Improve CI workflow (#1)

* Remove clean timeout * Update branch name * Move run-streams job * Add install-tools.sh * Update repo_url to avoid a space into it * Fix ci script path * Move scripts into dedicated files * Checkout code because of two runners * Write in /tmp * Fix setup-project script * Add more ci scripts * Fix space * Add constants file * Use regex for certificate name * Update token * Use strategies
SRGSSR · Nov 11, 2024 · a33306c · a33306c
1 parent c82e5cd
commit a33306c
Show file tree

Hide file tree

Showing 12 changed files with 251 additions and 115 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,9 +2,15 @@
 name: CI
 on: [pull_request]
 env:
-  macos_ci_setup_token: ${{ secrets.MACOS_CI_SETUP_TOKEN }}
+  token: ${{ secrets.PILLARBOX_CI_CD_TOKEN }}
   vm_name: sequoia-for-pillarbox
   vm_image: ghcr.io/cirruslabs/macos-sequoia-xcode:latest
+  branch_name: ${{ github.head_ref }}
+  scripts_path: "/tmp/.$vm_name/macos-ci-setup"
+  ci_scripts_path: "${{ github.workspace }}/.github/workflows/scripts"
+  repo_url:
+    "https://${{ secrets.PILLARBOX_CI_CD_TOKEN }}@github.com/\
+    ${{ github.repository }}.git"
 jobs:
   install-tools:
     runs-on:
@@ -13,164 +19,108 @@ jobs:
       runner_group_label:
         ${{ steps.runner-group-label.outputs.runner_group_label }}
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       - name: Clone macos-ci-setup repository
         run: |
-          rm -rf ~/macos-ci-setup
-
-          git clone -b add-scripts \
-          https://${{ env.macos_ci_setup_token }}\
-          @github.com/SRGSSR/macos-ci-setup.git ~/macos-ci-setup
+          ${{ env.ci_scripts_path }}/clone-macos-ci-setup.sh \
+          ${{ env.scripts_path }} ${{ env.token }} "add-scripts"
 
-      - name: Runner labels
+      - name: Get runner group by runner name
         id: runner-group-label
         run: |
-          runner_group_label=\
-          $(~/macos-ci-setup/runner-group-label.sh $RUNNER_NAME)
+          ${{ env.ci_scripts_path }}/get-runner-group.sh \
+          ${{ env.scripts_path }} \
+          $RUNNER_NAME $GITHUB_OUTPUT
 
-          echo "runner_group_label=$runner_group_label" >> $GITHUB_OUTPUT
       - name: Install tools
         run: |
-          cd ~/macos-ci-setup
-
-          ./brew-fetch.sh ${{ env.vm_name }} \
-          "swiftlint shellcheck markdownlint-cli yamllint ffmpeg"
-
-          ./create-vm-for-project.sh ${{ env.vm_name }} ${{ env.vm_image }}
-
-          ./clone-repo-in-vm.sh ${{ env.vm_name }} ${{ github.ref_name }} \
-          "https://${{ env.macos_ci_setup_token }}\
-          @github.com/${{ github.repository }}.git"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "brew install --quiet \
-          swiftlint shellcheck markdownlint-cli yamllint ffmpeg"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "rbenv install --skip-existing 3.3.5"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "echo 'export PATH=\"$HOME/.rbenv/bin:$PATH\"' >> ~/.zshrc"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "rbenv init - >> ~/.zshrc"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "rbenv global 3.3.5"
+          ${{ env.ci_scripts_path }}/install-tools.sh \
+          ${{ env.scripts_path }} \
+          ${{ env.vm_name }} ${{ env.vm_image }} \
+          ${{ env.branch_name }} ${{ env.repo_url }}
 
