workflows: Add a new job for packaging release sources #91834
This job uses the new artifact attestations: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

This will allow users to verify that the sources came from a specific workflow run in the llvm-project repository. Currently, this job does not automatically upload sources to the release page, but rather it attaches them to the workflow run as artifacts. The release manager is expected to download, verify, and sign the sources before uploading them to the release page. We may be able to automatically upload them in the future once we have a process for signing the binaries within the GitHub workflow. Technically, though, the binaries are being signed as part of the attestation process, but the only way to verify the signatures is using the gh command line tool, and I don't think it is best to rely on that, since the tool may not be easily available on all systems.
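As an added example (not part of this PR or of LLVM's release tooling), the offline consistency check a release manager could run on a downloaded tarball against the bundle that `actions/attest-build-provenance` writes to `bundle-path`: it confirms the tarball's SHA-256 is an attested subject and that the SLSA provenance names the llvm-project repository and this workflow file. The Sigstore/in-toto/SLSA field names are assumed from their published layouts, the sample bundle is constructed, and the Sigstore signature itself is not verified here (that still needs `gh attestation verify` or another Sigstore client).

```python
import base64
import hashlib
import json

# Field names follow the Sigstore bundle / in-toto / SLSA v1 layouts and are an
# assumption here; make_bundle() constructs an unsigned demo bundle for testing.
EXPECTED_REPO = "https://github.com/llvm/llvm-project"
EXPECTED_WORKFLOW = ".github/workflows/release-sources.yml"
IN_TOTO = "application/vnd.in-toto+json"
SLSA_V1 = "https://slsa.dev/provenance/v1"

def _statement(bundle):
    """Decode the in-toto statement carried in the bundle's DSSE envelope."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != IN_TOTO:
        raise ValueError("unexpected payloadType: " + env["payloadType"])
    return json.loads(base64.b64decode(env["payload"]))

def check_tarball(bundle, name, data):
    """Return problems found ([] = tarball digest and provenance fields agree).
    Signature verification is NOT done here; that needs gh or a Sigstore client."""
    stmt = _statement(bundle)
    problems = []
    digest = hashlib.sha256(data).hexdigest()
    subjects = {s["name"]: s["digest"]["sha256"] for s in stmt["subject"]}
    if subjects.get(name) != digest:
        problems.append(f"{name}: sha256 {digest} does not match the attested subject")
    if stmt.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    wf = stmt["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
    if wf.get("repository") != EXPECTED_REPO:
        problems.append(f"built from {wf.get('repository')!r}, not {EXPECTED_REPO}")
    if wf.get("path") != EXPECTED_WORKFLOW:
        problems.append(f"built by {wf.get('path')!r}, not {EXPECTED_WORKFLOW}")
    return problems

def make_bundle(subjects, repository=EXPECTED_REPO, path=EXPECTED_WORKFLOW):
    """Construct an unsigned bundle shaped like attest-build-provenance output."""
    stmt = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": n, "digest": {"sha256": hashlib.sha256(d).hexdigest()}}
                    for n, d in subjects.items()],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
            "repository": repository, "path": path, "ref": "refs/tags/llvmorg-X.Y.Z"}}}},
    }
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"dsseEnvelope": {"payloadType": IN_TOTO, "payload": payload,
                             "signatures": [{"sig": "<constructed placeholder>"}]}}
```

Run it on a real download by loading the JSON from `bundle-path` and passing the tarball bytes; an empty list means only that the bytes and the claimed provenance agree, not that the attestation is authentic.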
@llvm/pr-subscribers-github-workflow
Author: Tom Stellard (tstellar)
Full diff: https://github.com/llvm/llvm-project/pull/91834.diff
2 Files Affected:
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
new file mode 100644
index 0000000000000..0029078ccb7ee
--- /dev/null
+++ b/.github/workflows/release-sources.yml
@@ -0,0 +1,57 @@
+name: Release Sources
+
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ inputs:
+ release-version:
+ description: Release Version
+ required: true
+ type: string
+ workflow_call:
+ inputs:
+ release-version:
+ description: Release Version
+ required: true
+ type: string
+jobs:
+ release-sources:
+ name: Package Release Sources
+ if: github.repository_owner == 'llvm'
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ attestations: write
+ steps:
+ - name: Checkout LLVM
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ ref: llvmorg-${{ inputs.release-version }}
+ fetch-tags: true
+ - name: Install Dependencies
+ run: |
+ pip install -r ./llvm/utils/git/requirements.txt
+ - name: Check Permissions
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
+ run: |
+ ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user ${{ github.actor }} --user-token "$USER_TOKEN" check-permissions
+ - name: Create Tarballs
+ run: |
+ ./llvm/utils/release/export.sh -release "${{ inputs.release-version }}" -final
+ - name: Attest Build Provenance
+ id: provenance
+ uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+ with:
+ subject-path: "*.xz"
+ - name: Create Tarball Artifacts
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3
+ with:
+ path: |
+ *.xz
+ ${{ steps.provenance.outputs.bundle-path }}
+
+
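Review bot: In the `Check Permissions` and `Create Tarballs` steps, `${{ github.actor }}` and `${{ inputs.release-version }}` are expanded directly into the `run:` shell text; `release-version` is a free-form `workflow_dispatch` string input, so move both into `env:` (as `GITHUB_TOKEN` and `USER_TOKEN` already are) and reference them as quoted shell variables, e.g. `./llvm/utils/release/export.sh -release "$RELEASE_VERSION" -final`, so the values are never interpreted as script. Two smaller points: `pip install -r ./llvm/utils/git/requirements.txt` resolves packages at build time without hash pinning, so the provenance attests a build whose tooling is not fully determined by the checked-out tag, and the path `./llvm/utils/release/./github-upload-release.py` carries a stray `./` segment.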
diff --git a/.github/workflows/release-tasks.yml b/.github/workflows/release-tasks.yml
index 29049ff014288..b85a8144a9f18 100644
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@@ -85,3 +85,11 @@ jobs:
with:
release-version: ${{ needs.validate-tag.outputs.release-version }}
upload: true
+
+ release-sources:
+ name: Package Release Sources
+ needs:
+ - validate-tag
+ uses: ./.github/workflows/release-sources.yml
+ with:
+ release-version: ${{ needs.validate-tag.outputs.release-version }}
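Review bot: The new `release-sources` job calls the reusable workflow without a `secrets:` entry, but `release-sources.yml` reads `secrets.RELEASE_TASKS_USER_TOKEN` in its `Check Permissions` step and its `workflow_call` trigger declares no `secrets:`; when invoked from `release-tasks.yml`, `USER_TOKEN` will therefore be empty. Add `secrets: inherit` here, or declare the secret under `workflow_call.secrets` in the called workflow and pass it explicitly. Also confirm that the top-level `permissions` of `release-tasks.yml` (outside this hunk) grant `id-token: write` and `attestations: write`, since a called workflow cannot hold more permissions than its caller passes on.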
If I understand this correctly, this step will replace the export command I run locally to create the source packages? Instead I will download the sources from this WF, PGP sign them and then upload to the release?
@tru I've added some documentation explaining the process.
Hey @tstellar, awesome job working on this, it looks great! If you allow me to drop a small nitpick, I'd suggest that you install the Python dependencies for your build using the "secure install" features; that'd be a very similar change to what I did on #75859. Of course that's not necessary, but it would add an extra security layer to your release =)
One nit, overall LGTM.
LGTM
I've created a new PR for this here: #92305
LGTM.