microsoft · snnn · Apr 24, 2025
diff --git a/.github/actions/locate-vcvarsall-and-setup-env/action.yml b/.github/actions/locate-vcvarsall-and-setup-env/action.yml
@@ -14,7 +14,7 @@ runs:
   steps:
 
     - name: Setup VCPKG
-      uses: microsoft/onnxruntime-github-actions/setup-build-tools@v0.0.5
+      uses: microsoft/onnxruntime-github-actions/setup-build-tools@v0.0.6
       with:
         vcpkg-version: '2025.03.19'
         vcpkg-hash: '17e96169cd3f266c4716fcdc1bb728e6a64f103941ece463a2834d50694eba4fb48f30135503fd466402afa139abc847ef630733c442595d1c34979f261b0114'

diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -6,17 +6,119 @@ on:
     branches:
       - main
       - rel-*
+      - snnn/ci
   pull_request:
     branches:
       - main
       - rel-*
   workflow_dispatch:
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' }}
-  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.sha }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  packages: write
+  attestations: write
+  id-token: write
 
 jobs:
+  AndroidBinarySizeCheckJob_MinimalBaseline:
+    runs-on: ["self-hosted", "1ES.Pool=onnxruntime-github-Ubuntu2204-AMD-CPU"]
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+
+    - name: Setup Android NDK
+      uses: ./.github/actions/setup-android-ndk
+      with:
+        ndk-version: 28.0.13004108
+
+    - name: Get Docker Image using Action
+      uses: microsoft/onnxruntime-github-actions/build-docker-image@v0.0.6
+      id: build_docker_image_step
+      with:
+        dockerfile: ${{ github.workspace }}/tools/ci_build/github/linux/docker/inference/x86_64/default/cpu/Dockerfile
+        image-name: ghcr.io/microsoft/onnxruntime/onnxruntimecpubuildcix64
+        push: true
+        azure-container-registry-name: onnxruntimebuildcache
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Set variables from config file
+      id: set_vars
+      run: |
+        import json, os
+
+        config_file_path = "tools/ci_build/github/linux/ort_minimal/build_check_binsize_config/android_minimal_baseline.config"
+        with open(config_file_path, mode="r") as config_file:
+            config = json.load(config_file)
+
+        def set_var(name, value):
+            print(f"Setting variable: {name} = '{value}'")
+            # Use GITHUB_ENV for setting environment variables
+            with open(os.environ['GITHUB_ENV'], 'a') as f:
+                f.write(f"{name}={value}\n")
+
+        set_var("BuildConfigType", config["type"])
+        set_var("BuildConfigOs", config["os"])
+      shell: python
+      working-directory: ${{ github.workspace }}
+
+    - name: Export GitHub Actions cache environment variables
+      uses: actions/github-script@v7
+      with:
+        script: |
+          core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
+          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+
+    - name: 1a. Build onnxruntime
+      run: |
+        set -e -x
+        BINARY_SIZE_THRESHOLD_ARGS=""
+        echo "Binary size threshold in bytes: 1306224"
+        BINARY_SIZE_THRESHOLD_ARGS="--threshold_size_in_bytes 1306224"
+
+        # Ensure ANDROID_NDK_HOME is available and get its real path
+        if [ -z "$ANDROID_NDK_HOME" ]; then
+          echo "ANDROID_NDK_HOME is not set."
+          exit 1
+        fi
+        NDK_HOME_REALPATH=$(realpath $ANDROID_NDK_HOME)
+
+        # Ensure ANDROID_HOME is available
+        if [ -z "$ANDROID_HOME" ]; then
+          echo "ANDROID_HOME is not set. Using default /usr/local/lib/android/sdk"
+          export ANDROID_HOME=/usr/local/lib/android/sdk
+        fi
+
+        docker run -e SYSTEM_COLLECTIONURI --rm \
+          --volume ${{ github.workspace }}:/onnxruntime_src \
+          --volume ${{ runner.temp }}:/build \
+          --volume $ANDROID_HOME:/android_home \
+          --volume $NDK_HOME_REALPATH:/ndk_home \
+          -w /onnxruntime_src \
+          -e ALLOW_RELEASED_ONNX_OPSET_ONLY=1 \
+          -e NIGHTLY_BUILD=1 \
+          -e BUILD_BUILDNUMBER=${{ github.run_number }} \
+          -e BUILD_SOURCEVERSION=${{ github.sha }} \
+          -e BUILD_ID=${{ github.run_id }} \
+          -e BUILD_REASON=${{ github.event_name }} \
+          -e BUILD_BRANCH=${{ github.ref }} \
+          -e ACTIONS_CACHE_URL \
+          -e ACTIONS_RUNTIME_TOKEN \
+          -e RUNNER_TEMP=/build \
+          ${{ steps.build_docker_image_step.outputs.full-image-name }} \
+            bash -c "python3 -m pip install -r /onnxruntime_src/tools/ci_build/requirements/pybind/requirements.txt && \
+                     python3 tools/ci_build/github/linux/ort_minimal/build_ort_and_check_binary_size.py \
+                       --build_dir /build/1a \
+                       ${BINARY_SIZE_THRESHOLD_ARGS} \
+                       tools/ci_build/github/linux/ort_minimal/build_check_binsize_config/android_minimal_baseline.config"
+      shell: bash
+
   android_nnapi_ep:
     runs-on: ["self-hosted", "1ES.Pool=onnxruntime-github-Ubuntu2204-AMD-CPU"]
     steps:
@@ -30,7 +132,7 @@ jobs:
           architecture: x64
 
