.github/workflows/release-binaries.yml - llvm-project - Git at Google

 name: Release Binaries

 on:
   workflow_dispatch:
     inputs:
       release-version:
         description: 'Release Version'
         required: false
         type: string
       upload:
         description: 'Upload binaries to the release page'
         required: true
         default: false
         type: boolean
       runs-on:
         description: "Runner to use for the build"
         required: true
         type: choice
         # We use ubuntu-22.04 rather than the latest version to make the built
         # binaries more portable (eg functional aginast older glibc).
         options:
           - ubuntu-22.04
           - ubuntu-22.04-arm
           - macos-13
           - macos-14

   workflow_call:
     inputs:
       release-version:
         description: 'Release Version'
         required: false
         type: string
       upload:
         description: 'Upload binaries to the release page'
         required: true
         default: false
         type: boolean
       runs-on:
         description: "Runner to use for the build"
         required: true
         type: string
     secrets:
       RELEASE_TASKS_USER_TOKEN:
         description: "Secret used to check user permissions."
         required: false


 permissions:
   contents: read # Default everything to read-only

 jobs:
   prepare:
     name: Prepare to build binaries
     runs-on: ${{ inputs.runs-on }}
     if: github.repository_owner == 'llvm'
     outputs:
       release-version: ${{ steps.vars.outputs.release-version }}
       ref: ${{ steps.vars.outputs.ref }}
       upload: ${{ steps.vars.outputs.upload }}
       target-cmake-flags: ${{ steps.vars.outputs.target-cmake-flags }}
       ccache: ${{ steps.vars.outputs.ccache }}
       build-flang: ${{ steps.vars.outputs.build-flang }}
       release-binary-basename: ${{ steps.vars.outputs.release-binary-basename }}
       release-binary-filename: ${{ steps.vars.outputs.release-binary-filename }}
       build-runs-on: ${{ steps.vars.outputs.build-runs-on }}
       test-runs-on: ${{ steps.vars.outputs.build-runs-on }}

     steps:
     # It's good practice to use setup-python, but this is also required on macos-14
     # due to https://github.com/actions/runner-images/issues/10385
     - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
       with:
         python-version: '3.12'

     - name: Checkout LLVM
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

     - name: Install Dependencies
       shell: bash
       run: |
         pip install --require-hashes -r ./llvm/utils/git/requirements.txt

     - name: Check Permissions
       if: github.event_name != 'pull_request'
       env:
         GITHUB_TOKEN: ${{ github.token }}
         USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
       shell: bash
       run: |
         ./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions

     - name: Collect Variables
       id: vars
       shell: bash
       # In order for the test-release.sh script to run correctly, the LLVM
       # source needs to be at the following location relative to the build dir:
       # | X.Y.Z-rcN | ./rcN/llvm-project
       # | X.Y.Z     | ./final/llvm-project
       #
       # We also need to set divergent flags based on the release version:
       # | X.Y.Z-rcN | -rc N -test-asserts
       # | X.Y.Z     | -final
       run: |
         trimmed=$(echo ${{ inputs.release-version }} | xargs)
         if [ -n "$trimmed" ]; then
           release_version="$trimmed"
           ref="llvmorg-$release_version"
         else
           release_version="${{ (github.event_name == 'pull_request' && format('PR{0}', github.event.pull_request.number)) || 'CI'}}-$GITHUB_SHA"
           ref="$GITHUB_SHA"
         fi
         if [ -n "${{ inputs.upload }}" ]; then
           upload="${{ inputs.upload }}"
         else
           upload="false"
         fi
         echo "release-version=$release_version">> $GITHUB_OUTPUT
         echo "ref=$ref" >> $GITHUB_OUTPUT
         echo "upload=$upload" >> $GITHUB_OUTPUT

         release_binary_basename="LLVM-$release_version-$RUNNER_OS-$RUNNER_ARCH"
         echo "release-binary-basename=$release_binary_basename" >> $GITHUB_OUTPUT
         echo "release-binary-filename=$release_binary_basename.tar.xz" >> $GITHUB_OUTPUT

         target="$RUNNER_OS-$RUNNER_ARCH"
         # The hendrikmuhs/ccache-action action does not support installing sccache
         # on arm64 Linux.
         if [ "$target" = "Linux-ARM64" ]; then
           echo ccache=ccache >> $GITHUB_OUTPUT
         else
           echo ccache=sccache >> $GITHUB_OUTPUT
         fi

