# CI entry point: evaluates the flake, builds for three systems through the
# reusable build.yml workflow, gathers the build artifacts into one upload,
# and (from the default branch or a tag, never from a fork) publishes.
name: "CI"
on:
  pull_request:
  push:
    branches:
      # NOTE: make sure any branches here are also valid directory names,
      # otherwise creating the directory and uploading to s3 will fail
      - main
      - master
  merge_group:
  release:
    types:
      - published
# Workflow-wide GITHUB_TOKEN scopes. Every job inherits these unless it sets
# its own `permissions` block (only `publish` does, below).
# NOTE(review): no step visible in this file uses the `pull-requests`,
# `statuses` or `deployments` write scopes — presumably build.yml needs them;
# confirm, and move them to the jobs that need them if it does not.
permissions:
  id-token: "write"
  contents: "read"
  pull-requests: "write"
  statuses: "write"
  deployments: "write"
jobs:
  # Quick evaluation check: the flake must evaluate for all systems.
  eval:
    runs-on: UbuntuLatest32Cores128G
    steps:
      - uses: actions/checkout@v4
        with:
          # full history, not a shallow clone
          fetch-depth: 0
      # NOTE(review): every action in this workflow is referenced by a mutable
      # ref (`@v4`, `@main`). Pinning to a full commit SHA would make the
      # action code this workflow runs reproducible and tamper-evident.
      - uses: DeterminateSystems/determinate-nix-action@main
      - run: nix flake show --all-systems --json
  # Primary build: the only one that runs the test suites and publishes the
  # manual (publish_manual, with the Netlify secrets).
  build_x86_64-linux:
    uses: ./.github/workflows/build.yml
    with:
      system: x86_64-linux
      runner: namespace-profile-linuxamd32c64g-cache
      runner_for_virt: UbuntuLatest32Cores128G
      runner_small: ubuntu-latest
      run_tests: true
      run_vm_tests: true
      run_regression_tests: true
      publish_manual: true
    secrets:
      manual_netlify_auth_token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
      manual_netlify_site_id: ${{ secrets.NETLIFY_SITE_ID }}
      sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
      sentry_org: ${{ secrets.SENTRY_ORG }}
      sentry_project: ${{ secrets.SENTRY_PROJECT }}
  build_aarch64-linux:
    uses: ./.github/workflows/build.yml
    with:
      # `if` sits under `with:` here, so it is passed to build.yml as a
      # *workflow input*, not applied as a job-level condition.
      # NOTE(review): this only works if build.yml declares an input named
      # `if`; otherwise the call fails input validation — confirm.
      # The expression allows the build on every non-PR event, and on pull
      # requests only when the head repo is this repository (so not a fork)
      # and the PR carries the 'upload to s3' label — read from the label
      # payload on `labeled` events, from the PR's label list otherwise.
      if: ${{
          github.event_name != 'pull_request'
          || (
            github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src'
            && (
              (github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
              || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
            )
          )
        }}
      system: aarch64-linux
      runner: UbuntuLatest32Cores128GArm
      runner_for_virt: UbuntuLatest32Cores128GArm
      runner_small: UbuntuLatest32Cores128GArm
    secrets:
      sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
      sentry_org: ${{ secrets.SENTRY_ORG }}
      sentry_project: ${{ secrets.SENTRY_PROJECT }}
  build_aarch64-darwin:
    uses: ./.github/workflows/build.yml
    with:
      system: aarch64-darwin
      runner: namespace-profile-mac-m2-12c28g
      runner_for_virt: namespace-profile-mac-m2-12c28g
      runner_small: macos-latest-xlarge
    secrets:
      sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
      sentry_org: ${{ secrets.SENTRY_ORG }}
      sentry_project: ${{ secrets.SENTRY_PROJECT }}
  # Aggregation gate. `always()` makes it run even when a dependency failed,
  # so one status reflects the whole matrix; it then collects the artifacts.
  success:
    runs-on: ubuntu-latest
    needs:
      - eval
      - build_x86_64-linux
      - build_aarch64-linux
      - build_aarch64-darwin
    if: ${{ always() }}
    steps:
      # no-op step
      - run: "true"
