Merge pull request #615 from elopez/fix-release-build

Release workflow improvements
ethereum · Dec 12, 2024 · 502b77c · 502b77c
2 parents 2583457 + 8124c67
commit 502b77c
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 29 deletions.
diff --git a/.github/workflows/bitwuzla-windows.yml b/.github/workflows/bitwuzla-windows.yml
@@ -40,6 +40,7 @@ jobs:
           ref: ${{ env.BITWUZLA_VERSION }}
           path: bitwuzla
           submodules: "recursive"
+          persist-credentials: false
 
       - name: Wrap
         if: steps.cache-bitwuzla.outputs.cache-hit != 'true'

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -28,6 +28,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: build hevm
@@ -49,6 +51,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       # cabal complains if we don't do this...
@@ -74,6 +78,8 @@ jobs:
         shell: msys2 {0}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: foundry-rs/foundry-toolchain@v1
         with:
           # Pinning to a version in June 2024, so in case a build fails, our CI doesn't fail
@@ -181,17 +187,20 @@ jobs:
           repository: ethereum/solidity
           ref: 8a97fa7a1db1ec509221ead6fea6802c684ee887
           path: ethereum-solidity
+          persist-credentials: false
 
       - uses: actions/checkout@v4
         with:
           repository: ethereum/tests
           ref: v13
           path: ethereum-tests
+          persist-credentials: false
 
       - uses: actions/checkout@v4
         with:
           repository: foundry-rs/forge-std
           path: forge-std
+          persist-credentials: false
 
       - name: download bitwuzla
         uses: actions/download-artifact@v4
@@ -241,6 +250,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: run cabal check

diff --git a/.github/workflows/check-dependencies.yml b/.github/workflows/check-dependencies.yml
@@ -13,6 +13,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: lookup nix versions
@@ -34,15 +36,22 @@ jobs:
           { echo "libff=$LIBFF_REV"; echo "libsecp256k1=$LIBSECP256K1_REV"; echo "bitwuzla=$BITWUZLA_REV"; } >> "$GITHUB_OUTPUT"
       - name: compare versions
         run: |
-          if [ "${{ steps.nixpkgs.outputs.libff }}" != "${{ steps.local.outputs.libff }}" ]; then
-            echo "libff versions do not match! nix=${{ steps.nixpkgs.outputs.libff }} local=${{ steps.local.outputs.libff }}"
+          if [ "$LIBFF_NIXPKGS" != "$LIBFF_LOCAL" ]; then
+            echo "libff versions do not match! nix=$LIBFF_NIXPKGS local=$LIBFF_LOCAL"
             exit 1
           fi
-          if [ "${{ steps.nixpkgs.outputs.libsecp256k1 }}" != "${{ steps.local.outputs.libsecp256k1 }}" ]; then
-            echo "libsecp256k1 versions do not match! nix=${{ steps.nixpkgs.outputs.libsecp256k1 }} local=${{ steps.local.outputs.libsecp256k1 }}"
+          if [ "$LIBSECP256K1_NIXPKGS" != "$LIBSECP256K1_LOCAL" ]; then
+            echo "libsecp256k1 versions do not match! nix=$LIBSECP256K1_NIXPKGS local=$LIBSECP256K1_LOCAL"
             exit 1
           fi
-          if [ "${{ steps.nixpkgs.outputs.bitwuzla }}" != "${{ steps.local.outputs.bitwuzla }}" ]; then
-            echo "bitwuzla versions do not match! nix=${{ steps.nixpkgs.outputs.bitwuzla }} local=${{ steps.local.outputs.bitwuzla }}"
+          if [ "$BITWUZLA_NIXPKGS" != "$BITWUZLA_LOCAL" ]; then
+            echo "bitwuzla versions do not match! nix=$BITWUZLA_NIXPKGS local=$BITWUZLA_LOCAL"
             exit 1
           fi
+        env:
+          LIBFF_NIXPKGS: ${{ steps.nixpkgs.outputs.libff }}
+          LIBFF_LOCAL: ${{ steps.local.outputs.libff }}
+          LIBSECP256K1_NIXPKGS: ${{ steps.nixpkgs.outputs.libsecp256k1 }}
+          LIBSECP256K1_LOCAL: ${{ steps.local.outputs.libsecp256k1 }}
+          BITWUZLA_NIXPKGS: ${{ steps.nixpkgs.outputs.bitwuzla }}
+          BITWUZLA_LOCAL: ${{ steps.local.outputs.bitwuzla }}
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -9,6 +9,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,8 @@
 name: "Release"
 on:
+  workflow_dispatch:
+  schedule:
+    - cron: '30 5 * * 1' # At 05:30 AM, only on Monday
   push:
     tags:
       - 'release/[0-9]+.[0-9]+.[0-9]+'
@@ -22,6 +25,8 @@ jobs:
     runs-on: ${{ matrix.os  }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: build hevm
@@ -37,14 +42,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: download binaries
         uses: actions/download-artifact@v4
         with:
           merge-multiple: true
       - name: create github release & upload binaries
-        uses: softprops/[email protected]
+        uses: softprops/[email protected]
+        # scheduled/manual runs should not create a release
+        if: github.event_name == 'push'
         with:
           fail_on_unmatched_files: true
           files: |
@@ -53,10 +62,14 @@ jobs:
             ./hevm-arm64-macos
       - name: prepare hackage artifacts
         run: |
-          nix-shell --command "cabal sdist --builddir=${{ runner.temp }}/packages"
-          nix-shell --command "cabal haddock lib:hevm --builddir=${{ runner.temp }}/docs --haddock-for-hackage --haddock-option=--hyperlinked-source"
+          # cabal complains if we don't do this...
+          nix develop --command bash -c "cabal update"
+          nix develop --command bash -c "cabal sdist --builddir='$RUNNER_TEMP/packages'"
+          nix develop --command bash -c "cabal haddock lib:hevm --builddir='$RUNNER_TEMP/docs' --haddock-for-hackage --haddock-option=--hyperlinked-source"
       - name: publish to hackage
         uses: haskell-actions/hackage-publish@v1
+        # scheduled/manual runs should not publish anything
+        if: github.event_name == 'push'
         with:
           hackageToken: ${{ secrets.HACKAGE_AUTH_TOKEN }}
           packagesPath: ${{ runner.temp }}/packages/sdist

diff --git a/default.nix b/default.nix
diff --git a/shell.nix b/shell.nix