refactor(build): avoid release publishing race conditions

Only run release jobs after all build jobs have completed, ensure only
one release job runs at a time, and also ensure update casks only runs
once after all release jobs have completed.

.github/workflows/_build.yml

@@ -4,6 +4,10 @@ name: _build
 on:
   workflow_call:
     inputs:
+      should_run:
+        description: Whether or not to run the build job
+        type: boolean
+        default: false
       artifact_prefix:
         description: Artifact prefix
         type: string
@@ -103,7 +107,6 @@ jobs:
       check: ${{ steps.check.outputs.result }}
     steps:
       - name: Checkout build-emacs-for-macos repo
-        if: ${{ inputs.os != inputs.build_os }}
         uses: actions/checkout@v4
         with:
           repository: jimeh/build-emacs-for-macos
@@ -124,8 +127,11 @@ jobs:
       - name: Ensure emacs-builder is executable
         if: ${{ inputs.os == inputs.build_os }}
         run: chmod +x bin/emacs-builder
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: Plan build
         run: >-
+          nix develop --command
           bin/emacs-builder -l debug plan --output build-plan.yml
           --output-dir '${{ github.workspace }}/builds'
           ${{ needs.prepare.outputs.test_plan_args }}
@@ -239,7 +245,7 @@ jobs:
           KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
 
           # import certificate and provisioning profile from secrets
-          echo -n "$CERT_BASE64" | base64 --decode --output "$CERTIFICATE_PATH"
+          echo -n "$CERT_BASE64" | base64 --decode > "$CERTIFICATE_PATH"
 
           # create temporary keychain
           security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

.github/workflows/_release.yml

@@ -1,14 +1,17 @@
 ---
 # Requires _prepare.yml and _build.yml re-usable workflows to have run.
 name: _release
+concurrency:
+  group: _release
+  cancel-in-progress: false
 on:
   workflow_call:
     inputs:
       os:
         description: GitHub Actions runner OS
         type: string
         required: false
-        default: "macos-12"
+        default: "macos-13"
       plan_artifact:
         description: Name of artifact containing a emacs-builder plan yaml file
         type: string
@@ -17,15 +20,6 @@ on:
         description: Name of artifact containing a *.dmg files to release
         type: string
         required: true
-      test_build_name:
-        description: "Test build name"
-        type: string
-        required: false
-      update_casks:
-        description: "Update casks in homebrew tap?"
-        type: boolean
-        required: true
-        default: true
     secrets:
       TAP_REPO_TOKEN:
         description: Personal Access Token for Homebrew Tap repo
@@ -61,14 +55,5 @@ jobs:
           $(find builds -name '*.dmg' -or -name '*.sha256')
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Trigger update casks workflow in homebrew tap
-        if: >-
-          steps.dmg.outputs.result != 'fail' &&
-          inputs.test_build_name == '' &&
-          inputs.update_casks
-        run: >-
-          gh workflow run --repo jimeh/homebrew-emacs-builds update-casks.yml
-        env:
-          GITHUB_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
       - run: echo 'No DMG artifact available, was there a new commit to build?'
         if: ${{ steps.dmg.outputs.result == 'fail' }}

.github/workflows/build.yml

@@ -19,9 +19,9 @@ on:
         required: false
         default: ""
       os:
-        description: 'Runner OS ("macos-12", "macos-13", or "macos-latest")'
+        description: 'Runner OS ("macos-13", "macos-14", or "macos-latest")'
         required: true
-        default: "macos-12"
+        default: "macos-13"
       test_build_name:
         description: "Test build name"
         required: false
@@ -62,7 +62,7 @@ jobs:
     needs: [prepare]
     with:
       os: ${{ github.event.inputs.os }}
-      build_os: "macos-12"
+      build_os: "macos-13"
       artifact_prefix: "x86_64-"
       git_ref: ${{ github.event.inputs.git_ref }}
       git_sha: ${{ github.event.inputs.git_sha }}
@@ -82,14 +82,18 @@ jobs:
   release_x86_64:
     name: Release (x86_64)
     uses: ./.github/workflows/_release.yml
-    needs: [build_x86_64]
-    if: ${{ needs.build_x86_64.outputs.package_created }}
+    # Depend on both build_x86_64 and build_arm64, but only run if build_x86_64
+    # was successful and a package was created. This ensure wait for all builds
+    # to complete before running any release jobs.
+    needs: [build_x86_64, build_arm64]
+    if: |
+      always() &&
+      needs.build_x86_64.result == 'success' &&
+      needs.build_x86_64.outputs.package_created
     with:
       os: ${{ github.event.inputs.os }}
       plan_artifact: x86_64-build-plan
       dmg_artifact: x86_64-dmg
-      test_build_name: ${{ github.event.inputs.test_build_name }}
-      update_casks: true
     secrets:
       TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
 
@@ -124,13 +128,44 @@ jobs:
   release_arm64:
     name: Release (arm64)
     uses: ./.github/workflows/_release.yml
-    needs: [build_arm64]
-    if: ${{ needs.build_arm64.outputs.package_created }}
+    # Depend on both build_arm64 and build_x86_64, but only run if build_arm64
+    # was successful and a package was created. This ensure wait for all builds
+    # to complete before running any release jobs.
+    needs: [build_arm64, build_x86_64]
+    if: |
+      always() &&
+      needs.build_arm64.result == 'success' &&
+      needs.build_arm64.outputs.package_created
     with:
       os: ${{ github.event.inputs.os }}
       plan_artifact: arm64-build-plan
       dmg_artifact: arm64-dmg
-      test_build_name: ${{ github.event.inputs.test_build_name }}
-      update_casks: false
     secrets:
       TAP_REPO_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}
+
+  # ----------------------------------------------------------------------------
+  # Trigger update casks workflow in homebrew tap
+  # ----------------------------------------------------------------------------
+
+  update_casks:
+    name: Update Casks
+    concurrency:
+      group: _update-casks
+    runs-on: "ubuntu-latest"
+    # Depend on both release jobs, but only run if either of them was
+    # successful. This ensures we only run this job once all release jobs have
+    # been completed.
+    needs: [release_x86_64, release_arm64]
+    if: >-
+      always() &&
+      github.event.inputs.test_build_name == '' &&
+      (
+        needs.build_x86_64.result == 'success' ||
+        needs.build_arm64.result == 'success'
+      )
+    steps:
+      - name: Trigger update casks workflow in homebrew tap
+        run: >-
+          gh workflow run --repo jimeh/homebrew-emacs-builds update-casks.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.TAP_REPO_TOKEN }}