-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
230 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| # SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors | ||
| # | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| on: | ||
| workflow_call: | ||
| outputs: | ||
| result: | ||
| value: ${{ jobs.check.outputs.result }} | ||
|
|
||
| jobs: | ||
| check: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| result: ${{ steps.set-output.outputs.result }} | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| fetch-depth: 2 | ||
| - name: Check if build.yml is modified | ||
| id: build-yml-changed | ||
| uses: tj-actions/changed-files@v40 | ||
| with: | ||
| files: .github/workflows/build.yml | ||
| - name: Set output | ||
| id: set-output | ||
| run: | | ||
| # Not changed | ||
| if [ "${{ steps.build-yml-changed.outputs.any_changed }}" != "true" ]; | ||
| then | ||
| echo "result=not-changed" | ||
| echo "result=not-changed" >> "$GITHUB_OUTPUT" | ||
| exit 0 | ||
| fi | ||
| # Changed from external PR | ||
| if [ "${{ github.event_name }}" = "pull_request_target" ] && \ | ||
| [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; | ||
| then | ||
| echo "::error::"\ | ||
| "Editing workflow file '.github/workflows/build.yml' with PR from a"\ | ||
| "forked repository is not allowed. The change you are trying to do"\ | ||
| "requires internal PR from someone with write access to this repo." | ||
| echo "result=changed-from-fork" | ||
| echo "result=changed-from-fork" >> "$GITHUB_OUTPUT" | ||
| exit 1 | ||
| fi | ||
| # Changed from internal PR | ||
| echo "::error::"\ | ||
| "This change edits workflow file '.github/workflows/build.yml' from"\ | ||
| "an internal PR. Raising this error (but not failing the job) to notify"\ | ||
| "that the build workflow change will only take impact after merge."\ | ||
| "Therefore, you need to manually test the change (perhaps in a"\ | ||
| "forked repo) before merge to make sure the change does not break"\ | ||
| "anything."\ | ||
| "For now, there's no point of running the remaining build steps since"\ | ||
| "the results would not reflect the modification you have done to the"\ | ||
| "workflow, and might cause confusion or misinterpretation."\ | ||
| "Skipping the build step." | ||
| echo "result=changed-from-internal" | ||
| echo "result=changed-from-internal" >> "$GITHUB_OUTPUT" | ||
| exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,166 @@ | ||
| # SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors | ||
| # | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| name: build | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - '**' | ||
| workflow_dispatch: | ||
| pull_request_target: | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| # This workflow uses environment-based authorization together | ||
| # with 'pull_request_target' trigger as explained in: | ||
| # https://ssrc.atlassian.net/wiki/x/OABjMg | ||
| # check-identity: | ||
| # runs-on: ubuntu-latest | ||
| # outputs: | ||
| # authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user}} | ||
| # environment: 'internal-build-workflow' | ||
| # steps: | ||
| # - name: Check identity | ||
| # id: check-authorized-user | ||
| # shell: bash | ||
| # run: | | ||
| # authorized_user='False' | ||
| # for user in ${{ vars.AUTHORIZED_USERS }}; | ||
| # do | ||
| # if [ "$user" = "${{ github.actor }}" ]; then | ||
| # authorized_user='True' | ||
| # break | ||
| # fi | ||
| # done | ||
| # echo "github.event_name: ${{ github.event_name }}" | ||
| # echo "github.repository: ${{ github.repository }}" | ||
| # echo "github.event.pull_request.head.repo.full_name: ${{ github.event.pull_request.head.repo.full_name }}" | ||
| # echo "github.actor: ${{ github.actor }}" | ||
| # echo "authorized_user=$authorized_user" | ||
| # echo "authorized_user=$authorized_user" >> "$GITHUB_OUTPUT" | ||
| # | ||
| # authorize-internal: | ||
| # needs: [check-identity] | ||
| # runs-on: ubuntu-latest | ||
| # if: ${{ needs.check-identity.outputs.authorized_user == 'True' }} | ||
| # steps: | ||
| # - name: Authorize internal | ||
| # run: echo "authorized" | ||
| # | ||
| # authorize-external: | ||
| # needs: [check-identity] | ||
| # runs-on: ubuntu-latest | ||
| # if: ${{ needs.check-identity.outputs.authorized_user == 'False' }} | ||
| # environment: | ||
| # ${{ ( github.event_name == 'pull_request_target' && | ||
| # github.event.pull_request.head.repo.full_name != github.repository && | ||
