diff --git a/.github/workflows/nix-ci.yaml b/.github/workflows/nix-ci.yaml new file mode 100644 index 0000000..7d3cfb6 --- /dev/null +++ b/.github/workflows/nix-ci.yaml @@ -0,0 +1,113 @@ +name: Nix CI +on: + pull_request: + workflow_dispatch: + workflow_call: + secrets: + GIT_HUB_TOKEN: + required: true + CACHIX_AUTH_TOKEN: + required: false + push: + branches: + - main + - prod + tags: + - '**' + +env: + CI_NIXOS_HOSTNAMES: worldcoin-hil-munich-0 worldcoin-hil-munich-1 + +jobs: + fmt: + name: Format + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + with: + token: ${{ secrets.GIT_HUB_TOKEN }} + - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27 + with: + github_access_token: ${{ secrets.GIT_HUB_TOKEN }} + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15 + continue-on-error: true + with: + name: worldcoin + authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + - name: Print environment + run: | + uname -a + nix develop -c env + + - name: Check Nix formatting + run: | + nix develop -c \ + nixpkgs-fmt --check . + + nixos: + name: Build NixOS Machines + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + with: + token: ${{ secrets.GIT_HUB_TOKEN }} + - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27 + with: + github_access_token: ${{ secrets.GIT_HUB_TOKEN }} + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15 + continue-on-error: true + with: + name: worldcoin + authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + - name: Authorize private git repos + run: git config --global url."https://${{ secrets.GIT_HUB_TOKEN }}@github.com".insteadOf https://github.com + + - name: Build NixOS configurations + run: | + set -Eeux -o pipefail + # TODO: Build *all* configurations. + for hostname in ${CI_NIXOS_HOSTNAMES}; do + nix build .#nixosConfigurations.${hostname}.config.system.build.toplevel + done + + liveusb: + name: Build NixOS Installer + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + with: + token: ${{ secrets.GIT_HUB_TOKEN }} + - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # pin@v27 + with: + github_access_token: ${{ secrets.GIT_HUB_TOKEN }} + - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # pin@v15 + continue-on-error: true + with: + name: worldcoin + authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + - name: Authorize private git repos + run: git config --global url."https://${{ secrets.GIT_HUB_TOKEN }}@github.com".insteadOf https://github.com + + - name: Build liveusb + run: | + set -Eeux -o pipefail + nix build .#packages.x86_64-linux.liveusb + ls -alh result/ + - name: Compress artifact + run: | + set -Eeuxo pipefail + mkdir -p artifacts + zstd --compress result/nixos.img -o artifacts/nixos.img.zst + ls -aRsh artifacts + + - name: Upload Artifacts + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # pin@v4.3.3 + if: github.event_name == 'workflow_dispatch' || format('refs/heads/{0}', github.event.repository.default_branch) == github.ref + with: + # upload v4 doesn't support writing multiple times to the same artifact name. + # so its important that we name it after the workflow and not something + # general like "artifacts" + name: nix + path: artifacts + if-no-files-found: error + retention-days: 14 diff --git a/.github/workflows/rust-ci.yaml b/.github/workflows/rust-ci.yaml index e964ee4..02e134a 100644 --- a/.github/workflows/rust-ci.yaml +++ b/.github/workflows/rust-ci.yaml @@ -38,10 +38,6 @@ jobs: - name: Check Rust formatting run: cargo fmt --check --all - - name: Check Nix formatting - run: | - nix develop -c \ - nixpkgs-fmt --check flake.nix clippy: name: Clippy