2022-12-21 00:54:26 +03:00
|
|
|
|
name: bottle
|
|
|
|
|
|
2022-12-21 02:29:41 +03:00
|
|
|
|
on:
|
|
|
|
|
workflow_call:
|
|
|
|
|
inputs:
|
|
|
|
|
new-version:
|
|
|
|
|
type: boolean
|
|
|
|
|
required: false
|
|
|
|
|
default: false
|
2022-12-21 00:54:26 +03:00
|
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
|
bottle:
|
|
|
|
|
runs-on: ${{ matrix.platform.os }}
|
|
|
|
|
defaults:
|
|
|
|
|
run:
|
|
|
|
|
working-directory: tea.xyz/var/pantry
|
|
|
|
|
strategy:
|
|
|
|
|
matrix:
|
|
|
|
|
platform:
|
|
|
|
|
- os: macos-11
|
|
|
|
|
name: darwin+x86-64
|
|
|
|
|
- os: ubuntu-latest
|
|
|
|
|
name: linux+x86-64
|
|
|
|
|
- os: [self-hosted, macOS, ARM64]
|
|
|
|
|
name: darwin+aarch64
|
|
|
|
|
- os: [self-hosted, linux, ARM64]
|
|
|
|
|
name: linux+aarch64
|
|
|
|
|
outputs:
|
|
|
|
|
srcs: ${{ env.srcs }}
|
|
|
|
|
built: ${{ env.built }}
|
|
|
|
|
steps:
|
|
|
|
|
- uses: actions/checkout@v3
|
|
|
|
|
with:
|
|
|
|
|
path: tea.xyz/var/cli
|
|
|
|
|
repository: teaxyz/cli
|
|
|
|
|
|
|
|
|
|
- uses: actions/checkout@v3
|
|
|
|
|
with:
|
|
|
|
|
path: pantry
|
|
|
|
|
|
|
|
|
|
- uses: teaxyz/setup@v0
|
|
|
|
|
id: tea
|
|
|
|
|
with:
|
|
|
|
|
srcroot: tea.xyz/var/pantry
|
|
|
|
|
prefix: ${{ github.workspace }}
|
|
|
|
|
|
|
|
|
|
- run: |
|
|
|
|
|
# in case this PR contains updates to the scripts
|
|
|
|
|
#TODO only do for PRs
|
|
|
|
|
if test "$GITHUB_REPOSITORY" = "teaxyz/pantry.core"; then
|
|
|
|
|
cp -rv $GITHUB_WORKSPACE/pantry/scripts/* $(tea --prefix)/tea.xyz/var/pantry/scripts
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
- uses: actions/download-artifact@v3
|
2022-12-21 02:29:41 +03:00
|
|
|
|
if: ${{ inputs.new-version }}
|
2022-12-21 00:54:26 +03:00
|
|
|
|
with:
|
|
|
|
|
name: ${{ matrix.platform.name }}
|
|
|
|
|
path: tea.xyz/var/pantry
|
|
|
|
|
|
|
|
|
|
- run: scripts/fetch-pr-artifacts.ts ${{ github.repository }} ${{ github.sha }} ${{ matrix.platform.name }}
|
2022-12-21 02:29:41 +03:00
|
|
|
|
if: ${{ !inputs.new-version }}
|
2022-12-21 00:54:26 +03:00
|
|
|
|
env:
