fix: support running in FIPS-enabled environments #2737
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: marimo bot | |
on: | |
issue_comment: | |
types: [created] | |
env: | |
TURBO_TEAM: marimo | |
jobs: | |
# Various jobs that can be triggered by comments | |
create-test-release: | |
if: > | |
( | |
github.event.issue.author_association == 'OWNER' || | |
github.event.issue.author_association == 'COLLABORATOR' || | |
github.event.issue.author_association == 'MEMBER' || | |
github.event.comment.author_association == 'OWNER' || | |
github.event.comment.author_association == 'COLLABORATOR' || | |
github.event.comment.author_association == 'MEMBER' | |
) && | |
github.event.issue.pull_request && | |
contains(github.event.comment.body, '/marimo create-test-release') | |
name: 📤 Publish test release | |
runs-on: ubuntu-latest | |
defaults: | |
run: | |
shell: bash | |
steps: | |
- name: 🛑 Cancel Previous Runs | |
uses: styfle/[email protected] | |
- name: 📝 Get PR Info | |
id: pr | |
env: | |
PR_NUMBER: ${{ github.event.issue.number }} | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GH_REPO: ${{ github.repository }} | |
COMMENT_AT: ${{ github.event.comment.created_at }} | |
run: | | |
pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" | |
head_sha="$(echo "$pr" | jq -r .head.sha)" | |
pushed_at="$(echo "$pr" | jq -r .pushed_at)" | |
if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then | |
echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" | |
exit 1 | |
fi | |
echo "head_sha=$head_sha" >> $GITHUB_OUTPUT | |
- name: ⬇️ Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ steps.pr.outputs.head_sha }} | |
- name: 📝 Initial Comment on PR | |
uses: actions/github-script@v7 | |
id: comment | |
with: | |
script: | | |
const comment = await github.rest.issues.createComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: context.issue.number, | |
body: '🚀 Starting test release process...' | |
}); | |
console.log(`Comment created with ID: ${comment.data.id}`); | |
return comment.data.id; | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 9 | |
- name: ⎔ Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
cache: 'pnpm' | |
cache-dependency-path: '**/pnpm-lock.yaml' | |
registry-url: 'https://registry.npmjs.org' | |
env: | |
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
- name: 📦 Build frontend | |
run: make fe | |
env: | |
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} | |
- name: 🥚 Install Hatch | |
uses: pypa/hatch@install | |
- name: Adapt pyproject.toml to build marimo-base | |
run: ./scripts/modify_pyproject_for_marimo_base.sh | |
# patch __init__.py version to be of the form | |
# X.Y.Z-dev9{4random digits} | |
# This must be a valid semver version from | |
# https://packaging.python.org/en/latest/discussions/versioning/ | |
- name: 🔨 Patch version number | |
run: | | |
# Get the version number | |
# - assumes version is on a line of the form __version__ == "x.y.z" | |
current_version=`grep '__version__' marimo/__init__.py | awk '{print $3}' | tr -d '"'` | |
# Generate a random 4-digit number | |
random_digits=`shuf -i 1000-9999 -n 1` | |
# Form the new version with the random digits | |
MARIMO_VERSION="${current_version}-dev9${random_digits}" | |
# Set the version in the environment for later steps | |
echo "MARIMO_VERSION=$MARIMO_VERSION" >> $GITHUB_ENV | |
sed -i "s/__version__ = \".*\"/__version__ = \"$MARIMO_VERSION\"/" marimo/__init__.py | |
- name: 📦 Build marimo | |
run: hatch build --clean | |
- name: 📦 Validate wheel under 2mb | |
run: ./scripts/validate_base_wheel_size.sh | |
- name: 📤 Upload to TestPyPI | |
env: | |
HATCH_INDEX_USER: ${{ secrets.TEST_PYPI_USER }} | |
HATCH_INDEX_AUTH: ${{ secrets.TEST_PYPI_MARIMO_BASE_PASSWORD }} | |
run: hatch publish --repo test | |
- name: 📦 Update package.json version from CLI | |
working-directory: frontend | |
run: | | |
echo "Updating package.json version to ${{ env.MARIMO_VERSION }}" | |
npm version ${{ env.MARIMO_VERSION }} --no-git-tag-version | |
- name: 📤 Upload wasm to npm | |
working-directory: frontend | |
env: | |
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
run: | | |
for i in {1..3}; do | |
npm publish --access public && break || { | |
echo "Publish attempt $i failed, retrying..." | |
sleep 10 | |
} | |
done | |
- name: 📝 Update PR Comment | |
uses: actions/github-script@v7 | |
continue-on-error: true | |
with: | |
script: | | |
try { | |
const commentId = ${{steps.comment.outputs.result}} | |
console.log(`Updating comment with ID: ${commentId}`); | |
await github.rest.issues.updateComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
comment_id: commentId, | |
body: `🚀 Test release published. You may be able to view the changes at https://marimo.app?v=${process.env.MARIMO_VERSION}` | |
}); | |
} catch (err) { | |
console.error(err); | |
} | |
- name: 📝 Update PR Comment on Failure | |
if: failure() | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
try { | |
const commentId = ${{steps.comment.outputs.result}} | |
console.log(`Updating comment with ID: ${commentId}`); | |
await github.rest.issues.updateComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
comment_id: commentId, | |
body: `❌ Test release failed. Please check the workflow logs for more details.` | |
}); | |
} catch (err) { | |
console.error(err); | |
} |