build: use self-hosted runner for tests #354
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "tests" | |
on: | |
# I don't think it's important for correctness to run the tests on main. | |
# I'm doing it to make GitHub Actions caches available across pull requests. | |
# See https://github.com/LightAndLight/ipso/issues/338 | |
push: | |
branches: | |
- main | |
pull_request: | |
workflow_dispatch: | |
env: | |
NIX_PUBLIC_KEY: "ipso-binary-cache-1:UMRLNOKcCsb/a2dBhtcZhRZP4RN8yIDsSUwHTObu2w4=" | |
# Note: these values are duplicated in the `UPLOAD_TO_CACHE` script. | |
BINARY_CACHE_BUCKET: "ipso-binary-cache" | |
BINARY_CACHE_ENDPOINT: "7065dc7f7d1813a29036535b4c4f4014.r2.cloudflarestorage.com" | |
# Avoid [rate | |
# limiting](https://discourse.nixos.org/t/flakes-provide-github-api-token-for-rate-limiting/18609) | |
# by allowing Nix to make authenticated GitHub requests. | |
NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}" | |
# The version of ipso to use for CI scripts that are written in the language. | |
CI_IPSO_VERSION: "v0.5" | |
jobs: | |
tests: | |
runs-on: nixos | |
env: | |
POST_BUILD_HOOK: ".github/workflows/postBuildHook" | |
steps: | |
- uses: actions/[email protected] | |
with: | |
# `./scripts/recheck` uses `git diff` which accesses the repo's history. `fetch-depth: 0` fetches all branches and history. | |
fetch-depth: 0 | |
# Used by `uploadToCache` to sign store paths. | |
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'" | |
# Grants the Nix daemon access to the bucket, which allows `nix build` to | |
# authenticate with the binary cache bucket and fetch cache items. | |
- run: sudo mkdir /root/.aws | |
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'" | |
# Grants the runner access to the bucket, which allows `pueue` to | |
# authenticate with the binary cache bucket when pushing signed cache items. | |
- run: sudo mkdir ~/.aws | |
- run: sudo chown runner ~/.aws | |
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials" | |
# Allow the Nix daemon to execute the post-build-hook script. | |
- run: "sudo chmod +x $POST_BUILD_HOOK" | |
# Used in `postBuildHook`. | |
- run: sudo cp .github/workflows/uploadToCache /run/uploadToCache | |
# [note: installing Ipso binary] | |
# | |
# Installing an Ipso release binary leads to more reliable Nix caching (versus using `nix | |
# profile install`). See <https://github.com/LightAndLight/ipso/issues/407>. | |
- name: Install Ipso binary | |
run: | | |
mkdir -p $HOME/bin | |
curl -L \ | |
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \ | |
> $HOME/bin/ipso | |
chmod +x $HOME/bin/ipso | |
echo "$HOME/bin" >> $GITHUB_PATH | |
- run: nix profile install nixpkgs#pueue | |
# [note: nix profile install not adding to PATH] | |
# | |
# `nix profile install nixpkgs#pueue` used to "just work", but on 2023-03-02 I started getting | |
# `pueued: command not found` errors. So add it to the path manually. | |
# | |
# [Docs for `GITHUB_PATH`](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path) | |
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH | |
- run: pueued -d | |
- name: "tests" | |
if: github.event_name == 'pull_request' | |
run: > | |
nix develop .#tests | |
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT" | |
--extra-trusted-public-keys "$NIX_PUBLIC_KEY" | |
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK" | |
-c ./scripts/recheck origin/$GITHUB_BASE_REF $GITHUB_REF_NAME | |
# `tests.yml` is currently set to run on pushes to `main`. When that happens, `$GITHUB_BASE_REF` | |
# isn't set because it's not a pull request. Instead we use the most recent commit before the | |
# push | |
# (https://docs.github.com/en/webhooks-and-events/webhooks/webhook-events-and-payloads#push) | |
# as the "old" commit for `./scripts/recheck`. | |
# | |
# If it's a force push (which it really shouldn't be for main) then we skip this step. | |
- name: "tests" | |
if: github.event_name == 'push' && !github.event.forced | |
run: > | |
nix develop .#tests | |
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT" | |
--extra-trusted-public-keys "$NIX_PUBLIC_KEY" | |
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK" | |
-c ./scripts/recheck ${{ github.event.before }} $GITHUB_REF_NAME | |
- name: wait for uploads to finish | |
if: always() | |
run: pueue wait | |
- name: log all uploads | |
if: always() | |
run: pueue log --json | jq '.[].task.original_command' -r | |
- name: log failed uploads | |
if: always() | |
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log | |
- name: check uploads succeeded | |
if: always() | |
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]" |