From d712540206fb40d3c26809bdcdd0479a37072df9 Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Fri, 21 Feb 2025 09:09:05 -0800 Subject: [PATCH 1/7] wip: delete unnecessary CI for now --- .github/workflows/ci.yml | 169 ---------------------------------- .github/workflows/labels.yml | 24 ----- .github/workflows/publish.yml | 23 ----- .github/workflows/test.yml | 21 ----- 4 files changed, 237 deletions(-) delete mode 100644 .github/workflows/ci.yml delete mode 100644 .github/workflows/labels.yml delete mode 100644 .github/workflows/publish.yml delete mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index c3a96704f..000000000 --- a/.github/workflows/ci.yml +++ /dev/null 
@@ -1,169 +0,0 @@ -name: "CI" - -on: - pull_request: - push: - branches: - - detsys-main - - main - - master - merge_group: - -permissions: - id-token: "write" - contents: "read" - -jobs: - eval: - runs-on: blacksmith-32vcpu-ubuntu-2204 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - uses: DeterminateSystems/nix-installer-action@main - with: - flakehub: true - - run: nix flake show --all-systems --json - - build_x86_64-linux: - uses: ./.github/workflows/build.yml - with: - os: blacksmith-32vcpu-ubuntu-2204 - - build_aarch64-linux: - if: github.event_name == 'merge_group' - uses: ./.github/workflows/build.yml - with: - os: blacksmith-32vcpu-ubuntu-2204-arm - - build_x86_64-darwin: - if: github.event_name == 'merge_group' - uses: ./.github/workflows/build.yml - with: - os: macos-13 - - build_aarch64-darwin: - uses: ./.github/workflows/build.yml - with: - os: macos-latest - - test_x86_64-linux: - uses: ./.github/workflows/test.yml - needs: build_x86_64-linux - with: - os: blacksmith-32vcpu-ubuntu-2204 - - test_aarch64-linux: - if: github.event_name == 'merge_group' - uses: ./.github/workflows/test.yml - needs: build_aarch64-linux - with: - os: blacksmith-32vcpu-ubuntu-2204-arm - - test_x86_64-darwin: - if: github.event_name == 'merge_group' - uses: ./.github/workflows/test.yml - needs: build_aarch64-darwin - with: - os: macos-13 - - test_aarch64-darwin: - if: github.event_name == 'merge_group' - uses: ./.github/workflows/test.yml - needs: build_aarch64-darwin - with: - os: macos-latest - - vm_tests_smoke: - if: github.event_name != 'merge_group' - needs: build_x86_64-linux - runs-on: blacksmith-32vcpu-ubuntu-2204 - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - with: - flakehub: true - - uses: DeterminateSystems/flakehub-cache-action@main - - run: | - nix build -L \ - .#hydraJobs.tests.functional_user \ - .#hydraJobs.tests.githubFlakes \ - .#hydraJobs.tests.nix-docker \ - 
.#hydraJobs.tests.tarballFlakes \ - ; - - vm_tests_all: - if: github.event_name == 'merge_group' - needs: build_x86_64-linux - runs-on: blacksmith-32vcpu-ubuntu-2204 - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - with: - flakehub: true - - uses: DeterminateSystems/flakehub-cache-action@main - - run: | - nix build -L --keep-going \ - $(nix flake show --json \ - | jq -r ' - .hydraJobs.tests - | with_entries(select(.value.type == "derivation")) - | keys[] - | ".#hydraJobs.tests." + .' \ - | head -n5) # FIXME: for testing the merge queue - - flake_regressions: - if: github.event_name == 'merge_group' - needs: build_x86_64-linux - runs-on: blacksmith-32vcpu-ubuntu-2204 - steps: - - name: Checkout nix - uses: actions/checkout@v4 - - name: Checkout flake-regressions - uses: actions/checkout@v4 - with: - repository: DeterminateSystems/flake-regressions - path: flake-regressions - - name: Checkout flake-regressions-data - uses: actions/checkout@v4 - with: - repository: DeterminateSystems/flake-regressions-data - path: flake-regressions/tests - - uses: DeterminateSystems/nix-installer-action@main - with: - flakehub: true - - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=50 flake-regressions/eval-all.sh - - manual: - if: github.event_name != 'merge_group' - needs: build_x86_64-linux - runs-on: blacksmith - permissions: - id-token: "write" - contents: "read" - pull-requests: "write" - statuses: "write" - deployments: "write" - steps: - - name: Checkout nix - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - with: - flakehub: true - - uses: DeterminateSystems/flakehub-cache-action@main - - name: Build manual - run: nix build .#hydraJobs.manual - - uses: nwtgck/actions-netlify@v3.0 - with: - publish-dir: './result/share/doc/nix/manual' - production-branch: detsys-main - github-token: ${{ 
secrets.GITHUB_TOKEN }} - deploy-message: "Deploy from GitHub Actions" - enable-pull-request-comment: true - enable-commit-comment: true - enable-commit-status: true - overwrites-pull-request-comment: true - env: - NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }} - NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }} diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml deleted file mode 100644 index 23a5d9e51..000000000 --- a/.github/workflows/labels.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: "Label PR" - -on: - pull_request_target: - types: [edited, opened, synchronize, reopened] - -# WARNING: -# When extending this action, be aware that $GITHUB_TOKEN allows some write -# access to the GitHub API. This means that it should not evaluate user input in -# a way that allows code injection. - -permissions: - contents: read - pull-requests: write - -jobs: - labels: - runs-on: ubuntu-24.04 - if: github.repository_owner == 'NixOS' - steps: - - uses: actions/labeler@v5 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - sync-labels: false diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 00ca3ec53..000000000 --- a/.github/workflows/publish.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: Release - -on: - release: - types: - - released - -jobs: - publish: - if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/'))) - environment: ${{ github.event_name == 'release' && 'production' || '' }} - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: "DeterminateSystems/flakehub-push@main" - with: - rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - visibility: "private" - tag: "${{ github.ref_name }}" 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index e58827a9c..000000000 --- a/.github/workflows/test.yml +++ /dev/null @@ -1,21 +0,0 @@ -on: - workflow_call: - inputs: - os: - required: true - type: string - -jobs: - - tests: - strategy: - fail-fast: false - runs-on: ${{ inputs.os }} - timeout-minutes: 60 - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - with: - flakehub: true - - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix flake check -L From 90581c9d66173ab1e1b92626a4177620a97f6cf2 Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Thu, 20 Feb 2025 14:00:48 -0800 Subject: [PATCH 2/7] Setup uploading PRs, tags, and branches to IDS --- .github/workflows/build.yml | 9 +++- .github/workflows/release-branches.yml | 20 ++++++++ .github/workflows/release-prs.yml | 30 +++++++++++ .github/workflows/release-tags.yml | 18 +++++++ .github/workflows/upload-release.yml | 71 ++++++++++++++++++++++++++ flake.nix | 31 +++++++++++ 6 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/release-branches.yml create mode 100644 .github/workflows/release-prs.yml create mode 100644 .github/workflows/release-tags.yml create mode 100644 .github/workflows/upload-release.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7e3c9872d..f04126747 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,4 +18,11 @@ jobs: with: flakehub: true - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build . .#binaryTarball -L + - run: echo "system=$(nix eval --impure --raw --expr 'builtins.currentSystem')" >> "$GITHUB_OUTPUT" + id: system + - run: nix build .# .#binaryTarball --no-link -L + - run: nix build .#binaryTarball --out-link tarball + - uses: actions/upload-artifact@v4 + with: + name: ${{ steps.system.outputs.system }} + path: ./tarball/*.xz 
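Review bot: The upload step depends on `./tarball/*.xz` matching a file, but `actions/upload-artifact@v4` only warns by default when a path matches nothing, so a renamed or missing tarball yields an empty artifact here and a confusing failure in whichever workflow downloads it; add `if-no-files-found: error` under the `with:` block. The two `nix build` lines also build `.#binaryTarball` twice, once with `--no-link` and once with `--out-link tarball`; if the first is only meant to build the default package, `nix build .# --no-link -L` says so more directly. The enclosing job starts outside the hunk.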
diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml new file mode 100644 index 000000000..38e4044ed --- /dev/null +++ b/.github/workflows/release-branches.yml @@ -0,0 +1,20 @@ +name: Release Branch + +concurrency: + group: release + +on: + push: + branches: + # NOTE: make sure any branches here are also valid directory names, + # otherwise creating the directory and uploading to s3 will fail + - "main" + +permissions: + id-token: "write" + contents: "read" + +jobs: + release-branch: + uses: ./.github/workflows/upload-release.yml + secrets: inherit diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml new file mode 100644 index 000000000..818083c68 --- /dev/null +++ b/.github/workflows/release-prs.yml @@ -0,0 +1,30 @@ +name: Release PR + +concurrency: + group: release + +on: + pull_request: + types: + - opened + - reopened + - synchronize + - labeled + +permissions: + id-token: "write" + contents: "read" + +jobs: + release-pr: + # Only intra-repo PRs are allowed to have PR artifacts uploaded + # We only want to trigger once the upload once in the case the upload label is added, not when any label is added + if: | + always() && !failure() && !cancelled() + && github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-priv' + && ( + (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') + || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) + ) + uses: ./.github/workflows/upload-release.yml + secrets: inherit diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml new file mode 100644 index 000000000..709fbb92a --- /dev/null +++ b/.github/workflows/release-tags.yml 
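Review bot: In `release-pr`, the `always() && !failure() && !cancelled()` prefix does nothing useful for a job with no `needs:` (there is no upstream result to inspect) and `always()` is an easy-to-misread construct, so the condition is clearer as just the repository and label checks. The hard-coded `'DeterminateSystems/nix-priv'` also breaks silently if the repository is renamed or mirrored; `github.event.pull_request.head.repo.full_name == github.repository` expresses the intra-repo intent without the literal. The comment above the condition reads "trigger once the upload once" and should read "trigger the upload once".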
@@ -0,0 +1,18 @@ +name: Release Tags + +concurrency: + group: release + +on: + push: + tags: + - "v*.*.*" + +permissions: + contents: write # In order to upload artifacts to GitHub releases + id-token: write # In order to request a JWT for AWS auth + +jobs: + release-tag: + uses: ./.github/workflows/upload-release.yml + secrets: inherit diff --git a/.github/workflows/upload-release.yml b/.github/workflows/upload-release.yml new file mode 100644 index 000000000..bec5816be --- /dev/null +++ b/.github/workflows/upload-release.yml 
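Review bot: `contents: write` is granted to the whole workflow with the comment that it is for uploading to GitHub releases, but the called `upload-release.yml` only requests `contents: "read"` and no step in this series uploads to a GitHub release, so the extra scope is unused by every job this trigger starts. Keep the caller at `contents: "read"` (matching `release-branches.yml` and `release-prs.yml`) until a step actually needs write access, and add the scope at that job's level rather than workflow-wide.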
@@ -0,0 +1,71 @@ +name: Upload release + +concurrency: + group: upload-release + +on: + workflow_call: + +permissions: + id-token: "write" + contents: "read" + +jobs: + build-x86_64-linux: + uses: ./.github/workflows/build.yml + with: + os: blacksmith-32vcpu-ubuntu-2204 + build-aarch64-linux: + uses: ./.github/workflows/build.yml + with: + os: blacksmith-32vcpu-ubuntu-2204-arm + build-x86_64-darwin: + uses: ./.github/workflows/build.yml + with: + os: macos-13 + build-aarch64-darwin: + uses: ./.github/workflows/build.yml + with: + os: macos-latest + + release: + runs-on: ubuntu-latest + needs: + - build-x86_64-linux + - build-aarch64-linux + - build-x86_64-darwin + - build-aarch64-darwin + steps: + - name: Checkout + uses: actions/checkout@v4 + - uses: "DeterminateSystems/nix-installer-action@main" + with: + determinate: true + + - name: Create artifacts directory + run: mkdir -p ./artifacts + + - name: Fetch artifacts + uses: actions/download-artifact@v4 + with: + path: downloaded + - name: Move downloaded artifacts to artifacts directory + run: | + for dir in ./downloaded/*; do + arch="$(basename "$dir")" + mv "$dir"/*.xz ./artifacts/"${arch}" + done + + - name: Build fallback-paths.nix + run: | + nix build .#fallbackPathsNix --out-link fallback + cat fallback > ./artifacts/fallback-paths.nix + + - uses: DeterminateSystems/push-artifact-ids@main + with: + s3_upload_role: ${{ secrets.AWS_S3_UPLOAD_ROLE_ARN }} + bucket: ${{ secrets.AWS_S3_UPLOAD_BUCKET_NAME }} + directory: ./artifacts + ids_project_name: determinate-nix + ids_binary_prefix: determinate-nix + skip_acl: true diff --git a/flake.nix b/flake.nix index 29111b453..a499c0dcb 100644 --- a/flake.nix +++ b/flake.nix 
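Review bot: `mv "$dir"/*.xz ./artifacts/"${arch}"` renames the downloaded tarball to a file named only after the system, dropping the `.xz` extension, and it fails outright if an artifact ever contains more than one `.xz` because the target is not a directory. If the extensionless name is what `push-artifact-ids` expects, a comment saying so would spare the next reader a detour; otherwise `mkdir -p ./artifacts/"${arch}" && mv "$dir"/*.xz ./artifacts/"${arch}"/` keeps the file names. The loop also iterates over the literal glob when `./downloaded` is empty, which at least fails loudly at `mv`. Separately, every action reference here is a floating `@main`; pinning to a commit SHA is the standard hardening for a workflow that exchanges an OIDC token for the S3 upload role.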
@@ -294,6 +294,37 @@ nix-manual = nixpkgsFor.${system}.native.nixComponents.nix-manual; nix-internal-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-internal-api-docs; nix-external-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-external-api-docs; + + fallbackPathsNix = + let + pkgs = nixpkgsFor.${system}.native; + + # NOTE(cole-h): discard string context so that it doesn't try to build, we just care about the outPaths + closures = forAllSystems (system: builtins.unsafeDiscardStringContext self.packages.${system}.default.outPath); + + closures_json = pkgs.runCommand "versions.json" + { + buildInputs = [ pkgs.jq ]; + passAsFile = [ "json" ]; + json = builtins.toJSON closures; + } '' + cat "$jsonPath" | jq . > $out + ''; + + closures_nix = pkgs.runCommand "versions.nix" + { + buildInputs = [ pkgs.jq ]; + passAsFile = [ "template" ]; + jsonPath = closures_json; + template = '' + builtins.fromJSON('''@closures@''') + ''; + } '' + export closures=$(cat "$jsonPath"); + substituteAll "$templatePath" "$out" + ''; + in + closures_nix; } # We need to flatten recursive attribute sets of derivations to pass `flake check`. // From 702bde8bf0577ebb4df9037d213225eae60155cb Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Fri, 21 Feb 2025 13:02:04 -0800 Subject: [PATCH 3/7] Revert "wip: delete unnecessary CI for now" This reverts commit d712540206fb40d3c26809bdcdd0479a37072df9. --- .github/workflows/ci.yml | 169 ++++++++++++++++++++++++++++++++++ .github/workflows/labels.yml | 24 +++++ .github/workflows/publish.yml | 23 +++++ .github/workflows/test.yml | 21 +++++ 4 files changed, 237 insertions(+) create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/labels.yml create mode 100644 .github/workflows/publish.yml create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..c3a96704f --- /dev/null +++ b/.github/workflows/ci.yml 
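Review bot: `fallbackPathsNix` has no comment explaining what it produces or who consumes it, and the `forAllSystems (system: ...)` lambda reuses the name `system` from the enclosing scope that `pkgs` is derived from, which reads as if the same value were meant. Suggest a header comment above the `let`, e.g. `# Nix file (loaded via builtins.fromJSON) mapping each system to the store path of packages.<system>.default; shipped next to the release artifacts as fallback-paths.nix.`, and a distinct parameter name such as `closures = forAllSystems (sys: builtins.unsafeDiscardStringContext self.packages.${sys}.default.outPath);`. The `''@closures@''` template also relies on the JSON never containing `''` or `${`; that holds for store paths, but a one-line comment next to `template` should record the assumption.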
@@ -0,0 +1,169 @@ +name: "CI" + +on: + pull_request: + push: + branches: + - detsys-main + - main + - master + merge_group: + +permissions: + id-token: "write" + contents: "read" + +jobs: + eval: + runs-on: blacksmith-32vcpu-ubuntu-2204 + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: DeterminateSystems/nix-installer-action@main + with: + flakehub: true + - run: nix flake show --all-systems --json + + build_x86_64-linux: + uses: ./.github/workflows/build.yml + with: + os: blacksmith-32vcpu-ubuntu-2204 + + build_aarch64-linux: + if: github.event_name == 'merge_group' + uses: ./.github/workflows/build.yml + with: + os: blacksmith-32vcpu-ubuntu-2204-arm + + build_x86_64-darwin: + if: github.event_name == 'merge_group' + uses: ./.github/workflows/build.yml + with: + os: macos-13 + + build_aarch64-darwin: + uses: ./.github/workflows/build.yml + with: + os: macos-latest + + test_x86_64-linux: + uses: ./.github/workflows/test.yml + needs: build_x86_64-linux + with: + os: blacksmith-32vcpu-ubuntu-2204 + + test_aarch64-linux: + if: github.event_name == 'merge_group' + uses: ./.github/workflows/test.yml + needs: build_aarch64-linux + with: + os: blacksmith-32vcpu-ubuntu-2204-arm + + test_x86_64-darwin: + if: github.event_name == 'merge_group' + uses: ./.github/workflows/test.yml + needs: build_aarch64-darwin + with: + os: macos-13 + + test_aarch64-darwin: + if: github.event_name == 'merge_group' + uses: ./.github/workflows/test.yml + needs: build_aarch64-darwin + with: + os: macos-latest + + vm_tests_smoke: + if: github.event_name != 'merge_group' + needs: build_x86_64-linux + runs-on: blacksmith-32vcpu-ubuntu-2204 + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + with: + flakehub: true + - uses: DeterminateSystems/flakehub-cache-action@main + - run: | + nix build -L \ + .#hydraJobs.tests.functional_user \ + .#hydraJobs.tests.githubFlakes \ + .#hydraJobs.tests.nix-docker \ + 
.#hydraJobs.tests.tarballFlakes \ + ; + + vm_tests_all: + if: github.event_name == 'merge_group' + needs: build_x86_64-linux + runs-on: blacksmith-32vcpu-ubuntu-2204 + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + with: + flakehub: true + - uses: DeterminateSystems/flakehub-cache-action@main + - run: | + nix build -L --keep-going \ + $(nix flake show --json \ + | jq -r ' + .hydraJobs.tests + | with_entries(select(.value.type == "derivation")) + | keys[] + | ".#hydraJobs.tests." + .' \ + | head -n5) # FIXME: for testing the merge queue + + flake_regressions: + if: github.event_name == 'merge_group' + needs: build_x86_64-linux + runs-on: blacksmith-32vcpu-ubuntu-2204 + steps: + - name: Checkout nix + uses: actions/checkout@v4 + - name: Checkout flake-regressions + uses: actions/checkout@v4 + with: + repository: DeterminateSystems/flake-regressions + path: flake-regressions + - name: Checkout flake-regressions-data + uses: actions/checkout@v4 + with: + repository: DeterminateSystems/flake-regressions-data + path: flake-regressions/tests + - uses: DeterminateSystems/nix-installer-action@main + with: + flakehub: true + - uses: DeterminateSystems/flakehub-cache-action@main + - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=50 flake-regressions/eval-all.sh + + manual: + if: github.event_name != 'merge_group' + needs: build_x86_64-linux + runs-on: blacksmith + permissions: + id-token: "write" + contents: "read" + pull-requests: "write" + statuses: "write" + deployments: "write" + steps: + - name: Checkout nix + uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + with: + flakehub: true + - uses: DeterminateSystems/flakehub-cache-action@main + - name: Build manual + run: nix build .#hydraJobs.manual + - uses: nwtgck/actions-netlify@v3.0 + with: + publish-dir: './result/share/doc/nix/manual' + production-branch: detsys-main + github-token: ${{ 
secrets.GITHUB_TOKEN }} + deploy-message: "Deploy from GitHub Actions" + enable-pull-request-comment: true + enable-commit-comment: true + enable-commit-status: true + overwrites-pull-request-comment: true + env: + NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }} + NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }} diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml new file mode 100644 index 000000000..23a5d9e51 --- /dev/null +++ b/.github/workflows/labels.yml @@ -0,0 +1,24 @@ +name: "Label PR" + +on: + pull_request_target: + types: [edited, opened, synchronize, reopened] + +# WARNING: +# When extending this action, be aware that $GITHUB_TOKEN allows some write +# access to the GitHub API. This means that it should not evaluate user input in +# a way that allows code injection. + +permissions: + contents: read + pull-requests: write + +jobs: + labels: + runs-on: ubuntu-24.04 + if: github.repository_owner == 'NixOS' + steps: + - uses: actions/labeler@v5 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + sync-labels: false diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 000000000..00ca3ec53 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,23 @@ +name: Release + +on: + release: + types: + - released + +jobs: + publish: + if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/'))) + environment: ${{ github.event_name == 'release' && 'production' || '' }} + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + - uses: "DeterminateSystems/flakehub-push@main" + with: + rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + visibility: "private" + tag: "${{ github.ref_name }}" 
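Review bot: The `flake_regressions` job checks out `DeterminateSystems/flake-regressions` and `flake-regressions-data` without a `ref:` and then executes `flake-regressions/eval-all.sh`, while the workflow-level `permissions:` grant `id-token: write` to every job, so a change to either repository's default branch runs inside this workflow with an OIDC-capable token. Pin both checkouts with `ref: <commit-sha placeholder>` and move `id-token: "write"` down to only the jobs whose actions actually exchange a token. The same floating `@main` refs apply to the DeterminateSystems actions throughout the file; pinning to a SHA or tag is the usual mitigation. This is a straight revert so none of this is new text, but it is the active configuration again.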
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 000000000..e58827a9c --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,21 @@ +on: + workflow_call: + inputs: + os: + required: true + type: string + +jobs: + + tests: + strategy: + fail-fast: false + runs-on: ${{ inputs.os }} + timeout-minutes: 60 + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + with: + flakehub: true + - uses: DeterminateSystems/flakehub-cache-action@main + - run: nix flake check -L From dee23a0c1412aa5fb5b1ed35cd7824705c947344 Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Fri, 21 Feb 2025 13:29:34 -0800 Subject: [PATCH 4/7] Fold the release things into one workflow --- .github/workflows/release-branches.yml | 20 ----------------- .github/workflows/release-prs.yml | 30 -------------------------- .github/workflows/release-tags.yml | 18 ---------------- .github/workflows/upload-release.yml | 13 +++++++++++ 4 files changed, 13 insertions(+), 68 deletions(-) delete mode 100644 .github/workflows/release-branches.yml delete mode 100644 .github/workflows/release-prs.yml delete mode 100644 .github/workflows/release-tags.yml diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml deleted file mode 100644 index 38e4044ed..000000000 --- a/.github/workflows/release-branches.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Release Branch - -concurrency: - group: release - -on: - push: - branches: - # NOTE: make sure any branches here are also valid directory names, - # otherwise creating the directory and uploading to s3 will fail - - "main" - -permissions: - id-token: "write" - contents: "read" - -jobs: - release-branch: - uses: ./.github/workflows/upload-release.yml - secrets: inherit diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml deleted file mode 100644 index 818083c68..000000000 --- a/.github/workflows/release-prs.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: Release PR - -concurrency: - group: release - -on: - pull_request: - types: - - opened - - reopened - - synchronize - - labeled - -permissions: - id-token: "write" - contents: "read" - -jobs: - release-pr: - # Only intra-repo PRs are allowed to have PR artifacts uploaded - # We only want to trigger once the upload once in the case the upload label is added, not when any label is added - if: | - always() && !failure() && !cancelled() - && github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-priv' - && ( - (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') - || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) - ) - uses: ./.github/workflows/upload-release.yml - secrets: inherit diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml deleted file mode 100644 index 709fbb92a..000000000 --- a/.github/workflows/release-tags.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: Release Tags - -concurrency: - group: release - -on: - push: - tags: - - "v*.*.*" - -permissions: - contents: write # In order to upload artifacts to GitHub releases - id-token: write # In order to request a JWT for AWS auth - -jobs: - release-tag: - uses: ./.github/workflows/upload-release.yml - secrets: inherit diff --git a/.github/workflows/upload-release.yml b/.github/workflows/upload-release.yml index bec5816be..cffbb315e 100644 --- a/.github/workflows/upload-release.yml +++ b/.github/workflows/upload-release.yml @@ -5,6 +5,19 @@ concurrency: on: workflow_call: + push: + branches: + # NOTE: make sure any branches here are also valid directory names, + # otherwise creating the directory and uploading to s3 will fail + - "main" + tags: + - "v*.*.*" + pull_request: + types: + - opened + - reopened + - synchronize + - labeled permissions: id-token: "write" From 14818b0d8817ce50145967768c8b2ade08f9b931 Mon Sep 17 00:00:00 2001 
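Review bot: Folding the `pull_request` trigger into `upload-release.yml` drops the guard that `release-prs.yml` had: nothing in this hunk restricts PR runs to intra-repo heads carrying the `upload to s3` label, so as written every opened, synchronized or labeled PR starts the four builds and the S3 upload. If no `if:` was added to the `release` job outside this hunk, add one, e.g. `if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && contains(github.event.pull_request.labels.*.name, 'upload to s3'))`. Keeping the `labeled` type without that gate also means any label change re-runs the whole pipeline. The `jobs:` section this affects is outside the hunk.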
From: Cole Helbling Date: Fri, 21 Feb 2025 13:31:58 -0800 Subject: [PATCH 5/7] fixup: use release not tags --- .github/workflows/upload-release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/upload-release.yml b/.github/workflows/upload-release.yml index cffbb315e..6fbf33420 100644 --- a/.github/workflows/upload-release.yml +++ b/.github/workflows/upload-release.yml @@ -10,14 +10,15 @@ on: # NOTE: make sure any branches here are also valid directory names, # otherwise creating the directory and uploading to s3 will fail - "main" - tags: - - "v*.*.*" pull_request: types: - opened - reopened - synchronize - labeled + release: + types: + - released permissions: id-token: "write" From a341be4d9b8ed69322a281613c2ef7135d9d4578 Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Fri, 21 Feb 2025 13:33:56 -0800 Subject: [PATCH 6/7] fixup: fold publish.yml into upload-release.yml --- .github/workflows/publish.yml | 23 ----------------------- .github/workflows/upload-release.yml | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 23 deletions(-) delete mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 00ca3ec53..000000000 --- a/.github/workflows/publish.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -name: Release - -on: - release: - types: - - released - -jobs: - publish: - if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/'))) - environment: ${{ github.event_name == 'release' && 'production' || '' }} - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - steps: - - uses: actions/checkout@v4 - - uses: DeterminateSystems/nix-installer-action@main - - uses: "DeterminateSystems/flakehub-push@main" - with: - rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} - visibility: "private" - tag: "${{ github.ref_name }}" diff --git a/.github/workflows/upload-release.yml b/.github/workflows/upload-release.yml index 6fbf33420..5e09c010c 100644 --- a/.github/workflows/upload-release.yml +++ b/.github/workflows/upload-release.yml @@ -83,3 +83,21 @@ jobs: ids_project_name: determinate-nix ids_binary_prefix: determinate-nix skip_acl: true + + publish: + needs: + - release + if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/'))) + environment: ${{ github.event_name == 'release' && 'production' || '' }} + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - uses: actions/checkout@v4 + - uses: DeterminateSystems/nix-installer-action@main + - uses: "DeterminateSystems/flakehub-push@main" + with: + rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }} + visibility: "private" + tag: "${{ github.ref_name }}" From a4e9b65c3a065941167bb5567203e4d406d076fb Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Fri, 21 Feb 2025 13:50:29 -0800 Subject: [PATCH 7/7] fixup: remove unsafeDiscardStringContext? --- flake.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index a499c0dcb..04f3e4d87 100644 
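Review bot: Moving `publish` into a workflow that now also runs on `push` to `main` changes its behaviour: on those pushes `github.ref` equals the default-branch ref, so the `if:` passes, `rolling:` evaluates to true and `environment:` to the empty string, meaning a rolling FlakeHub release is pushed on every main commit with no environment protection, which `publish.yml` never did because it only ran on `release` events. If that is intended the commit message should say so; if not, add `if: github.event_name == 'release'` to the job or fold it into the existing condition. The `!github.repository.fork` term also appears to be a no-op, since `github.repository` is a string and dereferencing a property on it yields null; `!github.event.repository.fork` is the field that carries the fork flag. `needs: release` means the job inherits whatever gating `release` has, but none is visible in this hunk.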
--- a/flake.nix +++ b/flake.nix @@ -299,8 +299,7 @@ let pkgs = nixpkgsFor.${system}.native; - # NOTE(cole-h): discard string context so that it doesn't try to build, we just care about the outPaths - closures = forAllSystems (system: builtins.unsafeDiscardStringContext self.packages.${system}.default.outPath); + closures = forAllSystems (system: self.packages.${system}.default.outPath); closures_json = pkgs.runCommand "versions.json" {
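Review bot: Dropping `builtins.unsafeDiscardStringContext` keeps the string context of each `outPath` inside `closures`, and `builtins.toJSON closures` carries that context into the `json` attribute of the `versions.json` derivation, so `closures_json` now depends on building `packages.<system>.default` for every system in `forAllSystems` rather than only on knowing their store paths; `nix build .#fallbackPathsNix` in `upload-release.yml` would then attempt the other three platforms' builds from a single runner. The removed NOTE explained exactly this, so either keep the discard with its comment or state in the commit message why the dependency is now wanted. The subject's trailing question mark suggests the author was unsure; a comment at the `closures =` line recording the decision would settle it for the next reader. The enclosing `fallbackPathsNix` binding continues outside the hunk.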