Merge pull request #19 from boinkor-net/nix-ci

nix: Add a nix.yml & add a task that checks the .sri is up to date
boinkor-net · Aug 11, 2023 · d2a0f93 · d2a0f93
2 parents c01bfa1 + 2b18f9a
commit d2a0f93
Show file tree

Hide file tree

Showing 6 changed files with 107 additions and 26 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,7 @@
     "if": "always() && github.event_name != 'merge_group'"
     "needs":
     - "ci_go"
+    - "nix"
     "permissions":
       "actions": "read"
     "runs-on": "ubuntu-latest"
@@ -22,6 +23,7 @@
     "needs":
     - "ci_go"
     - "docker-publish"
+    - "nix"
     "permissions":
       "actions": "read"
     "runs-on": "ubuntu-latest"
@@ -44,6 +46,9 @@
   "docker-publish":
     "secrets": "inherit"
     "uses": "./.github/workflows/docker-publish.yml"
+  "nix":
+    "secrets": "inherit"
+    "uses": "./.github/workflows/nix.yml"
 "name": "CI"
 "on":
   "merge_group": {}
@@ -57,3 +62,4 @@
   "contents": "read"
   "id-token": "write"
   "packages": "write"
+  "pull-requests": "write"
diff --git a/.github/workflows/dispatch_update_sri.yml b/.github/workflows/dispatch_update_sri.yml
@@ -5,8 +5,13 @@ on:
 jobs:
   update_sri_hash:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v3.5.3
+        with:
+          token: ${{secrets.REPO_CONTENT_UPDATE_TOKEN}}
+          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
       - name: Cache install Nix packages
         uses: mtoohey31/cache-flake-attrs@v2
         with:
@@ -15,8 +20,8 @@ jobs:
       - name: re-generate SRI
         run: "nix --extra-experimental-features nix-command --extra-experimental-features flakes run .#regenSRI"
       - name: Commit & Push updated SRI
-        uses: actions-js/push@master
+        uses: actions-js/push@v1.4
         with:
           message: "chore: Update SRI hashes"
-          branch: ${{env.GITHUB_REF}}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          branch: ${{github.ref_name}}
+          github_token: ${{secrets.REPO_CONTENT_UPDATE_TOKEN}}
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
@@ -0,0 +1,59 @@
+name: "CI/nix"
+on:
+  workflow_call:
+
+jobs:
+  flake_build:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3.5.3
+      - uses: cachix/install-nix-action@v22
+      - run: nix build --no-link path:.#
+
+  flake_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3.5.3
+      - uses: cachix/install-nix-action@v22
+      - run: nix flake check path:.
+
+  # less expensive than running a full flake package build, but
+  # validates the thing we care about:
+  sri_check:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v3.5.3
+      - name: Cache install Nix packages
+        uses: mtoohey31/cache-flake-attrs@v2
+        with:
+          key: ${{ runner.os }}-nix-${{ hashFiles('./flake.nix') }}
+          flake_paths: ".#regenSRI"
+      - name: re-generate SRI
+        run: "nix --extra-experimental-features nix-command --extra-experimental-features flakes run .#regenSRI"
+      - run: git diff --exit-code
+        id: up_to_date
+      - run: '(echo "diff<<EOF" ; git diff ; echo EOF) >> $GITHUB_OUTPUT'
+        if: always() && steps.up_to_date.outcome == 'failure'
+        id: diff
+      - name: Leave a PR comment
+        uses: thollander/actions-comment-pull-request@v2
+        if: always()
+        with:
+          message: |
+            # SRI tag needs updating
+
+            It looks like the generated SRI hash on the go modules in this repo is outdated. This usually happens when the go module structure / version changes, and will break the build of nix packages. Here's the diff:
+
+            ```diff
+            ${{steps.diff.outputs.diff}}
+            ```
+
+            To update the SRI hash easily, a repo admin can run the [`Update SRI hash` action](https://github.com/boinkor-net/tsnsrv/actions/workflows/dispatch_update_sri.yml) on this branch, or you can invoke `regenSRI` on the nix dev shell and commit & push.
+          comment_tag: execution
+          mode: "${{ steps.up_to_date.outcome == 'failure' && 'upsert' || 'delete' }}"
+          GITHUB_TOKEN: ${{ github.token }}
diff --git a/flake.nix b/flake.nix
@@ -27,6 +27,7 @@
         };
 
