Use foliage like CHaP does #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
# Following https://github.com/orgs/community/discussions/26276 | |
# to get builds on PRs and pushes to master but not double | |
# builds on PRs. | |
push: | |
branches: | |
- main | |
pull_request: | |
workflow_dispatch: | |
env: | |
NIX_CONFIG: accept-flake-config = true | |
jobs: | |
check: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install Nix with good defaults | |
uses: cachix/install-nix-action@v20 | |
with: | |
extra_nix_config: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= | |
substituters = https://cache.iog.io/ https://cache.zw3rk.com/ https://cache.nixos.org/ | |
nix_path: nixpkgs=channel:nixos-unstable | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # the check script below needs the whole history | |
- name: Run checks | |
run: nix develop -c ./scripts/check.sh | |
build-repo: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install Nix with good defaults | |
uses: cachix/install-nix-action@v20 | |
with: | |
extra_nix_config: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= | |
substituters = https://cache.iog.io/ https://cache.zw3rk.com/ https://cache.nixos.org/ | |
nix_path: nixpkgs=channel:nixos-unstable | |
- name: Checkout main | |
uses: actions/checkout@v4 | |
with: | |
ref: main | |
# See https://github.com/actions/cache/pull/1231 | |
# Astonishingly, this simple bump is not merged and released yet | |
- uses: kbdharun/cache@8070854e57d983bdd2887b0a708ad985f77398ab | |
with: | |
path: _cache | |
key: 1 # bump to refresh | |
- name: Unpack keys | |
env: | |
KEYS: ${{ secrets.KEYS }} | |
run: | | |
if [[ -z "$KEYS" ]]; then | |
echo "Could not access repository secret keys (PR is coming from a fork?)" | |
echo "Generating fresh keys for this run" | |
nix develop -c foliage create-keys | |
else | |
mkdir _keys | |
echo "$KEYS" | base64 -d | tar xvz -C _keys | |
fi | |
- name: Build repository (main) | |
run: | | |
nix develop -c foliage build -j 0 --write-metadata | |
mv _repo _repo-main | |
cp _repo-main/foliage/packages.json packages-old.json | |
- name: Checkout tip commit | |
uses: actions/checkout@v4 | |
with: | |
clean: false | |
- name: Build repository (tip) | |
run: | | |
nix develop -c foliage build -j 0 --write-metadata | |
cp _repo/foliage/packages.json packages-new.json | |
- name: Copy static web assets | |
run: | | |
cp static/index.html _repo | |
cp README.md _repo | |
# See https://github.com/actions/upload-artifact/issues/36 | |
- name: Pack repository in a tar archive | |
run: tar cf _repo.tar -C _repo . | |
# Do this before the check, useful to have the artifact in case the | |
# check fails! | |
- name: Upload built repository | |
uses: actions/upload-artifact@v4 | |
with: | |
name: built-repo | |
path: _repo.tar | |
- name: Upload package metadata | |
uses: actions/upload-artifact@v4 | |
with: | |
name: package-metadata | |
path: | | |
packages-old.json | |
packages-new.json | |
# Note: we use the check script from the tip so we pick up changes | |
# to the script from the PR itself. | |
- name: Check new index is an extension of the old index | |
run: | | |
echo "If this check failed because 'some entries only exist in the old index'" | |
echo "then you may need to update your branch.\n" | |
echo "If it failed because 'the last old entry is newer than the first new entry'" | |
echo "then you may need to update the timestamps in your new packages to be newer than those in main." | |
./scripts/check-archive-extension.sh _repo-main/01-index.tar _repo/01-index.tar | |
build-packages: | |
runs-on: ubuntu-latest | |
needs: | |
- build-repo | |
steps: | |
- name: Install Nix with good defaults | |
uses: cachix/install-nix-action@v20 | |
with: | |
extra_nix_config: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= | |
substituters = https://cache.iog.io/ https://cache.zw3rk.com/ https://cache.nixos.org/ | |
nix_path: nixpkgs=channel:nixos-unstable | |
- uses: actions/checkout@v4 | |
- name: Download built repository | |
uses: actions/download-artifact@v4 | |
with: | |
name: built-repo | |
- name: Unpack built repository | |
run: | | |
mkdir _repo | |
tar xf _repo.tar -C _repo | |
- name: Build smoke test packages | |
# The > is the "YAML folded string" marker, which replaces | |
# newlines with spaces, since the usual bash idiom of \ | |
# doesn't work for some reason | |
run: > | |
nix build .#allSmokeTestPackages | |
-L | |
--override-input CHaP path:_repo | |
--show-trace | |
build-new-packages: | |
runs-on: ubuntu-latest | |
needs: | |
- build-repo | |
steps: | |
- name: Install Nix with good defaults | |
