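# Reusable workflow (workflow_call): builds, tests, bottles and uploads the
# packages named by the `projects` input, then reports the result to Slack.
#
# NOTE(review): no `permissions:` block is declared here, so the token scope
# is whatever the calling workflow grants. Consider declaring the minimum
# this workflow needs once that has been confirmed.
name: build

on:
  workflow_call:
    inputs:
      projects:
        required: true
        type: string

# NOTE(review): workflow-level env is visible to every step of every job,
# including the third-party actions used below. If only some steps read
# TEA_SECRET, scope it to those steps instead.
env:
  TEA_SECRET: ${{ secrets.TEA_SECRET }}

jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - os: macos-11
          - os: ubuntu-latest
            container:
              image: debian:buster-slim
              options: --memory=16g
          - os: [self-hosted, macOS, ARM64]
            tag: darwin-aarch64
          - os: [self-hosted, linux, ARM64]
            tag: linux-aarch64
    container: ${{ matrix.container }}
    outputs:
      built: ${{ steps.build.outputs.pkgs }}
      srcs: ${{ steps.build.outputs.srcs }}
      pkgs: ${{ steps.sorted.outputs.pkgs }} ${{ steps.sorted.outputs.pre-install }}
    steps:
      - name: co pantry
        uses: actions/checkout@v3
        with:
          path: pantry

      # NOTE(review): actions/checkout keeps the token in the checkout's git
      # config unless `persist-credentials: false` is set, and later steps run
      # package builds in the same workspace. If nothing needs git access to
      # cli after checkout, disable persistence here and in the cli checkouts
      # of the test and bottle jobs.
      - name: co cli
        uses: actions/checkout@v3
        with:
          path: cli
          repository: teaxyz/cli
          token: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }}

      # Only entries with a `tag` (the self-hosted runners) run this: it
      # removes everything directly under $TEA_PREFIX/tea.xyz except `var`.
      - run: |
          if test -d $TEA_PREFIX/tea.xyz; then
            find $TEA_PREFIX/tea.xyz -mindepth 1 -maxdepth 1 -not \( -path $TEA_PREFIX/tea.xyz/var \) -print0 | \
            xargs -0 rm -rf
          fi
        if: ${{ matrix.tag }}
        env:
          TEA_PREFIX: /opt

      - uses: teaxyz/setup@v0
        id: tea
        with:
          srcroot: pantry
          prefix: /opt

      - name: HACKS
        run: |
          case ${{ matrix.os }} in
          ubuntu-latest)
            #FIXME our LLVM doesn't provide c/c++ headers for some reason
            apt-get update
            apt-get --yes install libc-dev libstdc++-8-dev libgcc-8-dev
            ;;
          macos-11)
            #FIXME we need a clean install of macOS for builds
            #TODO stop using GHA images or chroot or something
            for x in /usr/local/*; do sudo mv $x /tmp; done
            ;;
          *)
            # self-hosted runner. noop
            echo
            ;;
          esac

          rm -rf /opt/tea.xyz/var
          ln -s $GITHUB_WORKSPACE /opt/tea.xyz/var

      # `projects` is supplied by the caller. It is passed through the
      # environment instead of being expanded into the script text, so shell
      # metacharacters in it are not executed. $PROJECTS is deliberately
      # unquoted: a whitespace-separated value still splits into separate
      # arguments, as it did before.
      #
      # NOTE(review): the step outputs expanded into `run:` lines further down
      # (sorted.*, build.*, bottle.*) are presumably derived from this input by
      # the repo's scripts. Confirm those scripts only emit validated package
      # specs and paths, or pass them through env in the same way.
      - run: pantry/scripts/sort.ts $PROJECTS
        id: sorted
        env:
          PROJECTS: ${{ inputs.projects }}

      - run: cli/scripts/install.ts ${{ steps.sorted.outputs.pre-install }}

      #FIXME remove later
      # NOTE(review): this makes every regular file under any `bin` directory
      # in /opt world-writable. On the self-hosted runners another local
      # process could then alter binaries that are later tarred and bottled.
      # Confirm what the hack works around and narrow the mode.
      - run: find /opt -name bin -type d -exec find {} -type f -print0 \; | xargs -0 chmod 777

      - run: pantry/scripts/build.ts ${{ steps.sorted.outputs.pkgs }}
        id: build
        env:
          # GITHUB_TOKEN doesn't have private access to teaxyz/cli.
          # TODO restore to ${{ github.token }} when public
          # NOTE(review): until then a personal access token is exported to
          # the build process, and anything the package builds execute
          # (configure scripts etc.) can read it. Keep its scope minimal.
          GITHUB_TOKEN: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }}
          FORCE_UNSAFE_CONFIGURE: 1  # some configure scripts refuse to run as root

      # tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions
      # /ref https://github.com/actions/upload-artifact/issues/38
      - run: >-
          tar czf $GITHUB_WORKSPACE/artifacts.tgz
          ${{ steps.build.outputs.relative-paths }}
          ${{ steps.build.outputs.srcs-relative-paths }}
        working-directory: ${{ steps.tea.outputs.prefix }}

      - name: upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: ${{ matrix.tag || matrix.os }}
          path: artifacts.tgz
          if-no-files-found: error

  test:
    needs: [build]
    runs-on: ${{ matrix.os }}
    defaults:
      run:
        working-directory: tea.xyz/var/pantry/scripts
    strategy:
      matrix:
        include:
          - os: macos-11
          - os: ubuntu-latest
          - os: ubuntu-latest
            container: ghcr.io/teaxyz/infuser:slim-latest
          - os: ubuntu-latest
            container: debian:buster-slim
          - os: [self-hosted, macOS, ARM64]
            tag: darwin-aarch64
          - os: [self-hosted, linux, ARM64]
            tag: linux-aarch64
    container: ${{ matrix.container }}
    steps:
      - uses: actions/checkout@v3
        with:
          path: tea.xyz/var/pantry

      - uses: actions/checkout@v3
        with:
          path: tea.xyz/var/cli
          repository: teaxyz/cli
          token: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }}

      # Container entries only: install the C/C++ development packages.
      - run: |
          apt-get update
          apt-get --yes install libc-dev libstdc++-8-dev libgcc-8-dev
        if: ${{ matrix.container != '' }}

      # Tagged (self-hosted) entries only: clear everything under
      # $TEA_PREFIX/tea.xyz except `var`.
      - run: |
          if test -d $TEA_PREFIX/tea.xyz; then
            find $TEA_PREFIX/tea.xyz -mindepth 1 -maxdepth 1 -not \( -path $TEA_PREFIX/tea.xyz/var \) -print0 | \
            xargs -0 rm -rf
          fi
        if: ${{ matrix.tag }}
        env:
          TEA_PREFIX: ${{ github.workspace }}

      - uses: teaxyz/setup@v0
        id: tea
        with:
          prefix: ${{ github.workspace }}
          srcroot: tea.xyz/var/pantry

      - uses: actions/download-artifact@v3
        with:
          name: ${{ matrix.tag || matrix.os }}

      - run: tar xzf artifacts.tgz
        working-directory: ${{ steps.tea.outputs.prefix }}

      # Caller-supplied input goes through env, not into the script text;
      # left unquoted so it still splits into separate arguments.
      - run: ./test.ts $PROJECTS
        env:
          PROJECTS: ${{ inputs.projects }}

  bottle:
    defaults:
      run:
        working-directory: tea.xyz/var/pantry/scripts
    needs: [test, build]
    runs-on: ${{ matrix.platform.os }}
    strategy:
      matrix:
        platform:
          - os: macos-11
          - os: ubuntu-latest
          - os: [self-hosted, macOS, ARM64]
            tag: darwin-aarch64
          - os: [self-hosted, linux, ARM64]
            tag: linux-aarch64
        compression:
          - xz
          - gz
    steps:
      - uses: actions/checkout@v3
        with:
          path: tea.xyz/var/pantry

      - uses: actions/checkout@v3
        with:
          path: tea.xyz/var/cli
          repository: teaxyz/cli
          token: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }}

      # Tagged (self-hosted) entries only: clear everything under
      # $TEA_PREFIX/tea.xyz except `var`.
      - run: |
          if test -d $TEA_PREFIX/tea.xyz; then
            find $TEA_PREFIX/tea.xyz -mindepth 1 -maxdepth 1 -not \( -path $TEA_PREFIX/tea.xyz/var \) -print0 | \
            xargs -0 rm -rf
          fi
        if: ${{ matrix.platform.tag }}
        env:
          TEA_PREFIX: ${{ github.workspace }}

      - uses: teaxyz/setup@v0
        id: tea
        with:
          prefix: ${{ github.workspace }}
          srcroot: tea.xyz/var/pantry

      - uses: actions/download-artifact@v3
        with:
          name: ${{ matrix.platform.tag || matrix.platform.os }}
          path: ${{ steps.tea.outputs.prefix }}

      - run: tar xzf artifacts.tgz
        working-directory: ${{ steps.tea.outputs.prefix }}

      - run: ./bottle.ts ${{ needs.build.outputs.built }}
        id: bottle
        env:
          COMPRESSION: ${{ matrix.compression }}

      - name: upload bottles
        id: upload
        run: >-
          ./upload.ts
          --pkgs ${{ needs.build.outputs.built }}
          --srcs ${{ needs.build.outputs.srcs }}
          --bottles ${{ steps.bottle.outputs.bottles }}
          --checksums ${{ steps.bottle.outputs.checksums }}
        env:
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

      #NOTE ideally we’d invalidate all at once so this is atomic
      # however GHA can’t consolidate outputs from a matrix :/
      # NOTE(review): this third-party action receives the static AWS access
      # keys and is referenced by a mutable tag. Pinning it to a full commit
      # SHA keeps a retagged release from running with these credentials. The
      # same pinning applies to the other non-GitHub actions in this file.
      - uses: chetan/invalidate-cloudfront-action@v2
        env:
          PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }}
          DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
          AWS_REGION: us-east-1
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

  # Runs whether or not the earlier jobs succeeded and posts the overall
  # status to Slack.
  notify:
    if: always()
    needs: [bottle]
    runs-on: ubuntu-latest
    steps:
      - uses: martialonline/workflow-status@v3
        id: status
      - uses: rtCamp/action-slack-notify@v2
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
          SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
          SLACK_MESSAGE: build job for ${{ inputs.projects }} ${{ steps.status.outputs.status }}
          SLACK_COLOR: ${{ steps.status.outputs.status }}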