-
Notifications
You must be signed in to change notification settings - Fork 1
139 lines (115 loc) · 5.59 KB
/
tests.yml
File metadata and controls
139 lines (115 loc) · 5.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: "tests"
on:
# I don't think it's important for correctness to run the tests on main.
# I'm doing it to make GitHub Actions caches available across pull requests.
# See https://github.com/LightAndLight/ipso/issues/338
push:
branches:
- main
pull_request:
workflow_dispatch:
env:
NIX_PUBLIC_KEY: "ipso-binary-cache-1:UMRLNOKcCsb/a2dBhtcZhRZP4RN8yIDsSUwHTObu2w4="
# Note: these values are duplicated in the `UPLOAD_TO_CACHE` script.
BINARY_CACHE_BUCKET: "ipso-binary-cache"
BINARY_CACHE_ENDPOINT: "7065dc7f7d1813a29036535b4c4f4014.r2.cloudflarestorage.com"
# Avoid [rate
# limiting](https://discourse.nixos.org/t/flakes-provide-github-api-token-for-rate-limiting/18609)
# by allowing Nix to make authenticated GitHub requests.
NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}"
# The version of ipso to use for CI scripts that are written in the language.
CI_IPSO_VERSION: "v0.5"
jobs:
tests:
runs-on: ubuntu-latest
env:
POST_BUILD_HOOK: ".github/workflows/postBuildHook"
steps:
- uses: actions/checkout@v2.4.0
with:
# `./scripts/recheck` uses `git diff` which accesses the repo's history. `fetch-depth: 0` fetches all branches and history.
fetch-depth: 0
- uses: cachix/install-nix-action@v24
# Used by `uploadToCache` to sign store paths.
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'"
# Grants the Nix daemon access to the bucket, which allows `nix build` to
# authenticate with the binary cache bucket and fetch cache items.
- run: sudo mkdir /root/.aws
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'"
# Grants the runner access to the bucket, which allows `pueue` to
# authenticate with the binary cache bucket when pushing signed cache items.
- run: sudo mkdir ~/.aws
- run: sudo chown runner ~/.aws
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials"
# Allow the Nix daemon to execute the post-build-hook script.
- run: "sudo chmod +x $POST_BUILD_HOOK"
# Used in `postBuildHook`.
- run: sudo cp .github/workflows/uploadToCache /run/uploadToCache
# [note: installing Ipso binary]
#
# Installing an Ipso release binary leads to more reliable Nix caching (versus using `nix
# profile install`). See <https://github.com/LightAndLight/ipso/issues/407>.
- name: Install Ipso binary
run: |
mkdir -p $HOME/bin
curl -L \
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \
> $HOME/bin/ipso
chmod +x $HOME/bin/ipso
echo "$HOME/bin" >> $GITHUB_PATH
- run: nix profile install nixpkgs#pueue
# [note: nix profile install not adding to PATH]
#
# `nix profile install nixpkgs#pueue` used to "just work", but on 2023-03-02 I started getting
# `pueued: command not found` errors. So add it to the path manually.
#
# [Docs for `GITHUB_PATH`](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path)
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH
- run: pueued -d
- name: cache .cargo
uses: actions/cache@v3
env:
cache-name: cache-crates-io-index
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/src
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('Cargo.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('Cargo.lock') }}
${{ runner.os }}-build-${{ env.cache-name }}-
- name: "tests"
if: github.event_name == 'pull_request'
run: >
nix develop .#tests
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-c ./scripts/recheck origin/$GITHUB_BASE_REF $GITHUB_REF_NAME
# `tests.yml` is currently set to run on pushes to `main`. When that happens, `$GITHUB_BASE_REF`
# isn't set because it's not a pull request. Instead we use the most recent commit before the
# push
# (https://docs.github.com/en/webhooks-and-events/webhooks/webhook-events-and-payloads#push)
# as the "old" commit for `./scripts/recheck`.
#
# If it's a force push (which it really shouldn't be for main) then we skip this step.
- name: "tests"
if: github.event_name == 'push' && !github.event.forced
run: >
nix develop .#tests
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-c ./scripts/recheck ${{ github.event.before }} $GITHUB_REF_NAME
- name: wait for uploads to finish
if: always()
run: pueue wait
- name: log all uploads
if: always()
run: pueue log --json | jq '.[].task.original_command' -r
- name: log failed uploads
if: always()
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log
- name: check uploads succeeded
if: always()
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]"