feat(ci): unify nf-update command for actions use

2026-02-09 12:29:19 -08:00 · 2024-03-16 13:09:20 -07:00 · 2024-03-16 13:09:20 -07:00 · 567022fa5a
commit 567022fa5a
parent f5ab8f6672
10 changed files with 204 additions and 67 deletions
--- a/ci/actions-test.sh
+++ b/ci/actions-test.sh
@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ ${GITHUB_ACTIONS-} = true && ${RUNNER_NAME-} = "Github Actions"* ]]; then
+	# low disk space available on public runners...
+	echo "enabled GC between builds due to restricted disk space..." >&2
+	export NF_ACTIONS_TEST_GC=1
+fi
+
+NIX_BUILD_ARGS=(
+	--show-trace
+)
+
+for nfsystem in "${NF_NIX_SYSTEMS[@]}"; do
+	nfargs=(
+		"${NIX_BUILD_ARGS[@]}"
+	)
+	if [[ -n "${NF_ACTIONS_TEST_OUTLINK-}" || -n "${NF_UPDATE_CACHIX_PUSH-}" ]]; then
+		nfargs+=(
+			-o "${NF_ACTIONS_TEST_OUTLINK-result}-$nfsystem"
+		)
+	else
+		nfargs+=(
+			--no-link
+		)
+	fi
+
+	echo "building ${nfsystem}..." >&2
+
+	nix build \
+		"${NF_CONFIG_ROOT}#nixosConfigurations.${nfsystem}.config.system.build.toplevel" \
+		"${nfargs[@]}" \
+		"$@"
+
+	if [[ -n "${NF_ACTIONS_TEST_GC-}" ]]; then
+		if [[ -n "${NF_UPDATE_CACHIX_PUSH-}" ]]; then
+			cachix push gensokyo-infrastructure "./${NF_ACTIONS_TEST_OUTLINK-result}-$nfsystem"*/
+			rm -f "./${NF_ACTIONS_TEST_OUTLINK-result}-$nfsystem"*
+		fi
+		nix-collect-garbage -d
+	fi
+done
--- a/ci/flake-cron.nix
+++ b/ci/flake-cron.nix
@ -10,6 +10,7 @@ in {
  name = "flake-update";

  nixpkgs.args.localSystem = "x86_64-linux";
+  nixpkgs.args.config.checkMetaRecursively = false;

  ci = {
    version = "v0.7";
@ -21,7 +22,6 @@ in {
  gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";

  nix.config = {
-    accept-flake-config = true;
    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
  };
@ -47,6 +47,20 @@ in {
      ];
      workflow_dispatch = {};
    };
+    jobs.flake-update = {
+      # TODO: split this up into two phases, then push at the end so other CI tests can run first
+      step.flake-update = {
+        name = "flake update build";
+        order = 500;
+        run = "nix run .#nf-update";
+        env = {
+          CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+          NF_UPDATE_GIT_COMMIT = "1";
+          NF_UPDATE_CACHIX_PUSH = "1";
+          NF_CONFIG_ROOT = "\${{ github.workspace }}";
+        };
+      };
+    };
  };

  channels = {
@ -55,50 +69,6 @@ in {
  };

  jobs.flake-update = {
-    tasks.flake-build.inputs = with channels.cipkgs;
-      ci.command {
-        name = "flake-update-build";
-        allowSubstitutes = false;
-        cache = {
-          enable = false;
-        };
-        displayName = "flake update build";
-        environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"];
-        command = let
-          filteredHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "mediabox"];
-          gcBetweenHosts = false;
-          nodeBuildString = concatMapStringsSep " && " (node: "nix build --show-trace -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts;
-          hostPath = builtins.getEnv "PATH";
-        in ''
-          # ${toString builtins.currentTime}
-          export PATH="${hostPath}:$PATH"
-          export NIX_CONFIG="$(printf '%s\naccept-flake-config = true\n' "''${NIX_CONFIG-}")"
-          nix flake update
-
-          if git status --porcelain | grep -qF flake.lock; then
-            git -P diff flake.lock
-            echo "checking that nodes still build..." >&2
-            if ${nodeBuildString}; then
-              if [[ -n $CACHIX_SIGNING_KEY ]]; then
-                cachix push gensokyo-infrastructure result*/ &
-                CACHIX_PUSH=$!
-              fi
-              git add flake.lock
-              export GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch
-              export GIT_{COMMITTER,AUTHOR}_NAME="flake cron job"
-              git commit --message="ci: flake update"
-              if [[ $GITHUB_REF = refs/heads/${gitBranch} ]]; then
-                git push origin HEAD:${gitBranch}
-              fi
-
-              wait ''${CACHIX_PUSH-}
-            fi
-          else
-            echo "no source changes" >&2
-          fi
-        '';
-        impure = true;
-      };
  };

