docs/CIPipelines.md
| Workflow | When it runs | What it does |
|---|---|---|
| CI | Every PR, merge_group, push to main, daily (midnight UTC) | C++ and Python tests across Linux, Windows, macOS; Python 3.10–3.14 (including free-threading variants); doc generation; proto generation; node test generation; daily run reports code coverage to Codecov |
| Windows_No_Exception_CI | Push and PR to main and rel-* | C++ tests compiled without exceptions; selective schema loading |
| Lint / Enforce style | Every PR | Required check. Runs lintrunner (ruff, mypy, clang-format, etc.) and verifies that auto-generated files are up to date |
| Require label | Every PR | Requires at least one label with the `topic:` or `module:` prefix (skipped for Dependabot PRs) |
| DCO | merge_group | Placeholder DCO job, required so that the GitHub merge queue can be enabled; it performs no sign-off check of its own |

| Workflow | When it runs | What it does |
|---|---|---|
| Create Releases | Push to main/rel-*, PRs targeting rel-* or labeled "run release CIs", weekly (Monday 00:00 UTC), workflow_dispatch | Orchestrator: calls WindowsRelease, LinuxRelease, MacRelease, PyodideRelease and sdistRelease as reusable workflows |
| WindowsRelease | Called by Create Releases | Builds Windows wheels for x64, x86, and arm64; verifies with minimum supported packages (2)(3) |
| LinuxRelease | Called by Create Releases | Builds Linux wheels for x86_64 (manylinux_2_28) and aarch64; verifies with minimum supported packages (3) |
| MacRelease | Called by Create Releases | Builds macOS wheels (macos-14, MACOSX_DEPLOYMENT_TARGET=12.0); verifies with minimum supported packages (3) |
| PyodideRelease | Called by Create Releases and on every push | Builds a Pyodide (WebAssembly) wheel on Ubuntu using cibuildwheel with a pre-downloaded host protoc and protobuf source; runs a basic import test (3) |
| sdistRelease | Called by Create Releases | Builds and tests source distribution |

| Workflow | When it runs | What it does |
|---|---|---|
| CodeQL | Every PR, push to main/rel-*, weekly (Friday) | Static analysis of C++ and Python for security vulnerabilities |
| Scorecard | Push to main, weekly (Saturday) | OpenSSF Scorecard supply-chain checks; publishes the results to the code-scanning dashboard |
| Dependency Review | Every PR | Flags dependencies introduced or upgraded by a PR that have known vulnerabilities or an incompatible license |

| Workflow | When it runs | What it does |
|---|---|---|
| Pages | PRs to main, push to main | Builds and publishes ONNX documentation to GitHub Pages |
| Pixi CI | Weekly (Sunday 23:59 UTC) and on PRs | Builds, lints, and tests with the pixi environment manager on Linux, macOS, and Windows; a failing scheduled run opens a tracking issue |
| Check URLs | Push to main/rel-*, monthly | Checks for broken URLs in the codebase |
| Stale | Daily | Warns and eventually closes stale issues and PRs |
| Dependabot | Monthly | Creates PRs for updated dependency versions |

(1) Release CIs run when:
(2) Minimum supported dependency versions are taken from the version bounds declared in `[project.dependencies]` in `pyproject.toml`; the verification step installs those lowest versions rather than the newest ones.
(3) The PEP 770 SBOM (`<name>.dist-info/sboms/sbom.cdx.json`, CycloneDX JSON) is embedded in every wheel build that sets `SKBUILD_METADATA_DIR`, including local `pip wheel` builds. Only the cibuildwheel release pipeline patches the SBOM so that its protobuf entry records the version, download URL and SHA-256 of the protobuf tarball actually used for that specific build; every other wheel build embeds the template values from `sbom.cdx.json` unchanged. Treat the protobuf entry in a non-release wheel's SBOM as a placeholder, not as provenance for the protobuf that was compiled in.
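The "minimum supported packages" verification in note (2) needs the declared lower bounds turned into exact pins. The following is an added example, not ONNX's own CI code: it takes the strings from `[project.dependencies]` and emits a constraints file pinning each package at its floor, flagging packages that declare no floor. The pyproject excerpt is constructed for the example, and the parser is a deliberately small subset of PEP 508 (name, optional extras, comma-separated specifiers, optional `;` marker), not the `packaging` library's parser.

```python
"""Added example (not ONNX's CI code): derive exact pins at the declared lower
bound of each dependency, the set a "minimum supported packages" job installs.

Assumptions: requirement strings follow PEP 508; PYPROJECT_TEXT is a constructed
excerpt, not onnx's real pyproject.toml; the regex below handles only the
subset of PEP 508 this example needs."""
import re
from typing import List, Optional, Tuple

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: fall back to the pre-parsed list
    tomllib = None
HAVE_TOMLLIB = tomllib is not None

# Constructed pyproject excerpt (not onnx's real one).
PYPROJECT_TEXT = """
[project]
name = "example"
dependencies = [
    "numpy>=1.22",
    "protobuf>=4.25.1,<7",
    "typing_extensions>=4.7.1; python_version < '3.11'",
    "ml_dtypes",
]
"""

# The same list as tomllib would return for the excerpt above.
DEPENDENCIES = [
    "numpy>=1.22",
    "protobuf>=4.25.1,<7",
    "typing_extensions>=4.7.1; python_version < '3.11'",
    "ml_dtypes",
]

# name, optional [extras], specifier set, optional "; marker" (simplified PEP 508)
_DEP_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"\s*(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<spec>[^;]*?)"
    r"\s*(?:;\s*(?P<marker>.*\S))?\s*$"
)

# Operators whose operand is an inclusive floor we can install exactly.
_FLOOR_OPS = ("===", "==", "~=", ">=")


def lower_bound(spec: str) -> Optional[str]:
    """Return the inclusive floor of a specifier set, or None when it has none
    (no specifier at all, or only exclusive '>' / upper-bound / '!=' clauses)."""
    for clause in (c.strip() for c in spec.split(",")):
        for op in _FLOOR_OPS:
            if clause.startswith(op):
                return clause[len(op):].strip()
    return None


def minimum_pins(deps: List[str]) -> Tuple[List[str], List[str]]:
    """Split requirements into exact pins at their floor and the names that
    declare no floor; the latter are not covered by a minimum-version test."""
    pins, unbounded = [], []
    for dep in deps:
        m = _DEP_RE.match(dep)
        if not m:
            raise ValueError(f"unparseable requirement: {dep!r}")
        floor = lower_bound(m["spec"])
        if floor is None:
            unbounded.append(m["name"])
            continue
        pin = f"{m['name']}{m['extras'] or ''}=={floor}"
        if m["marker"]:
            pin += f"; {m['marker']}"  # keep the environment marker on the pin
        pins.append(pin)
    return pins, unbounded


def load_dependencies(pyproject_text: str) -> List[str]:
    """Read [project.dependencies] from pyproject text (needs tomllib)."""
    if tomllib is None:
        raise RuntimeError("tomllib is only available on Python 3.11+")
    return tomllib.loads(pyproject_text)["project"]["dependencies"]


def constraints_file(deps: List[str]) -> str:
    """Text suitable for `pip install -c minimum.txt .`."""
    pins, _ = minimum_pins(deps)
    return "".join(f"{p}\n" for p in pins)


if __name__ == "__main__":
    deps = load_dependencies(PYPROJECT_TEXT) if HAVE_TOMLLIB else DEPENDENCIES
    print(constraints_file(deps), end="")
    _, unbounded = minimum_pins(deps)
    if unbounded:
        print("no declared floor (not covered by the minimum-version run):", ", ".join(unbounded))
```

Install the package with `pip install -c minimum.txt .` so the pinned floors override pip's preference for the newest release; a package that shows up in the "no declared floor" list is silently tested at whatever version resolves, which usually means the floor should be added to `pyproject.toml`.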
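Note (3) distinguishes a release wheel, whose SBOM was patched with the real protobuf tarball, from any other wheel, whose SBOM still carries template values. The following is an added example, not ONNX's release tooling: it shows the patch step (record version, URL and SHA-256 of the tarball bytes) and the consumer-side check (read the PEP 770 SBOM out of a wheel and detect an unpatched placeholder). It assumes the SBOM is CycloneDX JSON with a component named `protobuf` carrying a version, a component-level SHA-256 hash and a `distribution` external reference; the template, the tarball bytes and the wheel are all constructed here and do not reproduce ONNX's actual `sbom.cdx.json`.

```python
"""Added example (not ONNX's release code): patch a CycloneDX SBOM's protobuf
entry with the tarball actually used, then verify a wheel's embedded SBOM.

Assumptions: CycloneDX JSON layout as in TEMPLATE_SBOM below (constructed);
the wheel is a minimal constructed zip with the SBOM at the PEP 770 path."""
import hashlib
import io
import json
import zipfile

PROTOBUF = "protobuf"
SBOM_SUFFIX = ".dist-info/sboms/sbom.cdx.json"  # PEP 770 location inside a wheel

# Constructed stand-in for the repository's template sbom.cdx.json.
TEMPLATE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{
        "type": "library",
        "name": PROTOBUF,
        "version": "0.0.0",
        "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
        "externalReferences": [{"type": "distribution",
                                "url": "https://example.invalid/protobuf-TEMPLATE.tar.gz"}],
    }],
}


def _protobuf_fields(sbom: dict) -> dict:
    """Pull version, distribution URL and SHA-256 for the protobuf component."""
    for comp in sbom.get("components", []):
        if comp.get("name") == PROTOBUF:
            sha = next((h["content"] for h in comp.get("hashes", [])
                        if h.get("alg") == "SHA-256"), None)
            url = next((r["url"] for r in comp.get("externalReferences", [])
                        if r.get("type") == "distribution"), None)
            return {"version": comp.get("version"), "url": url, "sha256": sha}
    raise ValueError("SBOM has no protobuf component")


def patch_sbom(sbom: dict, version: str, url: str, tarball: bytes) -> dict:
    """Return a copy of sbom whose protobuf component records the tarball that
    was really downloaded: its version, its URL and the SHA-256 of the bytes."""
    patched = json.loads(json.dumps(sbom))  # deep copy; never mutate the template
    for comp in patched["components"]:
        if comp.get("name") == PROTOBUF:
            comp["version"] = version
            comp["hashes"] = [{"alg": "SHA-256",
                               "content": hashlib.sha256(tarball).hexdigest()}]
            comp["externalReferences"] = [{"type": "distribution", "url": url}]
            return patched
    raise ValueError("SBOM has no protobuf component")


def build_wheel(sbom: dict, dist_info: str = "onnx-0.0.0.dist-info") -> bytes:
    """Constructed minimal wheel: a zip carrying the SBOM at the PEP 770 path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{dist_info}/METADATA", "Name: onnx\nVersion: 0.0.0\n")
        zf.writestr(f"{dist_info}/sboms/sbom.cdx.json", json.dumps(sbom, indent=2))
    return buf.getvalue()


def read_wheel_sbom(wheel: bytes) -> dict:
    """Locate and parse the single PEP 770 SBOM inside a wheel."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        members = [n for n in zf.namelist() if n.endswith(SBOM_SUFFIX)]
        if len(members) != 1:
            raise ValueError(f"expected exactly one SBOM, found {members}")
        return json.loads(zf.read(members[0]))


def protobuf_provenance(wheel: bytes) -> dict:
    """Version, URL and SHA-256 the wheel's SBOM claims for protobuf."""
    return _protobuf_fields(read_wheel_sbom(wheel))


def is_patched(wheel: bytes) -> bool:
    """True only if every protobuf field is present and differs from the template."""
    template, actual = _protobuf_fields(TEMPLATE_SBOM), protobuf_provenance(wheel)
    return all(actual[k] is not None and actual[k] != template[k] for k in actual)


def matches_tarball(wheel: bytes, tarball: bytes) -> bool:
    """Does the SBOM's recorded SHA-256 match the protobuf archive you hold?"""
    return protobuf_provenance(wheel)["sha256"] == hashlib.sha256(tarball).hexdigest()


if __name__ == "__main__":
    tarball = b"constructed stand-in for the protobuf source tarball"
    release = build_wheel(patch_sbom(TEMPLATE_SBOM, "1.2.3",
                                     "https://example.invalid/protobuf-1.2.3.tar.gz", tarball))
    local = build_wheel(TEMPLATE_SBOM)
    print("release wheel: patched =", is_patched(release),
          "hash matches tarball =", matches_tarball(release, tarball))
    print("local wheel:   patched =", is_patched(local))
```

In a release job the patch runs against the bytes of the tarball that was actually downloaded, before the wheel is assembled. On the consuming side, `is_patched` returning `False` means the SBOM describes the template, not this wheel's protobuf, and `matches_tarball` is the check to run against the archive you independently fetched and verified.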