Define variables separately

Preparing to add a matrix to the build job. Variables should only be set
once and can be done outside of the matrix.

Author: victorlin

.github/workflows/ci.yml

@@ -17,18 +17,9 @@ jobs:
       - uses: actions/checkout@v6
       - uses: nextstrain/.github/actions/shellcheck@master
 
-  # Build multi-platform builder and final images with caching from Docker Hub
-  # and GitHub Container Registry; push to GitHub Container Registry.
-  build:
+  vars:
     runs-on: ubuntu-latest
     steps:
-
-    - uses: actions/checkout@v6
-
-    - uses: actions/setup-python@v6
-      with:
-        python-version: '>=3.8'
-
     - name: Set $CACHE_DATE
       run: echo "CACHE_DATE=$(date --utc +%Y%m%dT%H%M%SZ)" | tee -a "$GITHUB_ENV"
 
@@ -42,6 +33,23 @@ jobs:
       # and hyphens.
       run: echo "TAG=branch-${GITHUB_REF_NAME//[^A-Za-z0-9._-]/-}" | tee -a "$GITHUB_ENV"
 
+    outputs:
+      cache-date: ${{ env.CACHE_DATE }}
+      tag: ${{ env.TAG }}
+
+  # Build multi-platform builder and final images with caching from Docker Hub
+  # and GitHub Container Registry; push to GitHub Container Registry.
+  build:
+    needs: vars
+    runs-on: ubuntu-latest
+    steps:
+
+    - uses: actions/checkout@v6
+
+    - uses: actions/setup-python@v6
+      with:
+        python-version: '>=3.8'
+
     - uses: docker/setup-qemu-action@v3
 
     # GITHUB_TOKEN is unreliable¹ so use a token from nextstrain-bot.
@@ -53,6 +61,9 @@ jobs:
         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
 
     - run: ./devel/build -p linux/amd64,linux/arm64 -r ghcr.io -t "$TAG" -l logs/
+      env:
+        TAG: ${{ needs.vars.outputs.tag }}
+        CACHE_DATE: ${{ needs.vars.outputs.cache-date }}
 
     - if: always()
       name: Upload build logs as artifacts
@@ -75,13 +86,10 @@ jobs:
         } >> "$GITHUB_STEP_SUMMARY"
         done
 
-    outputs:
-      tag: ${{ env.TAG }}
-
   # Run tests with the final image from GitHub Container Registry.
   test:
     name: test (${{ matrix.platform }})
-    needs: build
+    needs: [vars, build]
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -119,21 +127,21 @@ jobs:
 
     - run: make test
       env:
-        IMAGE: ghcr.io/nextstrain/base:${{ needs.build.outputs.tag }}
+        IMAGE: ghcr.io/nextstrain/base:${{ needs.vars.outputs.tag }}
         DOCKER_DEFAULT_PLATFORM: ${{ matrix.platform }}
 
     - uses: nextstrain/.github/actions/setup-nextstrain-cli@master
 
     - name: Run zika-tutorial
       run: |
         git clone https://github.com/nextstrain/zika-tutorial
-        nextstrain build --image ghcr.io/nextstrain/base:${{ needs.build.outputs.tag }} zika-tutorial -F
+        nextstrain build --image ghcr.io/nextstrain/base:${{ needs.vars.outputs.tag }} zika-tutorial -F
       env:
         DOCKER_DEFAULT_PLATFORM: ${{ matrix.platform }}
 
   validate-platforms:
     name: Validate platforms
-    needs: build
+    needs: [vars, build]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -147,13 +155,13 @@ jobs:
         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
 
     - name: Validate final images
-      run: ./devel/validate-platforms -r ghcr.io -t ${{ needs.build.outputs.tag }}
+      run: ./devel/validate-platforms -r ghcr.io -t ${{ needs.vars.outputs.tag }}
 
