test: artifact hashes

behnazh · behnazh · commit 7b088403312e · 2025-04-14T15:40:40.000+10:00
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
@@ -27,35 +27,44 @@ on:
         type: boolean
         required: true
         description: Enable or disable running pip_audit to check installed packages for vulnerabilities
-    outputs:
-      artifacts-sha256:
-        value: ${{ jobs.build.outputs.artifacts-sha256 }}
-        description: The hash of the artifacts
 permissions:
   contents: read
 env:
-  ARTIFACT_OS: ubuntu-latest # The default OS for release.
-  ARTIFACT_PYTHON: '3.13' # The default Python version for release.
+  RELEASE_OS_X86_64: ubuntu-24.04        # Default OS for x86_64-compatible release artifacts.
+  RELEASE_OS_ARM64: ubuntu-24.04-arm     # Default OS for ARM64-compatible release artifacts.
+  RELEASE_PYTHON_VERSION: '3.13'         # Default Python version used for release artifacts.
 
 jobs:
   build:
     # Uncomment the following to disable checks and tests for Draft pull requests.
     # if: github.event.pull_request.draft == false
-    outputs:
-      artifacts-sha256: ${{ steps.compute-hash.outputs.artifacts-sha256 }}
     name: Build Python ${{ matrix.python }} on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         # It is recommended to pin a Runner version specifically:
         # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
-        # os: [ubuntu-24.04, ubuntu-24.04-arm, macos-latest, windows-latest]
-        os: [ubuntu-24.04, ubuntu-24.04-arm]
+        os: [ubuntu-24.04, ubuntu-24.04-arm, macos-latest, windows-latest]
         python: ['3.10', '3.11', '3.12', '3.13']
 
     steps:
 
+    # Create a GitHub Actions environment variable that maps a matrix.os value to a more descriptive environment
+    # value (e.g., ubuntu-x86-64 or ubuntu-arm64).
+    - name: Set the architecture label
+      run: |
+        if [[ "${{ matrix.os }}" == "ubuntu-24.04" ]]; then
+          echo "ARCH_ENV=ubuntu-x86-64" >> "$GITHUB_ENV"
+        elif [[ "${{ matrix.os }}" == "ubuntu-24.04-arm" ]]; then
+          echo "ARCH_ENV=ubuntu-arm64" >> "$GITHUB_ENV"
+        else
+          echo "ARCH_ENV=unknown" >> "$GITHUB_ENV"
+        fi
+
+    - name: Test the env variable
+      run: echo "Architecture-specific env ${{ ARCH_ENV }}"
+
     - name: Harden Runner
       uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
@@ -99,24 +108,33 @@ jobs:
         HYPOTHESIS_PROFILE: github
 
     # Generate the requirements.txt that contains the hash digests of the dependencies and
-    # generate the SBOM using CyclonDX SBOM generator.
+    # generate the SBOM using CyclonDX SBOM generator for the release Python version and
+    # supported release OS targets.
     - name: Generate requirements.txt and SBOM
-      if: matrix.python == env.ARTIFACT_PYTHON
+      if: >
+        matrix.python == env.RELEASE_PYTHON_VERSION &&
+        (matrix.os == env.RELEASE_OS_X86_64 || matrix.os == env.RELEASE_OS_ARM64)
       run: make requirements sbom
 
     # Remove the old requirements.txt file (which includes _all_ packages) and generate a
-    # new one for the package and its actual and required dependencies only.
+    # new one for the package and its actual and required dependencies only. Run this step
+    # for the release Python version and supported release OS targets only.
     - name: Prune packages and generate required requirements.txt
-      if: matrix.python == env.ARTIFACT_PYTHON
+      if: >
+        matrix.python == env.RELEASE_PYTHON_VERSION &&
+        (matrix.os == env.RELEASE_OS_X86_64 || matrix.os == env.RELEASE_OS_ARM64)
       run: |
         rm requirements.txt
         make prune requirements
 
