move all actions to brewkit (#38)

* move all actions to `brewkit`

* move scripts

* prep for merge

* make actions/scripts top-level; move utils

Author: jhheider

.github/workflows/retagger.yml

@@ -0,0 +1,15 @@
+on:
+  release:
+    types:
+      - created
+      - edited
+permissions:
+  contents: write
+jobs:
+  retag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: fischerscode/tagger@v0
+        with:
+          prefix: v

actions/bottle/action.yml

@@ -0,0 +1,37 @@
+name: tea/pantry/bottle
+description: internal tea.xyz specific at this time
+
+inputs:
+  gpg-key-id:
+    description: gpg key id
+    required: true
+  gpg-key-passphrase:
+    description: gpg key passphrase
+    required: true
+  built:
+    description: packages to bottle
+    required: true
+  compression:
+    description: compression to use (gz or xz)
+    required: true
+outputs:
+  bottles:
+    description: bottle files
+    value: ${{ steps.bottle.outputs.bottles }}
+  checksums:
+    description: checksum files
+    value: ${{ steps.bottle.outputs.checksums }}
+  signatures:
+    description: signature files
+    value: ${{ steps.bottle.outputs.signatures }}
+
+runs:
+  using: composite
+  steps:
+    - run: ${{ github.action_path }}/bottle.ts ${{ inputs.built }}
+      id: bottle
+      shell: sh
+      env:
+        COMPRESSION: ${{ inputs.compression }}
+        GPG_KEY_ID: ${{ inputs.gpg-key-id }}
+        GPG_PASSPHRASE: ${{ inputs.gpg-passphrase }}

actions/bottle/bottle.ts

@@ -0,0 +1,102 @@
+#!/usr/bin/env tea
+
+/* ---
+dependencies:
+  gnu.org/tar: ^1.34
+  tukaani.org/xz: ^5
+  zlib.net: 1
+  gnupg.org: ^2
+args:
+  - deno
+  - run
+  - --allow-net
+  - --allow-run
+  - --allow-env
+  - --allow-read
+  - --allow-write
+--- */
+
+import { Installation } from "types"
+import { useCellar, usePrefix, useFlags, useCache } from "hooks"
+import { backticks, panic, run } from "utils"
+import { crypto } from "deno/crypto/mod.ts"
+import { encode } from "deno/encoding/hex.ts"
+import { encode as base64Encode } from "deno/encoding/base64.ts"
+import { set_output } from "../../libexec/utils/gha.ts"
+import * as ARGV from "../../libexec/utils/args.ts"
+import Path from "path"
+
+const cellar = useCellar()
+
+
+//-------------------------------------------------------------------------- main
+
+if (import.meta.main) {
+  useFlags()
+
+  const compression = Deno.env.get("COMPRESSION") == 'xz' ? 'xz' : 'gz'
+  const gpgKey = Deno.env.get("GPG_KEY_ID") ?? panic("missing GPG_KEY_ID")
+  const gpgPassphrase = Deno.env.get("GPG_PASSPHRASE") ?? panic("missing GPG_PASSPHRASE")
+  const checksums: string[] = []
+  const signatures: string[] = []
+  const bottles: Path[] = []
+
+  for await (const pkg of ARGV.pkgs()) {
+    console.log({ bottling: pkg })
+
+    const installation = await cellar.resolve(pkg)
+    const path = await bottle(installation, compression)
+    const checksum = await sha256(path)
+    const signature = await gpg(path, { gpgKey, gpgPassphrase })
+
+    console.log({ bottled: path })
+
+    bottles.push(path)
+    checksums.push(checksum)
+    signatures.push(signature)
+  }
+
+  await set_output("bottles", bottles.map(b => b.relative({ to: usePrefix() })))
+  await set_output("checksums", checksums)
+  await set_output("signatures", signatures)
+}
+
+
+//------------------------------------------------------------------------- funcs
+export async function bottle({ path: kegdir, pkg }: Installation, compression: 'gz' | 'xz'): Promise<Path> {
+  const tarball = useCache().path({ pkg, type: 'bottle', compression })
+  const z = compression == 'gz' ? 'z' : 'J'
+  const cwd = usePrefix()
+  const cmd = ["tar", `c${z}f`, tarball, kegdir.relative({ to: cwd })]
+  await run({ cmd, cwd })
+  return tarball
+}
+
+export async function sha256(file: Path): Promise<string> {
+  return await Deno.open(file.string, { read: true })
+    .then(file => crypto.subtle.digest("SHA-256", file.readable))
+    .then(buf => new TextDecoder().decode(encode(new Uint8Array(buf))))
+}
+
+interface GPGCredentials {
+  gpgKey: string
+  gpgPassphrase: string
+}
+
+async function gpg(file: Path, { gpgKey, gpgPassphrase }: GPGCredentials): Promise<string> {
+  const rv = await backticks({
+    cmd: [
+      "gpg",
+      "--detach-sign",
+      "--armor",
+      "--output",
+      "-",
+      "--local-user",
+      gpgKey,
+      "--passphrase",
+      gpgPassphrase,
+      file.string
+    ]
+  })
+  return base64Encode(rv)
+}

