ci fixups #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: brew pr-pull | |
| on: | |
| pull_request_target: | |
| types: | |
| - labeled | |
| workflow_dispatch: | |
| inputs: | |
| pull_request: | |
| description: Pull request number | |
| type: number | |
| required: true | |
| large_runner: | |
| description: "Run the upload job on a large runner? (default: false)" | |
| type: boolean | |
| required: false | |
| default: false | |
| autosquash: | |
| description: "Squash pull request commits according to Homebrew style? (default: false)" | |
| type: boolean | |
| required: false | |
| default: false | |
| warn_on_upload_failure: | |
| description: "Pass `--warn-on-upload-failure` to `brew pr-pull`? (default: false)" | |
| type: boolean | |
| required: false | |
| default: false | |
| message: | |
| description: "Message to include when autosquashing revision bumps, deletions, and rebuilds (requires autosquash)" | |
| required: false | |
| jobs: | |
| check: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| bottles: ${{ steps.pr-branch-check.outputs.bottles }} | |
| head_sha: ${{ steps.pr-branch-check.outputs.head_sha }} | |
| branch: ${{ steps.pr-branch-check.outputs.branch }} | |
| remote_branch: ${{ steps.pr-branch-check.outputs.remote_branch }} | |
| remote: ${{ steps.pr-branch-check.outputs.remote }} | |
| replace: ${{ steps.pr-branch-check.outputs.replace }} | |
| requires_merge: ${{ steps.pr-branch-check.outputs.requires_merge }} | |
| steps: | |
| - name: Check PR approval | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| if jq --exit-status 'all(.[].state; .!= "APPROVED")' | |
| then | |
| echo "::error ::PR #$PR is not approved!" | |
| exit 1 | |
| fi < <( | |
| gh api \ | |
| --header 'Accept: application/vnd.github+json' \ | |
| --header 'X-GitHub-Api-Version: 2022-11-28' \ | |
| --paginate \ | |
| "repos/$GITHUB_REPOSITORY/pulls/$PR/reviews" | |
| ) | |
| - name: Check PR branch for mergeability | |
| id: pr-branch-check | |
| env: | |
| GH_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
| run: | | |
| pr_data="$( | |
| gh api \ | |
| --header 'Accept: application/vnd.github+json' \ | |
| --header 'X-GitHub-Api-Version: 2022-11-28' \ | |
| "repos/$GH_REPO/pulls/$PR" | |
| )" | |
| pushable="$(jq .maintainer_can_modify <<< "$pr_data")" | |
| branch="$(jq --raw-output .head.ref <<< "$pr_data")" | |
| remote="$(jq --raw-output .head.repo.clone_url <<< "$pr_data")" | |
| head_repo="$(jq --raw-output .head.repo.full_name <<< "$pr_data")" | |
| head_repo_owner="$(jq --raw-output .head.repo.owner.login <<< "$pr_data")" | |
| head_sha="$(jq --raw-output .head.sha <<< "$pr_data")" | |
| fork_type="$(jq --raw-output .head.repo.owner.type <<< "$pr_data")" | |
| state="$(jq --raw-output .state <<< "$pr_data")" | |
| node_id="$(jq --raw-output .node_id <<< "$pr_data")" | |
| merged="$(jq --raw-output .merged <<< "$pr_data")" | |
| automerge_enabled="$(jq --raw-output '.auto_merge != null' <<< "$pr_data")" | |
| if [[ -z "$pushable" ]] || | |
| [[ -z "$branch" ]] || | |
| [[ -z "$remote" ]] || | |
| [[ -z "$head_repo" ]] || | |
| [[ -z "$head_repo_owner" ]] || | |