         # The macOS builds try to cross compile some libraries so we need to
         # add extra CMake args to disable them.
         # See https://github.com/llvm/llvm-project/issues/99767
         if [ "$RUNNER_OS" = "macOS" ]; then
           target_cmake_flags="$target_cmake_flags -DBOOTSTRAP_BOOTSTRAP_COMPILER_RT_ENABLE_IOS=OFF"
           if [ "$RUNNER_ARCH" = "ARM64" ]; then
             arches=arm64
           else
             arches=x86_64
             # Disable Flang builds on macOS x86_64.  The FortranLower library takes
             # 2-3 hours to build on macOS, much slower than on Linux.
             # The long build time causes the release build to time out on x86_64,
             # so we need to disable flang there.
             target_cmake_flags="$target_cmake_flags -DLLVM_RELEASE_ENABLE_PROJECTS='clang;lld;lldb;clang-tools-extra;polly;mlir'"
           fi
           target_cmake_flags="$target_cmake_flags -DBOOTSTRAP_BOOTSTRAP_DARWIN_osx_ARCHS=$arches -DBOOTSTRAP_BOOTSTRAP_DARWIN_osx_BUILTIN_ARCHS=$arches"
         fi

         build_flang="true"

         if [ "$RUNNER_OS" = "Windows" ]; then
           # The build times out on Windows, so we need to disable LTO.
           target_cmake_flags="$target_cmake_flags -DLLVM_RELEASE_ENABLE_LTO=OFF"
         fi

         echo "target-cmake-flags=$target_cmake_flags" >> $GITHUB_OUTPUT
         echo "build-flang=$build_flang" >> $GITHUB_OUTPUT
         case "${{ inputs.runs-on }}" in
           ubuntu-22.04*)
             build_runs_on="depot-${{ inputs.runs-on }}-16"
             test_runs_on=$build_runs_on
             ;;
           macos-13)
             if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
               build_runs_on="${{ inputs.runs-on }}"
             else
               build_runs_on="macos-13-large"
             fi
             test_runs_on="${{ inputs.runs-on }}"
             ;;
           macos-14)
             if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
               build_runs_on="${{ inputs.runs-on }}"
             else
               build_runs_on="depot-macos-14"
             fi
             test_runs_on="${{ inputs.runs-on }}"
             ;;
           *)
             test_runs_on="${{ inputs.runs-on }}"
             build_runs_on=$test_runs_on
             ;;
         esac
         echo "build-runs-on=$build_runs_on" >> $GITHUB_OUTPUT
         echo "test-runs-on=$test_runs_on" >> $GITHUB_OUTPUT

   build-release-package:
     name: "Build Release Package"
     needs: prepare
     if: github.repository_owner == 'llvm'
     runs-on: ${{ needs.prepare.outputs.build-runs-on }}
     steps:

     - name: Checkout Actions
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
         sparse-checkout: |
           .github/workflows/
         sparse-checkout-cone-mode: false
         # Check out outside of working directory so the source checkout doesn't
         # remove it.
         path: workflows

     # actions/checkout does not support paths outside of the GITHUB_WORKSPACE.
     # Also, anything that we put inside of GITHUB_WORKSPACE will be overwritten
     # by future actions/checkout steps.  Therefore, in order to checkout the
     # latest actions from main, we need to first checkout out the actions inside of
     # GITHUB_WORKSPACE (see previous step), then use actions/checkout to checkout
     # the code being built and the move the actions from main back into GITHUB_WORKSPACE,
     # becasue the uses on composite actions only reads workflows from inside GITHUB_WORKSPACE.
     - shell: bash
       run: mv workflows  ../workflows-main

     - name: Checkout LLVM
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: ${{ needs.prepare.outputs.ref }}

     - name: Copy main workflows
       shell: bash
       run: |
         mv ../workflows-main .

