From 5da8bd22217d741e124aa8aa9d2065832949f765 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Mon, 17 May 2021 06:43:47 +0100
Subject: [PATCH] ci: Moved niv-cron from trusted.
---
 .github/workflows/niv-update.yml | 92 ++++++++++++++++++++++++++++++++
 ci/niv-cron.nix | 62 +++++++++++++++++++++
 shell.nix | 8 +--
 3 files changed, 158 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/niv-update.yml
 create mode 100644 ci/niv-cron.nix
diff --git a/.github/workflows/niv-update.yml b/.github/workflows/niv-update.yml
new file mode 100644
index 00000000..611257c3
--- /dev/null
+++ b/.github/workflows/niv-update.yml
@@ -0,0 +1,92 @@
+env:
+ CI_ALLOW_ROOT: '1'
+ CI_CONFIG: ./ci/niv-cron.nix
+ CI_PLATFORM: gh-actions
+ OPENSSH_PRIVATE_KEY: ${{ secrets.OPENSSH_PRIVATE_KEY }}
+jobs:
+ ci-check:
+ name: niv-update check
+ runs-on: ubuntu-latest
+ steps:
+ - id: checkout
+ name: git clone
+ uses: actions/checkout@v1
+ with:
+ submodules: false
+ - id: nix-install
+ name: nix install
+ uses: arcnmx/ci/actions/nix/install@master
+ - id: ci-action-build
+ name: nix build ci.gh-actions.configFile
+ uses: arcnmx/ci/actions/nix/build@master
+ with:
+ attrs: ci.gh-actions.configFile
+ out-link: .ci/workflow.yml
+ - id: ci-action-compare
+ name: gh-actions compare
+ uses: arcnmx/ci/actions/nix/run@master
+ with:
+ args: -u .github/workflows/niv-update.yml .ci/workflow.yml
+ attrs: nixpkgs.diffutils
+ command: diff
+ niv-update:
+ name: niv-update
+ runs-on: ubuntu-latest
+ steps:
+ - id: checkout
+ name: git clone
+ uses: actions/checkout@v1
+ with:
+ submodules: false
+ - id: nix-install
+ name: nix install
+ uses: arcnmx/ci/actions/nix/install@master
+ - id: ci-setup
+ name: nix setup
+ uses: arcnmx/ci/actions/nix/run@master
+ with:
+ attrs: ci.job.niv-update.run.bootstrap
+ quiet: false
+ - id: ci-dirty
+ name: nix test dirty
+ uses: arcnmx/ci/actions/nix/run@master
+ with:
+ attrs: ci.job.niv-update.run.test
+ command: ci-build-dirty
+ quiet: false
+ stdout: ${{ runner.temp }}/ci.build.dirty
+ - id: ci-test
+ name: nix test build
+ uses: arcnmx/ci/actions/nix/run@master
+ with:
+ attrs: ci.job.niv-update.run.test
+ command: ci-build-realise
+ ignore-exit-code: true
+ quiet: false
+ stdin: ${{ runner.temp }}/ci.build.dirty
+ - env:
+ CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
+ id: ci-summary
+ name: nix test results
+ uses: arcnmx/ci/actions/nix/run@master
+ with:
+ attrs: ci.job.niv-update.run.test
+ command: ci-build-summarise
+ quiet: false
+ stdin: ${{ runner.temp }}/ci.build.dirty
+ stdout: ${{ runner.temp }}/ci.build.cache
+ - env:
+ CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+ id: ci-cache
+ if: always()
+ name: nix test cache
+ uses: arcnmx/ci/actions/nix/run@master
+ with:
+ attrs: ci.job.niv-update.run.test
+ command: ci-build-cache
+ quiet: false
+ stdin: ${{ runner.temp }}/ci.build.cache
+name: niv-update
+'on':
+ schedule:
+ - cron: 0 0 * * *
diff --git a/ci/niv-cron.nix b/ci/niv-cron.nix
new file mode 100644
index 00000000..6c92c210
--- /dev/null
+++ b/ci/niv-cron.nix
@@ -0,0 +1,62 @@
+{ lib, channels, ... }:
+with lib; {
+ name = "niv-update";
+ ci.gh-actions.enable = true;
+ ci.gh-actions.export = true;
+
+ gh-actions.env.OPENSSH_PRIVATE_KEY = "\${{ secrets.OPENSSH_PRIVATE_KEY }}";
+
+ gh-actions = {
+ on = {
+ schedule = [ {
+ cron = "0 0 * * *";
+ } ];
+ };
+ };
+
+ jobs.niv-update = {
+ tasks.niv-build.inputs = with channels.cipkgs;
+ ci.command {
+ name = "niv-update-build";
+ displayName = "niv update build";
+ nativeBuildInputs = [ nix ];
+ environment = [ "OPENSSH_PRIVATE_KEY" ];
+ command = ''
+ mkdir ~/.ssh
+ echo "$OPENSSH_PRIVATE_KEY" > ~/.ssh/id_rsa
+ chmod 0600 ~/.ssh/id_rsa
+ GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" git clone ssh://gitea@git.kittywit.ch:62954/kat/nixfiles.git
+ rmdir nixfiles/trusted
+ ln -s $PWD nixfiles/trusted
+ cd nixfiles
+ nix run -f . pkgs.niv -c niv update
+ if git status --porcelain | grep -qF nix/sources.json ; then
+ if nix build -Lf . hosts.{athame,yule,samhain}.config.system.build.toplevel; then
+ git add nix/sources.json
+ export GIT_{COMMITTER,AUTHOR}_EMAIL=kat@kittywit.ch
+ export GIT_{COMMITTER,AUTHOR}_NAME=kat witch
+ git commit --message="ci-trusted: niv update"
+ GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" git push
+ fi
+ fi
+ '';
+ impure = true;
+ };
+ };
+
+ ci.gh-actions.checkoutOptions.submodules = false;
+
+ cache.cachix = {
+ arc = {
+ enable = true;
+ publicKey = "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=";
+ signingKey = null;
+ };
+ kittywitch = {
+ enable = true;
+ publicKey =
+ "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=";
+ signingKey = "mewp";
+ };
+ };
+}
diff --git a/shell.nix b/shell.nix
index 8e94f63c..342a8e6b 100644
--- a/shell.nix
+++ b/shell.nix
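Review bot: The clone and the push in the `command` script both pass `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so the deploy key authenticates to whatever answers on git.kittywit.ch:62954 and the `nix/sources.json` update is built from, and pushed to, an unverified peer; pin the server's host key in `~/.ssh/known_hosts` (recorded once from a trusted machine) and let ssh verify it. The key material is also written by `echo "$OPENSSH_PRIVATE_KEY" > ~/.ssh/id_rsa` under the runner's default umask before the `chmod 0600` on the next line, so create the directory and file with the final mode from the start, e.g. `mkdir -m 0700 ~/.ssh` and `(umask 077; printf '%s\n' "$OPENSSH_PRIVATE_KEY" > ~/.ssh/id_rsa)`. Separately, `export GIT_{COMMITTER,AUTHOR}_NAME=kat witch` is unquoted, so the shell exports `GIT_COMMITTER_NAME=kat` plus a bare `witch`; quote it as `"kat witch"`. `gh-actions.env.OPENSSH_PRIVATE_KEY` places the secret in the workflow-level env, and the generated niv-update.yml in this commit shows it reaching every step of both jobs, including ci-check and the third-party `arcnmx/ci/...@master` actions; if the ci framework allows it, scope the variable to the niv-build task instead.
```nix
      command = ''
        mkdir -m 0700 ~/.ssh
        (umask 077; printf '%s\n' "$OPENSSH_PRIVATE_KEY" > ~/.ssh/id_rsa)
        # <HOST_KEY_LINE> is a placeholder for the pinned entry "[git.kittywit.ch]:62954 <KEY_TYPE> <BASE64_KEY>", recorded once from a trusted machine
        printf '%s\n' '<HOST_KEY_LINE>' > ~/.ssh/known_hosts
        GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes" git clone ssh://gitea@git.kittywit.ch:62954/kat/nixfiles.git
        # … unchanged: rmdir, ln -s, cd, niv update, build check, git add, email export …
            export GIT_{COMMITTER,AUTHOR}_NAME="kat witch"
            git commit --message="ci-trusted: niv update"
            GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=yes" git push
        # … unchanged: closing fi; fi …
      '';
```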
@@ -6,14 +6,14 @@
 export START_DIR="$PWD"
 cd ${toString ./.}
 export NF_CONFIG_ROOT=${toString ./.}/ci
- NF_CONFIG_FILES=($NF_CONFIG_ROOT/hosts.nix)
+ NF_CONFIG_FILES=($NF_CONFIG_ROOT/{hosts,niv-cron}.nix)
 for f in "''${NF_CONFIG_FILES[@]}"; do
 echo $f
 nix run --arg config $f ci.run.gh-actions-generate
 done
 cd ${toString ./trusted}
 export TRUSTED_CONFIG_ROOT=${toString ./trusted}/ci
- TRUSTED_CONFIG_FILES=($TRUSTED_CONFIG_ROOT/{hosts,niv-cron}.nix)
+ TRUSTED_CONFIG_FILES=($TRUSTED_CONFIG_ROOT/hosts.nix)
 for f in "''${TRUSTED_CONFIG_FILES[@]}"; do
 echo $f
 nix run --arg config $f ci.run.gh-actions-generate
@@ -24,14 +24,14 @@
 export START_DIR="$PWD"
 cd ${toString ./.}
 export NF_CONFIG_ROOT=${toString ./.}/ci
- NF_CONFIG_FILES=($NF_CONFIG_ROOT/hosts.nix)
+ NF_CONFIG_FILES=($NF_CONFIG_ROOT/{hosts,niv-cron}.nix)
 for f in "''${NF_CONFIG_FILES[@]}"; do
 echo $f
 nix run --arg config $f ci.test
 done
 cd ${toString ./trusted}
 export TRUSTED_CONFIG_ROOT=${toString ./trusted}/ci
- TRUSTED_CONFIG_FILES=($TRUSTED_CONFIG_ROOT/{hosts,niv-cron}.nix)
+ TRUSTED_CONFIG_FILES=($TRUSTED_CONFIG_ROOT/hosts.nix)
 for f in "''${TRUSTED_CONFIG_FILES[@]}"; do
 echo $f
 nix run --arg config $f ci.test
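Review bot: Both hunks of shell.nix make the same two-line edit to loops that are identical except for the target (`ci.run.gh-actions-generate` in the first hunk, `ci.test` in the second), so the two file lists now have to be kept in step by hand in two places; a helper taking the target, e.g. `run_ci() { target=$1; shift; for f in "$@"; do echo "$f"; nix run --arg config "$f" "$target"; done; }` defined once in the enclosing shell string, would let each stanza collapse to a single call and make the next list change a one-line edit. The `$f` in `nix run --arg config $f` is unquoted in all four loops; `"$f"` costs nothing and survives a path containing spaces. The enclosing shell string (presumably a shellHook) starts and ends outside both hunks.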