|
|
|
|
|
GITHUB_TOKEN: ${{github.token}}
|
|
|
|
|
AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
|
|
|
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
|
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
|
|
|
|
|
|
|
|
- run: tar xzf artifacts.tgz -C ${{ steps.tea.outputs.prefix }}
|
|
|
|
|
|
|
|
|
|
- run: |
|
|
|
|
|
for file in built relative-paths srcs; do
|
|
|
|
|
echo "$file=$(cat $file)" >>$GITHUB_ENV
|
|
|
|
|
done
|
|
|
|
|
working-directory: ${{ steps.tea.outputs.prefix }}
|
|
|
|
|
|
|
|
|
|
# the next three steps bless our code for Apple. It might be the case they should be
|
|
|
|
|
# encapulated separately.
|
|
|
|
|
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
|
|
|
|
|
# ago, and we need bugfixes.
|
|
|
|
|
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
|
|
|
|
|
# github has a doc with similar content, but it's not returning to me atm.
|
|
|
|
|
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
|
|
|
|
|
if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
|
|
|
|
|
with:
|
|
|
|
|
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
|
|
|
|
|
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
|
|
|
|
|
|
|
|
|
|
# Codesign libs and bins
|
|
|
|
|
- name: Codesign package
|
|
|
|
|
if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
|
|
|
|
|
run: |
|
|
|
|
|
for PKG in ${{ env.relative-paths }}; do
|
|
|
|
|
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
|
|
|
|
|
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
|
|
|
|
|
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
|
|
|
|
|
done
|
|
|
|
|
working-directory: ${{ steps.tea.outputs.prefix }}
|
|
|
|
|
|
|
|
|
|
# This isn't very informative, but even a no-op is safer than none
|
|
|
|
|
- name: Check codesigning
|
|
|
|
|
if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
|
|
|
|
|
run: |
|
|
|
|
|
for PKG in ${{ env.relative-paths }}; do
|
|
|
|
|
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
|
|
|
|
|
codesign -vvv --deep --strict "$SIG"
|
|
|
|
|
done
|
|
|
|
|
done
|
|
|
|
|
working-directory: ${{ steps.tea.outputs.prefix }}
|
|
|
|
|
|
|
|
|
|
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
|
|
|
|
|
- name: Delete keychain
|
|
|
|
|
if: always() && matrix.platform.name == 'darwin+aarch64'
|
|
|
|
|
run: security delete-keychain signing_temp.keychain
|
|
|
|
|
|
|
|
|
|
- run: |
|
|
|
|
|
tea +gnupg.org gpg-agent --daemon || true
|
|
|
|
|
echo $GPG_PRIVATE_KEY | \
|
|
|
|
|
base64 -d | \
|
|
|
|
|
tea +gnupg.org gpg --import --batch --yes
|
|
|
|
|
env:
|
|
|
|
|
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
|
|
|
|
|
|
|
|
|
- run: scripts/bottle.ts $built
|
|
|
|
|
id: bottle-xz
|
|
|
|
|
env:
|
|
|
|
|
COMPRESSION: xz
|
|
|
|
|
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
|
|
|
|
|
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
|
|
|
|
|
|
|
|
|
|
- run: scripts/bottle.ts $built
|
|
|
|
|
id: bottle-gz
|
|
|
|
|
env:
|
|
|
|
|
COMPRESSION: gz
|
|
|
|
|
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
|
|
|
|
|
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
|
|
|
|
|
|
|
|
|
|
- run: |
|
|
|
|
|
echo ${{ steps.bottle-gz.outputs.bottles }} ${{ steps.bottle-xz.outputs.bottles }} >bottles
|
|
|
|
|
echo ${{ steps.bottle-gz.outputs.checksums }} ${{ steps.bottle-xz.outputs.checksums }} >checksums
|
|
|
|
|
echo ${{ steps.bottle-gz.outputs.signatures }} ${{ steps.bottle-xz.outputs.signatures }} >signatures
|
|
|
|
|
|
|
|
|
|
tar cf $GITHUB_WORKSPACE/artifacts.tar \
|
|
|
|
|
$srcs \
|
|
|
|
|
${{ steps.bottle-gz.outputs.bottles }} \
|
|
|
|
|
${{ steps.bottle-xz.outputs.bottles }} \
|
|
|
|
|
