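---
# CI workflow for the package repository: lint the helper scripts, run the
# repository checks, build the repository from `main` and from the commit under
# test, build the packages against it, and — on pushes to `main` only — publish
# the built repository to the `repo` branch and to GitHub Pages.
#
# NOTE(review): third-party actions are pinned to major-version tags
# (`@v1`/`@v2`/`@v3`). Pinning to full commit SHAs would protect against a
# moved tag; the SHAs are not recorded here, so this is left as a follow-up.
#
# NOTE(review): `nixos` is not a GitHub-hosted runner label (the `deploy` job
# below explicitly notes it is the one that can use GitHub-provided runners),
# and the workflow also triggers on `pull_request`, so code from pull requests
# runs on those runners — confirm how they are isolated if the repository is
# public.
name: CI

on:
  # Following https://github.com/orgs/community/discussions/26276
  # to get builds on PRs and pushes to master but not double
  # builds on PRs.
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: every job only needs to read
# the repository, except `deploy`, which declares its own (write) permissions
# and thereby replaces this block for that job.
permissions:
  contents: read

env:
  # Accept the flake's `nixConfig` without prompting. NOTE(review): on
  # `pull_request` runs this accepts the nixConfig of the PR's flake.nix as
  # well; which settings the daemon on the runner actually honours depends on
  # its trusted-users configuration — confirm.
  NIX_CONFIG: accept-flake-config = true

jobs:
  # Lint the shell scripts under scripts/ with shellcheck from the pinned
  # nixpkgs release branch (the tarball URL is not hash-pinned, so the
  # shellcheck version follows that branch).
  shellcheck:
    runs-on: nixos
    steps:
      - uses: actions/checkout@v3
      - name: Run shellcheck on scripts/*.sh
        run: nix-shell -I nixpkgs=https://github.com/nixos/nixpkgs/archive/release-23.05.tar.gz -p shellcheck --run 'shellcheck scripts/*.sh'

  # Run the repository's own check script inside the dev shell.
  check:
    runs-on: nixos
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # the check script below needs the whole history
      - name: Run checks
        run: nix develop -c ./scripts/check.sh

  # Build the repository twice — from `main` and from the tip commit — upload
  # the tip build and its metadata as artifacts, and verify that the new index
  # is an extension of the old one.
  build-repo:
    runs-on: nixos
    steps:
      - name: Checkout main
        uses: actions/checkout@v3
        with:
          ref: main
      - uses: actions/cache@v3
        with:
          path: _cache
          key: "1"  # bump to refresh (quoted so the key is a string, not an int)
      # The signing keys arrive as a base64-encoded tarball in the KEYS secret.
      # Secrets are not exposed to pull requests from forks, so in that case
      # fresh throwaway keys are generated for this run instead.
      - name: Unpack keys
        env:
          KEYS: ${{ secrets.KEYS }}
        run: |
          if [[ -z "$KEYS" ]]; then
            echo "Could not access repository secret keys (PR is coming from a fork?)"
            echo "Generating fresh keys for this run"
            nix develop -c foliage create-keys
          else
            mkdir _keys
            echo "$KEYS" | base64 -d | tar xvz -C _keys
          fi
      - name: Build repository (main)
        run: |
          nix develop -c foliage build -j 0 --write-metadata
          mv _repo _repo-main
          cp _repo-main/foliage/packages.json packages-old.json
      # `clean: false` skips the workspace clean-up the checkout action would
      # otherwise do, presumably so that _repo-main, the keys and
      # packages-old.json from the steps above survive — verify.
      - name: Checkout tip commit
        uses: actions/checkout@v3
        with:
          clean: false
      - name: Build repository (tip)
        run: |
          nix develop -c foliage build -j 0 --write-metadata
          cp _repo/foliage/packages.json packages-new.json
      - name: Copy static web assets
        run: |
          cp static/index.html _repo
          cp README.md _repo
      # See https://github.com/actions/upload-artifact/issues/36
      - name: Pack repository in a tar archive
        run: tar cf _repo.tar -C _repo .
      # Do this before the check, useful to have the artifact in case the
      # check fails!
      - name: Upload built repository
        uses: actions/upload-artifact@v3
        with:
          name: built-repo
          path: _repo.tar
      - name: Upload package metadata
        uses: actions/upload-artifact@v3
        with:
          name: package-metadata
          path: |
            packages-old.json
            packages-new.json
      # Note: we use the check script from the tip so we pick up changes
      # to the script from the PR itself.
      # The hint text is printed before the check so that it is visible in the
      # log when the script fails; bash's builtin echo does not interpret `\n`,
      # so the blank line is emitted with its own echo.
      - name: Check new index is an extension of the old index
        run: |
          echo "If this check failed because 'some entries only exist in the old index'"
          echo "then you may need to update your branch."
          echo ""
          echo "If it failed because 'the last old entry is newer than the first new entry'"
          echo "then you may need to update the timestamps in your new packages to be newer than those in main."
          ./scripts/check-archive-extension.sh _repo-main/01-index.tar _repo/01-index.tar

  # Build the smoke-test package set against the repository built from the tip.
  build-packages:
    runs-on: nixos
    needs:
      - build-repo
    steps:
      - uses: actions/checkout@v3
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
      - name: Unpack built repository
        run: |
          mkdir _repo
          tar xf _repo.tar -C _repo
      - name: Build smoke test packages
        # The > is the "YAML folded string" marker, which replaces
        # newlines with spaces, since the usual bash idiom of \
        # doesn't work for some reason
        run: >
          nix build .#allSmokeTestPackages
          -L
          --override-input CHaP path:_repo
          --show-trace

  # Build only the package-versions that are new relative to `main`.
  build-new-packages:
    runs-on: nixos
    needs:
      - build-repo
    steps:
      - uses: actions/checkout@v3
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
      - name: Unpack built repository
        run: |
          mkdir _repo
          tar xf _repo.tar -C _repo
      - name: Download package metadata
        uses: actions/download-artifact@v3
        with:
          name: package-metadata
          path: .
      # This is a bit of a hack: to build the newly added packages, we:
      # 1. compute the packages.json that just contains the new package-versions
      # 2. overwrite the built repository's packages.json with the computed one
      # 3. build "all the packages" which now means "the new packages"
      #
      # This avoids us having to do other complicated tricks to make the flake
      # take the set of packages to build as an argument.
      - name: Adjust repository metadata
        run: |
          scripts/compare-package-metadata.sh packages-old.json packages-new.json > packages-diff.json
          echo "Newly added packages:"
          cat packages-diff.json
          mv -f packages-diff.json _repo/foliage/packages.json
      - name: Build all newly added packages
        run: >
          nix build .#allPackages
          -L
          --override-input CHaP path:_repo
          --show-trace

  # Before deploying, compare the freshly built index against the index that is
  # actually published on the `repo` branch.
  deploy-check:
    runs-on: nixos
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - build-repo
    steps:
      - uses: actions/checkout@v3
        with:
          path: src
      # NOTE(review): this checkout fails when the remote has no `repo` branch
      # yet, whereas the "Commit as branch" step in `deploy` tolerates a missing
      # branch — confirm that is intended (it is fine once `deploy` has run once).
      - uses: actions/checkout@v3
        with:
          path: repo
          ref: repo
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
      - name: Unpack built repository
        run: |
          mkdir built-repo
          tar xf _repo.tar -C built-repo
      # This is meaningfully different to the check in 'build': that checks the repository
      # built from main and from the PR tip, but that's not _actually_ the repository
      # deployed in the repo branch. It should be the same, but it can't hurt to check
      # against the thing that's actually deployed before we deploy.
      - name: Check new index is an extension of the old index
        run: |
          ./src/scripts/check-archive-extension.sh repo/01-index.tar built-repo/01-index.tar

  # Publish the built repository: commit it to the `repo` branch and deploy it
  # to GitHub Pages. Gated to pushes on `main` and to the three jobs it needs.
  deploy:
    # This job is fine to run on GitHub provided (free) runners.
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - check
      - build-repo
      - deploy-check
    concurrency:
      group: "pages"
      cancel-in-progress: true
    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
    # and to push the `repo` branch. Job-level permissions replace the
    # read-only workflow default, so this job is the only one with write access.
    permissions:
      contents: write
      id-token: write
      pages: write
    # Deploy to the github-pages environment
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - uses: actions/checkout@v3
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
      - name: Unpack built repository
        run: |
          mkdir _repo
          tar xf _repo.tar -C _repo
      # Writes the contents of _repo as a new commit on the `repo` branch
      # without touching the current checkout: the tree is written directly
      # with `git write-tree --prefix`, then committed on top of origin/repo
      # (or as a root commit if the branch does not exist yet).
      - name: Commit as branch
        run: |
          set -xe
          # see https://github.com/orgs/community/discussions/26560 and https://github.com/actions/checkout/issues/13
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          # Need --force because _repo is gitignore'd
          git add --force _repo
          treeId=$(git write-tree --prefix=_repo)
          # the checkout action doesn't checkout all branches so we fetch
          # the repo branch, if the remote doesn't have it, it's ok we do
          # without
          if git fetch --quiet origin repo; then
            # add commit to branch
            commitId=$(git commit-tree -p origin/repo -m "Update from ${{ github.sha }}" "$treeId")
          else
            # add commit with no parents
            commitId=$(git commit-tree -m "Update from ${{ github.sha }}" "$treeId")
          fi
          git update-ref "refs/heads/repo" "$commitId"
          git push origin repo
      - name: Setup Pages
        uses: actions/configure-pages@v1
      - name: Upload pages artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: _repo
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v2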