     - name: Setup Stage
       id: setup-stage
       uses: ./workflows-main/.github/workflows/release-binaries-setup-stage

     - name: Configure
       id: build
       shell: bash
       env:
         CCACHE_BIN: ${{ needs.prepare.outputs.ccache }}
       run: |
         # There were some issues on the ARM64 MacOS runners with trying to build x86 object,
         # so we need to set some extra cmake flags to disable this.
         cmake -G Ninja -S llvm -B ${{ steps.setup-stage.outputs.build-prefix }}/build \
             ${{ needs.prepare.outputs.target-cmake-flags }} \
             -C clang/cmake/caches/Release.cmake \
             -DBOOTSTRAP_LLVM_PARALLEL_LINK_JOBS=1 \
             -DBOOTSTRAP_BOOTSTRAP_CPACK_PACKAGE_FILE_NAME="${{ needs.prepare.outputs.release-binary-basename }}"

     - name: Build
       shell: bash
       run: |
         ninja -v -C ${{ steps.setup-stage.outputs.build-prefix }}/build stage2-package
         release_dir=`find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname 'stage2-bins'`
         mv $release_dir/${{ needs.prepare.outputs.release-binary-filename }} .

     - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 #v4.3.0
       with:
         name: ${{ runner.os }}-${{ runner.arch }}-release-binary
         # Due to path differences on Windows when running in bash vs running on node,
         # we need to search for files in the current workspace.
         path: |
           ${{ needs.prepare.outputs.release-binary-filename }}

     # Clean up some build files to reduce size of artifact.
     - name: Clean Up Build Directory
       shell: bash
       run: |
         find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname ${{ needs.prepare.outputs.release-binary-filename }} -delete
         find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname _CPack_Packages -prune -exec rm -r {} +

     - name: Save Stage
       uses: ./workflows-main/.github/workflows/release-binaries-save-stage
       with:
         build-prefix: ${{ steps.setup-stage.outputs.build-prefix }}

   upload-release-binaries:
     name: "Upload Release Binaries"
     needs:
       - prepare
       - build-release-package
     if: >-
       github.event_name != 'pull_request' &&
       needs.prepare.outputs.upload == 'true'
     runs-on: ubuntu-24.04
     permissions:
       contents: write # For release uploads
       id-token: write     # For artifact attestations
       attestations: write # For artifact attestations

     steps:
     - name: Checkout Release Scripts
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         sparse-checkout: |
           llvm/utils/release/github-upload-release.py
           llvm/utils/git/requirements.txt
         sparse-checkout-cone-mode: false

     - name: 'Download artifact'
       uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
       with:
         pattern: '*-release-binary'
         merge-multiple: true

     - name: Attest Build Provenance
       id: provenance
       uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
       with:
         subject-path: ${{ needs.prepare.outputs.release-binary-filename }}

     - name: Rename attestation file
       run:
         mv ${{ steps.provenance.outputs.bundle-path }} ${{ needs.prepare.outputs.release-binary-filename }}.jsonl

     - name: Upload Build Provenance
       uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3
       with:
         name: ${{ needs.prepare.outputs.release-binary-filename }}-attestation
         path: ${{ needs.prepare.outputs.release-binary-filename }}.jsonl

     - name: Install Python Requirements
       run: |
         pip install --require-hashes -r ./llvm/utils/git/requirements.txt

     - name: Upload Release
       shell: bash
       run: |
         ./llvm/utils/release/github-upload-release.py \
         --token ${{ github.token }} \
         --release ${{ needs.prepare.outputs.release-version }} \
         upload \
         --files ${{ needs.prepare.outputs.release-binary-filename }}*

   test-release:
     name: "Test Release"
     needs:
       - prepare
       - build-release-package
     if: >-
       github.repository_owner == 'llvm'
     runs-on: ${{ needs.prepare.outputs.test-runs-on }}
     steps:
     - name: Checkout Actions
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
         sparse-checkout: |
           .github/workflows/
         sparse-checkout-cone-mode: false
         path: workflows
     - name: Setup Stage
       id: setup-stage
       uses: ./workflows/.github/workflows/release-binaries-setup-stage
       with:
         previous-artifact: build-release-package

