CI: Enable GitHub Actions App for ppc64le (Power architecture) support
Hi cryptography team,
We’ve successfully tested CI workflow changes for the ppc64le (Power) architecture using the GitHub Actions (GHA) service provided by IBM. You can see an example run here:
🔗 CI run example
📌 Related NumPy tracking issue: https://github.com/numpy/numpy/issues/29125
We’d now like to propose enabling the GitHub Actions app in this repository to allow running CI jobs for ppc64le directly via GitHub Actions. This would support upstream compatibility and help ensure continued support for the Power architecture in cryptography.
A few key details about the setup:
✅ Ephemeral and secure runners, isolated per job
🛠️ Maintained by IBM, integrated with GitHub’s standard GHA workflows
📚 Technical documentation: https://github.com/IBM/actionspz/tree/main/docs
We’re happy to assist with the setup or provide any additional details the team may need.
Thanks so much!
This is something we'd definitely be potentially interested in.
Can you show us:
a) What a PR to any repo to add the configuration looks like?
b) How many concurrent builds can we do?
c) What sort of performance we can expect?
d) How are the images maintained -- do they match upstream GHA images?
I see in your issue tracker that one of your criteria for projects that are getting onboarded is knowing a bit about load. If we choose to integrate this we'll be running it in our standard CI as well as our wheel builder since we do not produce wheels for untested architectures. So far this month we've run the CI workflow ~180 times and the wheel builder ~20 times, so you could expect us to run somewhere around 10-20 jobs per day on average (with heavy spikes occasionally during active development windows).
Thanks! I’m happy to provide more detail on how this works:
a) What does a PR to any repo to add the configuration look like?
Yes, typically a PR is submitted to add the configuration needed to enable ppc64le and/or s390x builds. This involves updating the workflow file that triggers the job you want to run on these architectures — specifically by adding the appropriate labels (e.g., runs-on: ubuntu-24.04-ppc64le or runs-on: ubuntu-24.04-s390x). However, this is only part of the setup. In addition, the repository must install the GitHub App that provides access to the hosted runners for Power (ppc64le) and Z (s390x) systems. This is a one-time onboarding step at the organization level.
b) How many concurrent builds can we do?
Our infrastructure is in a state of constant growth, and the number of concurrent builds depends on the type of build being run. We currently support multiple concurrent builds, but we do not assign a dedicated VM per project. Instead, builds run in containers on shared VMs. Concurrency is managed through rate limiting at the organization level to ensure fair distribution of resources across all users.
c) What sort of performance can we expect?
The performance is on par with what you’d expect from modern x86_64 or arm64 GitHub-hosted runners. Builds will run on POWER9, POWER10, or IBM LinuxONE hardware, depending on the workflow configuration. While we abstract those details away, you should expect reliable and consistent build speeds for typical open source workloads.
d) How are the images maintained? Do they match upstream GHA images?
The container images used on the Power and Z runners are maintained via the gaplib project: GitHub - ppc64le/gaplib: GitHub Actions on Power/Z LXD Image Build. These images are kept aligned with GitHub-hosted runner images (such as ubuntu-latest), with additional customizations for the target architecture. This ensures a consistent and familiar build environment across platforms.
For further reference:
📘 Technical documentation: IBM ActionsPZ Docs
✅ Recent CI example: Cryptography on ppc64le
Please feel free to reach out if you have more questions.
Thanks!
What are the typical or default rate limits?
Each hosted runner VM can handle up to 4 concurrent jobs (containers). There's no restriction on how frequently jobs can be triggered — they can run as often as needed.
What I'm trying to understand is: if we trigger 8 new jobs, will all of those run concurrently, or will we experience queuing?
> What I'm trying to understand is: if we trigger 8 new jobs, will all of those run concurrently, or will we experience queuing?
Yes, 8 jobs can run concurrently. Based on the current load, there is a chance you will experience queuing, though we are working on scaling the number of workers based on demand.
Ok. Based on this I think we're interested in getting this set up. We'd be happy to take a PR for this if it's something you already have.
> Ok. Based on this I think we're interested in getting this set up. We'd be happy to take a PR for this if it's something you already have.
Thanks @alex, I'm currently working on the CI changes for ppc64le. I plan to raise a PR next week and will keep you updated once it's ready.
Great
On Thu, Jun 26, 2025 at 7:23 AM sandeepgupta12 @.***> wrote:
> sandeepgupta12 left a comment (pyca/cryptography#13086) https://github.com/pyca/cryptography/issues/13086#issuecomment-3008682276
> > Ok. Based on this I think we're interested in getting this set up. We'd be happy to take a PR for this if it's something you already have.
> Thanks @alex https://github.com/alex, I'm currently working on the CI changes for ppc64le. I plan to raise a PR next week and will keep you updated once it's ready.
-- All that is necessary for evil to succeed is for good people to do nothing.
Hi @alex,
As mentioned earlier, I’ve completed the CI changes for ppc64le and opened the following PRs:
- https://github.com/pyca/cryptography/pull/13130
- https://github.com/pyca/infra/pull/702
Looking forward to your feedback!
done!
Hi @alex,
Could you please upload the ppc64le wheel to PyPI? Let me know if there’s anything else I need to take care of to support this.
Thanks!
It'll go out with our next release. We'll discuss if we want to do a 45.0.x release for this.
> It'll go out with our next release. We'll discuss if we want to do a 45.0.x release for this.
Hi @alex
I noticed that version 45.0.6 was released yesterday, but I don’t see the ppc64le wheel published on PyPI yet. Could you please confirm if it’s planned for a later patch release, or if there's anything else needed from my side to support this?
Appreciate your help!
It'll be in 46, CI had changed sufficiently since 45 that we weren't comfortable with a backport.
On Thu, Aug 7, 2025 at 2:51 AM sandeepgupta12 @.***> wrote:
> sandeepgupta12 left a comment (pyca/cryptography#13086) https://github.com/pyca/cryptography/issues/13086#issuecomment-3162734873
> > It'll go out with our next release. We'll discuss if we want to do a 45.0.x release for this.
> Hi @alex https://github.com/alex
> I noticed that version 45.0.6 was released yesterday, but I don’t see the ppc64le wheel published on PyPI yet. Could you please confirm if it’s planned for a later patch release, or if there's anything else needed from my side to support this?
> Appreciate your help!