Skip to content

[Scheduled] Update dependencies (#10) #36

[Scheduled] Update dependencies (#10)

[Scheduled] Update dependencies (#10) #36

---
name: "push: build and cache devShells"
on:
pull_request:
push:
branches:
- main
jobs:
artifacts:
runs-on: ubuntu-latest
timeout-minutes: 240
permissions:
id-token: write
contents: write
strategy:
matrix:
platform:
- x86_64
- aarch64
fail-fast: true
steps:
- name: "Check out repository"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure aws
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
aws-region: eu-central-1
role-duration-seconds: 10800
- uses: nixbuild/nix-quick-install-action@v26
with:
nix_version: 2.16.2
nix_conf: |
experimental-features = nix-command flakes
sandbox = false
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
builders-use-substitutes = true
- name: "Verify if we need to build"
id: verify-build
run: |
export build_dry_run_output=$(make build-dry-run ARCH=${{ matrix.platform }})
export drvPath=$(echo "$build_dry_run_output" | grep -oE '"out":.*"' | awk -F\" '{ print $4 }')
nix store verify --store s3://nhost-nix-cache?region=eu-central-1 $drvPath \
&& export BUILD_NEEDED=no \
|| export BUILD_NEEDED=yes
echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT
- name: "Setup nix-remote-builder"
uses: dbarrosop/[email protected]
id: nix-remote-builder
with:
name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }}
ami: "ami-034dac72b37504107"
instance-type: 't4g.xlarge'
region: "eu-central-1"
availability-zone: "eu-central-1c"
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
valid-hours: 4
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
- name: "Setup nix-remote-builder in nix.conf"
run: |
echo "builders = ssh://${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
- name: Cache nix store
uses: actions/cache@v4
with:
path: |
/nix/store/**
/nix/var/nix/*/*
/nix/var/nix/db/*
/nix/var/nix/db/*/**
!/nix/var/nix/daemon-socket/socket
!/nix/var/nix/userpool/*
!/nix/var/nix/gc.lock
!/nix/var/nix/db/big-lock
!/nix/var/nix/db/reserved
key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock', '${{ inputs.PROJECT }}/**.nix') }}
restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main
if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
- uses: docker/setup-qemu-action@v3
if: ${{ ( matrix.platform == 'aarch64' ) }}
- name: "Wait for remote builder to be ready"
run: |
set +e
max_attempts=6
retry_interval=10
attempt=1
while [ "$attempt" -le "$max_attempts" ]; do
echo "Checking SSH connection (attempt $attempt)..."
nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22
if [ $? -eq 0 ]; then
echo "success"
break
else
echo "SSH connection failed."
if [ "$attempt" -lt "$max_attempts" ]; then
echo "Retrying in $retry_interval seconds..."
sleep "$retry_interval"
else
echo "Exceeded maximum connection attempts."
exit 1
fi
fi
((attempt++))
done
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
- name: "Build"
run: |
make build ARCH=${{ matrix.platform }}
- name: "Cache nix store on s3"
run: |
echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem
nix store sign --key-file cache-priv-key.pem --all
find /nix/store -maxdepth 1 -name "*-*" -type d | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1
if: always()
- run: rm cache-priv-key.pem || echo "file not found"
if: always()