Merge pull request #420 from solarwinds/NH-89339-add-rl-scans

NH-89339 Add RL scanning to PyPI/TestPyPI publishes

.github/workflows/build_aarch64.yaml

@@ -0,0 +1,38 @@
+# © 2024 SolarWinds Worldwide, LLC. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+name: Build aarch64
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        type: string
+        required: true
+        description: 'APM Python version, e.g. 2.1.0'
+    outputs:
+      artifact-name:
+        description: 'Name of zip archive of sdist and wheels'
+        value: ${{ jobs.build_aarch64.outputs.artifact-name }}
+
+jobs:
+  build_aarch64:
+    name: Build aarch64
+    runs-on:
+      group: apm-arm-runner
+    outputs:
+      artifact-name: scan-aarch64-${{ inputs.version }}.zip
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build aarch64
+        uses: ./.github/actions/package_solarwinds_apm_aarch64
+      - name: Package sdist and wheels for upload
+        run: zip -r scan-aarch64-${{ inputs.version }}.zip dist/*
+      - uses: actions/upload-artifact@v4
+        name: Upload zip for scan and publish
+        with:
+          name: scan-aarch64-${{ inputs.version }}.zip
+          path: scan-aarch64-${{ inputs.version }}.zip

.github/workflows/build_publish_pypi_and_draft_release.yaml

@@ -29,48 +29,77 @@ jobs:
     - name: Check version
       run: cd .github/scripts && ./is_publishable.sh ${{ github.event.inputs.version }}
 
-  build_publish_sdist_and_x86_64:
-    name: Build and publish sdist and x86_64
+  get_apm_python_version:
+    name: Get APM Python version
     needs: is_publishable
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: ./.github/actions/package_solarwinds_apm_x86_64
-    - name: Install Twine
-      run: pip install --upgrade --no-cache-dir --prefer-binary twine
-    - name: Check distribution artifacts
-      run: twine check dist/*
-    - name: Publish sdist and x86_64 wheels to PyPi
-      env:
-        TWINE_NON_INTERACTIVE: 1
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.SW_APM_PYPI_UPLOAD_TOKEN }}
-      run: twine upload dist/*
+    # Outputs SW_APM_VERSION
+    uses: ./.github/workflows/get_apm_python_version.yaml
 
-  build_publish_aarch64:
-    name: Build and publish aarch64
+  build_sdist_and_x86_64:
+    name: Build sdist and x86_64
+    needs: get_apm_python_version
+    # Outputs artifact-name
+    uses: ./.github/workflows/build_x86_64.yaml
+    with:
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+
+  scan_sdist_and_x86_64:
+    name: RL scan aarch64 build
     needs:
-      - is_publishable
-    runs-on:
-      group: apm-arm-runner
-    steps:
-      - uses: actions/checkout@v4
-      - name: Build aarch64
-        uses: ./.github/actions/package_solarwinds_apm_aarch64
-      - name: Install Twine
-        run: pip install --upgrade --no-cache-dir --prefer-binary twine
-      - name: Check distribution artifacts
-        run: twine check dist/*
-      - name: Publish aarch64 wheels to TestPyPi
-        env:
-          TWINE_NON_INTERACTIVE: 1
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.SW_APM_PYPI_UPLOAD_TOKEN }}
-        run: twine upload dist/*.whl
+      - get_apm_python_version
+      - build_sdist_and_x86_64
+    uses: ./.github/workflows/reversinglabs_scan.yaml
+    with:
+      artifact-name: ${{ needs.build_sdist_and_x86_64.outputs.artifact-name }}
+      package-name: apm-python-pypi-sdist-x86_64
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+    secrets: inherit
+
+  publish_sdist_and_x86_64:
+    name: Publish sdist and x86_64 to PyPI
+    needs:
+      - build_sdist_and_x86_64
+      - scan_sdist_and_x86_64
+    uses: ./.github/workflows/publish_x86_64.yaml
+    with:
+      artifact-name: ${{ needs.build_sdist_and_x86_64.outputs.artifact-name }}
+      repository-name: pypi
+    secrets: inherit
+
+  build_aarch64:
+    name: Build aarch64
+    needs: get_apm_python_version
+    # Outputs artifact-name
+    uses: ./.github/workflows/build_aarch64.yaml
+    with:
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+
+  scan_aarch64:
+    name: RL scan aarch64 build
+    needs:
+      - get_apm_python_version
+      - build_aarch64
+    uses: ./.github/workflows/reversinglabs_scan.yaml
+    with:
+      artifact-name: ${{ needs.build_aarch64.outputs.artifact-name }}
+      package-name: apm-python-pypi-aarch64
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+    secrets: inherit
+
+  publish_aarch64:
+    name: Publish aarch64 to PyPI
+    needs:
+      - build_aarch64
+      - scan_aarch64
+    uses: ./.github/workflows/publish_aarch64.yaml
+    with:
+      artifact-name: ${{ needs.build_aarch64.outputs.artifact-name }}
+      repository-name: pypi
+    secrets: inherit
 
