name: build on: workflow_call: inputs: projects: required: true type: string platform: required: true type: string new-version: type: boolean required: false default: false jobs: get-platform: runs-on: ubuntu-latest outputs: os: ${{ steps.platform.outputs.os }} build-os: ${{ steps.platform.outputs.build-os }} container: ${{ steps.platform.outputs.container }} test-matrix: ${{ steps.platform.outputs.test-matrix }} cache-set: ${{ steps.platform.outputs.cache-set }} steps: - uses: actions/checkout@v3 with: repository: teaxyz/pantry.core - uses: actions/cache@v3 with: path: | ~/.deno ~/.cache/deno key: ${{ runner.os }}-deno-get-platform-${{ hashFiles('deno.jsonc')}} - uses: teaxyz/setup@v0 - run: scripts/get-platform.ts ${{ inputs.projects }} id: platform env: PLATFORM: ${{ inputs.platform }} TEA_PANTRY_PATH: ${{ github.workspace }} build: runs-on: ${{ fromJson(needs.get-platform.outputs.build-os) }} container: ${{ fromJson(needs.get-platform.outputs.container) }} needs: [get-platform] steps: - uses: actions/checkout@v3 - uses: actions/cache@v3 with: path: ${{ needs.get-platform.outputs.cache-set }} key: ${{ runner.os }}-deno-build-${{ hashFiles('deno.jsonc')}} - uses: teaxyz/setup@v0 id: tea with: srcroot: null prefix: /opt - name: sanitize macOS runners if: fromJson(needs.get-platform.outputs.build-os) == 'macos-11' run: sudo mv /usr/local/bin/* /tmp/ - name: configure tea env run: | echo "$PWD/scripts:$TEA_PREFIX/tea.xyz/var/pantry/scripts" >> $GITHUB_PATH echo "TEA_PANTRY_PATH=$GITHUB_WORKSPACE" >> $GITHUB_ENV - run: tea +tea.xyz/brewkit build ${{ inputs.projects }} id: build env: GITHUB_TOKEN: ${{ github.token }} FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root - run: | ABS_PATHS=$(echo $PATHS | tr ' ' '\n' | sed -e "s_^_$TEA_PREFIX/_" | tr '\n' ' ') echo "paths=$ABS_PATHS" >> $GITHUB_OUTPUT if: startsWith(inputs.platform, 'darwin+') id: absolute-paths env: PATHS: ${{ steps.build.outputs.relative-paths }} TEA_PREFIX: ${{ steps.tea.outputs.prefix }} # sign macOS binaries - uses: teaxyz/pantry.core/.github/actions/apple-signing@main if: startsWith(inputs.platform, 'darwin+') && startsWith(github.repository, 'teaxyz') with: p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }} p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }} identity: "Developer ID Application: Tea Inc. (7WV56FL599)" paths: ${{ steps.absolute-paths.outputs.paths }} # cache data we'll need in the bottling job - name: assemble artifact metadata run: | echo ${{ steps.build.outputs.pkgs }} >built echo ${{ steps.build.outputs.srcs }} >srcs working-directory: ${{ steps.tea.outputs.prefix }} # tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions # /ref https://github.com/actions/upload-artifact/issues/38 - name: create artifacts.tgz run: tar czvf $GITHUB_WORKSPACE/artifacts.tgz ${{ steps.build.outputs.relative-paths }} ${{ steps.build.outputs.srcs-relative-paths }} built srcs working-directory: ${{ steps.tea.outputs.prefix }} - name: upload artifacts uses: actions/upload-artifact@v3 with: name: ${{ inputs.platform }} path: artifacts.tgz if-no-files-found: error test: needs: [get-platform, build] runs-on: ${{ matrix.platform.os }} strategy: fail-fast: false matrix: platform: ${{ fromJson(needs.get-platform.outputs.test-matrix) }} outputs: HAS_SECRETS: ${{ env.HAS_SECRETS }} container: ${{ matrix.platform.container }} steps: - uses: actions/checkout@v3 - uses: actions/cache@v3 with: path: ${{ needs.get-platform.outputs.cache-set }} key: ${{ runner.os }}-deno-test-${{ hashFiles('deno.jsonc')}} - uses: teaxyz/setup@v0 with: srcroot: null - uses: actions/download-artifact@v3 with: name: ${{ inputs.platform }} - name: extract bottles run: tar xzvf artifacts.tgz -C $TEA_PREFIX - run: tea +tea.xyz/brewkit test ${{ inputs.projects }} env: TEA_PANTRY_PATH: ${{ github.workspace }} GITHUB_TOKEN: ${{github.token}} - name: post run: echo "HAS_SECRETS=$HAS_SECRETS" >>$GITHUB_ENV env: HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != null }} bottle: needs: [test] if: inputs.new-version == true uses: ./.github/workflows/bottle.yml with: new-version: ${{ inputs.new-version }} platform: ${{ inputs.platform }} secrets: inherit complain: needs: [test] if: inputs.new-version == true && failure() uses: ./.github/workflows/complain.yml with: projects: ${{ inputs.projects }} platform: ${{ inputs.platform }} secrets: inherit stage: needs: [test] # this only works for PRs from our team to our repo (security! :( ) if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && needs.test.outputs.HAS_SECRETS == 'true' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: actions/cache@v3 with: path: | ~/.deno ~/.cache/deno key: ${{ runner.os }}-deno-stage-${{ hashFiles('deno.jsonc')}} - uses: teaxyz/setup@v0 - name: configure scripts PATH run: echo "$PWD/scripts:$TEA_PREFIX/tea.xyz/var/pantry/scripts" >> $GITHUB_PATH - uses: actions/download-artifact@v3 with: name: ${{ inputs.platform }} - run: cache-artifacts.ts ${{github.repository}} ${{github.ref}} ${{inputs.platform}} artifacts.tgz env: AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}