# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This workflow does double duty: it runs checks against PRs/pushes, and it
# updates flake.lock (run from a schedule or manually).
#
# This approach seems simpler than having a separate lockfile-updating workflow
# that creates a PR that gets the normal check workflow ran against it before
# merging, especially since (according to
# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
# not run workflows against PRs created by a GitHub Action.
#
# Trigger summary:
#   push / pull_request  -> checks only (no commit, no push, no Cachix push)
#   schedule             -> update flake.lock, check, push lockfile + Cachix
#   workflow_dispatch    -> check + Cachix push; lockfile update only when the
#                           updateFlakeLock input is set
name: CI
on:
  push:
  pull_request:
  workflow_dispatch:
    inputs:
      updateFlakeLock:
        description: 'Update flake.lock'
        default: false
        type: boolean
  schedule:
    - cron: '23 8 * * *' # runs daily at a randomly selected time
jobs:
  check:
    runs-on: ubuntu-latest
    # The job token is granted write access for every trigger, but only the
    # schedule / workflow_dispatch steps below ("Update flake.lock", "Push
    # changes") actually write to the repository. On pull_request events from
    # forks GitHub hands out a read-only token regardless of this block; for
    # same-repo PRs and pushes the write scope is unused. Splitting the
    # read-only check into its own job would let this job drop to least
    # privilege on those events.
    #
    # NOTE(review): nothing visible in this job uses OIDC (use-flakehub is
    # false below) - confirm nix-installer-action needs `id-token: write`,
    # otherwise it can be dropped.
    permissions:
      id-token: "write"
      contents: "write"
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
      # Supply-chain note: the three DeterminateSystems actions below are
      # referenced by the floating `main` branch, so whatever is pushed to
      # that branch runs here immediately, inside a job holding a
      # contents:write token and (on schedule/dispatch) the Cachix auth
      # token. Pinning each `uses:` to a full-length commit SHA (with the
      # version in a trailing comment) and letting a dependency bot bump the
      # pin would keep updates reviewable; the same applies, to a lesser
      # degree, to the version-tag pins (actions/*@v4, cachix-action@v15).
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main
        with:
          use-flakehub: false
      # Runs before "nix flake check" on purpose: later steps only run when
      # everything before them succeeded, so a lockfile update that breaks
      # the flake is never pushed (the "Push changes" step is skipped).
      - name: Update flake.lock
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: |
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          nix flake update --commit-lock-file
      - name: Check flake.lock
        uses: DeterminateSystems/flake-checker-action@main
      # Update the caches daily, flush the cache monthly.
      # `key` changes every day (forcing a fresh save); `restore` is the
      # year-month prefix, so a cache from earlier in the same month is
      # restored but nothing from a previous month is.
      - name: Set cache keys
        id: cache-keys
        run: |
          {
            echo "key=$(date +'%Y-%m-%d')"
            echo "restore=$(date +'%Y-%m-')"
          } >> "$GITHUB_OUTPUT"
      - name: Cache git checkouts
        uses: actions/cache@v4
        with:
          path: ~/.cache/nix/gitv3
          key: nix-gitv3-cache-${{ steps.cache-keys.outputs.key }}
          restore-keys: nix-gitv3-cache-${{ steps.cache-keys.outputs.restore }}
      - name: Cache tarballs
        uses: actions/cache@v4
        with:
          path: ~/.cache/nix/tarball-cache
          key: nix-tarball-cache-${{ steps.cache-keys.outputs.key }}
          restore-keys: nix-tarball-cache-${{ steps.cache-keys.outputs.restore }}
      - name: nix flake check
        run: nix flake check -L --show-trace
      # Everything from here on is gated on schedule / workflow_dispatch, so
      # neither the Cachix token nor the repository push is reachable from a
      # pull_request run.
      - name: Build packages for Cachix
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        run: nix build .#cachix-packages -L
      # Intentionally install Cachix late: build artifacts are cached by Magic
      # Nix Cache, only the runtime closure of cachix-packages goes to the
      # public Cachix cache.
      - name: Install Cachix
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        uses: cachix/cachix-action@v15
        with:
          name: doom-emacs-unstraightened
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
      # `result` is the out-link left by the `nix build` step above; only that
      # store path (and its closure) is pushed to the public cache.
      - name: Push to Cachix
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        run: readlink result | cachix push doom-emacs-unstraightened
      # Pushes the lockfile commit made by "Update flake.lock" straight to the
      # checked-out branch (the default branch on scheduled runs) with the
      # job's GITHUB_TOKEN.
      - name: Push changes
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: git push
        # `git push` only works because branch protection is not enabled.
        #
        # Currently branch protection is not effective anyway, since the only
        # contributor (marienz) has admin permissions, and applying branch
        # protection to administrators seems to be an "organization" feature.
        #
        # The supported path seems to be "create a PR and use the API to merge
        # it", but that's more work to implement (see above): revisit later.

# TODO: try to improve caching.
#
# We spend a lot of time fetching sources. Caching all of ~/.cache/nix/gitv3 is
# not ideal: it is too large (3GiB) and we don't expire individual checkouts.
# https://github.com/DeterminateSystems/magic-nix-cache/issues/28 may help.
#
# The "magic" nix cache hits usage limits:
#
# 2024-05-18T06:45:19.165515Z ERROR magic_nix_cache::gha: Upload of path '/nix/store/fpq1vaw8vr88a67lc2jspskf2fa7zbvj-emacs-treepy-20230715.2154' failed: GitHub API error: API error (429 Too Many Requests): StructuredApiError { message: "Request was blocked due to exceeding usage of resource 'Count' in namespace ''." }
#
# This might get better as the cache populates, as long as I don't hit size
# limits.