     - name: Run Tests
       shell: bash
       run: |
         ninja -C ${{ steps.setup-stage.outputs.build-prefix }}/build stage2-check-all
	name: Release Binaries

	on:
	workflow_dispatch:
	inputs:
	release-version:
	description: 'Release Version'
	required: false
	type: string
	upload:
	description: 'Upload binaries to the release page'
	required: true
	default: false
	type: boolean
	runs-on:
	description: "Runner to use for the build"
	required: true
	type: choice
	# We use ubuntu-22.04 rather than the latest version to make the built
	# binaries more portable (eg functional aginast older glibc).
	options:
	- ubuntu-22.04
	- ubuntu-22.04-arm
	- macos-13
	- macos-14

	workflow_call:
	inputs:
	release-version:
	description: 'Release Version'
	required: false
	type: string
	upload:
	description: 'Upload binaries to the release page'
	required: true
	default: false
	type: boolean
	runs-on:
	description: "Runner to use for the build"
	required: true
	type: string
	secrets:
	RELEASE_TASKS_USER_TOKEN:
	description: "Secret used to check user permissions."
	required: false


	permissions:
	contents: read # Default everything to read-only

	jobs:
	prepare:
	name: Prepare to build binaries
	runs-on: ${{ inputs.runs-on }}
	if: github.repository_owner == 'llvm'
	outputs:
	release-version: ${{ steps.vars.outputs.release-version }}
	ref: ${{ steps.vars.outputs.ref }}
	upload: ${{ steps.vars.outputs.upload }}
	target-cmake-flags: ${{ steps.vars.outputs.target-cmake-flags }}
	ccache: ${{ steps.vars.outputs.ccache }}
	build-flang: ${{ steps.vars.outputs.build-flang }}
	release-binary-basename: ${{ steps.vars.outputs.release-binary-basename }}
	release-binary-filename: ${{ steps.vars.outputs.release-binary-filename }}
	build-runs-on: ${{ steps.vars.outputs.build-runs-on }}
	test-runs-on: ${{ steps.vars.outputs.build-runs-on }}

	steps:
	# It's good practice to use setup-python, but this is also required on macos-14
	# due to https://github.com/actions/runner-images/issues/10385
	- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f
	with:
	python-version: '3.12'

	- name: Checkout LLVM
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

	- name: Install Dependencies
	shell: bash
	run: \|
	pip install --require-hashes -r ./llvm/utils/git/requirements.txt

	- name: Check Permissions
	if: github.event_name != 'pull_request'
	env:
	GITHUB_TOKEN: ${{ github.token }}
	USER_TOKEN: ${{ secrets.RELEASE_TASKS_USER_TOKEN }}
	shell: bash
	run: \|
	./llvm/utils/release/./github-upload-release.py --token "$GITHUB_TOKEN" --user "$GITHUB_ACTOR" --user-token "$USER_TOKEN" check-permissions

	- name: Collect Variables
	id: vars
	shell: bash
	# In order for the test-release.sh script to run correctly, the LLVM
	# source needs to be at the following location relative to the build dir:
	# \| X.Y.Z-rcN \| ./rcN/llvm-project
	# \| X.Y.Z \| ./final/llvm-project
	#
	# We also need to set divergent flags based on the release version:
	# \| X.Y.Z-rcN \| -rc N -test-asserts
	# \| X.Y.Z \| -final
	run: \|
	trimmed=$(echo ${{ inputs.release-version }} \| xargs)
	if [ -n "$trimmed" ]; then
	release_version="$trimmed"
	ref="llvmorg-$release_version"
	else
	release_version="${{ (github.event_name == 'pull_request' && format('PR{0}', github.event.pull_request.number)) \|\| 'CI'}}-$GITHUB_SHA"
	ref="$GITHUB_SHA"
	fi
	if [ -n "${{ inputs.upload }}" ]; then
	upload="${{ inputs.upload }}"
	else
	upload="false"
	fi
	echo "release-version=$release_version">> $GITHUB_OUTPUT
	echo "ref=$ref" >> $GITHUB_OUTPUT
	echo "upload=$upload" >> $GITHUB_OUTPUT

	release_binary_basename="LLVM-$release_version-$RUNNER_OS-$RUNNER_ARCH"
	echo "release-binary-basename=$release_binary_basename" >> $GITHUB_OUTPUT
	echo "release-binary-filename=$release_binary_basename.tar.xz" >> $GITHUB_OUTPUT

	target="$RUNNER_OS-$RUNNER_ARCH"
	# The hendrikmuhs/ccache-action action does not support installing sccache
	# on arm64 Linux.
	if [ "$target" = "Linux-ARM64" ]; then
	echo ccache=ccache >> $GITHUB_OUTPUT
	else
	echo ccache=sccache >> $GITHUB_OUTPUT
	fi