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "sudo gem install bundler -v 2.5.22"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "curl --location \
-          https://github.com/shaka-project/shaka-packager\
-          /releases/download/v3.2.0/packager-osx-arm64 -o \
-          /opt/homebrew/bin/shaka-packager"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "chmod a+x /opt/homebrew/bin/shaka-packager"
+  run-streams:
+    needs: install-tools
+    runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
 
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "source ~/.zshrc"
+      - name: Run test streams
+        run: |
+          ${{ env.ci_scripts_path }}/vm-run-test-streams.sh \
+          ${{ env.scripts_path }} ${{ env.vm_name }}
 
   setup-project:
     needs: install-tools
     runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       - name: Setup project
         run: |
-          cd ~/macos-ci-setup
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && rm -rf Configuration"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && Scripts/checkout-configuration.sh \
-          https://${{ env.macos_ci_setup_token }}\
-          @github.com/SRGSSR/pillarbox-apple-configuration.git \
-          certificate HEAD Configuration"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "security unlock-keychain -p 'admin' \
-          ~/Library/Keychains/login.keychain-db && \
-          security import ~/_repo/Configuration/6YXTQTG8JJ_development.p12 \
-          -k ~/Library/Keychains/login.keychain-db \
-          -P '6YXTQTG8JJ' -T /usr/bin/security -T /usr/bin/codesign"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "security set-key-partition-list -S apple-tool:,apple: -s -k 'admin' \
-          ~/Library/Keychains/login.keychain-db"
-
-          ./run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && make setup"
+          ${{ env.ci_scripts_path }}/setup-project.sh \
+          ${{ env.scripts_path }} ${{ env.vm_name }} ${{ env.token }}
 
   check-quality:
     needs: [install-tools, setup-project]
     runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
     steps:
-      - name: Run the quality check
-        run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh \
-          ${{ env.vm_name }} "cd ~/_repo && make check-quality"
+      - name: Checkout code
+        uses: actions/checkout@v4
 
-  run-streams:
-    needs: install-tools
-    runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
-    steps:
-      - name: Run test streams
+      - name: Run the quality check
         run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && make test-streams-start"
+          ${{ env.ci_scripts_path }}/vm-check-quality.sh \
+          ${{ env.scripts_path }} ${{ env.vm_name }}
 
   resolve-spm-dependencies:
     needs: [install-tools, run-streams, setup-project]
     runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       - name: Resolve SPM dependencies
         run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && xcodebuild -resolvePackageDependencies -verbose"
+          ${{ env.ci_scripts_path }}/vm-resolve-spm-dependencies.sh \
+          ${{ env.scripts_path }} ${{ env.vm_name }}
 
-  test-ios:
+  tests:
     needs: [install-tools, resolve-spm-dependencies]
     runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
+    strategy:
+      matrix:
+        platform: [ios, tvos]
     steps:
-      - name: Run the iOS tests
-        run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && make test-ios"
+      - name: Checkout code
+        uses: actions/checkout@v4
 
-  test-tvos:
-    needs: [install-tools, resolve-spm-dependencies]
-    runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
-    steps:
-      - name: Run the tvOS tests
+      - name: Run tests
         run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && make test-tvos"
+          ${{ env.ci_scripts_path }}/vm-test.sh \
+          ${{ env.scripts_path }} ${{ env.vm_name }} ${{ matrix.platform }}
 
-  archive-demo-ios:
-    needs: [install-tools, test-ios, test-tvos]
+  archive-demos:
+    needs: [install-tools, tests]
     runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
+    strategy:
+      matrix:
+        platform: [ios, tvos]
     steps:
-      - name: Archive the iOS demo
-        run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && security unlock-keychain -p 'admin' \
-          ~/Library/Keychains/login.keychain-db && make archive-demo-ios"
+      - name: Checkout code
+        uses: actions/checkout@v4
 
