pantry/.github/workflows/build.yml

155 lines
5.3 KiB
YAML

name: build
on:
workflow_call:
inputs:
projects:
required: true
type: string
platform:
required: true
type: string
jobs:
get-platform:
runs-on: ubuntu-latest
outputs:
os: ${{ steps.platform.outputs.os }}
build-os: ${{ steps.platform.outputs.build-os }}
container: ${{ steps.platform.outputs.container }}
test-matrix: ${{ steps.platform.outputs.test-matrix }}
cache-set: ${{ steps.platform.outputs.cache-set }}
available: ${{ steps.platform.outputs.available }}
steps:
- uses: pkgxdev/brewkit/actions/get-platform@v0
id: platform
with:
platform: ${{ inputs.platform }}
projects: ${{ inputs.projects }}
build:
runs-on: ${{ fromJson(needs.get-platform.outputs.build-os) }}
container: ${{ fromJson(needs.get-platform.outputs.container) }}
needs: [get-platform]
if: ${{ needs.get-platform.outputs.available != '' }}
steps:
- uses: actions/checkout@v4
- uses: pkgxdev/brewkit/actions/setup-brewkit@v0
id: pkgx
with:
prefix: /opt
timeout-minutes: 10
- name: sanitize macOS runners
if: fromJson(needs.get-platform.outputs.build-os) == 'macos-11'
run: sudo mv /usr/local/bin/* /tmp/
# setup macOS codesigning
- uses: pkgxdev/brewkit/actions/setup-codesign@v0
if: startsWith(inputs.platform, 'darwin+') && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
- run: pkg build ${{ needs.get-platform.outputs.available }}
id: build
env:
GITHUB_TOKEN: ${{ github.token }}
FORCE_UNSAFE_CONFIGURE: 1 # some configure scripts refuse to run as root
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY || '-' }}
SRCROOT: $GITHUB_WORKSPACE
- run: |
ABS_PATHS=$(echo $PATHS | tr ' ' '\n' | sed -e "s_^_/opt/_" | tr '\n' ' ')
echo "paths=$ABS_PATHS" >> $GITHUB_OUTPUT
if: startsWith(inputs.platform, 'darwin+')
id: absolute-paths
env:
PATHS: ${{ steps.build.outputs.relative-paths }}
# cache data we'll need in the bottling job
- name: assemble artifact metadata
run: |
echo ${{ steps.build.outputs.pkgs }} >built
echo ${{ steps.build.outputs.srcs-relative-paths }} >srcs
working-directory: /opt
# tarring ourselves ∵ GHA-artifacts (ludicrously) lose permissions
# /ref https://github.com/actions/upload-artifact/issues/38
- name: create artifacts.tgz
run: tar czvf $GITHUB_WORKSPACE/artifacts.tgz
${{ steps.build.outputs.relative-paths }}
${{ steps.build.outputs.srcs-relative-paths }}
built srcs
working-directory: /opt
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ inputs.platform }}
path: artifacts.tgz
if-no-files-found: error
test:
needs: [get-platform, build]
if: ${{ needs.get-platform.outputs.available != '' }}
runs-on: ${{ matrix.platform.os }}
strategy:
matrix:
platform: ${{ fromJson(needs.get-platform.outputs.test-matrix) }}
name: test ${{ matrix.platform.name-extra }}
outputs:
HAS_SECRETS: ${{ env.HAS_SECRETS }}
container: ${{ matrix.platform.container }}
steps:
- uses: actions/checkout@v4
- uses: pkgxdev/brewkit/actions/setup-brewkit@v0
timeout-minutes: 10
- uses: actions/download-artifact@v3
with:
name: ${{ inputs.platform }}
- name: clean destination
# Note: needed when changing a directory to a symlink, for example in
# https://github.com/pkgxdev/pantry/pull/435
run: |
cd $HOME/.pkgx
tar tzf $GITHUB_WORKSPACE/artifacts.tgz | \
awk '{ print length, $0 }' | \
sort -n -s -r | \
cut -d" " -f2- | \
xargs rm -rf
- name: extract bottles
run: tar xzvf artifacts.tgz -C $HOME/.pkgx
- run: pkg test ${{ needs.get-platform.outputs.available }}
env:
GITHUB_TOKEN: ${{ github.token }}
# FIXME: this shouldn't be necessary, but it currently is for the
# ubuntu+container test matrix entries. :/
PKGX_PANTRY_PATH: $GITHUB_WORKSPACE
- name: "[post]"
run: echo "HAS_SECRETS=$HAS_SECRETS" >>$GITHUB_ENV
env:
HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != null }}
stage:
needs: [get-platform, test]
# this only works for PRs from our team to our repo (security! :( )
if: startsWith(github.ref, 'refs/pull/') && github.repository_owner == 'pkgxdev' && needs.test.outputs.HAS_SECRETS == 'true' && needs.get-platform.outputs.available != ''
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: ${{ inputs.platform }}
- uses: pkgxdev/brewkit/actions/stage-build-artifacts@v0
with:
platform: ${{ inputs.platform }}
AWS_S3_BUCKET: ${{ secrets.AWS_S3_CACHE }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}