	# The macOS builds try to cross compile some libraries so we need to
	# add extra CMake args to disable them.
	# See https://github.com/llvm/llvm-project/issues/99767
	if [ "$RUNNER_OS" = "macOS" ]; then
	target_cmake_flags="$target_cmake_flags -DBOOTSTRAP_BOOTSTRAP_COMPILER_RT_ENABLE_IOS=OFF"
	if [ "$RUNNER_ARCH" = "ARM64" ]; then
	arches=arm64
	else
	arches=x86_64
	# Disable Flang builds on macOS x86_64. The FortranLower library takes
	# 2-3 hours to build on macOS, much slower than on Linux.
	# The long build time causes the release build to time out on x86_64,
	# so we need to disable flang there.
	target_cmake_flags="$target_cmake_flags -DLLVM_RELEASE_ENABLE_PROJECTS='clang;lld;lldb;clang-tools-extra;polly;mlir'"
	fi
	target_cmake_flags="$target_cmake_flags -DBOOTSTRAP_BOOTSTRAP_DARWIN_osx_ARCHS=$arches -DBOOTSTRAP_BOOTSTRAP_DARWIN_osx_BUILTIN_ARCHS=$arches"
	fi

	build_flang="true"

	if [ "$RUNNER_OS" = "Windows" ]; then
	# The build times out on Windows, so we need to disable LTO.
	target_cmake_flags="$target_cmake_flags -DLLVM_RELEASE_ENABLE_LTO=OFF"
	fi

	echo "target-cmake-flags=$target_cmake_flags" >> $GITHUB_OUTPUT
	echo "build-flang=$build_flang" >> $GITHUB_OUTPUT
	case "${{ inputs.runs-on }}" in
	ubuntu-22.04*)
	build_runs_on="depot-${{ inputs.runs-on }}-16"
	test_runs_on=$build_runs_on
	;;
	macos-13)
	if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
	build_runs_on="${{ inputs.runs-on }}"
	else
	build_runs_on="macos-13-large"
	fi
	test_runs_on="${{ inputs.runs-on }}"
	;;
	macos-14)
	if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
	build_runs_on="${{ inputs.runs-on }}"
	else
	build_runs_on="depot-macos-14"
	fi
	test_runs_on="${{ inputs.runs-on }}"
	;;
	*)
	test_runs_on="${{ inputs.runs-on }}"
	build_runs_on=$test_runs_on
	;;
	esac
	echo "build-runs-on=$build_runs_on" >> $GITHUB_OUTPUT
	echo "test-runs-on=$test_runs_on" >> $GITHUB_OUTPUT

	build-release-package:
	name: "Build Release Package"
	needs: prepare
	if: github.repository_owner == 'llvm'
	runs-on: ${{ needs.prepare.outputs.build-runs-on }}
	steps:

	- name: Checkout Actions
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	ref: ${{ (github.event_name == 'pull_request' && github.sha) \|\| 'main' }}
	sparse-checkout: \|
	.github/workflows/
	sparse-checkout-cone-mode: false
	# Check out outside of working directory so the source checkout doesn't
	# remove it.
	path: workflows

	# actions/checkout does not support paths outside of the GITHUB_WORKSPACE.
	# Also, anything that we put inside of GITHUB_WORKSPACE will be overwritten
	# by future actions/checkout steps. Therefore, in order to checkout the
	# latest actions from main, we need to first checkout out the actions inside of
	# GITHUB_WORKSPACE (see previous step), then use actions/checkout to checkout
	# the code being built and the move the actions from main back into GITHUB_WORKSPACE,
	# becasue the uses on composite actions only reads workflows from inside GITHUB_WORKSPACE.
	- shell: bash
	run: mv workflows ../workflows-main

	- name: Checkout LLVM
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	ref: ${{ needs.prepare.outputs.ref }}

	- name: Copy main workflows
	shell: bash
	run: \|
	mv ../workflows-main .

