diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 4aac3761..73153c83 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -1,60 +1,22 @@
 --- name: "check and build" on: - pull_request_target: + pull_request: push: branches: - main jobs: - check-permissions: - runs-on: ubuntu-latest - steps: - - run: | - echo "github.event_name: ${{ github.event_name }}" - echo "github.event.pull_request.author_association: ${{ github.event.pull_request.author_association }}" - - name: "This task will run and fail if user has no permissions and label safe_to_test isn't pressent" - if: "github.event_name == 'pull_request_target' && ! ( contains(github.event.pull_request.labels.*.name, 'safe_to_test') || contains(fromJson('[\"OWNER\", \"MEMBER\", \"COLLABORATOR\"]'), github.event.pull_request.author_association) )" - run: | - exit 1 - tests: uses: ./.github/workflows/wf_check.yaml - needs: - - check-permissions with: NAME: hasura-auth GIT_REF: ${{ github.event.pull_request.head.sha }} - secrets: - AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }} - NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }} - NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }} build_artifacts: uses: ./.github/workflows/wf_build_artifacts.yaml - needs: - - check-permissions with: NAME: hasura-auth VERSION: 0.0.0-dev # hardcoded to avoid rebuilding DOCKER: true GIT_REF: ${{ github.event.pull_request.head.sha }} - secrets: - AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }} - SSH_PRIVATE_KEY: ${{ secrets.NIX_REMOTE_BUILD_ARM_SSH_KEY }} - NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }} - NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }} - NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }} - NIX_REMOTE_BUILDER_SUBNET_ID: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }} - - remove_label: - runs-on: ubuntu-latest - needs: - - check-permissions - steps: - - uses: actions/checkout@v4 - - uses: actions-ecosystem/action-remove-labels@v1 - with: - labels: | - safe_to_test - if: contains(github.event.pull_request.labels.*.name, 'safe_to_test')
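Review bot: Nothing in this file now bounds the `GITHUB_TOKEN` handed to the `tests` and `build_artifacts` jobs: the `permissions:` blocks are removed from wf_check.yaml and wf_build_artifacts.yaml in the hunks below, and checks.yaml declares none, so both jobs inherit the repository's default token permissions. Moving from `pull_request_target` to `pull_request` already gives fork PRs a read-only token, but same-repo PRs and the `push` to `main` path still get the default grant; a top-level `permissions:` / `  contents: read` after the `on:` block caps it, since a called reusable workflow cannot exceed its caller's permissions. The unchanged `GIT_REF: ${{ github.event.pull_request.head.sha }}` inputs still expand to an empty string on the `push` event, so checkout falls back to the pushed ref; a comment saying that is intended would help the next reader.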
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index aed42989..6d21a9b5 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -9,11 +9,6 @@ jobs:
 uses: ./.github/workflows/wf_check.yaml with: NAME: hasura-auth - secrets: - AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }} - NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }} - NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }} - build_artifacts: uses: ./.github/workflows/wf_build_artifacts.yaml
@@ -21,13 +16,6 @@ jobs:
 NAME: hasura-auth VERSION: ${{ github.ref_name }} DOCKER: true - secrets: - AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }} - SSH_PRIVATE_KEY: ${{ secrets.NIX_REMOTE_BUILD_ARM_SSH_KEY }} - NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }} - NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }} - NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }} - NIX_REMOTE_BUILDER_SUBNET_ID: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }} push_docker_image: uses: ./.github/workflows/wf_docker_push_image.yaml
diff --git a/.github/workflows/wf_build_artifacts.yaml b/.github/workflows/wf_build_artifacts.yaml
index 7107127e..5e80899b 100644
--- a/.github/workflows/wf_build_artifacts.yaml
+++ b/.github/workflows/wf_build_artifacts.yaml
@@ -18,34 +18,18 @@ on:
 DOCKER: type: boolean required: true - secrets: - AWS_ACCOUNT_ID: - required: true - SSH_PRIVATE_KEY: - required: true - NIX_CACHE_PUB_KEY: - required: true - NIX_CACHE_PRIV_KEY: - required: true - NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: - required: true - NIX_REMOTE_BUILDER_SUBNET_ID: - required: true jobs: artifacts: - runs-on: ubuntu-latest - timeout-minutes: 180 - - permissions: - id-token: write - contents: write strategy: matrix: - platform: ["x86_64", "aarch64"] + os: [ubuntu-22.04, ubuntu-arm64-22.04-2cores] fail-fast: true + runs-on: ${{ matrix.os }} + timeout-minutes: 180 + steps: - name: "Check out repository" uses: actions/checkout@v4
@@ -53,22 +37,20 @@ jobs:
 fetch-depth: 0 ref: ${{ inputs.GIT_REF }} - - name: Configure aws - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }} - aws-region: eu-central-1 - - - uses: nixbuild/nix-quick-install-action@v28 + - uses: cachix/install-nix-action@v27 with: - nix_version: 2.20.5 - nix_conf: | + install_url: "https://releases.nixos.org/nix/nix-2.20.5/install" + install_options: "--no-daemon" + extra_nix_config: | experimental-features = nix-command flakes sandbox = false access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50 - trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }} - builders-use-substitutes = true + substituters = https://cache.nixos.org/?priority=40 + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + + - uses: DeterminateSystems/magic-nix-cache-action@main + with: + diagnostic-endpoint: "" - name: Compute common env vars id: vars
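Review bot: The `platform` matrix dimension is replaced by `os`, but the steps between this hunk and the later ones (`Push artifact to artifact repository`, `Push docker image to artifact repository`) are not in the diff, so if any of them still interpolates `${{ matrix.platform }}`, for example in an artifact `name:`, it now expands to an empty string and both legs upload `result.zip` under one name — depending on the upload action version the second leg overwrites the first or fails. Worth checking those steps and keying artifact names on `matrix.os`; a comment on the matrix such as `# one native build per runner arch; artifact names must include matrix.os` would record the contract. Dropping the job-level `id-token: write` / `contents: write` grants along with the AWS steps is a genuine least-privilege improvement.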
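Review bot: `DeterminateSystems/magic-nix-cache-action@main` is a floating branch reference to a third-party action that runs with the job's `GITHUB_TOKEN` and the Actions cache, so any commit on that branch reaches this pipeline unreviewed; wf_check.yaml below adds the same reference. Pin it the same way the Nix version is pinned via `install_url`: `- uses: DeterminateSystems/magic-nix-cache-action@<release-tag-or-full-commit-sha>` with the version in a trailing comment, and do the same in wf_check.yaml. Setting `diagnostic-endpoint: ""` to disable telemetry is a good default; `sandbox = false` and the `access-tokens` line are pre-existing configuration carried over unchanged.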
@@ -85,74 +67,9 @@ jobs:
 || export BUILD_NEEDED=yes echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT - - name: "Setup nix-remote-builder" - uses: dbarrosop/nix-remote-builder-aws@v0.5.0 - id: nix-remote-builder - with: - name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }} - ami: " ami-034dac72b37504107" - instance-type: 't4g.xlarge' - region: "eu-central-1" - ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} - security-group-id: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }} - subnet-id: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }} - if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - - name: "Setup nix-remote-builder in nix.conf" - run: | - echo "builders = ssh://ec2-user@${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf - if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - - name: Cache nix store - uses: actions/cache@v4 - with: - path: | - /nix/store/** - /nix/var/nix/*/* - /nix/var/nix/db/* - /nix/var/nix/db/*/** - !/nix/var/nix/daemon-socket/socket - !/nix/var/nix/userpool/* - !/nix/var/nix/gc.lock - !/nix/var/nix/db/big-lock - !/nix/var/nix/db/reserved - key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock') }} - restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main - if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - - uses: docker/setup-qemu-action@v3 - if: ${{ ( matrix.platform == 'aarch64' ) }} - - name: "Wait for remote builder to be ready" - run: | - set +e - max_attempts=6 - retry_interval=10 - - attempt=1 - while [ "$attempt" -le "$max_attempts" ]; do - echo "Checking SSH connection (attempt $attempt)..." - nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22 - if [ $? -eq 0 ]; then - echo "success" - break - else - echo "SSH connection failed."
- if [ "$attempt" -lt "$max_attempts" ]; then - echo "Retrying in $retry_interval seconds..." - sleep "$retry_interval" - else - echo "Exceeded maximum connection attempts." - exit 1 - fi - fi - ((attempt++)) - done - if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - - name: "Build artifact" run: | - nix build .\#packages.${{ matrix.platform }}-linux.hasura-auth + make build zip -r result.zip result - name: "Push artifact to artifact repository"
@@ -164,8 +81,7 @@ jobs:
 - name: "Build docker image" run: | - make build-docker-image ARCH=${{ matrix.platform }} - nix build .\#packages.${{ matrix.platform }}-linux.docker-image + make build-docker-image if: ${{ ( inputs.DOCKER ) }} - name: "Push docker image to artifact repository"
@@ -175,20 +91,3 @@ jobs:
 path: result retention-days: 7 if: ${{ ( inputs.DOCKER ) }} - - - name: "Cache nix store on s3" - run: | - echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem - nix store sign --key-file cache-priv-key.pem --all - find /nix/store -maxdepth 1 -name "*-*" -type d | grep -v source | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1 - if: always() - - - name: "Cache nix store on s3 (docker-image)" - run: | - echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem - nix store sign --key-file cache-priv-key.pem --all - nix copy --to s3://nhost-nix-cache\?region=eu-central-1 .\#packages.${{ matrix.platform }}-linux.docker-image - if: ${{ ( inputs.DOCKER ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - - - run: rm cache-priv-key.pem || echo "file not found" - if: always()
diff --git a/.github/workflows/wf_check.yaml b/.github/workflows/wf_check.yaml
index ec63ba9f..e9c7d429 100644
--- a/.github/workflows/wf_check.yaml
+++ b/.github/workflows/wf_check.yaml
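Review bot: `make build` (and `make build-docker-image` in the next hunk) now runs with no architecture argument, whereas the removed lines selected `${{ matrix.platform }}-linux` explicitly, so correctness of the aarch64 leg depends on the Makefile deriving the target from the host on each `matrix.os` runner, which this diff does not show. If the Makefile's default is a fixed x86_64 target (the removed `ARCH=${{ matrix.platform }}` suggests it accepts an override), the arm runner would build and upload an x86_64 artifact without any step failing. Suggest recording the assumption above the step, `# native build: the Makefile is expected to derive the target arch from the runner (matrix.os)`, or passing the arch explicitly from a matrix field. The `Push artifact to artifact repository` step that follows is outside the hunk.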
@@ -8,24 +8,12 @@ on:
 GIT_REF: type: string required: false - secrets: - AWS_ACCOUNT_ID: - required: true - NIX_CACHE_PUB_KEY: - required: true - NIX_CACHE_PRIV_KEY: - required: true jobs: tests: runs-on: ubuntu-22.04 timeout-minutes: 180 - # These permissions are needed to interact with GitHub's OIDC Token endpoint. - permissions: - id-token: write - contents: write - steps: - name: "Check out repository" uses: actions/checkout@v4
@@ -33,27 +21,20 @@ jobs:
 fetch-depth: 0 ref: ${{ inputs.GIT_REF }} - - name: Configure aws - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }} - aws-region: eu-central-1 - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - uses: nixbuild/nix-quick-install-action@v28 + - uses: cachix/install-nix-action@v27 with: - nix_version: 2.20.5 - nix_conf: | + install_url: "https://releases.nixos.org/nix/nix-2.20.5/install" + install_options: "--no-daemon" + extra_nix_config: | experimental-features = nix-command flakes sandbox = false access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50 - trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }} + substituters = https://cache.nixos.org/?priority=40 + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + + - uses: DeterminateSystems/magic-nix-cache-action@main + with: + diagnostic-endpoint: "" - name: "Verify if we need to build" id: verify-build
@@ -74,23 +55,6 @@ jobs:
 echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT - - name: Cache nix store - uses: actions/cache@v4 - with: - path: | - /nix/store/** - /nix/var/nix/*/* - /nix/var/nix/db/* - /nix/var/nix/db/*/** - !/nix/var/nix/daemon-socket/socket - !/nix/var/nix/userpool/* - !/nix/var/nix/gc.lock - !/nix/var/nix/db/big-lock - !/nix/var/nix/db/reserved - key: nix-${{ inputs.NAME }}-${{ runner.os }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock', '${{ inputs.PROJECT }}/**.nix') }} - restore-keys: nix-${{ inputs.NAME }}-${{ runner.OS }}-main - if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - name: "Start containters for integration tests" run: | make build-docker-image
@@ -100,13 +64,3 @@ jobs:
 - name: "Run checks" run: make check if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} - - - name: "Cache nix store on s3" - run: | - echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem - nix store sign --key-file cache-priv-key.pem --all - find /nix/store -maxdepth 1 -name "*-*" -type d | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1 - if: always() - - - run: rm cache-priv-key.pem - if: always()