feat: manifest generation tooling, workflow optimization, and Python 3.13/3.14 support #11
Open: adilhusain-s wants to merge 13 commits into IBM:main from adilhusain-s:release-python-3.13.x
+950 −175
- dotnet-install.py: Add retry logic (8 attempts) for JSON fetching to handle network flakes.
- Makefile: Upgrade Trivy to v0.68.2 and enforce build failure on High/Critical vulnerabilities.
Signed-off-by: Adilhusain Shaikh <[email protected]>

- Add 'generate_partial_manifest.py' and 'apply_partial_manifests.py' scripts.
- Add 'backfill-manifests.yml' workflow to process partial manifests.
- Add unit tests for manifest generation and application logic.
Signed-off-by: Adilhusain Shaikh <[email protected]>
fix(tests): update error message assertion for invalid JSON handling
Signed-off-by: Adilhusain Shaikh <[email protected]>

- release-matching-python-tags: Target Python 3.13.* and implement concurrency groups.
- reusable-release-python-tar: Remove direct Git push logic; generate partial manifest artifacts instead.
- release-matching-python-tags: Add 'update-manifests' job to aggregate partials and commit atomically.
- Optimize 'max-parallel' and disable 'fail-fast' for better resilience.
Signed-off-by: Adilhusain Shaikh <[email protected]>

- Drop legacy manifest files for Python 3.9, 3.10, 3.11, and 3.12.
- Add and update manifest definitions for Python 3.13.x and 3.14.x on ppc64le and s390x architectures.
Signed-off-by: Adilhusain Shaikh <[email protected]>
Signed-off-by: Adilhusain Shaikh <[email protected]>
…gged URLs Signed-off-by: Adilhusain Shaikh <[email protected]>
Signed-off-by: Adilhusain Shaikh <[email protected]>
Signed-off-by: Adilhusain Shaikh <[email protected]>
…nd improve descriptions Signed-off-by: Adilhusain Shaikh <[email protected]>
Signed-off-by: Adilhusain Shaikh <[email protected]>
Overview
This PR stabilizes the release pipeline by introducing partial manifest tooling, refactoring CI workflows to eliminate race conditions, and improving fault tolerance across architectures.
The key motivation is reliability.
Before this change, the pipeline tightly coupled builds, releases, and git updates inside matrix jobs. This made releases fragile, hard to recover from, and increasingly error-prone after adding Trivy scanning. In particular:
This PR decouples artifact generation from manifest updates, introduces an explicit aggregation step, and makes the pipeline resilient to partial failures.
How the Release Pipeline Works (After This PR)
At a high level, the pipeline now runs in four clearly separated phases:
This separation is intentional and is what fixes the reliability issues.
Pipeline Flow Explained
1. Tag Discovery (get-tags job)
The workflow first determines which Python versions should be processed.
- If .github/release/python-tag-filter.txt exists, it is used as a filter (e.g. 3.13.*).
This keeps the workflow deterministic and avoids manual inputs while still allowing controlled releases.
2. Build & Package (Matrix Jobs)
For each discovered Python tag, the workflow runs a matrix build across:
- (ppc64le, s390x)
- (22.04, 24.04)
Key design choices:
- fail-fast: false
  A failure on one architecture does not cancel other builds.
Partial manifests are uploaded as workflow artifacts and do not touch git.
3. Release Asset Finalization (release-assets job)
Once builds complete, a follow-up job ensures release assets are finalized per Python version.
4. Manifest Aggregation (update-manifests job)
Instead of each build job pushing to the repository, a single aggregation job now runs:
(missing artifacts are tolerated for failed architectures)
Concurrency is controlled so only one aggregation runs per ref.
If a build for one architecture fails, only that job needs to be rerun.
The regenerated partial manifest can then be recombined without restarting the full workflow.
Key Changes
Infrastructure & Security
- dotnet-install.py to handle transient network failures
- v0.68.2 with strict failure thresholds
- sudo usage
Partial Manifest Tooling
- generate_partial_manifest.py: Generates architecture-scoped partial manifests
- apply_partial_manifests.py: Merges partial manifests
- backfill-manifests.yml: Regenerates or fixes manifests for existing releases without rebuilding binaries
This prevents Trivy-generated assets from leaking into release metadata.
CI/CD Workflow Refactor
- git push operations from matrix jobs
The pipeline now follows an Artifact → Aggregate → Commit model.
Technical Rationale
Pushing to main from within a matrix strategy caused race conditions and flaky failures.
The new aggregation model eliminates these issues and allows partial recovery without full reruns.
Verification
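
An added example, not code from this pull request and not the project's apply_partial_manifests.py: a sketch of the aggregation step described above, showing why one merge keyed on version, architecture and platform version tolerates a failed architecture and can be rerun safely. The JSON field names, the `.tar.gz` acceptance rule, and the names `parse_partial`, `apply_partials` and `SAMPLE` are assumptions.

```python
import json
import re

# Assumed shapes (not the project's schema): a partial is one JSON object per
# build; the manifest is a list of {"version": ..., "files": [...]} entries.
FIELDS = ("version", "arch", "platform_version", "filename", "download_url")

def parse_partial(raw):
    """Return a validated partial, or None if it must not be merged."""
    try:
        p = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(p, dict) or any(not isinstance(p.get(k), str) for k in FIELDS):
        return None
    # Assumed rule: only X.Y.Z versions and release tarballs are accepted, so a
    # scan report uploaded beside the build never reaches the manifest.
    if not re.fullmatch(r"\d+\.\d+\.\d+", p["version"]) or not p["filename"].endswith(".tar.gz"):
        return None
    return {k: p[k] for k in FIELDS}

def apply_partials(manifest, raw_partials):
    """Merge partials; return (new_manifest, rejected_count).
    Entries are keyed on (version, arch, platform_version), so the merge is
    idempotent and order-independent: a rerun of one failed architecture
    replaces only its own file entry.
    """
    files = {}
    for entry in manifest:
        for f in entry["files"]:
            files[(entry["version"], f["arch"], f["platform_version"])] = f
    rejected = 0
    for raw in raw_partials:
        p = parse_partial(raw)
        if p is None:
            rejected += 1
            continue
        version = p.pop("version")
        files[(version, p["arch"], p["platform_version"])] = p
    merged = {}
    for (version, _arch, _pv), f in sorted(files.items()):
        merged.setdefault(version, []).append(f)
    order = sorted(merged, key=lambda v: tuple(map(int, v.split("."))), reverse=True)
    return [{"version": v, "files": merged[v]} for v in order], rejected

# Constructed sample: s390x failed, and a scan report slipped into the artifacts.
SAMPLE = [json.dumps(dict(version="3.13.1", arch="ppc64le", platform_version="22.04",
                          filename=n, download_url="https://example.invalid/" + n))
          for n in ("python-3.13.1-ppc64le.tar.gz", "trivy-report.json")]
```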