Build vendored artifacts in CI (#37127)

* Build vendored artifacts in CI

* parallel

* deterministic

* fix up

* fix gitignores

* lil more

* lil more consistency

.github/workflows/vendor_third_party.yaml

@@ -0,0 +1,51 @@
+name: vendor third_party
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    if: github.ref != 'refs/heads/master'
+    strategy:
+      matrix:
+        os: [ubuntu-24.04, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        submodules: true
+    - name: Build
+      run: third_party/build.sh
+    - name: Package artifacts
+      run: |
+        git add -A third_party/
+        git diff --cached --name-only -- third_party/ | tar -cf /tmp/third_party_build.tar -T -
+    - uses: actions/upload-artifact@v4
+      with:
+        name: third-party-${{ runner.os }}
+        path: /tmp/third_party_build.tar
+
+  commit:
+    needs: build
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+    - uses: actions/checkout@v6
+    - uses: actions/download-artifact@v4
+      with:
+        path: /tmp/artifacts
+    - name: Commit vendored libraries
+      run: |
+        for f in /tmp/artifacts/*/third_party_build.tar; do
+          tar xf "$f"
+        done
+        git add third_party/
+        if git diff --cached --quiet; then
+          echo "No changes to commit"
+          exit 0
+        fi
+        git config user.name "github-actions[bot]"
+        git config user.email "github-actions[bot]@users.noreply.github.com"
+        git commit -m "third_party: rebuild vendor libraries"
+        git push

third_party/acados/.gitignore

@@ -1,5 +1,9 @@
 acados_repo/
-lib
+/lib
 !x86_64/
 !larch64/
 !aarch64/
+!Darwin/
+!*.so
+!*.so.*
+!*.dylib

third_party/acados/acados_template/gnsf/__init__.py

@@ -0,0 +1 @@
+

third_party/acados/build.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -e
 
+export SOURCE_DATE_EPOCH=0
+export ZERO_AR_DATE=1
+
 DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null && pwd)"
 
 ARCHNAME="x86_64"

third_party/build.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -e
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null && pwd)"
+
+# Reproducible builds: pin timestamps to epoch
+export SOURCE_DATE_EPOCH=0
+export ZERO_AR_DATE=1
+
+pids=()
+names=()
+logs=()
+
+for script in "$DIR"/*/build.sh; do
+  [ -f "$script" ] || continue
+  name=$(basename "$(dirname "$script")")
+  log=$(mktemp)
+  names+=("$name")
+  logs+=("$log")
+  (cd "$(dirname "$script")" && bash "$(basename "$script")") >"$log" 2>&1 &
+  pids+=($!)
+done
+
+failed=0
+for i in "${!pids[@]}"; do
+  echo "--- ${names[$i]} ---"
+  if wait "${pids[$i]}"; then
+    echo "OK"
+  else
+    echo "FAILED (exit $?)"
+    failed=1
+  fi
+  cat "${logs[$i]}"
+  rm -f "${logs[$i]}"
+  echo
+done
+
+[ $failed -ne 0 ] && exit $failed
+
+# Repack ar archives with deterministic headers (zero timestamps/uid/gid)
+# Skip foreign-platform archives that ar can't read (e.g. Mach-O on Linux)
+while IFS= read -r -d '' lib; do
+  tmpdir=$(mktemp -d)
+  lib=$(realpath "$lib")
+  if (cd "$tmpdir" && ar x "$lib" 2>/dev/null); then
+    (cd "$tmpdir" && ar Drcs repacked.a * && mv repacked.a "$lib")
+  fi
+  rm -rf "$tmpdir"
+done < <(find "$DIR" -name '*.a' \
+  \( -path '*/x86_64/*' -o -path '*/Darwin/*' -o -path '*/larch64/*' -o -path '*/aarch64/*' \) \
+  -print0)
+
+echo -e "\033[32mAll third_party builds succeeded.\033[0m"

third_party/libyuv/.gitignore

@@ -1 +1,2 @@
-libyuv/
+/libyuv/
+!*.a

third_party/libyuv/build.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -e
 
+export SOURCE_DATE_EPOCH=0
+export ZERO_AR_DATE=1
+
 DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null && pwd)"
 
 ARCHNAME=$(uname -m)

third_party/libyuv/x86_64/include

@@ -1 +0,0 @@
-../include

third_party/raylib/.gitignore

@@ -1,3 +1,4 @@
 /raylib_repo/
 /raylib_python_repo/
 /wheel/
+!*.a

third_party/raylib/build.sh

@@ -1,6 +1,9 @@
 #!/usr/bin/env bash
 set -e
 
+export SOURCE_DATE_EPOCH=0
+export ZERO_AR_DATE=1
+
 SUDO=""
 
 # Use sudo if not root