From 8c7b188ae5a5e62b88f568c256242a2c2cafd704 Mon Sep 17 00:00:00 2001
From: Marien Zwart
Date: Sat, 22 Jun 2024 20:48:03 +1000
Subject: [PATCH] CI: break up "CI" workflow

Break the single job into four stages: `nix flake update`, checks, cachix, push to main. The benefit is that checks and cachix can use a matrix strategy in the future (to test / build for different OSes and nixpkgs releases). Also, the cachix build can run in parallel with checks. The downside is that we need to push to a temporary branch before we can run checks. Do that the simplest possible way (just hardcode the branch name).
---
 .github/workflows/ci.yml | 79 +++++-------------------
 .github/workflows/flake-update.yml | 3 +-
 .github/workflows/push-flake-update.yml | 40 +++++++++++++
 3 files changed, 56 insertions(+), 66 deletions(-)
 create mode 100644 .github/workflows/push-flake-update.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b56c24e..ab4e1a8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,80 +12,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-# This workflow does double duty: it runs checks against PRs/pushes, and it
-# updates flake.lock (run from a schedule or manually).
-#
-# This approach seems simpler than having a separate lockfile-updating workflow
-# that creates a PR that gets the normal check workflow ran against it before
-# merging, especially since (according to
-# https://github.com/DeterminateSystems/update-flake-lock) GitHub Actions does
-# not run workflows against PRs created by a GitHub Action.
-
 name: CI
 on:
 workflow_dispatch:
- inputs:
- updateFlakeLock:
- description: 'Update flake.lock'
- default: false
- type: boolean
 schedule:
 - cron: '23 8 * * *' # runs daily at a randomly selected time
 jobs:
+ flake-update:
+ uses: ./.github/workflows/flake-update.yml
 check:
- runs-on: ubuntu-latest
- permissions:
- id-token: "write"
- contents: "write"
- steps:
- - name: Check out repository
- uses: actions/checkout@v4
- - name: Install Nix
- uses: DeterminateSystems/nix-installer-action@main
- - name: Enable Magic Nix Cache
- uses: DeterminateSystems/magic-nix-cache-action@main
- with:
- use-flakehub: false
- - name: Update flake.lock
- if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
- run: |
- git config user.email "github-actions[bot]@users.noreply.github.com"
- git config user.name "github-actions[bot]"
- nix flake update --commit-lock-file
- name: Check flake.lock
- uses: DeterminateSystems/flake-checker-action@main
- name: Cache downloads
- uses: ./.github/actions/cache-downloads
- name: nix flake check
- run: nix flake check -L --show-trace
- name: Build packages for Cachix
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
- run: nix build .#cachix-packages -L
- # Intentionally install Cachix late: build artifacts are cached by Magic
- # Nix Cache, only the runtime closure of cachix-packages goes to the
- # public Cachix cache.
- - name: Install Cachix
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
- uses: cachix/cachix-action@v15
- with:
- name: doom-emacs-unstraightened
- authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- - name: Push to Cachix
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
- run: readlink result | cachix push doom-emacs-unstraightened
- - name: Push changes
- if: github.event_name == 'schedule' || ( github.event_name == 'workflow_dispatch' && inputs.updateFlakeLock )
- run: git push
- # `git push` only works because branch protection is not enabled.
- #
- # Currently branch protection is not effective anyway, since the only
- # contributor (marienz) has admin permissions, and applying branch
- # protection to administrators seems to be an "organization" feature.
- #
- # The supported path seems to be "create a PR and use the API to merge
- # it", but that's more work to implement (see above): revisit later.
+ uses: ./.github/workflows/check.yml
+ with:
+ ref: flake-update
+ needs: [flake-update]
+ cachix:
+ uses: ./.github/workflows/cachix.yml
+ with:
+ ref: flake-update
+ needs: [flake-update]
+ push:
+ uses: ./.github/workflows/push-flake-update.yml
+ needs: [check, cachix]
 # TODO: try to improve caching.
 #
diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml
index 9b44465..3564ce4 100644
--- a/.github/workflows/flake-update.yml
+++ b/.github/workflows/flake-update.yml
@@ -16,9 +16,10 @@ name: nix flake update
 on:
 workflow_dispatch:
+ workflow_call:
 jobs:
- check:
+ update:
 runs-on: ubuntu-latest
 permissions:
 contents: "write"
diff --git a/.github/workflows/push-flake-update.yml b/.github/workflows/push-flake-update.yml
new file mode 100644
index 0000000..fedbf26
--- /dev/null
+++ b/.github/workflows/push-flake-update.yml
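Review bot: The new `cachix:` job in ci.yml passes only `with: ref: flake-update` to `./.github/workflows/cachix.yml` and no `secrets:` key, so unless that reusable workflow (not part of this patch) obtains the token some other way, the `secrets.CACHIX_AUTH_TOKEN` that the removed `Install Cachix` step read is not available in the callee; add `secrets: inherit` to the `cachix` job, or declare and pass the token explicitly. The `flake-update` and `push` jobs likewise pass no `permissions:` although the workflows they call declare `contents: "write"` (visible in the flake-update.yml hunk and in push-flake-update.yml); a called workflow can only narrow the token permissions it receives from the caller, so if the repository's default `GITHUB_TOKEN` is read-only the `git push` steps will fail — set `permissions: contents: write` on those caller jobs explicitly. Every run also shares the hardcoded `flake-update` branch, so a scheduled run overlapping a manual dispatch can have one run's checks validate the other run's commit; a workflow-level `concurrency: { group: flake-update, cancel-in-progress: false }` would serialise runs. The check.yml and cachix.yml workflows this hunk references are not shown in the patch.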
@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Push flake-update
+
+on:
+ workflow_dispatch:
+ workflow_call:
+
+jobs:
+ commit:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: "write"
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v4
+ with:
+ ref: flake-update
+ - name: Push changes
+ run: git push origin HEAD:main
+ # `git push` only works because branch protection is not enabled.
+ #
+ # Currently branch protection is not effective anyway, since the only
+ # contributor (marienz) has admin permissions, and applying branch
+ # protection to administrators seems to be an "organization" feature.
+ #
+ # The supported path seems to be "create a PR and use the API to merge
+ # it", but that's more work to implement: revisit later if needed.
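Review bot: The `workflow_dispatch:` trigger on this workflow lets a manual run push whatever is currently on `flake-update` to `main` with no prerequisite, bypassing the `needs: [check, cachix]` gate that ci.yml places in front of its `push` job; if manual promotion of that branch is not needed, keep only `workflow_call:`, otherwise record the bypass in the trailing comment block. The `Push changes` step also pushes the commit that `actions/checkout` resolved from the branch name at the time this job ran, not the commit the calling run validated, so a push to `flake-update` landing between the checks and this job would be promoted unchecked; a `workflow_call` input carrying the validated SHA, checked out with `ref: ${{ inputs.sha }}` and pushed with `git push origin ${{ inputs.sha }}:main`, would close that window. The push is non-forced, which is correct, so a diverged `main` is rejected rather than overwritten.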