Recreate ghaf-coverity host #857
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors | |
# SPDX-License-Identifier: Apache-2.0 | |
name: Run pre-push checks | |
on: | |
push: | |
branches: | |
- main | |
pull_request_target: | |
branches: | |
- main | |
jobs: | |
# Checks if the author of pull request is in our predefined list of authorized users | |
check-identity: | |
runs-on: ubuntu-latest | |
outputs: | |
authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user}} | |
environment: 'internal' | |
steps: | |
- name: Check identity | |
id: check-authorized-user | |
shell: bash | |
run: | | |
# AUTHORIZED_USERS is a newline separated list of usernames | |
if echo "${{ vars.AUTHORIZED_USERS }}" | tr -s '[:space:]' '\n' | grep -Fxq "${{ github.actor }}"; then | |
echo "User is authorized" | |
echo "authorized_user=True" >> "$GITHUB_OUTPUT" | |
else | |
echo "User not authorized" | |
echo "authorized_user=False" >> "$GITHUB_OUTPUT" | |
fi | |
# Authorization passes without approval if | |
# - the event is not a pull request (eg. push to main) | |
# - pull request comes from another branch in the same repo | |
# - author is in our predefined list of authorized users | |
# If none of these conditions are met, the workflow requires | |
# manual approval from a maintainer with write permissions to continue | |
authorize: | |
needs: [check-identity] | |
environment: ${{ | |
( github.event_name != 'pull_request_target' || | |
github.event.pull_request.head.repo.full_name == github.repository || | |
needs.check-identity.outputs.authorized_user == 'True' ) | |
&& 'internal' || 'external' }} | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "Auth OK" | |
# Send a warning and fail this job if the workflow file was changed. | |
# Rest of the workflow continues as normal but the job failure will grab author's attention. | |
no-workflow-changes: | |
runs-on: ubuntu-latest | |
if: ${{ github.event_name == 'pull_request_target' }} | |
steps: | |
- uses: actions/[email protected] | |
with: | |
ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
fetch-depth: 0 | |
- name: Check if workflow is modified | |
id: workflow-changed | |
uses: tj-actions/[email protected] | |
with: | |
files: .github/workflows/test-ghaf-infra.yml | |
- name: Send warning | |
run: | | |
if [ "${{ steps.workflow-changed.outputs.any_changed }}" == "true" ]; then | |
echo "::error::"\ | |
"This change edits workflow file '.github/workflows/test-ghaf-infra.yml'."\ | |
"Raising this error to notify that the workflow change will only take impact after merge."\ | |
"Therefore, you need to manually test the change (perhaps in a forked repo) "\ | |
"before merging to make sure the change does not break anything." | |
exit 1 | |
fi | |
tests: | |
# Don't run unless authorization was successful | |
needs: [authorize] | |
if: ${{ always() && needs.authorize.result == 'success' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/[email protected] | |
with: | |
ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
fetch-depth: 0 | |
- uses: cachix/install-nix-action@v30 | |
with: | |
extra_nix_config: | | |
trusted-public-keys = prod-cache.vedenemo.dev~1:JcytRNMJJdYJVQCYwLNsrfVhct5dhCK2D3fa6O1WHOI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= | |
substituters = https://prod-cache.vedenemo.dev https://cache.nixos.org | |
connect-timeout = 5 | |
max-jobs = 4 | |
system-features = nixos-test benchmark big-parallel kvm | |
builders-use-substitutes = true | |
builders = @/etc/nix/machines | |
- uses: cachix/cachix-action@v15 | |
with: | |
name: ghaf-dev | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- name: Configure remote builders | |
run: | | |
sudo sh -c "umask 377; echo '${{ secrets.BUILDER_SSH_KEY }}' >/etc/nix/id_builder_key" | |
sudo sh -c "echo 'hetzarm.vedenemo.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx4zU4gIkTY/1oKEOkf9gTJChdx/jR3lDgZ7p/c7LEK' >>/etc/ssh/ssh_known_hosts" | |
sudo sh -c "echo 'build4.vedenemo.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSI8s/wefXiD2h3I3mIRdK+d9yDGMn0qS5fpKDnSGqj' >>/etc/ssh/ssh_known_hosts" | |
sudo sh -c "echo 'ssh://[email protected] aarch64-linux /etc/nix/id_builder_key 40 1 nixos-test,benchmark,big-parallel,kvm - -' >/etc/nix/machines" | |
sudo sh -c "echo 'ssh://[email protected] x86_64-linux,i686-linux /etc/nix/id_builder_key 32 1 kvm,benchmark,big-parallel,nixos-test - -' >>/etc/nix/machines" | |
- name: Run ghaf-infra CI tests | |
run: nix develop --command inv pre-push |