diff --git a/.github/workflows/push_build_devShells.yaml b/.github/workflows/push_build_devShells.yaml new file mode 100644 index 0000000..60e483d --- /dev/null +++ b/.github/workflows/push_build_devShells.yaml @@ -0,0 +1,134 @@ +--- +name: "push: build and cache devShells" +on: + pull_request: + push: + branches: + - main + +jobs: + artifacts: + runs-on: ubuntu-latest + timeout-minutes: 30 + + permissions: + id-token: write + contents: write + + strategy: + matrix: + platform: + - x86_64 + - aarch64 + fail-fast: true + + steps: + - name: "Check out repository" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure aws + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }} + aws-region: eu-central-1 + + - uses: nixbuild/nix-quick-install-action@v26 + with: + nix_version: 2.16.2 + nix_conf: | + experimental-features = nix-command flakes + sandbox = false + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50 + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }} + builders-use-substitutes = true + + - name: "Verify if we need to build" + id: verify-build + run: | + export build_dry_run_output=$(make build-dry-run ARCH=${{ matrix.platform }}) + export drvPath=$(echo "$build_dry_run_output" | grep -oE '"out":.*"' | awk -F\" '{ print $4 }') + nix store verify --store s3://nhost-nix-cache?region=eu-central-1 $drvPath \ + && export BUILD_NEEDED=no \ + || export BUILD_NEEDED=yes + echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT + + - name: "Setup nix-remote-builder" + uses: dbarrosop/nix-remote-builder-aws@v0.3.0 + id: nix-remote-builder + with: + name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }} + ami: ami-0a6fe6f4f55f8421a + instance-type: 't4g.xlarge' + region: "eu-central-1" + availability-zone: "eu-central-1c" + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} + if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + - name: "Setup nix-remote-builder in nix.conf" + run: | + echo "builders = ssh://${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf + if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + - name: Cache nix store + uses: actions/cache@v4 + with: + path: | + /nix/store/** + /nix/var/nix/*/* + /nix/var/nix/db/* + /nix/var/nix/db/*/** + !/nix/var/nix/daemon-socket/socket + !/nix/var/nix/userpool/* + !/nix/var/nix/gc.lock + !/nix/var/nix/db/big-lock + !/nix/var/nix/db/reserved + key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock', '${{ inputs.PROJECT }}/**.nix') }} + restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main + if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + - uses: docker/setup-qemu-action@v3 + if: ${{ ( matrix.platform == 'aarch64' ) }} + + - name: "Wait for remote builder to be ready" + run: | + set +e + max_attempts=6 + retry_interval=10 + + attempt=1 + while [ "$attempt" -le "$max_attempts" ]; do + echo "Checking SSH connection (attempt $attempt)..." + nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22 + if [ $? -eq 0 ]; then + echo "success" + break + else + echo "SSH connection failed." + if [ "$attempt" -lt "$max_attempts" ]; then + echo "Retrying in $retry_interval seconds..." + sleep "$retry_interval" + else + echo "Exceeded maximum connection attempts." + exit 1 + fi + fi + ((attempt++)) + done + if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }} + + - name: "Build" + run: | + make build ARCH=${{ matrix.platform }} + + - name: "Cache nix store on s3" + run: | + echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem + nix store sign --key-file cache-priv-key.pem --all + find /nix/store -maxdepth 1 -name "*-*" -type d | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1 + if: always() + + - run: rm cache-priv-key.pem || echo "file not found" + if: always() diff --git a/.github/workflows/schedule_update_deps.yaml b/.github/workflows/schedule_update_deps.yaml new file mode 100644 index 0000000..3a43b4e --- /dev/null +++ b/.github/workflows/schedule_update_deps.yaml @@ -0,0 +1,67 @@ +--- +name: "gen: update depenendencies" +on: + schedule: + - cron: '0 2 27 * *' + +jobs: + run: + runs-on: ubuntu-latest + + permissions: + id-token: write + contents: write + pull-requests: write + + steps: + - name: