CI: add nix flake update and commit steps

And rename the workflow as it no longer runs just checks.
2024-05-18 21:57:06 +10:00 · 2024-05-18 21:57:06 +10:00 · 6aad68a612
commit 6aad68a612
parent db62bca56c
1 changed files with 28 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -0,0 +1,82 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This workflow does double duty: it runs checks against PRs/pushes, and it
+# updates flake.lock (run from a schedule or manually).
+#
+# This approach seems simpler than having a separate lockfile-updating workflow
+# that creates a PR that gets the normal check workflow ran against it before
+# merging, especially since (according to
+# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
+# not run workflows against PRs created by a GitHub Action.
+
+name: CI
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      updateFlakeLock:
+        description: 'Update flake.lock'
+        default: false
+        type: boolean
+# To enable once confirmed working.
+# schedule:
+#   - cron: '23 8 * * *' # runs daily at a randomly selected time
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Enable Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
+      - name: Update flake.lock
+        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
+        run: nix flake update --commit-lock-file
+      - name: Check flake.lock
+        uses: DeterminateSystems/flake-checker-action@main
+        with:
+          nixpkgs-keys: ""  # TODO: check nixpkgs used for cached builds
+      - name: Cache git checkouts
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/nix/gitv3
+          key: nix-gitv3-cache-${{ hashFiles('flake.lock') }}
+          restore-keys: nix-gitv3-cache-
+      - name: nix flake check
+        run: nix flake check -L --show-trace
+      - name: Push changes
+        if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
+        run: git push
+
+# TODO: try to improve caching.
+#
+# We spend a lot of time fetching sources. Caching all of ~/.cache/nix/gitv3 is
+# not ideal: it is too large (3GiB) and we don't expire individual checkouts.
+# https://github.com/DeterminateSystems/magic-nix-cache/issues/28 may help.
+#
+# The "magic" nix cache hits usage limits:
+#
+#   2024-05-18T06:45:19.165515Z ERROR magic_nix_cache::gha: Upload of path '/nix/store/fpq1vaw8vr88a67lc2jspskf2fa7zbvj-emacs-treepy-20230715.2154' failed: GitHub API error: API error (429 Too Many Requests): StructuredApiError { message: "Request was blocked due to exceeding usage of resource 'Count' in namespace ''." }
+#
+# This might get better as the cache populates, as long as I don't hit size
+# limits.