Skip to content

flake.lock: Update #3141

flake.lock: Update

flake.lock: Update #3141

Workflow file for this run

name: CI
on:
# Following https://github.com/orgs/community/discussions/26276
# to get builds on PRs and pushes to master but not double
# builds on PRs.
push:
branches:
- main
pull_request:
workflow_dispatch:
env:
NIX_CONFIG: accept-flake-config = true
jobs:
shellcheck:
runs-on: nixos
steps:
- uses: actions/checkout@v4
- name: Run shellcheck on scripts/*.sh
run: nix-shell -I nixpkgs=https://github.com/nixos/nixpkgs/archive/release-23.05.tar.gz -p shellcheck --run 'shellcheck scripts/*.sh'
check:
runs-on: nixos
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # the check script below needs the whole history
- name: Run checks
run: nix develop -c ./scripts/check.sh
build-repo:
runs-on: nixos
steps:
- name: Checkout main
uses: actions/checkout@v4
with:
ref: main
# See https://github.com/actions/cache/pull/1231
# Astonishingly, this simple bump is not merged and released yet
- uses: kbdharun/cache@8070854e57d983bdd2887b0a708ad985f77398ab
with:
path: _cache
key: 1 # bump to refresh
- name: Unpack keys
env:
KEYS: ${{ secrets.KEYS }}
run: |
if [[ -z "$KEYS" ]]; then
echo "Could not access repository secret keys (PR is coming from a fork?)"
echo "Generating fresh keys for this run"
nix develop -c foliage create-keys
else
mkdir _keys
echo "$KEYS" | base64 -d | tar xvz -C _keys
fi
- name: Build repository (main)
run: |
nix develop -c foliage build -j 0 --write-metadata
mv _repo _repo-main
cp _repo-main/foliage/packages.json packages-old.json
- name: Checkout tip commit
uses: actions/checkout@v4
with:
clean: false
- name: Build repository (tip)
run: |
nix develop -c foliage build -j 0 --write-metadata
cp _repo/foliage/packages.json packages-new.json
- name: Copy static web assets
run: |
cp static/index.html _repo
cp README.md _repo
# See https://github.com/actions/upload-artifact/issues/36
- name: Pack repository in a tar archive
run: tar cf _repo.tar -C _repo .
# Do this before the check, useful to have the artifact in case the
# check fails!
- name: Upload built repository
uses: actions/upload-artifact@v4
with:
name: built-repo
path: _repo.tar
- name: Upload package metadata
uses: actions/upload-artifact@v4
with:
name: package-metadata
path: |
packages-old.json
packages-new.json
# Note: we use the check script from the tip so we pick up changes
# to the script from the PR itself.
- name: Check new index is an extension of the old index
run: |
echo "If this check failed because 'some entries only exist in the old index'"
echo "then you may need to update your branch.\n"
echo "If it failed because 'the last old entry is newer than the first new entry'"
echo "then you may need to update the timestamps in your new packages to be newer than those in main."
./scripts/check-archive-extension.sh _repo-main/01-index.tar _repo/01-index.tar
build-packages:
runs-on: nixos
needs:
- build-repo
steps:
- uses: actions/checkout@v4
- name: Download built repository
uses: actions/download-artifact@v4
with:
name: built-repo
- name: Unpack built repository
run: |
mkdir _repo
tar xf _repo.tar -C _repo
- name: Build smoke test packages
# The > is the "YAML folded string" marker, which replaces
# newlines with spaces, since the usual bash idiom of \
# doesn't work for some reason
run: >
nix build .#allSmokeTestPackages
-L
--override-input CHaP path:_repo
--show-trace
build-new-packages:
runs-on: nixos
needs:
- build-repo
steps:
- uses: actions/checkout@v4
- name: Download built repository
uses: actions/download-artifact@v4
with:
name: built-repo
- name: Unpack built repository
run: |
mkdir _repo
tar xf _repo.tar -C _repo
- name: Download package metadata
uses: actions/download-artifact@v4
with:
name: package-metadata
path: .
# This is a bit of a hack: to build the newly added packages, we:
# 1. compute the packages.json that just contains the new pacakge-versions
# 2. overwrite the built repository's packages.json with the computed one
# 3. build "all the packages" which now means "the new packages"
#
# This avoids us having to do other complicated tricks to make the flake
# take the set of packages to build as an argument.
- name: Adjust repository metadata
run: |
scripts/compare-package-metadata.sh packages-old.json packages-new.json > packages-diff.json
echo "Newly added packages:"
cat packages-diff.json
mv -f packages-diff.json _repo/foliage/packages.json
- name: Build all newly added packages
run: >
nix build .#allPackages
-L
--override-input CHaP path:_repo
--show-trace
deploy-check:
runs-on: nixos
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs:
- build-repo
steps:
- uses: actions/checkout@v4
with:
path: src
- uses: actions/checkout@v4
with:
path: repo
ref: repo
- name: Download built repository
uses: actions/download-artifact@v4
with:
name: built-repo
- name: Unpack built repository
run: |
mkdir built-repo
tar xf _repo.tar -C built-repo
# This is meaningfully different to the check in 'build': that checks the repository
# built from main and from the PR tip, but that's not _actually_ the repository
# deployed in the repo branch. It should be the same, but it can't hurt to check
# against the thing that's actually deployed before we deploy.
- name: Check new index is an extension of the old index
run: |
./src/scripts/check-archive-extension.sh repo/01-index.tar built-repo/01-index.tar
deploy:
# This job is fine to run on GitHub provided (free) runners.
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs:
- check
- build-repo
- deploy-check
concurrency:
group: "pages"
cancel-in-progress: true
# Grant GITHUB_TOKEN the permissions required to make a Pages deployment
permissions:
contents: write
id-token: write
pages: write
# Deploy to the github-pages environment
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/checkout@v4
- name: Download built repository
uses: actions/download-artifact@v4
with:
name: built-repo
- name: Unpack built repository
run: |
mkdir _repo
tar xf _repo.tar -C _repo
- name: Commit as branch
run: |
set -xe
# see https://github.com/orgs/community/discussions/26560 and https://github.com/actions/checkout/issues/13
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
# Need --force because _repo is gitignore'd
git add --force _repo
treeId=$(git write-tree --prefix=_repo)
# the checkout action doesn't checkout all branches so we fetch
# the repo branch, if the remote doesn't have it, it's ok we do
# without
if git fetch --quiet origin repo; then
# add commit to branch
commitId=$(git commit-tree -p origin/repo -m "Update from ${{ github.sha }}" "$treeId")
else
# add commit with no parents
commitId=$(git commit-tree -m "Update from ${{ github.sha }}" "$treeId")
fi
git update-ref "refs/heads/repo" "$commitId"
git push origin repo
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Upload pages artifact
uses: actions/upload-pages-artifact@v3
with:
path: _repo
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4