	- name: Setup Stage
	id: setup-stage
	uses: ./workflows-main/.github/workflows/release-binaries-setup-stage

	- name: Configure
	id: build
	shell: bash
	env:
	CCACHE_BIN: ${{ needs.prepare.outputs.ccache }}
	run: \|
	# There were some issues on the ARM64 MacOS runners with trying to build x86 object,
	# so we need to set some extra cmake flags to disable this.
	cmake -G Ninja -S llvm -B ${{ steps.setup-stage.outputs.build-prefix }}/build \
	${{ needs.prepare.outputs.target-cmake-flags }} \
	-C clang/cmake/caches/Release.cmake \
	-DBOOTSTRAP_LLVM_PARALLEL_LINK_JOBS=1 \
	-DBOOTSTRAP_BOOTSTRAP_CPACK_PACKAGE_FILE_NAME="${{ needs.prepare.outputs.release-binary-basename }}"

	- name: Build
	shell: bash
	run: \|
	ninja -v -C ${{ steps.setup-stage.outputs.build-prefix }}/build stage2-package
	release_dir=`find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname 'stage2-bins'`
	mv $release_dir/${{ needs.prepare.outputs.release-binary-filename }} .

	- uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 #v4.3.0
	with:
	name: ${{ runner.os }}-${{ runner.arch }}-release-binary
	# Due to path differences on Windows when running in bash vs running on node,
	# we need to search for files in the current workspace.
	path: \|
	${{ needs.prepare.outputs.release-binary-filename }}

	# Clean up some build files to reduce size of artifact.
	- name: Clean Up Build Directory
	shell: bash
	run: \|
	find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname ${{ needs.prepare.outputs.release-binary-filename }} -delete
	find ${{ steps.setup-stage.outputs.build-prefix }}/build -iname _CPack_Packages -prune -exec rm -r {} +

	- name: Save Stage
	uses: ./workflows-main/.github/workflows/release-binaries-save-stage
	with:
	build-prefix: ${{ steps.setup-stage.outputs.build-prefix }}

	upload-release-binaries:
	name: "Upload Release Binaries"
	needs:
	- prepare
	- build-release-package
	if: >-
	github.event_name != 'pull_request' &&
	needs.prepare.outputs.upload == 'true'
	runs-on: ubuntu-24.04
	permissions:
	contents: write # For release uploads
	id-token: write # For artifact attestations
	attestations: write # For artifact attestations

	steps:
	- name: Checkout Release Scripts
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	sparse-checkout: \|
	llvm/utils/release/github-upload-release.py
	llvm/utils/git/requirements.txt
	sparse-checkout-cone-mode: false

	- name: 'Download artifact'
	uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
	with:
	pattern: '*-release-binary'
	merge-multiple: true

	- name: Attest Build Provenance
	id: provenance
	uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
	with:
	subject-path: ${{ needs.prepare.outputs.release-binary-filename }}

	- name: Rename attestation file
	run:
	mv ${{ steps.provenance.outputs.bundle-path }} ${{ needs.prepare.outputs.release-binary-filename }}.jsonl

	- name: Upload Build Provenance
	uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 #v4.3.3
	with:
	name: ${{ needs.prepare.outputs.release-binary-filename }}-attestation
	path: ${{ needs.prepare.outputs.release-binary-filename }}.jsonl

	- name: Install Python Requirements
	run: \|
	pip install --require-hashes -r ./llvm/utils/git/requirements.txt

	- name: Upload Release
	shell: bash
	run: \|
	./llvm/utils/release/github-upload-release.py \
	--token ${{ github.token }} \
	--release ${{ needs.prepare.outputs.release-version }} \
	upload \
	--files ${{ needs.prepare.outputs.release-binary-filename }}*

	test-release:
	name: "Test Release"
	needs:
	- prepare
	- build-release-package
	if: >-
	github.repository_owner == 'llvm'
	runs-on: ${{ needs.prepare.outputs.test-runs-on }}
	steps:
	- name: Checkout Actions
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	ref: ${{ (github.event_name == 'pull_request' && github.sha) \|\| 'main' }}
	sparse-checkout: \|
	.github/workflows/
	sparse-checkout-cone-mode: false
	path: workflows
	- name: Setup Stage
	id: setup-stage
	uses: ./workflows/.github/workflows/release-binaries-setup-stage
	with:
	previous-artifact: build-release-package

	- name: Run Tests
	shell: bash
	run: \|
	ninja -C ${{ steps.setup-stage.outputs.build-prefix }}/build stage2-check-all