
patterns:
- "*"
- package-ecosystem: "pip"
directory: "/llvm/docs"
schedule:
interval: "monthly"
groups:
llvm-docs-requirements:
patterns:
- "*"
12 changes: 6 additions & 6 deletions .github/workflows/release-binaries.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:

steps:
- name: Checkout LLVM
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Validate and parse tag
id: validate-tag
Expand Down Expand Up @@ -77,15 +77,15 @@ jobs:
- ubuntu-22.04
steps:
- name: Checkout LLVM
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.prepare.outputs.ref }}

- name: Install Ninja
uses: llvm/actions/install-ninja@main
uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main

- name: Setup sccache
uses: hendrikmuhs/ccache-action@v1
uses: hendrikmuhs/ccache-action@ca3acd2731eef11f1572ccb126356c2f9298d35e # v1.2.9
with:
max-size: 250M
key: sccache-${{ matrix.os }}-release
Expand Down Expand Up @@ -119,13 +119,13 @@ jobs:
steps:
- name: Checkout LLVM
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ needs.prepare.outputs.ref }}
path: ${{ needs.prepare.outputs.build-dir }}/llvm-project

- name: Setup sccache
uses: hendrikmuhs/ccache-action@v1
uses: hendrikmuhs/ccache-action@ca3acd2731eef11f1572ccb126356c2f9298d35e # v1.2.9
with:
max-size: 250M
key: sccache-${{ matrix.target.os }}-release
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/release-tasks.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
echo "release-version=$release_version" >> "$GITHUB_OUTPUT"
- name: Checkout LLVM
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install Dependencies
run: |
Expand All @@ -36,7 +36,7 @@ jobs:
python3-github \
ninja-build \
texlive-font-utils
pip3 install --user -r ./llvm/docs/requirements.txt
pip3 install --user --require-hashes -r ./llvm/docs/requirements-hashed.txt
- name: Create Release
run: |
Expand All @@ -48,14 +48,14 @@ jobs:
./llvm/utils/release/github-upload-release.py --token ${{ github.token }} --release ${{ steps.validate-tag.outputs.release-version }} upload --files ./*doxygen*.tar.xz
- name: Create Release Notes Artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: release-notes
path: docs-build/html-export/

- name: Clone www-releases
if: ${{ !contains(steps.validate-tag.outputs.release-version, 'rc') }}
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: ${{ github.repository_owner }}/www-releases
ref: main
Expand All @@ -79,10 +79,10 @@ jobs:
if: github.repository == 'llvm/llvm-project'
steps:
- name: Checkout LLVM
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Setup Cpp
uses: aminya/setup-cpp@v1
uses: aminya/setup-cpp@6e563b8e5f796db317104d19605a414345807897 # v1
with:
compiler: llvm-16.0.6
cmake: true
Expand All @@ -108,14 +108,14 @@ jobs:
python3 setup.py sdist
- name: Upload lit to test.pypi.org
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # release/v1
with:
password: ${{ secrets.LLVM_LIT_TEST_PYPI_API_TOKEN }}
repository-url: https://test.pypi.org/legacy/
packages-dir: llvm/utils/lit/dist/

- name: Upload lit to pypi.org
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # release/v1
with:
password: ${{ secrets.LLVM_LIT_PYPI_API_TOKEN }}
packages-dir: llvm/utils/lit/dist/
Loading

0 comments on commit f3524e9

Please sign in to comment.