| [[ -z "$head_sha" ]] || | |
| [[ -z "$fork_type" ]] || | |
| [[ -z "$state" ]] || | |
| [[ -z "$merged" ]] || | |
| [[ -z "$node_id" ]] || | |
| [[ -z "$automerge_enabled" ]] | |
| then | |
| echo "::error ::Failed to get PR data!" | |
| exit 1 | |
| fi | |
| if [[ "$state" = "closed" ]] | |
| then | |
| echo "::error ::PR #$PR is closed!" | |
| exit 1 | |
| fi | |
| bottles=true | |
| while IFS='' read -r label | |
| do | |
| if [[ "$label" = "CI-syntax-only" ]] || | |
| [[ "$label" = "CI-no-bottles" ]] || | |
| [[ "$label" = "CI-published-bottle-commits" ]] | |
| then | |
| echo '::notice ::No bottles to publish according to PR labels.' | |
| bottles=false | |
| break | |
| fi | |
| done < <(jq --raw-output '.labels[].name' <<< "$pr_data") | |
| requires_merge=true | |
| if [[ "$merged" = "true" || "$automerge_enabled" = "true" ]] | |
| then | |
| echo '::notice ::Pull request is either already merged or queued to merge.' | |
| requires_merge=false | |
| fi | |
| if [[ "$branch" = "master" ]] | |
| then | |
| branch="$head_repo_owner/master" | |
| remote_branch="master" | |
| else | |
| remote_branch="$branch" | |
| fi | |
| { | |
| echo "bottles=$bottles" | |
| echo "head_sha=$head_sha" | |
| echo "branch=$branch" | |
| echo "remote_branch=$remote_branch" | |
| echo "remote=$remote" | |
| echo "node_id=$node_id" | |
| echo "requires_merge=$requires_merge" | |
| echo "replace=${{ inputs.autosquash }}" | |
| } >> "$GITHUB_OUTPUT" | |
| if "$pushable" && [[ "$fork_type" != "Organization" ]] || | |
| [[ "$head_repo" = "$GH_REPO" ]] || | |
| [[ "$bottles" = "false" ]] | |
| then | |
| exit 0 | |
| elif "$pushable" || [[ "$fork_type" = "Organization" ]] | |
| then | |
| MESSAGE="$ORG_FORK_MESSAGE" | |
| else | |
| MESSAGE="$NON_PUSHABLE_MESSAGE" | |
| fi | |
| echo "replace=true" >> "$GITHUB_OUTPUT" | |
| gh pr comment "$PR" --body "$MESSAGE" --repo "$GITHUB_REPOSITORY" | |
| gh pr edit --add-label 'no push access' "$PR" --repo "$GITHUB_REPOSITORY" | |
| pr-pull: | |
| needs: check | |
| if: contains(github.event.pull_request.labels.*.name, 'pr-pull') | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, macos-12, macos-13, macos-latest] | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Set up Homebrew | |
| id: set-up-homebrew | |
| uses: Homebrew/actions/setup-homebrew@master | |
| - name: Configure Git user | |
| id: git-user-config | |
| uses: Homebrew/actions/git-user-config@master | |
| with: | |
| username: ${{ (github.actor != 'github-actions[bot]' && github.actor) || vars.LYRAPHASE_RUNNER_USER }} | |
| - name: Checkout PR branch | |
| working-directory: ${{steps.set-up-homebrew.outputs.repository-path}} | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr checkout "$PR" --repo "$GITHUB_REPOSITORY" | |
| - name: Pull bottles | |
| id: pr-pull | |
| env: | |
| HOMEBREW_NO_AUTO_UPDATE: 1 | |
| BREWTESTBOT_NAME_EMAIL: ${{ vars.LYRAPHASE_RUNNER_NAME_EMAIL }} | |
| HOMEBREW_GITHUB_PACKAGES_USER: ${{ vars.LYRAPHASE_RUNNER_USER }} | |
| HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{ secrets.LYRAPHASE_RUNNER_PACKAGES_TOKEN }} | |