actions/cache/action.yml

@@ -0,0 +1,28 @@
+name: tea.xyz/pantry/actions/cache
+description: cache deno deps
+
+inputs:
+  cache-name:
+    description: name of the job to use on the cache key
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - run: |
+        if test "$RUNNER_OS" = "macOS"; then
+          echo "cache=~/Library/Caches/deno" >> $GITHUB_OUTPUT
+        else
+          echo "cache=~/.cache/deno" >> $GITHUB_OUTPUT
+        fi
+      id: os-cache
+      shell: sh
+
+    - uses: actions/cache@v3
+      with:
+        path: |
+          ~/.deno
+          ${{ steps.os-cache.outputs.cache }}
+        # This isn't perfect (can't hash stuff outside github.workspace, and if the there scripts change, the hash won't)
+        # but it's good enough for now. It's slightly conservative, since it monitors all .ts files, but that's fine.
+        key: ${{ runner.os }}-deno-${{ inputs.cache-name }}-${{ hashFiles('**/deno.jsonc', '**/*.ts') }}

actions/codesign/action.yml

@@ -0,0 +1,98 @@
+name: Apple Codesigning
+description: Codesigns macOS binaries
+
+inputs:
+  p12-file-base64:
+    description: Base64 encoded p12 file
+    required: true
+  p12-password:
+    description: Password for p12 file
+    required: true
+  identity:
+    description: Identity to use for signing
+    required: true
+  paths:
+    description: paths to sign
+    required: true
+
+runs:
+  using: composite
+  steps:
+    # Only runs on macOS
+    - name: Check platform
+      shell: sh
+      run: |
+        if [[ "$RUNNER_OS" != "macOS" ]]; then
+          echo "This action only runs on macOS"
+          exit 1
+        fi
+
+    # the next three steps bless our code for Apple. It might be the case they should be
+    # encapulated separately.
+    # FIXME: using an explicit commit in a PR isn't great, but the last release was almost 3 years
+    # ago, and we need bugfixes.
+    # FIXME: replace this with a tea script based on https://localazy.com/blog/how-to-automatically-sign-macos-apps-using-github-actions
+    # github has a doc with similar content, but it's not returning to me atm.
+
+    # apple-actions/import-codesign-certs will fail if the keychain already exists, so we prophylactically
+    # delete it if it does.
+    - name: Delete keychain
+      shell: sh
+      run: security delete-keychain signing_temp.keychain || true
+
+    - uses: apple-actions/import-codesign-certs@d54750db52a4d3eaed0fc107a8bab3958f3f7494
+      with:
+        p12-file-base64: ${{ inputs.p12-file-base64 }}
+        p12-password: ${{ inputs.p12-password }}
+
+    - name: Create file list
+      shell: sh
+      id: files
+      run: |
+        echo "sign<<EOF" >> $GITHUB_OUTPUT
+        /usr/bin/find $PATHS \
+          -type f \
+          -not -name '*.py' \
+          -not -name '*.pyc' \
+          -not -name '*.txt' \
+          -not -name '*.h' | \
+          /usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+        # `tea` won't pass strict checking due to a deno bug with the way
+        # MachO headers are created
+        # https://github.com/denoland/deno/issues/17753
+        echo "check<<EOF" >> $GITHUB_OUTPUT
+        /usr/bin/find $PATHS \
+          -type f \
+          -not -name '*.py' \
+          -not -name '*.pyc' \
+          -not -name '*.txt' \
+          -not -name '*.h' \
+          -not -name tea | \
+          /usr/bin/sed -e 's/ /\\ /g' >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+      env:
+        PATHS: ${{ inputs.paths }}
+
+    - name: Codesign files
+      shell: sh
+      run: |
+        echo "$FILES" | \
+          /usr/bin/xargs /usr/bin/codesign -s "$IDENTITY" --force -v --timestamp || true
+      env:
+        FILES: ${{ steps.files.outputs.sign }}
+        IDENTITY: ${{ inputs.identity }}
+
+    # This isn't very informative, but even a no-op is safer than none
+    - name: Check codesigning
+      shell: sh
+      run: echo "$FILES" | /usr/bin/xargs /usr/bin/codesign -vvv --strict
+      env:
+        FILES: ${{ steps.files.outputs.check }}
+
+    # Needed for self-hosted runner, since it doesn't destroy itself automatically.
+    - name: Delete keychain
+      if: always()
+      shell: sh
+      run: security delete-keychain signing_temp.keychain

actions/fetch-pr-artifacts/action.yml

@@ -0,0 +1,35 @@
+name: tea/pantry/fetch-pr-artifacts
+description: internal tea.xyz specific at this time
+
+inputs:
+  platform:
+    description: platform+arch to fetch
+    required: true
+  token:
+    description: github token
+    default: ${{ github.token }}
+    required: true
+  AWS_S3_BUCKET:
+    description: AWS S3 bucket to use for cache
+    required: true
+  AWS_ACCESS_KEY_ID:
+    description: AWS access key id
+    required: true
+  AWS_SECRET_ACCESS_KEY:
+    description: AWS secret access key
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - run:
+        ${{ github.action_path }}/fetch-pr-artifacts.ts
+          ${{ github.repository }}
+          ${{ github.sha }}
+          ${{ inputs.platform }} >>$GITHUB_ENV
+      shell: sh
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+        AWS_S3_BUCKET: ${{ inputs.AWS_S3_BUCKET }}
+        AWS_ACCESS_KEY_ID: ${{ inputs.AWS_ACCESS_KEY_ID }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.AWS_SECRET_ACCESS_KEY }}