Add component governance manifest for WebGPU EP#28599
Open
adrastogi wants to merge 1 commit into
Open
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Comment on lines
+110
to
+112
| raise ValueError( | ||
| f"Dawn manifest commit {git['commitHash']} does not match {DEPS_TXT} commit {expected_commit}" | ||
| ) |
Contributor
There was a problem hiding this comment.
Suggested change
| raise ValueError( | |
| f"Dawn manifest commit {git['commitHash']} does not match {DEPS_TXT} commit {expected_commit}" | |
| ) | |
| raise ValueError(f"Dawn manifest commit {git['commitHash']} does not match {DEPS_TXT} commit {expected_commit}") |
| from pathlib import Path | ||
| from typing import Any | ||
|
|
||
|
|
Contributor
There was a problem hiding this comment.
Suggested change
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -0,0 +1,168 @@ | |||
| #!/usr/bin/env python3 | |||
| @@ -0,0 +1,168 @@ | |||
| #!/usr/bin/env python3 | |||
|
|
||
| """Validate WebGPU Component Governance manifest drift.""" | ||
|
|
||
| from __future__ import annotations |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a WebGPU-scoped Component Governance manifest and supporting tooling/docs so WebGPU packaging pipelines can generate accurate third-party notices for Dawn/DXC and Dawn-derived dependencies without treating them as global ORT deps.
Changes:
- Added
cgmanifests/webgpu/cgmanifest.jsoncapturing Dawn, DXC, and Dawn DEPS-derived git dependencies with classification metadata. - Added documentation describing the manifest scope, dependency classification policy, and update workflow.
- Added a Python validator to detect drift between the manifest and the pinned Dawn commit (
cmake/deps.txt) and DXC release (plugin-win-webgpu-stage.yml).
Show a summary per file
| File | Description |
|---|---|
| tools/python/validate_webgpu_cgmanifest.py | Adds a drift-check script for Dawn commit + DXC release pins referenced by WebGPU builds. |
| cgmanifests/webgpu/README.md | Documents scope, classification policy, and maintenance steps for the WebGPU manifest. |
| cgmanifests/webgpu/cgmanifest.json | New WebGPU-specific dependency inventory (Dawn root + DEPS graph + DXC release metadata). |
| cgmanifests/README.md | Notes the existence/scope of the WebGPU-specific manifest. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 4/4 changed files
- Comments generated: 4
| See [here](https://docs.opensource.microsoft.com/tools/cg/cgmanifest.html) for details. No newline at end of file | ||
| See [here](https://docs.opensource.microsoft.com/tools/cg/cgmanifest.html) for details. | ||
|
|
||
| The WebGPU-specific manifest is in `webgpu\cgmanifest.json`. It is scoped to builds that enable the WebGPU |
Comment on lines
+28
to
+32
| 1. Update the Dawn registration to match the `dawn` entry in `cmake\deps.txt`. | ||
| 2. Re-audit the pinned upstream Dawn `DEPS` file and update Dawn-derived registrations, comments, and | ||
| `dependencyRoots`. | ||
| 3. If the Windows WebGPU plugin pipeline changes the downloaded DXC release, update the DirectXShaderCompiler release | ||
| registration to match `tools\ci_build\github\azure-pipelines\stages\plugin-win-webgpu-stage.yml`. |
edgchen1
reviewed
May 20, 2026
|
|
||
| 1. Update the Dawn registration to match the `dawn` entry in `cmake\deps.txt`. | ||
| 2. Re-audit the pinned upstream Dawn `DEPS` file and update Dawn-derived registrations, comments, and | ||
| `dependencyRoots`. |
Contributor
There was a problem hiding this comment.
is this a manual process or is it possible to script it? if it's manual, it would be good to have more detailed instructions on how to do this.
edgchen1
reviewed
May 20, 2026
| 1. Update the Dawn registration to match the `dawn` entry in `cmake\deps.txt`. | ||
| 2. Re-audit the pinned upstream Dawn `DEPS` file and update Dawn-derived registrations, comments, and | ||
| `dependencyRoots`. | ||
| 3. If the Windows WebGPU plugin pipeline changes the downloaded DXC release, update the DirectXShaderCompiler release |
Contributor
There was a problem hiding this comment.
why is the one we're downloading different from Dawn's DirectXShaderCompiler commit?
https://github.com/google/dawn/blob/ec7b457e5bb1fcec6f59733c4f3dd84d2f885a38/DEPS#L373
@guschmue do you know?
edgchen1
reviewed
May 20, 2026
| See [here](https://docs.opensource.microsoft.com/tools/cg/cgmanifest.html) for details. | ||
|
|
||
| The WebGPU-specific manifest is in `webgpu\cgmanifest.json`. It is scoped to builds that enable the WebGPU | ||
| Execution Provider and should be selected explicitly by WebGPU packaging or NOTICE-generation pipelines. |
Contributor
There was a problem hiding this comment.
is there a way to configure this scoping? IIRC, all the cgmanifest.json files were picked up by default.
edgchen1
reviewed
May 20, 2026
| @@ -0,0 +1,168 @@ | |||
| #!/usr/bin/env python3 | |||
Contributor
There was a problem hiding this comment.
perhaps we can put this helper script in the cgmanifests/webgpu directory. it's most relevant there
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Added a WebGPU-specific Component Governance manifest for Dawn and related dependencies.
Added documentation for the manifest scope, dependency classification, and maintenance steps. Added a validation script to catch Dawn and DXC pin drift.
Motivation and Context
WebGPU builds depend on Dawn and related components that are not part of vanilla ONNX Runtime builds.
Downstream WebGPU packaging needs ORT-owned metadata to generate complete third-party notices without maintaining a duplicate dependency inventory.