-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
88ed81f
commit 04fb958
Showing
1 changed file
with
152 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,152 @@ | ||
| name: 'Set up Nix environment with cache uploads by the runner' | ||
| description: -| | ||
| This action installs Nix in multi-user mode and configures it to | ||
| use a custom cache. It also uploads all the build results to the cache, | ||
| including intermediate packages built as part of a build activity. | ||
| The cache uploads are performed by the runner user in the post-build-hook, | ||
| this means that the runner user needs to have the proper credentials | ||
| configured to have write access to the cache. | ||
| inputs: | ||
| cache_url: | ||
| description: 'URL for the Nix cache' | ||
| required: true | ||
| signing_private_key: | ||
| description: The private (secret) key used for signing Nix store paths | ||
| required: true | ||
| by_root: | ||
| description: 'Use by-root strategy (requires aws action as well)' | ||
| required: false | ||
| default: false | ||
| aws_access_key_id: | ||
| description: "used for aws private bucket or root access" | ||
| required: false | ||
| default: "" | ||
| aws_secret_access_key: | ||
| description: "used for aws private bucket or root access" | ||
| required: false | ||
| default: "" | ||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Install Nix | ||
| uses: cachix/install-nix-action@v22 | ||
| with: | ||
| nix_path: nixpkgs=https://github.com/NixOS/nixpkgs/archive/23.05.tar.gz | ||
|
|
||
| - name: Set NIX_PATH | ||
| run: | | ||
| echo "NIX_PATH=nixpkgs=https://github.com/NixOS/nixpkgs/archive/23.05.tar.gz" >> $GITHUB_ENV | ||
| shell: bash | ||
|
|
||
| - run: | | ||
| echo $PATH | ||
| nix-build --version | ||
| shell: bash | ||
| ## Start of AWS actions | ||
| # used only with by-root strategy or private aws buckets | ||
| - name: Determine AWS root path | ||
| if: ${{ inputs.by_root }} | ||
| id: aws-root-path | ||
| shell: bash | ||
| run: | | ||
| if [[ "${{ runner.os }}" == "macOS" ]]; then | ||
| echo "path=/var/root/.aws" >> $GITHUB_OUTPUT | ||
| else | ||
| echo "path=/root/.aws" >> $GITHUB_OUTPUT | ||
| fi | ||
| - name: Copy aws credentials to root and clean up at the end | ||
| if: ${{ inputs.by_root }} | ||
| uses: pyTooling/Actions/with-post-step@v0.4.5 | ||
| env: | ||
| AWS_ROOT_PATH: ${{ steps.aws-root-path.outputs.path }} | ||
| AWS_ACCESS_KEY_ID: ${{ inputs.aws_access_key_id }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ inputs.aws_secret_access_key }} | ||
| with: | ||
| main: | | ||
| echo Copy aws credentials to $AWS_ROOT_PATH | ||
| sudo mkdir -p $AWS_ROOT_PATH | ||
| sudo sh -c "cat - > $AWS_ROOT_PATH/credentials" <<EOF | ||
| [default] | ||
| aws_access_key_id = $AWS_ACCESS_KEY_ID | ||
| aws_secret_access_key = $AWS_SECRET_ACCESS_KEY | ||
| EOF | ||
| post: | | ||
| sudo rm -rf $AWS_ROOT_PATH | ||
| ## End of AWS actions | ||
| # Main action here | ||
| - name: Populate the runner nix.conf with cache fields | ||
| shell: bash | ||
| run: | | ||
| TMP_DIR=$(mktemp -d) | ||
| echo "${{ inputs.signing_private_key }}" > "$TMP_DIR/key.private" | ||
| if [[ ${{ inputs.by_root }} ]] then | ||
| tee $TMP_DIR/post-build-hook.sh <<EOF | ||
| #!/usr/bin/env bash | ||
| set -euo pipefail | ||
| set -f # disable globbing | ||
| echo "Built paths:" \$OUT_PATHS | ||
| $(which nix) copy --to "${{ inputs.cache_url }}" \$OUT_PATHS 2>&1 | ||
| EOF | ||
| chmod a+x $TMP_DIR/post-build-hook.sh | ||
| else | ||
| tee $TMP_DIR/upload-paths.sh <<EOF | ||
| #!/usr/bin/env bash | ||
| read -r OUT_PATHS | ||
| export IFS=' ' | ||
| echo Uploading paths \$OUT_PATHS | ||
| nix copy --to "${{ inputs.cache_url }}" \$OUT_PATHS 2>&1 | ||
| EOF | ||
| chmod a+x $TMP_DIR/upload-paths.sh | ||
| NMAP=$(nix-build '<nixpkgs>' -A nmap --no-out-link) | ||
| $NMAP/bin/ncat -k -l 54321 -e $TMP_DIR/upload-paths.sh & | ||
|
|
||
| sleep 1 | ||
| echo $NMAP | nc localhost 54321 | ||
|
|
||
| tee $TMP_DIR/post-build-hook.sh <<EOF | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -euo pipefail | ||
| set -f # disable globbing | ||
| echo "Built paths:" \$OUT_PATHS | ||
| echo \$OUT_PATHS | nc localhost 54321 | ||
| EOF | ||
| chmod a+x $TMP_DIR/post-build-hook.sh | ||
|
|
||
| fi | ||
|
|
||
| CERTFILEOPT=$( [[ "$OSTYPE" =~ darwin ]] && echo "ssl-cert-file = /etc/ssl/cert.pem" || echo "" ) | ||
|
|
||
| sudo mkdir -p /etc/nix/ | ||
| sudo tee /etc/nix/nix.conf <<EOF | ||
| show-trace = true | ||
| max-jobs = auto | ||
| $CERTFILEOPT | ||
| trusted-users = root ${USER:-} | ||
| substituters = ${{ inputs.cache_url }} https://cache.nixos.org/ | ||
| trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= | ||
| secret-key-files = $TMP_DIR/key.private | ||
| post-build-hook = $TMP_DIR/post-build-hook.sh | ||
| experimental-features = nix-command fetch-closure flakes | ||
| EOF | ||
|
|
||
| - name: Restart the Nix daemon on MacOS | ||
| shell: bash | ||
| if: ${{ runner.os == 'macOS' }} | ||
| run: | | ||
| sudo launchctl stop org.nixos.nix-daemon | ||
| sudo launchctl start org.nixos.nix-daemon | ||
| while ! nix store ping 2>/dev/null; do | ||
| sleep 1 | ||
| done | ||
| - name: Restart the Nix daemon on Linux | ||
| shell: bash | ||
| if: ${{ runner.os == 'Linux' }} | ||
| run: | | ||
| sudo systemctl restart nix-daemon.service |