Diffstat (limited to '.github')
| -rw-r--r-- | .github/dependabot.yml | 4 | ||||
| -rw-r--r-- | .github/workflows/autobot.yaml | 4 | ||||
| -rw-r--r-- | .github/workflows/ci.yaml | 114 | ||||
| -rw-r--r-- | .github/workflows/clippy.yaml | 49 | ||||
| -rw-r--r-- | .github/workflows/docker.yaml | 61 | ||||
| -rw-r--r-- | .github/workflows/nix.yaml | 64 | ||||
| -rw-r--r-- | .github/workflows/update-flake.yaml | 60 |
7 files changed, 268 insertions, 88 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ea75cc8..f9f0b67 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,11 +5,11 @@ updates: schedule: interval: "weekly" commit-message: - prefix: "deps(actions)" + prefix: "ci" - package-ecosystem: "cargo" directory: "/" schedule: interval: "weekly" commit-message: - prefix: "deps(crates)" + prefix: "crates" diff --git a/.github/workflows/autobot.yaml b/.github/workflows/autobot.yaml index a8b959f..69d6ad0 100644 --- a/.github/workflows/autobot.yaml +++ b/.github/workflows/autobot.yaml @@ -5,14 +5,14 @@ on: pull_request jobs: automerge: name: Check and merge PR + if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest permissions: contents: write pull-requests: write - if: github.actor == 'dependabot[bot]' - steps: - uses: dependabot/fetch-metadata@v2 id: metadata diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..67371c0 --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,114 @@ +name: CI + +on: + push: + branches: [main] + pull_request: + workflow_dispatch: + +jobs: + build: + name: Build + + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] + + runs-on: ${{ matrix.os }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Rust + uses: dtolnay/rust-toolchain@stable + with: + toolchain: stable + components: clippy + + - name: Setup Rust cache + uses: Swatinem/rust-cache@v2 + + - name: Run build + run: cargo build --locked --release + + clippy: + name: Run Clippy scan + + runs-on: ubuntu-latest + + permissions: + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v10 + + - name: Setup Nix cache + uses: DeterminateSystems/magic-nix-cache-action@v4 + + - name: Setup Rust cache + uses: Swatinem/rust-cache@v2 + + - name: Install SARIF tools + run: | + nix profile install \ + --inputs-from ./nix/dev \ + github:getchoo/nix-exprs#{clippy-sarif,sarif-fmt} + + - name: Fetch Cargo deps + run: | + nix develop ./nix/dev#ci --command \ + cargo fetch --locked + + - name: Run Clippy + continue-on-error: true + run: | + nix develop ./nix/dev#ci --command \ + cargo clippy \ + --all-features \ + --all-targets \ + --message-format=json \ + | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt + + - name: Upload results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: /tmp/clippy.sarif + wait-for-processing: true + + format: + name: Check formatting + + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v10 + + - name: Setup Nix cache + uses: DeterminateSystems/magic-nix-cache-action@v4 + + - name: Run treefmt + run: | + pushd nix/dev + nix fmt + popd + git diff --color=always --exit-code + + release-gate: + name: CI Release Gate 
+ needs: [build, format] + + runs-on: ubuntu-latest + + steps: + - name: Exit with result + run: echo "We're good to go!" diff --git a/.github/workflows/clippy.yaml b/.github/workflows/clippy.yaml deleted file mode 100644 index 1c3a316..0000000 --- a/.github/workflows/clippy.yaml +++ /dev/null @@ -1,49 +0,0 @@ -name: Clippy - -on: - push: - branches: ["main"] - pull_request: - -jobs: - clippy: - name: Run Clippy scan - runs-on: ubuntu-latest - - permissions: - security-events: write - - steps: - - uses: actions/checkout@v4 - - - name: Install Rust - uses: dtolnay/rust-toolchain@stable - with: - toolchain: stable - components: clippy - - - name: Setup Rust cache - uses: Swatinem/rust-cache@v2 - - - name: Install SARIF tools - run: cargo install clippy-sarif sarif-fmt - - - name: Fetch Cargo deps - run: cargo fetch --locked - - - name: Run Clippy - continue-on-error: true - run: | - set -euxo pipefail - - cargo clippy \ - --all-features \ - --all-targets \ - --message-format=json \ - | clippy-sarif | tee /tmp/clippy.sarif | sarif-fmt - - - name: Upload results - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: /tmp/clippy.sarif - wait-for-processing: true diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index d738366..5f45bec 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml 
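Review bot: Neither the workflow nor the `build` and `format` jobs declare `permissions:`, so the GITHUB_TOKEN in those jobs carries the repository's default scope although only `clippy` needs `security-events: write`; add a top-level `permissions:` with `contents: read` and keep the job-level grant on `clippy`. The same omission applies to the `build` job in docker.yaml and to all three jobs in nix.yaml further down this diff. The `Run Clippy` step also dropped the `set -euxo pipefail` that the deleted clippy.yaml had, and without `shell: bash` the runner's default `bash -e {0}` has no pipefail, so the step's status is `sarif-fmt`'s rather than `cargo clippy`'s; `continue-on-error: true` hides the difference in the job result, but `shell: bash` on that step keeps the step status honest. Every third-party action here is referenced by a mutable tag (`actions/checkout@v4`, `DeterminateSystems/nix-installer-action@v10`, `Swatinem/rust-cache@v2`, `github/codeql-action/upload-sarif@v3`) or a branch (`dtolnay/rust-toolchain@stable`); pinning each to a full commit SHA with a trailing version comment, which the `github-actions` dependabot entry in this diff will keep current, removes the tag-retargeting exposure.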
@@ -1,27 +1,25 @@ -name: Push to image registry +name: Docker on: - check_suite: - types: [completed] + push: + branches: [main] + pull_request: workflow_dispatch: jobs: build: name: Build image - runs-on: ubuntu-latest strategy: + fail-fast: false matrix: arch: [x86_64, aarch64] - # https://github.com/sellout/bash-strict-mode/commit/9bf1d65c2f786a9887facfcb81e06d8b8b5f4667 - if: github.event.check_suite.app.name == 'Garnix CI' - && github.event.check_suite.conclusion == 'success' - && github.event.check_suite.latest_check_runs_count >= 8 - && github.event.check_suite.head_branch == 'main' + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - name: Install Nix uses: DeterminateSystems/nix-installer-action@v10 @@ -31,10 +29,17 @@ jobs: - name: Build Docker image id: build + env: + ARCH: ${{ matrix.arch }} run: | - nix build -L --accept-flake-config .#container-${{ matrix.arch }} + nix build \ + --fallback \ + --print-build-logs \ + ./nix/dev#container-"$ARCH" + + # exit if no `result` from nix build [ ! -L result ] && exit 1 - echo "path=$(realpath result)" >> "$GITHUB_OUTPUT" + echo "path=$(readlink -f ./result)" >> "$GITHUB_OUTPUT" - name: Upload image uses: actions/upload-artifact@v4 @@ -44,10 +49,21 @@ jobs: if-no-files-found: error retention-days: 1 + release-gate: + name: Docker Release Gate + needs: build + + runs-on: ubuntu-latest + + steps: + - name: Exit with result + run: echo "We're good to go!" + push: name: Push image + if: github.event_name == 'push' + needs: release-gate - needs: build runs-on: ubuntu-latest permissions: @@ -55,14 +71,15 @@ jobs: env: REGISTRY: ghcr.io - USERNAME: getchoo + USERNAME: ${{ github.actor }} steps: - name: Set image name run: | echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV" - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - name: Download images uses: actions/download-artifact@v4 
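Review bot: The `push` job now depends only on `release-gate`, which itself needs only this workflow's `build`, so `:latest` is published on every push to `main` whose image build succeeds, whereas the removed `check_suite` condition waited for the external Garnix run on `main` (`conclusion == 'success'`, `latest_check_runs_count >= 8`) before publishing. If the CI and Nix workflows are meant to gate the image, that gate no longer exists, because `needs:` cannot reference jobs in another workflow. If gating on the image build alone is intended, a comment on `release-gate` such as `# Gates on the image build only; ci.yaml and nix.yaml are not awaited` makes that explicit; otherwise a `workflow_run` trigger on those workflows is the usual way to restore the ordering.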
@@ -80,17 +97,15 @@ jobs: env: TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest run: | - set -eux - architectures=("x86_64" "aarch64") for arch in "${architectures[@]}"; do docker load < images/container-"$arch"/*.tar.gz - docker tag teawiebot:latest-"$arch" ${{ env.TAG }}-"$arch" - docker push ${{ env.TAG }}-"$arch" + docker tag teawiebot:latest-"$arch" "$TAG"-"$arch" + docker push "$TAG"-"$arch" done - docker manifest create ${{ env.TAG }} \ - --amend ${{ env.TAG }}-x86_64 \ - --amend ${{ env.TAG }}-aarch64 + docker manifest create "$TAG" \ + --amend "$TAG"-x86_64 \ + --amend "$TAG"-aarch64 - docker manifest push ${{ env.TAG }} + docker manifest push "$TAG" diff --git a/.github/workflows/nix.yaml b/.github/workflows/nix.yaml new file mode 100644 index 0000000..4427afa --- /dev/null +++ b/.github/workflows/nix.yaml @@ -0,0 +1,64 @@ +name: Nix + +on: + push: + branches: [main] + pull_request: + workflow_dispatch: + +jobs: + build: + name: Build + + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, macos-latest] + + runs-on: ${{ matrix.os }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v10 + + - name: Setup Nix cache + uses: DeterminateSystems/magic-nix-cache-action@v4 + + - name: Run build + run: nix build --fallback --print-build-logs + + check: + name: Check flake + + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@v10 + + - name: Setup Nix cache + uses: DeterminateSystems/magic-nix-cache-action@v4 + + - name: Run nix flake check + run: | + nix flake check \ + --all-systems \ + --fallback \ + --print-build-logs \ + --show-trace + + release-gate: + name: Nix Release Gate + needs: [build, check] + + runs-on: ubuntu-latest + + steps: + - name: Exit with result + run: echo "We're good to go!" 
diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml index 3726908..a3a6293 100644 --- a/.github/workflows/update-flake.yaml +++ b/.github/workflows/update-flake.yaml @@ -1,4 +1,4 @@ -name: Update flake.lock +name: Update lockfiles on: schedule: 
@@ -8,29 +8,65 @@ on: jobs: update: + name: Run update runs-on: ubuntu-latest permissions: contents: write pull-requests: write + env: + PR_BRANCH: "update-lockfiles" + steps: - - uses: actions/checkout@v4 + - name: Checkout repository + uses: actions/checkout@v4 - name: Install Nix uses: DeterminateSystems/nix-installer-action@v10 - - name: Update lockfile & make PR - uses: DeterminateSystems/update-flake-lock@v21 - id: update - with: - commit-msg: "flake: update inputs" - pr-title: "flake: update inputs" - token: ${{ github.token }} + - name: Set Git user info + run: | + git config user.name 'github-actions[bot]' + git config user.email 'github-actions[bot]@users.noreply.github.com' + + - name: Create new branch + id: branch + run: | + git switch -c "$PR_BRANCH" + + - name: Update flake inputs + run: | + pushd nix/dev + nix flake update \ + --commit-lock-file \ + --commit-lockfile-summary "nix: update dev flake.lock" + popd + + nix flake update \ + --commit-lock-file \ + --commit-lockfile-summary "nix: update flake.lock" + + - name: Make PR if needed + env: + GH_TOKEN: ${{ github.token }} + run: | + if ! git diff --color=always --exit-code origin/main; then + git fetch origin "$PR_BRANCH" || true + git push --force-with-lease -u origin "$PR_BRANCH" + + open_prs="$(gh pr list --base main --head "$PR_BRANCH" | wc -l)" + if [ "$open_prs" -eq 0 ]; then + gh pr create \ + --base main \ + --head "$PR_BRANCH" \ + --title "chore: update lockfiles" \ + --fill + fi + fi - name: Enable auto-merge shell: bash - run: gh pr merge --auto --rebase "$PR_ID" + run: gh pr merge --auto --squash env: - GH_TOKEN: ${{ github.token }} - PR_ID: ${{ steps.update.outputs.pull-request-number }} + GH_TOKEN: ${{ secrets.MERGE_TOKEN }} |
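Review bot: The `Enable auto-merge` step runs unconditionally and `gh pr merge --auto --squash` is given no PR argument, so on a run where the lockfiles are already current (the `git diff --exit-code origin/main` branch is skipped and nothing is pushed) it resolves the PR from the current branch, finds none and fails the job, whereas the old step was handed an explicit `PR_ID`. Give the `Make PR if needed` step `id: pr`, append `echo "pushed=true" >> "$GITHUB_OUTPUT"` right after the `git push`, and add `if: steps.pr.outputs.pushed == 'true'` to the merge step. Separately, the branch push and `gh pr create` run with `github.token` (checkout's default persisted credentials and the step's `GH_TOKEN`) while only the merge uses `secrets.MERGE_TOKEN`; pushes and pull requests made with the built-in token do not trigger other workflows, so the `pull_request` gates in ci.yaml, nix.yaml and docker.yaml would presumably not run on this PR and auto-merge would either wait indefinitely or merge unchecked depending on branch protection — confirm, and if so pass `MERGE_TOKEN` to `actions/checkout` via `with: token:` and to the PR step too. A comment above the `MERGE_TOKEN` line stating the scope it is expected to have (fine-grained, this repository only, contents and pull-requests write) would help whoever rotates it. The `id: branch` on `Create new branch` is never referenced and can be dropped.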
