pantry/.github/workflows/bottle.yml

name: bottle

on:
  workflow_call:
    inputs:
      new-version:
        type: boolean
        required: false
        default: false

jobs:
  bottle:
    runs-on: ${{ matrix.platform.os }}
    defaults:
      run:
        working-directory: tea.xyz/var/pantry
    strategy:
      matrix:
        platform:
          - os: macos-11
            name: darwin+x86-64
          - os: ubuntu-latest
            name: linux+x86-64
          - os: [self-hosted, macOS, ARM64]
            name: darwin+aarch64
          - os: [self-hosted, linux, ARM64]
            name: linux+aarch64
    outputs:
      srcs: ${{ env.srcs }}
      built: ${{ env.built }}
      pr: ${{ env.PR }}
    steps:
      - uses: actions/checkout@v3
        with:
          path: tea.xyz/var/cli
          repository: teaxyz/cli

      - uses: actions/checkout@v3
        with:
          path: pantry

      - uses: teaxyz/setup@v0
        id: tea
        with:
          srcroot: tea.xyz/var/pantry
          prefix: ${{ github.workspace }}

      - run: |
          # in case this PR contains updates to the scripts
          #TODO only do for PRs
          if test "$GITHUB_REPOSITORY" = "teaxyz/pantry.core"; then
            cp -rv $GITHUB_WORKSPACE/pantry/scripts/* $(tea --prefix)/tea.xyz/var/pantry/scripts
          fi

      - uses: actions/download-artifact@v3
        if: ${{ inputs.new-version }}
        with:
          name: ${{ matrix.platform.name }}
          path: tea.xyz/var/pantry

      - run: scripts/fetch-pr-artifacts.ts ${{ github.repository }} ${{ github.sha }} ${{ matrix.platform.name }} >>$GITHUB_ENV
        if: ${{ !inputs.new-version }}
        env:
          GITHUB_TOKEN: ${{github.token}}
          AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - run: tar xzf artifacts.tgz -C ${{ steps.tea.outputs.prefix }}

      - run: |
          for file in built relative-paths srcs; do
            echo "$file=$(cat $file)" >>$GITHUB_ENV
          done
        working-directory: ${{ steps.tea.outputs.prefix }}

      # the next three steps bless our code for Apple. It might be the case they should be
      # encapulated separately.
      # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
      # ago, and we need bugfixes.
      # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
      # github has a doc with similar content, but it's not returning to me atm.
      - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
        if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
        with:
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}

      # Codesign libs and bins
      - name: Codesign package
        if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
        run: |
          for PKG in ${{ env.relative-paths }}; do
            find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
              xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
            codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
          done
        working-directory: ${{ steps.tea.outputs.prefix }}

      # This isn't very informative, but even a no-op is safer than none
      - name: Check codesigning
        if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
        run: |
          for PKG in ${{ env.relative-paths }}; do
            for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
              codesign -vvv --deep --strict "$SIG"
            done
          done
        working-directory: ${{ steps.tea.outputs.prefix }}

      # Needed for self-hosted runner, since it doesn't destroy itself automatically.
      - name: Delete keychain
        if: always() && matrix.platform.name == 'darwin+aarch64'
        run: security delete-keychain signing_temp.keychain

      - run: |
          tea +gnupg.org gpg-agent --daemon || true
          echo $GPG_PRIVATE_KEY | \
            base64 -d | \
            tea +gnupg.org gpg --import --batch --yes
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}

      - run: scripts/bottle.ts $built
        id: bottle-xz
        env:
          COMPRESSION: xz
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

      - run: scripts/bottle.ts $built
        id: bottle-gz
        env:
          COMPRESSION: gz
          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

      - run: |
          echo ${{ steps.bottle-gz.outputs.bottles }} ${{ steps.bottle-xz.outputs.bottles }} >bottles
          echo ${{ steps.bottle-gz.outputs.checksums }} ${{ steps.bottle-xz.outputs.checksums }} >checksums
          echo ${{ steps.bottle-gz.outputs.signatures }} ${{ steps.bottle-xz.outputs.signatures }} >signatures

          tar cf $GITHUB_WORKSPACE/artifacts.tar \
            $srcs \
            ${{ steps.bottle-gz.outputs.bottles }} \
            ${{ steps.bottle-xz.outputs.bottles }} \
            bottles checksums signatures

        working-directory: ${{ steps.tea.outputs.prefix }}

      - name: upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.platform.name }}-bottles
          path: artifacts.tar
          if-no-files-found: error

  upload:
    needs: [bottle]
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: tea.xyz/var/pantry
    strategy:
      matrix:
        platform:
          - os: macos-11
            name: darwin+x86-64
          - os: ubuntu-latest
            name: linux+x86-64
          - os: [self-hosted, macOS, ARM64]
            name: darwin+aarch64
          - os: [self-hosted, linux, ARM64]
            name: linux+aarch64
    steps:
      - uses: actions/checkout@v3
        with:
          path: tea.xyz/var/cli
          repository: teaxyz/cli

      - uses: actions/checkout@v3
        with:
          path: pantry

      - uses: teaxyz/setup@v0
        id: tea
        with:
          srcroot: tea.xyz/var/pantry
          prefix: ${{ github.workspace }}

      - uses: actions/download-artifact@v3
        with:
          name: ${{ matrix.platform.name }}-bottles

      - run: |
          tar xvf $GITHUB_WORKSPACE/artifacts.tar

          for file in bottles checksums signatures; do
            echo "$file=$(cat $file)" >>$GITHUB_ENV
          done
        working-directory: ${{ steps.tea.outputs.prefix }}

      - run: |
          # in case this PR contains updates to the scripts
          #TODO only do for PRs
          if test "$GITHUB_REPOSITORY" = "teaxyz/pantry.core"; then
            cp -rv $GITHUB_WORKSPACE/pantry/scripts/* $(tea --prefix)/tea.xyz/var/pantry/scripts
          fi

      - name: upload bottles
        id: upload
        run: scripts/upload.ts
          --pkgs ${{ needs.bottle.outputs.built }} ${{ needs.bottle.outputs.built }}
          --srcs ${{ needs.bottle.outputs.srcs }} ${{ needs.bottle.outputs.srcs }}
          --bottles $bottles
          --checksums $checksums
          --signatures $signatures
        env:
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      #NOTE ideally we’d invalidate all at once so this is atomic
      # however GHA can’t consolidate outputs from a matrix :/
      - uses: chetan/invalidate-cloudfront-action@v2
        env:
          PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }}
          DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
          AWS_REGION: us-east-1
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

  cleanup:
    runs-on: ubuntu-latest
    needs: [bottle, upload]
    if: ${{ !inputs.new-version }}
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: |
          REPO=$(echo ${{github.repository}} | sed -e 's_teaxyz/__')

          if test -z "$PR"; then
            echo "no PR to clean up"
            exit 0
          fi

          aws s3 rm --recursive s3://$AWS_S3_CACHE/pull-request/$REPO/$PR
        env:
          AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
          PR: ${{ needs.bottle.outputs.pr }}