Make release #71
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Make release | |
on: | |
workflow_dispatch: | |
inputs: | |
holo-nixpkgs-tag: | |
description: "The holo-nixpkgs tag to build from" | |
required: true | |
default: "develop" | |
type: string | |
skip-upload-binary: | |
description: "skip the upload-binary job" | |
required: true | |
default: true | |
type: boolean | |
skip-update-sources: | |
description: "skip the update-sources job" | |
required: true | |
default: true | |
type: boolean | |
env: | |
NIX_GITHUB_PRIVATE_USERNAME: ${{ secrets.NIX_GITHUB_PRIVATE_USERNAME }} | |
NIX_GITHUB_PRIVATE_PASSWORD: ${{ secrets.NIX_GITHUB_PRIVATE_PASSWORD }} | |
jobs: | |
build: | |
runs-on: ${{ matrix.build-config.runner }} | |
outputs: | |
nixpkgs-revision: ${{ steps.nixpkgs-revision.outputs.nixpkgs-revision }} | |
rust-overlay-revision: ${{ steps.rust-overlay-revision.outputs.rust-overlay-revision }} | |
rust-version: ${{ steps.rust-version.outputs.rust-version }} | |
build-deps: ${{ steps.build-deps.outputs.build-deps }} | |
strategy: | |
matrix: | |
build-config: | |
- { system: x86_64-linux, runner: "ubuntu-latest", native: true } | |
- { system: aarch64-linux, runner: "ubuntu-latest", native: false } | |
- { system: aarch64-darwin, runner: "macos-latest", native: true } | |
permissions: | |
contents: read | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: DeterminateSystems/nix-installer-action@main | |
with: | |
github-token: ${{ secrets.HOLO_HOST_ORG_READ_ONLY_ACCESS }} | |
extra-conf: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= | |
substituters = https://cache.nixos.org/ | |
- uses: DeterminateSystems/magic-nix-cache-action@main | |
- name: Configure nix with github credentials | |
run: | | |
set -xu | |
if type systemctl; then | |
sudo mkdir -p /etc/systemd/system/nix-daemon.service.d/ | |
sudo dd of=/etc/systemd/system/nix-daemon.service.d/github-credentials.conf <<EOF | |
[Service] | |
Environment=NIX_GITHUB_PRIVATE_USERNAME=$NIX_GITHUB_PRIVATE_USERNAME | |
Environment=NIX_GITHUB_PRIVATE_PASSWORD=$NIX_GITHUB_PRIVATE_PASSWORD | |
EOF | |
sudo systemctl daemon-reload | |
sudo systemctl restart nix-daemon.service | |
elif type launchctl; then | |
sudo launchctl debug system/org.nixos.nix-daemon --environment NIX_GITHUB_PRIVATE_USERNAME=$NIX_GITHUB_PRIVATE_USERNAME NIX_GITHUB_PRIVATE_PASSWORD=$NIX_GITHUB_PRIVATE_PASSWORD | |
# debug whether the nix-daemon PID changes before and after as a restart of it is required for the changes to take effect | |
( | |
set +eE +o pipefail | |
set -x | |
sudo pgrep nix-daemon | |
sudo launchctl stop system/org.nixos.nix-daemon | |
sudo pkill -9 nix-daemon | |
sudo launchctl start system/org.nixos.nix-daemon | |
while ! sudo pgrep nix-daemon; do | |
echo waiting for nix-daemon | |
sleep 1 | |
done | |
exit 0 | |
) | |
else | |
echo Unsupported system | |
exit 1 | |
fi | |
echo all good | |
- name: "download holo-nixpkgs tag" | |
run: | | |
set -eou pipefail | |
nix flake update holo-nixpkgs --override-input holo-nixpkgs github:holo-host/holo-nixpkgs/${{ inputs.holo-nixpkgs-tag }} | |
- name: "build holo-dev-server" | |
if: ${{ matrix.build-config.native }} | |
run: | | |
nix build -vL \ | |
--out-link holo-dev-server \ | |
'.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin' | |
- name: "build holo-dev-server" | |
if: ${{ ! matrix.build-config.native }} | |
run: | | |
sudo apt-get update | |
sudo apt-get install binfmt-support qemu-user-static | |
nix build -vL \ | |
--option extra-platforms aarch64-linux \ | |
--option extra-sandbox-paths "/usr/libexec/qemu-binfmt /usr/bin/qemu-aarch64-static /usr/bin/qemu-aarch64-static /usr/bin/qemu-arm-static" \ | |
--out-link holo-dev-server \ | |
'.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin' | |
- name: get nixpkgs revision | |