| HOMEBREW_GITHUB_API_TOKEN: ${{ github.token }} | |
| PULL_REQUEST: ${{ github.event.pull_request.number }} | |
| run: | | |
| brew pr-pull \ | |
| --debug \ | |
| --no-upload \ | |
| --clean \ | |
| --autosquash \ | |
| --tap="$GITHUB_REPOSITORY" \ | |
| --github-org="${GITHUB_REPOSITORY_OWNER}" \ | |
| --committer="$BREWTESTBOT_NAME_EMAIL" \ | |
| --root-url="https://ghcr.io/v2/${GITHUB_REPOSITORY_OWNER}/${GITHUB_REPOSITORY#*/homebrew-}" \ | |
| --retain-bottle-dir \ | |
| "$PULL_REQUEST" | |
| - name: Generate build provenance | |
| uses: actions/attest-build-provenance@v1 | |
| with: | |
| github-token: '${{ secrets.LYRAPHASE_RUNNER_PACKAGES_TOKEN }}' | |
| subject-path: '${{steps.pr-pull.outputs.bottle_path}}/*.tar.gz' | |
| - name: Upload bottles to GitHub Packages | |
| id: pr-upload | |
| working-directory: ${{steps.pr-pull.outputs.bottle_path}} | |
| env: | |
| HOMEBREW_NO_AUTO_UPDATE: 1 | |
| BREWTESTBOT_NAME_EMAIL: ${{ vars.LYRAPHASE_RUNNER_NAME_EMAIL }} | |
| HOMEBREW_GITHUB_PACKAGES_USER: ${{ vars.LYRAPHASE_RUNNER_USER }} | |
| HOMEBREW_GITHUB_PACKAGES_TOKEN: ${{ secrets.LYRAPHASE_RUNNER_PACKAGES_TOKEN }} | |
| REPO_PATH: ${{steps.set-up-homebrew.outputs.repository-path}} | |
| run: | | |
| # Don't quote arguments that might be empty; this causes errors when `brew` | |
| # interprets them as empty arguments when we want `brew` to ignore them instead. | |
| brew pr-upload \ | |
| --debug \ | |
| --committer="$BREWTESTBOT_NAME_EMAIL" \ | |
| --root-url="https://ghcr.io/v2/${GITHUB_REPOSITORY_OWNER}/${GITHUB_REPOSITORY#*/homebrew-}" \ | |
| ${{inputs.warn_on_upload_failure && '--warn-on-upload-failure' || ''}} | |
| echo "head_sha=$(git -C "$REPO_PATH" rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| - name: Push commits | |
| uses: Homebrew/actions/git-try-push@master | |
| with: | |
| token: ${{ secrets.LYRAPHASE_RUNNER_AUTOMERGE_TOKEN }} | |
| directory: ${{ steps.set-up-homebrew.outputs.repository-path }} | |
| remote: ${{ needs.check.outputs.remote }} | |
| branch: ${{ needs.check.outputs.branch }} | |
| remote_branch: ${{ needs.check.outputs.remote_branch }} | |
| env: | |
| GIT_COMMITTER_NAME: ${{ vars.LYRAPHASE_RUNNER_USER }} | |
| GIT_COMMITTER_EMAIL: ${{ vars.LYRAPHASE_RUNNER_EMAIL }} | |
| # HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }} | |
| # TODO: Find out if this permission is needed? | |
| # id-token: write | |
| # OIDC JWT token request access | |
| # Reference: https://github.com/github/docs/issues/25952#issuecomment-1616560496 | |
| - name: Post comment on failure | |
| if: failure() | |
| uses: Homebrew/actions/post-comment@master | |
| with: | |
| token: ${{secrets.GITHUB_TOKEN}} | |
| issue: ${{ inputs.pull_request || github.event.pull_request.number }} | |
| body: ":warning: @${{github.actor}} bottle publish [failed](${{env.RUN_URL}})." | |
| bot_body: ":warning: Bottle publish [failed](${{env.RUN_URL}})." | |
| bot: github-actions[bot] | |
| # - name: Delete branch | |
| # if: github.event.pull_request.head.repo.fork == false | |
| # env: | |
| # BRANCH: ${{ github.event.pull_request.head.ref }} | |
| # run: git push --delete origin $BRANCH |