 
-      - uses: microsoft/onnxruntime-github-actions/setup-build-tools@v0.0.5
+      - uses: microsoft/onnxruntime-github-actions/setup-build-tools@v0.0.6
         with:
           vcpkg-version: '2025.03.19'
           vcpkg-hash: '17e96169cd3f266c4716fcdc1bb728e6a64f103941ece463a2834d50694eba4fb48f30135503fd466402afa139abc847ef630733c442595d1c34979f261b0114'
@@ -71,7 +173,9 @@ jobs:
 
 
       - name: Build Minimal ORT with NNAPI and run tests
-        run:  tools/ci_build/github/linux/ort_minimal/nnapi_minimal_build_minimal_ort_and_run_tests.sh "$(pwd)"
+        run:
+          tools/ci_build/github/linux/ort_minimal/nnapi_minimal_build_minimal_ort_and_run_tests.sh
+          "$(pwd)"
         shell: bash
 
       - name: Install psutil for emulator shutdown by run_android_emulator.py

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,16 +8,17 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main", nuget_pkg, rel-* ]
+    branches: ["main", nuget_pkg, rel-*]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
     - cron: '41 13 * * 0'
   workflow_dispatch:
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref
+    || github.sha }}
   cancel-in-progress: true
 
 jobs:
@@ -32,44 +33,44 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'java', 'javascript', 'python' ]
+        language: ['java', 'javascript', 'python']
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
 
         # Details on CodeQL's query packs refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        queries: security-extended,security-and-quality
+          queries: security-extended,security-and-quality
 
     # Setup Java to use a version that is not too old for the project
-    - if: ${{ matrix.language == 'java' }}
-      name: Setup Java 11
-      uses: actions/setup-java@v4
-      with:
-        java-version: '11'
-        distribution: 'microsoft'
+      - if: ${{ matrix.language == 'java' }}
+        name: Setup Java 11
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'microsoft'
 
-    - if: ${{ matrix.language == 'javascript' }}
-      uses: actions/setup-node@v4
-      with:
-        node-version: 20
+      - if: ${{ matrix.language == 'javascript' }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
-    - if: ${{ matrix.language != 'cpp' }}
-      name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      - if: ${{ matrix.language != 'cpp' }}
+        name: Autobuild
+        uses: github/codeql-action/autobuild@v3
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
@@ -12,53 +12,56 @@ on:
   workflow_dispatch:
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref
+    || github.sha }}
   cancel-in-progress: true
 
 jobs:
   iOS_CI_on_Mac:
     runs-on: macos-14
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - name: Use Xcode ${{ env.XCODE_VERSION }}
-      shell: bash
-      run: |
-        set -e -x
-        XCODE_DEVELOPER_DIR="/Applications/Xcode_${{ env.XCODE_VERSION }}.app/Contents/Developer"
-        sudo xcode-select --switch "${XCODE_DEVELOPER_DIR}"
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: false
+      - name: Use Xcode ${{ env.XCODE_VERSION }}
+        shell: bash
+        run: |
+          set -e -x
+          XCODE_DEVELOPER_DIR="/Applications/Xcode_${{ env.XCODE_VERSION }}.app/Contents/Developer"
+          sudo xcode-select --switch "${XCODE_DEVELOPER_DIR}"
 
-    - name: Export GitHub Actions cache environment variables
-      uses: actions/github-script@v7
-      with:
-        script: |
-          core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
-          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+      - name: Export GitHub Actions cache environment variables
+        uses: actions/github-script@v7
+        with:
+          script: |
+            core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
+            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
 
-    - name: (CPU, CoreML, XNNPACK EPs) Build onnxruntime for iOS x86_64 and run tests using simulator
-      shell: bash
-      run: |
-        python3 ${{ github.workspace }}/tools/ci_build/build.py \
-          --skip_submodule_sync \
-          --build_dir ${{ github.workspace }}/iOS \
-          --build_shared_lib \
-          --use_coreml \
-          --use_xnnpack \
-          --ios \
-          --apple_sysroot iphonesimulator \
-          --osx_arch x86_64 \
-          --apple_deploy_target=15.1 \
-          --use_xcode \
-          --config RelWithDebInfo \
-          --build_apple_framework \
-          --parallel \
-          --use_binskim_compliant_compile_flags
-      env:
-        ORT_GET_SIMULATOR_DEVICE_INFO_REQUESTED_RUNTIME_VERSION: ${{ env.IOS_SIMULATOR_RUNTIME_VERSION }}
+      - name: (CPU, CoreML, XNNPACK EPs) Build onnxruntime for iOS x86_64 and run
+          tests using simulator
+        shell: bash
+        run: |
+          python3 ${{ github.workspace }}/tools/ci_build/build.py \
+            --skip_submodule_sync \
+            --build_dir ${{ github.workspace }}/iOS \
+            --build_shared_lib \
+            --use_coreml \
+            --use_xnnpack \
+            --ios \
+            --apple_sysroot iphonesimulator \
+            --osx_arch x86_64 \
+            --apple_deploy_target=15.1 \
+            --use_xcode \
+            --config RelWithDebInfo \
+            --build_apple_framework \
+            --parallel \
+            --use_binskim_compliant_compile_flags
+        env:
+          ORT_GET_SIMULATOR_DEVICE_INFO_REQUESTED_RUNTIME_VERSION: ${{ env.IOS_SIMULATOR_RUNTIME_VERSION
+            }}
 
     timeout-minutes: 150
     env:
       XCODE_VERSION: 15.3.0
-      IOS_SIMULATOR_RUNTIME_VERSION: 17.4
+      IOS_SIMULATOR_RUNTIME_VERSION: 17.4