-
Notifications
You must be signed in to change notification settings - Fork 114
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: simplify CI and remove need for secrets
- Loading branch information
Showing
4 changed files
with
36 additions
and
233 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,60 +1,22 @@ | ||
--- | ||
name: "check and build" | ||
on: | ||
pull_request_target: | ||
pull_request: | ||
push: | ||
branches: | ||
- main | ||
|
||
jobs: | ||
check-permissions: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- run: | | ||
echo "github.event_name: ${{ github.event_name }}" | ||
echo "github.event.pull_request.author_association: ${{ github.event.pull_request.author_association }}" | ||
- name: "This task will run and fail if user has no permissions and label safe_to_test isn't pressent" | ||
if: "github.event_name == 'pull_request_target' && ! ( contains(github.event.pull_request.labels.*.name, 'safe_to_test') || contains(fromJson('[\"OWNER\", \"MEMBER\", \"COLLABORATOR\"]'), github.event.pull_request.author_association) )" | ||
run: | | ||
exit 1 | ||
tests: | ||
uses: ./.github/workflows/wf_check.yaml | ||
needs: | ||
- check-permissions | ||
with: | ||
NAME: hasura-auth | ||
GIT_REF: ${{ github.event.pull_request.head.sha }} | ||
secrets: | ||
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }} | ||
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }} | ||
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }} | ||
|
||
build_artifacts: | ||
uses: ./.github/workflows/wf_build_artifacts.yaml | ||
needs: | ||
- check-permissions | ||
with: | ||
NAME: hasura-auth | ||
VERSION: 0.0.0-dev # hardcoded to avoid rebuilding | ||
DOCKER: true | ||
GIT_REF: ${{ github.event.pull_request.head.sha }} | ||
secrets: | ||
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }} | ||
SSH_PRIVATE_KEY: ${{ secrets.NIX_REMOTE_BUILD_ARM_SSH_KEY }} | ||
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }} | ||
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }} | ||
NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }} | ||
NIX_REMOTE_BUILDER_SUBNET_ID: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }} | ||
|
||
remove_label: | ||
runs-on: ubuntu-latest | ||
needs: | ||
- check-permissions | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: actions-ecosystem/action-remove-labels@v1 | ||
with: | ||
labels: | | ||
safe_to_test | ||
if: contains(github.event.pull_request.labels.*.name, 'safe_to_test') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,177 +18,70 @@ on: | |
DOCKER: | ||
type: boolean | ||
required: true | ||
secrets: | ||
AWS_ACCOUNT_ID: | ||
required: true | ||
SSH_PRIVATE_KEY: | ||
required: true | ||
NIX_CACHE_PUB_KEY: | ||
required: true | ||
NIX_CACHE_PRIV_KEY: | ||
required: true | ||
NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: | ||
required: true | ||
NIX_REMOTE_BUILDER_SUBNET_ID: | ||
required: true | ||
|
||
jobs: | ||
artifacts: | ||
runs-on: ubuntu-latest | ||
timeout-minutes: 180 | ||
|
||
# These permissions are needed to interact with GitHub's OIDC Token endpoint. | ||
permissions: | ||
id-token: write | ||
contents: write | ||
|
||
strategy: | ||
matrix: | ||
platform: ["x86_64", "aarch64"] | ||
os: [ubuntu-22.04, ubuntu-arm64-22.04-2cores] | ||
fail-fast: true | ||
|
||
runs-on: ${{ matrix.os }} | ||
timeout-minutes: 180 | ||
|
||
steps: | ||
- name: "Check out repository" | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
ref: ${{ inputs.GIT_REF }} | ||
|
||
- name: Configure aws | ||
uses: aws-actions/configure-aws-credentials@v4 | ||
with: | ||
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }} | ||
aws-region: eu-central-1 | ||
|
||
- uses: nixbuild/nix-quick-install-action@v28 | ||
- uses: cachix/install-nix-action@v27 | ||
with: | ||
nix_version: 2.20.5 | ||
nix_conf: | | ||
install_url: "https://releases.nixos.org/nix/nix-2.20.5/install" | ||
install_options: "--no-daemon" | ||
extra_nix_config: | | ||
experimental-features = nix-command flakes | ||
sandbox = false | ||
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | ||
substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50 | ||
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }} | ||
builders-use-substitutes = true | ||
substituters = https://cache.nixos.org/?priority=40 | ||
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= | ||
- uses: DeterminateSystems/magic-nix-cache-action@main | ||
with: | ||
diagnostic-endpoint: "" | ||
|
||
- name: Compute common env vars | ||
id: vars | ||
run: | | ||