id: nixpkgs-revision | |
run: | | |
echo "nixpkgs-revision=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.nixpkgs-revision')" >> ${GITHUB_OUTPUT} | |
- name: get rust-overlay revision | |
id: rust-overlay-revision | |
run: | | |
echo "rust-overlay-revision=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.rust-overlay-revision')" >> ${GITHUB_OUTPUT} | |
- name: get rust version | |
id: rust-version | |
run: | | |
echo "rust-version=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.rust-version')" >> ${GITHUB_OUTPUT} | |
- name: get build deps | |
id: build-deps | |
run: | | |
echo "build-deps=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.propagatedBuildInputs')" >> ${GITHUB_OUTPUT} | |
- name: upload artifact | |
if: ${{ inputs.skip-upload-binary == false }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-${{ matrix.build-config.system }} | |
path: | | |
holo-dev-server | |
if-no-files-found: error | |
- name: Setup upterm session | |
if: ${{ failure() && ! cancelled() }} | |
uses: owenthereal/action-upterm@v1 | |
with: | |
limit-access-to-actor: true # Restrict to the user who triggered the workflow | |
limit-access-to-users: steveej # Specific authorized users only | |
## If no one connects after 5 minutes, shut down server. | |
wait-timeout-minutes: 5 | |
upload-binary: | |
if: ${{ inputs.skip-upload-binary == false }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
needs: build | |
outputs: | |
release_name: ${{ steps.make_release.outputs.release }} | |
tag_name: ${{ steps.date.outputs.date }} | |
steps: | |
- name: download x86_64-linux artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-x86_64-linux | |
path: holo-dev-server | |
- name: "Create the x86_64-linux tarball" | |
run: | | |
chmod +x holo-dev-server/bin/holo-dev-server | |
tar -czf holo-dev-server-x86_64-linux.tar.gz holo-dev-server | |
rm -rf holo-dev-server | |
- name: download aarch64-linux artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-aarch64-linux | |
path: holo-dev-server | |
- name: "Create the aarch64-linux tarball" | |
run: | | |
chmod +x holo-dev-server/bin/holo-dev-server | |
tar -czf holo-dev-server-aarch64-linux.tar.gz holo-dev-server | |
rm -rf holo-dev-server | |
- name: download aarch64-darwin artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-aarch64-darwin | |
path: holo-dev-server | |
- name: "Create the aarch64-darwin tarball" | |
run: | | |
chmod +x holo-dev-server/bin/holo-dev-server | |
tar -czf holo-dev-server-aarch64-darwin.tar.gz holo-dev-server | |
rm -rf holo-dev-server | |
- name: Get current date | |
id: date | |
run: echo "date=$(date +'%Y-%m-%d-%H%M%S')" >> ${GITHUB_OUTPUT} | |
- name: Create draft release | |
id: make_release | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: |- | |
release=$( | |
gh release create --draft ${{ steps.date.outputs.date }} \ | |
--repo ${{ github.repository }} \ | |
--title "Version ${{ steps.date.outputs.date }}" \ | |
"holo-dev-server-x86_64-linux.tar.gz" \ | |
"holo-dev-server-aarch64-linux.tar.gz" \ | |
"holo-dev-server-aarch64-darwin.tar.gz" | |
) | |
echo "release=${release}" >> ${GITHUB_OUTPUT} | |
update-sources: | |
if: ${{ inputs.skip-update-sources == false }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
needs: | |
- build | |
- upload-binary | |
steps: | |
- uses: actions/checkout@v4 | |
- name: "install nix" | |
uses: "cachix/install-nix-action@v22" | |
with: | |
github_access_token: ${{ secrets.GITHUB_TOKEN }} | |
extra_nix_config: | | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE= cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ= | |
substituters = https://cache.holo.host https://cache.nixos.org/ | |
- name: prefetch nixpkgs | |
id: prefetch-nixpkgs | |
run: | | |
