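name: Pull Request

# Runs on every pull request. For pull requests opened from a fork GitHub
# issues a read-only GITHUB_TOKEN regardless of the `permissions` below, so the
# "Comment report in pr" step cannot post there; build and scan output is still
# visible in the job logs.
on:
  pull_request:

# Least privilege: every scope defaults to read-only (or none). Only the `build`
# job widens `pull-requests` to `write`, because it posts the report comment.
permissions:
  contents: read

jobs:
  check:
    name: "nix flake check"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # TODO(supply-chain): pin third-party actions to a full commit SHA
        # (`uses: owner/repo@<commit-sha>  # v4`) instead of a mutable tag; this
        # applies to every `uses:` line in this workflow.
        uses: actions/checkout@v4
      - name: Install nix
        uses: cachix/install-nix-action@v30
        with:
          # The token only raises the GitHub API rate limit for flake input
          # fetches; on fork PRs it is read-only.
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - uses: cachix/cachix-action@v15
        with:
          name: tuckershea
          # Pull-only: no authToken is configured and skipPush is set, so nothing
          # built from PR content is pushed to the binary cache.
          skipPush: true
          extraPullNames: nix-community
      - name: Check flake
        run: nix flake check

  build:
    if: github.event.pull_request.draft == false
    name: "Build ${{ matrix.target }}"
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      pull-requests: write  # needed by sticky-pull-request-comment
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: macos-latest
            target: elmira
          - os: ubuntu-latest
            target: marlon
          - os: ubuntu-latest
            target: roland
          - os: ubuntu-latest
            target: vic
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install nix
        uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - uses: cachix/cachix-action@v15
        with:
          name: tuckershea
          skipPush: true
          extraPullNames: nix-community
      - name: Build pr target
        id: build
        env:
          TARGET: ".#top.${{ matrix.target }}"
        # The runner's default shell is `bash -e`; pipefail is enabled explicitly.
        # stdout is mirrored to stdout.log, stderr (nix's log stream with
        # --log-format raw) to /tmp/nix-pr-build.log for the failure step below.
        run: |
          set -o pipefail
          nix build "$TARGET" --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-pr-build.log >&2)
      - name: Output build failure
        # Only meaningful when the build step itself failed; after an earlier
        # failure the log file does not exist and grep would just add noise.
        if: failure() && steps.build.outcome == 'failure'
        run: |
          drv="$(grep "For full logs, run" /tmp/nix-pr-build.log | grep -oE '/nix/store/[^ ]*\.drv' | head -n 1 || true)"
          if [ -z "$drv" ]; then
            echo "No failing derivation path found in /tmp/nix-pr-build.log"
            exit 1
          fi
          nix log "$drv"
          echo "$drv"
          exit 1
      - name: Fetch current main and build it in a profile
        env:
          TARGET: "github:tuckershea/constellation#top.${{ matrix.target }}"
        run: nix build "$TARGET" -v --log-format raw --profile ./profile
      - name: Apply pr to profile
        env:
          TARGET: ".#top.${{ matrix.target }}"
        run: nix build "$TARGET" -v --log-format raw --profile ./profile
      - name: Diff profile
        id: diff
        run: |
          diff="$(nix profile diff-closures --profile ./profile)"
          echo "$diff"
          # Strip ANSI colour escapes so the report renders cleanly.
          diff="$(echo "$diff" | sed 's/\x1b\[[0-9;]*m//g')"
          # Multi-line step output via $GITHUB_OUTPUT (`::set-output` is
          # deprecated, and this removes the manual %25/%0A/%0D escaping).
          # The closure diff is derived from PR-controlled flake content, so an
          # unpredictable heredoc delimiter is used instead of a fixed "EOF".
          delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
          {
            echo "diff<<$delim"
            echo "$diff"
            echo "$delim"
          } >> "$GITHUB_OUTPUT"
      - name: Scan for security issues
        id: security
        # NOTE: the pipe into tee masks vulnix's exit status (no pipefail in the
        # runner's default `bash -e`), so findings are reported in the PR comment
        # but do not fail the job. The whitelist is fetched from the `main`
        # branch of a separate repo at run time; pinning it to a commit would
        # make reports reproducible.
        run: |
          nix run nixpkgs#vulnix -- -w https://raw.githubusercontent.com/tuckershea/vulnix-whitelist/main/whitelist.toml ./profile | tee /tmp/security.txt
          # Same unpredictable delimiter as above: the report text is derived
          # from PR-controlled package metadata.
          delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
          {
            echo "security<<$delim"
            cat /tmp/security.txt
            echo "$delim"
          } >> "$GITHUB_OUTPUT"
      - name: Comment report in pr
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: ".#top.${{ matrix.target }}"
          message: |
            ### Report for `${{ matrix.target }}`
            Version changes:
            ```
            ${{ steps.diff.outputs.diff }}
            ```
            <details>
            <summary>
            Security vulnerability report
            </summary>
            <br>
            <pre>
            ${{ steps.security.outputs.security }}
            </pre>
            </details>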
# Reference
# https://github.com/arianvp/nixos-stuff/blob/adec9e6/.github/workflows/pr.yml
# https://github.com/sandhose/nixconf/blob/055de30/.github/workflows/check-pr.yaml
# https://github.com/EdenEast/nyx/blob/7786a66554c5b8a888ca4b9b5c33129f06062eb7/.github/workflows/pr.yml