CI: Build and cache artifacts on flake lock update

Initial CI building and cache pushing. It only covers flake updates, so any time changes are pushed to the repo the workflow will need to be triggered with "CI_FORCE_REFRESH" and there will be a delay in cached objects being available. Regardless, perfect is the enemy of good and this is good; this will serve as a point to start advancing the CI tooling. Tailscale is in use due to GitHub not having IPv6 connectivity... ARM runners are only for "Organisations" only.
nakato · Aug 27, 2024 · 08f44ab · 08f44ab
1 parent 42bef1d
commit 08f44ab
Show file tree

Hide file tree

Showing 3 changed files with 110 additions and 0 deletions.
diff --git a/.github/workflows/lockAndCache.yaml b/.github/workflows/lockAndCache.yaml
@@ -0,0 +1,46 @@
+name: Update lock and Cache
+
+on:
+  schedule:
+    # 16:17:00 UTC -> 02:17:00 AEST 03:17:00 AEDT
+    - cron: '17 16 * * *'
+  workflow_dispatch:
+    inputs:
+      forcerefresh:
+        description: 'Force Refresh'
+        required: false
+        type: boolean
+
+jobs:
+  ciUpdate:
+    name: Update and Cache
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@v12
+        with:
+          extra-conf: |
+            trusted-users = root build
+            substituters = https://nixos-sbc.cachix.org/ https://cache.nixos.org/
+            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixos-sbc.cachix.org-1:XMK0HnQmmGIt1lYy1y+JsxLpHVaSTRRWvd6T6cU+I2M=
+            builders = ssh-ng://builder@hourai.kangaroo-tetra.ts.net aarch64-linux /home/runner/.ssh/githubci 1 1 benchmark,big-parallel,gccarch-armv8-a,kvm,nixos-test - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSVBhOUxMTjdHTWhLVDkySGtyT1RFYjVjMmdvazVhOFE1Yzk2SWV3cERvcGcgcm9vdEBob3VyYWkK
+      # Direct reachability is only available over IPv6.
+      - name: Tailscale
+        uses: tailscale/github-action@v2
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:srht-build
+          version: 1.70.0
+      - name: Update and Cache
+        env:
+          CI_FORCE_REFRESH: ${{ inputs.forcerefresh }}
+          CI_GIT_EMAIL: ${{ vars.CI_GIT_EMAIL }}
+          CACHIX_REPO: ${{ vars.CACHIX_REPO }}
+        run: |
+          (umask 0066; mkdir -p $HOME/.ssh)
+          (umask 0077; echo "${{ secrets.NIX_BUILDER_SSH_KEY }}" > $HOME/.ssh/githubci)
+          nix run 'nixpkgs#cachix' -- authtoken "${{ secrets.CACHIX_AUTH_TOKEN }}"
+          bash ./lib/flake-ci/check-update-changes.sh
diff --git a/lib/flake-ci/check-update-changes.sh b/lib/flake-ci/check-update-changes.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+set -x
+
+CI_FORCE_REFRESH="${CI_FORCE_REFRESH:-false}"
+
+SCRIPT_PATH="$(readlink -f $0)"
+SCRIPT_DIR="$(dirname ${SCRIPT_PATH})"
+
+export GIT_AUTHOR_EMAIL="${CI_GIT_EMAIL}"
+export GIT_AUTHOR_NAME="SBC-CI"
+
+git config --global user.email "${GIT_AUTHOR_EMAIL}"
+git config --global user.name "${GIT_AUTHOR_NAME}"
+
+if [[ ${CI_FORCE_REFRESH} != true ]]; then
+  PREV_ATTRSET="$(nix eval '.#_lib.builders.buildTargets.aarch64-linux' --apply 'drv: builtins.mapAttrs (k: v: {prev = v.drvPath;}) drv')"
+
+  nix flake update --commit-lock-file
+
+  NEXT_ATTRSET="$(nix eval '.#_lib.builders.buildTargets.aarch64-linux' --apply 'drv: builtins.mapAttrs (k: v: {next = v.drvPath;}) drv')"
+
+  NEEDS_REFRESH="$(nix eval --impure --expr "import ${SCRIPT_DIR}/compareDrvs.nix ${PREV_ATTRSET} ${NEXT_ATTRSET}" --apply "as: as.needsRefresh")"
+else
+  # Skip updating lockfile on force-refresh.
+  echo "Refresh has been forced"
+  NEEDS_REFRESH="true"
+fi
+
+if [[ ${NEEDS_REFRESH} = false ]]; then
+  echo "No derivations need refreshed, not updating lockfile and not rebuilding"
+  exit 0
+fi
+
+echo "Derivations need to be built and pushed to cache"
+
+TARGETS=($(nix eval --raw .#_lib.builders.buildTargets.aarch64-linux --apply 'f: builtins.concatStringsSep " " (builtins.attrNames f)'))
+
+for TARGET in ${TARGETS[@]}; do
+  echo "Building target: $TARGET"
+  nix build ".#_lib.builders.buildTargets.aarch64-linux.${TARGET}"
+done
+
+for TARGET in ${TARGETS[@]}; do
+  echo "Pushing artifacts for: $TARGET"
+  nix eval --json ".#_lib.builders.buildTargets.aarch64-linux.${TARGET}" --apply 'drv: builtins.map (n: drv.${n}) drv.outputs' | jq -r '.[]' | nix run 'nixpkgs#cachix' -- push "$CACHIX_REPO"
+done
+
+git push
diff --git a/lib/flake-ci/compareDrvs.nix b/lib/flake-ci/compareDrvs.nix
@@ -0,0 +1,13 @@
+let
+  pkgs = import <nixpkgs> {};
+  lib = pkgs.lib;
+  joinAttrsets = prev: next: lib.attrsets.recursiveUpdate prev next;
+  isAdded = as: (as ? prev) == false && (as ? next) == true;
+  isRemoved = as: (as ? prev) == true && (as ? next) == false;
+  isUpdated = as: (as.prev or "") != (as.next or as.prev);
+  mapUpdateFlags = as: builtins.mapAttrs (k: v: v // { added = isAdded v; removed = isRemoved v; updated = isUpdated v; }) as;
+  checkNeedsRefresh = as: builtins.any (k: as.${k}.added || as.${k}.updated) (builtins.attrNames as);
+  mapRefreshFlag = as: as // { needsRefresh = (checkNeedsRefresh as); };
+in
+prev: next:
+mapRefreshFlag (mapUpdateFlags (joinAttrsets prev next))