   create_release:
     name: Create draft release
-    needs: [build_publish_sdist_and_x86_64, build_publish_aarch64]
+    needs: [publish_sdist_and_x86_64, publish_aarch64]
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/build_publish_testpypi.yaml

@@ -14,41 +14,69 @@ permissions:
   contents: read
 
 jobs:
-  build_publish_sdist_and_x86_64:
-    name: Build and publish sdist and x86_64
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - name: Build x86_64
-      uses: ./.github/actions/package_solarwinds_apm_x86_64
-    - name: Install Twine
-      run: pip install --upgrade --no-cache-dir --prefer-binary twine
-    - name: Check distribution artifacts
-      run: twine check dist/*
-    - name: Publish sdist and x86_64 wheels to TestPyPi
-      env:
-        TWINE_NON_INTERACTIVE: 1
-        TWINE_REPOSITORY: testpypi
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.SW_APM_TESTPYPI_UPLOAD_TOKEN }}
-      run: twine upload dist/*
-
-  build_publish_aarch64:
-    name: Build and publish aarch64
-    runs-on:
-      group: apm-arm-runner
-    steps:
-      - uses: actions/checkout@v4
-      - name: Build aarch64
-        uses: ./.github/actions/package_solarwinds_apm_aarch64
-      - name: Install Twine
-        run: pip install --upgrade --no-cache-dir --prefer-binary twine
-      - name: Check distribution artifacts
-        run: twine check dist/*
-      - name: Publish aarch64 wheels to TestPyPi
-        env:
-          TWINE_NON_INTERACTIVE: 1
-          TWINE_REPOSITORY: testpypi
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.SW_APM_TESTPYPI_UPLOAD_TOKEN }}
-        run: twine upload dist/*.whl
+  get_apm_python_version:
+    name: Get APM Python version
+    # Outputs sw-apm-version
+    uses: ./.github/workflows/get_apm_python_version.yaml
+
+  build_sdist_and_x86_64:
+    name: Build sdist and x86_64
+    needs: get_apm_python_version
+    # Outputs artifact-name
+    uses: ./.github/workflows/build_x86_64.yaml
+    with:
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+
+  scan_sdist_and_x86_64:
+    name: RL scan sdist and x86_64 build
+    needs:
+      - get_apm_python_version
+      - build_sdist_and_x86_64
+    uses: ./.github/workflows/reversinglabs_scan.yaml
+    with:
+      artifact-name: ${{ needs.build_sdist_and_x86_64.outputs.artifact-name }}
+      package-name: apm-python-pypi-sdist-x86_64
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+    secrets: inherit
+
+  publish_sdist_and_x86_64:
+    name: Publish sdist and x86_64 to TestPyPI
+    needs:
+      - build_sdist_and_x86_64
+      - scan_sdist_and_x86_64
+    uses: ./.github/workflows/publish_x86_64.yaml
+    with:
+      artifact-name: ${{ needs.build_sdist_and_x86_64.outputs.artifact-name }}
+      repository-name: testpypi
+    secrets: inherit
+
+  build_aarch64:
+    name: Build aarch64
+    needs: get_apm_python_version
+    # Outputs artifact-name
+    uses: ./.github/workflows/build_aarch64.yaml
+    with:
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+
+  scan_aarch64:
+    name: RL scan aarch64 build
+    needs:
+      - get_apm_python_version
+      - build_aarch64
+    uses: ./.github/workflows/reversinglabs_scan.yaml
+    with:
+      artifact-name: ${{ needs.build_aarch64.outputs.artifact-name }}
+      package-name: apm-python-pypi-aarch64
+      version: ${{ needs.get_apm_python_version.outputs.sw-apm-version }}
+    secrets: inherit
+
+  publish_aarch64:
+    name: Publish aarch64 to TestPyPI
+    needs:
+      - build_aarch64
+      - scan_aarch64
+    uses: ./.github/workflows/publish_aarch64.yaml
+    with:
+      artifact-name: ${{ needs.build_aarch64.outputs.artifact-name }}
+      repository-name: testpypi
+    secrets: inherit

