Skip to content

build: pin MacOS build to macos-13 #245

build: pin MacOS build to macos-13

build: pin MacOS build to macos-13 #245

Workflow file for this run

name: "ipso-cli"
on:
push:
branches:
- main
tags:
- "v*"
workflow_dispatch:
env:
NIX_PUBLIC_KEY: "ipso-binary-cache-1:UMRLNOKcCsb/a2dBhtcZhRZP4RN8yIDsSUwHTObu2w4="
# Note: these values are duplicated in the `UPLOAD_TO_CACHE` script.
BINARY_CACHE_BUCKET: "ipso-binary-cache"
BINARY_CACHE_ENDPOINT: "7065dc7f7d1813a29036535b4c4f4014.r2.cloudflarestorage.com"
# Avoid [rate
# limiting](https://discourse.nixos.org/t/flakes-provide-github-api-token-for-rate-limiting/18609)
# by allowing Nix to make authenticated GitHub requests.
NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}"
# The version of ipso to use for CI scripts that are written in the language.
CI_IPSO_VERSION: "v0.5"
jobs:
build-linux:
runs-on: ubuntu-latest
env:
POST_BUILD_HOOK: ".github/workflows/postBuildHook"
UPLOAD_TO_CACHE: ".github/workflows/uploadToCache"
steps:
- uses: actions/[email protected]
- uses: cachix/install-nix-action@v24
# Used by `uploadToCache` to sign store paths.
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'"
# Grants the Nix daemon access to the bucket, which allows `nix build` to
# authenticate with the binary cache bucket and fetch cache items.
- run: sudo mkdir /root/.aws
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'"
# Grants the runner access to the bucket, which allows `pueue` to
# authenticate with the binary cache bucket when pushing signed cache items.
- run: sudo mkdir ~/.aws
- run: sudo chown runner ~/.aws
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials"
# Allow the Nix daemon to execute the post-build-hook script.
- run: "sudo chmod +x $POST_BUILD_HOOK"
# Used in `postBuildHook`.
- run: sudo cp $UPLOAD_TO_CACHE /run/uploadToCache
# See [note: installing Ipso binary]
- name: Install Ipso binary
run: |
mkdir -p $HOME/bin
curl -L \
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \
> $HOME/bin/ipso
chmod +x $HOME/bin/ipso
echo "$HOME/bin" >> $GITHUB_PATH
- run: nix profile install nixpkgs#pueue
# See [note: nix profile install not adding to PATH]
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH
- run: pueued -d
- run: >
nix build
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-o result
- name: wait for uploads to finish
if: always()
run: pueue wait
- name: log all uploads
if: always()
run: pueue log --json | jq '.[].task.original_command' -r
- name: log failed uploads
if: always()
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log
- name: check uploads succeeded
if: always()
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]"
- run: cp result-bin/bin/ipso ipso-linux-x86_64
- uses: actions/upload-artifact@v3
with:
name: ipso-linux-x86_64
path: ipso-linux-x86_64
build-macos:
# `macos-13` is the last CI runner that defaults to `x86_64`. Newer versions, including `macos-latest`, now use `aarch64`.
#
# See: https://github.com/actions/runner-images/issues/9741
runs-on: macos-13
env:
POST_BUILD_HOOK: ".github/workflows/postBuildHookMacos"
UPLOAD_TO_CACHE: ".github/workflows/uploadToCacheMacos"
steps:
- uses: actions/[email protected]
- uses: cachix/install-nix-action@v24
# Used by `uploadToCache` to sign store paths.
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /var/run/nix-signing-key'"
# Grants the Nix daemon access to the bucket, which allows `nix build` to
# authenticate with the binary cache bucket and fetch cache items.
- run: sudo mkdir /var/root/.aws
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /var/root/.aws/credentials'"
# Grants the runner access to the bucket, which allows `pueue` to
# authenticate with the binary cache bucket when pushing signed cache items.
- run: sudo mkdir ~/.aws
- run: sudo chown runner ~/.aws
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials"
# Allow the Nix daemon to execute the post-build-hook script.
- run: "sudo chmod +x $POST_BUILD_HOOK"
# Used in `postBuildHookMacos`.
- run: sudo cp $UPLOAD_TO_CACHE /var/run/uploadToCache
# See [note: installing Ipso binary]
- name: Install Ipso binary
run: |
mkdir -p $HOME/bin
curl -L \
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-macos-x86_64" \
> $HOME/bin/ipso
chmod +x $HOME/bin/ipso
echo "$HOME/bin" >> $GITHUB_PATH
- run: nix profile install nixpkgs#pueue
# See [note: nix profile install not adding to PATH]
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH
- run: pueued -d
- run: >
nix build
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-o result
- name: wait for uploads to finish
if: always()
run: pueue wait
- name: log all uploads
if: always()
run: pueue log --json | jq '.[].task.original_command' -r
- name: log failed uploads
if: always()
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log
- name: check uploads succeeded
if: always()
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]"
- run: cp result-bin/bin/ipso ipso-macos-x86_64
- uses: actions/upload-artifact@v3
with:
name: ipso-macos-x86_64
path: ipso-macos-x86_64
release:
needs: [build-linux, build-macos]
if: startsWith(github.ref, 'refs/tags/v') && github.event_name == 'push'
runs-on: ubuntu-latest
env:
POST_BUILD_HOOK: ".github/workflows/postBuildHook"
UPLOAD_TO_CACHE: ".github/workflows/uploadToCache"
steps:
- uses: actions/[email protected]
# Nix setup
- uses: actions/[email protected]
- uses: cachix/install-nix-action@v24
# Used by `uploadToCache` to sign store paths.
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'"
# Grants the Nix daemon access to the bucket, which allows `nix build` to
# authenticate with the binary cache bucket and fetch cache items.
- run: sudo mkdir /root/.aws
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'"
# Grants the runner access to the bucket, which allows `pueue` to
# authenticate with the binary cache bucket when pushing signed cache items.
- run: sudo mkdir ~/.aws
- run: sudo chown runner ~/.aws
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials"
# Allow the Nix daemon to execute the post-build-hook script.
- run: "sudo chmod +x $POST_BUILD_HOOK"
# Used in `postBuildHook`.
- run: sudo cp $UPLOAD_TO_CACHE /run/uploadToCache
# See [note: installing Ipso binary]
- name: Install Ipso binary
run: |
mkdir -p $HOME/bin
curl -L \
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \
> $HOME/bin/ipso
chmod +x $HOME/bin/ipso
echo "$HOME/bin" >> $GITHUB_PATH
- run: nix profile install nixpkgs#pueue
# See [note: nix profile install not adding to PATH]
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH
- run: pueued -d
- name: Check release version
run: >
nix shell
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-c .github/workflows/checkReleaseVersion
- uses: actions/download-artifact@v4
with:
name: ipso-linux-x86_64
- uses: actions/download-artifact@v4
with:
name: ipso-macos-x86_64
- name: wait for uploads to finish
if: always()
run: pueue wait
- name: log all uploads
if: always()
run: pueue log --json | jq '.[].task.original_command' -r
- name: log failed uploads
if: always()
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log
- name: check uploads succeeded
if: always()
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]"
- uses: softprops/action-gh-release@v1
with:
name: ${{ github.ref_name }}
files: |
ipso-linux-x86_64
ipso-macos-x86_64