| -rw-r--r-- | .github/actions/setup-nix/action.yaml | 17 | ||||
| -rw-r--r-- | .github/workflows/audit.yaml | 30 | ||||
| -rw-r--r-- | .github/workflows/ci.yaml | 14 | ||||
| -rw-r--r-- | .github/workflows/format.yaml | 26 | ||||
| -rw-r--r-- | .github/workflows/lint.yaml | 37 | ||||
| -rw-r--r-- | .github/workflows/update-flake.yaml | 28 | ||||
| -rw-r--r-- | flake.lock | 53 | ||||
| -rw-r--r-- | flake.nix | 14 | ||||
| -rw-r--r-- | parts/dev.nix | 10 |
9 files changed, 154 insertions, 75 deletions
diff --git a/.github/actions/setup-nix/action.yaml b/.github/actions/setup-nix/action.yaml new file mode 100644 index 0000000..8afecd1 --- /dev/null +++ b/.github/actions/setup-nix/action.yaml @@ -0,0 +1,17 @@ +name: "setup nix & cachix" +description: "setup nix and cachix" +inputs: + cachix-token: + description: "cachix auth token" + default: "" + required: false + +runs: + using: "composite" + steps: + - uses: cachix/install-nix-action@v21 + + - uses: cachix/cachix-action@v12 + with: + name: getchoo + authToken: ${{ inputs.cachix-token }} diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml new file mode 100644 index 0000000..677ea14 --- /dev/null +++ b/.github/workflows/audit.yaml @@ -0,0 +1,30 @@ +name: audit crates +# this checks our dependencies for +# security advisories every saturday + +on: + schedule: + - cron: "0 0 * * 6" + push: + paths: + - "Cargo.lock" + pull_request: + paths: + - "Cargo.lock" + workflow_dispatch: + +jobs: + audit: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: setup nix & cachix + uses: ./.github/actions/setup-nix + with: + cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }} + + - name: run audit + run: | + nix build -L .#checks.x86_64-linux.audit diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1237ddc..bebf885 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -6,7 +6,6 @@ on: workflow_dispatch: permissions: - checks: write contents: write packages: write @@ -17,14 +16,11 @@ jobs: format: name: format project - if: github.event_name != 'pull_request' - needs: lint uses: ./.github/workflows/format.yaml build: runs-on: ubuntu-latest - needs: format - if: always() && (needs.format.result == 'success' || needs.format.result == 'skipped') + needs: lint strategy: matrix: 
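Review bot: The composite action pins `cachix/install-nix-action@v21` and `cachix/cachix-action@v12` by mutable tag, so anyone able to move those tags can change the code that installs the toolchain and receives `inputs.cachix-token` on every run; pin both to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: cachix/cachix-action@<commit-sha> # v12`. The same applies to `actions/checkout@v3` in audit.yaml, ci.yaml, format.yaml, lint.yaml and update-flake.yaml, and to `DeterminateSystems/update-flake-lock@v19`, which runs under `contents: write`. A Dependabot or Renovate rule for the `github-actions` ecosystem keeps the SHAs current without manual edits.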
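Review bot: The `run audit` step builds `.#checks.x86_64-linux.audit` against the `advisory-db` revision pinned in flake.lock, so the Saturday run only reports advisories that were already in the lockfile the last time it was updated, which undercuts the comment at the top of the file. Point the scheduled run at the live database, `nix build -L --override-input advisory-db github:rustsec/advisory-db .#checks.x86_64-linux.audit`, and keep the pinned input for the push/PR runs if reproducibility matters there. The workflow also declares no `permissions:`, so the job inherits the repository's default `GITHUB_TOKEN` grant although it only needs `contents: read`; lint.yaml, which drops its `permissions:` block in this commit, has the same gap.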
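Review bot: The `format` job calls `./.github/workflows/format.yaml` with no `secrets:` entry, and a reusable workflow only receives secrets the caller passes (`secrets: inherit` or an explicit list), so the `${{ secrets.CACHIX_AUTH_TOKEN }}` that format.yaml hands to the setup action will be empty in those runs unless a caller line outside this hunk passes it; lint.yaml is presumably invoked the same way. Since those jobs only build checks, the least-privilege fix is to drop `with: cachix-token:` from the called workflows and rely on the composite action's empty default, which leaves cache pulls working; if pushing is wanted, declare the secret under `workflow_call.secrets` and pass it explicitly rather than using `inherit`.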
@@ -33,12 +29,10 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: cachix/install-nix-action@v21 - - - uses: cachix/cachix-action@v12 + - name: setup nix & cachix + uses: ./.github/actions/setup-nix with: - name: getchoo - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - name: build run: | diff --git a/.github/workflows/format.yaml b/.github/workflows/format.yaml index b0eaddd..e189f46 100644 --- a/.github/workflows/format.yaml +++ b/.github/workflows/format.yaml @@ -13,31 +13,25 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: actions-rs/toolchain@v1 + - name: setup nix & cachix + uses: ./.github/actions/setup-nix with: - profile: minimal - toolchain: stable - override: true - components: clippy + cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - name: run cargo fmt - uses: actions-rs/cargo@v1 - with: - command: fmt - args: --all - - - uses: EndBug/add-and-commit@v9 - with: - default_author: github_actions - message: "chore: fmt rust files" + run: | + nix build -L .#checks.x86_64-linux.fmt nix-fmt: runs-on: ubuntu-latest - needs: cargo-fmt + if: github.event_name != 'pull_request' steps: - uses: actions/checkout@v3 - - uses: cachix/install-nix-action@v21 + - name: setup nix & cachix + uses: ./.github/actions/setup-nix + with: + cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - run: nix fmt diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 550e406..aab9e34 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
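Review bot: The `nix-fmt` job runs `nix fmt`, which rewrites files in the checkout, while the Rust job above it is now a read-only check (`.#checks.x86_64-linux.fmt`) and the `EndBug/add-and-commit` step that used to write formatting back has been removed; nothing in this hunk commits the result, so either the job has no observable effect or a commit step after the hunk does it under ci.yaml's workflow-level `contents: write`. Consider making it a check as well, running the formatter in check mode if the configured formatter supports one, and documenting the intent with a comment such as `# fails on unformatted nix files; run nix fmt locally` above the step. The `nix-fmt` job may continue past the end of this hunk.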
@@ -4,39 +4,22 @@ on: workflow_call: workflow_dispatch: -permissions: - checks: write - jobs: - cargo-check: + lint: runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - override: true - - name: run cargo check - uses: actions-rs/cargo@v1 - with: - command: check + strategy: + matrix: + check: [teawiebot, clippy] - clippy: - runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - uses: actions-rs/toolchain@v1 + - name: setup nix & cachix + uses: ./.github/actions/setup-nix with: - profile: minimal - toolchain: stable - override: true - components: clippy + cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - - uses: actions-rs/clippy-check@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - args: --all-features + - name: lint + run: | + nix build -L .#checks.x86_64-linux.${{ matrix.check }} diff --git a/.github/workflows/update-flake.yaml b/.github/workflows/update-flake.yaml new file mode 100644 index 0000000..12d7607 --- /dev/null +++ b/.github/workflows/update-flake.yaml @@ -0,0 +1,28 @@ +name: update nix flake +# this is to make sure we can build against a +# recent version of nixos-unstable + +on: + schedule: + - cron: "0 0 * * 6" + workflow_dispatch: + +permissions: + contents: write + +jobs: + update-flake: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: setup nix & cachix + uses: ./.github/actions/setup-nix + with: + cachix-token: ${{ secrets.CACHIX_AUTH_TOKEN }} + + - uses: DeterminateSystems/update-flake-lock@v19 + with: + commit-msg: "chore(flake): update inputs" + pr-title: "chore(flake): update inputs" 
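Review bot: The removed `actions-rs/clippy-check` step lint ran with `args: --all-features`, whereas the new `lint` step builds `.#checks.x86_64-linux.clippy` with whatever arguments `cargoClippy` is given in parts/dev.nix, and the visible part of that hunk sets no `cargoClippyExtraArgs`, so feature-gated code may silently stop being linted. Confirm the check passes `cargoClippyExtraArgs = "--all-features";` in dev.nix, or record the narrower scope with a comment on the step, e.g. `# clippy scope is configured in parts/dev.nix`. The `matrix.check` values interpolated into `run:` are static strings here, which is fine; keep it that way, since anything user-controlled in that position would be shell injection.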
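Review bot: The workflow grants only `contents: write`, but `update-flake-lock` opens a pull request, which additionally needs `pull-requests: write` unless a token is supplied through the action's `token` input. With the default `GITHUB_TOKEN`, the PR it opens will as a rule not trigger ci.yaml or audit.yaml, because GitHub does not start workflows for events caused by that token, so the bumped `nixpkgs`, `crane` and `advisory-db` pins would reach `main` unchecked; a fine-grained PAT or GitHub App token scoped to this repository with `contents: write` and `pull-requests: write` avoids both problems. Note too that this shares the `0 0 * * 6` schedule with audit.yaml, so the advisory-db refresh always lands after that week's audit has already run.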
@@ -1,5 +1,21 @@ { "nodes": { + "advisory-db": { + "flake": false, + "locked": { + "lastModified": 1684873045, + "narHash": "sha256-MVXbXNXcqiaeJZbwVw6R16xqxJkpm+ipAIljz4/9QaM=", + "owner": "rustsec", + "repo": "advisory-db", + "rev": "e162556b9e8c1542c187290453cbd322e8905f0c", + "type": "github" + }, + "original": { + "owner": "rustsec", + "repo": "advisory-db", + "type": "github" + } + }, "crane": { "inputs": { "flake-compat": [ @@ -14,11 +30,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1684468982, - "narHash": "sha256-EoC1N5sFdmjuAP3UOkyQujSOT6EdcXTnRw8hPjJkEgc=", + "lastModified": 1684981077, + "narHash": "sha256-68X9cFm0RTZm8u0rXPbeBzOVUH5OoUGAfeHHVoxGd9o=", "owner": "ipetkov", "repo": "crane", - "rev": "99de890b6ef4b4aab031582125b6056b792a4a30", + "rev": "35110cccf28823320f4fd697fcafcb5038683982", "type": "github" }, "original": { @@ -35,11 +51,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1684650006, - "narHash": "sha256-cIWPr9nCddVu3DITyHBNWy9tBbfc86u+BxPEnRWslMM=", + "lastModified": 1685427675, + "narHash": "sha256-fWvqK8RhC6LABuUM7JL+loHhoRFcJx8rkAXGroVeKKw=", "owner": "nix-community", "repo": "fenix", - "rev": "fb17fb7db07709d2aca1efc1000fb1cf60b00b4e", + "rev": "9ea56d5de762971f6a7319711bae0532ca454dc9", "type": "github" }, "original": { @@ -71,11 +87,11 @@ ] }, "locked": { - "lastModified": 1683560683, - "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=", + "lastModified": 1685457039, + "narHash": "sha256-bEFtQm+YyLxQjKQAaBHJyPN1z2wbhBnr2g1NJWSYjwM=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "006c75898cf814ef9497252b022e91c946ba8e17", + "rev": "80717d11615b6f42d1ad2e18ead51193fc15de69", "type": "github" }, "original": { 
@@ -125,11 +141,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1684668519, - "narHash": "sha256-KkVvlXTqdLLwko9Y0p1Xv6KQ9QTcQorrU098cGilb7c=", + "lastModified": 1685399834, + "narHash": "sha256-Lt7//5snriXSdJo5hlVcDkpERL1piiih0UXIz1RUcC4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85340996ba67cc02f01ba324e18b1306892ed6f5", + "rev": "58c85835512b0db938600b6fe13cc3e3dc4b364e", "type": "github" }, "original": { @@ -156,11 +172,11 @@ ] }, "locked": { - "lastModified": 1684195081, - "narHash": "sha256-IKnQUSBhQTChFERxW2AzuauVpY1HRgeVzAjNMAA4B6I=", + "lastModified": 1685361114, + "narHash": "sha256-4RjrlSb+OO+e1nzTExKW58o3WRwVGpXwj97iCta8aj4=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "96eabec58248ed8f4b0ad59e7ce9398018684fdc", + "rev": "ca2fdbf3edda2a38140184da6381d49f8206eaf4", "type": "github" }, "original": { @@ -171,6 +187,7 @@ }, "root": { "inputs": { + "advisory-db": "advisory-db", "crane": "crane", "fenix": "fenix", "flake-compat": "flake-compat", @@ -183,11 +200,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1684616122, - "narHash": "sha256-PLQN+e93BC1Yiqt4QNCj3cJ4mHtsO7Xlgn0VprgxiX4=", + "lastModified": 1685378411, + "narHash": "sha256-Ufkqek5m8GzV3cz3Mw7bc0hO1d5hN0cO5BoTAK303K8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "a04d8456be1d289c814846178cc1ff63b4fc297b", + "rev": "bc8295255c5bcc293251d47590dcbfd320eaab87", "type": "github" }, "original": { 
@@ -12,26 +12,40 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + flake-compat = { url = "github:edolstra/flake-compat"; flake = false; }; + flake-parts = { url = "github:hercules-ci/flake-parts"; inputs.nixpkgs-lib.follows = "nixpkgs"; }; + # this is just to avoid having multiple versions in flake.lock flake-utils.url = "github:numtide/flake-utils"; + + # used for cargo audit + advisory-db = { + url = "github:rustsec/advisory-db"; + flake = false; + }; + + # our build framework crane = { url = "github:ipetkov/crane"; inputs.nixpkgs.follows = "nixpkgs"; inputs.flake-compat.follows = "flake-compat"; inputs.flake-utils.follows = "flake-utils"; }; + + # toolchain management fenix = { url = "github:nix-community/fenix"; inputs.nixpkgs.follows = "nixpkgs"; }; + pre-commit-hooks = { url = "github:cachix/pre-commit-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/parts/dev.nix b/parts/dev.nix index 01c33c6..65fcfd0 100644 --- a/parts/dev.nix +++ b/parts/dev.nix @@ -10,16 +10,18 @@ src, toolchain, ... - }: { + } @ args: { checks = let + inherit (craneLib) cargoAudit cargoClippy cleanCargoSource cargoFmt path; + commonArgs = { - inherit src; + src = cleanCargoSource (path args.src); }; - - inherit (craneLib) cargoClippy cargoFmt; in { inherit (self.packages.${system}) teawiebot; + audit = cargoAudit (commonArgs // {inherit (inputs) advisory-db;}); + clippy = cargoClippy (commonArgs // { inherit (self.packages.${system}) cargoArtifacts; |
