Add LTS build strategy documentation and update README #1
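---
# Release pipeline: security scan -> build wheels per Python version -> test ->
# SBOM/provenance -> optional PyPI publish -> GitHub Release.
#
# Trust boundary: `github.event.inputs.version` is operator-supplied text
# (workflow_dispatch). It is validated once in security-scan and afterwards only
# reaches shell scripts as the $MEDIAPIPE_VERSION environment variable, never by
# inline `${{ }}` interpolation into `run:` bodies (which would let the value be
# parsed as shell syntax).
#
# NOTE(review): every `uses:` below references a mutable tag (v4, v5, v1,
# release/v1). Pinning each action to a full-length commit SHA — e.g.
# `actions/checkout@<commit-sha>  # v4` — removes the possibility of a moved
# tag changing what this release pipeline executes.
name: Release

on:
  push:
    tags:
      - "v*.*.*"
  workflow_dispatch:
    inputs:
      version:
        description: 'MediaPipe version to build (e.g., 0.10.26)'
        required: true
        default: '0.10.26'
      publish_to_pypi:
        description: 'Publish to PyPI'
        type: boolean
        default: false
      publish_to_github:
        description: 'Create GitHub Release'
        type: boolean
        default: true

# Least privilege for GITHUB_TOKEN: read-only by default. Jobs that need more
# request it themselves (publish-pypi: id-token, create-release: contents write).
permissions:
  contents: read

env:
  # NOTE(review): on a tag push there is no dispatch input, so this falls back
  # to the hard-coded default instead of the version encoded in the pushed tag.
  # Confirm that is intended, or derive the version from github.ref_name in a
  # dedicated step.
  MEDIAPIPE_VERSION: ${{ github.event.inputs.version || '0.10.26' }}
  # Interpreter used for the tooling jobs (scan, SBOM); the build matrix
  # overrides this per leg.
  PYTHON_VERSION: '3.12'

jobs:
  # Security scanning and dependency checks
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Validate version input
        # The version is later used in artifact names, file paths, the release
        # tag and shell commands; reject anything outside a PEP 440-style
        # character set before any of that happens.
        run: |
          if [[ ! "$MEDIAPIPE_VERSION" =~ ^[A-Za-z0-9._+-]+$ ]]; then
            echo "::error::Invalid MEDIAPIPE_VERSION: '$MEDIAPIPE_VERSION'"
            exit 1
          fi

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install security tools
        # NOTE(review): unpinned tool installs make scan results
        # non-reproducible; pin versions (and ideally hashes) here.
        run: |
          python -m pip install --upgrade pip
          pip install safety bandit semgrep

      - name: Run safety check (vulnerability scanning)
        # NOTE(review): without `-r <requirements>` safety only inspects the
        # packages installed in this job's environment, i.e. the tools
        # installed above — not the project's dependencies.
        run: safety check --full-report

      - name: Run bandit (security linting)
        # NOTE(review): bandit analyses Python sources; the exclusion suggests
        # scripts/ holds shell scripts, which bandit does not cover.
        run: bandit -r scripts/ --exclude scripts/test-*.sh

      - name: Run semgrep (semantic security analysis)
        # `--config auto` fetches the rule set from the Semgrep registry at run
        # time, so the rules applied are not pinned by this file.
        run: |
          semgrep --config auto --error .

  # Build wheels for all supported Python versions
  build-wheels:
    needs: security-scan
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13', '3.14']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build wheel
        # MEDIAPIPE_VERSION is already exported from the workflow-level env;
        # PYTHON_VERSION is overridden for this matrix leg via step env rather
        # than interpolated into the script.
        env:
          PYTHON_VERSION: ${{ matrix.python-version }}
        run: ./scripts/build.sh

      # The wheel and the build log are uploaded as separate artifacts on
      # purpose: a single artifact with two search paths keeps their common
      # ancestor (the repo root) as the artifact root, which would place the
      # wheels under wheels/ inside the artifact and break every downstream
      # `wheels/*.whl` and `wheels-*/*.whl` glob.
      - name: Upload wheel artifact
        uses: actions/upload-artifact@v4
        with:
          name: wheels-py${{ matrix.python-version }}
          path: wheels/*.whl

      - name: Upload build log
        uses: actions/upload-artifact@v4
        with:
          name: build-logs-py${{ matrix.python-version }}
          path: logs/build-${{ env.MEDIAPIPE_VERSION }}-py${{ matrix.python-version }}.log

  # Run comprehensive tests (CPU-only in CI environment)
  test-wheels:
    needs: build-wheels
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.9', '3.10', '3.11', '3.12', '3.13', '3.14']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download wheel artifacts
        uses: actions/download-artifact@v4
        with:
          name: wheels-py${{ matrix.python-version }}
          path: wheels/

      - name: Run comprehensive tests (CPU-only mode in CI)
        env:
          PYTHON_VERSION: ${{ matrix.python-version }}
        run: |
          echo "Note: Running in CI environment - GPU hardware not available"
          echo "Tests will run in CPU-only mode but verify wheel integrity and basic functionality"
          ./scripts/test-wheel-extensive.sh

      - name: Upload test results
        uses: actions/upload-artifact@v4
        with:
          name: test-results-py${{ matrix.python-version }}
          path: logs/test-*-${{ env.MEDIAPIPE_VERSION }}-*.log

  # Generate SBOM and provenance information
  generate-sbom:
    needs: [build-wheels, test-wheels]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download all wheel artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: wheels-*
          path: wheels/
          merge-multiple: true

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install SBOM tools
        # NOTE(review): pin the tool version so the SBOM generator itself is
        # reproducible.
        run: |
          pip install cyclonedx-bom
          # Install other SBOM generation tools as needed

      - name: Generate SBOM
        run: |
          # Generate Software Bill of Materials for the built wheels
          # NOTE(review): confirm this CLI accepts wheel files as positional
          # arguments; its documented entry points are environment/requirements
          # based. Verify the command locally before relying on the output.
          cyclonedx-bom --format json --output sbom.json wheels/*.whl
          # Build the provenance record as real JSON so no value (in particular
          # the operator-supplied version) can alter the document structure.
          jq -n \
            --arg version "$MEDIAPIPE_VERSION" \
            --arg date "$(date -Iseconds)" \
            --arg run_id "$GITHUB_RUN_ID" \
            --arg sha "$GITHUB_SHA" \
            '{build_info: {mediapipe_version: $version, build_date: $date, github_run_id: $run_id, github_sha: $sha}}' \
            > provenance.json

      - name: Upload SBOM and provenance
        uses: actions/upload-artifact@v4
        with:
          name: sbom-provenance
          path: |
            sbom.json
            provenance.json

  # Publish to PyPI (only if requested and all tests pass)
  publish-pypi:
    needs: [test-wheels, generate-sbom]
    runs-on: ubuntu-latest
    if: ${{ github.event.inputs.publish_to_pypi == 'true' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) }}
    # environment:
    #   name: pypi  # Uncomment after setting up PyPI trusted publishing
    #   url: https://pypi.org/p/mediapipe-gpu
    # Job-level permissions replace the workflow default entirely: this job
    # gets only the OIDC token it needs (it performs no checkout).
    permissions:
      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      - name: Download all wheel artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: wheels-*
          path: dist/
          merge-multiple: true

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          attestations: true  # Enable cryptographic attestations

  # Create GitHub Release with all artifacts
  create-release:
    needs: [test-wheels, generate-sbom, publish-pypi]
    runs-on: ubuntu-latest
    # publish-pypi is optional (skipped on dispatch unless requested). The
    # implicit success() in a job `if` treats a skipped dependency as a failure
    # and would skip this job too, so each dependency's result is checked
    # explicitly and publish-pypi is allowed to be skipped.
    if: >-
      ${{ !cancelled()
          && needs.test-wheels.result == 'success'
          && needs.generate-sbom.result == 'success'
          && contains(fromJSON('["success", "skipped"]'), needs.publish-pypi.result)
          && github.event.inputs.publish_to_github != 'false' }}
    permissions:
      contents: write  # required to create the release and upload its assets
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download all artifacts
        uses: actions/download-artifact@v4

      - name: Generate release notes
        # Values come from the environment ($MEDIAPIPE_VERSION, GITHUB_*) rather
        # than `${{ }}` interpolation, so the unquoted heredoc expands variables
        # but never sees operator input as shell syntax.
        run: |
          cat > release_notes.md << EOF
          # MediaPipe GPU Wheels ${MEDIAPIPE_VERSION}
          This release provides MediaPipe Python wheels with GPU support via OpenGL ES and headless EGL.
          ## What's New
          - MediaPipe version: ${MEDIAPIPE_VERSION}
          - GPU acceleration via Mesa drivers
          - Support for all major GPUs (AMD, Intel, NVIDIA, etc.)
          - Compatible with Python 3.9 through 3.14
          ## Installation
          \`\`\`bash
          # Choose the wheel for your Python version
          pip install https://github.com/${GITHUB_REPOSITORY}/releases/download/v${MEDIAPIPE_VERSION}-gpu/mediapipe-${MEDIAPIPE_VERSION}-cp312-cp312-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl
          \`\`\`
          ## Runtime Dependencies
          **Debian/Ubuntu:**
          \`\`\`bash
          apt-get install -y libegl1-mesa libgles2-mesa
          \`\`\`
          **Fedora/RHEL:**
          \`\`\`bash
          dnf install -y mesa-libEGL mesa-libGLES
          \`\`\`
          ## Security & Verification
          - **Cryptographic Attestations**: All wheels include PyPI attestations for provenance verification
          - **SBOM**: Software Bill of Materials included for supply chain transparency
          - **Build Logs**: Complete build and test logs available for inspection
          - **Security Scan**: Automated vulnerability scanning performed
          ## Testing Notes
          - **CI Environment**: Tests run in GitHub Actions (CPU-only, no GPU hardware available)
          - **GPU Functionality**: Not tested in CI - requires hardware with GPU drivers
          - **Test Coverage**: Comprehensive testing of wheel integrity, imports, and CPU functionality
          - **Local Testing**: Run \`./scripts/test-wheel-extensive.sh\` locally with GPU hardware for full testing
          ## Files Included
          This release includes:
          - Python wheels for all supported versions (3.9-3.14)
          - Build logs for each wheel
          - Test results and performance benchmarks
          - Software Bill of Materials (SBOM)
          - Build provenance information
          ## Verification
          To verify the integrity of downloaded wheels:
          \`\`\`bash
          # Verify wheel hashes match the release
          sha256sum *.whl
          # For advanced verification, check PyPI attestations
          python -m pip install pypi-attestations
          pypi-attestations verify mediapipe==${MEDIAPIPE_VERSION}
          \`\`\`
          ---
          **Build Information:**
          - GitHub Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}
          - Commit: ${GITHUB_SHA}
          - Build Date: $(date -Iseconds)
          EOF

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: v${{ env.MEDIAPIPE_VERSION }}-gpu
          name: MediaPipe ${{ env.MEDIAPIPE_VERSION }} GPU Wheels
          body_path: release_notes.md
          # Artifact directories are named after the upload-artifact names above.
          files: |
            wheels-*/*.whl
            build-logs-*/build-*.log
            test-results-*/*.log
            sbom-provenance/sbom.json
            sbom-provenance/provenance.json
          draft: false
          prerelease: false
          generate_release_notes: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}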