name: build on: workflow_call: inputs: projects: required: true type: string platform: required: true type: string new-version: type: boolean required: false default: false jobs: get-platform: runs-on: ubuntu-latest outputs: os: ${{ steps.platform.outputs.os }} build-os: ${{ steps.platform.outputs.build-os }} container: ${{ steps.platform.outputs.container }} test-matrix: ${{ steps.platform.outputs.test-matrix }} cache-set: ${{ steps.platform.outputs.cache-set }} steps: - uses: teaxyz/pantry.core/.github/actions/get-platform@main id: platform with: platform: ${{ inputs.platform }} build: runs-on: ${{ fromJson(needs.get-platform.outputs.build-os) }} container: ${{ fromJson(needs.get-platform.outputs.container) }} needs: [get-platform] steps: - uses: actions/checkout@v3 - uses: teaxyz/pantry.core/.github/actions/setup-brewkit@main id: tea with: prefix: /opt - name: sanitize macOS runners if: fromJson(needs.get-platform.outputs.build-os) == 'macos-11' run: sudo mv /usr/local/bin/* /tmp/ - run: pkg build ${{ inputs.projects }} id: build env: GITHUB_TOKEN: ${{ github.token }} FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root - run: | ABS_PATHS=$(echo $PATHS | tr ' ' '\n' | sed -e "s_^_$TEA_PREFIX/_" | tr '\n' ' ') echo "paths=$ABS_PATHS" >> $GITHUB_OUTPUT if: startsWith(inputs.platform, 'darwin+') id: absolute-paths env: PATHS: ${{ steps.build.outputs.relative-paths }} TEA_PREFIX: ${{ steps.tea.outputs.prefix }} # sign macOS binaries - uses: teaxyz/pantry.core/.github/actions/codesign@main if: startsWith(inputs.platform, 'darwin+') && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name with: p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }} p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }} identity: "Developer ID Application: Tea Inc. (7WV56FL599)" paths: ${{ steps.absolute-paths.outputs.paths }} # cache data we'll need in the bottling job - name: assemble artifact metadata run: | echo ${{ steps.build.outputs.pkgs }} >built echo ${{ steps.build.outputs.srcs-relative-paths }} >srcs working-directory: ${{ steps.tea.outputs.prefix }} # tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions # /ref https://github.com/actions/upload-artifact/issues/38 - name: create artifacts.tgz run: tar czvf $GITHUB_WORKSPACE/artifacts.tgz ${{ steps.build.outputs.relative-paths }} ${{ steps.build.outputs.srcs-relative-paths }} built srcs working-directory: ${{ steps.tea.outputs.prefix }} - name: upload artifacts uses: actions/upload-artifact@v3 with: name: ${{ inputs.platform }} path: artifacts.tgz if-no-files-found: error test: needs: [get-platform, build] runs-on: ${{ matrix.platform.os }} strategy: matrix: platform: ${{ fromJson(needs.get-platform.outputs.test-matrix) }} outputs: HAS_SECRETS: ${{ env.HAS_SECRETS }} container: ${{ matrix.platform.container }} steps: - uses: actions/checkout@v3 - uses: teaxyz/pantry.core/.github/actions/setup-brewkit@main - uses: teaxyz/setup@v0 with: srcroot: null - uses: actions/download-artifact@v3 with: name: ${{ inputs.platform }} - name: clean destination # Note: needed when changing a directory to a symlink, for example in # https://github.com/teaxyz/pantry.extra/pull/435 run: | tar tzf $GITHUB_WORKSPACE/artifacts.tgz | \ awk '{ print length, $0 }' | \ sort -n -s -r | \ cut -d" " -f2- | \ xargs rm -rf working-directory: ${{ env.TEA_PREFIX }} - name: extract bottles run: tar xzvf artifacts.tgz -C $TEA_PREFIX - run: pkg test ${{ inputs.projects }} env: GITHUB_TOKEN: ${{ github.token }} - name: '[post]' run: echo "HAS_SECRETS=$HAS_SECRETS" >>$GITHUB_ENV env: HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != null }} bottle: needs: [test] if: inputs.new-version == true uses: ./.github/workflows/bottle.yml with: new-version: ${{ inputs.new-version }} platform: ${{ inputs.platform }} secrets: inherit complain: needs: [test] if: inputs.new-version == true && failure() uses: ./.github/workflows/complain.yml with: projects: ${{ inputs.projects }} platform: ${{ inputs.platform }} secrets: inherit stage: needs: [test] # this only works for PRs from our team to our repo (security! :( ) if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && needs.test.outputs.HAS_SECRETS == 'true' runs-on: ubuntu-latest steps: - uses: actions/download-artifact@v3 with: name: ${{ inputs.platform }} - uses: teaxyz/pantry.core/.github/actions/stage-build-artifacts@main with: platform: ${{ inputs.platform }} AWS_S3_BUCKET: ${{ secrets.AWS_S3_CACHE }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}