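name: "Build"

on:
  pull_request:
  merge_group:
  push:
    branches:
      - master

# Least privilege for the default GITHUB_TOKEN: every job only reads the
# repository. The one write this workflow performs (the npmDepsHash fix-up
# commit in build-thymis-controller) uses a GitHub App token, not
# GITHUB_TOKEN. NOTE(review): the composite actions under .github/actions
# receive github_token as an input; if one of them turns out to need more
# than read access, widen `permissions` on that job rather than here.
permissions:
  contents: read

# NOTE(review): third-party actions (actions/checkout, dorny/paths-filter,
# actions/create-github-app-token) are referenced by mutable major-version
# tags. Pinning each to a full commit SHA (uses: owner/repo@<commit-sha>)
# removes the tag-retargeting risk in the supply chain.
jobs:
  # Detects whether only the frontend lockfile changed, so the SD-image jobs
  # can be skipped for renovate lockfile-only pull requests (see their `if:`).
  changes:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # actions/checkout
      pull-requests: read  # dorny/paths-filter reads the PR file list
    outputs:
      package-lock-json: ${{ steps.filter.outputs.package-lock-json }}
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
            package-lock-json:
              - 'frontend/package-lock.json'

  build-agent:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: build thymis-agent
        uses: ./.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            nix build .#thymis-agent --print-build-logs

  build-agent-aarch64:
    runs-on: ubuntu-22.04-arm
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: build thymis-agent-aarch64
        uses: ./.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            nix build .#thymis-agent --print-build-logs

  # Builds the frontend and controller. If the frontend build fails because
  # frontend/package-lock.json changed and npmDepsHash is stale, the
  # failure-only steps below recompute the hash and push a fix-up commit
  # to the triggering branch using a GitHub App identity.
  build-thymis-controller:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          path: thymis
      - uses: ./thymis/.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build thymis-frontend
        uses: ./thymis/.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # The log is consumed by the hash fix-up step below.
          # NOTE(review): whether a failing `nix build` marks this step as
          # failed (and so triggers the `if: failure()` steps) depends on the
          # composite action running the script with pipefail set — confirm.
          script: |
            cd thymis
            nix build .#thymis-frontend --print-build-logs 2>&1 | tee build.log
            sleep 1
      - name: Get Thymis App Token
        id: generate-token
        if: failure()
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.THYMIS_APP_ID }}
          private-key: ${{ secrets.THYMIS_APP_PRIVATE_KEY }}
      # Second checkout, authenticated with the App token so the fix-up
      # commit can be pushed back to the triggering branch.
      - uses: actions/checkout@v4
        if: failure()
        with:
          token: ${{ steps.generate-token.outputs.token }}
          path: thymis-2
          ref: ${{ github.head_ref || github.ref_name }}
      - name: check if failed because of frontend hash failure, in that case, commit the new hash
        if: failure()
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
          # Context values reach the shell through the environment rather than
          # by interpolating `${{ }}` into the script, so none of them is ever
          # parsed as shell syntax.
          BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
          APP_SLUG: ${{ steps.generate-token.outputs.app-slug }}
          EXPECTED_HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          if grep -q -e "hash mismatch in fixed-output derivation" -e "npmDepsHash is out of date" thymis/build.log; then
            cd thymis-2
            echo "frontendHashFailure detected, committing new hash"
            # Commit as the App's bot identity; the noreply address needs the
            # numeric user id, which is looked up via the API.
            USER_NAME="${APP_SLUG}[bot]"
            USER_ID=$(gh api "/users/${USER_NAME}" --jq '.id')
            USER_EMAIL="${USER_ID}+${APP_SLUG}[bot]@users.noreply.github.com"
            git config user.email "$USER_EMAIL"
            git config user.name "$USER_NAME"
            # Recovery procedure for a stale npmDepsHash:
            #   1. set npmDepsHash to lib.fakeHash in ./frontend/default.nix
            #      (the line looks like: npmDepsHash = "sha256-<hash>";)
            #   2. build again and let it fail with a hash mismatch
            #   3. copy the reported 'got: sha256-...' value back into the file
            (cd frontend && nix develop .#ci --command npm install)
            git add ./frontend/package-lock.json
            sed -i 's/npmDepsHash = "sha256-.*";/npmDepsHash = lib.fakeHash;/' ./frontend/default.nix
            # This build is expected to fail; only its log is needed.
            nix build .#thymis-frontend --print-build-logs 2>&1 | tee build.log
            git fetch --all
            git checkout "$BRANCH_NAME"
            # Take the first reported hash. Abort instead of committing an
            # empty "sha256-" value if the log contains no such line.
            newHash=$(grep -oP 'got: sha256-\K[0-9a-zA-Z/+=]+' build.log | head -n 1 || true)
            if [ -z "$newHash" ]; then
              echo "no 'got: sha256-...' line found in build.log, not committing"
              exit 1
            fi
            sed -i "s@npmDepsHash = lib.fakeHash;@npmDepsHash = \"sha256-$newHash\";@" ./frontend/default.nix
            git add ./frontend/default.nix
            # NOTE: amending/force-pushing for renovate PRs (so renovate does
            # not get confused by an extra commit) is not implemented; the
            # last author is only logged for now.
            lastCommitAuthor=$(git log -1 --pretty=format:'%an')
            echo "last commit author: '$lastCommitAuthor'"
            # Only push if the branch tip is still the commit that triggered
            # this run. NOTE(review): HEAD is the failure-time checkout, so a
            # push that lands after it is only caught by git rejecting the
            # non-fast-forward push.
            if [[ "$EXPECTED_HEAD_SHA" == "$(git rev-parse HEAD)" ]]; then
              git commit -m "chore(nix,automation): update npmDepsHash in ./frontend/default.nix"
              git push
            else
              echo "Changes were made to the branch since the last commit, not pushing"
            fi
          fi
      - name: build thymis-controller
        uses: ./thymis/.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            cd thymis
            nix build .#thymis-controller --print-build-logs

  build-thymis-controller-pi-3-sd-image:
    runs-on: ubuntu-22.04-arm
    needs: changes
    if: ${{ ! (needs.changes.outputs.package-lock-json == 'true' && github.actor == 'renovate[bot]' && github.event_name == 'pull_request') }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: build thymis-controller-pi-3-sd-image
        uses: ./.github/actions/run-command-with-nix-cache-upload
        with:
          # Same inputs as the other image jobs; previously omitted here.
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            nix build .#thymis-controller-pi-3-sd-image --print-build-logs
      - uses: ./.github/actions/assemble-image-and-assert-existence

  build-thymis-controller-pi-4-sd-image:
    runs-on: ubuntu-22.04-arm
    needs: changes
    if: ${{ ! (needs.changes.outputs.package-lock-json == 'true' && github.actor == 'renovate[bot]' && github.event_name == 'pull_request') }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: build thymis-controller-pi-4-sd-image
        uses: ./.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            nix build .#thymis-controller-pi-4-sd-image --print-build-logs
      - uses: ./.github/actions/assemble-image-and-assert-existence

  build-thymis-controller-pi-5-sd-image:
    runs-on: ubuntu-22.04-arm
    needs: changes
    if: ${{ ! (needs.changes.outputs.package-lock-json == 'true' && github.actor == 'renovate[bot]' && github.event_name == 'pull_request') }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: build thymis-controller-pi-5-sd-image
        uses: ./.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            nix build .#thymis-controller-pi-5-sd-image --print-build-logs
      - uses: ./.github/actions/assemble-image-and-assert-existence

  build-generic-x86_64-image:
    runs-on: ubuntu-latest
    needs: changes
    if: ${{ ! (needs.changes.outputs.package-lock-json == 'true' && github.actor == 'renovate[bot]' && github.event_name == 'pull_request') }}
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-nix
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: pin nixpkgs
        run: nix registry add nixpkgs github:NixOS/nixpkgs/nixos-24.11
      - name: build thymis-controller-generic-x86_64-image
        uses: ./.github/actions/run-command-with-nix-cache-upload
        with:
          attic_token: ${{ secrets.ATTIC_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            nix build .#thymis-controller-generic-x86_64-image --print-build-logs
      - uses: ./.github/actions/assemble-image-and-assert-existence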