Merge upstream #35

Workflow file for this run

	# GENERATED, DO NOT EDIT!
	# To change, edit `src/python/pants_release/generate_github_workflows.py` and run:
	# pants run src/python/pants_release/generate_github_workflows.py


	concurrency:
	cancel-in-progress: false
	group: ${{ github.workflow }}-${{ github.event.pull_request.number \|\| github.sha }}
	env:
	HONEYCOMB_API_KEY: --DISABLED--
	PANTS_CONFIG_FILES: +['pants.ci.toml']
	PANTS_DISABLE_GETS: '1'
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: 'False'
	RUST_BACKTRACE: all
	jobs:
	bootstrap_pants_linux_x86_64:
	env:
	PANTS_REMOTE_CACHE_READ: 'false'
	PANTS_REMOTE_CACHE_WRITE: 'false'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Bootstrap Pants, test and lint Rust (Linux-x86_64)
	needs:
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Install Protoc
	uses: arduino/setup-protoc@3ea1d70ac22caff0b66ed6cb37d5b7aadebd4623
	with:
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	version: 23.x
	- name: Set rustup profile
	run: rustup set profile default
	- name: Cache Rust toolchain
	uses: actions/cache@v5
	with:
	key: Linux-x86_64-rustup-${{ hashFiles('src/rust/rust-toolchain') }}-v2
	path: \|
	~/.rustup/toolchains/1.93.0-*
	~/.rustup/update-hashes
	~/.rustup/settings.toml
	- id: get-engine-hash
	name: Get native engine hash
	run: echo "hash=$(./build-support/bin/rust/print_engine_hash.sh)" >> $GITHUB_OUTPUT
	shell: bash
	- name: Cache native engine
	uses: actions/cache@v5
	with:
	key: Linux-x86_64-engine-${{ steps.get-engine-hash.outputs.hash }}-v1
	path: \|-
	src/python/pants/bin/native_client
	src/python/pants/bin/sandboxer
	src/python/pants/engine/internals/native_engine.so
	src/python/pants/engine/internals/native_engine.so.metadata
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Bootstrap Pants
	run: ./pants version > ${{ runner.temp }}/_pants_version.stdout && [[ -s ${{ runner.temp }}/_pants_version.stdout ]]
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run smoke tests
	run: \|
	./pants list ::
	./pants roots
	./pants help goals
	./pants help targets
	./pants help subsystems
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-bootstrap-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	- name: Upload native binaries
	uses: actions/upload-artifact@v6
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: \|-
	src/python/pants/bin/native_client
	src/python/pants/bin/sandboxer
	src/python/pants/engine/internals/native_engine.so
	src/python/pants/engine/internals/native_engine.so.metadata
	- env:
	TMPDIR: ${{ runner.temp }}
	if: needs.classify_changes.outputs.rust == 'true'
	name: Test and lint Rust
	run: \|-
	sudo apt-get install -y pkg-config fuse libfuse-dev
	./build-support/bin/check_rust_pre_commit.sh
	./cargo test --locked --all --tests --benches -- --nocapture
	timeout-minutes: 60
	build_wheels_linux_x86_64:
	container:
	image: quay.io/pypa/manylinux_2_28_x86_64:latest
	volumes:
	- /:/mnt/host-root
	env:
	ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
	MODE: debug
	PANTS_REMOTE_CACHE_READ: 'false'
	PANTS_REMOTE_CACHE_WRITE: 'false'
	if: ((github.repository_owner == 'pantsbuild') && (needs.classify_changes.outputs.release == 'true' \|\| needs.classify_changes.outputs.ci_config == 'true')) && (needs.classify_changes.outputs.no_code != 'true')
	name: Build wheels (Linux-x86_64)
	needs:
	- classify_changes
	permissions:
	attestations: write
	contents: write
	id-token: write
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Free up disk space
	run: \|-
	df -h
	rm -rf /mnt/host-root/usr/share/dotnet \|\| true
	rm -rf /mnt/host-root/usr/local/lib/android \|\| true
	rm -rf /mnt/host-root/opt/ghc \|\| true
	rm -rf /mnt/host-root/usr/local/.ghcup \|\| true
	df -h
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- name: Configure Git
	run: git config --global safe.directory "$GITHUB_WORKSPACE"
	- name: Install rustup
	run: \|
	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \| sh -s -- -v -y --default-toolchain none
	echo "${HOME}/.cargo/bin" >> $GITHUB_PATH
	- name: Install Rust toolchain
	run: \|
	# Set the default toolchain. Installs the toolchain if it is not already installed.
	rustup default 1.93.0
	cargo version
	- name: Expose Pythons
	run: \|
	echo "/opt/python/cp37-cp37m/bin" >> $GITHUB_PATH
	echo "/opt/python/cp38-cp38/bin" >> $GITHUB_PATH
	echo "/opt/python/cp39-cp39/bin" >> $GITHUB_PATH
	echo "/opt/python/cp310-cp310/bin" >> $GITHUB_PATH
	echo "/opt/python/cp311-cp311/bin" >> $GITHUB_PATH
	echo "/opt/python/cp312-cp312/bin" >> $GITHUB_PATH
	echo "/opt/python/cp313-cp313/bin" >> $GITHUB_PATH
	- name: Install Protoc
	uses: arduino/setup-protoc@3ea1d70ac22caff0b66ed6cb37d5b7aadebd4623
	with:
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	version: 23.x
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Build wheels
	run: ./pants run src/python/pants_release/release.py -- build-wheels
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Build Pants PEX
	run: ./pants package src/python/pants:pants-pex
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-wheels-and-pex-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	timeout-minutes: 90
	check_release_notes:
	name: Ensure PR has release notes
	needs:
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	if: github.event_name == 'pull_request' && !needs.classify_changes.outputs.notes
	name: Ensure appropriate label
	uses: mheap/github-action-required-labels@v4.0.0
	with:
	count: 1
	labels: release-notes:not-required, category:internal
	message: \|2

