
ONNX CI Pipelines

docs/CIPipelines.md

1.22.0, 4.6 KB
<!-- Copyright (c) ONNX Project Contributors SPDX-License-Identifier: Apache-2.0 -->


Core CI

| Workflow | When it runs | What it does |
|---|---|---|
| CI | Every PR, merge_group, push to main, daily (midnight UTC) | C++ and Python tests across Linux, Windows, macOS; Python 3.10–3.14 (including free-threading variants); doc generation; proto generation; node test generation; daily run reports code coverage to Codecov |
| Windows_No_Exception_CI | Push and PR to main and rel-* | C++ tests compiled without exceptions; selective schema loading |
| Lint / Enforce style | Every PR | Required — runs lintrunner (ruff, mypy, clang-format, etc.) and verifies auto-generated files are up to date |
| Require label | Every PR | Requires at least one topic: or module: label (skipped for Dependabot PRs) |
| DCO | merge_group | Placeholder DCO job required to enable the GitHub merge queue |

Release Builds (1)

| Workflow | When it runs | What it does |
|---|---|---|
| Create Releases | Push to main/rel-*, PRs targeting rel-* or labeled "run release CIs", weekly (Monday 00:00 UTC), workflow_dispatch | Orchestrator — calls WindowsRelease, LinuxRelease, MacRelease, PyodideRelease, and sdistRelease as reusable workflows |
| WindowsRelease | Called by Create Releases | Builds Windows wheels for x64, x86, and arm64; verifies with minimum supported packages (2)(3) |
| LinuxRelease | Called by Create Releases | Builds Linux wheels for x86_64 (manylinux_2_28) and aarch64; verifies with minimum supported packages (3) |
| MacRelease | Called by Create Releases | Builds macOS wheels (macos-14, MACOSX_DEPLOYMENT_TARGET=12.0); verifies with minimum supported packages (3) |
| PyodideRelease | Called by Create Releases and on every push | Builds a Pyodide (WebAssembly) wheel on Ubuntu using cibuildwheel with a pre-downloaded host protoc and protobuf source; runs a basic import test (3) |
| sdistRelease | Called by Create Releases | Builds and tests source distribution |

Security and Supply Chain

| Workflow | When it runs | What it does |
|---|---|---|
| CodeQL | Every PR, push to main/rel-*, weekly (Friday) | Static analysis of C++ and Python for security vulnerabilities |
| Scorecard | Push to main, weekly (Saturday) | OpenSSF supply-chain security scorecard; publishes results to code-scanning dashboard |
| Dependency Review | Every PR | Flags vulnerable or license-incompatible dependencies introduced by a PR |

Documentation and Maintenance

| Workflow | When it runs | What it does |
|---|---|---|
| Pages | PRs to main, push to main | Builds and publishes ONNX documentation to GitHub Pages |
| Pixi CI | Weekly (Sunday 23:59 UTC) and on PRs | Builds, lints, and tests with the pixi environment manager on Linux, macOS, and Windows; opens an issue on failure when scheduled |
| Check URLs | Push to main/rel-*, monthly | Checks for broken URLs in the codebase |
| Stale | Daily | Warns and eventually closes stale issues and PRs |
| Dependabot | Monthly | Creates PRs for updated dependency versions |

  • (1) Release CIs run when:

    • A PR is merged into main or a rel-* branch
    • Weekly (Monday 00:00 UTC) — publishes a Python wheel to the onnx-weekly package on PyPI
    • Any PR targeting a rel-* branch
    • Any PR labeled "run release CIs" (maintainers only)
    • Manually via workflow_dispatch
  • (2) Minimum supported dependency versions are listed in [project.dependencies] in pyproject.toml.

  • (3) The PEP 770 SBOM (dist-info/sboms/sbom.cdx.json) is embedded in any wheel build where SKBUILD_METADATA_DIR is set (including local pip wheel builds). Only the cibuildwheel release pipeline patches the SBOM to reflect the actual protobuf tarball version, URL, and SHA-256 used for that specific build; other wheel builds embed the template values from sbom.cdx.json.
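
To illustrate note (3), here is a consumer-side check that reads the PEP 770 SBOM out of a wheel and compares the pinned protobuf SHA-256 against a tarball. It is an added example, not part of the ONNX repository. It assumes the SBOM lists protobuf as a CycloneDX component named `protobuf`, with its hash under `hashes` or `externalReferences[].hashes`; the wheel, version, and URL in it are constructed sample data.

```python
import hashlib, io, json, zipfile

def load_wheel_sboms(wheel):
    """Return {archive path: parsed JSON} for every PEP 770 SBOM in a wheel."""
    with zipfile.ZipFile(wheel) as zf:
        return {
            n: json.loads(zf.read(n))
            for n in zf.namelist()
            if ".dist-info/sboms/" in n and n.endswith(".json")
        }

def component_pins(sbom, name):
    """Return (version, sha256 set, url list) for a CycloneDX component by name."""
    for comp in sbom.get("components", []):
        if comp.get("name") != name:
            continue
        refs = comp.get("externalReferences", [])
        hashes = comp.get("hashes", []) + [h for r in refs for h in r.get("hashes", [])]
        sha256 = {h["content"].lower() for h in hashes if h.get("alg") == "SHA-256"}
        return comp.get("version"), sha256, [r["url"] for r in refs if "url" in r]
    return None

def tarball_matches(sbom, name, tarball_bytes):
    """True only if the SBOM pins a SHA-256 for `name` and the tarball has it."""
    pins = component_pins(sbom, name)
    if pins is None or not pins[1]:
        return False  # no pin recorded: treat as unverified, not as a pass
    return hashlib.sha256(tarball_bytes).hexdigest() in pins[1]

def build_sample_wheel():
    """Constructed in-memory wheel with a constructed SBOM (not ONNX's real data)."""
    tarball = b"constructed stand-in for a protobuf source tarball"
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [{
        "type": "library", "name": "protobuf", "version": "0.0.0-sample",
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(tarball).hexdigest()}],
        "externalReferences": [{"type": "distribution",
                                "url": "https://example.invalid/protobuf-sample.tar.gz"}],
    }]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-0.0.0.dist-info/sboms/sbom.cdx.json", json.dumps(sbom))
    buf.seek(0)
    return buf, tarball

if __name__ == "__main__":
    wheel, tarball = build_sample_wheel()
    for path, sbom in load_wheel_sboms(wheel).items():
        print(path, component_pins(sbom, "protobuf"), tarball_matches(sbom, "protobuf", tarball))
```

Because only the cibuildwheel release pipeline patches the SBOM, a mismatch on a locally built wheel may simply mean the embedded values are still the template ones.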