diff --git a/.github/workflows/push_build_artifacts.yaml b/.github/workflows/push_build_artifacts.yaml new file mode 100644 index 0000000..c6b0a28 --- /dev/null +++ b/.github/workflows/push_build_artifacts.yaml @@ -0,0 +1,121 @@ +--- +on: + pull_request: + push: + branches: + - main + +jobs: + artifacts: + runs-on: ubuntu-latest + timeout-minutes: 30 + + permissions: + id-token: write + contents: write + + strategy: + matrix: + platform: + - aarch64 + fail-fast: true + + steps: + - name: "Check out repository" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + ref: ${{ inputs.GIT_REF }} + token: ${{ secrets.GIT_TOKEN }} + submodules: true + + - name: Configure aws + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }} + aws-region: eu-central-1 + + - uses: nixbuild/nix-quick-install-action@v26 + with: + nix_version: 2.16.2 + nix_conf: | + experimental-features = nix-command flakes + sandbox = false + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50 + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }} + builders-use-substitutes = true + + - name: "Setup nix-remote-builder" + uses: dbarrosop/nix-remote-builder-aws@v0.3.0 + id: nix-remote-builder + with: + name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }} + ami: ami-0a6fe6f4f55f8421a + instance-type: 't4g.xlarge' + region: "eu-central-1" + availability-zone: "eu-central-1c" + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} + + - name: "Setup nix-remote-builder in nix.conf" + run: | + echo "builders = ssh://${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf + if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + - name: Cache nix store + uses: actions/cache@v4 + with: + path: | + /nix/store/** + /nix/var/nix/*/* + /nix/var/nix/db/* + /nix/var/nix/db/*/** + !/nix/var/nix/daemon-socket/socket + !/nix/var/nix/userpool/* + !/nix/var/nix/gc.lock + !/nix/var/nix/db/big-lock + !/nix/var/nix/db/reserved + key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock', '${{ inputs.PROJECT }}/**.nix') }} + restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main + if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + - uses: docker/setup-qemu-action@v3 + if: ${{ ( matrix.platform == 'aarch64' ) }} + + - name: "Wait for remote builder to be ready" + run: | + set +e + max_attempts=6 + retry_interval=10 + + attempt=1 + while [ "$attempt" -le "$max_attempts" ]; do + echo "Checking SSH connection (attempt $attempt)..." + nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22 + if [ $? -eq 0 ]; then + echo "success" + break + else + echo "SSH connection failed." + if [ "$attempt" -lt "$max_attempts" ]; then + echo "Retrying in $retry_interval seconds..." + sleep "$retry_interval" + else + echo "Exceeded maximum connection attempts." + exit 1 + fi + fi + ((attempt++)) + done + if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + + - name: "Cache nix store on s3" + run: | + echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem + nix build .\#devShells.${{ matrix.platform }}-linux.default + nix store sign --key-file cache-priv-key.pem --all + nix copy --to s3://nhost-nix-cache\?region=eu-central-1 .\#devShells.${{ matrix.platform }}-linux.default + + - run: rm cache-priv-key.pem || echo "file not found" + if: always() diff --git a/.github/workflows/gen_schedule_update_deps.yaml b/.github/workflows/schedule_update_deps.yaml similarity index 65% rename from .github/workflows/gen_schedule_update_deps.yaml rename to .github/workflows/schedule_update_deps.yaml index 3c0b024..95173f0 100644 --- a/.github/workflows/gen_schedule_update_deps.yaml +++ b/.github/workflows/schedule_update_deps.yaml @@ -42,27 +42,27 @@ jobs: path: /nix key: nix-update-deps-${{ hashFiles('flakes.nix', 'flake.lock') }} - - name: Update nix flakes - run: nix flake update + # - name: Update nix flakes + # run: nix flake update - - name: Create Pull Request - uses: peter-evans/create-pull-request@v5 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: Update dependencies - committer: GitHub - author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> - signoff: false - branch: automated/update-deps - delete-branch: true - title: '[Scheduled] Update dependencies' - body: | - Dependencies updated + # - name: Create Pull Request + # uses: peter-evans/create-pull-request@v5 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # commit-message: Update dependencies + # committer: GitHub + # author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> + # signoff: false + # branch: automated/update-deps + # delete-branch: true + # title: '[Scheduled] Update dependencies' + # body: | + # Dependencies updated - Note - If you see this PR and the checks haven't run, close and reopen the PR. See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs - labels: | - dependencies - draft: false + # Note - If you see this PR and the checks haven't run, close and reopen the PR. See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs + # labels: | + # dependencies + # draft: false - name: "Cache nix store on s3" run: |