  ci.gh-actions.checkoutOptions = {
--- a/ci/generate.sh
+++ b/ci/generate.sh
@ -4,3 +4,8 @@ set -eu
 for node in reisen; do
 	nix eval --json "${NF_CONFIG_ROOT}#lib.generate.$node.users" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/users.json"
 done
+
+for ciconfig in "${NF_CONFIG_FILES[@]}"; do
+	echo "processing ${ciconfig}..." >&2
+	nix run --argstr config "$NF_CONFIG_ROOT/ci/$ciconfig" -f "$NF_INPUT_CI" run.gh-actions-generate
+done
--- a/ci/nix.nix
+++ b/ci/nix.nix
@ -0,0 +1,17 @@
+{
+  ci = {
+    workflowConfigs = [
+      "nodes.nix"
+      "flake-cron.nix"
+    ];
+    nixosSystems = [
+      "hakurei"
+      "reimu"
+      "aya"
+      "tei"
+      "litterbox"
+      "keycloak"
+      "mediabox"
+    ];
+  };
+}
--- a/ci/nodes.nix
+++ b/ci/nodes.nix
@ -9,6 +9,7 @@ with lib; {
  name = "nodes";

  nixpkgs.args.localSystem = "x86_64-linux";
+  nixpkgs.args.config.checkMetaRecursively = false;

  ci = {
    version = "v0.7";
@ -19,13 +20,12 @@ with lib; {
  channels.nixfiles.path = ../.;

  nix.config = {
-    accept-flake-config = true;
    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
  };

  jobs = let
-    enabledHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "mediabox" "ct"];
+    enabledHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "keycloak" "mediabox" "ct"];
  in
    mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: {
      tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel;
--- a/ci/update.sh
+++ b/ci/update.sh
@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ -n ${CACHIX_SIGNING_KEY-} ]]; then
+	export NF_UPDATE_CACHIX_PUSH=1
+fi
+
+cd "$NF_CONFIG_ROOT"
+
+nix flake update "$@"
+
+if [[ -n $(git status --porcelain ./flake.lock) ]]; then
+	git -P diff ./flake.lock
+else
+	echo "no source changes" >&2
+	exit
+fi
+
+echo "checking that nodes still build..." >&2
+if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+	export NF_ACTIONS_TEST_OUTLINK=${NF_ACTIONS_TEST_OUTLINK-result}
+fi
+nf-actions-test
+
+if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+	cachix push gensokyo-infrastructure "./${NF_ACTIONS_TEST_OUTLINK}"*/ &
+	CACHIX_PUSH=$!
+fi
+
+if [[ -z ${NF_UPDATE_GIT_COMMIT-} ]]; then
+	exit
+fi
+
+if [[ -n $(git diff --staged) ]]; then
+	echo "git working tree dirty, refusing to commit..." >&2
+	exit 1
+fi
+
+git add flake.lock
+env \
+	GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch \
+	GIT_{COMMITTER,AUTHOR}_NAME="flake cron job" \
+git commit --message="ci: flake update"
+
+if [[ ${GITHUB_REF-} = refs/heads/${NF_UPDATE_BRANCH-main} ]]; then
+	git push origin HEAD:${NF_UPDATE_BRANCH-main}
+fi
+
+wait ${CACHIX_PUSH-}