From 3916c985f1ab9a54b3f59509a880051fd5a69acd Mon Sep 17 00:00:00 2001 
From: sunziping2016 <8998546+sunziping2016@users.noreply.github.com> Date: Mon, 28 Apr 2025 18:36:13 +0800 Subject: [PATCH 1/2] chore(deps): update flake.lock MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/ca27b88c88948d96feeee9ed814cbd34f53d0d70?narHash=sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8%3D' (2025-04-24) → 'github:nix-community/disko/d0c543d740fad42fe2c035b43c9d41127e073c78?narHash=sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm%2Bg%3D' (2025-04-28) • Updated input 'home-manager': 'github:nix-community/home-manager/542078066b1a99cdc5d5fce1365f98b847ca0b5a?narHash=sha256-Rq5qNnUWuhQTqzXDcminu7Z1FPSB1wUaKIEfPTyZkAs%3D' (2025-04-25) → 'github:nix-community/home-manager/be7cf1709b469a2a2c62169172a167d1fed3509f?narHash=sha256-WfnYH/i7DFzn4SESQfWviXiNUZjohZhzODqLwKYHIPI%3D' (2025-04-28) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7?narHash=sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo%3D' (2025-04-23) → 'github:NixOS/nixpkgs/f771eb401a46846c1aebd20552521b233dd7e18b?narHash=sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA%3D' (2025-04-24) • Updated input 'nv2nix': 'github:adisbladis/uv2nix/bcadc56a1e90d89bf32cc4ac308d8252e2adf855?narHash=sha256-ykgcOadiU9Z67P2MOjB0r06r35cQu65t0fzDeYR1uzc%3D' (2025-04-22) → 'github:adisbladis/uv2nix/cb6508484d534dafd097713b575f2aebc3417de0?narHash=sha256-r4A/fkiCenEapHkjJWPiNUZEfviuXMCr6mRozJ5dC4o%3D' (2025-04-26) • Updated input 'pyproject-nix': 'github:nix-community/pyproject.nix/8063ec98edc459571d042a640b1c5e334ecfca1e?narHash=sha256-1GSaoubGtvsLRwoYwHjeKYq40tLwvuFFVhGrG8J9Oek%3D' (2025-03-31) → 'github:nix-community/pyproject.nix/2db2d95ddbc4ff5e29730cb82fdba6647be258a7?narHash=sha256-c/mqxgOVDcwrdcY3FqG22MwLPGY5rCz5gte1sxISKnM%3D' (2025-04-27) • Updated input 'treefmt-nix': 
'github:numtide/treefmt-nix/8d404a69efe76146368885110f29a2ca3700bee6?narHash=sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI%3D' (2025-04-18) → 'github:numtide/treefmt-nix/d1863f30d9ca67f679f9c2583d7adf674b5d9b8a?narHash=sha256-aRkV0ZpfT/ERgRlGrbgjHFRcEWdseltSO%2BwPnpdPYKg%3D' (2025-04-28) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index f9896b9..ed08b51 100644 --- a/flake.lock +++ b/flake.lock @@ -68,11 +68,11 @@ ] }, "locked": { - "lastModified": 1745502102, - "narHash": "sha256-LqhRwzvIVPEjH0TaPgwzqpyhW6DtCrvz7FnUJDoUZh8=", + "lastModified": 1745812220, + "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", "owner": "nix-community", "repo": "disko", - "rev": "ca27b88c88948d96feeee9ed814cbd34f53d0d70", + "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", "type": "github" }, "original": { @@ -236,11 +236,11 @@ ] }, "locked": { - "lastModified": 1745593878, - "narHash": "sha256-Rq5qNnUWuhQTqzXDcminu7Z1FPSB1wUaKIEfPTyZkAs=", + "lastModified": 1745810134, + "narHash": "sha256-WfnYH/i7DFzn4SESQfWviXiNUZjohZhzODqLwKYHIPI=", "owner": "nix-community", "repo": "home-manager", - "rev": "542078066b1a99cdc5d5fce1365f98b847ca0b5a", + "rev": "be7cf1709b469a2a2c62169172a167d1fed3509f", "type": "github" }, "original": { @@ -318,11 +318,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1745526057, + "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "f771eb401a46846c1aebd20552521b233dd7e18b", "type": "github" }, "original": { 
@@ -342,11 +342,11 @@ ] }, "locked": { - "lastModified": 1745328266, - "narHash": "sha256-ykgcOadiU9Z67P2MOjB0r06r35cQu65t0fzDeYR1uzc=", + "lastModified": 1745697651, + "narHash": "sha256-r4A/fkiCenEapHkjJWPiNUZEfviuXMCr6mRozJ5dC4o=", "owner": "adisbladis", "repo": "uv2nix", - "rev": "bcadc56a1e90d89bf32cc4ac308d8252e2adf855", + "rev": "cb6508484d534dafd097713b575f2aebc3417de0", "type": "github" }, "original": { @@ -362,11 +362,11 @@ ] }, "locked": { - "lastModified": 1743438845, - "narHash": "sha256-1GSaoubGtvsLRwoYwHjeKYq40tLwvuFFVhGrG8J9Oek=", + "lastModified": 1745782090, + "narHash": "sha256-c/mqxgOVDcwrdcY3FqG22MwLPGY5rCz5gte1sxISKnM=", "owner": "nix-community", "repo": "pyproject.nix", - "rev": "8063ec98edc459571d042a640b1c5e334ecfca1e", + "rev": "2db2d95ddbc4ff5e29730cb82fdba6647be258a7", "type": "github" }, "original": { @@ -443,11 +443,11 @@ ] }, "locked": { - "lastModified": 1744961264, - "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=", + "lastModified": 1745829891, + "narHash": "sha256-aRkV0ZpfT/ERgRlGrbgjHFRcEWdseltSO+wPnpdPYKg=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "8d404a69efe76146368885110f29a2ca3700bee6", + "rev": "d1863f30d9ca67f679f9c2583d7adf674b5d9b8a", "type": "github" }, "original": { From 8b11c41638f34ffb15e6e4f50545bef5ed222fd7 Mon Sep 17 00:00:00 2001 From: Ziping Sun Date: Mon, 28 Apr 2025 22:33:38 +0800 Subject: [PATCH 2/2] feat(ci): diff host closures on PR --- .github/actions/terragrunt-plan/action.yaml | 22 +++++- .github/workflows/build.yaml | 76 ++++++++++++++++++++- terraform/modules/nixos_deploy/create.sh | 2 +- 3 files changed, 95 insertions(+), 5 deletions(-) diff --git a/.github/actions/terragrunt-plan/action.yaml b/.github/actions/terragrunt-plan/action.yaml index 7ba72a2..bab63ef 100644 --- a/.github/actions/terragrunt-plan/action.yaml +++ b/.github/actions/terragrunt-plan/action.yaml 
@@ -16,6 +16,9 @@ outputs: diff: description: "Whether the plan is out of sync" value: ${{ steps.plan.outputs.diff }} + diff-hosts: + description: "The hosts that are out of sync" + value: ${{ steps.plan.outputs.diff-hosts }} runs: using: "composite" @@ -30,12 +33,24 @@ runs: >(sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' >> "$GITHUB_OUTPUT") echo "$delimiter" >> "$GITHUB_OUTPUT" - diff="$(terragrunt run-all show -json | jq -s ' + diff_file="$(mktemp)" + trap 'rm -f "$diff_file"' EXIT + terragrunt run-all show -json > "$diff_file" + + diff="$(jq -s ' [.[].resource_changes[]?.change.actions[]?] + [.[].output_changes[]?.actions[]?] | any(. != "no-op") - ')" + ' < "$diff_file")" + diff_hosts="$(jq -sc ' + [.[].resource_changes[]? + | select([.change.actions[]?] | any(. != "no-op")) + | .address + | capture("^module\\.nixos_deploy\\[\"(?\\w+)\"\\].shell_script.deploy$") + | .host] + ' < "$diff_file")" echo "diff=$diff" >> "$GITHUB_OUTPUT" + echo "diff-hosts=$diff_hosts" >> "$GITHUB_OUTPUT" working-directory: ${{ inputs.working-directory }} env: TG_OUT_DIR: ${{ github.workspace }}/.data/tfplans @@ -46,7 +61,7 @@ runs: ### Terragrunt Plan :memo:
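Review bot: The address regex in the new `diff_hosts` filter is looser than it looks: `.shell_script.deploy` has unescaped dots, and as rendered here the group reads `(?\w+)` rather than `(?<host>\w+)` — if the name really is missing in the committed file, `capture` produces no `host` key and every matching host comes out as `null` while `diff` still reports `true`, so please confirm against the source. The tighter form is `capture("^module\\.nixos_deploy\\[\"(?<host>\\w+)\"\\]\\.shell_script\\.deploy$")`. The `\w+` class is also doing security work that is not stated: these names are later interpolated unquoted into `".#$HOST"` nix/deploy arguments and a matrix vector in build.yaml, so a comment such as `# \w+ deliberately bounds host names to shell-safe characters; they reach CLI args unquoted downstream` would keep a future maintainer from widening it. Note that `diff` (which also counts `output_changes`) and `diff-hosts` can legitimately disagree, so an empty host list with `diff=true` is not by itself an error.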
- Terragrunt Log/summary> + Terragrunt Plan Log ```text ${{ steps.plan.outputs.plan }} @@ -55,6 +70,7 @@ runs:
**Status**: ${{ steps.plan.outputs.diff == 'true' && 'out of sync :warning:' || 'no changes :ok_hand:' }} + **Hosts to deploy**: ${{ join(fromJSON(steps.plan.outputs.diff-hosts), ', ') }} EOF - name: Pack tfplans if: steps.plan.outputs.diff == 'true' && inputs.skip-upload != 'true' diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ee2cfce..aae6cab 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -48,6 +48,8 @@ jobs: permissions: id-token: write # for AWS and Aliyun OIDC federation pull-requests: write # for updating the PR comment + outputs: + diff-hosts: ${{ steps.plan.outputs.diff-hosts }} steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup @@ -63,7 +65,6 @@ jobs: id: plan with: skip-upload: "true" - # Update the comment - uses: peter-evans/find-comment@v3 id: find-comment with: @@ -77,10 +78,83 @@ jobs: body: | ### Terragrunt Plan :memo: +
+ Terragrunt Plan Logs + ```text ${{ steps.plan.outputs.plan }} ``` +
+ **Status**: ${{ steps.plan.outputs.diff == 'true' && 'out of sync :warning:' || 'no changes :ok_hand:' }} + **Hosts to deploy**: ${{ join(fromJSON(steps.plan.outputs.diff-hosts), ', ') }} + token: ${{ secrets.GITHUB_TOKEN }} + edit-mode: replace + + diff: + runs-on: nixos-x86_64-linux + needs: plan + strategy: + matrix: + host: ${{ fromJson(needs.plan.outputs.diff-hosts) }} + permissions: + pull-requests: write # for updating the PR comment + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/setup + with: + components: api-token,attic,ssh,devshell + api-token: ${{ secrets.GITHUB_TOKEN }} + attic-token: ${{ secrets.ATTIC_TOKEN }} + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} + - name: Push and diff "${{ matrix.host }}" + shell: bash + id: diff + run: | + deployment=$(nix eval ".#deploy" --impure --json --apply 'd: + (n: n // { profiles = null; } // n.profiles.system) + (d // { nodes = null; } // d.nodes."${builtins.getEnv "HOST"}")') + deploy --ssh-opts "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \ + --skip-checks --debug-logs --dry-activate ".#$HOST" + readarray -d '' ssh_opts < <( + jq --raw-output0 '.sshOpts[]?, "\(.sshUser // "root")@\(.hostname)"' <<<"$deployment") + new_system=$(nix derivation show ".#nixosConfigurations.$HOST.config.system.build.toplevel" | + jq -rc '.[].outputs.out.path') + delimiter="$({ tr -dc A-Za-z0-9 > "$GITHUB_OUTPUT" + ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "${ssh_opts[@]}" -- \ + nix store diff-closures /run/current-system "$new_system" |& tee \ + >(sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' >> "$GITHUB_OUTPUT") + echo "$delimiter" >> "$GITHUB_OUTPUT" + env: + HOST: ${{ matrix.host }} + - name: Summarize diff + shell: bash + run: | + cat <<'EOF' >> "$GITHUB_STEP_SUMMARY" + ### Changes for Host ${{ matrix.host }} :rocket: + + ```text + ${{ steps.diff.outputs.diff }} + ``` + EOF + - uses: peter-evans/find-comment@v3 + id: find-comment + with: + issue-number: ${{ 
github.event.pull_request.number }} + comment-author: "github-actions[bot]" + body-includes: "### Changes for Host ${{ matrix.host }}" + - uses: peter-evans/create-or-update-comment@v4 + with: + comment-id: ${{ steps.find-comment.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + body: | + ### Changes for Host ${{ matrix.host }} :rocket: + + ```text + ${{ steps.diff.outputs.diff }} + ``` token: ${{ secrets.GITHUB_TOKEN }} edit-mode: replace diff --git a/terraform/modules/nixos_deploy/create.sh b/terraform/modules/nixos_deploy/create.sh index 7aaafcd..c1fc86e 100755 --- a/terraform/modules/nixos_deploy/create.sh +++ b/terraform/modules/nixos_deploy/create.sh @@ -3,5 +3,5 @@ set -euo pipefail cd "$WORKING_DIRECTORY" deploy --ssh-opts "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \ - --skip-checks --auto-rollback false "$FLAKE#$NODE" -- --print-build-logs + --skip-checks --debug-logs --auto-rollback false "$FLAKE#$NODE" echo -n '{"done": true}'
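Review bot: The new `diff` job evaluates and builds the PR head's flake and then runs `deploy --dry-activate` against the live hosts with `SSH_PRIVATE_KEY`; dry-activate still copies the PR-built closure to the target and executes that closure's `switch-to-configuration` as root, so whoever can get this job to run on their branch gets root code execution on every host in `diff-hosts` — the workflow's `on:` block is outside this hunk, so I cannot tell which authors that covers, but it deserves either `environment:` with required reviewers on the `diff` job or a design that diffs on the runner (copy the host's current system closure to the runner and diff there) instead of pushing PR output to production. `strategy.matrix.host: ${{ fromJson(needs.plan.outputs.diff-hosts) }}` will, as far as I recall, fail the job when the plan produces `[]`, which is the common no-change case; guard it with `if: needs.plan.outputs.diff-hosts != '[]'` on the job. The `Summarize diff` step splices `${{ steps.diff.outputs.diff }}` into the `run:` script before bash sees it, which is the classic expression-injection shape even inside a quoted heredoc; pass it via `env: DIFF: ${{ steps.diff.outputs.diff }}` and emit it with `printf '%s\n' "$DIFF"`. The `delimiter=...` line that opens the multi-line `$GITHUB_OUTPUT` value appears mangled in this rendering and is worth re-reading in the committed file, and the copied `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` means the runner will happily talk to anything answering on the host's address.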