pantry/scripts/bottle.ts

#!/usr/bin/env -S tea -E

/* ---
dependencies:
  gnu.org/tar: ^1.34
  tukaani.org/xz: ^5
  zlib.net: 1
  gnupg.org: ^2
args:
  - deno
  - run
  - --allow-net
  - --allow-run
  - --allow-env
  - --allow-read
  - --allow-write
  - --import-map={{ srcroot }}/import-map.json
--- */

import { Installation } from "types"
import { useCellar, usePrefix, useFlags, useCache } from "hooks"
import { backticks, panic, run } from "utils"
import { crypto } from "deno/crypto/mod.ts"
import { encode } from "deno/encoding/hex.ts"
import { encode as base64Encode } from "deno/encoding/base64.ts"
import { set_output } from "./utils/gha.ts"
import * as ARGV from "./utils/args.ts"
import Path from "path"

const cellar = useCellar()


//-------------------------------------------------------------------------- main

if (import.meta.main) {
  useFlags()

  const compression = Deno.env.get("COMPRESSION") == 'xz' ? 'xz' : 'gz'
  const gpgKey = Deno.env.get("GPG_KEY_ID") ?? panic("missing GPG_KEY_ID")
  const gpgPassphrase = Deno.env.get("GPG_PASSPHRASE") ?? panic("missing GPG_PASSPHRASE")
  const checksums: string[] = []
  const signatures: string[] = []
  const bottles: Path[] = []

  for await (const pkg of ARGV.pkgs()) {
    console.log({ bottling: pkg })

    const installation = await cellar.resolve(pkg)
    const path = await bottle(installation, compression)
    const checksum = await sha256(path)
    const signature = await gpg(path, { gpgKey, gpgPassphrase })

    console.log({ bottled: path })

    bottles.push(path)
    checksums.push(checksum)
    signatures.push(signature)
  }

  await set_output("bottles", bottles.map(b => b.relative({ to: usePrefix() })))
  await set_output("checksums", checksums)
  await set_output("signatures", signatures)
}


//------------------------------------------------------------------------- funcs
export async function bottle({ path: kegdir, pkg }: Installation, compression: 'gz' | 'xz'): Promise<Path> {
  const tarball = useCache().path({ pkg, type: 'bottle', compression })
  const z = compression == 'gz' ? 'z' : 'J'
  const cwd = usePrefix()
  const cmd = ["tar", `c${z}f`, tarball, kegdir.relative({ to: cwd })]
  await run({ cmd, cwd })
  return tarball
}

export async function sha256(file: Path): Promise<string> {
  return await Deno.open(file.string, { read: true })
    .then(file => crypto.subtle.digest("SHA-256", file.readable))
    .then(buf => new TextDecoder().decode(encode(new Uint8Array(buf))))
}

interface GPGCredentials {
  gpgKey: string
  gpgPassphrase: string
}

async function gpg(file: Path, { gpgKey, gpgPassphrase }: GPGCredentials): Promise<string> {
  const rv = await backticks({
    cmd: [
      "gpg",
      "--detach-sign",
      "--armor",
      "--output",
      "-",
      "--local-user",
      gpgKey,
      "--passphrase",
      gpgPassphrase,
      file.string
    ]
  })
  return base64Encode(rv)
}
infra 2022-08-01 22:43:40 +03:00			`#!/usr/bin/env -S tea -E`

			`/* ---`
Upload .tar.xz bottles too 2022-09-26 17:56:15 +03:00			`dependencies:`
			`gnu.org/tar: ^1.34`
			`tukaani.org/xz: ^5`
			`zlib.net: 1`
gpg sign bottles 2022-11-25 06:32:26 +03:00			`gnupg.org: ^2`
infra 2022-08-01 22:43:40 +03:00			`args:`
			`- deno`
			`- run`
			`- --allow-net`
			`- --allow-run`
various fixes (#80) 2022-08-17 15:22:22 +03:00			`- --allow-env`
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`- --allow-read`
			`- --allow-write`
infra 2022-08-01 22:43:40 +03:00			`- --import-map={{ srcroot }}/import-map.json`
			`--- */`

Refactor (#142) 2022-09-20 14:53:40 +03:00			`import { Installation } from "types"`
Refactor 2022-09-27 22:11:35 +03:00			`import { useCellar, usePrefix, useFlags, useCache } from "hooks"`
jeez, i'm dumb 2022-12-01 23:59:02 +03:00			`import { backticks, panic, run } from "utils"`
Include bottle checksums in CI artifacts v3: wherein everyone stays in their lane 2022-08-26 02:59:37 +03:00			`import { crypto } from "deno/crypto/mod.ts"`
Refactor (#142) 2022-09-20 14:53:40 +03:00			`import { encode } from "deno/encoding/hex.ts"`
gpg sign bottles 2022-11-25 06:32:26 +03:00			`import { encode as base64Encode } from "deno/encoding/base64.ts"`
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00			`import { set_output } from "./utils/gha.ts"`
read args from stdin or argv 2022-09-30 16:03:03 +03:00			`import * as ARGV from "./utils/args.ts"`
Refactor (#142) 2022-09-20 14:53:40 +03:00			`import Path from "path"`
various fixes (#80) 2022-08-17 15:22:22 +03:00
infra 2022-08-01 22:43:40 +03:00			`const cellar = useCellar()`


