push_build_devShells.yaml
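---
# Builds the project's Nix devShells for x86_64 and aarch64 on push / pull_request
# and pushes the resulting store paths to the S3 binary cache.
#
# NOTE(review): this workflow is only triggered by push and pull_request, so the
# `inputs.*` context (NAME, GIT_REF, PROJECT) is empty here — confirm where those
# values are meant to come from (a workflow_call / workflow_dispatch trigger?).
# NOTE(review): the pull_request trigger also fires for forks, where secrets are
# not provided; the AWS and remote-builder steps will then fail.
# NOTE(review): third-party actions are referenced by tag; consider pinning them
# to a full commit SHA so a moved tag cannot change what runs with access to the
# AWS role, the SSH key and the cache signing key.
name: "push: build and cache devShells"
on:  # yamllint disable-line rule:truthy
  pull_request:
  push:
    branches:
      - main
jobs:
  artifacts:
    runs-on: ubuntu-latest
    timeout-minutes: 240
    permissions:
      # Required for the OIDC token exchange in configure-aws-credentials.
      id-token: write
      # NOTE(review): no step in this job writes to the repository; confirm
      # whether `contents: read` is sufficient.
      contents: write
    strategy:
      matrix:
        platform:
          - x86_64
          - aarch64
      fail-fast: true
    steps:
      - name: "Check out repository"
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Configure aws
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
          aws-region: eu-central-1
          # 3h of credentials against a 4h job timeout: the final "Cache nix
          # store on s3" step may run after the role session has expired.
          role-duration-seconds: 10800
      - uses: nixbuild/nix-quick-install-action@v26
        with:
          nix_version: "2.16.2"
          # `sandbox = false` disables the Nix build sandbox for every build in
          # this job; presumably required by the runner environment — confirm.
          # GITHUB_TOKEN is handed to Nix for fetching flake inputs from GitHub.
          nix_conf: |
            experimental-features = nix-command flakes
            sandbox = false
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
            substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
            builders-use-substitutes = true
      - name: "Verify if we need to build"
        id: verify-build
        # Sets BUILD_NEEDED=no only when the dry-run's "out" path already
        # verifies in the S3 cache; any failure along the way means "build".
        run: |
          build_dry_run_output=$(make build-dry-run ARCH=${{ matrix.platform }} || true)
          # `|| true`: the default shell runs with pipefail, so a non-matching
          # grep must not abort the step — an empty path simply means "build".
          drvPath=$(echo "$build_dry_run_output" | grep -oE '"out":.*"' | awk -F\" '{ print $4 }' || true)
          BUILD_NEEDED=yes
          # An empty path must not be passed to `nix store verify`, which would
          # otherwise report success without checking anything.
          if [ -n "$drvPath" ] && nix store verify --store 's3://nhost-nix-cache?region=eu-central-1' "$drvPath"; then
            BUILD_NEEDED=no
          fi
          echo "BUILD_NEEDED=$BUILD_NEEDED" >> "$GITHUB_OUTPUT"
      - name: "Setup nix-remote-builder"
        # NOTE(review): this action reference looks mangled in this copy
        # ("[email protected]"); restore the real owner/repo@ref and pin it to a
        # commit SHA — it receives the SSH private key.
        uses: dbarrosop/[email protected]
        id: nix-remote-builder
        with:
          name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }}
          ami: "ami-034dac72b37504107"
          instance-type: 't4g.xlarge'
          region: "eu-central-1"
          availability-zone: "eu-central-1c"
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
          valid-hours: 4
        if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
      - name: "Setup nix-remote-builder in nix.conf"
        env:
          # Passed through the environment rather than interpolated into the
          # script so the step output is never parsed as shell syntax.
          BUILDER_HOST: ${{ steps.nix-remote-builder.outputs.publicDnsName }}
        run: |
          echo "builders = ssh://${BUILDER_HOST} aarch64-linux;" >> ~/.config/nix/nix.conf
        if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
      - name: Cache nix store
        uses: actions/cache@v4
        with:
          path: |
            /nix/store/**
            /nix/var/nix/*/*
            /nix/var/nix/db/*
            /nix/var/nix/db/*/**
            !/nix/var/nix/daemon-socket/socket
            !/nix/var/nix/userpool/*
            !/nix/var/nix/gc.lock
            !/nix/var/nix/db/big-lock
            !/nix/var/nix/db/reserved
          # `${{ }}` cannot be nested inside an expression; build the glob with
          # format() instead. Both keys use `runner.os` so they stay aligned.
          key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock', format('{0}/**.nix', inputs.PROJECT)) }}
          restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-main
        if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
      - uses: docker/setup-qemu-action@v3
        if: ${{ ( matrix.platform == 'aarch64' ) }}
      - name: "Wait for remote builder to be ready"
        env:
          BUILDER_HOST: ${{ steps.nix-remote-builder.outputs.publicDnsName }}
        # Polls TCP/22 on the builder up to max_attempts times, retry_interval
        # seconds apart; fails the job when it never becomes reachable.
        run: |
          set +e
          max_attempts=6
          retry_interval=10
          attempt=1
          while [ "$attempt" -le "$max_attempts" ]; do
            echo "Checking SSH connection (attempt $attempt)..."
            if nc -zv "$BUILDER_HOST" 22; then
              echo "success"
              break
            fi
            echo "SSH connection failed."
            if [ "$attempt" -lt "$max_attempts" ]; then
              echo "Retrying in $retry_interval seconds..."
              sleep "$retry_interval"
            else
              echo "Exceeded maximum connection attempts."
              exit 1
            fi
            ((attempt++))
          done
        if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
      - name: "Build"
        # Runs for every platform; when BUILD_NEEDED is 'no' the substituters
        # configured above serve the closure from the cache.
        run: |
          make build ARCH=${{ matrix.platform }}
      - name: "Cache nix store on s3"
        env:
          NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
        # Signs every store path with the cache key and uploads them to S3.
        # always(): also uploads whatever was built when an earlier step failed.
        run: |
          # Key file is written 0600 from the environment rather than by echoing
          # the interpolated secret, which would also word-split a multi-line key.
          umask 077
          printf '%s\n' "$NIX_CACHE_PRIV_KEY" > cache-priv-key.pem
          nix store sign --key-file cache-priv-key.pem --all
          find /nix/store -maxdepth 1 -name "*-*" -type d | xargs -n 1000 nix copy --to 's3://nhost-nix-cache?region=eu-central-1'
        if: always()
      # Remove the signing key even when the job failed before writing it.
      - run: rm -f cache-priv-key.pem
        if: always()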