tar -xzf <(curl --location https://github.com/nixos/nixpkgs/archive/${{ needs.build.outputs.nixpkgs-revision }}.tar.gz) | |
echo "hash=$(nix hash path --base32 nixpkgs-${{ needs.build.outputs.nixpkgs-revision }}/)" >> ${GITHUB_OUTPUT} | |
- name: prefetch rust-overlay | |
id: prefetch-rust-overlay | |
run: | | |
tar -xzf <(curl --location https://github.com/oxalica/rust-overlay/archive/${{ needs.build.outputs.rust-overlay-revision }}.tar.gz) | |
echo "hash=$(nix hash path --base32 rust-overlay-${{ needs.build.outputs.rust-overlay-revision }}/)" >> ${GITHUB_OUTPUT} | |
- name: prefetch release binaries | |
id: prefetch-binaries | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
gh release download ${{ needs.upload-binary.outputs.tag_name }} | |
tar -xzf holo-dev-server-x86_64-linux.tar.gz | |
echo "hash_x86_64_linux=$(nix hash path --base32 holo-dev-server/)" >> ${GITHUB_OUTPUT} | |
rm -rf holo-dev-server | |
tar -xzf holo-dev-server-aarch64-linux.tar.gz | |
echo "hash_aarch64_linux=$(nix hash path --base32 holo-dev-server/)" >> ${GITHUB_OUTPUT} | |
rm -rf holo-dev-server | |
tar -xzf holo-dev-server-aarch64-darwin.tar.gz | |
echo "hash_aarch64_darwin=$(nix hash path --base32 holo-dev-server/)" >> ${GITHUB_OUTPUT} | |
rm -rf holo-dev-server | |
- name: overwrite sources.nix | |
run: | | |
cat > sources.nix << EOF | |
# this file is autogenerated by .github/workflows/build-hds.yml | |
{ | |
nixpkgs = builtins.fetchTarball { | |
url = "https://github.com/nixos/nixpkgs/archive/${{ needs.build.outputs.nixpkgs-revision }}.tar.gz"; | |
sha256 = "${{ steps.prefetch-nixpkgs.outputs.hash }}"; | |
}; | |
rust-overlay = builtins.fetchTarball { | |
url = "https://github.com/oxalica/rust-overlay/archive/${{ needs.build.outputs.rust-overlay-revision }}.tar.gz"; | |
sha256 = "${{ steps.prefetch-rust-overlay.outputs.hash }}"; | |
}; | |
rust-version = "${{ needs.build.outputs.rust-version }}"; | |
x86_64-linux.holo-dev-server-bin = builtins.fetchTarball { | |
url = "https://github.com/${{ github.repository }}/releases/download/${{ needs.upload-binary.outputs.tag_name }}/holo-dev-server-x86_64-linux.tar.gz"; | |
sha256 = "${{ steps.prefetch-binaries.outputs.hash_x86_64_linux }}"; | |
}; | |
aarch64-linux.holo-dev-server-bin = builtins.fetchTarball { | |
url = "https://github.com/${{ github.repository }}/releases/download/${{ needs.upload-binary.outputs.tag_name }}/holo-dev-server-aarch64-linux.tar.gz"; | |
sha256 = "${{ steps.prefetch-binaries.outputs.hash_aarch64_linux }}"; | |
}; | |
aarch64-darwin.holo-dev-server-bin = builtins.fetchTarball { | |
url = "https://github.com/${{ github.repository }}/releases/download/${{ needs.upload-binary.outputs.tag_name }}/holo-dev-server-aarch64-darwin.tar.gz"; | |
sha256 = "${{ steps.prefetch-binaries.outputs.hash_aarch64_darwin }}"; | |
}; | |
} | |
EOF | |
- name: overwrite holo-dev-server.deps.json | |
run: | | |
cat > holo-dev-server.deps.json << EOF | |
${{ needs.build.outputs.build-deps }} | |
EOF | |
- name: commit and push sources.nix | |
run: | | |
if [[ "$(git status --porcelain)" != "" ]]; then | |
git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
git config --local user.name "github-actions[bot]" | |
git add sources.nix holo-dev-server.deps.json | |
git commit -m "update to release ${{ needs.upload-binary.outputs.tag_name }}" | |
git push origin HEAD:refs/heads/main | |
fi | |
- name: update and undraft release | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: |- | |
gh release edit --draft=false ${{ needs.upload-binary.outputs.tag_name }} | |
# Unfortunately we cannot do this earlier, since the release artifacts are | |
# only public after the release was undrafted. | |
# TODO: can we make a prerelease first, then test, then make the real release? | |
- name: test if flake works | |
run: | | |
nix flake show --all-systems | |
nix flake check -L |