uses: cachix/install-nix-action@v20 | |
with: | |
extra_nix_config: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= | |
substituters = https://cache.iog.io/ https://cache.zw3rk.com/ https://cache.nixos.org/ | |
nix_path: nixpkgs=channel:nixos-unstable | |
- uses: actions/checkout@v4 | |
- name: Download built repository | |
uses: actions/download-artifact@v4 | |
with: | |
name: built-repo | |
- name: Unpack built repository | |
run: | | |
mkdir _repo | |
tar xf _repo.tar -C _repo | |
- name: Download package metadata | |
uses: actions/download-artifact@v4 | |
with: | |
name: package-metadata | |
path: . | |
# This is a bit of a hack: to build the newly added packages, we: | |
# 1. compute the packages.json that just contains the new pacakge-versions | |
# 2. overwrite the built repository's packages.json with the computed one | |
# 3. build "all the packages" which now means "the new packages" | |
# | |
# This avoids us having to do other complicated tricks to make the flake | |
# take the set of packages to build as an argument. | |
- name: Adjust repository metadata | |
run: | | |
scripts/compare-package-metadata.sh packages-old.json packages-new.json > packages-diff.json | |
echo "Newly added packages:" | |
cat packages-diff.json | |
mv -f packages-diff.json _repo/foliage/packages.json | |
- name: Build all newly added packages | |
run: > | |
nix build .#allPackages | |
-L | |
--override-input CHaP path:_repo | |
--show-trace | |
deploy-check: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
needs: | |
- build-repo | |
steps: | |
- name: Install Nix with good defaults | |
uses: cachix/install-nix-action@v20 | |
with: | |
extra_nix_config: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk= | |
substituters = https://cache.iog.io/ https://cache.zw3rk.com/ https://cache.nixos.org/ | |
nix_path: nixpkgs=channel:nixos-unstable | |
- uses: actions/checkout@v4 | |
with: | |
path: src | |
- uses: actions/checkout@v4 | |
with: | |
path: repo | |
ref: repo | |
- name: Download built repository | |
uses: actions/download-artifact@v4 | |
with: | |
name: built-repo | |
- name: Unpack built repository | |
run: | | |
mkdir built-repo | |
tar xf _repo.tar -C built-repo | |
# This is meaningfully different to the check in 'build': that checks the repository | |
# built from main and from the PR tip, but that's not _actually_ the repository | |
# deployed in the repo branch. It should be the same, but it can't hurt to check | |
# against the thing that's actually deployed before we deploy. | |
- name: Check new index is an extension of the old index | |
run: | | |
./src/scripts/check-archive-extension.sh repo/01-index.tar built-repo/01-index.tar | |
deploy: | |
# This job is fine to run on GitHub provided (free) runners. | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
needs: | |
- check | |
- build-repo | |
- deploy-check | |
concurrency: | |
group: "pages" | |
cancel-in-progress: true | |
# Grant GITHUB_TOKEN the permissions required to make a Pages deployment | |
permissions: | |
contents: write | |
id-token: write | |
pages: write | |
# Deploy to the github-pages environment | |
environment: | |
name: github-pages | |
url: ${{ steps.deployment.outputs.page_url }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download built repository | |
uses: actions/download-artifact@v4 | |
with: | |
name: built-repo | |
- name: Unpack built repository | |
run: | | |
mkdir _repo | |
tar xf _repo.tar -C _repo | |
- name: Commit as branch | |
run: | | |
set -xe | |
# see https://github.com/orgs/community/discussions/26560 and https://github.com/actions/checkout/issues/13 | |
git config user.name "github-actions[bot]" | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
# Need --force because _repo is gitignore'd | |
git add --force _repo | |
treeId=$(git write-tree --prefix=_repo) | |
# the checkout action doesn't checkout all branches so we fetch | |
# the repo branch, if the remote doesn't have it, it's ok we do | |
# without | |
if git fetch --quiet origin repo; then | |
# add commit to branch | |
commitId=$(git commit-tree -p origin/repo -m "Update from ${{ github.sha }}" "$treeId") | |
else | |
# add commit with no parents | |
commitId=$(git commit-tree -m "Update from ${{ github.sha }}" "$treeId") | |
fi | |
git update-ref "refs/heads/repo" "$commitId" | |
git push origin repo | |
- name: Setup Pages | |
uses: actions/configure-pages@v5 | |
- name: Upload pages artifact | |
uses: actions/upload-pages-artifact@v3 | |
with: | |
path: _repo | |
- name: Deploy to GitHub Pages | |
id: deployment | |
uses: actions/deploy-pages@v4 |