-  archive-demo-tvos:
-    needs: [install-tools, test-ios, test-tvos]
-    runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
-    steps:
-      - name: Archive the tvOS demo
+      - name: Archive the demo
         run: |
-          ~/macos-ci-setup/run-vm-shell-command.sh ${{ env.vm_name }} \
-          "cd ~/_repo && security unlock-keychain -p 'admin' \
-          ~/Library/Keychains/login.keychain-db && make archive-demo-tvos"
+          ${{ env.ci_scripts_path }}/vm-test.sh \
+          ${{ env.scripts_path }} ${{ env.vm_name }} ${{ matrix.platform }}
 
   clean:
-    timeout-minutes: 2
-    needs: [install-tools, archive-demo-ios, archive-demo-tvos]
+    needs: [install-tools, archive-demos]
     runs-on: ${{ needs.install-tools.outputs.runner_group_label }}
     if: always()
     steps:

diff --git a/.github/workflows/scripts/clone-macos-ci-setup.sh b/.github/workflows/scripts/clone-macos-ci-setup.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+scripts_path_destination=$1
+github_token=$2
+branch=$3
+
+if [[ -z $scripts_path_destination || -z $github_token || -z $branch ]]
+then
+    echo "[!] Usage: $(echo $0) <scripts_path_destination> <github_token> <branch>"
+    exit 1
+fi
+
+rm -rf $scripts_path_destination
+git clone -b $branch "https://$github_token@github.com/SRGSSR/macos-ci-setup.git" $scripts_path_destination
diff --git a/.github/workflows/scripts/constants.sh b/.github/workflows/scripts/constants.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+REPOSITORY_PATH="~/_repo"
diff --git a/.github/workflows/scripts/get-runner-group.sh b/.github/workflows/scripts/get-runner-group.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+scripts_path="$1"
+runner_name="$2"
+github_output="$3"
+
+if [[ -z $scripts_path || -z $runner_name || -z $github_output ]]
+then
+    echo "[!] Usage: $(echo $0) <scripts_path> <runner_name> <github_output>"
+    exit 1
+fi
+
+
+runner_group_label=$($scripts_path/runner-group-label.sh $runner_name)
+echo "runner_group_label=$runner_group_label" >> $github_output
diff --git a/.github/workflows/scripts/install-tools.sh b/.github/workflows/scripts/install-tools.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+scripts_path="$1"
+vm_name="$2"
+vm_image="$3"
+branch_name="$4"
+repo_url="$5"
+
+if [[ -z $scripts_path || -z $vm_name || -z $vm_image || -z $branch_name || -z $repo_url ]]
+then
+    echo "[!] Usage: $(echo $0) <scripts_path> <vm_name> <vm_image> <branch_name> <repo_url>"
+    exit 1
+fi
+
+
+tools="swiftlint shellcheck markdownlint-cli yamllint ffmpeg"
+ruby_version="3.3.5"
+bundler_version="2.5.22"
+
+$scripts_path/brew-fetch.sh $vm_name $tools
+
+$scripts_path/create-vm-for-project.sh $vm_name $vm_image
+$scripts_path/clone-repo-in-vm.sh $vm_name $branch_name $repo_url
+
+$scripts_path/run-vm-shell-command.sh $vm_name "brew install --quiet $tools"
+$scripts_path/run-vm-shell-command.sh $vm_name "rbenv install --skip-existing $ruby_version"
+$scripts_path/run-vm-shell-command.sh $vm_name "echo 'export PATH=\"$HOME/.rbenv/bin:\$PATH\"' >> ~/.zshrc"
+$scripts_path/run-vm-shell-command.sh $vm_name "rbenv init - >> ~/.zshrc"
+$scripts_path/run-vm-shell-command.sh $vm_name "rbenv global $ruby_version"
+$scripts_path/run-vm-shell-command.sh $vm_name "sudo gem install bundler -v $bundler_version"
+$scripts_path/run-vm-shell-command.sh $vm_name "curl --location https://github.com/shaka-project/shaka-packager/releases/download/v3.2.0/packager-osx-arm64 -o /opt/homebrew/bin/shaka-packager"
