Diffstat (limited to '.github')
| -rwxr-xr-x | .github/eval-flake.sh | 90 | ||||
| -rw-r--r-- | .github/workflows/ci.yaml | 113 | ||||
| -rw-r--r-- | .github/workflows/deploy.yaml | 18 |
3 files changed, 212 insertions, 9 deletions
diff --git a/.github/eval-flake.sh b/.github/eval-flake.sh
new file mode 100755
index 0000000..ceebcc9
--- /dev/null
+++ b/.github/eval-flake.sh
@@ -0,0 +1,90 @@
+#!/usr/bin/env bash
+set -euo pipefail
+### this is inspired by the ci script in [nixpkgs-unfree](https://github.com/numtide/nixpkgs-unfree)
+### link: https://github.com/numtide/nixpkgs-unfree/blob/127b9b18583de04c6207c2a0e674abf64fc4a3b1/ci.sh
+#
+## MIT License
+##
+## Copyright (c) 2022 Jonas Chevalier
+##
+## Permission is hereby granted, free of charge, to any person obtaining a copy
+## of this software and associated documentation files (the "Software"), to deal
+## in the Software without restriction, including without limitation the rights
+## to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+## copies of the Software, and to permit persons to whom the Software is
+## furnished to do so, subject to the following conditions:
+##
+## The above copyright notice and this permission notice shall be included in all
+## copies or substantial portions of the Software.
+##
+## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+## IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+## FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+## AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+## LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+## OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+## SOFTWARE.
+
+function get_os() {
+ case "$1" in
+ "x86_64-linux") echo "ubuntu-latest" ;;
+ "x86_64-darwin") echo "macos-latest" ;;
+ "aarch64-linux") echo "ubuntu-latst" ;;
+ esac
+}
+
+args=(
+ --gc-roots-dir gc-roots
+ --check-cache-status
+ --force-recurse
+ --option allow-import-from-derivation true
+ --show-trace
+ --flake
+ '.#hydraJobs'
+)
+
+if [[ -n "${GITHUB_STEP_SUMMARY-}" ]]; then
+ log() {
+ echo "$*" >> "$GITHUB_STEP_SUMMARY"
+ }
+else
+ log() {
+ echo "$*"
+ }
+fi
+
+jobs=$(nix-eval-jobs "${args[@]}" | jq -r '. | @base64')
+jq -n '{"include": []}' > matrix.json
+
+had_error=0
+echo "$jobs" | while read -r job; do
+ job=$(echo "$job" | base64 -d)
+ attr=$(echo "$job" | jq -r .attr)
+ echo "## $attr"
+
+ error=$(echo "$job" | jq -r '.error')
+ if [[ $error == null ]]; then
+ log "### ✅ $attr"
+
+ system=$(echo "$job" | jq -r .system)
+ isCached=$(echo "$job" | jq -r .isCached)
+
+ jq ".include += [{\"attr\": \"$attr\", \"os\": \"$(get_os "$system")\", \"isCached\": $isCached}]" < matrix.json > matrix.json.tmp
+ mv matrix.json.tmp matrix.json
+ else
+ log "### ❌ $attr"
+ log
+ log "<details><summary>Evaluation error:</summary><pre>"
+ log "$error"
+ log "</pre></details>"
+ had_error=1
+ fi
+done
+
+if [[ $had_error -gt 0 ]]; then
+ rm matrix.json
+ exit 1
+fi
+
+echo "matrix=$(jq -r 'tostring' matrix.json)" >> "$GITHUB_OUTPUT"
+rm matrix.json
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..c4fc11e
--- /dev/null
+++ b/.github/workflows/ci.yaml
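Review bot: `had_error=1` is assigned inside a `while` loop that is fed by `echo "$jobs" |`, so the loop body runs in a subshell and the flag never reaches the `if [[ $had_error -gt 0 ]]` check after `done` — a job whose evaluation fails is logged to the summary, but the script still writes `matrix=` to `$GITHUB_OUTPUT` and exits 0. Feed the loop from the current shell instead, `done < <(printf '%s\n' "$jobs")`, so the assignment survives. Separately, `get_os` maps `aarch64-linux` to `"ubuntu-latst"`, which is not a valid runner label, and has no default arm, so an unmapped system produces an empty `os` in the matrix. The matrix entry is built by splicing `$attr` and the os string into the jq program text; `jq --arg attr "$attr" --arg os "$(get_os "$system")" --argjson isCached "$isCached" '.include += [{attr: $attr, os: $os, isCached: $isCached}]'` keeps attribute names containing quotes or backslashes from breaking or altering the generated JSON.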
@@ -0,0 +1,113 @@
+name: CI
+
+on:
+ pull_request:
+ workflow_call:
+ secrets:
+ CACHIX_AUTH_TOKEN:
+ description: "auth token for cachi"
+ workflow_dispatch:
+
+jobs:
+ eval:
+ name: Evaluate flake
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.eval.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v13
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Evaluate jobs
+ id: eval
+ run: |
+ nix shell --inputs-from . \
+ nixpkgs#{bash,coreutils,jq,nix-eval-jobs} \
+ --command bash ./.github/eval-flake.sh
+
+ build:
+ needs: eval
+
+ strategy:
+ matrix: ${{ fromJSON(needs.eval.outputs.matrix) }}
+
+ name: Build (${{ matrix.attr }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v13
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Check if cached
+ if: ${{ matrix.isCached }}
+ run: |
+ echo ${{ matrix.attr }} is already built!
+
+ - name: Run build
+ if: ${{ !matrix.isCached }}
+ run: |
+ nix build --print-build-logs --fallback \
+ .#hydraJobs.${{ matrix.attr }}
+
+ check:
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+
+ name: Check flake (${{ matrix.os }})
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Cachix
+ uses: cachix/cachix-action@v13
+ with:
+ name: getchoo
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+ - name: Run check
+ run: |
+ nix flake check \
+ --print-build-logs \
+ --fallback \
+ --show-trace \
+ --option allow-import-from-derivation true
+
+ gate:
+ needs: [build, check]
+
+ name: CI Gate
+ runs-on: ubuntu-latest
+
+ if: always()
+
+ steps:
+ - name: Exit with result
+ run: |
+ build_result="${{ needs.build.result }}"
+ check_result="${{ needs.check.result }}"
+ results=("$build_result" "$check_result")
+ for result in "${results[@]}"; do [ "$result" != "success" ] && exit 1; done
+ exit 0
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 695d63c..98b3b1d 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,21 +1,21 @@ name: Deploy infrastructure on: - check_suite: - types: [completed] + push: + branches: [main] workflow_dispatch: jobs: + ci: + uses: ./.github/workflows/ci.yaml + secrets: inherit + nixos: + needs: ci + name: Deploy NixOS systems runs-on: ubuntu-latest - # https://github.com/sellout/bash-strict-mode/commit/9bf1d65c2f786a9887facfcb81e06d8b8b5f4667 - if: github.event.check_suite.app.name == 'Garnix CI' - && github.event.check_suite.conclusion == 'success' - && github.event.check_suite.latest_check_runs_count >= 10 - && github.event.check_suite.head_branch == 'main' - concurrency: group: deploy cancel-in-progress: true
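Review bot: `matrix.attr` is expanded straight into the `run:` text of the "Check if cached" and "Run build" steps (`echo ${{ matrix.attr }} is already built!` and `.#hydraJobs.${{ matrix.attr }}`), so the attribute name becomes shell syntax rather than a quoted value; on the `pull_request` trigger that name comes from evaluating the checked-out PR's own flake. Pass it through the environment instead — `env:` / `  ATTR: ${{ matrix.attr }}` on each step, then `"$ATTR"` and `".#hydraJobs.$ATTR"` in the script — so it is handled as data. The third-party actions `DeterminateSystems/nix-installer-action@v9` and `cachix/cachix-action@v13` are referenced by mutable tags in every job while the cachix step receives `CACHIX_AUTH_TOKEN`; pinning both to a full commit SHA closes the tag-retarget window. The secret's `description` reads `"auth token for cachi"`, presumably meant to be `cachix`.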
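Review bot: `secrets: inherit` on the new `ci` job forwards every secret this deploy workflow can see into ci.yaml, which declares only `CACHIX_AUTH_TOKEN`; the deploy workflow presumably holds deployment credentials that the CI jobs never need. Pass the single secret explicitly, `secrets:` / `  CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}`, so a compromised or misbehaving CI step cannot reach the rest. The `nixos` job now gates only on `needs: ci`, so a failure of the called workflow's gate job is the sole thing that blocks a deploy from `main`; that is fine as long as the gate is intended to be the control.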
@@ -49,9 +49,9 @@ jobs: --command deploy opentofu: - name: Apply OpenTofu plan needs: nixos + name: Apply OpenTofu plan runs-on: ubuntu-latest concurrency: |
