Skip to content
.github/workflows/push-based-deploy.yml

GitHub based deploy #10

Sign in to view logs

GitHub based deploy

GitHub based deploy #10

Workflow file for this run

.github/workflows/push-based-deploy.yml at 4a3beff
on:
push:
branches: [main]
pull_request:
jobs:
build-and-deploy:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
id: aws
with:
role-to-assume: "${{ vars.DEPLOY_ROLE_ARN }}"
aws-region: eu-central-1
output-credentials: true
- name: Set up aws credentials for root user
run: |
sudo aws configure set aws_access_key_id ${{ steps.aws.outputs.aws-access-key-id }}
sudo aws configure set aws_secret_access_key ${{ steps.aws.outputs.aws-secret-access-key }}
sudo aws configure set aws_session_token ${{ steps.aws.outputs.aws-session-token }}
sudo aws configure set region eu-central-1
- run: nix store ping --store "${{ vars.CACHE_BUCKET }}"
- id: build
run: |
nix build .#nixosConfigurations.web-push.config.system.build.toplevel --extra-substituters '${{ vars.CACHE_BUCKET }}' --extra-trusted-public-keys '${{ vars.CACHE_PUBLIC_KEY }}'
out_path=$(readlink ./result)
echo "out_path=$out_path" >> "$GITHUB_OUTPUT"
- id: sign
run: |
echo "$CACHE_SECRET_KEY" > cache-secret-key
nix store sign --recursive --key-file cache-secret-key ${{ steps.build.outputs.out_path }}
env:
CACHE_SECRET_KEY: ${{ secrets.CACHE_SECRET_KEY }}
- id: copy
run: |
nix copy --to "${{ vars.CACHE_BUCKET }}" ${{ steps.build.outputs.out_path }}
- id: deploy
run: |
aws ssm send-command \
--document-name NixOS-deploy \
--targets 'Key=tag:Name,Values=web-push' \
--parameters "installable=${{ steps.build.outputs.out_path }},substituters=${{ vars.CACHE_BUCKET }},publicKeys=${{ vars.CACHE_PUBLIC_KEY }}"
- id: wait-for-deploy
run: |
echo "TODO: Implement"
echo "Deployed successfully"