Merge pull request #11589 from NixOS/mergify/bp/2.21-maintenance/pr-1… #12584
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "CI" | |
on: | |
pull_request: | |
push: | |
permissions: read-all | |
jobs: | |
tests: | |
needs: [check_secrets] | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest] | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 60 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: cachix/install-nix-action@v25 | |
with: | |
# The sandbox would otherwise be disabled by default on Darwin | |
extra_nix_config: "sandbox = true" | |
- run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV | |
- uses: cachix/cachix-action@v14 | |
if: needs.check_secrets.outputs.cachix == 'true' | |
with: | |
name: '${{ env.CACHIX_NAME }}' | |
signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- run: nix --experimental-features 'nix-command flakes' flake check -L | |
check_secrets: | |
permissions: | |
contents: none | |
name: Check Cachix and Docker secrets present for installer tests | |
runs-on: ubuntu-latest | |
outputs: | |
cachix: ${{ steps.secret.outputs.cachix }} | |
docker: ${{ steps.secret.outputs.docker }} | |
steps: | |
- name: Check for secrets | |
id: secret | |
env: | |
_CACHIX_SECRETS: ${{ secrets.CACHIX_SIGNING_KEY }}${{ secrets.CACHIX_AUTH_TOKEN }} | |
_DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }} | |
run: | | |
echo "::set-output name=cachix::${{ env._CACHIX_SECRETS != '' }}" | |
echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}" | |
installer: | |
needs: [tests, check_secrets] | |
if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true' | |
runs-on: ubuntu-latest | |
outputs: | |
installerURL: ${{ steps.prepare-installer.outputs.installerURL }} | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV | |
- uses: cachix/install-nix-action@v25 | |
with: | |
install_url: https://releases.nixos.org/nix/nix-2.20.3/install | |
- uses: cachix/cachix-action@v14 | |
with: | |
name: '${{ env.CACHIX_NAME }}' | |
signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- id: prepare-installer | |
run: scripts/prepare-installer-for-github-actions | |
installer_test: | |
needs: [installer, check_secrets] | |
if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true' | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV | |
- uses: cachix/install-nix-action@v25 | |
with: | |
install_url: '${{needs.installer.outputs.installerURL}}' | |
install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve" | |
- run: sudo apt install fish zsh | |
if: matrix.os == 'ubuntu-latest' | |
- run: brew install fish | |
if: matrix.os == 'macos-latest' | |
- run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval" | |
- run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval" | |
- run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval" | |
- run: exec fish -c "nix-instantiate -E 'builtins.currentTime' --eval" | |
- run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs" | |
- run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello" | |
docker_push_image: | |
needs: [check_secrets, tests] | |
permissions: | |
contents: read | |
packages: write | |
if: >- | |
github.event_name == 'push' && | |
github.ref_name == 'master' && | |
needs.check_secrets.outputs.cachix == 'true' && | |
needs.check_secrets.outputs.docker == 'true' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- uses: cachix/install-nix-action@v25 | |
with: | |
install_url: https://releases.nixos.org/nix/nix-2.20.3/install | |
- run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV | |
- run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#default.version | tr -d \")" >> $GITHUB_ENV | |
- uses: cachix/cachix-action@v14 | |
if: needs.check_secrets.outputs.cachix == 'true' | |
with: | |
name: '${{ env.CACHIX_NAME }}' | |
signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}' | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
- run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L | |
- run: docker load -i ./result/image.tar.gz | |
- run: docker tag nix:$NIX_VERSION nixos/nix:$NIX_VERSION | |
- run: docker tag nix:$NIX_VERSION nixos/nix:master | |
# We'll deploy the newly built image to both Docker Hub and Github Container Registry. | |
# | |
# Push to Docker Hub first | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- run: docker push nixos/nix:$NIX_VERSION | |
- run: docker push nixos/nix:master | |
# Push to GitHub Container Registry as well | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push image | |
run: | | |
IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix | |
# Change all uppercase to lowercase | |
IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') | |
docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION | |
docker tag nix:$NIX_VERSION $IMAGE_ID:latest | |
docker push $IMAGE_ID:$NIX_VERSION | |
docker push $IMAGE_ID:latest | |
# deprecated 2024-02-24 | |
docker tag nix:$NIX_VERSION $IMAGE_ID:master | |
docker push $IMAGE_ID:master |