implement liveusb artifact builds

.github/workflows/nix-ci.yaml

@@ -0,0 +1,104 @@
+name: Nix CI
+on:
+  pull_request:
+  workflow_dispatch:
+  workflow_call:
+    secrets:
+      GIT_HUB_TOKEN:
+        required: true
+      CACHIX_AUTH_TOKEN:
+        required: false
+  push:
+    branches:
+      - main
+      - prod
+    tags:
+      - '**'
+
+env: 
+  CI_NIXOS_HOSTNAMES: worldcoin-hil-munich-0 worldcoin-hil-munich-1
+
+jobs:
+  fmt:
+    name: Format
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+        with:
+          token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27
+        with:
+          github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+        continue-on-error: true
+        with:
+          name: worldcoin
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Print environment
+        run: |
+          uname -a
+          nix develop -c env
+
+      - name: Check Nix formatting
+        run: |
+          nix develop -c \
+            nixpkgs-fmt --check .
+
+  liveusb:
+    name: Build Nix Targets
+    runs-on: public-ubuntu-22.04-32core
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+        with:
+          token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27
+        with:
+          github_access_token: ${{ secrets.GIT_HUB_TOKEN }}
+      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15
+        continue-on-error: true
+        with:
+          name: worldcoin
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Authorize private git repos
+        run: git config --global url."https://${{ secrets.GIT_HUB_TOKEN }}@github.com".insteadOf https://github.com
+
+      - name: Build liveusb
+        run: |
+          set -Eeux -o pipefail
+          nix build .#packages.x86_64-linux.liveusb
+          ls -alh result/
+          mkdir -p artifacts/liveusb
+          cp result/nixos.img artifacts/liveusb/nixos-liveusb.img
+
+      - name: Build NixOS configurations
+        run: |
+          set -Eeux -o pipefail
+          # TODO: Build *all* configurations.
+          for hostname in ${CI_NIXOS_HOSTNAMES}; do
+            nix build .#nixosConfigurations.${hostname}.config.system.build.toplevel
+          done
+
+      - name: Bundle artifacts
+        run: |
+          set -Eeuxo pipefail
+          mkdir artifacts_bundled
+          for b in artifacts/*; do
+            b="$(basename ${b})"
+            # We make sure that the tarball is idempotent:
+            # https://stackoverflow.com/a/54908072
+            tar --sort=name --owner=root:0 --group=root:0 --mtime='@0' \
+              -vahcf artifacts_bundled/${b}.tar.zst -C artifacts_linux/${b} .
+          done
+          ls -aRsh artifacts_bundled
+
+      - name: Upload Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # [email protected]
+        if: github.event_name == 'workflow_dispatch' || format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
+        with:
+          # upload v4 doesn't support writing multiple times to the same artifact name.
+          # so its important that we name it after the workflow and not something
+          # general like "artifacts"
+          name: nix
+          path: artifacts_bundled
+          if-no-files-found: error
+          retention-days: 14

.github/workflows/rust-ci.yaml

@@ -38,10 +38,6 @@ jobs:
 
       - name: Check Rust formatting
         run: cargo fmt --check --all
-      - name: Check Nix formatting
-        run: |
-          nix develop -c \
-            nixpkgs-fmt --check flake.nix
 
   clippy:
     name: Clippy