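# CI for pull requests and pushes to main: lint / type-check / build / test,
# then (on non-main refs) gate the native-binary builds and publish preview
# packages.
#
# Security notes for maintainers:
#   - Triggered by `pull_request` (not `pull_request_target`), so runs for PRs
#     from forks get a read-only GITHUB_TOKEN and no repository secrets.
#   - The workflow-level `pull-requests: write` below is inherited by every job,
#     including the reusable native-build workflows. The steps that visibly use
#     the token are the bumpy check in `build-and-test` and the preview release
#     in `release-preview-packages`; scoping the permission per job is the
#     preferred shape once the called workflows' own permission needs have been
#     confirmed (they are not visible from this file).
#   - rharkor/caching-for-turbo is pinned to a commit SHA; every other action
#     is pinned to a mutable major tag. Pinning third-party actions
#     (oven-sh/setup-bun) to a full commit SHA is the usual supply-chain
#     hardening; the correct SHAs are not known from this file, so the tags are
#     left as-is.
#   - Native binaries restored from actions/cache are trusted purely on their
#     cache key (a source hash). Cache entries are readable from the current
#     branch and the default branch only, so PR runs can consume caches seeded
#     on main but not each other's.
name: CI test suite

on:
  pull_request:
  push:
    branches: [main]

# One in-flight run per workflow + ref. PR runs are superseded by newer pushes;
# runs on main are never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

permissions:
  contents: read
  pull-requests: write

jobs:
  # ------------------------------------------------------------------
  # Lint, type-check, build and test, and compute the gating signals
  # (release plan, native-source changes, native cache presence) that the
  # native-build and preview-release jobs consume.
  # ------------------------------------------------------------------
  build-and-test:
    runs-on: ubuntu-latest
    outputs:
      includes-varlock: ${{ steps.check-release.outputs.includes-varlock }}
      release-packages: ${{ steps.check-release.outputs.packages }}
      swift-changed: ${{ steps.check-swift.outputs.changed }}
      rust-changed: ${{ steps.check-rust.outputs.changed }}
      swift-cache-hit: ${{ steps.swift-cache-check.outputs.cache-hit }}
      rust-cache-hit: ${{ steps.rust-cache-final.outputs.cache-hit }}
      rust-source-hash: ${{ steps.rust-hash.outputs.hash }}
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history is needed for the `origin/main...HEAD` diffs below.
          fetch-depth: 0

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2

      - name: Use Node.js 24.x
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"

      - name: Install js deps (w/ bun)
        # --frozen-lockfile: fail loudly instead of resolving versions that
        # differ from the committed lockfile (reproducibility / supply chain).
        run: bun install --frozen-lockfile

      - name: Audit dependencies
        run: bun run audit:changed

      - name: Enable turborepo build cache
        uses: rharkor/caching-for-turbo@56219402aacc0d06b650d898c222996dbc1191ec # v2.3.14

      # ------------------------------------------------------------
      - name: Bumpy release plan check
        if: github.event_name == 'pull_request'
        # NOTE(review): `bunx` resolves and executes whatever @varlock/bumpy
        # version the registry serves at run time, with a write-scoped token in
        # GH_TOKEN. Pinning an exact version (`bunx @varlock/bumpy@<version>`)
        # would remove that run-time resolution.
        run: bunx @varlock/bumpy ci check
        env:
          GH_TOKEN: ${{ github.token }}

      # lint, build, tests ---------------------------------
      - name: ESLint
        run: bun run lint

      - name: TypeScript type check
        run: bun run typecheck:all

      - name: Build libraries
        run: bun run build:libs

      - name: Run tests
        run: bun run test:ci

      # Determine which packages will be preview-released (used to gate native builds).
      # Skipped on main, so every `includes-varlock == 'true'` gate below is
      # false on main.
      - name: Check release packages
        if: github.ref_name != 'main'
        id: check-release
        run: bun run scripts/check-release-packages.ts

      # Check if native binary source changed (used to gate native builds).
      # The diff is captured first so that a failing `git diff` fails the step
      # instead of being read as "no changes" (which would skip a needed
      # rebuild).
      - name: Check for Swift source changes
        id: check-swift
        if: steps.check-release.outputs.includes-varlock == 'true'
        run: |
          changed_files=$(git diff --name-only origin/main...HEAD)
          if grep -qE '^(packages/encryption-binary-swift/|\.github/workflows/build-native-macos\.yaml)' <<<"$changed_files"; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Check for Rust source changes
        id: check-rust
        if: steps.check-release.outputs.includes-varlock == 'true'
        run: |
          changed_files=$(git diff --name-only origin/main...HEAD)
          if grep -qE '^(packages/encryption-binary-rust/|\.github/workflows/build-native-rust\.yaml)' <<<"$changed_files"; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

      # Check if native binary caches exist (lookup-only, no download)
      - name: Check Swift binary cache
        id: swift-cache-check
        if: steps.check-release.outputs.includes-varlock == 'true' && steps.check-swift.outputs.changed != 'true'
        uses: actions/cache/restore@v5
        with:
          path: packages/varlock/native-bins/darwin/VarlockEnclave.app
          key: native-bin-macos-signed-${{ hashFiles('packages/encryption-binary-swift/swift/Package.swift', 'packages/encryption-binary-swift/swift/Sources/**') }}
          lookup-only: true

      # Compute Rust source hash once on Ubuntu — used for cache keys everywhere
      # (hashFiles can differ across OSes, so we normalize it here).
      # The expression result is passed through `env` rather than interpolated
      # into the script body, and an empty hash (glob matched nothing) is
      # rejected so cache keys can never degrade to the bare prefix.
      - name: Compute Rust source hash
        id: rust-hash
        if: steps.check-release.outputs.includes-varlock == 'true'
        env:
          RUST_SRC_HASH: ${{ hashFiles('packages/encryption-binary-rust/Cargo.lock', 'packages/encryption-binary-rust/src/**') }}
        run: |
          if [ -z "$RUST_SRC_HASH" ]; then
            echo "::error::Rust source hash is empty — hashFiles matched no files"
            exit 1
          fi
          echo "hash=$RUST_SRC_HASH" >> "$GITHUB_OUTPUT"

      - name: Check Rust cache - linux-x64
        id: rust-cache-check-linux-x64
        if: steps.check-release.outputs.includes-varlock == 'true' && steps.check-rust.outputs.changed != 'true'
        uses: actions/cache/restore@v5
        with:
          path: packages/varlock/native-bins/linux-x64/
          key: native-bin-rust-linux-x64-${{ steps.rust-hash.outputs.hash }}
          lookup-only: true

      - name: Check Rust cache - linux-arm64
        id: rust-cache-check-linux-arm64
        if: steps.check-release.outputs.includes-varlock == 'true' && steps.check-rust.outputs.changed != 'true'
        uses: actions/cache/restore@v5
        with:
          path: packages/varlock/native-bins/linux-arm64/
          key: native-bin-rust-linux-arm64-${{ steps.rust-hash.outputs.hash }}
          lookup-only: true

      - name: Check Rust cache - win32-x64
        id: rust-cache-check-win32-x64
        if: steps.check-release.outputs.includes-varlock == 'true' && steps.check-rust.outputs.changed != 'true'
        uses: actions/cache/restore@v5
        with:
          path: packages/varlock/native-bins/win32-x64/
          key: native-bin-rust-win32-x64-${{ steps.rust-hash.outputs.hash }}
          lookup-only: true

      # All three Rust caches must be present for the build to be skipped.
      - name: Determine Rust cache status
        id: rust-cache-final
        if: steps.check-release.outputs.includes-varlock == 'true' && steps.check-rust.outputs.changed != 'true'
        env:
          HIT_LINUX_X64: ${{ steps.rust-cache-check-linux-x64.outputs.cache-hit }}
          HIT_LINUX_ARM64: ${{ steps.rust-cache-check-linux-arm64.outputs.cache-hit }}
          HIT_WIN32_X64: ${{ steps.rust-cache-check-win32-x64.outputs.cache-hit }}
        run: |
          if [[ "$HIT_LINUX_X64" == "true" && "$HIT_LINUX_ARM64" == "true" && "$HIT_WIN32_X64" == "true" ]]; then
            echo "cache-hit=true" >> "$GITHUB_OUTPUT"
          else
            echo "cache-hit=false" >> "$GITHUB_OUTPUT"
            echo "::warning::Some Rust binary caches missing — will trigger rebuild"
          fi

  # Build + sign the macOS native binary if varlock is being released AND
  # (source changed or cache missing).
  # OP_CI_TOKEN is a repository secret, so it is empty for PRs from forks;
  # presumably the signing step cannot succeed there.
  build-native-macos:
    needs: build-and-test
    if: >-
      needs.build-and-test.outputs.includes-varlock == 'true'
      && (needs.build-and-test.outputs.swift-changed == 'true' || needs.build-and-test.outputs.swift-cache-hit != 'true')
    uses: ./.github/workflows/build-native-macos.yaml
    with:
      artifact-name: native-bin-macos-ci
    secrets:
      OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}

  # Build Rust native binaries if varlock is being released AND
  # (source changed or cache missing).
  build-native-rust:
    needs: build-and-test
    if: >-
      needs.build-and-test.outputs.includes-varlock == 'true'
      && (needs.build-and-test.outputs.rust-changed == 'true' || needs.build-and-test.outputs.rust-cache-hit != 'true')
    uses: ./.github/workflows/build-native-rust.yaml
    with:
      artifact-name: native-bin-rust-ci
      source-hash: ${{ needs.build-and-test.outputs.rust-source-hash }}

  # ------------------------------------------------------------------
  # Publish preview packages via pkg-pr-new.
  # Native binaries come either from this run's artifacts (if a native build
  # ran) or from the cross-run cache (if the build was skipped).
  # ------------------------------------------------------------------
  release-preview-packages:
    needs: [build-and-test, build-native-macos, build-native-rust]
    # Run even if native builds were skipped (source unchanged), but not if
    # anything failed. Skip on main.
    if: always() && !failure() && !cancelled() && github.ref_name != 'main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2

      - name: Use Node.js 24.x
        uses: actions/setup-node@v6
        with:
          node-version: "24.x"

      - name: Install node deps
        # Same as build-and-test: never let CI drift from the committed lockfile.
        run: bun install --frozen-lockfile

      - name: Enable turborepo build cache
        uses: rharkor/caching-for-turbo@56219402aacc0d06b650d898c222996dbc1191ec # v2.3.14

      # Get signed macOS .app if varlock is being released.
      # If the macOS build ran this run, download the artifact directly;
      # otherwise, restore from cross-run cache.
      - name: Download macOS native binary (from this run)
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-macos.result == 'success'
        uses: actions/download-artifact@v8
        with:
          name: native-bin-macos-ci
          path: packages/varlock/native-bins/darwin/VarlockEnclave.app

      - name: Restore cached macOS native binary (from prior run)
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-macos.result != 'success'
        uses: actions/cache/restore@v5
        with:
          path: packages/varlock/native-bins/darwin/VarlockEnclave.app
          key: native-bin-macos-signed-${{ hashFiles('packages/encryption-binary-swift/swift/Package.swift', 'packages/encryption-binary-swift/swift/Sources/**') }}

      # Presence check only. This runs on Linux, so the .app's signature
      # cannot be verified here with codesign; the restored bundle is trusted
      # on the strength of its cache key alone.
      - name: Verify and fix native binary permissions
        if: needs.build-and-test.outputs.includes-varlock == 'true'
        run: |
          BINARY=packages/varlock/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt
          if [ ! -f "$BINARY" ]; then
            echo "::error::macOS native binary not found — cannot publish varlock preview without it"
            exit 1
          fi
          chmod +x "$BINARY"

      # Get Rust native binaries if varlock is being released.
      # If the Rust build ran this run, download the artifacts; otherwise restore from cache.
      - name: Download Rust binaries (from this run)
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-rust.result == 'success'
        uses: actions/download-artifact@v8
        with:
          pattern: native-bin-rust-ci-*
          path: packages/varlock/native-bins/
          merge-multiple: false

      # Flatten: download-artifact creates subdirs per artifact name, but we
      # need linux-x64/ etc. A failed rename is a hard error here rather than
      # being swallowed; the permissions check below would fail on the missing
      # binary anyway, this just fails closer to the cause.
      - name: Flatten Rust artifact directories (from this run)
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-rust.result == 'success'
        run: |
          cd packages/varlock/native-bins
          for dir in native-bin-rust-ci-*/; do
            [ -d "$dir" ] || continue  # glob matched nothing
            target="${dir#native-bin-rust-ci-}"
            target="${target%/}"
            mv "$dir" "$target"
          done

      - uses: actions/cache/restore@v5
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-rust.result != 'success'
        with:
          path: packages/varlock/native-bins/linux-x64/
          key: native-bin-rust-linux-x64-${{ needs.build-and-test.outputs.rust-source-hash }}

      - uses: actions/cache/restore@v5
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-rust.result != 'success'
        with:
          path: packages/varlock/native-bins/linux-arm64/
          key: native-bin-rust-linux-arm64-${{ needs.build-and-test.outputs.rust-source-hash }}

      - uses: actions/cache/restore@v5
        if: needs.build-and-test.outputs.includes-varlock == 'true' && needs.build-native-rust.result != 'success'
        with:
          path: packages/varlock/native-bins/win32-x64/
          key: native-bin-rust-win32-x64-${{ needs.build-and-test.outputs.rust-source-hash }}

      # Every target's binary must be present; the Windows binary is not
      # chmod'ed (exec bit is meaningless for it).
      - name: Verify and fix Rust binary permissions
        if: needs.build-and-test.outputs.includes-varlock == 'true'
        run: |
          MISSING=()
          for SUBDIR in linux-x64 linux-arm64 win32-x64; do
            if [ "$SUBDIR" = "win32-x64" ]; then
              BIN="packages/varlock/native-bins/$SUBDIR/varlock-local-encrypt.exe"
            else
              BIN="packages/varlock/native-bins/$SUBDIR/varlock-local-encrypt"
            fi
            if [ ! -f "$BIN" ]; then
              MISSING+=("$BIN")
            elif [ "$SUBDIR" != "win32-x64" ]; then
              chmod +x "$BIN" && echo "Fixed: $BIN"
            fi
          done
          if [ ${#MISSING[@]} -gt 0 ]; then
            echo "::error::Rust native binaries not found: ${MISSING[*]}"
            echo "Cache may not be seeded yet — ensure release.yaml has run on main"
            exit 1
          fi

      - name: Build publishable npm packages
        if: needs.build-and-test.outputs.release-packages != '[]'
        run: bun run build:libs
        env:
          BUILD_TYPE: preview

      - name: Release preview packages
        if: needs.build-and-test.outputs.release-packages != '[]'
        run: bun run scripts/release-preview.ts
        env:
          RELEASE_PACKAGES: ${{ needs.build-and-test.outputs.release-packages }}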