feat(ci): unify nf-update command for actions use

2026-02-09 04:19:19 -08:00 · 2024-03-16 13:09:20 -07:00 · 2024-03-16 13:09:20 -07:00 · 567022fa5a
commit 567022fa5a
parent f5ab8f6672
10 changed files with 204 additions and 67 deletions
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@ -43,6 +43,14 @@ jobs:
    - id: nix-install
      name: nix install
      uses: arcnmx/ci/actions/nix/install@v0.7
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+        NF_CONFIG_ROOT: ${{ github.workspace }}
+        NF_UPDATE_CACHIX_PUSH: '1'
+        NF_UPDATE_GIT_COMMIT: '1'
+      id: flake-update
+      name: flake update build
+      run: nix run .#nf-update
    - id: ci-dirty
      name: nix test dirty
      uses: arcnmx/ci/actions/nix/run@v0.7
--- a/.github/workflows/nodes.yml
+++ b/.github/workflows/nodes.yml
@ -181,6 +181,57 @@ jobs:
        command: ci-build-cache
        quiet: false
        stdin: ${{ runner.temp }}/ci.build.cache
+  keycloak:
+    name: nodes-keycloak
+    runs-on: ubuntu-latest
+    steps:
+    - id: checkout
+      name: git clone
+      uses: actions/checkout@v4
+      with:
+        submodules: false
+    - id: nix-install
+      name: nix install
+      uses: arcnmx/ci/actions/nix/install@v0.7
+    - id: ci-dirty
+      name: nix test dirty
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.keycloak.run.test
+        command: ci-build-dirty
+        quiet: false
+        stdout: ${{ runner.temp }}/ci.build.dirty
+    - id: ci-test
+      name: nix test build
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.keycloak.run.test
+        command: ci-build-realise
+        ignore-exit-code: true
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+    - env:
+        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+      id: ci-summary
+      name: nix test results
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.keycloak.run.test
+        command: ci-build-summarise
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.dirty
+        stdout: ${{ runner.temp }}/ci.build.cache
+    - env:
+        CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+      id: ci-cache
+      if: always()
+      name: nix test cache
+      uses: arcnmx/ci/actions/nix/run@v0.7
+      with:
+        attrs: ci.job.keycloak.run.test
+        command: ci-build-cache
+        quiet: false
+        stdin: ${{ runner.temp }}/ci.build.cache
  litterbox:
    name: nodes-litterbox
    runs-on: ubuntu-latest
--- a/ci/actions-test.sh
+++ b/ci/actions-test.sh
@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ ${GITHUB_ACTIONS-} = true && ${RUNNER_NAME-} = "Github Actions"* ]]; then
+	# low disk space available on public runners...
+	echo "enabled GC between builds due to restricted disk space..." >&2
+	export NF_ACTIONS_TEST_GC=1
+fi
+
+NIX_BUILD_ARGS=(
+	--show-trace
+)
+
+for nfsystem in "${NF_NIX_SYSTEMS[@]}"; do
+	nfargs=(
+		"${NIX_BUILD_ARGS[@]}"
+	)
+	if [[ -n "${NF_ACTIONS_TEST_OUTLINK-}" || -n "${NF_UPDATE_CACHIX_PUSH-}" ]]; then
+		nfargs+=(
+			-o "${NF_ACTIONS_TEST_OUTLINK-result}-$nfsystem"
+		)
+	else
+		nfargs+=(
+			--no-link
+		)
+	fi
+
+	echo "building ${nfsystem}..." >&2
+
+	nix build \
+		"${NF_CONFIG_ROOT}#nixosConfigurations.${nfsystem}.config.system.build.toplevel" \
+		"${nfargs[@]}" \
+		"$@"
+
+	if [[ -n "${NF_ACTIONS_TEST_GC-}" ]]; then
+		if [[ -n "${NF_UPDATE_CACHIX_PUSH-}" ]]; then
+			cachix push gensokyo-infrastructure "./${NF_ACTIONS_TEST_OUTLINK-result}-$nfsystem"*/
+			rm -f "./${NF_ACTIONS_TEST_OUTLINK-result}-$nfsystem"*
+		fi
+		nix-collect-garbage -d
+	fi
+done
--- a/ci/flake-cron.nix
+++ b/ci/flake-cron.nix
@ -10,6 +10,7 @@ in {
  name = "flake-update";

  nixpkgs.args.localSystem = "x86_64-linux";
+  nixpkgs.args.config.checkMetaRecursively = false;

  ci = {
    version = "v0.7";
@ -21,7 +22,6 @@ in {
  gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";

