From 583bd5bd87295fc7e52b43dac3d486179db83440 Mon Sep 17 00:00:00 2001
From: Ryan Butler
Date: Wed, 20 Nov 2024 11:35:44 -0500
Subject: [PATCH] implement liveusb artifact builds
---
 .github/workflows/nix-ci.yaml | 104 +++++++++++++++++++++++++++++++++
 .github/workflows/rust-ci.yaml | 4 --
 2 files changed, 104 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/nix-ci.yaml
diff --git a/.github/workflows/nix-ci.yaml b/.github/workflows/nix-ci.yaml
new file mode 100644
index 0000000..fd48939
--- /dev/null
+++ b/.github/workflows/nix-ci.yaml
@@ -0,0 +1,104 @@
+name: Nix CI
+on:
+ pull_request:
+ workflow_dispatch:
+ workflow_call:
+ secrets:
+ GIT_HUB_TOKEN:
+ required: true
+ CACHIX_AUTH_TOKEN:
+ required: false
+ push:
+ branches:
+ - main
+ - prod
+ tags:
+ - '**'
+
+env:
+ CI_NIXOS_HOSTNAMES: worldcoin-hil-munich-0 worldcoin-hil-munich-1
+
+jobs:
+ fmt:
+ name: Format
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+ with:
+ token: ${{ secrets.GIT_HUB_TOKEN }}
+ - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27
+ with:
+ github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+ - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+ continue-on-error: true
+ with:
+ name: worldcoin
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ - name: Print environment
+ run: |
+ uname -a
+ nix develop -c env
+
+ - name: Check Nix formatting
+ run: |
+ nix develop -c \
+ nixpkgs-fmt --check .
+
+ liveusb:
+ name: Build Nix Targets
+ runs-on: public-ubuntu-22.04-32core
+ steps:
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+ with:
+ token: ${{ secrets.GIT_HUB_TOKEN }}
+ - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27
+ with:
+ github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+ - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+ continue-on-error: true
+ with:
+ name: worldcoin
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ - name: Authorize private git repos
+ run: git config --global url."https://${{ secrets.GIT_HUB_TOKEN }}@github.com".insteadOf https://github.com
+
+ - name: Build liveusb
+ run: |
+ set -Eeux -o pipefail
+ nix build .#packages.x86_64-linux.liveusb
+ ls -alh result/
+ mkdir -p artifacts/liveusb
+ cp result/nixos.img artifacts/liveusb/nixos-liveusb.img
+
+ - name: Build NixOS configurations
+ run: |
+ set -Eeux -o pipefail
+ # TODO: Build *all* configurations.
+ for hostname in ${CI_NIXOS_HOSTNAMES}; do
+ nix build .#nixosConfigurations.${hostname}.config.system.build.toplevel
+ done
+
+ - name: Bundle artifacts
+ run: |
+ set -Eeuxo pipefail
+ mkdir artifacts_bundled
+ for b in artifacts/*; do
+ b="$(basename ${b})"
+ # We make sure that the tarball is idempotent:
+ # https://stackoverflow.com/a/54908072
+ tar --sort=name --owner=root:0 --group=root:0 --mtime='@0' \
+ -vahcf artifacts_bundled/${b}.tar.zst -C artifacts_linux/${b} .
+ done
+ ls -aRsh artifacts_bundled
+
+ - name: Upload Artifacts
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # pin@v4.3.3
+ if: github.event_name == 'workflow_dispatch' || format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
+ with:
+ # upload v4 doesn't support writing multiple times to the same artifact name.
+ # so its important that we name it after the workflow and not something
+ # general like "artifacts"
+ name: nix
+ path: artifacts_bundled
+ if-no-files-found: error
+ retention-days: 14
diff --git a/.github/workflows/rust-ci.yaml b/.github/workflows/rust-ci.yaml
index e964ee4..02e134a 100644
--- a/.github/workflows/rust-ci.yaml
+++ b/.github/workflows/rust-ci.yaml
@@ -38,10 +38,6 @@ jobs:
 - name: Check Rust formatting
 run: cargo fmt --check --all
- - name: Check Nix formatting
- run: |
- nix develop -c \
- nixpkgs-fmt --check flake.nix
 clippy:
 name: Clippy
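Review bot: The `Bundle artifacts` step tars from `-C artifacts_linux/${b}`, but the only directory the job populates is `artifacts/liveusb` (created in the `Build liveusb` step), so under `set -Eeuxo pipefail` the tar call fails and `Upload Artifacts` never runs; the argument should read `-C artifacts/${b} .`, and quoting `"${b}"` in the `basename` call and the tar paths is cheap while you are there. The `Authorize private git repos` step interpolates `secrets.GIT_HUB_TOKEN` directly into the command text and then persists it in the runner's global git config for the rest of the job; giving the step an `env:` entry `GIT_HUB_TOKEN: ${{ secrets.GIT_HUB_TOKEN }}` and writing the command as `run: git config --global url."https://${GIT_HUB_TOKEN}@github.com".insteadOf https://github.com` keeps the secret out of the rendered script, which is the form GitHub documents for secrets in `run` steps. On `pull_request` runs from forks these secrets are presumably empty, in which case the rewrite installs an empty credential in the URL and the checkout/install-nix steps also receive an empty token; skipping that step when the secret is empty, or restricting it to non-fork events, seems safer. The `Upload Artifacts` condition matches only `workflow_dispatch` and the default branch, so pushes to `prod` and to tags (both enabled triggers) build but never upload — if that is intentional, a comment on the `if:` line such as `# artifacts are only retained for default-branch and manual runs` would save the next reader the question.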