pantry/.github/workflows/bottle.yml

name: bottle

on:
  workflow_call:
    inputs:
      new-version:
        type: boolean
        required: false
        default: false
      platform:
        required: true
        type: string
    outputs:
      pr:
        description: 'The PR number'
        value: ${{ jobs.bottle.outputs.pr }}

jobs:
  get-platform:
    runs-on: ubuntu-latest
    outputs:
      os: ${{ steps.platform.outputs.os }}
      cache-set: ${{ steps.platform.outputs.cache-set }}
    steps:
      - uses: teaxyz/brewkit/actions/get-platform@v0
        id: platform
        with:
          platform: ${{ inputs.platform }}

  bottle:
    needs: [get-platform]
    runs-on: ${{ fromJson(needs.get-platform.outputs.os) }}
    outputs:
      srcs: ${{ env.srcs }}
      built: ${{ env.built }}
      pr: ${{ env.PR }}
    steps:
      - uses: teaxyz/brewkit/actions/setup-brewkit@v0
        id: tea

      - uses: actions/download-artifact@v3
        if: ${{ inputs.new-version }}
        with:
          name: ${{ inputs.platform }}

      - uses: teaxyz/brewkit/actions/fetch-pr-artifacts@v0
        if: ${{ !inputs.new-version }}
        with:
          platform: ${{ inputs.platform }}
          token: ${{ github.token }}
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_CACHE }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - name: clean destination
        # Note: needed when changing a directory to a symlink, for example in
        # https://github.com/teaxyz/pantry/pull/435
        run: |
          tar tzf $GITHUB_WORKSPACE/artifacts.tgz | \
            awk '{ print length, $0 }' | \
            sort -n -s -r | \
            cut -d" " -f2- | \
            xargs rm -rf
        working-directory: ${{ steps.tea.outputs.prefix }}

      - run: tar xzvf $GITHUB_WORKSPACE/artifacts.tgz
        working-directory: ${{ steps.tea.outputs.prefix }}

      - run: |
          for file in built srcs; do
            echo "$file=$(cat $file)" >>$GITHUB_ENV
          done
        working-directory: ${{ steps.tea.outputs.prefix }}

      - run: |
          tea +gnupg.org gpg-agent --daemon || true
          echo $GPG_PRIVATE_KEY | \
            base64 -d | \
            tea +gnupg.org gpg --import --batch --yes
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}

      - uses: teaxyz/brewkit/actions/bottle@v0
        id: bottle-xz
        with:
          built: ${{ env.built }}
          compression: xz
          gpg-key-id: ${{ secrets.GPG_KEY_ID }}
          gpg-key-passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - uses: teaxyz/brewkit/actions/bottle@v0
        id: bottle-gz
        with:
          built: ${{ env.built }}
          compression: gz
          gpg-key-id: ${{ secrets.GPG_KEY_ID }}
          gpg-key-passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - run: |
          echo ${{ steps.bottle-gz.outputs.bottles }} ${{ steps.bottle-xz.outputs.bottles }} >bottles
          echo ${{ steps.bottle-gz.outputs.checksums }} ${{ steps.bottle-xz.outputs.checksums }} >checksums
          echo ${{ steps.bottle-gz.outputs.signatures }} ${{ steps.bottle-xz.outputs.signatures }} >signatures

          SRCS=$(echo $srcs | tr -d '~')

          tar cf $GITHUB_WORKSPACE/artifacts.tar \
            $SRCS \
            ${{ steps.bottle-gz.outputs.bottles }} \
            ${{ steps.bottle-xz.outputs.bottles }} \
            bottles checksums signatures
        working-directory: ${{ steps.tea.outputs.prefix }}

      - name: upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ inputs.platform }}-bottles
          path: artifacts.tar
          if-no-files-found: error

  upload:
    needs: [bottle]
    runs-on: ubuntu-latest
    steps:
      - uses: teaxyz/brewkit/actions/setup-brewkit@v0
        with:
          prefix: ${{ github.workspace }}

      - uses: actions/download-artifact@v3
        with:
          name: ${{ inputs.platform }}-bottles

      - run: |
          tar xvf artifacts.tar

          for file in bottles checksums signatures; do
            echo "$file=$(cat $file)" >>$GITHUB_ENV
          done

      - uses: teaxyz/brewkit/actions/upload@v0
        id: upload
        with:
          pkgs: ${{ needs.bottle.outputs.built }} ${{ needs.bottle.outputs.built }}
          srcs: ${{ needs.bottle.outputs.srcs }} ${{ needs.bottle.outputs.srcs }}
          bottles: ${{ env.bottles }}
          checksums: ${{ env.checksums }}
          signatures: ${{ env.signatures }}
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      - uses: chetan/invalidate-cloudfront-action@v2
        env:
          PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }}
          DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
          AWS_REGION: us-east-1
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}