ci: update Cargo Artifactory publishing config (#68) #3
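# SPDX-FileCopyrightText: Copyright (c) 2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

name: Build pull request

# Runs on pushes to the mirrored pull-request branches, to main, to release branches and on
# every pushed tag. Tag names are checked by the "Validate release tag format" step in the
# `prepare` job before anything is published.
on:
  push:
    branches:
      - 'pull-request/**'
      - 'main'
      - 'release/**'
    tags:
      - '*'

# This allows a subsequently queued workflow run to interrupt previous runs
# The group is keyed on the ref, so this also applies to tag runs: pushing the same tag again
# cancels a run for that tag that is still in progress.
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event_name }} @ ${{ github.head_ref || github.ref }}'
  cancel-in-progress: true

# Default-deny for GITHUB_TOKEN. Every job in this workflow declares the scopes it needs, so
# this only affects a job that is added later without its own `permissions:` block: it gets
# no token scopes instead of the repository default.
permissions: {}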
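jobs:
  # Gate for non-tag runs: hands the results of `prepare` and `ci_required` to the shared
  # pr-builder workflow. Skipped when publish_docs is 'true', which `prepare` sets only for tags.
  pr-builder:
    needs:
      - prepare
      - ci_required
    if: >-
      ${{
        always()
        && !cancelled()
        && needs.prepare.result == 'success'
        && needs.ci_required.result == 'success'
        && needs.prepare.outputs.publish_docs != 'true'
      }}
    permissions:
      contents: read
    # Third-party reusable workflow pinned to a full commit SHA; the trailing comment records
    # the ref the SHA was taken from.
    uses: rapidsai/shared-workflows/.github/workflows/pr-builder.yaml@4866bb5437e913caf5bf775f57c91abd144ed391 # main
    with:
      needs: ${{ toJSON(needs) }}

  prepare:
    # Executes the get-pr-info action to determine if the PR has the skip-ci label, if the action fails we assume the
    # PR does not have the label
    # NOTE(review): the step below has no `continue-on-error`, so a failure of get-pr-info fails
    # this job rather than falling through to "no label" - confirm which behaviour is intended.
    name: Prepare
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
    steps:
      - name: Get PR Info
        id: get-pr-info
        uses: nv-gha-runners/get-pr-info@090577647b8ddc4e06e809e264f7881650ecdccf # main
        if: ${{ startsWith(github.ref_name, 'pull-request/') }}
      - name: Validate release tag format
        if: ${{ github.ref_type == 'tag' }}
        env:
          # Pass the ref through the environment instead of expanding it inside the script.
          # `${{ }}` is substituted into the script text before bash runs, so a tag name that
          # contains shell syntax would be executed instead of being validated.
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -e
          tag="$REF_NAME"
          if [[ "$tag" == v* ]]; then
            echo "Error: release tags must not start with 'v'; use raw SemVer such as 0.1.0 or 0.1.0-rc.1" >&2
            exit 1
          fi
          # Only MAJOR.MINOR.PATCH with an optional -alpha.N / -beta.N / -rc.N suffix is accepted.
          # The publish jobs reuse the tag name as the package version, so this is the one place
          # where its character set is constrained.
          if [[ ! "$tag" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-((alpha|beta|rc)\.[0-9]+))?$ ]]; then
            echo "Error: unsupported release tag format '$tag'; use 0.1.0 or prereleases like 0.1.0-rc.1" >&2
            exit 1
          fi
      - name: Derive workflow policy
        id: policy
        env:
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
          REF_TYPE: ${{ github.ref_type }}
        run: |
          set -euo pipefail
          full_ci=false
          publish_docs=false
          publish_packages=false
          # Full CI on tags and on the default branch.
          if [[ "$REF_TYPE" == "tag" || "$REF_NAME" == "$DEFAULT_BRANCH" ]]; then
            full_ci=true
          fi
          # Docs are published for every tag.
          if [[ "$REF_TYPE" == "tag" ]]; then
            publish_docs=true
          fi
          # Packages are published for every tag except -alpha.N prereleases.
          if [[ "$REF_TYPE" == "tag" && ! "$REF_NAME" =~ -alpha\.[0-9]+$ ]]; then
            publish_packages=true
          fi
          {
            printf 'full_ci=%s\n' "$full_ci"
            printf 'publish_docs=%s\n' "$publish_docs"
            printf 'publish_packages=%s\n' "$publish_packages"
          } >> "$GITHUB_OUTPUT"
    outputs:
      full_ci: ${{ steps.policy.outputs.full_ci }}
      is_pr: ${{ startsWith(github.ref_name, 'pull-request/') }}
      is_main_branch: ${{ github.ref_name == 'main' }}
      # false whenever get-pr-info did not succeed, which includes runs where it was skipped
      has_skip_ci_label: ${{ steps.get-pr-info.outcome == 'success' && contains(fromJSON(steps.get-pr-info.outputs.pr-info).labels.*.name, 'skip-ci') || false }}
      publish_docs: ${{ steps.policy.outputs.publish_docs }}
      publish_packages: ${{ steps.policy.outputs.publish_packages }}
      pr_info: ${{ steps.get-pr-info.outcome == 'success' && steps.get-pr-info.outputs.pr-info || '' }}

  ci_changes:
    name: Changes
    needs: [prepare]
    uses: ./.github/workflows/ci_changes.yml
    if: ${{ ! fromJSON(needs.prepare.outputs.has_skip_ci_label) }}
    permissions:
      contents: read
    with:
      # Info about the PR. Empty for non PR branches. Useful for extracting PR number, title, etc.
      pr_info: ${{ needs.prepare.outputs.pr_info }}
      full_ci: ${{ needs.prepare.outputs.full_ci == 'true' }}
      ref_name: ${{ github.ref_name }}
      default_branch: ${{ github.event.repository.default_branch }}

  ci_check:
    name: Check
    needs: [prepare, ci_changes]
    uses: ./.github/workflows/ci_check.yml
    if: ${{ needs.ci_changes.result == 'success' }}
    permissions:
      contents: read
    with:
      full_ci: ${{ needs.prepare.outputs.full_ci == 'true' }}
      base: ${{ needs.ci_changes.outputs.base }}

  ci_docs:
    name: Documentation
    needs: [prepare, ci_changes, ci_check]
    uses: ./.github/workflows/ci_docs.yml
    if: >-
      ${{
        !cancelled()
        && needs.ci_changes.result == 'success'
        && needs.ci_check.result == 'success'
        && needs.ci_changes.outputs.run_docs == 'true'
      }}
    permissions:
      contents: read
    with:
      ref_type: ${{ github.ref_type }}
      ref_name: ${{ github.ref_name }}
      publish_docs: ${{ needs.prepare.outputs.publish_docs == 'true' }}

  # The language jobs below each run only when ci_changes reports that area as affected.
  # CODECOV_TOKEN is handed over by name; no other secret is passed to the called workflows.
  ci_rust:
    name: Rust
    needs: [prepare, ci_changes, ci_check]
    uses: ./.github/workflows/ci_rust.yml
    if: ${{ needs.ci_check.result == 'success' && needs.ci_changes.outputs.run_rust == 'true' }}
    permissions:
      contents: read
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  ci_go:
    name: Go
    needs: [prepare, ci_changes, ci_check]
    uses: ./.github/workflows/ci_go.yml
    if: ${{ needs.ci_check.result == 'success' && needs.ci_changes.outputs.run_go == 'true' }}
    permissions:
      contents: read
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

  ci_node:
    name: Node.js
    needs: [prepare, ci_changes, ci_check]
    uses: ./.github/workflows/ci_node.yml
    if: ${{ needs.ci_check.result == 'success' && needs.ci_changes.outputs.run_node == 'true' }}
    permissions:
      contents: read
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    with:
      ref_type: ${{ github.ref_type }}
      ref_name: ${{ github.ref_name }}

  ci_python:
    name: Python
    needs: [prepare, ci_changes, ci_check]
    uses: ./.github/workflows/ci_python.yml
    if: ${{ needs.ci_check.result == 'success' && needs.ci_changes.outputs.run_python == 'true' }}
    permissions:
      contents: read
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    with:
      ref_type: ${{ github.ref_type }}
      ref_name: ${{ github.ref_name }}

  ci_wasm:
    name: WebAssembly
    needs: [prepare, ci_changes, ci_check]
    uses: ./.github/workflows/ci_wasm.yml
    if: ${{ needs.ci_check.result == 'success' && needs.ci_changes.outputs.run_wasm == 'true' }}
    permissions:
      contents: read
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    with:
      ref_type: ${{ github.ref_type }}
      ref_name: ${{ github.ref_name }}

  # Single required status for the pipeline. It runs even when upstream jobs were skipped or
  # failed (always() && !cancelled()) and turns their results into one pass/fail decision.
  # Every deploy and publish job depends on this job succeeding.
  ci_required:
    name: CI Pipeline
    needs:
      - prepare
      - ci_changes
      - ci_check
      - ci_docs
      - ci_rust
      - ci_go
      - ci_node
      - ci_python
      - ci_wasm
    if: ${{ always() && !cancelled() && needs.prepare.result == 'success' && ! fromJSON(needs.prepare.outputs.has_skip_ci_label) }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Verify required CI jobs
        env:
          CHANGES_RESULT: ${{ needs.ci_changes.result }}
          CHECK_RESULT: ${{ needs.ci_check.result }}
          DOCS_RESULT: ${{ needs.ci_docs.result }}
          RUST_RESULT: ${{ needs.ci_rust.result }}
          GO_RESULT: ${{ needs.ci_go.result }}
          NODE_RESULT: ${{ needs.ci_node.result }}
          PYTHON_RESULT: ${{ needs.ci_python.result }}
          WEBASSEMBLY_RESULT: ${{ needs.ci_wasm.result }}
          publish_docs: ${{ needs.prepare.outputs.publish_docs }}
          publish_packages: ${{ needs.prepare.outputs.publish_packages }}
        run: |
          set -euo pipefail
          failed=false
          # Records a failure unless the job result is exactly "success".
          require_success() {
            local name="$1"
            local result="$2"
            if [[ "$result" != "success" ]]; then
              echo "Error: ${name} finished with result '${result}', expected success" >&2
              failed=true
            fi
          }
          # Records a failure unless the job result is "success" or "skipped".
          allow_success_or_skipped() {
            local name="$1"
            local result="$2"
            if [[ "$result" != "success" && "$result" != "skipped" ]]; then
              echo "Error: ${name} finished with result '${result}', expected success or skipped" >&2
              failed=true
            fi
          }
          require_success "Changes" "$CHANGES_RESULT"
          require_success "Check" "$CHECK_RESULT"
          # A skipped job is acceptable only when nothing will be published from it.
          if [[ "$publish_docs" == "true" ]]; then
            require_success "Documentation" "$DOCS_RESULT"
          else
            allow_success_or_skipped "Documentation" "$DOCS_RESULT"
          fi
          if [[ "$publish_packages" == "true" ]]; then
            require_success "Rust" "$RUST_RESULT"
            require_success "Node.js" "$NODE_RESULT"
            require_success "Python" "$PYTHON_RESULT"
            require_success "WebAssembly" "$WEBASSEMBLY_RESULT"
          else
            allow_success_or_skipped "Rust" "$RUST_RESULT"
            allow_success_or_skipped "Node.js" "$NODE_RESULT"
            allow_success_or_skipped "Python" "$PYTHON_RESULT"
            allow_success_or_skipped "WebAssembly" "$WEBASSEMBLY_RESULT"
          fi
          # Go may be skipped even on a release; this workflow has no Go publish job.
          allow_success_or_skipped "Go" "$GO_RESULT"
          if [[ "$failed" == "true" ]]; then
            exit 1
          fi

  deploy-docs:
    name: Deploy Documentation
    needs: [prepare, ci_required]
    if: ${{ needs.prepare.outputs.publish_docs == 'true' && needs.ci_required.result == 'success' }}
    runs-on: ubuntu-latest
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - name: Deploy GitHub Pages Site
        id: deployment
        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5

  # The three publish jobs share one shape: they run only when publish_packages is 'true' and
  # ci_required succeeded, they request `id-token: write` for OIDC-based registry
  # authentication, and each is bound to its own deployment environment.
  publish-rust:
    name: Publish (crates.io)
    needs: [prepare, ci_required]
    if: ${{ needs.prepare.outputs.publish_packages == 'true' && needs.ci_required.result == 'success' }}
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    environment: crates.io
    steps:
      # NOTE(review): consider `persist-credentials: false` here; no later step in this job
      # appears to need the checkout token - confirm against `just set-version`.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Load CI tool versions
        id: ci-config
        uses: ./.github/actions/load-ci-tool-versions
      - uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
        with:
          cache: false
          toolchain: ${{ steps.ci-config.outputs.rust_version }}
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
        with:
          version: ${{ steps.ci-config.outputs.uv_version }}
          enable-cache: true
          cache-dependency-glob: ${{ github.workspace }}/uv.lock
      - name: Install managed Python
        run: |
          set -e
          UV_PYTHON_DOWNLOADS=manual uv python install --managed-python ${{ steps.ci-config.outputs.default_python_version }}
      - uses: taiki-e/install-action@5939f3337e40968c39aa70f5ecb1417a92fb25a0 # v2.75.15
        with:
          tool: just@${{ steps.ci-config.outputs.just_version }}
      - name: Set project release version
        working-directory: ${{ github.workspace }}
        env:
          # The tag name reaches the shell as data, not as script text. This job holds
          # `id-token: write`, so it should not depend on the validation done in `prepare`.
          REF_NAME: ${{ github.ref_name }}
        run: just set-version "$REF_NAME"
      - name: Authenticate to crates.io with trusted publishing
        id: crates-io-auth
        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4
      - name: Publish to crates.io with trusted publishing
        working-directory: ${{ github.workspace }}
        env:
          # Token issued by the auth step above; no long-lived registry secret is referenced.
          CARGO_REGISTRY_TOKEN: ${{ steps.crates-io-auth.outputs.token }}
        run: |
          set -euo pipefail
          # --allow-dirty permits uncommitted changes in the checkout (presumably the version
          # rewrite done by `just set-version` - confirm). --no-verify skips cargo's pre-upload
          # build of the packaged crate, so the release relies on ci_rust having passed, which
          # ci_required enforces when publish_packages is true.
          for package in nemo-flow nemo-flow-adaptive nemo-flow-ffi; do
            cargo publish --package "$package" --no-verify --allow-dirty
          done

  publish-python:
    name: Publish (PyPI)
    needs: [prepare, ci_required]
    if: ${{ needs.prepare.outputs.publish_packages == 'true' && needs.ci_required.result == 'success' }}
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    environment: pypi
    steps:
      # No run-id is given, so the wheels come from artifacts uploaded earlier in this run.
      - name: Download wheel artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: wheel-*
          merge-multiple: true
          path: dist/
      - name: Publish to PyPI with trusted publishing
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0

  publish-npm:
    name: Publish (npm)
    needs: [prepare, ci_required]
    if: ${{ needs.prepare.outputs.publish_packages == 'true' && needs.ci_required.result == 'success' }}
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    environment: npm
    steps:
      # NOTE(review): consider `persist-credentials: false` here; no later step in this job
      # appears to need the checkout token.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Load CI tool versions
        id: ci-config
        uses: ./.github/actions/load-ci-tool-versions
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: ${{ steps.ci-config.outputs.node_version }}
          registry-url: "https://registry.npmjs.org"
      - name: Download consolidated Node package artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: npm-consolidated
          path: .
      - name: Download WebAssembly artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: wasm-bundler
          path: wasm-package/
      - name: Select npm dist-tag
        env:
          # Read the tag name from the environment rather than expanding `${{ }}` in the script.
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -e
          # Prerelease tags publish under "next" so that "latest" keeps pointing at a stable release.
          npm_tag="latest"
          if [[ "$REF_NAME" =~ -(alpha|beta|rc)\.[0-9]+$ ]]; then
            npm_tag="next"
          fi
          printf 'NEMO_FLOW_NPM_DIST_TAG=%s\n' "$npm_tag" >> "$GITHUB_ENV"
      - name: Publish Node.js package to npm
        run: |
          set -euo pipefail
          unzip -q ./consolidated.zip -d combined
          echo "Platform binaries included:"
          ls -la combined/package/*.node
          npm publish ./combined/package --access public --tag "${NEMO_FLOW_NPM_DIST_TAG}"
      - name: Publish WebAssembly package to npm
        run: |
          set -e
          for pkg in ./wasm-package/*.tgz; do
            echo "Publishing ${pkg}..."
            npm publish "${pkg}" --access public --tag "${NEMO_FLOW_NPM_DIST_TAG}"
          done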