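# CI workflow: lint the flake, build NixOS AWS disk images per architecture,
# smoke-test them, and (on push to main only) publish the AMIs publicly.
#
# NOTE(review): every third-party action below is referenced by a mutable ref
# (`@main` or a moving tag such as `@v4`). A pinned full commit SHA would lock
# the action code that runs with the OIDC `id-token: write` permission; the
# SHAs are not available from this file, so the refs are kept as the author wrote them.
name: Upload Amazon Images

# Default for every job; jobs that need more declare it explicitly.
permissions:
  contents: read

on:
  pull_request:
  merge_group:
  push:
    branches: [main]

jobs:
  nix-checks:
    name: Basic Nix checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/flake-checker-action@main
        with:
          # presumably reports findings without failing the job — confirm against the action's docs
          fail-mode: false
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Check Nix formatting
        run: |
          nix develop --command nixpkgs-fmt --check flake.nix
      - name: nix flake check
        run: |
          nix flake check --all-systems
      - name: Check external links in README
        run: |
          nix develop --command \
            lychee README.md
      - name: check image label
        # The NixOS label must look like "YY.MM.<anything>"; grep's exit status fails the step otherwise.
        run: |
          label="$(nix eval --raw .#nixosConfigurations.x86_64-linux.config.system.nixos.label)"
          echo "checking label '$label'..."
          set -x
          echo "${label}" | grep -E '^[0-9][0-9]\.[0-9][0-9]\..*';

  build-ami:
    name: Upload NixOS AMI
    runs-on: ${{ matrix.system.runner }}
    # Only a push to main runs under the 'production' environment; every other
    # event evaluates to an empty environment name.
    environment: ${{ (github.event_name == 'push' && github.ref == 'refs/heads/main') && 'production' || '' }}
    permissions:
      contents: read
      # Needed for OIDC federation in configure-aws-credentials (role-to-assume, no static keys).
      id-token: write
    env:
      # Single source of truth for the destination bucket; referenced by both upload steps.
      s3-bucket: detsys-nixos-images-20240916205705854200000001
    strategy:
      matrix:
        system:
          - nix-system: x86_64-linux
            runner: ubuntu-latest
          - nix-system: aarch64-linux
            runner: UbuntuLatest32Cores128GArm
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          flakehub: true
          extra-conf: |
            extra-system-features = kvm
      # note: no magic-nix-cache. The build is nearly trivial, except for the gigantic disk image at the end.
      # No need to cache that monstrosity.
      - id: build-disk-image
        run: |
          nix build -L .#"diskImages.${{ matrix.system.nix-system }}.aws"
          suffix=$(readlink ./result | cut -d'/' -f4 | cut -d'-' -f1)
          echo "suffix=$suffix" >> "$GITHUB_OUTPUT"
      - uses: aws-actions/configure-aws-credentials@v4
        if: github.event_name == 'merge_group' || github.event_name == 'push'
        with:
          role-to-assume: arn:aws:iam::535002876703:role/upload-ami
          aws-region: us-east-2
      - name: Upload Smoke test AMI
        if: github.event_name == 'merge_group' || github.event_name == 'push'
        id: upload-smoke-test-ami
        # Step outputs are passed through env rather than interpolated into the
        # script text, so their content cannot alter the shell that runs them.
        env:
          RUN_SUFFIX: ${{ steps.build-disk-image.outputs.suffix }}
        run: |
          epoch="$(nix eval --raw .#epoch)"
          prefix="smoketest/epoch-${epoch}/"
          image_ids=$(nix develop --command upload-ami \
            --image-info "./result/nix-support/image-info.json" \
            --prefix "${prefix}" \
            --s3-bucket "${{ env.s3-bucket }}" \
            --run-id "${RUN_SUFFIX}")
          echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT"
      - name: Smoke test
        if: github.event_name == 'merge_group' || github.event_name == 'push'
        id: smoke-test
        # NOTE: make sure smoke test isn't cancelled so that the instance gets cleaned up
        env:
          IMAGE_IDS: ${{ steps.upload-smoke-test-ami.outputs.image_ids }}
        run: |
          image_id=$(echo "$IMAGE_IDS" | jq -r '.["us-east-2"]')
          nix run .#smoke-test -- \
            --image-id "$image_id" \
            --run-id "${{ github.run_id }}-${{ github.run_attempt }}" \
            --no-spot
      - name: Clean up smoke test
        # NOTE(colemickens): NixOS/amis#smoke-test has a finally to teardown instance, this is workflow-cancellation protection
        if: ${{ cancelled() && (github.event_name == 'merge_group' || github.event_name == 'push') }}
        env:
          IMAGE_IDS: ${{ steps.upload-smoke-test-ami.outputs.image_ids }}
        run: |
          image_id=$(echo "$IMAGE_IDS" | jq -r '.["us-east-2"]')
          nix run .#smoke-test -- \
            --image-id "$image_id" \
            --run-id "${{ github.run_id }}-${{ github.run_attempt }}" \
            --cancel
      - name: Upload AMIs to all available regions
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        # Publishes the AMI to every region and makes it public; gated to main so
        # PR and merge-queue builds never reach this step.
        run: |
          epoch="$(nix eval --raw .#epoch)"
          prefix="determinate/nixos/epoch-${epoch}/"
          nix develop --command upload-ami \
            --image-info "./result/nix-support/image-info.json" \
            --prefix "${prefix}" \
            --s3-bucket "${{ env.s3-bucket }}" \
            --run-id "${{ github.run_id }}-${{ github.run_attempt }}" \
            --copy-to-regions \
            --public

  cache-dev-environment:
    name: Cache Nix development environment in FlakeHub Cache
    runs-on: ${{ matrix.system.runner }}
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        system:
          - nix-system: x86_64-linux
            runner: ubuntu-latest
          - nix-system: aarch64-linux
            runner: UbuntuLatest32Cores128GArm
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          flakehub: true
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: |
          nix build .#devShells.${{ matrix.system.nix-system }}.default

  notify-for-update-prs:
    name: Notify Discord for update_flake_lock_action PRs
    runs-on: ubuntu-latest
    needs:
      - nix-checks
      - build-ami
    # Runs regardless of upstream outcome so failures are reported too; head_ref
    # is only populated on pull_request events.
    if: always() && github.head_ref == 'update_flake_lock_action'
    steps:
      - name: Notify
        uses: rjstone/discord-webhook-notify@v1
        with:
          severity: info
          details: NixOS AMIs Update - ${{ needs.build-ami.result }}
          webhookUrl: ${{ secrets.DISCORD_WEBHOOK_URL }}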