  nix.config = {
-    accept-flake-config = true;
    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
  };
@ -47,6 +47,20 @@ in {
      ];
      workflow_dispatch = {};
    };
+    jobs.flake-update = {
+      # TODO: split this up into two phases, then push at the end so other CI tests can run first
+      step.flake-update = {
+        name = "flake update build";
+        order = 500;
+        run = "nix run .#nf-update";
+        env = {
+          CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+          NF_UPDATE_GIT_COMMIT = "1";
+          NF_UPDATE_CACHIX_PUSH = "1";
+          NF_CONFIG_ROOT = "\${{ github.workspace }}";
+        };
+      };
+    };
  };

  channels = {
@ -55,50 +69,6 @@ in {
  };

  jobs.flake-update = {
-    tasks.flake-build.inputs = with channels.cipkgs;
-      ci.command {
-        name = "flake-update-build";
-        allowSubstitutes = false;
-        cache = {
-          enable = false;
-        };
-        displayName = "flake update build";
-        environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"];
-        command = let
-          filteredHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "mediabox"];
-          gcBetweenHosts = false;
-          nodeBuildString = concatMapStringsSep " && " (node: "nix build --show-trace -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts;
-          hostPath = builtins.getEnv "PATH";
-        in ''
-          # ${toString builtins.currentTime}
-          export PATH="${hostPath}:$PATH"
-          export NIX_CONFIG="$(printf '%s\naccept-flake-config = true\n' "''${NIX_CONFIG-}")"
-          nix flake update
-
-          if git status --porcelain | grep -qF flake.lock; then
-            git -P diff flake.lock
-            echo "checking that nodes still build..." >&2
-            if ${nodeBuildString}; then
-              if [[ -n $CACHIX_SIGNING_KEY ]]; then
-                cachix push gensokyo-infrastructure result*/ &
-                CACHIX_PUSH=$!
-              fi
-              git add flake.lock
-              export GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch
-              export GIT_{COMMITTER,AUTHOR}_NAME="flake cron job"
-              git commit --message="ci: flake update"
-              if [[ $GITHUB_REF = refs/heads/${gitBranch} ]]; then
-                git push origin HEAD:${gitBranch}
-              fi
-
-              wait ''${CACHIX_PUSH-}
-            fi
-          else
-            echo "no source changes" >&2
-          fi
-        '';
-        impure = true;
-      };
  };

  ci.gh-actions.checkoutOptions = {
--- a/ci/generate.sh
+++ b/ci/generate.sh
@ -4,3 +4,8 @@ set -eu
 for node in reisen; do
 	nix eval --json "${NF_CONFIG_ROOT}#lib.generate.$node.users" | jq -M . > "$NF_CONFIG_ROOT/systems/$node/users.json"
 done
+
+for ciconfig in "${NF_CONFIG_FILES[@]}"; do
+	echo "processing ${ciconfig}..." >&2
+	nix run --argstr config "$NF_CONFIG_ROOT/ci/$ciconfig" -f "$NF_INPUT_CI" run.gh-actions-generate
+done
--- a/ci/nix.nix
+++ b/ci/nix.nix
@ -0,0 +1,17 @@
+{
+  ci = {
+    workflowConfigs = [
+      "nodes.nix"
+      "flake-cron.nix"
+    ];
+    nixosSystems = [
+      "hakurei"
+      "reimu"
+      "aya"
+      "tei"
+      "litterbox"
+      "keycloak"
+      "mediabox"
+    ];
+  };
+}
--- a/ci/nodes.nix
+++ b/ci/nodes.nix
@ -9,6 +9,7 @@ with lib; {
  name = "nodes";

  nixpkgs.args.localSystem = "x86_64-linux";
+  nixpkgs.args.config.checkMetaRecursively = false;

  ci = {
    version = "v0.7";
@ -19,13 +20,12 @@ with lib; {
  channels.nixfiles.path = ../.;

  nix.config = {
-    accept-flake-config = true;
    extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"];
    #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"];
  };