bottles checksums signatures
|
|
|
|
|
|
|
|
|
|
working-directory: ${{ steps.tea.outputs.prefix }}
|
|
|
|
|
|
|
|
|
|
- name: upload artifacts
|
|
|
|
|
uses: actions/upload-artifact@v3
|
|
|
|
|
with:
|
|
|
|
|
name: ${{ matrix.platform.name }}-bottles
|
|
|
|
|
path: artifacts.tar
|
|
|
|
|
if-no-files-found: error
|
|
|
|
|
|
|
|
|
|
upload:
|
|
|
|
|
needs: [bottle]
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
defaults:
|
|
|
|
|
run:
|
|
|
|
|
working-directory: tea.xyz/var/pantry
|
|
|
|
|
strategy:
|
|
|
|
|
matrix:
|
|
|
|
|
platform:
|
|
|
|
|
- os: macos-11
|
|
|
|
|
name: darwin+x86-64
|
|
|
|
|
- os: ubuntu-latest
|
|
|
|
|
name: linux+x86-64
|
|
|
|
|
- os: [self-hosted, macOS, ARM64]
|
|
|
|
|
name: darwin+aarch64
|
|
|
|
|
- os: [self-hosted, linux, ARM64]
|
|
|
|
|
name: linux+aarch64
|
|
|
|
|
steps:
|
|
|
|
|
- uses: actions/checkout@v3
|
|
|
|
|
with:
|
|
|
|
|
path: tea.xyz/var/cli
|
|
|
|
|
repository: teaxyz/cli
|
|
|
|
|
|
|
|
|
|
- uses: actions/checkout@v3
|
|
|
|
|
with:
|
|
|
|
|
path: pantry
|
|
|
|
|
|
|
|
|
|
- uses: teaxyz/setup@v0
|
|
|
|
|
id: tea
|
|
|
|
|
with:
|
|
|
|
|
srcroot: tea.xyz/var/pantry
|
|
|
|
|
prefix: ${{ github.workspace }}
|
|
|
|
|
|
|
|
|
|
- uses: actions/download-artifact@v3
|
|
|
|
|
with:
|
|
|
|
|
name: ${{ matrix.platform.name }}-bottles
|
|
|
|
|
|
|
|
|
|
- run: |
|
|
|
|
|
tar xvf $GITHUB_WORKSPACE/artifacts.tar
|
|
|
|
|
|
|
|
|
|
for file in bottles checksums signatures; do
|
|
|
|
|
echo "$file=$(cat $file)" >>$GITHUB_ENV
|
|
|
|
|
done
|
|
|
|
|
working-directory: ${{ steps.tea.outputs.prefix }}
|
|
|
|
|
|
|
|
|
|
- run: |
|
|
|
|
|
# in case this PR contains updates to the scripts
|
|
|
|
|
#TODO only do for PRs
|
|
|
|
|
if test "$GITHUB_REPOSITORY" = "teaxyz/pantry.core"; then
|
|
|
|
|
cp -rv $GITHUB_WORKSPACE/pantry/scripts/* $(tea --prefix)/tea.xyz/var/pantry/scripts
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
- name: upload bottles
|
|
|
|
|
id: upload
|
|
|
|
|
run: scripts/upload.ts
|
|
|
|
|
--pkgs ${{ needs.bottle.outputs.built }} ${{ needs.bottle.outputs.built }}
|
|
|
|
|
--srcs ${{ needs.bottle.outputs.srcs }} ${{ needs.bottle.outputs.srcs }}
|
|
|
|
|
--bottles $bottles
|
|
|
|
|
--checksums $checksums
|
|
|
|
|
--signatures $signatures
|
|
|
|
|
env:
|
|
|
|
|
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
|
|
|
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
|
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
|
|
|
|
|
|
|
|
#NOTE ideally we’d invalidate all at once so this is atomic
|
|
|
|
|
# however GHA can’t consolidate outputs from a matrix :/
|
|
|
|
|
- uses: chetan/invalidate-cloudfront-action@v2
|
|
|
|
|
env:
|
|
|
|
|
PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }}
|
|
|
|
|
DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
|
|
|
|
|
AWS_REGION: us-east-1
|
|
|
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
|
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
needs: [upload]
|
|
|
|
|
if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.')
|
|
|
|
|
steps:
|
|
|
|
|
- name: Configure AWS Credentials
|
|
|
|
|
uses: aws-actions/configure-aws-credentials@v1
|
|
|
|
|
with:
|
|
|
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
|
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
|
|
|
aws-region: us-east-1
|
|
|
|
|
- run: |
|
|
|
|
|
REPO=$(echo ${{github.repository}} | sed -e 's_teaxyz/__')
|
|
|
|
|
PR=$(echo ${{github.ref}} | sed -e 's_refs/pull/\(.*\)/merge_\1_')
|
|
|
|
|
|
|
|
|
|
aws s3 rm --recursive s3://$AWS_S3_CACHE/pull-request/$REPO/$PR
|
|
|
|
|
env:
|
|
|
|
|
AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
|