build: pin MacOS build to macos-13
#245
name: "ipso-cli" | |
on: | |
push: | |
branches: | |
- main | |
tags: | |
- "v*" | |
workflow_dispatch: | |
env: | |
NIX_PUBLIC_KEY: "ipso-binary-cache-1:UMRLNOKcCsb/a2dBhtcZhRZP4RN8yIDsSUwHTObu2w4=" | |
# Note: these values are duplicated in the `UPLOAD_TO_CACHE` script. | |
BINARY_CACHE_BUCKET: "ipso-binary-cache" | |
BINARY_CACHE_ENDPOINT: "7065dc7f7d1813a29036535b4c4f4014.r2.cloudflarestorage.com" | |
# Avoid [rate | |
# limiting](https://discourse.nixos.org/t/flakes-provide-github-api-token-for-rate-limiting/18609) | |
# by allowing Nix to make authenticated GitHub requests. | |
NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}" | |
# The version of ipso to use for CI scripts that are written in the language. | |
CI_IPSO_VERSION: "v0.5" | |
jobs: | |
build-linux: | |
runs-on: ubuntu-latest | |
env: | |
POST_BUILD_HOOK: ".github/workflows/postBuildHook" | |
UPLOAD_TO_CACHE: ".github/workflows/uploadToCache" | |
steps: | |
- uses: actions/[email protected] | |
- uses: cachix/install-nix-action@v24 | |
# Used by `uploadToCache` to sign store paths. | |
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'" | |
# Grants the Nix daemon access to the bucket, which allows `nix build` to | |
# authenticate with the binary cache bucket and fetch cache items. | |
- run: sudo mkdir /root/.aws | |
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'" | |
# Grants the runner access to the bucket, which allows `pueue` to | |
# authenticate with the binary cache bucket when pushing signed cache items. | |
- run: sudo mkdir ~/.aws | |
- run: sudo chown runner ~/.aws | |
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials" | |
# Allow the Nix daemon to execute the post-build-hook script. | |
- run: "sudo chmod +x $POST_BUILD_HOOK" | |
# Used in `postBuildHook`. | |
- run: sudo cp $UPLOAD_TO_CACHE /run/uploadToCache | |
# See [note: installing Ipso binary] | |
- name: Install Ipso binary | |
run: | | |
mkdir -p $HOME/bin | |
curl -L \ | |
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \ | |
> $HOME/bin/ipso | |
chmod +x $HOME/bin/ipso | |
echo "$HOME/bin" >> $GITHUB_PATH | |
- run: nix profile install nixpkgs#pueue | |
# See [note: nix profile install not adding to PATH] | |
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH | |
- run: pueued -d | |
- run: > | |
nix build | |
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT" | |
--extra-trusted-public-keys "$NIX_PUBLIC_KEY" | |
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK" | |
-o result | |
- name: wait for uploads to finish | |
if: always() | |
run: pueue wait | |
- name: log all uploads | |
if: always() | |
run: pueue log --json | jq '.[].task.original_command' -r | |
- name: log failed uploads | |
if: always() | |
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log | |
- name: check uploads succeeded | |
if: always() | |
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]" | |
- run: cp result-bin/bin/ipso ipso-linux-x86_64 | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: ipso-linux-x86_64 | |
path: ipso-linux-x86_64 | |
build-macos: | |
# `macos-13` is the last CI runner that defaults to `x86_64`. Newer versions, including `macos-latest`, now use `aarch64`. | |
# | |
# See: https://github.com/actions/runner-images/issues/9741 | |
runs-on: macos-13 | |
env: | |
POST_BUILD_HOOK: ".github/workflows/postBuildHookMacos" | |
UPLOAD_TO_CACHE: ".github/workflows/uploadToCacheMacos" | |
steps: | |
- uses: actions/[email protected] | |
- uses: cachix/install-nix-action@v24 | |
# Used by `uploadToCache` to sign store paths. | |
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /var/run/nix-signing-key'" | |
# Grants the Nix daemon access to the bucket, which allows `nix build` to | |
# authenticate with the binary cache bucket and fetch cache items. | |
- run: sudo mkdir /var/root/.aws | |
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /var/root/.aws/credentials'" | |
# Grants the runner access to the bucket, which allows `pueue` to | |
# authenticate with the binary cache bucket when pushing signed cache items. | |
- run: sudo mkdir ~/.aws | |
- run: sudo chown runner ~/.aws | |
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials" | |
# Allow the Nix daemon to execute the post-build-hook script. | |
- run: "sudo chmod +x $POST_BUILD_HOOK" | |
# Used in `postBuildHookMacos`. | |
- run: sudo cp $UPLOAD_TO_CACHE /var/run/uploadToCache | |
# See [note: installing Ipso binary] | |
- name: Install Ipso binary | |
run: | | |
mkdir -p $HOME/bin | |
curl -L \ | |
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-macos-x86_64" \ | |
> $HOME/bin/ipso | |
chmod +x $HOME/bin/ipso | |
echo "$HOME/bin" >> $GITHUB_PATH | |
- run: nix profile install nixpkgs#pueue | |
# See [note: nix profile install not adding to PATH] | |
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH | |
- run: pueued -d | |
- run: > | |
nix build | |
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT" | |
--extra-trusted-public-keys "$NIX_PUBLIC_KEY" | |
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK" | |
-o result | |
- name: wait for uploads to finish | |
if: always() | |
run: pueue wait | |
- name: log all uploads | |
if: always() | |
run: pueue log --json | jq '.[].task.original_command' -r | |
- name: log failed uploads | |
if: always() | |
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log | |
- name: check uploads succeeded | |
if: always() | |
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]" | |
- run: cp result-bin/bin/ipso ipso-macos-x86_64 | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: ipso-macos-x86_64 | |
path: ipso-macos-x86_64 | |
release: | |
needs: [build-linux, build-macos] | |
if: startsWith(github.ref, 'refs/tags/v') && github.event_name == 'push' | |
runs-on: ubuntu-latest | |
env: | |
POST_BUILD_HOOK: ".github/workflows/postBuildHook" | |
UPLOAD_TO_CACHE: ".github/workflows/uploadToCache" | |
steps: | |
- uses: actions/[email protected] | |
# Nix setup | |
- uses: actions/[email protected] | |
- uses: cachix/install-nix-action@v24 | |
# Used by `uploadToCache` to sign store paths. | |
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'" | |
# Grants the Nix daemon access to the bucket, which allows `nix build` to | |
# authenticate with the binary cache bucket and fetch cache items. | |
- run: sudo mkdir /root/.aws | |
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'" | |
# Grants the runner access to the bucket, which allows `pueue` to | |
# authenticate with the binary cache bucket when pushing signed cache items. | |
- run: sudo mkdir ~/.aws | |
- run: sudo chown runner ~/.aws | |
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials" | |
# Allow the Nix daemon to execute the post-build-hook script. | |
- run: "sudo chmod +x $POST_BUILD_HOOK" | |
# Used in `postBuildHook`. | |
- run: sudo cp $UPLOAD_TO_CACHE /run/uploadToCache | |
# See [note: installing Ipso binary] | |
- name: Install Ipso binary | |
run: | | |
mkdir -p $HOME/bin | |
curl -L \ | |
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \ | |
> $HOME/bin/ipso | |
chmod +x $HOME/bin/ipso | |
echo "$HOME/bin" >> $GITHUB_PATH | |
- run: nix profile install nixpkgs#pueue | |
# See [note: nix profile install not adding to PATH] | |
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH | |
- run: pueued -d | |
- name: Check release version | |
run: > | |
nix shell | |
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT" | |
--extra-trusted-public-keys "$NIX_PUBLIC_KEY" | |
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK" | |
-c .github/workflows/checkReleaseVersion | |
- uses: actions/download-artifact@v4 | |
with: | |
name: ipso-linux-x86_64 | |
- uses: actions/download-artifact@v4 | |
with: | |
name: ipso-macos-x86_64 | |
- name: wait for uploads to finish | |
if: always() | |
run: pueue wait | |
- name: log all uploads | |
if: always() | |
run: pueue log --json | jq '.[].task.original_command' -r | |
- name: log failed uploads | |
if: always() | |
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log | |
- name: check uploads succeeded | |
if: always() | |
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]" | |
- uses: softprops/action-gh-release@v1 | |
with: | |
name: ${{ github.ref_name }} | |
files: | | |
ipso-linux-x86_64 | |
ipso-macos-x86_64 |
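Review bot: The `runs-on: macos-13` pin in `build-macos` relies on the image's default architecture, but nothing in the job verifies it, while the artifact name `ipso-macos-x86_64` in the final `cp` and `upload-artifact` steps hard-codes x86_64; if the label is later bumped (hosted images are retired over time, so this pin presumably has a shelf life) the release would ship an aarch64 binary under an x86_64 name without any step failing. Add a guard right after the checkout step so a runner-image change fails the build instead of the artifact, `- run: test "$(uname -m)" = x86_64`. It would also help to extend the comment on the pin with a maintenance note, e.g. `# TODO: when macos-13 is retired, build x86_64 explicitly rather than relying on the host default.`, and to wrap that comment line, which currently exceeds 120 columns.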