+$scripts_path/run-vm-shell-command.sh $vm_name "chmod a+x /opt/homebrew/bin/shaka-packager"
+$scripts_path/run-vm-shell-command.sh $vm_name "source ~/.zshrc"
diff --git a/.github/workflows/scripts/setup-project.sh b/.github/workflows/scripts/setup-project.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+scripts_path="$1"
+vm_name="$2"
+github_token="$3"
+
+if [[ -z $scripts_path || -z $vm_name || -z $github_token ]]
+then
+    echo "[!] Usage: $(echo $0) <scripts_path> <vm_name> <github_token>"
+    exit 1
+fi
+
+source "$(dirname $(realpath $0))/constants.sh"
+source "$(dirname $(realpath $0))/unlock-keychain.sh"
+
+configuration_dir_path="$REPOSITORY_PATH/Configuration"
+configuration_repo="github.com/SRGSSR/pillarbox-apple-configuration.git"
+configuration_script="$REPOSITORY_PATH/Scripts/checkout-configuration.sh"
+configuration_branch="certificate"
+configuration_commit="HEAD"
+
+certificate_path=$(realpath "$configuration_dir_path/*.p12")
+certificate_password="6YXTQTG8JJ"
+
+function import_certificate {
+    security import $certificate_path -k $keychain_path -P $certificate_password -T /usr/bin/security -T /usr/bin/codesign
+}
+
+function add_certificate_to_keychain {
+    unlock_keychain && import_certificate
+}
+
+function authorize_access_to_certificate_private_key {
+    security set-key-partition-list -S apple-tool:,apple: -s -k $keychain_password $keychain_path
+}
+
+$scripts_path/run-vm-shell-command.sh $vm_name "rm -rf $configuration_dir_path"
+$scripts_path/run-vm-shell-command.sh $vm_name "$configuration_script https://$github_token@$configuration_repo $configuration_branch $configuration_commit $configuration_dir_path"
+$scripts_path/run-vm-shell-command.sh $vm_name echo $(add_certificate_to_keychain)
+$scripts_path/run-vm-shell-command.sh $vm_name echo $(authorize_access_to_certificate_private_key)
+$scripts_path/run-vm-shell-command.sh $vm_name "cd $REPOSITORY_PATH && make setup"
diff --git a/.github/workflows/scripts/unlock-keychain.sh b/.github/workflows/scripts/unlock-keychain.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+keychain_password="admin"
+keychain_path="~/Library/Keychains/login.keychain-db"
+
+function unlock_keychain {
+    security unlock-keychain -p $keychain_password $keychain_path
+}
diff --git a/.github/workflows/scripts/vm-archive.sh b/.github/workflows/scripts/vm-archive.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+scripts_path="$1"
+vm_name="$2"
+platform="$3"
+
+
+if [[ -z $scripts_path || -z $vm_name || -z $platform ]]
+then
+    echo "[!] Usage: $(echo $0) <scripts_path> <vm_name> <platform>"
+    exit 1
+fi
+
+source "$(dirname $(realpath $0))/constants.sh"
+source "$(dirname $(realpath $0))/unlock-keychain.sh"
+
+$scripts_path/run-vm-shell-command.sh $vm_name "cd $REPOSITORY_PATH && echo $(unlock_keychain) && make archive-demo-$(echo $platform)"
diff --git a/.github/workflows/scripts/vm-check-quality.sh b/.github/workflows/scripts/vm-check-quality.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+scripts_path="$1"
+vm_name="$2"
+
+if [[ -z $scripts_path || -z $vm_name ]]
+then
+    echo "[!] Usage: $(echo $0) <scripts_path> <vm_name>"
+    exit 1
+fi
+
+source "$(dirname $(realpath $0))/constants.sh"
+
+$scripts_path/run-vm-shell-command.sh $vm_name "cd $REPOSITORY_PATH && make check-quality"