feat: maybe move to full github actions jobs instead of tasks

.github/workflows/flake-update.yml

@@ -3,6 +3,7 @@ env:
   CI_ALLOW_ROOT: '1'
   CI_CONFIG: ./ci/flake-cron.nix
   CI_PLATFORM: gh-actions
+  DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
 jobs:
   ci-check:
     name: flake-update check
@@ -45,6 +46,7 @@ jobs:
       uses: arcnmx/ci/actions/nix/install@v0.7
     - env:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
+        DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
         NF_CONFIG_ROOT: ${{ github.workspace }}
         NF_UPDATE_CACHIX_PUSH: '1'
         NF_UPDATE_GIT_COMMIT: '1'

.github/workflows/nodes.yml

@@ -1,7 +1,9 @@
 env:
+  CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
   CI_ALLOW_ROOT: '1'
   CI_CONFIG: ./ci/nodes.nix
   CI_PLATFORM: gh-actions
+  DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
 jobs:
   ci-check:
     name: nodes check
@@ -11,6 +13,7 @@ jobs:
       name: git clone
       uses: actions/checkout@v4
       with:
+        fetch-depth: 0
         submodules: false
     - id: nix-install
       name: nix install
@@ -29,209 +32,61 @@ jobs:
         attrs: nixpkgs.diffutils
         command: diff
   goliath:
-    name: nodes-goliath
+    name: goliath
     runs-on: ubuntu-latest
     steps:
-    - id: checkout
-      name: git clone
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - id: nix-install
-      name: nix install
-      uses: arcnmx/ci/actions/nix/install@v0.7
-    - id: ci-dirty
-      name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.goliath.run.test
-        command: ci-build-dirty
-        quiet: false
-        stdout: ${{ runner.temp }}/ci.build.dirty
-    - id: ci-test
-      name: nix test build
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.goliath.run.test
-        command: ci-build-realise
-        ignore-exit-code: true
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-    - env:
-        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
-      id: ci-summary
-      name: nix test results
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.goliath.run.test
-        command: ci-build-summarise
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-        stdout: ${{ runner.temp }}/ci.build.cache
     - env:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
-      id: ci-cache
+        DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
-      if: always()
+        NF_CONFIG_ROOT: ${{ github.workspace }}
-      name: nix test cache
+        NF_UPDATE_CACHIX_PUSH: '1'
-      uses: arcnmx/ci/actions/nix/run@v0.7
+        NF_UPDATE_GIT_COMMIT: '1'
-      with:
+      id: goliath
-        attrs: ci.job.goliath.run.test
+      name: Build goliath system closure
-        command: ci-build-cache
+      run: nix run .#nf-build-system -- nixosConfigurations.goliath.config.system.build.topLevel
-        quiet: false
+        goliath NixOS
-        stdin: ${{ runner.temp }}/ci.build.cache
   koishi:
-    name: nodes-koishi
+    name: koishi
     runs-on: ubuntu-latest
     steps:
-    - id: checkout
-      name: git clone
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - id: nix-install
-      name: nix install
-      uses: arcnmx/ci/actions/nix/install@v0.7
-    - id: ci-dirty
-      name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.koishi.run.test
-        command: ci-build-dirty
-        quiet: false
-        stdout: ${{ runner.temp }}/ci.build.dirty
-    - id: ci-test
-      name: nix test build
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.koishi.run.test
-        command: ci-build-realise
-        ignore-exit-code: true
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-    - env:
-        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
-      id: ci-summary
-      name: nix test results
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.koishi.run.test
-        command: ci-build-summarise
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-        stdout: ${{ runner.temp }}/ci.build.cache
     - env:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
-      id: ci-cache
+        DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
-      if: always()
+        NF_CONFIG_ROOT: ${{ github.workspace }}
-      name: nix test cache
+        NF_UPDATE_CACHIX_PUSH: '1'
-      uses: arcnmx/ci/actions/nix/run@v0.7
+        NF_UPDATE_GIT_COMMIT: '1'
-      with:
+      id: koishi
-        attrs: ci.job.koishi.run.test
+      name: Build koishi system closure
-        command: ci-build-cache
+      run: nix run .#nf-build-system -- nixosConfigurations.koishi.config.system.build.topLevel
-        quiet: false
+        koishi NixOS
-        stdin: ${{ runner.temp }}/ci.build.cache
   mai:
-    name: nodes-mai
+    name: mai
     runs-on: ubuntu-latest
     steps:
-    - id: checkout
-      name: git clone
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - id: nix-install
-      name: nix install
-      uses: arcnmx/ci/actions/nix/install@v0.7
-    - id: ci-dirty
-      name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.mai.run.test
-        command: ci-build-dirty
-        quiet: false
-        stdout: ${{ runner.temp }}/ci.build.dirty
-    - id: ci-test
-      name: nix test build
