|
| 1 | +name: 🌊 Build SEA Node Binaries |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_call: |
| 5 | + inputs: |
| 6 | + force: |
| 7 | + description: 'Force rebuild (ignore cache)' |
| 8 | + required: false |
| 9 | + type: boolean |
| 10 | + default: false |
| 11 | + workflow_dispatch: |
| 12 | + inputs: |
| 13 | + force: |
| 14 | + description: 'Force rebuild (ignore cache)' |
| 15 | + required: false |
| 16 | + type: boolean |
| 17 | + default: false |
| 18 | + # Removed push/pull_request triggers to prevent automatic builds. |
| 19 | + # Run manually via workflow_dispatch or via workflow_call from build-socketbin.yml. |
| 20 | + |
| 21 | +permissions: |
| 22 | + contents: read |
| 23 | + |
| 24 | +concurrency: |
| 25 | + group: build-sea-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} |
| 26 | + cancel-in-progress: true |
| 27 | + |
| 28 | +jobs: |
| 29 | + build-sea: |
| 30 | + name: 🌊 Build SEA binary - ${{ matrix.platform }}-${{ matrix.arch }} |
| 31 | + runs-on: ${{ matrix.runner }} |
| 32 | + timeout-minutes: 60 |
| 33 | + strategy: |
| 34 | + fail-fast: false |
| 35 | + matrix: |
| 36 | + include: |
| 37 | + # Linux builds (standard runners - SEA is just bundling). |
| 38 | + - runner: ubuntu-latest |
| 39 | + os: linux |
| 40 | + platform: linux |
| 41 | + arch: x64 |
| 42 | + - runner: ubuntu-latest |
| 43 | + os: linux |
| 44 | + platform: linux |
| 45 | + arch: arm64 |
| 46 | + |
| 47 | + # macOS builds (standard runners - SEA is just bundling). |
| 48 | + - runner: macos-latest-large |
| 49 | + os: darwin |
| 50 | + platform: darwin |
| 51 | + arch: x64 |
| 52 | + - runner: macos-latest-large |
| 53 | + os: darwin |
| 54 | + platform: darwin |
| 55 | + arch: arm64 |
| 56 | + |
| 57 | + # Windows builds (standard runners - SEA is just bundling). |
| 58 | + - runner: windows-latest |
| 59 | + os: windows |
| 60 | + platform: win32 |
| 61 | + arch: x64 |
| 62 | + - runner: windows-latest |
| 63 | + os: windows |
| 64 | + platform: win32 |
| 65 | + arch: arm64 |
| 66 | + |
| 67 | + steps: |
| 68 | + - name: Checkout |
| 69 | + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
| 70 | + |
| 71 | + - name: Setup Node.js |
| 72 | + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 |
| 73 | + with: |
| 74 | + node-version: 22 |
| 75 | + |
| 76 | + - name: Setup pnpm |
| 77 | + uses: pnpm/action-setup@9fd676a19091d4595eefd76e4bd31c97133911f1 # v4.2.0 |
| 78 | + with: |
| 79 | + version: ^10.16.0 |
| 80 | + |
| 81 | + - name: Install dependencies |
| 82 | + run: pnpm install --frozen-lockfile |
| 83 | + |
| 84 | + - name: Generate WASM cache keys |
| 85 | + id: wasm-cache-keys |
| 86 | + shell: bash |
| 87 | + run: | |
| 88 | + YOGA_HASH=$(find packages/yoga-layout -type f \( -name "*.cpp" -o -name "*.h" -o -name "*.mjs" -o -name "CMakeLists.txt" \) | sort | xargs sha256sum | sha256sum | cut -d' ' -f1) |
| 89 | + echo "yoga-hash=$YOGA_HASH" >> $GITHUB_OUTPUT |
| 90 | +
|
| 91 | + AI_HASH=$(find packages/socketbin-cli-ai -type f \( -name "*.mjs" -o -name "*.ts" \) | sort | xargs sha256sum | sha256sum | cut -d' ' -f1) |
| 92 | + echo "ai-hash=$AI_HASH" >> $GITHUB_OUTPUT |
| 93 | +
|
| 94 | + ONNX_HASH=$(find packages/onnx-runtime-builder -type f \( -name "*.mjs" -o -name "*.patch" \) | sort | xargs sha256sum | sha256sum | cut -d' ' -f1) |
| 95 | + echo "onnx-hash=$ONNX_HASH" >> $GITHUB_OUTPUT |
| 96 | +
|
| 97 | + - name: Restore Yoga Layout WASM cache |
| 98 | + id: yoga-cache |
| 99 | + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 |
| 100 | + with: |
| 101 | + path: packages/yoga-layout/build/wasm |
| 102 | + key: yoga-wasm-${{ steps.wasm-cache-keys.outputs.yoga-hash }} |
| 103 | + restore-keys: yoga-wasm- |
| 104 | + |
| 105 | + - name: Restore AI models cache |
| 106 | + id: ai-cache |
| 107 | + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 |
| 108 | + with: |
| 109 | + path: packages/socketbin-cli-ai/dist |