      # Fails the gate when any dependency failed or was cancelled. A
      # `skipped` result is not matched, so a skipped build does not fail it.
      - run: |
          echo "A dependent in the build matrix failed:"
          echo "$needs"
          exit 1
        env:
          # Passed through the environment rather than interpolated into the
          # script text, so the JSON is never parsed by the shell.
          needs: ${{ toJSON(needs) }}
        if: |
          contains(needs.*.result, 'failure') ||
          contains(needs.*.result, 'cancelled')
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/determinate-nix-action@main
      - name: Create artifacts directory
        run: mkdir -p ./artifacts
      # No `name` given, so all artifacts of this run are downloaded, one
      # subdirectory each under ./downloaded (the loop below relies on that).
      - name: Fetch artifacts
        uses: actions/download-artifact@v7
        with:
          path: downloaded
      # ./artifacts/<arch> does not exist (only ./artifacts was created), so
      # `mv` renames the matched archive to that path.
      # NOTE(review): assumes exactly one .xz per artifact directory — with
      # none the glob stays literal, with several the move to a non-directory
      # fails, and the default bash shell for `run` exits on error. Confirm.
      - name: Move downloaded artifacts to artifacts directory
        run: |
          for dir in ./downloaded/*; do
            arch="$(basename "$dir")"
            mv "$dir"/*.xz ./artifacts/"${arch}"
          done
      # Same gate as the `if` input of build_aarch64-linux: any non-PR event,
      # or a same-repo PR labelled 'upload to s3'.
      - name: Build fallback-paths.nix
        if: ${{
            github.event_name != 'pull_request'
            || (
              github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src'
              && (
                (github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
                || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
              )
            )
          }}
        run: |
          nix build .#fallbackPathsNix --out-link fallback
          cat fallback > ./artifacts/fallback-paths.nix
      # Uploads ./artifacts to S3. Role ARN and bucket come from secrets; the
      # role is presumably assumed with the job's OIDC token (id-token: write
      # above). `allowed_branches` is a JSON list passed as a string input.
      # NOTE(review): this step has no `if`, so it runs on every event,
      # including pull requests; whether anything is uploaded there depends
      # on the action honouring `allowed_branches` — confirm.
      - uses: DeterminateSystems/push-artifact-ids@main
        with:
          s3_upload_role: ${{ secrets.AWS_S3_UPLOAD_ROLE_ARN }}
          bucket: ${{ secrets.AWS_S3_UPLOAD_BUCKET_NAME }}
          directory: ./artifacts
          ids_project_name: determinate-nix
          ids_binary_prefix: determinate-nix
          skip_acl: true
          allowed_branches: '["main"]'
  # Publishes to FlakeHub and maintains release notes. Never runs from a
  # fork, and only for the default branch or a tag ref.
  publish:
    needs:
      - success
    if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/')))
    # Release events run in the 'production' environment (so any protection
    # rules configured on it apply); every other run uses no environment.
    environment: ${{ github.event_name == 'release' && 'production' || '' }}
    runs-on: ubuntu-latest
    # Overrides the workflow-wide defaults: `contents` is raised to write
    # (needed by `gh release edit` below), `id-token` stays write, and the
    # pull-requests/statuses/deployments scopes are dropped for this job.
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/determinate-nix-action@main
      - uses: DeterminateSystems/flakehub-push@main
        with:
          # rolling release only when the ref is the default branch;
          # `tag` is always the ref name (branch or tag).
          rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          visibility: "public"
          tag: "${{ github.ref_name }}"
      # The tag name reaches the shell through an env var rather than inline
      # `${{ }}` interpolation into the script text (the usual script-injection
      # vector). `|| true` makes any failure of the edit, e.g. a missing notes
      # file, non-fatal.
      - name: Update the release notes
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ github.ref_name }}
        run: |
          gh release edit "$TAG_NAME" --notes-file doc/manual/source/release-notes-determinate/"$TAG_NAME".md || true