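name: CI

on:
  # Following https://github.com/orgs/community/discussions/26276
  # to get builds on PRs and pushes to main but not double
  # builds on PRs.
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN: without this block the token's
# scope depends on the repository's Actions settings. Every job below only
# checks out, builds, and moves artifacts around, so a read-only token is
# enough; a job that genuinely needs more (e.g. one that pushes a branch or
# deploys Pages) declares its own job-level `permissions`, which overrides
# this default for that job only.
permissions:
  contents: read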
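jobs:
  # Repository-level sanity checks run via the project's own check script.
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # the check script below needs the whole history
      - name: Setup Nix
        uses: cachix/install-nix-action@v20
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            accept-flake-config = true
      - name: Run checks
        run: nix develop -c ./scripts/check.sh

  # Builds the package repository twice (from `main` and from the tip under
  # test) and verifies the new index only extends the old one.
  build-repo:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Nix
        uses: cachix/install-nix-action@v20
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            accept-flake-config = true
      - name: Checkout main
        uses: actions/checkout@v3
        with:
          ref: main
      - uses: actions/cache@v3
        with:
          path: _cache
          # Quoted so the key stays a string regardless of YAML loader;
          # the value itself is arbitrary.
          key: "1" # bump to refresh
      - name: Unpack keys
        # The secret is passed through `env` rather than interpolated into the
        # script, so it never appears in the rendered command line.
        env:
          KEYS: ${{ secrets.KEYS }}
        run: |
          if [[ -z "$KEYS" ]]; then
            echo "Could not access repository secret keys (PR is coming from a fork?)"
            echo "Generating fresh keys for this run"
            nix develop -c foliage create-keys
          else
            mkdir _keys
            echo "$KEYS" | base64 -d | tar xvz -C _keys
          fi
      - name: Build repository (main)
        # We don't need the metadata here, since we're just
        # using this to compare the generated index
        run: |
          nix develop -c foliage build -j 0
          mv _repo _repo-main
      - name: Checkout tip commit
        uses: actions/checkout@v3
        with:
          clean: false
      - name: Build repository (tip)
        run: |
          nix develop -c foliage build -j 0 --write-metadata
      - name: Copy static web assets
        run: |
          cp static/index.html _repo
          cp README.md _repo
      # Do this before the check, useful to have the artifact in case the
      # check fails!
      - name: Upload built repository
        uses: actions/upload-artifact@v3
        with:
          name: built-repo
          path: _repo
      # Note: we use the check script from the tip so we pick up changes
      # to the script from the PR itself.
      - name: Check new index is an extension of the old index
        # bash's builtin `echo` does not interpret "\n", so the blank line
        # between the two hints is emitted with a bare `echo` instead.
        run: |
          echo "If this check failed because 'some entries only exist in the old index'"
          echo "then you may need to update your branch."
          echo
          echo "If it failed because 'the last old entry is newer than the first new entry'"
          echo "then you may need to update the timestamps in your new packages to be newer than those in main."
          ./scripts/check-archive-extension.sh _repo-main/01-index.tar _repo/01-index.tar

  # Builds the packages against the freshly built repository on nixbuild.net.
  build-packages:
    runs-on: ubuntu-latest
    needs:
      - build-repo
    steps:
      - name: Install Nix
        uses: cachix/install-nix-action@v20
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            accept-flake-config = true
      - name: Setup nixbuild.net
        # `biscuit` is not a release tag or commit SHA, so the action code this
        # resolves to can change underneath us; pinning to a full commit SHA
        # (`nixbuild/nixbuild-action@<commit-sha>`) is the supply-chain-safe
        # form. NOTE(review): NIXBUILD_TOKEN is presumably empty on pull
        # requests from forks, so this job is likely to fail there - confirm.
        uses: nixbuild/nixbuild-action@biscuit
        with:
          nixbuild_token: ${{secrets.NIXBUILD_TOKEN}}
      - uses: actions/checkout@v3
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
          path: _repo
      - name: Build checks
        # The > is the "YAML folded string" marker, which replaces
        # newlines with spaces, since the usual bash idiom of \
        # doesn't work for some reason
        #
        # See https://github.com/nixbuild/feedback/issues/14 for
        # why some of these options are here
        run: >
          nix flake check
          -L
          --override-input CHaP path:_repo
          --eval-store auto
          --store ssh-ng://eu.nixbuild.net
          --max-jobs 2
          --builders ""

  # Pre-deployment guard: only runs for pushes to main.
  deploy-check:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - build-repo
    steps:
      - uses: actions/checkout@v3
        with:
          path: src
      - uses: actions/checkout@v3
        with:
          path: repo
          ref: repo
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
          path: built-repo
      # This is meaningfully different to the check in 'build': that checks the repository
      # built from main and from the PR tip, but that's not _actually_ the repository
      # deployed in the repo branch. It should be the same, but it can't hurt to check
      # against the thing that's actually deployed before we deploy.
      - name: Check new index is an extension of the old index
        run: |
          ./src/scripts/check-archive-extension.sh repo/01-index.tar built-repo/01-index.tar

  # Publishes the built repository: commits it to the `repo` branch and
  # deploys it to GitHub Pages. Gated to pushes on main and to the other
  # jobs having passed.
  deploy:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - check
      - build-repo
      - deploy-check
    concurrency:
      group: "pages"
      cancel-in-progress: true
    # Grant GITHUB_TOKEN the permissions required to make a Pages deployment.
    # `contents: write` is what lets the "Commit as branch" step push; this is
    # the only job that needs a write-capable token.
    permissions:
      contents: write
      id-token: write
      pages: write
    # Deploy to the github-pages environment
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - uses: actions/checkout@v3
      - name: Download built repository
        uses: actions/download-artifact@v3
        with:
          name: built-repo
          path: _repo
      - name: Commit as branch
        # `github.sha` is interpolated into the commit message; it is a
        # commit hash produced by GitHub, not user-supplied text.
        run: |
          set -xe
          # see https://github.com/orgs/community/discussions/26560 and https://github.com/actions/checkout/issues/13
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          # Need --force because _repo is gitignore'd
          git add --force _repo
          treeId=$(git write-tree --prefix=_repo)
          # the checkout action doesn't checkout all branches so we fetch
          # the repo branch, if the remote doesn't have it, it's ok we do
          # without
          if git fetch --quiet origin repo; then
            # add commit to branch
            commitId=$(git commit-tree -p origin/repo -m "Update from ${{ github.sha }}" "$treeId")
          else
            # add commit with no parents
            commitId=$(git commit-tree -m "Update from ${{ github.sha }}" "$treeId")
          fi
          git update-ref "refs/heads/repo" "$commitId"
          git push origin repo
      - name: Setup Pages
        uses: actions/configure-pages@v1
      - name: Upload pages artifact
        uses: actions/upload-pages-artifact@v1
        with:
          path: _repo
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1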