.github/workflows/build_x86_64.yaml

@@ -0,0 +1,37 @@
+# © 2024 SolarWinds Worldwide, LLC. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+name: Build sdist and x86_64
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        type: string
+        required: true
+        description: 'APM Python version, e.g. 2.1.0'
+    outputs:
+      artifact-name:
+        description: 'Name of zip archive of sdist and wheels'
+        value: ${{ jobs.build_sdist_and_x86_64.outputs.artifact-name }}
+
+jobs:
+  build_sdist_and_x86_64:
+    name: Build sdist and x86_64
+    runs-on: ubuntu-latest
+    outputs:
+        artifact-name: scan-x86_64-${{ inputs.version }}.zip
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build sdist and x86_64
+      uses: ./.github/actions/package_solarwinds_apm_x86_64
+    - name: Package sdist and wheels for upload
+      run: zip -r scan-x86_64-${{ inputs.version }}.zip dist/*
+    - uses: actions/upload-artifact@v4
+      name: Upload zip for scan and publish
+      with:
+        name: scan-x86_64-${{ inputs.version }}.zip
+        path: scan-x86_64-${{ inputs.version }}.zip

.github/workflows/get_apm_python_version.yaml

@@ -0,0 +1,27 @@
+# © 2024 SolarWinds Worldwide, LLC. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+name: Get APM Python version
+
+on:
+  workflow_call:
+    outputs:
+      sw-apm-version:
+        description: 'APM Python version, e.g. 2.1.0'
+        value: ${{ jobs.get_apm_python_version.outputs.SW_APM_VERSION }}
+
+jobs:
+  get_apm_python_version:
+    name: Get APM Python version
+    runs-on: ubuntu-latest
+    outputs:
+      SW_APM_VERSION: ${{ steps.save-apm-python-version.outputs.SW_APM_VERSION }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: grep version from Python src
+      id: save-apm-python-version
+      run: |
+        echo "SW_APM_VERSION=$(grep __version__ ./solarwinds_apm/version.py | cut -d= -f 2 | tr -d ' "')" >> $GITHUB_OUTPUT

.github/workflows/publish_aarch64.yaml

@@ -0,0 +1,50 @@
+# © 2024 SolarWinds Worldwide, LLC. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+name: Publish aarch64
+
+on:
+  workflow_call:
+    inputs:
+      artifact-name:
+        type: string
+        required: true
+        description: 'Name of zip archive of sdist and wheels'
+      repository-name:
+        type: string
+        required: false
+        description: "testpypi or pypi"
+
+jobs:
+  publish_aarch64:
+    runs-on:
+      group: apm-arm-runner
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.artifact-name }}
+      - name: Unzip artifact with dist
+        run: unzip ${{ inputs.artifact-name }}
+      - name: Install Twine
+        run: pip install --upgrade --no-cache-dir --prefer-binary twine
+      - name: Check distribution artifacts
+        run: twine check dist/*
+      - if: ${{ inputs.repository-name == 'testpypi' }}
+        name: Publish aarch64 wheels to TestPyPI
+        env:
+          TWINE_NON_INTERACTIVE: 1
+          TWINE_REPOSITORY: testpypi
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.SW_APM_TESTPYPI_UPLOAD_TOKEN }}
+        run: twine upload dist/*.whl
+      - if: ${{ inputs.repository-name == 'pypi' }}
+        name: Publish aarch64 wheels to PyPI
+        env:
+          TWINE_NON_INTERACTIVE: 1
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.SW_APM_PYPI_UPLOAD_TOKEN }}
+        run: twine upload dist/*.whl