| author | seth <[email protected]> | 2023-12-13 22:06:24 -0500 |
|---|---|---|
| committer | seth <[email protected]> | 2023-12-14 03:34:54 -0500 |
| commit | 78a344c27ded577693734ed733a57cfd582700a3 (patch) | |
| tree | 2679c6b33073c70c6f33a66f5ef3955fefe64bff /.github | |
| parent | 974decdfa3449f47892532f9ac728275fb9fa2df (diff) | |
tree-wide: back to attic & gha again
Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/ci.yaml | 123 | ||||
| -rw-r--r-- | .github/workflows/deploy.yaml | 28 |
2 files changed, 139 insertions, 12 deletions
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..60e2dec
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,123 @@
+name: CI
+
+on:
+ pull_request:
+ workflow_call:
+ secrets:
+ ATTIC_TOKEN:
+ required: true
+ workflow_dispatch:
+
+jobs:
+ eval:
+ name: Evaluate flake
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.evaluate.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Evaluate matrix
+ id: evaluate
+ run: |
+ set -eu
+ echo "matrix=$(nix eval --show-trace --json .#githubWorkflow.matrix)" >> "$GITHUB_OUTPUT"
+
+ build:
+ needs: eval
+
+ strategy:
+ fail-fast: false
+ matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+ name: Build (${{ matrix.attr }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup QEMU
+ if: matrix.arch == 'aarch64'
+ uses: docker/setup-qemu-action@v3
+ with:
+ platforms: "arm64"
+
+ - name: Install Nix
+ if: matrix.arch != 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Install Nix (with aarch64)
+ if: matrix.arch == 'aarch64'
+ uses: DeterminateSystems/nix-installer-action@v9
+ with:
+ extra-conf: "extra-platforms = aarch64-linux arm-linux"
+
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Setup Attic cache
+ if: github.event_name != 'pull_request'
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: flake
+ token: ${{ secrets.ATTIC_TOKEN }}
+
+ - name: Run build
+ run: |
+ nix build -L --accept-flake-config .#${{ matrix.attr }}
+
+ check:
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+
+ name: Check flake (${{ matrix.os }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup local Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Setup Attic cache
+ if: github.event_name != 'pull_request'
+ uses: ryanccn/attic-action@v0
+ with:
+ endpoint: https://cache.mydadleft.me
+ cache: flake
+ token: ${{ secrets.ATTIC_TOKEN }}
+
+ - name: Run check
+ run: nix flake check --show-trace --accept-flake-config
+
+ # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
+ gate:
+ needs: [build, check]
+
+ name: CI Gate
+ runs-on: ubuntu-latest
+
+ if: always()
+
+ steps:
+ - name: Exit with result
+ run: |
+ build_result="${{ needs.build.result }}"
+ check_result="${{ needs.check.result }}"
+
+ results=("$build_result" "$check_result")
+
+ for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+
+ exit 0
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 083269b..0311f3f 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,34 +1,38 @@ name: Deploy infrastructure on: - check_suite: - types: [completed] + push: + branches: [main] workflow_dispatch: jobs: + ci: + name: CI + uses: ./.github/workflows/ci.yaml + secrets: inherit + nixos: - name: Deploy NixOS systems + needs: ci + name: Deploy NixOS systems runs-on: ubuntu-latest concurrency: group: deploy cancel-in-progress: true - # https://github.com/sellout/bash-strict-mode/commit/9bf1d65c2f786a9887facfcb81e06d8b8b5f4667 - if: github.event.check_suite.app.name == 'Garnix CI' - && github.event.check_suite.conclusion == 'success' - && github.event.check_suite.latest_check_runs_count >= 12 - && github.event.check_suite.head_branch == 'main' - steps: - uses: actions/checkout@v4 - name: Install Nix uses: DeterminateSystems/nix-installer-action@v9 - - name: Setup local Nix cache - uses: DeterminateSystems/magic-nix-cache-action@v2 + - name: Setup Attic cache + uses: ryanccn/attic-action@v0 + with: + endpoint: https://cache.mydadleft.me + cache: flake + token: ${{ secrets.ATTIC_TOKEN }} - name: Connect to Tailscale uses: tailscale/github-action@v2
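Review bot: `ryanccn/attic-action@v0` is handed `secrets.ATTIC_TOKEN` in both the `build` and `check` jobs while being referenced by a mutable tag, so whatever commit that tag resolves to at run time receives the cache token; the other `uses:` lines (`@v4`, `@v9`, `@v2`, `@v3`) are pinned the same way. Pin each action to a full commit SHA and keep the tag as a comment, e.g. `uses: ryanccn/attic-action@<full-commit-sha>  # v0`. In `Run build`, `${{ matrix.attr }}` is pasted into the script text, and the matrix is evaluated from the checked-out flake, which on `pull_request` is contributor-controlled; passing it as `env: ATTR: ${{ matrix.attr }}` and running `nix build -L --accept-flake-config ".#$ATTR"` keeps it data rather than shell. The workflow also declares no `permissions:`, so a top-level `permissions:` with `contents: read` is worth adding unless a step needs more.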
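Review bot: The removed `if:` included `head_branch == 'main'`, and nothing on the new side replaces it for manual runs: `push: branches: [main]` filters only the push trigger, while the unchanged `workflow_dispatch:` can be started on any ref, so the `nixos` job (its body continues outside this hunk) would check out and deploy the selected branch. Adding `if: github.ref == 'refs/heads/main'` to the deploy jobs, or putting them behind a protected environment, restores that guard. Separately, `secrets: inherit` makes every secret of this workflow available to ci.yaml although its `workflow_call` declares only `ATTIC_TOKEN`; passing `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}` under `secrets:` keeps the deploy credentials out of reach of the build jobs.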
@@ -97,7 +101,7 @@ jobs: - name: Validate plan run: | nix develop --accept-flake-config \ - --command tofu validate + --command tofu validate - name: Apply run: | |