	Please do one of:

	- add release notes to the appropriate file in `docs/notes`

	- label this PR with `release-notes:not-required` if it does not need them (for
	instance, if this is fixing a minor typo in documentation)

	- label this PR with `category:internal` if it's an internal change

	Feel free to ask a maintainer for help if you are not sure what is appropriate!
	mode: minimum
	classify_changes:
	name: Classify changes
	outputs:
	ci_config: ${{ steps.classify.outputs.ci_config }}
	dev_utils: ${{ steps.classify.outputs.dev_utils }}
	docs: ${{ steps.classify.outputs.docs }}
	no_code: ${{ steps.classify.outputs.no_code }}
	notes: ${{ steps.classify.outputs.notes }}
	other: ${{ steps.classify.outputs.other }}
	release: ${{ steps.classify.outputs.release }}
	rust: ${{ steps.classify.outputs.rust }}
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- id: classify
	name: Classify changed files
	run: \|
	if [[ -z $GITHUB_EVENT_PULL_REQUEST_BASE_SHA ]]; then
	# push: compare to the immediate parent, which should already be fetched
	# (checkout's fetch_depth defaults to 10)
	comparison_sha=$(git rev-parse HEAD^)
	else
	# pull request: compare to the base branch, ensuring that commit exists
	git fetch --depth=1 "$GITHUB_EVENT_PULL_REQUEST_BASE_SHA"
	comparison_sha="$GITHUB_EVENT_PULL_REQUEST_BASE_SHA"
	fi
	echo "comparison_sha=$comparison_sha"

