generated from JetBrains/intellij-platform-plugin-template
-
Notifications
You must be signed in to change notification settings - Fork 1
75 lines (73 loc) · 3.16 KB
/
nix-verify.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
name: Compare with Garnix artifact
on:
check_run:
types: [completed]
jobs:
verifyReproducible:
name: Compare with Garnix artifact
if: >-
github.event.check_run.app.name == 'Garnix CI'
&& contains(github.event.check_run.name, 'package default')
runs-on: ubuntu-latest
steps:
- uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
with:
ref: ${{github.event.check_run.head_sha}}
check-name: 'Build'
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Sleep
run: sleep 15s
shell: bash
- name: Fetch Sources
uses: actions/checkout@v4
- uses: dawidd6/action-download-artifact@v7
with:
workflow: build.yml
commit: ${{github.event.check_run.head_sha}}
name: ".+[Ss]urveyor-\\d.+"
name_is_regexp: true
path: gha-artifact
- uses: cachix/install-nix-action@v30
with:
extra_nix_config: |
extra-substituters = https://cache.garnix.io
extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=
- run: |
set -o errexit -o nounset -o pipefail -o xtrace
if cat <<- 'EOF' | grep --perl-regexp --only-matching '\/nix\/store\/\K\S+(?=-gradleBuild)' | tail --lines=1 | curl "https://cache.garnix.io/$(cat).narinfo" | tee _narinfo; then
${{ github.event.check_run.output.text }}
EOF
curl --output _artifact.nar "https://cache.garnix.io/$(grep --perl-regexp --only-matching 'URL:\s*\K\S+' <_narinfo)"
nix-store --restore ./artifact <_artifact.nar && rm _*
if [[ -f ./artifact ]]; then
# Received a .drv file instead of an out artifact directory
grep --perl-regexp --only-matching '\/nix\/store\/\K\S+(?=-gradleBuild)' <./artifact | tail --lines=1 | curl "https://cache.garnix.io/$(cat).narinfo" | tee _narinfo
curl --verbose --output _artifact.nar "https://cache.garnix.io/$(grep --perl-regexp --only-matching 'URL:\s*\K\S+' <_narinfo)"
rm ./artifact
nix-store --restore ./artifact <_artifact.nar && rm _*
fi
else
# Failed to get a valid NAR URL, so trying the long way for getting an artifact
nix build --max-jobs 0 --print-build-logs .#default
# upload-artifact doesn't accept links
cp --dereference --recursive ./result ./artifact
fi
ls --almost-all --format=long --recursive .
[[ -d ./artifact ]]
- name: Compute sha256sum for the artifact from Garnix
run: |
echo 'sha256sum of the artifact built in Garnix:'
find artifact/* -type f -exec sha256sum -b {} +
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: artifact-from-garnix
path: ./artifact/*
- name: Verify same (i.e. reproducible)
run: |
cmp -b gha-artifact/*/*.zip artifact/*.zip
pushd ci/generated/project/
for f in *.kt; do \
cmp -b "$f" "$GITHUB_WORKSPACE/artifact/$f";
done;
popd