making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`//-------------------------------------------------------------------------- main`
infra 2022-08-01 22:43:40 +03:00
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`if (import.meta.main) {`
			`useFlags()`
infra 2022-08-01 22:43:40 +03:00
Upload .tar.xz bottles too 2022-09-26 17:56:15 +03:00			`const compression = Deno.env.get("COMPRESSION") == 'xz' ? 'xz' : 'gz'`
jeez, i'm dumb 2022-12-01 23:59:02 +03:00			`const gpgKey = Deno.env.get("GPG_KEY_ID") ?? panic("missing GPG_KEY_ID")`
			`const gpgPassphrase = Deno.env.get("GPG_PASSPHRASE") ?? panic("missing GPG_PASSPHRASE")`
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00			`const checksums: string[] = []`
gpg sign bottles 2022-11-25 06:32:26 +03:00			`const signatures: string[] = []`
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`const bottles: Path[] = []`
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00
read args from stdin or argv 2022-09-30 16:03:03 +03:00			`for await (const pkg of ARGV.pkgs()) {`
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00			`console.log({ bottling: pkg })`
infra 2022-08-01 22:43:40 +03:00
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`const installation = await cellar.resolve(pkg)`
Upload .tar.xz bottles too 2022-09-26 17:56:15 +03:00			`const path = await bottle(installation, compression)`
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`const checksum = await sha256(path)`
gpg sign bottles 2022-11-25 06:32:26 +03:00			`const signature = await gpg(path, { gpgKey, gpgPassphrase })`
infra 2022-08-01 22:43:40 +03:00
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00			`console.log({ bottled: path })`
Include bottle checksums in CI artifacts v3: wherein everyone stays in their lane 2022-08-26 02:59:37 +03:00
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`bottles.push(path)`
+portable fontconfig (#134) Only changes the cache location 2022-09-14 22:48:36 +03:00			`checksums.push(checksum)`
gpg sign bottles 2022-11-25 06:32:26 +03:00			`signatures.push(signature)`
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`}`
Include bottle checksums in CI artifacts v3: wherein everyone stays in their lane 2022-08-26 02:59:37 +03:00
separate upload logic from bottling logic to deal with S3 503s ??? sync script changes amazingly close wip wip wip 2022-12-07 22:33:13 +03:00			`await set_output("bottles", bottles.map(b => b.relative({ to: usePrefix() })))`
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00			`await set_output("checksums", checksums)`
gpg sign bottles 2022-11-25 06:32:26 +03:00			`await set_output("signatures", signatures)`
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`}`
infra 2022-08-01 22:43:40 +03:00

			`//------------------------------------------------------------------------- funcs`
Upload .tar.xz bottles too 2022-09-26 17:56:15 +03:00			`export async function bottle({ path: kegdir, pkg }: Installation, compression: 'gz' \| 'xz'): Promise<Path> {`
Refactor 2022-09-27 22:11:35 +03:00			`const tarball = useCache().path({ pkg, type: 'bottle', compression })`
Upload .tar.xz bottles too 2022-09-26 17:56:15 +03:00			`const z = compression == 'gz' ? 'z' : 'J'`
Simplify builds by building to /opt/project/src 2022-09-21 09:35:03 +03:00			`const cwd = usePrefix()`
Upload .tar.xz bottles too 2022-09-26 17:56:15 +03:00			const cmd = ["tar", `c${z}f`, tarball, kegdir.relative({ to: cwd })]
Simplify builds by building to /opt/project/src 2022-09-21 09:35:03 +03:00			`await run({ cmd, cwd })`
infra 2022-08-01 22:43:40 +03:00			`return tarball`
			`}`

store sources from build pipeline Use relative-path srcs only 2022-10-03 20:22:25 +03:00			`export async function sha256(file: Path): Promise<string> {`
fix making tar.xz bottles (#158) 2022-09-28 18:14:46 +03:00			`return await Deno.open(file.string, { read: true })`
Refactor (#142) 2022-09-20 14:53:40 +03:00			`.then(file => crypto.subtle.digest("SHA-256", file.readable))`
			`.then(buf => new TextDecoder().decode(encode(new Uint8Array(buf))))`
making things relocatable (#122) 2022-09-08 23:40:35 +03:00			`}`
gpg sign bottles 2022-11-25 06:32:26 +03:00
			`interface GPGCredentials {`
			`gpgKey: string`
			`gpgPassphrase: string`
			`}`

			`async function gpg(file: Path, { gpgKey, gpgPassphrase }: GPGCredentials): Promise<string> {`
			`const rv = await backticks({`
			`cmd: [`
			`"gpg",`
			`"--detach-sign",`
			`"--armor",`
			`"--output",`
			`"-",`
			`"--local-user",`
			`gpgKey,`
			`"--passphrase",`
			`gpgPassphrase,`
			`file.string`
			`]`
			`})`
			`return base64Encode(rv)`
			`}`