   # "Push" (copy) the builder and final images from GitHub Container Registry to
   # Docker Hub, where they will persist. Do this regardless of test results.
   push-branch:
-    if: startsWith(needs.build.outputs.tag, 'branch-') && github.event_name != 'pull_request'
-    needs: build
+    if: startsWith(needs.vars.outputs.tag, 'branch-') && github.event_name != 'pull_request'
+    needs: [vars, build]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -171,13 +179,13 @@ jobs:
         password: ${{ secrets.DOCKER_TOKEN }}
 
     - name: Copy $TAG images to Docker Hub
-      run: ./devel/copy-images -i ghcr.io -o docker.io -t ${{ needs.build.outputs.tag }}
+      run: ./devel/copy-images -i ghcr.io -o docker.io -t ${{ needs.vars.outputs.tag }}
 
   # "Push" (copy) the builder and final images from GitHub Container Registry to
   # Docker Hub, where they will persist. Only do this if tests pass.
   push-build:
-    if: startsWith(needs.build.outputs.tag, 'build-')
-    needs: [build, test, validate-platforms]
+    if: startsWith(needs.vars.outputs.tag, 'build-')
+    needs: [vars, build, test, validate-platforms]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -196,7 +204,7 @@ jobs:
 
     - name: Copy $TAG + latest images to Docker Hub
       run: |
-        ./devel/copy-images -i ghcr.io -o docker.io -t ${{ needs.build.outputs.tag }} -l
+        ./devel/copy-images -i ghcr.io -o docker.io -t ${{ needs.vars.outputs.tag }} -l
 
   # Run pathogen repo CI builds with the final image
   # This is running pathogen-repo-ci@v0 for pathogen repos that do not conform
@@ -206,7 +214,7 @@ jobs:
   test-pathogen-repo-ci-v0:
     # Only one of push-{branch,build} runs for any given workflow run, and
     # we're ok with either of them.
-    needs: [build, push-branch, push-build]
+    needs: [vars, push-branch, push-build]
     if: |2
          success()
       || needs.push-branch.result == 'success'
@@ -227,7 +235,7 @@ jobs:
       runtimes: |
         - docker
       env: |
-        NEXTSTRAIN_DOCKER_IMAGE: nextstrain/base:${{ needs.build.outputs.tag }}
+        NEXTSTRAIN_DOCKER_IMAGE: nextstrain/base:${{ needs.vars.outputs.tag }}
       artifact-name: ${{ matrix.pathogen }}-outputs
       continue-on-error: true
     secrets: inherit
@@ -239,7 +247,7 @@ jobs:
   test-pathogen-repo-ci:
     # Only one of push-{branch,build} runs for any given workflow run, and
     # we're ok with either of them.
-    needs: [build, push-branch, push-build]
+    needs: [vars, push-branch, push-build]
     if: |2
          success()
       || needs.push-branch.result == 'success'
@@ -267,15 +275,15 @@ jobs:
       runtimes: |
         - docker
       env: |
-        NEXTSTRAIN_DOCKER_IMAGE: nextstrain/base:${{ needs.build.outputs.tag }}
+        NEXTSTRAIN_DOCKER_IMAGE: nextstrain/base:${{ needs.vars.outputs.tag }}
       artifact-name: ${{ matrix.pathogen }}-outputs
       continue-on-error: true
     secrets: inherit
 
   # Delete the builder and final images from GitHub Container Registry.
   cleanup-registry:
     if: always()
-    needs: [build, test, validate-platforms, push-branch, push-build]
+    needs: [vars, build, test, validate-platforms, push-branch, push-build]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v6
@@ -285,6 +293,6 @@ jobs:
         github-token: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
         script: |
           const script = require('./devel/delete-from-ghcr.js');
-          const tag = "${{ needs.build.outputs.tag }}";
+          const tag = "${{ needs.vars.outputs.tag }}";
           const token = "${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}";
           script({fetch, octokit: github, tag, token});