echo "VERSION=$(make get-version VER=${{ inputs.VERSION }})" >> $GITHUB_OUTPUT | ||
- name: "Verify if we need to build" | ||
id: verify-build | ||
run: | | ||
export build_dry_run_output=$(make build-dry-run ARCH=${{ matrix.platform }}) | ||
export drvPath=$(echo "$build_dry_run_output" | grep -oE '"out":.*"' | awk -F\" '{ print $4 }') | ||
nix store verify --store s3://nhost-nix-cache?region=eu-central-1 $drvPath \ | ||
&& export BUILD_NEEDED=no \ | ||
|| export BUILD_NEEDED=yes | ||
echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT | ||
- name: "Setup nix-remote-builder" | ||
uses: dbarrosop/[email protected] | ||
id: nix-remote-builder | ||
with: | ||
name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }} | ||
ami: " ami-034dac72b37504107" | ||
instance-type: 't4g.xlarge' | ||
region: "eu-central-1" | ||
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} | ||
security-group-id: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }} | ||
subnet-id: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }} | ||
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} | ||
|
||
- name: "Setup nix-remote-builder in nix.conf" | ||
run: | | ||
echo "builders = ssh://ec2-user@${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf | ||
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} | ||
|
||
- name: Cache nix store | ||
uses: actions/cache@v4 | ||
with: | ||
path: | | ||
/nix/store/** | ||
/nix/var/nix/*/* | ||
/nix/var/nix/db/* | ||
/nix/var/nix/db/*/** | ||
!/nix/var/nix/daemon-socket/socket | ||
!/nix/var/nix/userpool/* | ||
!/nix/var/nix/gc.lock | ||
!/nix/var/nix/db/big-lock | ||
!/nix/var/nix/db/reserved | ||
key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock') }} | ||
restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main | ||
if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} | ||
|
||
- uses: docker/setup-qemu-action@v3 | ||
if: ${{ ( matrix.platform == 'aarch64' ) }} | ||
|
||
- name: "Wait for remote builder to be ready" | ||
run: | | ||
set +e | ||
max_attempts=6 | ||
retry_interval=10 | ||
attempt=1 | ||
while [ "$attempt" -le "$max_attempts" ]; do | ||
echo "Checking SSH connection (attempt $attempt)..." | ||
nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22 | ||
if [ $? -eq 0 ]; then | ||
echo "success" | ||
break | ||
else | ||
echo "SSH connection failed." | ||
if [ "$attempt" -lt "$max_attempts" ]; then | ||
echo "Retrying in $retry_interval seconds..." | ||
sleep "$retry_interval" | ||
else | ||
echo "Exceeded maximum connection attempts." | ||
exit 1 | ||
fi | ||
fi | ||
((attempt++)) | ||
done | ||
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} | ||
|
||
- name: "Build artifact" | ||
run: | | ||
nix build .\#packages.${{ matrix.platform }}-linux.hasura-auth | ||
make build | ||
zip -r result.zip result | ||
- name: "Push artifact to artifact repository" | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ${{ inputs.NAME }}-artifact-${{ matrix.platform }}-${{ steps.vars.outputs.VERSION }} | ||
name: ${{ inputs.NAME }}-artifact-${{ matrix.os }}-${{ steps.vars.outputs.VERSION }} | ||
path: result/bin/hasura-auth | ||
retention-days: 7 | ||
|
||
- name: "Build docker image" | ||
run: | | ||
make build-docker-image ARCH=${{ matrix.platform }} | ||
nix build .\#packages.${{ matrix.platform }}-linux.docker-image | ||
make build-docker-image | ||
if: ${{ ( inputs.DOCKER ) }} | ||
|
||
- name: "Push docker image to artifact repository" | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ${{ inputs.NAME }}-docker-image-${{ matrix.platform }}-${{ steps.vars.outputs.VERSION }} | ||
name: ${{ inputs.NAME }}-docker-image-${{ matrix.os }}-${{ steps.vars.outputs.VERSION }} | ||
path: result | ||
retention-days: 7 | ||
if: ${{ ( inputs.DOCKER ) }} | ||
|
||
- name: "Cache nix store on s3" | ||
run: | | ||
echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem | ||
nix store sign --key-file cache-priv-key.pem --all | ||
find /nix/store -maxdepth 1 -name "*-*" -type d | grep -v source | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1 | ||
if: always() | ||
|
||
- name: "Cache nix store on s3 (docker-image)" | ||
run: | | ||
echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem | ||
nix store sign --key-file cache-priv-key.pem --all | ||
nix copy --to s3://nhost-nix-cache\?region=eu-central-1 .\#packages.${{ matrix.platform }}-linux.docker-image | ||
if: ${{ ( inputs.DOCKER ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} | ||
|
||
- run: rm cache-priv-key.pem || echo "file not found" | ||
if: always() |
Oops, something went wrong.