| 110 | + key: ai-models-${{ steps.wasm-cache-keys.outputs.ai-hash }} |
| 111 | + restore-keys: ai-models- |
| 112 | + |
| 113 | + - name: Restore ONNX Runtime cache |
| 114 | + id: onnx-cache |
| 115 | + uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 |
| 116 | + with: |
| 117 | + path: packages/onnx-runtime-builder/dist |
| 118 | + key: onnx-runtime-${{ steps.wasm-cache-keys.outputs.onnx-hash }} |
| 119 | + restore-keys: onnx-runtime- |
| 120 | + |
| 121 | + - name: Setup Python for WASM builds |
| 122 | + if: steps.yoga-cache.outputs.cache-hit != 'true' || steps.ai-cache.outputs.cache-hit != 'true' || steps.onnx-cache.outputs.cache-hit != 'true' |
| 123 | + uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0 |
| 124 | + with: |
| 125 | + python-version: '3.11' |
| 126 | + |
| 127 | + - name: Build WASM assets on cache miss |
| 128 | + if: steps.yoga-cache.outputs.cache-hit != 'true' || steps.ai-cache.outputs.cache-hit != 'true' || steps.onnx-cache.outputs.cache-hit != 'true' |
| 129 | + run: | |
| 130 | + echo "⚠️ WASM cache miss detected - building from source" |
| 131 | + echo "This will take 30-60 minutes. Consider running build-wasm.yml workflow to prime cache." |
| 132 | + echo "" |
| 133 | + echo "Cache status:" |
| 134 | + echo " Yoga Layout: ${{ steps.yoga-cache.outputs.cache-hit == 'true' && '✓ cached' || '✗ missing' }}" |
| 135 | + echo " AI Models: ${{ steps.ai-cache.outputs.cache-hit == 'true' && '✓ cached' || '✗ missing' }}" |
| 136 | + echo " ONNX Runtime: ${{ steps.onnx-cache.outputs.cache-hit == 'true' && '✓ cached' || '✗ missing' }}" |
| 137 | + echo "" |
| 138 | +
|
| 139 | + # Install Emscripten if needed for Yoga/ONNX. |
| 140 | + if [ "${{ steps.yoga-cache.outputs.cache-hit }}" != "true" ] || [ "${{ steps.onnx-cache.outputs.cache-hit }}" != "true" ]; then |
| 141 | + echo "::group::Installing Emscripten" |
| 142 | + git clone https://github.com/emscripten-core/emsdk.git |
| 143 | + cd emsdk |
| 144 | + ./emsdk install latest |
| 145 | + ./emsdk activate latest |
| 146 | + source ./emsdk_env.sh |
| 147 | + cd .. |
| 148 | + echo "::endgroup::" |
| 149 | + fi |
| 150 | +
|
| 151 | + # Install Python deps if needed for AI models. |
| 152 | + if [ "${{ steps.ai-cache.outputs.cache-hit }}" != "true" ]; then |
| 153 | + echo "::group::Installing Python dependencies" |
| 154 | + python3 -m pip install --upgrade pip |
| 155 | + python3 -m pip install transformers torch optimum[onnx] "onnxruntime>=1.20.0" |
| 156 | + echo "::endgroup::" |
| 157 | + fi |
| 158 | +
|
| 159 | + # Build missing WASM assets. |
| 160 | + if [ "${{ steps.yoga-cache.outputs.cache-hit }}" != "true" ]; then |
| 161 | + echo "::group::Building Yoga Layout WASM" |
| 162 | + pnpm --filter @socketsecurity/yoga-layout run build |
| 163 | + echo "::endgroup::" |
| 164 | + fi |
| 165 | +
|
| 166 | + if [ "${{ steps.ai-cache.outputs.cache-hit }}" != "true" ]; then |
| 167 | + echo "::group::Building AI models (10-15 minutes)" |
| 168 | + pnpm --filter @socketbin/cli-ai run build |
| 169 | + echo "::endgroup::" |
| 170 | + fi |
| 171 | +
|
| 172 | + if [ "${{ steps.onnx-cache.outputs.cache-hit }}" != "true" ]; then |
| 173 | + echo "::group::Building ONNX Runtime (20-30 minutes)" |
| 174 | + pnpm --filter @socketsecurity/onnx-runtime-builder run build |
| 175 | + echo "::endgroup::" |
| 176 | + fi |
| 177 | +
|
| 178 | + echo "✓ WASM assets built successfully" |
| 179 | +
|
| 180 | + - name: Generate SEA build cache key |
| 181 | + id: sea-cache-key |
| 182 | + shell: bash |
| 183 | + run: | |
| 184 | + HASH=$(find packages/node-sea-builder packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) | sort | xargs sha256sum | sha256sum | cut -d' ' -f1) |
| 185 | + echo "hash=$HASH" >> $GITHUB_OUTPUT |
| 186 | +
|
| 187 | + - name: Restore SEA binary cache |
| 188 | + id: sea-cache |
| 189 | + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 |
