pantry/.github/workflows/build.yml
Max Howell 9a351d6e8e
Don’t set TEA_PREFIX (#522)
* Don’t set TEA_PREFIX

Fixes https://github.com/teaxyz/cli/issues/427

We build to TEA_PREFIX by default in pantry dev-envs now. You can still override this if you want.

`TEA_PANTRY_PATH=foo tea bar` will now use

* wip
2023-03-09 10:39:49 -05:00

174 lines
5.6 KiB
YAML

name: build
on:
workflow_call:
inputs:
projects:
required: true
type: string
platform:
required: true
type: string
new-version:
type: boolean
required: false
default: false
jobs:
get-platform:
runs-on: ubuntu-latest
outputs:
os: ${{ steps.platform.outputs.os }}
build-os: ${{ steps.platform.outputs.build-os }}
container: ${{ steps.platform.outputs.container }}
test-matrix: ${{ steps.platform.outputs.test-matrix }}
cache-set: ${{ steps.platform.outputs.cache-set }}
steps:
- uses: teaxyz/pantry.core/.github/actions/get-platform@main
id: platform
with:
platform: ${{ inputs.platform }}
build:
runs-on: ${{ fromJson(needs.get-platform.outputs.build-os) }}
container: ${{ fromJson(needs.get-platform.outputs.container) }}
needs: [get-platform]
steps:
- uses: actions/checkout@v3
- uses: teaxyz/pantry.core/.github/actions/setup-brewkit@main
id: tea
with:
prefix: /opt
- name: sanitize macOS runners
if: fromJson(needs.get-platform.outputs.build-os) == 'macos-11'
run: sudo mv /usr/local/bin/* /tmp/
- run: pkg build ${{ inputs.projects }}
id: build
env:
GITHUB_TOKEN: ${{ github.token }}
FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root
- run: |
ABS_PATHS=$(echo $PATHS | tr ' ' '\n' | sed -e "s_^_$TEA_PREFIX/_" | tr '\n' ' ')
echo "paths=$ABS_PATHS" >> $GITHUB_OUTPUT
if: startsWith(inputs.platform, 'darwin+')
id: absolute-paths
env:
PATHS: ${{ steps.build.outputs.relative-paths }}
TEA_PREFIX: ${{ steps.tea.outputs.prefix }}
# sign macOS binaries
- uses: teaxyz/pantry.core/.github/actions/codesign@main
if: startsWith(inputs.platform, 'darwin+') && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
identity: "Developer ID Application: Tea Inc. (7WV56FL599)"
paths: ${{ steps.absolute-paths.outputs.paths }}
# cache data we'll need in the bottling job
- name: assemble artifact metadata
run: |
echo ${{ steps.build.outputs.pkgs }} >built
echo ${{ steps.build.outputs.srcs-relative-paths }} >srcs
working-directory: ${{ steps.tea.outputs.prefix }}
# tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions
# /ref https://github.com/actions/upload-artifact/issues/38
- name: create artifacts.tgz
run:
tar czvf $GITHUB_WORKSPACE/artifacts.tgz
${{ steps.build.outputs.relative-paths }}
${{ steps.build.outputs.srcs-relative-paths }}
built srcs
working-directory: ${{ steps.tea.outputs.prefix }}
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ inputs.platform }}
path: artifacts.tgz
if-no-files-found: error
test:
needs: [get-platform, build]
runs-on: ${{ matrix.platform.os }}
strategy:
matrix:
platform: ${{ fromJson(needs.get-platform.outputs.test-matrix) }}
outputs:
HAS_SECRETS: ${{ env.HAS_SECRETS }}
container: ${{ matrix.platform.container }}
steps:
- uses: actions/checkout@v3
- uses: teaxyz/pantry.core/.github/actions/setup-brewkit@main
- uses: teaxyz/setup@v0
with:
srcroot: null
- uses: actions/download-artifact@v3
with:
name: ${{ inputs.platform }}
- name: clean destination
# Note: needed when changing a directory to a symlink, for example in
# https://github.com/teaxyz/pantry.extra/pull/435
run: |
tar tzf $GITHUB_WORKSPACE/artifacts.tgz | \
awk '{ print length, $0 }' | \
sort -n -s -r | \
cut -d" " -f2- | \
xargs rm -rf
working-directory: ${{ env.TEA_PREFIX }}
- name: extract bottles
run: tar xzvf artifacts.tgz -C $TEA_PREFIX
- run: pkg test ${{ inputs.projects }}
env:
GITHUB_TOKEN: ${{ github.token }}
- name: '[post]'
run:
echo "HAS_SECRETS=$HAS_SECRETS" >>$GITHUB_ENV
env:
HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != null }}
bottle:
needs: [test]
if: inputs.new-version == true
uses: ./.github/workflows/bottle.yml
with:
new-version: ${{ inputs.new-version }}
platform: ${{ inputs.platform }}
secrets: inherit
complain:
needs: [test]
if: inputs.new-version == true && failure()
uses: ./.github/workflows/complain.yml
with:
projects: ${{ inputs.projects }}
platform: ${{ inputs.platform }}
secrets: inherit
stage:
needs: [test]
# this only works for PRs from our team to our repo (security! :( )
if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && needs.test.outputs.HAS_SECRETS == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: ${{ inputs.platform }}
- uses: teaxyz/pantry.core/.github/actions/stage-build-artifacts@main
with:
platform: ${{ inputs.platform }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_CACHE }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}