HongChuang/ultralytics-ascend
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

ultralytics 8.3.48 split PyPI publish jobs for security (#18111)

Browse source 
Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com>
This commit is contained in:
Glenn Jocher 2024-12-08 18:49:15 +01:00 committed by GitHub
parent de1af2b560
commit e0f8eda366
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 70 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

116
.github/workflows/publish.yml vendored
View file

@ -13,32 +13,23 @@ on:
description: Publish to PyPI description: Publish to PyPI
jobs: jobs:
publish: check:
if: github.repository == 'ultralytics/ultralytics' && github.actor == 'glenn-jocher' if: github.repository == 'ultralytics/ultralytics' && github.actor == 'glenn-jocher'
name: Publish
runs-on: ubuntu-latest runs-on: ubuntu-latest
environment: # for GitHub Deployments tab
name: Release - PyPI
url: https://pypi.org/p/ultralytics
permissions: permissions:
id-token: write # for PyPI trusted publishing contents: write
outputs:
increment: ${{ steps.check_pypi.outputs.increment }}
current_tag: ${{ steps.check_pypi.outputs.current_tag }}
previous_tag: ${{ steps.check_pypi.outputs.previous_tag }}
steps: steps:
- name: Checkout code - uses: actions/checkout@v4
uses: actions/checkout@v4 - uses: actions/setup-python@v5
with:
token: ${{ secrets._GITHUB_TOKEN }}
- name: Git config
run: |
git config --global user.name "UltralyticsAssistant"
git config --global user.email "web@ultralytics.com"
- name: Set up Python environment
uses: actions/setup-python@v5
with: with:
python-version: "3.x" python-version: "3.x"
- uses: astral-sh/setup-uv@v4 - uses: astral-sh/setup-uv@v4
- name: Install dependencies - run: uv pip install --system --no-cache ultralytics-actions
run: uv pip install --system --no-cache ultralytics-actions build twine toml - id: check_pypi
- name: Check PyPI version
shell: python shell: python
run: | run: |
import os import os
@ -49,30 +40,63 @@ jobs:
os.system(f'echo "previous_tag=v{online_version}" >> $GITHUB_OUTPUT') os.system(f'echo "previous_tag=v{online_version}" >> $GITHUB_OUTPUT')
if publish: if publish:
print('Ready to publish new version to PyPI ✅.') print('Ready to publish new version to PyPI ✅.')
id: check_pypi - name: Tag and Release
- name: Build package if: steps.check_pypi.outputs.increment == 'True'
if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
run: python -m build
- name: Publish to PyPI
continue-on-error: true
if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
uses: pypa/gh-action-pypi-publish@release/v1
- name: Publish new tag
continue-on-error: true
if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
run: |
git tag -a "${{ steps.check_pypi.outputs.current_tag }}" -m "$(git log -1 --pretty=%B)" # i.e. "v0.1.2 commit message"
git push origin "${{ steps.check_pypi.outputs.current_tag }}"
- name: Publish new release
continue-on-error: true
if: (github.event_name == 'push' || github.event.inputs.pypi == 'true') && steps.check_pypi.outputs.increment == 'True'
env: env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets._GITHUB_TOKEN }}
CURRENT_TAG: ${{ steps.check_pypi.outputs.current_tag }} CURRENT_TAG: ${{ steps.check_pypi.outputs.current_tag }}
PREVIOUS_TAG: ${{ steps.check_pypi.outputs.previous_tag }} PREVIOUS_TAG: ${{ steps.check_pypi.outputs.previous_tag }}
run: ultralytics-actions-summarize-release OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
shell: bash run: |
git config --global user.name "UltralyticsAssistant"
git config --global user.email "web@ultralytics.com"
git tag -a "$CURRENT_TAG" -m "$(git log -1 --pretty=%B)"
git push origin "$CURRENT_TAG"
ultralytics-actions-summarize-release
uv cache prune --ci
build:
needs: check
if: needs.check.outputs.increment == 'True'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.x"
- uses: astral-sh/setup-uv@v4
- run: uv pip install --system --no-cache build
- run: python -m build
- uses: actions/upload-artifact@v4
with:
name: dist
path: dist/
- run: uv cache prune --ci
publish:
needs: [check, build]
if: needs.check.outputs.increment == 'True'
runs-on: ubuntu-latest
environment: # for GitHub Deployments tab
name: Release - PyPI
url: https://pypi.org/p/ultralytics
permissions:
id-token: write # for PyPI trusted publishing
steps:
- uses: actions/download-artifact@v4
with:
name: dist
path: dist/
- uses: pypa/gh-action-pypi-publish@release/v1
notify:
needs: [check, publish]
if: always() && needs.check.outputs.increment == 'True'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Extract PR Details - name: Extract PR Details
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@ -82,18 +106,16 @@ jobs:
PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title') PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title')
echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}" echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
echo "PR_TITLE=${PR_TITLE}" >> "${GITHUB_ENV}" echo "PR_TITLE=${PR_TITLE}" >> "${GITHUB_ENV}"
- name: Prune uv Cache - name: Notify Success
run: uv cache prune --ci if: needs.publish.result == 'success' && github.event_name == 'push'
- name: Notify on Slack (Success)
if: success() && github.event_name == 'push' && steps.check_pypi.outputs.increment == 'True'
uses: slackapi/slack-github-action@v2.0.0 uses: slackapi/slack-github-action@v2.0.0
with: with:
webhook-type: incoming-webhook webhook-type: incoming-webhook
webhook: ${{ secrets.SLACK_WEBHOOK_URL_YOLO }} webhook: ${{ secrets.SLACK_WEBHOOK_URL_YOLO }}
payload: | payload: |
text: "<!channel> GitHub Actions success for ${{ github.workflow }} ✅\n\n\n*Repository:* https://github.com/${{ github.repository }}\n*Action:* https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Author:* ${{ github.actor }}\n*Event:* NEW `${{ github.repository }} ${{ steps.check_pypi.outputs.current_tag }}` pip package published 😃\n*Job Status:* ${{ job.status }}\n*Pull Request:* <https://github.com/${{ github.repository }}/pull/${{ env.PR_NUMBER }}> ${{ env.PR_TITLE }}\n" text: "<!channel> GitHub Actions success for ${{ github.workflow }} ✅\n\n\n*Repository:* https://github.com/${{ github.repository }}\n*Action:* https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\n*Author:* ${{ github.actor }}\n*Event:* NEW `${{ github.repository }} ${{ needs.check.outputs.current_tag }}` pip package published 😃\n*Job Status:* ${{ job.status }}\n*Pull Request:* <https://github.com/${{ github.repository }}/pull/${{ env.PR_NUMBER }}> ${{ env.PR_TITLE }}\n"
- name: Notify on Slack (Failure) - name: Notify Failure
if: failure() if: needs.publish.result != 'success'
uses: slackapi/slack-github-action@v2.0.0 uses: slackapi/slack-github-action@v2.0.0
with: with:
webhook-type: incoming-webhook webhook-type: incoming-webhook

2
ultralytics/__init__.py
View file

@ -1,6 +1,6 @@
# Ultralytics YOLO 🚀, AGPL-3.0 license # Ultralytics YOLO 🚀, AGPL-3.0 license
__version__ = "8.3.47" __version__ = "8.3.48"
import os import os