Skip to content

Autocreate signing KV #960

Autocreate signing KV

Autocreate signing KV #960

# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors
# SPDX-License-Identifier: Apache-2.0
name: Run pre-push checks
on:
push:
branches:
- main
pull_request_target:
branches:
- main
jobs:
# Checks if the author of pull request is in our predefined list of authorized users
check-identity:
runs-on: ubuntu-latest
outputs:
authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user}}
environment: 'internal'
steps:
- name: Check identity
id: check-authorized-user
shell: bash
run: |
# AUTHORIZED_USERS is a newline separated list of usernames
if echo "${{ vars.AUTHORIZED_USERS }}" | tr -s '[:space:]' '\n' | grep -Fxq "${{ github.actor }}"; then
echo "User is authorized"
echo "authorized_user=True" >> "$GITHUB_OUTPUT"
else
echo "User not authorized"
echo "authorized_user=False" >> "$GITHUB_OUTPUT"
fi
# Authorization passes without approval if
# - the event is not a pull request (eg. push to main)
# - pull request comes from another branch in the same repo
# - author is in our predefined list of authorized users
# If none of these conditions are met, the workflow requires
# manual approval from a maintainer with write permissions to continue
authorize:
needs: [check-identity]
environment: ${{
( github.event_name != 'pull_request_target' ||
github.event.pull_request.head.repo.full_name == github.repository ||
needs.check-identity.outputs.authorized_user == 'True' )
&& 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- run: echo "Auth OK"
# Send a warning and fail this job if the workflow file was changed.
# Rest of the workflow continues as normal but the job failure will grab author's attention.
no-workflow-changes:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'pull_request_target' }}
steps:
- uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0
- name: Check if workflow is modified
id: workflow-changed
uses: tj-actions/[email protected]
with:
files: .github/workflows/test-ghaf-infra.yml
- name: Send warning
run: |
if [ "${{ steps.workflow-changed.outputs.any_changed }}" == "true" ]; then
echo "::error::"\
"This change edits workflow file '.github/workflows/test-ghaf-infra.yml'."\
"Raising this error to notify that the workflow change will only take impact after merge."\
"Therefore, you need to manually test the change (perhaps in a forked repo) "\
"before merging to make sure the change does not break anything."
exit 1
fi
build_matrix:
name: "build"
# Don't run unless authorization was successful
needs: [authorize]
runs-on: ubuntu-latest
timeout-minutes: 360
strategy:
matrix:
include:
- arch: x86_64-linux
- arch: aarch64-linux
if: ${{ always() && needs.authorize.result == 'success' }}
concurrency:
# Cancel any in-progress workflow runs from the same PR or branch,
# allowing matrix jobs to run concurrently:
group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }}
cancel-in-progress: true
steps:
- name: Checkout
uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0
- name: Install nix
uses: cachix/install-nix-action@v30
- uses: cachix/cachix-action@v15
with:
name: ghaf-dev
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Prepare build
run: |
sh -c "umask 377; echo '${{ secrets.BUILDER_SSH_KEY }}' >builder_key"
- name: Build ${{ matrix.arch }}
run: |
if [ "${{ matrix.arch }}" == "x86_64-linux" ]; then
BUILDER='${{ vars.BUILDER_X86 }}'
TARGET='x86'
elif [ "${{ matrix.arch }}" == "aarch64-linux" ]; then
BUILDER='${{ vars.BUILDER_AARCH }}'
TARGET='aarch'
else
echo "::error::Unknown architecture: '${{ matrix.arch }}'"
exit 1
fi
OPTS="--remote $BUILDER --remote-ssh-option IdentityFile builder_key"
nix develop --command bash -c "./scripts/nix-fast-build.sh -t $TARGET -o '$OPTS'"