Merge pull request #50 from DeterminateSystems/cole/fh-630-update-the-nix-ci-to-push-to-ids-on-prs-with-label-tags-and

Setup uploading PRs, tags, and branches to IDS

.github/workflows/build.yml

@@ -18,4 +18,11 @@ jobs:
         with:
           flakehub: true
       - uses: DeterminateSystems/flakehub-cache-action@main
-      - run: nix build . .#binaryTarball -L
+      - run: echo "system=$(nix eval --impure --raw --expr 'builtins.currentSystem')" >> "$GITHUB_OUTPUT"
+        id: system
+      - run: nix build .# .#binaryTarball --no-link -L
+      - run: nix build .#binaryTarball --out-link tarball
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.system.outputs.system }}
+          path: ./tarball/*.xz

.github/workflows/publish.yml

@@ -1,23 +0,0 @@
-name: Release
-
-on:
-  release:
-    types:
-      - released
-
-jobs:
-  publish:
-    if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/')))
-    environment: ${{ github.event_name == 'release' && 'production' || '' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: "DeterminateSystems/flakehub-push@main"
-        with:
-          rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
-          visibility: "private"
-          tag: "${{ github.ref_name }}"

.github/workflows/upload-release.yml

@@ -0,0 +1,103 @@
+name: Upload release
+
+concurrency:
+  group: upload-release
+
+on:
+  workflow_call:
+  push:
+    branches:
+      # NOTE: make sure any branches here are also valid directory names,
+      # otherwise creating the directory and uploading to s3 will fail
+      - "main"
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+  release:
+    types:
+      - released
+
+permissions:
+  id-token: "write"
+  contents: "read"
+
+jobs:
+  build-x86_64-linux:
+    uses: ./.github/workflows/build.yml
+    with:
+      os: blacksmith-32vcpu-ubuntu-2204
+  build-aarch64-linux:
+    uses: ./.github/workflows/build.yml
+    with:
+      os: blacksmith-32vcpu-ubuntu-2204-arm
+  build-x86_64-darwin:
+    uses: ./.github/workflows/build.yml
+    with:
+      os: macos-13
+  build-aarch64-darwin:
+    uses: ./.github/workflows/build.yml
+    with:
+      os: macos-latest
+
+  release:
+    runs-on: ubuntu-latest
+    needs:
+      - build-x86_64-linux
+      - build-aarch64-linux
+      - build-x86_64-darwin
+      - build-aarch64-darwin
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: "DeterminateSystems/nix-installer-action@main"
+        with:
+          determinate: true
+
+      - name: Create artifacts directory
+        run: mkdir -p ./artifacts
+
+      - name: Fetch artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: downloaded
+      - name: Move downloaded artifacts to artifacts directory
+        run: |
+          for dir in ./downloaded/*; do
+            arch="$(basename "$dir")"
+            mv "$dir"/*.xz ./artifacts/"${arch}"
+          done
+
+      - name: Build fallback-paths.nix
+        run: |
+          nix build .#fallbackPathsNix --out-link fallback
+          cat fallback > ./artifacts/fallback-paths.nix
+
+      - uses: DeterminateSystems/push-artifact-ids@main
+        with:
+          s3_upload_role: ${{ secrets.AWS_S3_UPLOAD_ROLE_ARN }}
+          bucket: ${{ secrets.AWS_S3_UPLOAD_BUCKET_NAME }}
+          directory: ./artifacts
+          ids_project_name: determinate-nix
+          ids_binary_prefix: determinate-nix
+          skip_acl: true
+
+  publish:
+    needs:
+      - release
+    if: (!github.repository.fork && (github.ref == format('refs/heads/{0}', github.event.repository.default_branch) || startsWith(github.ref, 'refs/tags/')))
+    environment: ${{ github.event_name == 'release' && 'production' || '' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: "DeterminateSystems/flakehub-push@main"
+        with:
+          rolling: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+          visibility: "private"
+          tag: "${{ github.ref_name }}"

flake.nix

@@ -294,6 +294,36 @@
           nix-manual = nixpkgsFor.${system}.native.nixComponents.nix-manual;
           nix-internal-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-internal-api-docs;
           nix-external-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-external-api-docs;
+
+          fallbackPathsNix =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+
+              closures = forAllSystems (system: self.packages.${system}.default.outPath);
+
+              closures_json = pkgs.runCommand "versions.json"
+                {
+                  buildInputs = [ pkgs.jq ];
+                  passAsFile = [ "json" ];
+                  json = builtins.toJSON closures;
+                } ''
+                cat "$jsonPath" | jq . > $out
+              '';
+
+              closures_nix = pkgs.runCommand "versions.nix"
+                {
+                  buildInputs = [ pkgs.jq ];
+                  passAsFile = [ "template" ];
+                  jsonPath = closures_json;
+                  template = ''
+                    builtins.fromJSON('''@closures@''')
+                  '';
+                } ''
+                export closures=$(cat "$jsonPath");
+                substituteAll "$templatePath" "$out"
+              '';
+            in
+            closures_nix;
         }
         # We need to flatten recursive attribute sets of derivations to pass `flake check`.
         //