Skip to content

Update flake.lock

Update flake.lock #41

# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors
# SPDX-License-Identifier: Apache-2.0
name: Run pre-push checks
on:
push:
branches:
- main
pull_request_target:
branches:
- main
jobs:
# Checks if the author of pull request is in our predefined list of authorized users
check-identity:
runs-on: ubuntu-latest
outputs:
authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user}}
environment: 'internal'
steps:
- name: Check identity
id: check-authorized-user
shell: bash
run: |
# AUTHORIZED_USERS is a newline separated list of usernames
if echo "${{ vars.AUTHORIZED_USERS }}" | tr -s '[:space:]' '\n' | grep -Fxq "${{ github.actor }}"; then
echo "User is authorized"
echo "authorized_user=True" >> "$GITHUB_OUTPUT"
else
echo "User not authorized"
echo "authorized_user=False" >> "$GITHUB_OUTPUT"
fi
# Authorization passes without approval if
# - the event is not a pull request (eg. push to main)
# - pull request comes from another branch in the same repo
# - author is in our predefined list of authorized users
# If none of these conditions are met, the workflow requires
# manual approval from a maintainer with write permissions to continue
authorize:
needs: [check-identity]
environment: ${{
( github.event_name != 'pull_request_target' ||
github.event.pull_request.head.repo.full_name == github.repository ||
needs.check-identity.outputs.authorized_user == 'True' )
&& 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- run: echo "Auth OK"
# Send a warning and fail this job if the workflow file was changed.
# Rest of the workflow continues as normal but the job failure will grab author's attention.
no-workflow-changes:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'pull_request_target' }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0
- name: Check if workflow is modified
id: workflow-changed
uses: tj-actions/changed-files@v40
with:
files: .github/workflows/test-ghaf-infra.yml
- name: Send warning
run: |
if [ "${{ steps.workflow-changed.outputs.any_changed }}" == "true" ]; then
echo "::error::"\
"This change edits workflow file '.github/workflows/test-ghaf-infra.yml'."\
"Raising this error to notify that the workflow change will only take impact after merge."\
"Therefore, you need to manually test the change (perhaps in a forked repo) "\
"before merging to make sure the change does not break anything."
exit 1
fi
tests:
# Don't run unless authorization was successful
needs: [authorize]
if: ${{ always() && needs.authorize.result == 'success' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0
- uses: cachix/install-nix-action@v27
with:
extra_nix_config: |
trusted-public-keys = cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
substituters = https://cache.vedenemo.dev https://cache.nixos.org
connect-timeout = 5
max-jobs = 4
system-features = nixos-test benchmark big-parallel kvm
builders-use-substitutes = true
builders = @/etc/nix/machines
- uses: cachix/cachix-action@v15
with:
name: ghaf-dev
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Configure remote builders
run: |
sudo sh -c "umask 377; echo '${{ secrets.BUILDER_SSH_KEY }}' >/etc/nix/id_builder_key"
sudo sh -c "echo 'hetzarm.vedenemo.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx4zU4gIkTY/1oKEOkf9gTJChdx/jR3lDgZ7p/c7LEK' >>/etc/ssh/ssh_known_hosts"
sudo sh -c "echo 'builder.vedenemo.dev ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSI8s/wefXiD2h3I3mIRdK+d9yDGMn0qS5fpKDnSGqj' >>/etc/ssh/ssh_known_hosts"
sudo sh -c "echo 'ssh://[email protected] aarch64-linux /etc/nix/id_builder_key 40 1 nixos-test,benchmark,big-parallel,kvm - -' >/etc/nix/machines"
sudo sh -c "echo 'ssh://[email protected] x86_64-linux,i686-linux /etc/nix/id_builder_key 32 1 kvm,benchmark,big-parallel,nixos-test - -' >>/etc/nix/machines"
- name: Run ghaf-infra CI tests
run: nix develop --command inv pre-push