  jobs = let
-    enabledHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "mediabox" "ct"];
+    enabledHosts = ["hakurei" "reimu" "aya" "tei" "litterbox" "keycloak" "mediabox" "ct"];
  in
    mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: {
      tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel;
--- a/ci/update.sh
+++ b/ci/update.sh
@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -eu
+
+if [[ -n ${CACHIX_SIGNING_KEY-} ]]; then
+	export NF_UPDATE_CACHIX_PUSH=1
+fi
+
+cd "$NF_CONFIG_ROOT"
+
+nix flake update "$@"
+
+if [[ -n $(git status --porcelain ./flake.lock) ]]; then
+	git -P diff ./flake.lock
+else
+	echo "no source changes" >&2
+	exit
+fi
+
+echo "checking that nodes still build..." >&2
+if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+	export NF_ACTIONS_TEST_OUTLINK=${NF_ACTIONS_TEST_OUTLINK-result}
+fi
+nf-actions-test
+
+if [[ -n ${NF_UPDATE_CACHIX_PUSH-} ]]; then
+	cachix push gensokyo-infrastructure "./${NF_ACTIONS_TEST_OUTLINK}"*/ &
+	CACHIX_PUSH=$!
+fi
+
+if [[ -z ${NF_UPDATE_GIT_COMMIT-} ]]; then
+	exit
+fi
+
+if [[ -n $(git diff --staged) ]]; then
+	echo "git working tree dirty, refusing to commit..." >&2
+	exit 1
+fi
+
+git add flake.lock
+env \
+	GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch \
+	GIT_{COMMITTER,AUTHOR}_NAME="flake cron job" \
+git commit --message="ci: flake update"
+
+if [[ ${GITHUB_REF-} = refs/heads/${NF_UPDATE_BRANCH-main} ]]; then
+	git push origin HEAD:${NF_UPDATE_BRANCH-main}
+fi
+
+wait ${CACHIX_PUSH-}
--- a/devShells.nix
+++ b/devShells.nix
@ -23,23 +23,6 @@
      ${optionalString (subdir != null) ''cd "$NF_CONFIG_ROOT${subdir}"''}
      exec nix ${subcommand} ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#${attr}" ${exeArg} "$@"
    '';
-  nf-actions = pkgs.writeShellScriptBin "nf-actions" ''
-    NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix)
-    for f in "''${NF_CONFIG_FILES[@]}"; do
-      echo $f
-      nix run --argstr config "$f" -f '${inputs.ci}' run.gh-actions-generate
-    done
-  '';
-  nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
-    set -eu
-    for host in hakurei reimu aya tei litterbox mediabox ct; do
-      echo testing $host...
-      nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test
-    done
-  '';
-  nf-update = pkgs.writeShellScriptBin "nf-update" ''
-    exec nix flake update "$@"
-  '';
  nf-tf = pkgs.writeShellScriptBin "nf-tf" ''
    cd "$NF_CONFIG_ROOT/tf"
    if [[ $# -eq 0 ]]; then
@ -52,10 +35,9 @@
    nativeBuildInputs = with pkgs; [
      inetutils
      sops
-      nf-actions
-      nf-actions-test
-      nf-update
      nf-tf
+      (mkWrapper {name = "nf-update";})
+      (mkWrapper {name = "nf-actions-test";})
      (mkWrapper {name = "nf-docs";})
      (mkWrapper {name = "nf-generate";})
      (mkWrapper {name = "nf-setup-node";})
--- a/packages/default.nix
+++ b/packages/default.nix
@ -8,6 +8,7 @@
  packages = inputs.self.packages.${system};
  inherit (inputs.self.legacyPackages.${system}) pkgs;
  fmt = import ../ci/fmt.nix;
+  inherit (import ../ci/nix.nix) ci;
  exports = ''
    export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ../.}}
  '';
@ -65,6 +66,16 @@
        )
        source ${../ci/setup.sh}
      '';
+    nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" ''
+      ${exports}
+      NF_NIX_SYSTEMS=(${string.concatMapSep " " string.escapeShellArg ci.nixosSystems})
+      source ${../ci/actions-test.sh}
+    '';
+    nf-update = pkgs.writeShellScriptBin "nf-update" ''
+      ${exports}
+      export PATH="${makeBinPath [packages.nf-actions-test pkgs.cachix]}:$PATH"
+      source ${../ci/update.sh}
+    '';
    nf-hostname = pkgs.writeShellScriptBin "nf-hostname" ''
      ${exports}
      source ${../ci/hostname.sh}
@ -101,6 +112,8 @@
    nf-generate = pkgs.writeShellScriptBin "nf-generate" ''
      ${exports}
      export PATH="$PATH:${makeBinPath [pkgs.jq]}"
+      NF_INPUT_CI=${string.escapeShellArg inputs.ci}
+      NF_CONFIG_FILES=(${string.concatMapSep " " string.escapeShellArg ci.workflowConfigs})
      source ${../ci/generate.sh}
    '';
    nf-statix = pkgs.writeShellScriptBin "nf-statix" ''