| 190 | + with: |
| 191 | + path: packages/node-sea-builder/dist/socket-sea-${{ matrix.platform }}-${{ matrix.arch }} |
| 192 | + key: node-sea-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.sea-cache-key.outputs.hash }} |
| 193 | + restore-keys: node-sea-${{ matrix.platform }}-${{ matrix.arch }}- |
| 194 | + |
| 195 | + - name: Build CLI (required for SEA) |
| 196 | + if: steps.sea-cache.outputs.cache-hit != 'true' || inputs.force |
| 197 | + run: pnpm --filter @socketsecurity/cli run build |
| 198 | + |
| 199 | + - name: Build SEA binary |
| 200 | + if: steps.sea-cache.outputs.cache-hit != 'true' || inputs.force |
| 201 | + run: pnpm --filter @socketbin/node-sea-builder run build |
| 202 | + |
| 203 | + - name: Verify SEA binary |
| 204 | + shell: bash |
| 205 | + run: | |
| 206 | + echo "=== SEA Binary Build Artifacts ===" |
| 207 | + mkdir -p packages/node-sea-builder/dist |
| 208 | + ls -lh packages/node-sea-builder/dist/ |
| 209 | + echo "" |
| 210 | + BINARY_PATH="packages/node-sea-builder/dist/socket-sea-${{ matrix.platform }}-${{ matrix.arch }}" |
| 211 | + if [ -f "$BINARY_PATH" ] || [ -f "${BINARY_PATH}.exe" ]; then |
| 212 | + if [ "${{ matrix.os }}" = "windows" ]; then |
| 213 | + echo "socket-sea-${{ matrix.platform }}-${{ matrix.arch }}.exe size: $(du -h ${BINARY_PATH}.exe | cut -f1)" |
| 214 | + else |
| 215 | + echo "socket-sea-${{ matrix.platform }}-${{ matrix.arch }} size: $(du -h $BINARY_PATH | cut -f1)" |
| 216 | + fi |
| 217 | + else |
| 218 | + echo "⚠️ Binary not found at expected path" |
| 219 | + fi |
| 220 | +
|
| 221 | + - name: Upload SEA binary |
| 222 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 |
| 223 | + with: |
| 224 | + name: socket-sea-${{ matrix.platform }}-${{ matrix.arch }} |
| 225 | + path: | |
| 226 | + packages/node-sea-builder/dist/socket-sea-${{ matrix.platform }}-${{ matrix.arch }} |
| 227 | + packages/node-sea-builder/dist/socket-sea-${{ matrix.platform }}-${{ matrix.arch }}.exe |
| 228 | + retention-days: 7 |
| 229 | + if-no-files-found: warn |
| 230 | + |
| 231 | + summary: |
| 232 | + name: 📊 🌊 SEA Node Build Summary |
| 233 | + needs: [build-sea] |
| 234 | + if: always() |
| 235 | + runs-on: ubuntu-latest |
| 236 | + steps: |
| 237 | + - name: Generate summary |
| 238 | + run: | |
| 239 | + echo "# 🌊 SEA Node Build Summary" >> $GITHUB_STEP_SUMMARY |
| 240 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 241 | + echo "## ✅ Build Complete" >> $GITHUB_STEP_SUMMARY |
| 242 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 243 | + echo "SEA (Single Executable Application) binaries built successfully and cached." >> $GITHUB_STEP_SUMMARY |
| 244 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 245 | + echo "### 📦 Build Method" >> $GITHUB_STEP_SUMMARY |
| 246 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 247 | + echo "| Method | Description | Size |" >> $GITHUB_STEP_SUMMARY |
| 248 | + echo "|--------|-------------|------|" >> $GITHUB_STEP_SUMMARY |
| 249 | + echo "| 🌊 SEA | Single Executable Application | ~70 MB |" >> $GITHUB_STEP_SUMMARY |
| 250 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 251 | + echo "### 🎯 Platforms Built" >> $GITHUB_STEP_SUMMARY |
| 252 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 253 | + echo "- 🐧 Linux (x64, arm64)" >> $GITHUB_STEP_SUMMARY |
| 254 | + echo "- 🍎 macOS (x64, arm64)" >> $GITHUB_STEP_SUMMARY |
| 255 | + echo "- 🪟 Windows (x64, arm64)" >> $GITHUB_STEP_SUMMARY |
| 256 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 257 | + echo "### 🎯 Next Steps" >> $GITHUB_STEP_SUMMARY |
| 258 | + echo "" >> $GITHUB_STEP_SUMMARY |
| 259 | + echo "- These binaries are now cached for E2E tests" >> $GITHUB_STEP_SUMMARY |
| 260 | + echo "- Use \`publish-socketbin.yml\` to publish to npm" >> $GITHUB_STEP_SUMMARY |
| 261 | + echo "- Cache is invalidated when source files change" >> $GITHUB_STEP_SUMMARY |
0 commit comments