	change_labels=$(git diff --name-only "$comparison_sha" HEAD \| python build-support/bin/classify_changed_files.py)
	echo "Change Labels:"
	for i in ${change_labels}; do
	echo "${i}=true" \| tee -a $GITHUB_OUTPUT
	done
	lint_python:
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Lint Python and Shell
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Lint
	run: \|
	./pants lint check ::
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-lint-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	timeout-minutes: 30
	merge_ok:
	if: always()
	name: Merge OK
	needs:
	- set_merge_ok
	runs-on:
	- ubuntu-22.04
	steps:
	- run: \|
	merge_ok="${{ needs.set_merge_ok.outputs.merge_ok }}"
	if [[ "${merge_ok}" == "true" ]]; then
	echo "Merge OK"
	exit 0
	else
	echo "Merge NOT OK"
	exit 1
	fi
	set_merge_ok:
	if: always() && !contains(needs..result, 'failure') && !contains(needs..result, 'cancelled')
	name: Set Merge OK
	needs:
	- classify_changes
	- check_release_notes
	- bootstrap_pants_linux_x86_64
	- build_wheels_linux_x86_64
	- check_release_notes
	- classify_changes
	- lint_python
	- test_python_linux_x86_64_0
	- test_python_linux_x86_64_1
	- test_python_linux_x86_64_2
	- test_python_linux_x86_64_3
	- test_python_linux_x86_64_4
	- test_python_linux_x86_64_5
	- test_python_linux_x86_64_6
	- test_python_linux_x86_64_7
	- test_python_linux_x86_64_8
	- test_python_linux_x86_64_9
	outputs:
	merge_ok: ${{ steps.set_merge_ok.outputs.merge_ok }}
	runs-on:
	- ubuntu-22.04
	steps:
	- id: set_merge_ok
	run: echo 'merge_ok=true' >> ${GITHUB_OUTPUT}
	test_python_linux_x86_64_0:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 0/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 0/10
	run: \|
	./pants test --shard=0/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-0_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_1:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 1/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 1/10
	run: \|
	./pants test --shard=1/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-1_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_2:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 2/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 2/10
	run: \|
	./pants test --shard=2/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-2_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_3:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 3/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 3/10
	run: \|
	./pants test --shard=3/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-3_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_4:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 4/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 4/10
	run: \|
	./pants test --shard=4/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-4_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_5:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 5/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 5/10
	run: \|
	./pants test --shard=5/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-5_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_6:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 6/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 6/10
	run: \|
	./pants test --shard=6/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-6_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_7:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 7/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 7/10
	run: \|
	./pants test --shard=7/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-7_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_8:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 8/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 8/10
	run: \|
	./pants test --shard=8/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-8_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	test_python_linux_x86_64_9:
	env:
	PANTS_PROCESS_EXECUTION_LOCAL_PARALLELISM: '1'
	if: needs.classify_changes.outputs.no_code != 'true'
	name: Test Python (Linux-x86_64) Shard 9/10
	needs:
	- bootstrap_pants_linux_x86_64
	- classify_changes
	runs-on:
	- ubuntu-22.04
	steps:
	- name: Check out code
	uses: actions/checkout@v6
	with:
	fetch-depth: 10
	- env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	name: Launch bazel-remote
	run: \|
	mkdir -p ~/bazel-remote
	if [[ -z "${AWS_ACCESS_KEY_ID}" ]]; then
	CACHE_WRITE=false
	# If no secret read/write creds, use hard-coded read-only creds, so that
	# cross-fork PRs can at least read from the cache.
	# These creds are hard-coded here in this public repo, which makes the bucket
	# world-readable. But since putting raw AWS tokens in a public repo, even
	# deliberately, is icky, we base64-them. This will at least help hide from
	# automated scanners that look for checked in AWS keys.
	# Not that it would be terrible if we were scanned, since this is public
	# on purpose, but it's best not to draw attention.
	AWS_ACCESS_KEY_ID=$(echo 'QUtJQVY2QTZHN1JRVkJJUVM1RUEK' \| base64 -d)
	AWS_SECRET_ACCESS_KEY=$(echo 'd3dOQ1k1eHJJWVVtejZBblV6M0l1endXV0loQWZWcW9GZlVjMDlKRwo=' \| base64 -d)
	else
	CACHE_WRITE=true
	fi
	docker run --detach -u 1001:1000 -v ~/bazel-remote:/data -p 9092:9092 buchgr/bazel-remote-cache:v2.4.1 --s3.auth_method=access_key --s3.access_key_id="${AWS_ACCESS_KEY_ID}" --s3.secret_access_key="${AWS_SECRET_ACCESS_KEY}" --s3.bucket=cache.pantsbuild.org --s3.endpoint=s3.us-east-1.amazonaws.com --max_size 30
	echo "PANTS_REMOTE_STORE_ADDRESS=grpc://localhost:9092" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_READ=true" >> "$GITHUB_ENV"
	echo "PANTS_REMOTE_CACHE_WRITE=${CACHE_WRITE}" >> "$GITHUB_ENV"
	- name: Install AdoptJDK
	uses: actions/setup-java@v5
	with:
	distribution: adopt
	java-version: '11'
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.25.3
	- name: Install Go
	uses: actions/setup-go@v6
	with:
	go-version: 1.24.9
	- if: runner.os == 'Linux'
	name: Download Apache `thrift` binary (Linux)
	run: \|
	mkdir -p "${HOME}/.thrift"
	curl --fail -L https://binaries.pantsbuild.org/bin/thrift/linux/x86_64/0.15.0/thrift -o "${HOME}/.thrift/thrift"
	chmod +x "${HOME}/.thrift/thrift"
	echo "${HOME}/.thrift" >> $GITHUB_PATH
	- name: Set up Python 3.7, 3.8, 3.9, 3.10, 3.12, 3.13, 3.11
	uses: actions/setup-python@v6
	with:
	python-version: \|-
	3.7
	3.8
	3.9
	3.10
	3.12
	3.13
	3.11
	- name: Download native binaries
	uses: actions/download-artifact@v7
	with:
	name: native_binaries.${{ matrix.python-version }}.Linux-x86_64
	path: src/python/pants
	- name: Make native-client runnable
	run: chmod +x src/python/pants/bin/native_client
	- env:
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	name: Run Python test shard 9/10
	run: \|
	./pants test --shard=9/10 ::
	- continue-on-error: true
	env:
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	HONEYCOMB_API_KEY: ${{ secrets.HONEYCOMB_API_KEY \|\| '--DISABLED--' }}
	PANTS_SHOALSOFT_OPENTELEMETRY_ENABLED: ${{ vars.OPENTELEMETRY_ENABLED \|\| 'False' }}
	if: always()
	name: Upload test reports
	run: \|
	export S3_DST=s3://logs.pantsbuild.org/test/reports/Linux-x86_64/$(git show --no-patch --format=%cd --date=format:%Y-%m-%d)/${GITHUB_REF_NAME//\//_}/${GITHUB_RUN_ID}/${GITHUB_RUN_ATTEMPT}/${GITHUB_JOB}
	echo "Uploading test reports to ${S3_DST}"
	./pants run ./src/python/pants_release/copy_to_s3.py -- --src-prefix=dist/test/reports --dst-prefix=${S3_DST} --path=""
	- continue-on-error: true
	if: always()
	name: Upload pants.log
	uses: actions/upload-artifact@v6
	with:
	name: logs-python-test-9_10-Linux-x86_64
	overwrite: 'true'
	path: .pants.d/workdir/*.log
	name: Pull Request CI
	'on':
	pull_request: {}
	push:
	branches:
	- main

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge upstream #35

Workflow file

Merge upstream #35

Uh oh!

Workflow file for this run