Check out repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Configure aws + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }} + aws-region: eu-central-1 + + - uses: nixbuild/nix-quick-install-action@v26 + with: + nix_version: 2.16.2 + nix_conf: | + experimental-features = nix-command flakes + sandbox = false + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50 + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }} + + - name: Cache nix store + uses: actions/cache@v4 + with: + path: /nix + key: nix-update-deps-${{ hashFiles('flakes.nix', 'flake.lock') }} + + - name: Update nix flakes + run: nix flake update + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: Update dependencies + committer: GitHub + author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> + signoff: false + branch: automated/update-deps + delete-branch: true + title: '[Scheduled] Update dependencies' + body: | + Dependencies updated + + Note - If you see this PR and the checks haven't run, close and reopen the PR. See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs + labels: | + dependencies + draft: false + + - run: rm cache-priv-key.pem + if: always() diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..6b357b1 --- /dev/null +++ b/Makefile @@ -0,0 +1,30 @@ +ifeq ($(shell uname -m),x86_64) + ARCH?=x86_64 +else ifeq ($(shell uname -m),arm64) + ARCH?=aarch64 +endif + +ifeq ($(shell uname -o),Darwin) + OS?=darwin +else + OS?=linux +endif + +ifeq ($(CI),true) + build-options=--option system $(ARCH)-linux --extra-platforms ${ARCH}-linux +endif + +.PHONY: build +build: ## Build application and places the binary under ./result/bin + nix build $(build-options) \ + --print-build-logs \ + .\#devShells.$(ARCH)-$(OS).default + + +.PHONY: build-dry-run +build-dry-run: ## Run nix flake check + nix build $(build-options) \ + --dry-run \ + --json \ + --print-build-logs \ + .\#devShells.$(ARCH)-$(OS).default diff --git a/flake.nix b/flake.nix index aff3e16..ac26de0 100644 --- a/flake.nix +++ b/flake.nix @@ -48,7 +48,7 @@ gqlgenc oapi-codegen nhost-cli - postgresql_146 + # postgresql_146 postgresql_146-client ]; }; diff --git a/lib/go/example/flake.lock b/lib/go/example/flake.lock index fa2e7d9..ded6263 100644 --- a/lib/go/example/flake.lock +++ b/lib/go/example/flake.lock @@ -41,12 +41,12 @@ }, "locked": { "lastModified": 0, - "narHash": "sha256-SfFzLdA2CQgwVF0BMKVfTP0RlZ6nkWp1sKQWIdOzaqU=", - "path": "/nix/store/xphp9yws1aipy2aw8x4xv9fpn8aibvz3-source", + "narHash": "sha256-kRUgIl71CRlGFwlLJXsgU2oMYL7iA2TFmuo1n0zPcOo=", + "path": "/nix/store/9yz2hy1kr82f6z03krk2095cynz5ikvl-source", "type": "path" }, "original": { - "path": "/nix/store/xphp9yws1aipy2aw8x4xv9fpn8aibvz3-source", + "path": "/nix/store/9yz2hy1kr82f6z03krk2095cynz5ikvl-source", "type": "path" } }, diff --git a/overlays/nhost-cli.nix b/overlays/nhost-cli.nix index 18b57d2..336a87a 100644 --- a/overlays/nhost-cli.nix +++ b/overlays/nhost-cli.nix @@ -6,6 +6,14 @@ let url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-darwin-arm64.tar.gz"; sha256 = "0g7zq4qc2jvkj1kd9kd2y1j1hjbpcylg7p8v8v3nhnyvk9li0vgn"; }; + x86_64-darwin = rec { + url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-darwin-amd64.tar.gz"; + sha256 = "0kh593iby5sfsdki2g52f3clkcmhaa3jcxiq3b0a47cw89vrnxic"; + }; + aarch64-linux = rec { + url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-linux-arm64.tar.gz"; + sha256 = "0nr3wnkl4id4xzzypz9k5l52i221cv91310d2swd4a7ifn39v42q"; + }; x86_64-linux = rec { url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-linux-amd64.tar.gz"; sha256 = "13fr478klqbdbkdw3dwv1yhpz57zcj7jr2lp39cvac81187lgrz7"; diff --git a/overlays/nhost-cli.sh b/overlays/nhost-cli.sh new file mode 100755 index 0000000..6188597 --- /dev/null +++ b/overlays/nhost-cli.sh @@ -0,0 +1,12 @@ +#1/usr/bin/env bash + +set -eou pipefail + + +version="$1" +echo "version: $version" + +nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-darwin-arm64.tar.gz +nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-darwin-amd64.tar.gz +nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-linux-arm64.tar.gz +nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-linux-amd64.tar.gz