| # 'external-build-workflow' ) || ( 'internal-build-workflow' ) }} | ||
| # steps: | ||
| # - name: Authorize external | ||
| # run: echo "authorized" | ||
| # | ||
| # authorize: | ||
| # needs: [authorize-internal, authorize-external] | ||
| # runs-on: ubuntu-latest | ||
| # # See: https://github.com/actions/runner/issues/491#issuecomment-660122693 | ||
| # if: | | ||
| # always() && | ||
| # (needs.authorize-internal.result == 'success' || needs.authorize-internal.result == 'skipped') && | ||
| # (needs.authorize-external.result == 'success' || needs.authorize-external.result == 'skipped') && | ||
| # !(needs.authorize-internal.result == 'skipped' && needs.authorize-external.result == 'skipped') | ||
| # steps: | ||
| # - name: Authorize | ||
| # run: echo "authorized" | ||
|
|
||
| build-yml-check: | ||
| uses: ./.github/workflows/build-yml-check.yml | ||
|
|
||
| build_matrix: | ||
| name: "build" | ||
| needs: [build-yml-check] # [authorize, build-yml-check] | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 360 | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - arch: x86_64-linux | ||
| target: fmo-os-installer-debug | ||
| # - arch: x86_64-linux | ||
| # target: fmo-os-installer-debug | ||
| if: | | ||
| always() && | ||
| # needs.authorize.result == 'success' && | ||
| needs.build-yml-check.outputs.result == 'not-changed' | ||
| concurrency: | ||
| # Cancel any in-progress workflow runs from the same PR or branch, | ||
| # allowing matrix jobs to run concurrently: | ||
| group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }}.${{ matrix.target }} | ||
| cancel-in-progress: true | ||
| steps: | ||
| - name: Maximize space available on rootfs | ||
| # Why not use https://github.com/easimon/maximize-build-space directly? | ||
| # The reason is: we want to maximize the space on rootfs, since that's | ||
| # where the nix store (`/nix/store`) is located. Github action | ||
| # https://github.com/easimon/maximize-build-space maximizes | ||
| # the builder space on ${GITHUB_WORKSPACE}, which is not what we need. | ||
| # Alternatively, we could move the nix store to ${GITHUB_WORKSPACE} | ||
| # and use https://github.com/easimon/maximize-build-space as such, but | ||
| # we suspect other tooling (e.g. cachix) would not work well with such | ||
| # configuration. | ||
| run: | | ||
| echo "Available storage before cleanup:" | ||
| df -h | ||
| echo | ||
| echo "Removing unwanted software... " | ||
| sudo rm -rf /usr/share/dotnet | ||
| sudo rm -rf /usr/local/lib/android | ||
| sudo rm -rf /opt/ghc | ||
| sudo rm -rf /opt/hostedtoolcache/CodeQL | ||
| sudo docker image prune --all --force | ||
| echo "... done" | ||
| echo | ||
| echo "Available storage after cleanup:" | ||
| df -h | ||
| - name: Print runner system info | ||
| run: sudo apt-get update; sudo apt-get install -y inxi; sudo inxi -c0 --width -1 --basic --memory-short | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | ||
| - name: Install nix | ||
| uses: cachix/install-nix-action@v24 | ||
| with: | ||
| extra_nix_config: | | ||
| # trusted-public-keys = ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY= cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= | ||
| # substituters = https://ghaf-dev.cachix.org?priority=20 https://cache.vedenemo.dev https://cache.nixos.org | ||
| system-features = nixos-test benchmark big-parallel kvm | ||
| # builders-use-substitutes = true | ||
| # builders = @/etc/nix/machines | ||
| # - name: Configure remote builder | ||
| # run: | | ||
| # sudo sh -c "umask 377; echo '${{ secrets.BUILDER_SSH_KEY }}' >/etc/nix/id_builder_key" | ||
| # sudo sh -c "echo '${{ vars.BUILDER_SSH_KNOWN_HOST }}' >>/etc/ssh/ssh_known_hosts" | ||
| # sudo sh -c "echo '${{ vars.BUILDER_MACHINE_CONFIG }}' >/etc/nix/machines" | ||
| # - name: Install cachix | ||
| # run: | | ||
| # nix-env -iA cachix -f https://cachix.org/api/v1/install | ||
| # echo "Using cachix version:" | ||
| # cachix --version | ||
| - name: Build ${{ matrix.arch }}.${{ matrix.target }} | ||
| run: | | ||
| # if [ "${{ secrets.CACHIX_AUTH_TOKEN }}" == "" ]; then | ||
| # echo "::error::Missing CACHIX_AUTH_TOKEN, will not build" | ||
| # exit 1 | ||
| # else | ||
| # echo "Running nix build, with cachix watch-exec" | ||
| # cachix authtoken ${{ secrets.CACHIX_AUTH_TOKEN }} | ||
| # cachix watch-exec ghaf-dev -- \ | ||
| # nix build .#packages.${{ matrix.arch }}.${{ matrix.target }} | ||
| # fi | ||
| nix build .#packages.${{ matrix.arch }}.${{ matrix.target }} |