pantry/.github/workflows/bottle.yml
2023-01-03 18:18:49 -05:00

256 lines
8.9 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

name: bottle
on:
workflow_call:
inputs:
new-version:
type: boolean
required: false
default: false
jobs:
bottle:
runs-on: ${{ matrix.platform.os }}
defaults:
run:
working-directory: tea.xyz/var/pantry
strategy:
matrix:
platform:
- os: macos-11
name: darwin+x86-64
- os: ubuntu-latest
name: linux+x86-64
- os: [self-hosted, macOS, ARM64]
name: darwin+aarch64
- os: [self-hosted, linux, ARM64]
name: linux+aarch64
outputs:
srcs: ${{ env.srcs }}
built: ${{ env.built }}
pr: ${{ env.PR }}
steps:
- uses: actions/checkout@v3
with:
path: tea.xyz/var/cli
repository: teaxyz/cli
- uses: actions/checkout@v3
with:
path: pantry
- uses: teaxyz/setup@v0
id: tea
with:
srcroot: tea.xyz/var/pantry
prefix: ${{ github.workspace }}
- run: |
# in case this PR contains updates to the scripts
#TODO only do for PRs
if test "$GITHUB_REPOSITORY" = "teaxyz/pantry.core"; then
cp -rv $GITHUB_WORKSPACE/pantry/scripts/* $(tea --prefix)/tea.xyz/var/pantry/scripts
fi
- uses: actions/download-artifact@v3
if: ${{ inputs.new-version }}
with:
name: ${{ matrix.platform.name }}
path: tea.xyz/var/pantry
- run: scripts/fetch-pr-artifacts.ts ${{ github.repository }} ${{ github.sha }} ${{ matrix.platform.name }} >>$GITHUB_ENV
if: ${{ !inputs.new-version }}
env:
GITHUB_TOKEN: ${{github.token}}
AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: tar xzf artifacts.tgz -C ${{ steps.tea.outputs.prefix }}
- run: |
for file in built relative-paths srcs; do
echo "$file=$(cat $file)" >>$GITHUB_ENV
done
working-directory: ${{ steps.tea.outputs.prefix }}
# the next three steps bless our code for Apple. It might be the case they should be
# encapulated separately.
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
# ago, and we need bugfixes.
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
# github has a doc with similar content, but it's not returning to me atm.
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
# Codesign libs and bins
- name: Codesign package
if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
run: |
for PKG in ${{ env.relative-paths }}; do
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
done
working-directory: ${{ steps.tea.outputs.prefix }}
# This isn't very informative, but even a no-op is safer than none
- name: Check codesigning
if: matrix.platform.name == 'darwin+aarch64' || matrix.platform.name == 'darwin+x86-64'
run: |
for PKG in ${{ env.relative-paths }}; do
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
codesign -vvv --deep --strict "$SIG"
done
done
working-directory: ${{ steps.tea.outputs.prefix }}
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
- name: Delete keychain
if: always() && matrix.platform.name == 'darwin+aarch64'
run: security delete-keychain signing_temp.keychain
- run: |
tea +gnupg.org gpg-agent --daemon || true
echo $GPG_PRIVATE_KEY | \
base64 -d | \
tea +gnupg.org gpg --import --batch --yes
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
- run: scripts/bottle.ts $built
id: bottle-xz
env:
COMPRESSION: xz
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- run: scripts/bottle.ts $built
id: bottle-gz
env:
COMPRESSION: gz
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- run: |
echo ${{ steps.bottle-gz.outputs.bottles }} ${{ steps.bottle-xz.outputs.bottles }} >bottles
echo ${{ steps.bottle-gz.outputs.checksums }} ${{ steps.bottle-xz.outputs.checksums }} >checksums
echo ${{ steps.bottle-gz.outputs.signatures }} ${{ steps.bottle-xz.outputs.signatures }} >signatures
tar cf $GITHUB_WORKSPACE/artifacts.tar \
$srcs \
${{ steps.bottle-gz.outputs.bottles }} \
${{ steps.bottle-xz.outputs.bottles }} \
bottles checksums signatures
working-directory: ${{ steps.tea.outputs.prefix }}
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.platform.name }}-bottles
path: artifacts.tar
if-no-files-found: error
upload:
needs: [bottle]
runs-on: ubuntu-latest
defaults:
run:
working-directory: tea.xyz/var/pantry
strategy:
matrix:
platform:
- os: macos-11
name: darwin+x86-64
- os: ubuntu-latest
name: linux+x86-64
- os: [self-hosted, macOS, ARM64]
name: darwin+aarch64
- os: [self-hosted, linux, ARM64]
name: linux+aarch64
steps:
- uses: actions/checkout@v3
with:
path: tea.xyz/var/cli
repository: teaxyz/cli
- uses: actions/checkout@v3
with:
path: pantry
- uses: teaxyz/setup@v0
id: tea
with:
srcroot: tea.xyz/var/pantry
prefix: ${{ github.workspace }}
- uses: actions/download-artifact@v3
with:
name: ${{ matrix.platform.name }}-bottles
- run: |
tar xvf $GITHUB_WORKSPACE/artifacts.tar
for file in bottles checksums signatures; do
echo "$file=$(cat $file)" >>$GITHUB_ENV
done
working-directory: ${{ steps.tea.outputs.prefix }}
- run: |
# in case this PR contains updates to the scripts
#TODO only do for PRs
if test "$GITHUB_REPOSITORY" = "teaxyz/pantry.core"; then
cp -rv $GITHUB_WORKSPACE/pantry/scripts/* $(tea --prefix)/tea.xyz/var/pantry/scripts
fi
- name: upload bottles
id: upload
run: scripts/upload.ts
--pkgs ${{ needs.bottle.outputs.built }} ${{ needs.bottle.outputs.built }}
--srcs ${{ needs.bottle.outputs.srcs }} ${{ needs.bottle.outputs.srcs }}
--bottles $bottles
--checksums $checksums
--signatures $signatures
env:
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
#NOTE ideally wed invalidate all at once so this is atomic
# however GHA cant consolidate outputs from a matrix :/
- uses: chetan/invalidate-cloudfront-action@v2
env:
PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }}
DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
cleanup:
runs-on: ubuntu-latest
needs: [bottle, upload]
if: ${{ !inputs.new-version }}
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- run: |
REPO=$(echo ${{github.repository}} | sed -e 's_teaxyz/__')
if test -z "$PR"; then
echo "no PR to clean up"
exit 0
fi
aws s3 rm --recursive s3://$AWS_S3_CACHE/pull-request/$REPO/$PR
env:
AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
PR: ${{ needs.bottle.outputs.pr }}