pantry/.github/workflows/bottle.yml
Jacob Heider 68a47ae737
make branches actually parallel (#167)
* make branches actually parallel

* more

* wut

* wip

* wip
2023-02-02 20:07:32 -05:00

252 lines
8.4 KiB
YAML

name: bottle
on:
workflow_call:
inputs:
new-version:
type: boolean
required: false
default: false
platform:
required: true
type: string
jobs:
get-platform:
runs-on: ubuntu-latest
outputs:
os: ${{ steps.platform.outputs.OS }}
steps:
- uses: actions/checkout@v3
with:
repository: teaxyz/pantry.core
- uses: teaxyz/setup@v0
- run: scripts/get-platform.ts ${{ inputs.projects }}
id: platform
env:
PLATFORM: ${{ inputs.platform }}
bottle:
needs: [get-platform]
runs-on: ${{ fromJson(needs.get-platform.outputs.os) }}
defaults:
run:
working-directory: tea.xyz/var/pantry
outputs:
srcs: ${{ env.srcs }}
built: ${{ env.built }}
pr: ${{ env.PR }}
steps:
- uses: actions/checkout@v3
with:
path: tea.xyz/var/cli
repository: teaxyz/cli
- uses: actions/checkout@v3
with:
path: pantry
- uses: teaxyz/setup@v0
id: tea
with:
srcroot: tea.xyz/var/pantry
prefix: ${{ github.workspace }}
- name: configure scripts PATH
run: echo "$PWD/scripts:$TEA_PREFIX/tea.xyz/var/pantry/scripts" >> $GITHUB_PATH
- uses: actions/download-artifact@v3
if: ${{ inputs.new-version }}
with:
name: ${{ inputs.platform }}
path: tea.xyz/var/pantry
- run: scripts/fetch-pr-artifacts.ts ${{ github.repository }} ${{ github.sha }} ${{ inputs.platform }} >>$GITHUB_ENV
if: ${{ !inputs.new-version }}
env:
GITHUB_TOKEN: ${{github.token}}
AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: tar xzf artifacts.tgz -C ${{ steps.tea.outputs.prefix }}
- run: |
for file in built relative-paths srcs; do
echo "$file=$(cat $file)" >>$GITHUB_ENV
done
working-directory: ${{ steps.tea.outputs.prefix }}
# the next three steps bless our code for Apple. It might be the case they should be
# encapulated separately.
# FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
# ago, and we need bugfixes.
# FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
# github has a doc with similar content, but it's not returning to me atm.
- uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
if: startsWith(inputs.platform, 'darwin+')
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
# Codesign libs and bins
- name: Codesign package
if: startsWith(inputs.platform, 'darwin+')
run: |
for PKG in ${{ env.relative-paths }}; do
find /opt/$PKG -name '*.so' -or -name '*.dylib' -print0 | \
xargs -0 codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" --force -v --deep --timestamp --preserve-metadata=entitlements -o runtime || true
codesign -s "Developer ID Application: Tea Inc. (7WV56FL599)" -v --force --deep --timestamp --preserve-metadata=entitlements -o runtime /opt/$PKG/bin/* || true
done
working-directory: ${{ steps.tea.outputs.prefix }}
# This isn't very informative, but even a no-op is safer than none
- name: Check codesigning
if: startsWith(inputs.platform, 'darwin+')
run: |
for PKG in ${{ env.relative-paths }}; do
for SIG in `find /opt/$PKG -name '*.so' -or -name '*.dylib'` `find /opt/$PKG/bin -type f`; do
codesign -vvv --deep --strict "$SIG"
done
done
working-directory: ${{ steps.tea.outputs.prefix }}
# Needed for self-hosted runner, since it doesn't destroy itself automatically.
- name: Delete keychain
if: always() && inputs.platform == 'darwin+aarch64'
run: security delete-keychain signing_temp.keychain
- run: |
tea +gnupg.org gpg-agent --daemon || true
echo $GPG_PRIVATE_KEY | \
base64 -d | \
tea +gnupg.org gpg --import --batch --yes
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
- run: scripts/bottle.ts $built
id: bottle-xz
env:
COMPRESSION: xz
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- run: scripts/bottle.ts $built
id: bottle-gz
env:
COMPRESSION: gz
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- run: |
echo ${{ steps.bottle-gz.outputs.bottles }} ${{ steps.bottle-xz.outputs.bottles }} >bottles
echo ${{ steps.bottle-gz.outputs.checksums }} ${{ steps.bottle-xz.outputs.checksums }} >checksums
echo ${{ steps.bottle-gz.outputs.signatures }} ${{ steps.bottle-xz.outputs.signatures }} >signatures
SRCS=$(echo $srcs | tr -d '~')
tar cf $GITHUB_WORKSPACE/artifacts.tar \
$SRCS \
${{ steps.bottle-gz.outputs.bottles }} \
${{ steps.bottle-xz.outputs.bottles }} \
bottles checksums signatures
working-directory: ${{ steps.tea.outputs.prefix }}
- name: upload artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ inputs.platform }}-bottles
path: artifacts.tar
if-no-files-found: error
upload:
needs: [bottle]
runs-on: ubuntu-latest
defaults:
run:
working-directory: tea.xyz/var/pantry
steps:
- uses: actions/checkout@v3
with:
path: tea.xyz/var/cli
repository: teaxyz/cli
- uses: actions/checkout@v3
with:
path: pantry
- uses: teaxyz/setup@v0
id: tea
with:
srcroot: tea.xyz/var/pantry
prefix: ${{ github.workspace }}
- uses: actions/download-artifact@v3
with:
name: ${{ inputs.platform }}-bottles
- run: |
tar xvf $GITHUB_WORKSPACE/artifacts.tar
for file in bottles checksums signatures; do
echo "$file=$(cat $file)" >>$GITHUB_ENV
done
working-directory: ${{ steps.tea.outputs.prefix }}
- name: configure scripts PATH
run: echo "$PWD/scripts:$TEA_PREFIX/tea.xyz/var/pantry/scripts" >> $GITHUB_PATH
- name: upload bottles
id: upload
run: scripts/upload.ts
--pkgs ${{ needs.bottle.outputs.built }} ${{ needs.bottle.outputs.built }}
--srcs ${{ needs.bottle.outputs.srcs }} ${{ needs.bottle.outputs.srcs }}
--bottles $bottles
--checksums $checksums
--signatures $signatures
env:
AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- uses: chetan/invalidate-cloudfront-action@v2
env:
PATHS: ${{ steps.upload.outputs.cf-invalidation-paths }}
DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
AWS_REGION: us-east-1
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
cleanup:
runs-on: ubuntu-latest
needs: [bottle, upload]
if: ${{ !inputs.new-version }}
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- run: |
REPO=$(echo ${{github.repository}} | sed -e 's_teaxyz/__')
if test -z "$PR"; then
echo "no PR to clean up"
exit 0
fi
aws s3 rm --recursive s3://$AWS_S3_CACHE/pull-request/$REPO/$PR
env:
AWS_S3_CACHE: ${{ secrets.AWS_S3_CACHE }}
PR: ${{ needs.bottle.outputs.pr }}
complain:
needs: [upload]
if: inputs.new-version == 'true' && failure()
uses: ./.github/workflows/complain.yml
with:
projects: ${{ inputs.projects }}
platform: ${{ inputs.platform }}
secrets: inherit