diff --git a/.github/workflows/pin_deps.yml b/.github/workflows/pin_deps.yml index b93755a8..c5c414a0 100644 --- a/.github/workflows/pin_deps.yml +++ b/.github/workflows/pin_deps.yml @@ -13,16 +13,17 @@ defaults: jobs: pin: name: Generate dependency lock - runs-on: ${{ matrix.os.runner_name }} + runs-on: ${{ runner.os }} strategy: fail-fast: false # Don't cancel other jobs if one fails matrix: - os: - - runner_name: ubuntu-latest - os_family: Linux - - runner_os_name: macos-latest + os: [ubuntu-latest, macos-latest, windows-latest] + include: + - os: macos-latest os_family: Darwin - - runner_name: windows-latest + - os: ubuntu-latest + os_family: Linux + - os: windows-latest os_family: Windows steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 @@ -31,9 +32,9 @@ jobs: python-version: 3.11 cache: pip cache-dependency-path: | - model_signing/install/requirements_${{ matrix.os.os_family }}.txt - model_signing/install/requirements_test_${{ matrix.os.os_family }}.txt - slsa_for_models/install/requirements_${{ matrix.os.os_family }}.txt + model_signing/install/requirements_${{ matrix.include.os_family }}.txt + model_signing/install/requirements_test_${{ matrix.include.os_family }}.txt + slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt - name: Create an empty virtualenv and install `pip-tools` run: | set -exuo pipefail 
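Review bot: `runs-on: ${{ runner.os }}` cannot select a runner, because the `runner` context is not available in `jobs.<job_id>.runs-on`; it only exists once a runner has been assigned. Its values (`Linux`, `Windows`, `macOS`) are not hosted-runner labels in any case. With the new matrix shape the label is `matrix.os`, so the line should read `runs-on: ${{ matrix.os }}`. The same line is added in slsa_for_ml.yml, unit_tests.yml and both jobs of validate_deps.yml, so until it is fixed none of these pinning, validation and provenance jobs would be expected to start.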
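Review bot: `matrix.include.os_family` does not name anything, because keys added through `include` are merged into the matching combination and read as `matrix.os_family`. As written the expression should evaluate to an empty string, so every path here becomes `requirements_.txt` and the per-OS lock files are no longer the ones being cached, compiled or installed. Use `model_signing/install/requirements_${{ matrix.os_family }}.txt` (and likewise for the other paths) in this hunk. The same applies to every later hunk of this commit that uses the expression: the `pip-compile` and `pip install` steps in this file, and slsa_for_ml.yml, unit_tests.yml and validate_deps.yml.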
@@ -45,16 +46,16 @@ jobs: run: | set -exuo pipefail .github/workflows/scripts/venv_activate.sh - pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ matrix.os.os_family }}.txt model_signing/install/requirements.in - pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ matrix.os.os_family }}.txt model_signing/install/requirements_test.in - pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ matrix.os.os_family }}.txt slsa_for_models/install/requirements.in + pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_${{ matrix.include.os_family }}.txt model_signing/install/requirements.in + pip-compile --upgrade --generate-hashes --strip-extras --output-file=model_signing/install/requirements_test_${{ matrix.include.os_family }}.txt model_signing/install/requirements_test.in + pip-compile --upgrade --generate-hashes --strip-extras --output-file=slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt slsa_for_models/install/requirements.in - name: Test freeze file (for model signing) run: | set -exuo pipefail rm -rf venv # Need clean sandbox python -m venv venv .github/workflows/scripts/venv_activate.sh - pip install -r model_signing/install/requirements_${{ matrix.os.os_family }}.txt + pip install -r model_signing/install/requirements_${{ matrix.include.os_family }}.txt pip list # For debugging - name: Test freeze file (for testing model signing) run: | @@ -62,7 +63,7 @@ jobs: rm -rf venv # Need clean sandbox python -m venv venv .github/workflows/scripts/venv_activate.sh - pip install -r model_signing/install/requirements_test_${{ matrix.os.os_family }}.txt + pip install -r model_signing/install/requirements_test_${{ matrix.include.os_family }}.txt pip list # For debugging - name: Test freeze file (for SLSA for models) run: | 
@@ -70,13 +71,13 @@ jobs: rm -rf venv # Need clean sandbox python -m venv venv .github/workflows/scripts/venv_activate.sh - pip install -r slsa_for_models/install/requirements_${{ matrix.os.os_family }}.txt + pip install -r slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt pip list # For debugging - name: Upload freeze files uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: - name: freeze-files-${{ matrix.os.runner_name }} - path: ./*/install/requirements*${{ matrix.os.os_family }}*txt + name: freeze-files-${{ runner.os }} + path: ./*/install/requirements*${{ matrix.include.os_family }}*txt # Separate PR creation job to make sure it creates only one single PR with # all changed files, eliminate race-conditions and restrict permissions only diff --git a/.github/workflows/slsa_for_ml.yml b/.github/workflows/slsa_for_ml.yml index 38091a86..8830ffb8 100644 --- a/.github/workflows/slsa_for_ml.yml +++ b/.github/workflows/slsa_for_ml.yml @@ -29,16 +29,17 @@ defaults: jobs: train: name: Train model - runs-on: ${{ matrix.os.runner_name }} + runs-on: ${{ runner.os }} strategy: fail-fast: false # Don't cancel other jobs if one fails matrix: - os: - - runner_name: ubuntu-latest - os_family: Linux - - runner_os_name: macos-latest + os: [ubuntu-latest, macos-latest, windows-latest] + include: + - os: macos-latest os_family: Darwin - - runner_name: windows-latest + - os: ubuntu-latest + os_family: Linux + - os: windows-latest os_family: Windows outputs: hash-ubuntu-latest: ${{ steps.hash.outputs.hash-ubuntu-latest }} 
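Review bot: The artifact is renamed by `name: freeze-files-${{ runner.os }}`: `runner.os` is valid inside a step, but it yields `Linux`/`macOS`/`Windows` rather than the `ubuntu-latest`-style label used before. The PR-creation job that consumes these artifacts is outside the hunk, so check that it does not download by the old names; `name: freeze-files-${{ matrix.os }}` keeps them unchanged. Separately, with an empty `os_family` the `path` glob would widen to `requirements**txt`. Each runner would then probably upload every platform's lock file, including ones it did not regenerate, and could overwrite another platform's fresh file when the artifacts are combined.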
@@ -51,13 +52,13 @@ jobs: with: python-version: 3.11 cache: pip - cache-dependency-path: slsa_for_models/install/requirements_${{ matrix.os.os_family }}.txt + cache-dependency-path: slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt - name: Install dependencies run: | set -exuo pipefail python -m venv venv .github/workflows/scripts/venv_activate.sh - python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.os.os_family }}.txt + python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt - name: Build model env: MODEL_TYPE: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} @@ -69,7 +70,7 @@ jobs: - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: path: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }} - name: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}_${{ matrix.os.os_family }} + name: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}_${{ matrix.include.os_family }} if-no-files-found: error - id: hash env: @@ -77,7 +78,7 @@ jobs: run: | set -euo pipefail (sha256sum -t "$MODEL" || shasum -a 256 "$MODEL") > checksum - echo "hash-${{ matrix.os.runner_name }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}" + echo "hash-${{ runner.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}" provenance: # TODO(mihaimaruseac): Don't run on pull requests for now @@ -93,5 +94,5 @@ jobs: contents: write uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: - base64-subjects: "${{ needs.train.outputs[format('hash-{0}', matrix.os)] }}" + base64-subjects: "${{ needs.train.outputs[format('hash-{0}', runner.os)] }}" upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag 
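Review bot: The step output key no longer matches the job's `outputs` map. `hash-${{ runner.os }}` writes `hash-Linux`, `hash-macOS` or `hash-Windows`, while the map shown in the first hunk of this file still reads `steps.hash.outputs.hash-ubuntu-latest` (the other entries are outside the diff). The `train` outputs would then be empty and the provenance job would be handed no subjects to attest. Keep the key on the runner label, `echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"`, or rename the output entries to match.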
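Review bot: `runner.os` is not usable in `base64-subjects`, because this job calls a reusable workflow and `jobs.<job_id>.with` only accepts the `github`, `needs`, `strategy`, `matrix`, `inputs` and `vars` contexts. The previous `matrix.os` lookup presumably relied on a matrix declared on the `provenance` job, outside this hunk. If that matrix lists the runner labels, `"${{ needs.train.outputs[format('hash-{0}', matrix.os)] }}"` still selects the right digest and should stay. A comment beside the line, e.g. `# key must match the hash-<label> outputs of the train job`, would help keep the two jobs in sync.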
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index d63e5d16..4e7aea78 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -16,16 +16,17 @@ defaults: jobs: model-signing-unit-tests: name: Run unit tests for signing - runs-on: ${{ matrix.os.runner_name }} + runs-on: ${{ runner.os }} strategy: fail-fast: false # Don't cancel other jobs if one fails matrix: - os: - - runner_name: ubuntu-latest - os_family: Linux - - runner_os_name: macos-latest + os: [ubuntu-latest, macos-latest, windows-latest] + include: + - os: macos-latest os_family: Darwin - - runner_name: windows-latest + - os: ubuntu-latest + os_family: Linux + - os: windows-latest os_family: Windows steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 @@ -34,15 +35,15 @@ jobs: python-version: 3.11 cache: pip cache-dependency-path: | - model_signing/install/requirements_${{ matrix.os.os_family }}.txt - model_signing/install/requirements_test_${{ matrix.os.os_family }}.txt + model_signing/install/requirements_${{ matrix.include.os_family }}.txt + model_signing/install/requirements_test_${{ matrix.include.os_family }}.txt - name: Install dependencies run: | set -exuo pipefail python -m venv venv .github/workflows/scripts/venv_activate.sh - python -m pip install --require-hashes -r model_signing/install/requirements_${{ matrix.os.os_family }}.txt - python -m pip install --require-hashes -r model_signing/install/requirements_test_${{ matrix.os.os_family }}.txt + python -m pip install --require-hashes -r model_signing/install/requirements_${{ matrix.include.os_family }}.txt + python -m pip install --require-hashes -r model_signing/install/requirements_test_${{ matrix.include.os_family }}.txt - name: Run unit tests run: | set -euo pipefail diff --git a/.github/workflows/validate_deps.yml b/.github/workflows/validate_deps.yml index a17ad1a2..d5b8065e 100644 --- a/.github/workflows/validate_deps.yml 
+++ b/.github/workflows/validate_deps.yml @@ -18,16 +18,17 @@ defaults: jobs: model-signing: name: Test model signing dependencies - runs-on: ${{ matrix.os.runner_name }} + runs-on: ${{ runner.os }} strategy: fail-fast: false # Don't cancel other jobs if one fails matrix: - os: - - runner_name: ubuntu-latest - os_family: Linux - - runner_os_name: macos-latest + os: [ubuntu-latest, macos-latest, windows-latest] + include: + - os: macos-latest os_family: Darwin - - runner_name: windows-latest + - os: ubuntu-latest + os_family: Linux + - os: windows-latest os_family: Windows steps: - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5 @@ -35,17 +36,17 @@ jobs: with: python-version: 3.11 cache: pip - cache-dependency-path: model_signing/install/requirements_${{ matrix.os.runner_name.os_family }}.txt + cache-dependency-path: model_signing/install/requirements_${{ matrix.include.os_family }}.txt - name: Install dependencies run: | set -exuo pipefail python -m venv venv .github/workflows/scripts/venv_activate.sh - python -m pip install --require-hashes -r model_signing/install/requirements_${{ matrix.os.runner_name.os_family }}.txt + python -m pip install --require-hashes -r model_signing/install/requirements_${{ matrix.include.os_family }}.txt slsa-for-ml: name: Test SLSA for ML demo dependencies - runs-on: ${{ matrix.os.runner_name }} + runs-on: ${{ runner.os }} strategy: fail-fast: false # Don't cancel other jobs if one fails matrix: 
@@ -56,10 +57,10 @@ jobs: with: python-version: 3.11 cache: pip - cache-dependency-path: slsa_for_models/install/requirements_${{ matrix.os.runner_name.os_family }}.txt + cache-dependency-path: slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt - name: Install dependencies run: | set -exuo pipefail python -m venv venv .github/workflows/scripts/venv_activate.sh - python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.os.runner_name.os_family }}.txt + python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.include.os_family }}.txt
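Review bot: The `slsa-for-ml` job's matrix is not touched by this commit, so the `os_family` used in these two paths may not be defined for that job. The previous hunk ends at the job's `matrix:` line and only a few unchanged lines lie between the two hunks, which suggests (not visible here) a plain `os` list without `include` entries. Add the same `include` block as in `model-signing` to that job and reference it as `matrix.os_family`, e.g. `python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.os_family }}.txt`.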