Merge pull request #39 from jimeh/use-nix

feat(build/deps): switch from Homebrew to Nix for build dependencies
jimeh · Nov 30, 2024 · bc0082e · bc0082e
2 parents 692c58e + 099c107
commit bc0082e
Show file tree

Hide file tree

Showing 7 changed files with 136 additions and 62 deletions.
diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
@@ -4,6 +4,10 @@ name: _build
 on:
   workflow_call:
     inputs:
+      should_run:
+        description: Whether or not to run the build job
+        type: boolean
+        default: false
       artifact_prefix:
         description: Artifact prefix
         type: string
@@ -103,15 +107,14 @@ jobs:
       check: ${{ steps.check.outputs.result }}
     steps:
       - name: Checkout build-emacs-for-macos repo
-        if: ${{ inputs.os != inputs.build_os }}
         uses: actions/checkout@v4
         with:
           repository: jimeh/build-emacs-for-macos
           ref: ${{ needs.prepare.outputs.builder_sha }}
       - uses: actions/setup-go@v5
         if: ${{ inputs.os != inputs.build_os }}
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - name: Build emacs-builder tool
         if: ${{ inputs.os != inputs.build_os }}
         run: make build
@@ -124,8 +127,11 @@ jobs:
       - name: Ensure emacs-builder is executable
         if: ${{ inputs.os == inputs.build_os }}
         run: chmod +x bin/emacs-builder
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: Plan build
         run: >-
+          nix develop --command
           bin/emacs-builder -l debug plan --output build-plan.yml
           --output-dir '${{ github.workspace }}/builds'
           ${{ needs.prepare.outputs.test_plan_args }}
@@ -163,34 +169,30 @@ jobs:
           repository: jimeh/build-emacs-for-macos
           ref: ${{ needs.prepare.outputs.builder_sha }}
           path: builder
-      - uses: ruby/setup-ruby@v1
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Download build-plan artifact
+        uses: actions/download-artifact@v4
         with:
-          ruby-version: "3.2"
-      - name: Update homebrew
-        run: brew update
-      - name: Fix system python breaking homebrew
-        run: >-
-          find "$(brew --prefix)/bin" -type l
-          -ilname '*/Library/Frameworks/Python.framework/*'
-          -delete
+          name: ${{ inputs.artifact_prefix }}build-plan
+          path: ./builder/
       - name: Install dependencies
-        run: make bootstrap
+        run: >-
+          nix develop
+          --command make bootstrap-ruby
         working-directory: builder
         env:
           BUNDLE_WITHOUT: "development"
-      - name: Download build-plan artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ inputs.artifact_prefix }}build-plan
-          path: ./
       - name: Build Emacs
         run: >-
-          ./builder/build-emacs-for-macos
+          nix develop
+          --command ./build-emacs-for-macos
           --log-level debug
           --plan build-plan.yml
           --native-full-aot
           --no-self-sign
           ${{ inputs.build_args }}
+        working-directory: builder
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload unsigned app artifact
@@ -243,7 +245,7 @@ jobs:
           KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
 
           # import certificate and provisioning profile from secrets
-          echo -n "$CERT_BASE64" | base64 --decode --output "$CERTIFICATE_PATH"
+          echo -n "$CERT_BASE64" | base64 --decode > "$CERTIFICATE_PATH"
 
           # create temporary keychain
           security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

diff --git a/.github/workflows/_prepare.yml b/.github/workflows/_prepare.yml
@@ -12,7 +12,7 @@ on:
         description: Git ref to checkout of build-emacs-for-macos
         required: false
         type: string
-        default: "v0.6.48"
+        default: "v0.6.50"
     secrets:
       TAP_REPO_TOKEN:
         description: Personal Access Token for Homebrew Tap repo
@@ -38,7 +38,7 @@ jobs:
           if-no-files-found: error
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - name: Build emacs-builder tool
         run: make build
       - name: Upload emacs-builder artifact

