# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors
# SPDX-License-Identifier: Apache-2.0
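name: Run pre-push checks

# Least-privilege default for GITHUB_TOKEN. No step below pushes, comments or
# writes check results, and pull_request_target otherwise runs fork-submitted
# PRs with a write-capable token by default. Widen per job only if a step is
# shown to need it (NOTE(review): verify changed-files works with read-only
# scope in this repo).
permissions:
  contents: read

on:
  push:
    branches:
      - main
  # pull_request_target: runs in the context of the base repo with access to
  # its secrets. Fork PR code is only executed in build_matrix, which is gated
  # by the authorize job below; keep it that way.
  pull_request_target:
    branches:
      - main

jobs:
  # Checks whether the user who triggered this run (github.actor) is in our
  # predefined list of authorized users. AUTHORIZED_USERS is a whitespace
  # separated list of usernames kept as a variable of the 'internal' environment.
  check-identity:
    runs-on: ubuntu-latest
    outputs:
      authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user }}
    environment: 'internal'
    steps:
      - name: Check identity
        id: check-authorized-user
        shell: bash
        # Context values are passed through env instead of being interpolated
        # into the script text, so they are never parsed as shell syntax.
        env:
          AUTHORIZED_USERS: ${{ vars.AUTHORIZED_USERS }}
          ACTOR: ${{ github.actor }}
        run: |
          # AUTHORIZED_USERS is a newline separated list of usernames; tr also
          # accepts other whitespace as separator. grep -Fx: literal, whole line.
          if printf '%s\n' "$AUTHORIZED_USERS" | tr -s '[:space:]' '\n' | grep -Fxq -- "$ACTOR"; then
            echo "User is authorized"
            echo "authorized_user=True" >> "$GITHUB_OUTPUT"
          else
            echo "User not authorized"
            echo "authorized_user=False" >> "$GITHUB_OUTPUT"
          fi

  # Authorization passes without approval if
  # - the event is not a pull request (eg. push to main)
  # - pull request comes from another branch in the same repo
  # - author is in our predefined list of authorized users
  # If none of these conditions are met, the workflow requires
  # manual approval from a maintainer with write permissions to continue.
  # The approval gate is the 'external' environment's required-reviewers
  # setting (repository configuration, not visible in this file); without it
  # this job does not gate anything.
  authorize:
    needs: [check-identity]
    environment: ${{
      ( github.event_name != 'pull_request_target' ||
        github.event.pull_request.head.repo.full_name == github.repository ||
        needs.check-identity.outputs.authorized_user == 'True' )
      && 'internal' || 'external' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo "Auth OK"

  # Send a warning and fail this job if the workflow file was changed.
  # Rest of the workflow continues as normal but the job failure will grab author's attention.
  # This job runs for every pull_request_target event, before any approval, so
  # it must only run pinned actions and never code from the PR checkout.
  no-workflow-changes:
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'pull_request_target' }}
    steps:
      # NOTE(review): action refs are shown here as extracted from the page;
      # pin third-party actions to a full commit SHA rather than a mutable tag.
      - uses: actions/[email protected]
        with:
          # head.sha (not head.ref) pins the exact commit the run was
          # triggered for; a later push to the PR cannot swap it underneath.
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          fetch-depth: 0
      - name: Check if workflow is modified
        id: workflow-changed
        uses: tj-actions/[email protected]
        with:
          files: .github/workflows/test-ghaf-infra.yml
      - name: Send warning
        env:
          ANY_CHANGED: ${{ steps.workflow-changed.outputs.any_changed }}
        run: |
          if [ "$ANY_CHANGED" == "true" ]; then
            # Single message on one line; the previous fragment concatenation
            # dropped the spaces between sentences.
            echo "::error::This change edits workflow file '.github/workflows/test-ghaf-infra.yml'. Raising this error to notify that the workflow change will only take impact after merge. Therefore, you need to manually test the change (perhaps in a forked repo) before merging to make sure the change does not break anything."
            exit 1
          fi

  build_matrix:
    name: "build"
    # Don't run unless authorization was successful
    needs: [authorize]
    runs-on: ubuntu-latest
    timeout-minutes: 360
    strategy:
      matrix:
        include:
          - arch: x86_64-linux
          - arch: aarch64-linux
    if: ${{ always() && needs.authorize.result == 'success' }}
    concurrency:
      # Cancel any in-progress workflow runs from the same PR or branch,
      # allowing matrix jobs to run concurrently:
      group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }}
      cancel-in-progress: true
    steps:
      - name: Checkout
        # NOTE(review): ref shown as extracted; pin to a full commit SHA.
        uses: actions/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          fetch-depth: 0
      - name: Install nix
        uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
          name: ghaf-dev
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      - name: Prepare build
        # The key reaches the shell through the environment rather than being
        # pasted into the script text: a key containing a quote or backslash
        # cannot break or alter the command, and the script never embeds the
        # secret. umask 377 yields mode 0400 on builder_key, as before.
        env:
          BUILDER_SSH_KEY: ${{ secrets.BUILDER_SSH_KEY }}
        run: |
          (umask 377; printf '%s\n' "$BUILDER_SSH_KEY" > builder_key)
      - name: Build ${{ matrix.arch }}
        # For an approved external PR this runs scripts/nix-fast-build.sh from
        # the PR head with the builder key available, so approvers of the
        # 'external' environment should review that script's diff first.
        env:
          ARCH: ${{ matrix.arch }}
          BUILDER_X86: ${{ vars.BUILDER_X86 }}
          BUILDER_AARCH: ${{ vars.BUILDER_AARCH }}
        run: |
          case "$ARCH" in
            x86_64-linux)
              BUILDER="$BUILDER_X86"
              TARGET='x86'
              ;;
            aarch64-linux)
              BUILDER="$BUILDER_AARCH"
              TARGET='aarch'
              ;;
            *)
              echo "::error::Unknown architecture: '$ARCH'"
              exit 1
              ;;
          esac
          OPTS="--remote $BUILDER --remote-ssh-option IdentityFile builder_key"
          nix develop --command bash -c "./scripts/nix-fast-build.sh -t $TARGET -o '$OPTS'"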