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.mai.run.test
-        command: ci-build-realise
-        ignore-exit-code: true
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-    - env:
-        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
-      id: ci-summary
-      name: nix test results
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.mai.run.test
-        command: ci-build-summarise
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-        stdout: ${{ runner.temp }}/ci.build.cache
     - env:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
-      id: ci-cache
+        DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
-      if: always()
+        NF_CONFIG_ROOT: ${{ github.workspace }}
-      name: nix test cache
+        NF_UPDATE_CACHIX_PUSH: '1'
-      uses: arcnmx/ci/actions/nix/run@v0.7
+        NF_UPDATE_GIT_COMMIT: '1'
-      with:
+      id: mai
-        attrs: ci.job.mai.run.test
+      name: Build mai system closure
-        command: ci-build-cache
+      run: nix run .#nf-build-system -- nixosConfigurations.mai.config.system.build.topLevel
-        quiet: false
+        mai NixOS
-        stdin: ${{ runner.temp }}/ci.build.cache
   mei:
-    name: nodes-mei
+    name: mei
     runs-on: ubuntu-latest
     steps:
-    - id: checkout
-      name: git clone
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - id: nix-install
-      name: nix install
-      uses: arcnmx/ci/actions/nix/install@v0.7
-    - id: ci-dirty
-      name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.mei.run.test
-        command: ci-build-dirty
-        quiet: false
-        stdout: ${{ runner.temp }}/ci.build.dirty
-    - id: ci-test
-      name: nix test build
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.mei.run.test
-        command: ci-build-realise
-        ignore-exit-code: true
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-    - env:
-        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
-      id: ci-summary
-      name: nix test results
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.mei.run.test
-        command: ci-build-summarise
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-        stdout: ${{ runner.temp }}/ci.build.cache
     - env:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
-      id: ci-cache
+        DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
-      if: always()
+        NF_CONFIG_ROOT: ${{ github.workspace }}
-      name: nix test cache
+        NF_UPDATE_CACHIX_PUSH: '1'
-      uses: arcnmx/ci/actions/nix/run@v0.7
+        NF_UPDATE_GIT_COMMIT: '1'
-      with:
+      id: mei
-        attrs: ci.job.mei.run.test
+      name: Build mei system closure
-        command: ci-build-cache
+      run: nix run .#nf-build-system -- nixosConfigurations.mei.config.system.build.topLevel
-        quiet: false
+        mei NixOS
-        stdin: ${{ runner.temp }}/ci.build.cache
   packages:
     name: nodes-packages
     runs-on: ubuntu-latest
@@ -240,6 +95,7 @@ jobs:
       name: git clone
       uses: actions/checkout@v4
       with:
+        fetch-depth: 0
         submodules: false
     - id: nix-install
       name: nix install
@@ -284,57 +140,25 @@ jobs:
         quiet: false
         stdin: ${{ runner.temp }}/ci.build.cache
   yukari:
-    name: nodes-yukari
+    name: yukari
     runs-on: ubuntu-latest
     steps:
-    - id: checkout
-      name: git clone
-      uses: actions/checkout@v4
-      with:
-        submodules: false
-    - id: nix-install
-      name: nix install
-      uses: arcnmx/ci/actions/nix/install@v0.7
-    - id: ci-dirty
-      name: nix test dirty
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.yukari.run.test
-        command: ci-build-dirty
-        quiet: false
-        stdout: ${{ runner.temp }}/ci.build.dirty
-    - id: ci-test
-      name: nix test build
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.yukari.run.test
-        command: ci-build-realise
-        ignore-exit-code: true
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-    - env:
-        CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
-      id: ci-summary
-      name: nix test results
-      uses: arcnmx/ci/actions/nix/run@v0.7
-      with:
-        attrs: ci.job.yukari.run.test
-        command: ci-build-summarise
-        quiet: false
-        stdin: ${{ runner.temp }}/ci.build.dirty
-        stdout: ${{ runner.temp }}/ci.build.cache
     - env:
         CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
-      id: ci-cache
+        DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }}
-      if: always()
+        NF_CONFIG_ROOT: ${{ github.workspace }}
-      name: nix test cache
+        NF_UPDATE_CACHIX_PUSH: '1'
-      uses: arcnmx/ci/actions/nix/run@v0.7
+        NF_UPDATE_GIT_COMMIT: '1'
-      with:
+      id: yukari
-        attrs: ci.job.yukari.run.test
+      name: Build yukari system closure
-        command: ci-build-cache
+      run: nix run .#nf-build-system -- nixosConfigurations.yukari.config.system.build.topLevel
-        quiet: false
+        yukari NixOS
-        stdin: ${{ runner.temp }}/ci.build.cache
 name: nodes
 'on':
-- push
+  pull_request:
-- pull_request
+    paths:
+    - '*'
+  push:
+    paths:
+    - '*'
+  workflow_dispatch: {}

