ci.yml
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This workflow does double duty: it runs checks against PRs/pushes, and it
# updates flake.lock (run from a schedule or manually).
#
# This approach seems simpler than having a separate lockfile-updating workflow
# that creates a PR that gets the normal check workflow run against it before
# merging, especially since (according to
# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
# not run workflows against PRs created by a GitHub Action.

name: CI

on:
  push:
  pull_request:
  workflow_dispatch:
    inputs:
      updateFlakeLock:
        description: 'Update flake.lock'
        default: false
        type: boolean
  schedule:
    - cron: '23 8 * * *' # runs daily at a randomly selected time

jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      id-token: "write"
      contents: "write"
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Enable Magic Nix Cache
        uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Update flake.lock
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: |
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git config user.name "github-actions[bot]"
          nix flake update --commit-lock-file
      - name: Check flake.lock
        uses: DeterminateSystems/flake-checker-action@main
        with:
          nixpkgs-keys: "" # TODO: check nixpkgs used for cached builds
      - name: Cache git checkouts
        uses: actions/cache@v4
        with:
          path: ~/.cache/nix/gitv3
          key: nix-gitv3-cache-${{ hashFiles('flake.lock') }}
          restore-keys: nix-gitv3-cache-
      - name: nix flake check
        run: nix flake check -L --show-trace
      - name: Push changes
        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
        run: git push
        # `git push` only works because branch protection is not enabled.
        #
        # Currently branch protection is not effective anyway, since the only
        # contributor (marienz) has admin permissions, and applying branch
        # protection to administrators seems to be an "organization" feature.
        #
        # The supported path seems to be "create a PR and use the API to merge
        # it", but that's more work to implement (see above): revisit later.

# TODO: try to improve caching.
#
# We spend a lot of time fetching sources. Caching all of ~/.cache/nix/gitv3 is
# not ideal: it is too large (3GiB) and we don't expire individual checkouts.
# https://github.com/DeterminateSystems/magic-nix-cache/issues/28 may help.
#
# The "magic" nix cache hits usage limits:
#
# 2024-05-18T06:45:19.165515Z ERROR magic_nix_cache::gha: Upload of path '/nix/store/fpq1vaw8vr88a67lc2jspskf2fa7zbvj-emacs-treepy-20230715.2154' failed: GitHub API error: API error (429 Too Many Requests): StructuredApiError { message: "Request was blocked due to exceeding usage of resource 'Count' in namespace ''." }
#
# This might get better as the cache populates, as long as I don't hit size
# limits.
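As an added check that is not part of this repository: a small Python audit of the workflow above, flagging the two things a reviewer would want to track in it, `uses:` refs pinned to a moving branch or tag (`@main`, `@v4`) rather than a commit SHA, and the `write` scopes the job's token carries into those third-party steps. The embedded workflow excerpt is constructed from the file above; the function and regexes are this example's own.

```python
import re

# Constructed excerpt of the ci.yml above: just the job's permissions and
# every `uses:` step, with indentation restored, so the audit runs offline.
WORKFLOW = """\
jobs:
  check:
    permissions:
      id-token: "write"
      contents: "write"
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - uses: DeterminateSystems/flake-checker-action@main
      - uses: actions/cache@v4
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERM_RE = re.compile(r'^\s*([\w-]+):\s*"?(write|read|none)"?\s*$')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Line-based workflow audit (no YAML library); returns (lineno, kind, detail).
    "unpinned-action": third-party `uses:` ref on a branch or tag (@main, @v4)
    rather than a full commit SHA, so upstream can repoint it and this job would
    run the new code with its write-capable token.
    "write-permission": a `write` scope under `permissions:` (needed here for
    `git push`); recorded so the blast radius of a compromised step is explicit.
    """
    findings = []
    perms_indent = None  # indentation of an open `permissions:` block
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if line.strip().startswith("permissions:"):
            perms_indent = indent
            continue
        if perms_indent is not None:
            perm = PERM_RE.match(line)
            if perm and indent > perms_indent:
                if perm.group(2) == "write":
                    findings.append((lineno, "write-permission", perm.group(1)))
                continue
            perms_indent = None  # left the permissions block
        used = USES_RE.match(line)
        if used:
            action, _, pin = used.group(1).partition("@")
            if not action.startswith(("./", "docker://")) and not SHA_RE.match(pin):
                findings.append((lineno, "unpinned-action", used.group(1)))
    return findings
```

Run against the excerpt it reports both `write` scopes and all five unpinned steps; a ref pinned to a 40-hex SHA or a local `./action` path produces nothing.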