diff --git a/.github/workflows/_release.yml b/.github/workflows/_release.yml
@@ -1,14 +1,17 @@
 ---
 # Requires _prepare.yml and _build.yml re-usable workflows to have run.
 name: _release
+concurrency:
+  group: _release
+  cancel-in-progress: false
 on:
   workflow_call:
     inputs:
       os:
         description: GitHub Actions runner OS
         type: string
         required: false
-        default: "macos-12"
+        default: "macos-13"
       plan_artifact:
         description: Name of artifact containing a emacs-builder plan yaml file
         type: string
@@ -17,15 +20,6 @@ on:
         description: Name of artifact containing a *.dmg files to release
         type: string
         required: true
-      test_build_name:
-        description: "Test build name"
-        type: string
-        required: false
-      update_casks:
-        description: "Update casks in homebrew tap?"
-        type: boolean
-        required: true
-        default: true
     secrets:
       TAP_REPO_TOKEN:
         description: Personal Access Token for Homebrew Tap repo
@@ -61,14 +55,5 @@ jobs:
           $(find builds -name '*.dmg' -or -name '*.sha256')
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Trigger update casks workflow in homebrew tap
-        if: >-
-          steps.dmg.outputs.result != 'fail' &&
-          inputs.test_build_name == '' &&
-          inputs.update_casks
-        run: >-
-          gh workflow run --repo jimeh/homebrew-emacs-builds update-casks.yml
-        env:
-          GITHUB_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
       - run: echo 'No DMG artifact available, was there a new commit to build?'
         if: ${{ steps.dmg.outputs.result == 'fail' }}
diff --git a/.github/workflows/_update-casks.yml b/.github/workflows/_update-casks.yml
@@ -0,0 +1,27 @@
+---
+name: _update-casks
+concurrency:
+  group: _update-casks
+  cancel-in-progress: false
+on:
+  workflow_call:
+    inputs:
+      os:
+        description: GitHub Actions runner OS
+        type: string
+        required: false
+        default: "ubuntu-latest"
+    secrets:
+      TAP_REPO_TOKEN:
+        description: Personal Access Token for Homebrew Tap repo
+        required: true
+
+jobs:
+  emacs-builds:
+    runs-on: ${{ inputs.os }}
+    steps:
+      - name: Trigger update casks workflow in homebrew tap
+        run: >-
+          gh workflow run --repo jimeh/homebrew-emacs-builds update-casks.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,15 +13,15 @@ on:
       builder_ref:
         description: "Git ref to checkout of build-emacs-for-macos"
         required: true
-        default: "v0.6.48"
+        default: "v0.6.50"
       builder_args:
         description: Custom arguments passed to build script
         required: false
         default: ""
       os:
-        description: 'Runner OS ("macos-12", "macos-13", or "macos-latest")'
+        description: 'Runner OS ("macos-13", "macos-14", or "macos-latest")'
         required: true
-        default: "macos-12"
+        default: "macos-13"
       test_build_name:
         description: "Test build name"
         required: false
@@ -62,7 +62,7 @@ jobs:
     needs: [prepare]
     with:
       os: ${{ github.event.inputs.os }}
-      build_os: "macos-12"
+      build_os: "macos-13"
       artifact_prefix: "x86_64-"
       git_ref: ${{ github.event.inputs.git_ref }}
       git_sha: ${{ github.event.inputs.git_sha }}
@@ -82,14 +82,19 @@ jobs:
   release_x86_64:
     name: Release (x86_64)
     uses: ./.github/workflows/_release.yml
-    needs: [build_x86_64]
-    if: ${{ needs.build_x86_64.outputs.package_created }}
+    # Depend on both build_x86_64 and build_arm64, but only run if build_x86_64
+    # was successful and a package was created. This ensure wait for all builds
+    # to complete before running any release jobs.
+    needs: [build_x86_64, build_arm64]
+    if: |
+      always() &&
+      needs.build_x86_64.result == 'success' &&
+      needs.build_x86_64.outputs.package_created &&
+      needs.build_arm64.result != 'failure'
     with:
       os: ${{ github.event.inputs.os }}
       plan_artifact: x86_64-build-plan
       dmg_artifact: x86_64-dmg
-      test_build_name: ${{ github.event.inputs.test_build_name }}
-      update_casks: true
     secrets:
       TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
 