ci/nodes.nix

@@ -9,11 +9,34 @@ with lib; {
   imports = [ ./common.nix ];
   config = {
     name = "nodes";
+    gh-actions = {
+      env = {
+          CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";
+          DISCORD_WEBHOOK_LINK = "\${{ secrets.DISCORD_WEBHOOK_LINK }}";
+      };
+      on = let
+        paths = [
+          "*"
+/*
+          "default.nix"
+          "ci/.nix"
+          config.ci.gh-actions.path
+*/
+        ];
+      in {
+        push = {
+          inherit paths;
+        };
+        pull_request = {
+          inherit paths;
+        };
+        workflow_dispatch = {};
+      };
 
     jobs = let
       enabledNixOSSystems = filterAttrs (_: system: system.config.ci.enable) channels.nixfiles.systems;
       mkNixOSSystemJob = name: system: nameValuePair "${name}" {
-        step.build-system-wrapper = {
+        step.${name} = {
           name = "Build ${name} system closure";
           order = 500;
           run = "nix run .#nf-build-system -- nixosConfigurations.${name}.config.system.build.topLevel ${name} NixOS";
@@ -25,18 +48,18 @@ with lib; {
             NF_CONFIG_ROOT = "\${{ github.workspace }}";
           };
         };
-        tasks = {
-            system = {
-              inputs = channels.nixfiles.nixosConfigurations.${name}.config.system.build.toplevel;
-              warn = system.config.ci.allowFailure;
-            };
-        };
       };
       nixOSSystemJobs = mapAttrs' mkNixOSSystemJob enabledNixOSSystems;
-    in {
+    in nixOSSystemJobs;
+  };
+    jobs = {
       packages = { ... }: {
         imports = [ ./packages.nix ];
       };
-    } // nixOSSystemJobs;
+    };
+
+    ci.gh-actions.checkoutOptions = {
+      fetch-depth = 0;
+    };
   };
 }

packages/nf-build-system/default.nix

@@ -7,6 +7,7 @@ wrapShellScriptBin "nf-build-system" ./build-system.sh {
     git
     cachix
     jq
+    nix
     curl
   ];
 }

shells/repo.nix

@@ -11,7 +11,9 @@ with pkgs; let
   repoShell = mkShell {
     nativeBuildInputs =
       [
+        nf-build-system
         nf-update
+        nix
         fd # fd, better fine!
         ripgrep # rg, better grep!
         sops