     # Find the paths to the artifact files that will be included in the release, compute
     # the SHA digest for all the release files and encode them using Base64, and export it
-    # from this job.
+    # from this job. Run this step for the release Python version and supported release
+    # OS targets only.
     - name: Compute package hash
-      if: matrix.python == env.ARTIFACT_PYTHON
+      if: >
+        matrix.python == env.RELEASE_PYTHON_VERSION &&
+        (matrix.os == env.RELEASE_OS_X86_64 || matrix.os == env.RELEASE_OS_ARM64)
       id: compute-hash
       shell: bash
       run: |
@@ -131,15 +149,28 @@ jobs:
         sha256sum --version
         DIGEST=$(sha256sum "$TARBALL_PATH" "$WHEEL_PATH" "$REQUIREMENTS_PATH" "$SBOM_PATH" "$HTML_DOCS_PATH" "$MARKDOWN_DOCS_PATH" "$BUILD_EPOCH_PATH" | base64 -w0)
         echo "Digest of artifacts is $DIGEST."
-        echo "artifacts-sha256=$DIGEST" >> "$GITHUB_OUTPUT"
+        echo "$DIGEST" > artifacts-sha256-file-${{ ARCH_ENV }}
 
-    # For now only generate artifacts for the specified OS and Python version in env variables.
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
+    # Run this step for the release Python version and supported release OS targets only.
     - name: Upload the package artifact for debugging and release
-      if: matrix.python == env.ARTIFACT_PYTHON
+      if: >
+        matrix.python == env.RELEASE_PYTHON_VERSION &&
+        (matrix.os == env.RELEASE_OS_X86_64 || matrix.os == env.RELEASE_OS_ARM64)
       uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
-        name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
-        path: dist
+        name: artifacts-${{ ARCH_ENV }}
+        path: ./dist*/
         if-no-files-found: error
         retention-days: 7
+
+    # Run this step for the release Python version and supported release OS targets only.
+    - name: Upload artifacts-sha256
+      if: >
+        matrix.python == env.RELEASE_PYTHON_VERSION &&
+        (matrix.os == env.RELEASE_OS_X86_64 || matrix.os == env.RELEASE_OS_ARM64)
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+      with:
+        name: artifacts-sha256-file-${{ ARCH_ENV }}
+        path: artifacts-sha256-file-${{ ARCH_ENV }}
+        retention-days: 7
diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
@@ -38,18 +38,30 @@ jobs:
     - name: Download artifact
       uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
-        path: dist
-        merge-multiple: true
+        path: downloads
 
     # Verify hashes by first computing hashes for the artifacts and then comparing them
     # against the hashes computed by the build job.
     - name: Verify the artifact hash
-      env:
-        ARTIFACT_HASH: ${{ needs.build.outputs.artifacts-sha256 }}
       run: |
         set -euo pipefail
-        echo "Hash of package should be $ARTIFACT_HASH."
-        echo "Decoding the artifact hash:"
-        ls dist
-        echo "$ARTIFACT_HASH" | base64 --decode
-        echo "$ARTIFACT_HASH" | base64 --decode | sha256sum --strict --check --status || exit 1
+        cd downloads
+        for ARCH in "ubuntu-x86-64" "ubuntu-arm64"; do
+          HASH_DIR="artifacts-sha256-file-${ARCH}"
+          ARTIFACT_DIR="artifacts-${ARCH}"
+          HASH_FILE="${HASH_DIR}/artifacts-sha256-file-${ARCH}"
+
+          echo "Verifying artifacts for ${ARCH}"
+          echo "Decoding expected SHA256 digest:"
+          DECODED_HASH=$(base64 --decode "${HASH_FILE}")
+          echo "$DECODED_HASH"
+
+          cd "${ARTIFACT_DIR}"
+          echo "$DECODED_HASH" | sha256sum --strict --check --status || {
+            echo "Hash verification failed for ${ARCH}!"
+            exit 1
+          }
+          cd - > /dev/null
+
+          echo "Hash verified successfully for ${ARCH}"
+        done
