pantry/.github/workflows/pkg-platform.yml
2023-12-13 05:55:26 -05:00

210 lines
6.9 KiB
YAML

name: pkg for platform
run-name: pkging ${{ inputs.project }} (${{ inputs.name }})
on:
workflow_call:
inputs:
name:
description: >
pretty name for the workflow to make GitHub Actions matrix output
more legible
required: false
type: string
os:
required: true
type: string
container:
required: false
type: string
pkg:
description: eg. `example.com@1.2.3`
required: true
type: string
dry-run:
description: dry runs do not modify bottle storage
type: boolean
default: false
test-os:
description: a JSON array of runner-names
required: true
type: string
test-container:
description: >
A JSON array of docker image names or `[null]`.
Indeed! You cannot leave this as `null` or undefined.
Sorry, GHA is not flexible enough to efficiently work around this.
required: true
type: string
secrets:
APPLE_CERTIFICATE_P12: { required: false }
APPLE_CERTIFICATE_P12_PASSWORD: { required: false }
APPLE_IDENTITY: { required: false }
GPG_KEY_ID: { required: true }
GPG_PRIVATE_KEY: { required: true }
AWS_ACCESS_KEY_ID: { required: false }
AWS_S3_BUCKET: { required: true }
AWS_SECRET_ACCESS_KEY: { required: true }
AWS_CF_DISTRIBUTION_ID: { required: true }
jobs:
build:
name: build (${{inputs.name}})
runs-on: ${{ fromJSON(inputs.os) }}
container: ${{ inputs.container }}
outputs:
pkg: ${{ steps.build.outputs.pkgspec }}
project: ${{ steps.build.outputs.project }}
version: ${{ steps.build.outputs.version }}
platform: ${{ steps.build.outputs.platform }}
arch: ${{ steps.build.outputs.arch }}
env:
PKGX_PANTRY_PATH: ${{ github.workspace }}
steps:
- uses: actions/checkout@v4
- uses: pkgxdev/setup@v2
with:
PKGX_DIR: /opt
- uses: ./.github/actions/setup
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
- uses: pkgxdev/brewkit/build@v1
id: build
with:
pkg: ${{ inputs.pkg }}
- uses: styfle/cancel-workflow-action@0.12.0
if: steps.build.outputs.noop
- uses: pkgxdev/brewkit/audit@v1
- uses: pkgxdev/brewkit/upload-build-artifact@v1
test:
name: test (${{inputs.name}}) ${{ matrix.container || ''}} ${{ join(matrix.os) }}
needs: build
strategy:
matrix:
os: ${{ fromJSON(inputs.test-os) }}
container: ${{ fromJSON(inputs.test-container) }}
runs-on: ${{ matrix.os }}
container: ${{ matrix.container }}
env:
PKGX_PANTRY_PATH: ${{ github.workspace }}
steps:
- uses: pkgxdev/setup@v2
- uses: actions/checkout@v4
- uses: pkgxdev/brewkit/download-build-artifact@v1
- uses: pkgxdev/brewkit/test@v1
with:
pkg: ${{ needs.build.outputs.pkg }}
bottle:
name: bottle (${{inputs.name}}+${{matrix.compression}})
needs: [build, test]
strategy:
matrix:
compression: [xz, gz]
runs-on: ubuntu-latest
outputs:
paths: ${{ steps.put.outputs.cf-paths }}
env:
PREFIX: ${{ needs.build.outputs.project }}/${{ needs.build.outputs.platform }}/${{ needs.build.outputs.arch }}/v${{ needs.build.outputs.version }}.tar.${{ matrix.compression }}
steps:
- uses: pkgxdev/setup@v2
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: import GPG key
run:
echo $GPG_PRIVATE_KEY |
base64 -d |
pkgx gpg --import --batch --yes
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
- uses: pkgxdev/brewkit/download-build-artifact@v1
id: dl
with:
platform: ${{ inputs.name }}
extract: false
- uses: pkgxdev/brewkit/bottle@v1
id: bottle
with:
file: ${{ steps.dl.outputs.filename }}
compression: ${{ matrix.compression }}
- name: gpg
run: pkgx gpg
--detach-sign
--armor
--output ${{ steps.bottle.outputs.filename }}.asc
--local-user ${{ secrets.GPG_KEY_ID }}
${{ steps.bottle.outputs.filename }}
- name: sha
run: pkgx
sha256sum
${{ steps.bottle.outputs.filename }} > ${{ steps.bottle.outputs.filename }}.sha256sum
- name: s3 put
run: |
aws s3 cp ${{ steps.bottle.outputs.filename }} $URL
aws s3 cp ${{ steps.bottle.outputs.filename }}.asc $URL.asc
aws s3 cp ${{ steps.bottle.outputs.filename }}.sha256sum $URL.sha256sum
echo "cf-paths=/$PREFIX /$PREFIX.asc /$PREFIX.sha256sum" >> $GITHUB_OUTPUT
env:
URL: s3://${{ secrets.AWS_S3_BUCKET }}/${{ env.PREFIX }}
id: put
if: ${{ ! inputs.dry-run }}
versions:
runs-on: ubuntu-latest
needs: [bottle, build]
env:
DIRNAME: ${{ needs.build.outputs.project }}/${{ needs.build.outputs.platform }}/${{ needs.build.outputs.arch }}
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: pkgxdev/setup@v2
- name: generate versions.txt
run: |
aws s3 cp \
s3://${{ secrets.AWS_S3_BUCKET }}/${{ needs.build.outputs.project }}/${{ needs.build.outputs.platform }}/${{ needs.build.outputs.arch }}/versions.txt \
./remote-versions.txt
echo "$SCRIPT" > script.ts
pkgx deno run -A script.ts ./remote-versions.txt ${{ needs.build.outputs.version }} > versions.txt
env:
SCRIPT: |
import SemVer, { compare } from "https://raw.githubusercontent.com/pkgxdev/libpkgx/main/src/utils/semver.ts"
const versions = Deno.readTextFileSync(Deno.args[0]).trim().split("\n").filter(x => x)
versions.push(Deno.args[1])
const out = versions.map(x => new SemVer(x)).sort(compare).join("\n")
await Deno.stdout.write(new TextEncoder().encode(out.trim()))
- name: s3 put
run: aws s3 cp versions.txt s3://${{ secrets.AWS_S3_BUCKET }}/$DIRNAME/versions.txt
if: ${{ ! inputs.dry-run }}
- name: invalidate cloudfront
run: aws cloudfront create-invalidation
--distribution-id ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
--paths
/$DIRNAME/versions.txt
${{ needs.bottle.outputs.paths }}
if: ${{ ! inputs.dry-run }}