-
Notifications
You must be signed in to change notification settings - Fork 1.4k
129 lines (113 loc) · 4.17 KB
/
cd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: cd
# creates a draft release with srcs and binary products attached
on:
workflow_dispatch:
inputs:
version:
required: true
concurrency:
group: cd/${{ github.event.inputs.version }}
cancel-in-progress: true
jobs:
qa:
uses: ./.github/workflows/ci.yml
integration-tests:
uses: ./.github/workflows/ci.shellcode.yml
attach-srcs:
runs-on: ubuntu-latest
needs: [qa, integration-tests]
env:
FILENAME: pkgx-${{ github.event.inputs.version }}
steps:
- uses: actions/checkout@v4
with:
path: ${{ env.FILENAME }}
- name: clean
run: rm -rf ${{ env.FILENAME }}/.github .gitbook.yml
- name: stamp version.ts
run: echo "export default function() { return '${{github.event.inputs.version}}' }" > $FILENAME/src/modes/version.ts
- name: include GPG pubkey
run: echo "${{ secrets.GPG_PUBLIC_KEY }}" | base64 -d > $FILENAME/pkgx.dev.pub.asc
- run: tar cJf $FILENAME.tar.xz $FILENAME
- name: attach srcs to release
run: gh release upload --clobber
v${{ github.event.inputs.version }}
../$FILENAME.tar.xz
working-directory:
${{ env.FILENAME }}
env:
# using this token rather than github.token due to `release not found` bug
# https://github.com/pkgxdev/cli/issues/5252
GH_TOKEN: ${{ secrets.GH_TOKEN }}
- uses: actions/upload-artifact@v4
with:
name: srcs
path: ${{ env.FILENAME }}.tar.xz
if-no-files-found: error
attach-binary-products:
needs: attach-srcs
permissions:
actions: write
strategy:
matrix:
platform:
- os: macos-latest
build-id: darwin+x86-64
- os: ubuntu-latest
build-id: linux+x86-64
- os: [self-hosted, macOS, ARM64]
build-id: darwin+aarch64
- os: [self-hosted, linux, ARM64]
build-id: linux+aarch64
fail-fast: false
runs-on: ${{ matrix.platform.os }}
name: ${{ matrix.platform.build-id }}
env:
FILENAME: pkgx-${{ github.event.inputs.version }}+${{ matrix.platform.build-id }}.tar.xz
steps:
- uses: actions/download-artifact@v4
with:
name: srcs
- uses: pkgxdev/dev@v0
- run: pkgx +xz tar xJf pkgx-${{ github.event.inputs.version }}.tar.xz --strip-components=1
- run: deno task compile
- uses: pkgxdev/brewkit/actions/setup-codesign@v0
if: startsWith(matrix.platform.build-id, 'darwin+')
with:
p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
# codesign always fails for deno binaries, even though it
# signs fine. See https://github.com/denoland/deno/issues/575
- run: codesign
--sign "$APPLE_IDENTITY" --force
--preserve-metadata=entitlements,requirements,flags,runtime ./pkgx || true
env:
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
- name: sanity check
run: test "$(./pkgx --version)" = "pkgx ${{ github.event.inputs.version }}"
- run: tar cJf $FILENAME pkgx
- name: GPG sign archive
# NOTE the +sqlite3 is a bug that we can’t figure out that only fails
# on darwin aarch64 in CI, the sqlite dep is not installed for some
# reason. Works locally! So we're confused and stuck.
run: |
./pkgx gpg-agent --daemon || true
echo $GPG_PRIVATE_KEY | \
base64 -d | \
./pkgx +sqlite3 gpg --import --batch --yes
./pkgx gpg \
--detach-sign --armor \
--local-user $GPG_KEY_ID \
$FILENAME
env:
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
- name: attach product to release
run: ./pkgx gh release upload --clobber
v${{ github.event.inputs.version }}
$FILENAME $FILENAME.asc
env:
# using this token rather than github.token due to `release not found` bug
# https://github.com/pkgxdev/cli/issues/5252
GH_TOKEN: ${{ secrets.GH_TOKEN }}
GH_REPO: pkgxdev/pkgx