name: bottle on: workflow_call: inputs: new-version: type: boolean required: false default: false platform: required: true type: string jobs: get-platform: runs-on: ubuntu-latest outputs: os: ${{ steps.platform.outputs.OS }} steps: - uses: actions/checkout@v3 with: repository: teaxyz/pantry.core - uses: teaxyz/setup@v0 - run: scripts/get-platform.ts ${{ inputs.projects }} id: platform env: PLATFORM: ${{ inputs.platform }} bottle: needs: [get-platform] runs-on: ${{ fromJson(needs.get-platform.outputs.os) }} defaults: run: working-directory: tea.xyz/var/pantry outputs: srcs: ${{ env.srcs }} built: ${{ env.built }} pr: ${{ env.PR }} steps: - uses: actions/checkout@v3 with: path: tea.xyz/var/cli repository: teaxyz/cli - uses: actions/checkout@v3 with: path: pantry - uses: teaxyz/setup@v0 id: tea with: srcroot: tea.xyz/var/pantry prefix: ${{ github.workspace }} - name: configure scripts PATH run: echo "$PWD/scripts:$TEA_PREFIX/tea.xyz/var/pantry/scripts" >> $GITHUB_PATH - uses: actions/download-artifact@v3 if: ${{ inputs.new-version }} with: name: ${{ inputs.platform }} path: tea.xyz/var/pantry - run: scripts/fetch-pr-artifacts.ts ${{ github.repository }} ${{ github.sha }} ${{ inputs.platform }} >>$GITHUB_ENV if: ${{ !inputs.new-version }} env: GITHUB_TOKEN: ${{github.token}} AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: tar xzf artifacts.tgz -C ${{ steps.tea.outputs.prefix }} - run: | for file in built relative-paths srcs; do echo "$file=$(cat $file)" >>$GITHUB_ENV done working-directory: ${{ steps.tea.outputs.prefix }} # the next three steps bless our code for Apple. It might be the case they should be # encapulated separately. # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years # ago, and we need bugfixes. # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions # github has a doc with similar content, but it's not returning to me atm. - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494 if: startsWith(inputs.platform, 'darwin+') with: p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }} p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }} # Codesign libs and bins - name: Codesign package if: startsWith(inputs.platform, 'darwin+') run: | for PKG in ${{ env.relative-paths }}; do find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \ xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true done working-directory: ${{ steps.tea.outputs.prefix }} # This isn't very informative, but even a no-op is safer than none - name: Check codesigning if: startsWith(inputs.platform, 'darwin+') run: | for PKG in ${{ env.relative-paths }}; do for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do codesign -vvv --deep --strict "$SIG" done done working-directory: ${{ steps.tea.outputs.prefix }} # Needed for self-hosted runner, since it doesn't destroy itself automatically. - name: Delete keychain if: always() && inputs.platform == 'darwin+aarch64' run: security delete-keychain signing_temp.keychain - run: | tea +gnupg.org gpg-agent --daemon || true echo $GPG_PRIVATE_KEY | \ base64 -d | \ tea +gnupg.org gpg --import --batch --yes env: GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - run: scripts/bottle.ts $built id: bottle-xz env: COMPRESSION: xz GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: scripts/bottle.ts $built id: bottle-gz env: COMPRESSION: gz GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: | echo ${{ steps.bottle-gz.outputs.bottles }} ${{ steps.bottle-xz.outputs.bottles }} >bottles echo ${{ steps.bottle-gz.outputs.checksums }} ${{ steps.bottle-xz.outputs.checksums }} >checksums echo ${{ steps.bottle-gz.outputs.signatures }} ${{ steps.bottle-xz.outputs.signatures }} >signatures SRCS=$(echo $srcs | tr -d '~') tar cf $GITHUB_WORKSPACE/artifacts.tar \ $SRCS \ ${{ steps.bottle-gz.outputs.bottles }} \ ${{ steps.bottle-xz.outputs.bottles }} \ bottles checksums signatures working-directory: ${{ steps.tea.outputs.prefix }} - name: upload artifacts uses: actions/upload-artifact@v3 with: name: ${{ inputs.platform }}-bottles path: artifacts.tar if-no-files-found: error upload: needs: [bottle] runs-on: ubuntu-latest defaults: run: working-directory: tea.xyz/var/pantry steps: - uses: actions/checkout@v3 with: path: tea.xyz/var/cli repository: teaxyz/cli - uses: actions/checkout@v3 with: path: pantry - uses: teaxyz/setup@v0 id: tea with: srcroot: tea.xyz/var/pantry prefix: ${{ github.workspace }} - uses: actions/download-artifact@v3 with: name: ${{ inputs.platform }}-bottles - run: | tar xvf $GITHUB_WORKSPACE/artifacts.tar for file in bottles checksums signatures; do echo "$file=$(cat $file)" >>$GITHUB_ENV done working-directory: ${{ steps.tea.outputs.prefix }} - name: configure scripts PATH run: echo "$PWD/scripts:$TEA_PREFIX/tea.xyz/var/pantry/scripts" >> $GITHUB_PATH - name: upload bottles id: upload run: scripts/upload.ts --pkgs ${{ needs.bottle.outputs.built }} ${{ needs.bottle.outputs.built }} --srcs ${{ needs.bottle.outputs.srcs }} ${{ needs.bottle.outputs.srcs }} --bottles $bottles --checksums $checksums --signatures $signatures env: AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - uses: chetan/invalidate-cloudfront-action@v2 env: PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }} DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }} AWS_REGION: us-east-1 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} cleanup: runs-on: ubuntu-latest needs: [bottle, upload] if: ${{ !inputs.new-version }} steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - run: | REPO=$(echo ${{github.repository}} | sed -e 's_teaxyz/__') if test -z "$PR"; then echo "no PR to clean up" exit 0 fi aws s3 rm --recursive s3://$AWS_S3_CACHE/pull-request/$REPO/$PR env: AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }} PR: ${{ needs.bottle.outputs.pr }} complain: if: failure() && inputs.new-version == 'true' needs: [upload] runs-on: ubuntu-latest steps: - uses: martialonline/workflow-status@v3 id: status - uses: rtCamp/action-slack-notify@v2 if: ${{ env.SLACK_WEBHOOK != '' }} env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} SLACK_MESSAGE: new-version:${{ inputs.projects }} (${{ inputs.platform }}) ${{ steps.status.outputs.status }} SLACK_COLOR: ${{ steps.status.outputs.status }} - uses: actions/checkout@v3 if: ${{ steps.status.outputs.status == 'failure' }} - uses: JasonEtco/create-an-issue@v2 if: ${{ steps.status.outputs.status == 'failure' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PACKAGE: ${{ inputs.projects }} (${{ inputs.platform }}) URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}