diff --git a/.github/workflows/bitwuzla-windows.yml b/.github/workflows/bitwuzla-windows.yml
index 70f5c77c8..37b5d2b94 100644
--- a/.github/workflows/bitwuzla-windows.yml
+++ b/.github/workflows/bitwuzla-windows.yml
@@ -40,6 +40,7 @@ jobs: ref: ${{ env.BITWUZLA_VERSION }} path: bitwuzla submodules: "recursive" + persist-credentials: false - name: Wrap if: steps.cache-bitwuzla.outputs.cache-hit != 'true'
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 78fb3f491..e143b39cc 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,6 +28,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - name: build hevm
@@ -49,6 +51,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main # cabal complains if we don't do this...
@@ -74,6 +78,8 @@ jobs: shell: msys2 {0} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: foundry-rs/foundry-toolchain@v1 with: # Pinning to a version in June 2024, so in case a build fails, our CI doesn't fail
@@ -181,17 +187,20 @@ jobs: repository: ethereum/solidity ref: 8a97fa7a1db1ec509221ead6fea6802c684ee887 path: ethereum-solidity + persist-credentials: false - uses: actions/checkout@v4 with: repository: ethereum/tests ref: v13 path: ethereum-tests + persist-credentials: false - uses: actions/checkout@v4 with: repository: foundry-rs/forge-std path: forge-std + persist-credentials: false - name: download bitwuzla uses: actions/download-artifact@v4
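Review bot: The steps directly after the hardened checkout in the `@@ -28` hunk of build.yml still reference `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/magic-nix-cache-action@main`, a mutable branch, so whatever sits at the tip of `main` runs inside the job on every build. Those are unchanged context lines, but since this change reads as a workflow-hardening pass they are worth pinning to a full commit, e.g. `- uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # <release tag>`. The same pair appears in the `@@ -49` and `@@ -241` hunks of build.yml and in the checkout hunks of check-dependencies.yml, publish-docs.yml and release.yml (`@@ -22`, `@@ -37`).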
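Review bot: The `foundry-rs/forge-std` checkout at the end of the `@@ -181` hunk of build.yml has no `ref:`, so it takes the default-branch head on each run, while `ethereum/solidity` above it is pinned to a commit and `ethereum/tests` to the tag `v13`. Adding `ref: <forge-std-commit-sha>` next to the new `persist-credentials: false` line would make the test inputs reproducible and keep an upstream push from silently changing what this job consumes. The step list continues outside the hunk.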
@@ -241,6 +250,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - name: run cabal check
diff --git a/.github/workflows/check-dependencies.yml b/.github/workflows/check-dependencies.yml
index 36215d978..4e97cc42a 100644
--- a/.github/workflows/check-dependencies.yml
+++ b/.github/workflows/check-dependencies.yml
@@ -13,6 +13,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - name: lookup nix versions
@@ -34,15 +36,22 @@ jobs: { echo "libff=$LIBFF_REV"; echo "libsecp256k1=$LIBSECP256K1_REV"; echo "bitwuzla=$BITWUZLA_REV"; } >> "$GITHUB_OUTPUT" - name: compare versions run: | - if [ "${{ steps.nixpkgs.outputs.libff }}" != "${{ steps.local.outputs.libff }}" ]; then - echo "libff versions do not match! nix=${{ steps.nixpkgs.outputs.libff }} local=${{ steps.local.outputs.libff }}" + if [ "$LIBFF_NIXPKGS" != "$LIBFF_LOCAL" ]; then + echo "libff versions do not match! nix=$LIBFF_NIXPKGS local=$LIBFF_LOCAL" exit 1 fi - if [ "${{ steps.nixpkgs.outputs.libsecp256k1 }}" != "${{ steps.local.outputs.libsecp256k1 }}" ]; then - echo "libsecp256k1 versions do not match! nix=${{ steps.nixpkgs.outputs.libsecp256k1 }} local=${{ steps.local.outputs.libsecp256k1 }}" + if [ "$LIBSECP256K1_NIXPKGS" != "$LIBSECP256K1_LOCAL" ]; then + echo "libsecp256k1 versions do not match! nix=$LIBSECP256K1_NIXPKGS local=$LIBSECP256K1_LOCAL" exit 1 fi - if [ "${{ steps.nixpkgs.outputs.bitwuzla }}" != "${{ steps.local.outputs.bitwuzla }}" ]; then - echo "bitwuzla versions do not match! nix=${{ steps.nixpkgs.outputs.bitwuzla }} local=${{ steps.local.outputs.bitwuzla }}" + if [ "$BITWUZLA_NIXPKGS" != "$BITWUZLA_LOCAL" ]; then + echo "bitwuzla versions do not match! nix=$BITWUZLA_NIXPKGS local=$BITWUZLA_LOCAL" exit 1 fi + env: + LIBFF_NIXPKGS: ${{ steps.nixpkgs.outputs.libff }} + LIBFF_LOCAL: ${{ steps.local.outputs.libff }} + LIBSECP256K1_NIXPKGS: ${{ steps.nixpkgs.outputs.libsecp256k1 }} + LIBSECP256K1_LOCAL: ${{ steps.local.outputs.libsecp256k1 }} + BITWUZLA_NIXPKGS: ${{ steps.nixpkgs.outputs.bitwuzla }} + BITWUZLA_LOCAL: ${{ steps.local.outputs.bitwuzla }}
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 8b1f78cb8..d0a884415 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
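Review bot: Each comparison in the rewritten `compare versions` script in check-dependencies.yml passes when both sides are empty, so if the two lookup steps ever emit no revision the check reports a match; those steps are mostly outside this hunk, so whether that can happen is not visible here. A guard ahead of the comparisons closes the gap, e.g. `: "${LIBFF_NIXPKGS:?missing}" "${LIBFF_LOCAL:?missing}"`, and likewise for the other two pairs. Passing the `steps.*.outputs.*` values through `env:` is the right shape, and a one-line comment above `env:` such as `# outputs go through env so they are never spliced into the script text` would keep a later edit from inlining them again.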
@@ -9,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4b7384512..1619be4b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,8 @@ name: "Release" on: + workflow_dispatch: + schedule: + - cron: '30 5 * * 1' # At 05:30 AM, only on Monday push: tags: - 'release/[0-9]+.[0-9]+.[0-9]+'
@@ -22,6 +25,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - name: build hevm
@@ -37,6 +42,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: DeterminateSystems/nix-installer-action@main - uses: DeterminateSystems/magic-nix-cache-action@main - name: download binaries
@@ -44,7 +51,9 @@ jobs: with: merge-multiple: true - name: create github release & upload binaries - uses: softprops/action-gh-release@v2.0.4 + uses: softprops/action-gh-release@v2.2.0 + # scheduled/manual runs should not create a release + if: github.event_name == 'push' with: fail_on_unmatched_files: true files: |
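Review bot: The new `workflow_dispatch` and `schedule` triggers in the `@@ -1,5` hunk of release.yml make every job in the Release workflow run outside a tag push, and the only thing keeping those runs from publishing is the per-step `if: github.event_name == 'push'` added further down. That dependency deserves a comment at the trigger, and the cron comment should name the timezone, since GitHub evaluates cron expressions in UTC: `# 05:30 UTC every Monday: build-only dry run; publishing steps are gated on push`. Any publishing step added later without the same `if:` would run on the weekly schedule with the job's token and secrets.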
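Review bot: `softprops/action-gh-release@v2.2.0` in the `@@ -44` hunk of release.yml is still a tag reference, and this step creates the release and uploads the binaries, so a moved tag would run with whatever release permissions the job holds. Pin the bump to the commit behind that tag instead: `uses: softprops/action-gh-release@<full-commit-sha>  # v2.2.0`. `haskell-actions/hackage-publish@v1` in the following hunk receives `secrets.HACKAGE_AUTH_TOKEN` and would benefit from the same treatment.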
@@ -53,10 +62,14 @@ jobs: ./hevm-arm64-macos - name: prepare hackage artifacts run: | - nix-shell --command "cabal sdist --builddir=${{ runner.temp }}/packages" - nix-shell --command "cabal haddock lib:hevm --builddir=${{ runner.temp }}/docs --haddock-for-hackage --haddock-option=--hyperlinked-source" + # cabal complains if we don't do this... + nix develop --command bash -c "cabal update" + nix develop --command bash -c "cabal sdist --builddir='$RUNNER_TEMP/packages'" + nix develop --command bash -c "cabal haddock lib:hevm --builddir='$RUNNER_TEMP/docs' --haddock-for-hackage --haddock-option=--hyperlinked-source" - name: publish to hackage uses: haskell-actions/hackage-publish@v1 + # scheduled/manual runs should not publish anything + if: github.event_name == 'push' with: hackageToken: ${{ secrets.HACKAGE_AUTH_TOKEN }} packagesPath: ${{ runner.temp }}/packages/sdist
diff --git a/default.nix b/default.nix
deleted file mode 100644
index 2cccff28d..000000000
--- a/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-(import
- (
- let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
- fetchTarball {
- url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
- sha256 = lock.nodes.flake-compat.locked.narHash;
- }
- )
- { src = ./.; }
-).defaultNix
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index 6234bb4d6..000000000
--- a/shell.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-(import
- (
- let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
- fetchTarball {
- url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
- sha256 = lock.nodes.flake-compat.locked.narHash;
- }
- )
- { src = ./.; }
-).shellNix
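Review bot: The three `nix develop --command bash -c "..."` lines in the `@@ -53` hunk of release.yml push each cabal invocation through a second shell, with `$RUNNER_TEMP` expanded by the outer shell into a single-quoted string that the inner shell then parses again. That is harmless with the runner's usual temp path, but the nested quoting is avoidable because `--command` takes the program and its arguments directly: `nix develop --command cabal sdist --builddir="$RUNNER_TEMP/packages"`, and the same for `cabal update` and `cabal haddock`. The publish step below still spells the directory as `${{ runner.temp }}/packages/sdist`; a short comment noting that this is the same location as `$RUNNER_TEMP` would help the next reader. The `with:` block of that step continues outside the hunk.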