name: build on: workflow_call: inputs: projects: required: true type: string jobs: queue-builder: runs-on: ubuntu-latest steps: - name: queue run: | curl https://app.tea.xyz/api/builder/enqueue \ -H "authorization: bearer ${{ secrets.TEA_API_TOKEN }}" \ -d "$GITHUB_SHA ${{ inputs.projects }}" build: runs-on: ${{ matrix.os }} strategy: matrix: include: - os: macos-11 container: ~ - os: ubuntu-latest container: image: ghcr.io/teaxyz/infuser:main options: --memory=16g container: ${{ matrix.container }} defaults: run: working-directory: pantry outputs: built: ${{ steps.build.outputs.pkgs }} pkgs: ${{ steps.sorted.outputs.pkgs }} ${{ steps.sorted.outputs.pre-install }} steps: - name: co pantry uses: actions/checkout@v3 with: path: pantry - name: co cli uses: actions/checkout@v3 with: path: cli repository: teaxyz/cli token: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }} - name: HACKS run: | case ${{ matrix.os }} in ubuntu-latest) rm -rf /opt/tea.xyz/var/pantry ln -s $GITHUB_WORKSPACE/pantry /opt/tea.xyz/var/pantry # no git in our image, needed for tea finding SRCROOT mkdir .git ../cli/.git #FIXME needed for gdk-pixbuf apt --yes install shared-mime-info #FIXME **we provide curl** but it fails, we must figure out why apt --yes install curl ;; macos-11) # screws up a lot of build scripts # TODO stop using GHA images or chroot or something for x in /usr/local/*; do sudo mv $x /tmp; done sudo mkdir -p /opt/tea.xyz/var sudo chown -R $(whoami):staff /opt ln -s $GITHUB_WORKSPACE/pantry /opt/tea.xyz/var/pantry # HACKs for teaxyz/setup since it currently requires the working dir to be a srcroot cp README.md .. mkdir ../.git # for scripts/fix-machos.rb sudo gem install ruby-macho ;; *) exit 1 esac touch /opt/.hack - uses: teaxyz/setup@v0 env: TEA_SECRET: ${{ secrets.TEA_SECRET }} VERBOSE: 1 id: tea with: prefix: /opt - name: sort topologically run: scripts/sort.ts ${{ inputs.projects }} id: sorted - run: ../cli/scripts/install.ts ${{ steps.sorted.outputs.pre-install }} - run: scripts/build.ts ${{ steps.sorted.outputs.pkgs }} id: build env: # GITHUB_TOKEN doesn't have private access to teaxyz/cli. # TODO restore to ${{ github.token }} when public GITHUB_TOKEN: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }} FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root - name: upload artifacts uses: actions/upload-artifact@v3 with: name: ${{ matrix.os }} path: | ${{ steps.build.outputs.paths }} ${{ steps.tea.outputs.prefix }}/.hack # ^^ so the uploaded artifacts keep eg. foo.com/v1.2.3 as prefixes if-no-files-found: error test: needs: [build] runs-on: ${{ matrix.os }} defaults: run: working-directory: pantry strategy: matrix: os: - macos-11 - ubuntu-latest steps: - uses: actions/checkout@v3 with: path: pantry - name: co cli uses: actions/checkout@v3 with: path: cli repository: teaxyz/cli token: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }} - name: HACKS run: | mkdir -p ~/opt/tea.xyz/var ln -s $GITHUB_WORKSPACE/pantry ~/opt/tea.xyz/var/pantry cp README.md .. - uses: teaxyz/setup@v0 id: tea env: TEA_SECRET: ${{ secrets.TEA_SECRET }} - uses: actions/download-artifact@v3 with: name: ${{ matrix.os }} path: ${{ steps.tea.outputs.prefix }} - run: echo ${{ inputs.projects }} | xargs -tn1 scripts/test.ts bottle: defaults: run: working-directory: pantry needs: [test, build] runs-on: ${{ matrix.platform }} strategy: matrix: platform: - macos-11 - ubuntu-latest compression: - xz - gz steps: - uses: actions/checkout@v3 with: path: pantry - name: co cli uses: actions/checkout@v3 with: path: cli repository: teaxyz/cli token: ${{ secrets.TEMP_JACOBS_GITHUB_PAT }} - name: HACKS run: | mkdir -p ~/opt/tea.xyz/var ln -s $GITHUB_WORKSPACE/pantry ~/opt/tea.xyz/var/pantry cp README.md .. - uses: teaxyz/setup@v0 id: tea env: TEA_SECRET: ${{ secrets.TEA_SECRET }} - uses: actions/download-artifact@v3 with: name: ${{ matrix.platform }} path: ${{ steps.tea.outputs.prefix }} - run: scripts/bottle.ts ${{ needs.build.outputs.built }} id: bottle env: COMPRESSION: ${{ matrix.compression }} - run: ls -la ${{ steps.bottle.outputs.bottles }} - name: upload bottles id: upload run: scripts/upload.ts --pkgs ${{ needs.build.outputs.built }} --bottles ${{ steps.bottle.outputs.bottles }} --checksums ${{ steps.bottle.outputs.checksums }} env: AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} #NOTE ideally we’d invalidate all at once so this is atomic # however GHA can’t consolidate outputs from a matrix :/ - uses: chetan/invalidate-cloudfront-action@v2 env: PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }} DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }} AWS_REGION: us-east-1 AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} notify: if: always() needs: [bottle] runs-on: ubuntu-latest steps: - uses: rtCamp/action-slack-notify@v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} SLACK_MESSAGE: build job for ${{ inputs.projects }} ${{ needs.verify-relocatable.result }} SLACK_COLOR: $ {{ needs.verify-relocatable.result }}