-
Notifications
You must be signed in to change notification settings - Fork 10
131 lines (114 loc) · 4.3 KB
/
pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Pull Request
permissions:
pull-requests: write
on:
pull_request:
paths:
- .github/workflows/**
- "**.nix"
- "flake.lock"
jobs:
build:
if: github.event.pull_request.draft == false
name: "Build ${{ matrix.target }}"
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
target: pride
- os: ubuntu-latest
target: sloth
- os: ubuntu-latest
target: eden
- os: macos-13
target: theman
steps:
- name: Create nix mount point
if: contains(matrix.os, 'ubuntu')
run: sudo mkdir /nix
- name: Maximize build space
uses: easimon/maximize-build-space@v9
if: contains(matrix.os, 'ubuntu')
with:
root-reserve-mb: 512
swap-size-mb: 1024
build-mount-path: "/nix"
remove-dotnet: true
remove-android: true
remove-haskell: true
remove-docker-images: true
remove-codeql: true
overprovision-lvm: true
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install nix
uses: cachix/install-nix-action@v24
with:
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- uses: cachix/cachix-action@v13
with:
name: edeneast
skipPush: true
extraPullNames: nix-community
- name: Garbage collect build dependencies
run: nix-collect-garbage
- name: Fetch old system profile
run: nix build github:EdenEast/nyx#top.${{ matrix.target }} -v --log-format raw --profile ./profile
- name: Add new system to profile
run: |
set -o pipefail
nix build .#top.${{ matrix.target }} --profile ./profile --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Output build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: | # https://stackoverflow.com/a/74232400
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Scan for security issues
id: security
run: | # https://stackoverflow.com/a/74232400
nix run nixpkgs/nixos-unstable#vulnix -- -w https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml ./profile | tee /tmp/security.txt
OUTPUT_SECURITY="$(cat /tmp/security.txt)"
OUTPUT_SECURITY="${OUTPUT_SECURITY//'%'/'%25'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\n'/'%0A'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\r'/'%0D'}"
echo "$OUTPUT_SECURITY"
delimiter="$(openssl rand -hex 16)"
echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
echo "$OUTPUT_SECURITY" >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Comment report in pr
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ !startswith(github.ref, 'dependabot') }}
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: ".#top.${{ matrix.target }}"
message: |
### Report for `${{ matrix.target }}`
<details>
<summary> Version changes </summary> <br>
<pre> ${{ steps.diff.outputs.diff }} </pre>
</details>
<details>
<summary> Security vulnerability report </summary> <br>
<pre> ${{ steps.security.outputs.security }} </pre>
</details>
# Idea reference
# https://github.com/arianvp/nixos-stuff/blob/adec9e6/.github/workflows/pr.yml
# https://github.com/sandhose/nixconf/blob/055de30/.github/workflows/check-pr.yaml