         packages = {
+          default = config.packages.tsnsrv;
           tsnsrv = pkgs.buildGoModule {
             pname = "tsnsrv";
             version = "0.0.0";
@@ -36,25 +37,38 @@
           };
 
           # To provide a smoother dev experience:
-          nardump = pkgs.buildGoModule rec {
-            pname = "nardump";
-            version = "1.38.4";
-            src = pkgs.fetchFromGitHub {
-              owner = "tailscale";
-              repo = "tailscale";
-              rev = "v${version}";
-              sha256 = "sha256-HjN8VzysxQvx5spXgbgbItH3y1bLbfHO+udNQMuyhAk=";
+          regenSRI = let
+            nardump = pkgs.buildGoModule rec {
+              pname = "nardump";
+              version = "1.38.4";
+              src = pkgs.fetchFromGitHub {
+                owner = "tailscale";
+                repo = "tailscale";
+                rev = "v${version}";
+                sha256 = "sha256-HjN8VzysxQvx5spXgbgbItH3y1bLbfHO+udNQMuyhAk=";
+              };
+              vendorSha256 = "sha256-LIvaxSo+4LuHUk8DIZ27IaRQwaDnjW6Jwm5AEc/V95A=";
+
+              subPackages = ["cmd/nardump"];
             };
-            vendorSha256 = "sha256-LIvaxSo+4LuHUk8DIZ27IaRQwaDnjW6Jwm5AEc/V95A=";
+          in
+            pkgs.writeShellApplication {
+              name = "regenSRI";
+              text = ''
+                set -eu -o pipefail
 
-            subPackages = ["cmd/nardump"];
-          };
-          default = config.packages.tsnsrv;
+                src="$(pwd)"
+                temp="$(mktemp -d)"
+                trap 'rm -rf "$temp"' EXIT
+                go mod vendor -o "$temp"
+                ${nardump}/bin/nardump -sri "$temp" >"$src/tsnsrv.sri"
+              '';
+            };
         };
 
         apps = {
-          tsnsrv.program = config.packages.tsnsrv;
           default = config.apps.tsnsrv;
+          tsnsrv.program = config.packages.tsnsrv;
         };
         formatter = pkgs.alejandra;
 
@@ -64,15 +78,7 @@
               name = "regenSRI";
               category = "dev";
               help = "Regenerate tsnsrv.sri in case the module SRI hash should change";
-              command = ''
-                set -eu -o pipefail
-
-                src="$(pwd)"
-                temp="$(mktemp -d)"
-                trap "rm -rf $temp" EXIT
-                go mod vendor -o "$temp"
-                ${config.packages.nardump}/bin/nardump -sri $temp >"$src/tsnsrv.sri"
-              '';
+              command = "${config.packages.regenSRI}/bin/regenSRI";
             }
           ];
           packages = [

diff --git a/nix/dev-packages/nardump.nix b/nix/dev-packages/nardump.nix
@@ -0,0 +1,5 @@
+let
+  flakeCompat = import ./../..;
+in [
+  flakeCompat.packages.nardump
+]
diff --git a/tsnsrv.sri b/tsnsrv.sri
@@ -1 +1 @@
-sha256-xeOWZquQlDrJ0Nfsv3j4nd0kMooAVC+4YlyCaxwc5z4=
+sha256-1AvQpFoBFMVY1vYutJdVSCry+KLSeRJAeJIA8d9sAZQ=