Autocreate signing KV #960
# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors | |
# SPDX-License-Identifier: Apache-2.0 | |
name: Run pre-push checks | |
on: | |
push: | |
branches: | |
- main | |
pull_request_target: | |
branches: | |
- main | |
jobs: | |
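# Checks whether the account that triggered this run (github.actor) is in the
# predefined list of authorized users. On pull_request_target that is the user
# who opened, pushed to or reopened the PR — not necessarily the PR author
# (e.g. a maintainer reopening an external PR becomes the actor — confirm this
# is the intended semantics). The verdict is exported as the job output
# `authorized_user` ("True"/"False") and consumed by the `authorize` job.
check-identity:
  runs-on: ubuntu-latest
  outputs:
    authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user }}
  environment: 'internal'
  steps:
    - name: Check identity
      id: check-authorized-user
      shell: bash
      # Expression values are handed to the script through `env` rather than
      # being interpolated into the script text, so their contents are never
      # re-parsed as shell syntax. The actor name comes from the runner's
      # default GITHUB_ACTOR variable.
      env:
        # AUTHORIZED_USERS is a newline separated list of usernames
        AUTHORIZED_USERS: ${{ vars.AUTHORIZED_USERS }}
      run: |
        # Normalise any whitespace separation to one name per line, then
        # require an exact, full-line match (-F fixed string, -x whole line).
        if printf '%s\n' "$AUTHORIZED_USERS" | tr -s '[:space:]' '\n' | grep -Fxq "$GITHUB_ACTOR"; then
          echo "User is authorized"
          echo "authorized_user=True" >> "$GITHUB_OUTPUT"
        else
          echo "User not authorized"
          echo "authorized_user=False" >> "$GITHUB_OUTPUT"
        fi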
# Authorization passes without approval if
# - the event is not a pull request (eg. push to main)
# - pull request comes from another branch in the same repo
# - author is in our predefined list of authorized users
# If none of these conditions are met, the workflow requires
# manual approval from a maintainer with write permissions to continue
authorize:
  needs: [check-identity]
  # `cond && 'internal' || 'external'` is the expression-language ternary: it
  # only selects the environment name. Nothing in this job blocks the run by
  # itself; the hold for untrusted PRs exists only if the 'external'
  # environment carries a required-reviewers protection rule — TODO confirm in
  # the repository's environment settings, which are not visible here.
  # Jobs that `needs: [authorize]` check out the PR head and use repository
  # secrets, so this gate is what stands between an unreviewed external PR and
  # those secrets.
  environment: ${{
    ( github.event_name != 'pull_request_target' ||
    github.event.pull_request.head.repo.full_name == github.repository ||
    needs.check-identity.outputs.authorized_user == 'True' )
    && 'internal' || 'external' }}
  runs-on: ubuntu-latest
  steps:
    # Marker step: reaching it means the environment gate was passed.
    - run: echo "Auth OK"
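# Send a warning and fail this job if the workflow file was changed.
# Rest of the workflow continues as normal but the job failure will grab author's attention.
# Background: on pull_request_target the workflow definition that runs is the
# base branch's copy, so a PR's edits to this file are not exercised by this run.
no-workflow-changes:
  runs-on: ubuntu-latest
  if: ${{ github.event_name == 'pull_request_target' }}
  steps:
    - uses: actions/[email protected]
      with:
        # PR head commit (the pushed ref outside PRs); full history is needed
        # so the changed-files step can diff the PR against its base.
        ref: ${{ github.event.pull_request.head.sha || github.ref }}
        fetch-depth: 0
    - name: Check if workflow is modified
      id: workflow-changed
      # Third-party action executing in a pull_request_target context: prefer
      # pinning it to a full commit SHA rather than a mutable tag.
      uses: tj-actions/[email protected]
      with:
        files: .github/workflows/test-ghaf-infra.yml
    - name: Send warning
      # `any_changed` is emitted by changed-files as the string "true"/"false";
      # gating at step level avoids interpolating it into the shell script.
      if: ${{ steps.workflow-changed.outputs.any_changed == 'true' }}
      run: |
        # Each quoted fragment is a separate echo argument so the sentences are
        # joined with spaces (the previous backslash-glued form concatenated
        # them with no space after the periods).
        echo "::error::This change edits workflow file '.github/workflows/test-ghaf-infra.yml'." \
          "Raising this error to notify that the workflow change will only take impact after merge." \
          "Therefore, you need to manually test the change (perhaps in a forked repo)" \
          "before merging to make sure the change does not break anything."
        exit 1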
build_matrix: | |
name: "build" | |
# Don't run unless authorization was successful | |
needs: [authorize] | |
runs-on: ubuntu-latest | |
timeout-minutes: 360 | |
strategy: | |
matrix: | |
include: | |
- arch: x86_64-linux | |
- arch: aarch64-linux | |
if: ${{ always() && needs.authorize.result == 'success' }} | |
concurrency: | |
# Cancel any in-progress workflow runs from the same PR or branch, | |
# allowing matrix jobs to run concurrently: | |
group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }} | |
cancel-in-progress: true | |
steps: | |
- name: Checkout | |
uses: actions/[email protected] | |
with: | |
ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
fetch-depth: 0 | |
- name: Install nix | |
uses: cachix/install-nix-action@v30 | |
- uses: cachix/cachix-action@v15 | |
with: | |
name: ghaf-dev | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- name: Prepare build | |
run: | | |
sh -c "umask 377; echo '${{ secrets.BUILDER_SSH_KEY }}' >builder_key" | |
- name: Build ${{ matrix.arch }} | |
run: | | |
if [ "${{ matrix.arch }}" == "x86_64-linux" ]; then | |
BUILDER='${{ vars.BUILDER_X86 }}' | |
TARGET='x86' | |
elif [ "${{ matrix.arch }}" == "aarch64-linux" ]; then | |
BUILDER='${{ vars.BUILDER_AARCH }}' | |
TARGET='aarch' | |
else | |
echo "::error::Unknown architecture: '${{ matrix.arch }}'" | |
exit 1 | |
fi | |
OPTS="--remote $BUILDER --remote-ssh-option IdentityFile builder_key" | |
nix develop --command bash -c "./scripts/nix-fast-build.sh -t $TARGET -o '$OPTS'" |