@@ -124,13 +129,37 @@ jobs:
   release_arm64:
     name: Release (arm64)
     uses: ./.github/workflows/_release.yml
-    needs: [build_arm64]
-    if: ${{ needs.build_arm64.outputs.package_created }}
+    # Depend on both build_arm64 and build_x86_64, but only run if build_arm64
+    # was successful and a package was created. This ensure wait for all builds
+    # to complete before running any release jobs.
+    needs: [build_arm64, build_x86_64]
+    if: |
+      always() &&
+      needs.build_arm64.result == 'success' &&
+      needs.build_arm64.outputs.package_created &&
+      needs.build_x86_64.result != 'failure'
     with:
       os: ${{ github.event.inputs.os }}
       plan_artifact: arm64-build-plan
       dmg_artifact: arm64-dmg
-      test_build_name: ${{ github.event.inputs.test_build_name }}
-      update_casks: false
+    secrets:
+      TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
+
+  # ----------------------------------------------------------------------------
+  # Trigger update casks workflow in homebrew tap
+  # ----------------------------------------------------------------------------
+
+  update_casks:
+    name: Update Casks
+    uses: ./.github/workflows/_update-casks.yml
+    # Depend on both release jobs, but only run if either of them was
+    # successful. This ensures we only run this job once all release jobs have
+    # been completed.
+    needs: [release_x86_64, release_arm64]
+    if: >-
+      always() &&
+      github.event.inputs.test_build_name == '' &&
+      contains(needs.*.result, 'success') &&
+      !contains(needs.*.result, 'failure')
     secrets:
       TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
diff --git a/.github/workflows/nightly-master.yml b/.github/workflows/nightly-master.yml
@@ -31,7 +31,7 @@ jobs:
     uses: ./.github/workflows/_build.yml
     needs: [prepare]
     with:
-      build_os: "macos-12"
+      build_os: "macos-13"
       artifact_prefix: "x86_64-"
       git_ref: "master"
       git_sha: ${{ github.event.inputs.git_sha }}
@@ -48,12 +48,18 @@ jobs:
   release_x86_64:
     name: Release (x86_64)
     uses: ./.github/workflows/_release.yml
-    needs: [build_x86_64]
-    if: ${{ needs.build_x86_64.outputs.package_created }}
+    # Depend on both build_x86_64 and build_arm64, but only run if build_x86_64
+    # was successful and a package was created. This ensure wait for all builds
+    # to complete before running any release jobs.
+    needs: [build_x86_64, build_arm64]
+    if: |
+      always() &&
+      needs.build_x86_64.result == 'success' &&
+      needs.build_x86_64.outputs.package_created &&
+      needs.build_arm64.result != 'failure'
     with:
       plan_artifact: x86_64-build-plan
       dmg_artifact: x86_64-dmg
-      update_casks: true
     secrets:
       TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
 
@@ -86,11 +92,36 @@ jobs:
   release_arm64:
     name: Release (arm64)
     uses: ./.github/workflows/_release.yml
-    needs: [build_arm64]
-    if: ${{ needs.build_arm64.outputs.package_created }}
+    # Depend on both build_arm64 and build_x86_64, but only run if build_arm64
+    # was successful and a package was created. This ensure wait for all builds
+    # to complete before running any release jobs.
+    needs: [build_arm64, build_x86_64]
+    if: |
+      always() &&
+      needs.build_arm64.result == 'success' &&
+      needs.build_arm64.outputs.package_created &&
+      needs.build_x86_64.result != 'failure'
     with:
       plan_artifact: arm64-build-plan
       dmg_artifact: arm64-dmg
-      update_casks: false
+    secrets:
+      TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
+
+  # ----------------------------------------------------------------------------
+  # Trigger update casks workflow in homebrew tap
+  # ----------------------------------------------------------------------------
+
+  update_casks:
+    name: Update Casks
+    uses: ./.github/workflows/_update-casks.yml
+    # Depend on both release jobs, but only run if either of them was
+    # successful. This ensures we only run this job once all release jobs have
+    # been completed.
+    needs: [release_x86_64, release_arm64]
+    if: >-
+      always() &&
+      github.event.inputs.test_build_name == '' &&
+      contains(needs.*.result, 'success') &&
+      !contains(needs.*.result, 'failure')
     secrets:
       TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
diff --git a/.github/workflows/update-metadata.yml b/.github/workflows/update-metadata.yml
@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout meta branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: meta
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.21"
+          go-version: "1.23"
       - name: update total downloads shield JSON
         run: >-
           go run . badges downloads
@@ -25,7 +25,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
       - name: commit and push changes to meta branch
-        uses: stefanzweifel/git-auto-commit-action@v4
+        uses: stefanzweifel/git-auto-commit-action@v5
         with:
           commit_message: "chore(meta): update metadata files"
           commit_user_name: github-actions[bot]