Skip to content

build: use self-hosted runner for tests #354

build: use self-hosted runner for tests

build: use self-hosted runner for tests #354

Workflow file for this run

name: "tests"
on:
# I don't think it's important for correctness to run the tests on main.
# I'm doing it to make GitHub Actions caches available across pull requests.
# See https://github.com/LightAndLight/ipso/issues/338
push:
branches:
- main
pull_request:
workflow_dispatch:
env:
NIX_PUBLIC_KEY: "ipso-binary-cache-1:UMRLNOKcCsb/a2dBhtcZhRZP4RN8yIDsSUwHTObu2w4="
# Note: these values are duplicated in the `UPLOAD_TO_CACHE` script.
BINARY_CACHE_BUCKET: "ipso-binary-cache"
BINARY_CACHE_ENDPOINT: "7065dc7f7d1813a29036535b4c4f4014.r2.cloudflarestorage.com"
# Avoid [rate
# limiting](https://discourse.nixos.org/t/flakes-provide-github-api-token-for-rate-limiting/18609)
# by allowing Nix to make authenticated GitHub requests.
NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}"
# The version of ipso to use for CI scripts that are written in the language.
CI_IPSO_VERSION: "v0.5"
jobs:
tests:
runs-on: nixos
env:
POST_BUILD_HOOK: ".github/workflows/postBuildHook"
steps:
- uses: actions/[email protected]
with:
# `./scripts/recheck` uses `git diff` which accesses the repo's history. `fetch-depth: 0` fetches all branches and history.
fetch-depth: 0
# Used by `uploadToCache` to sign store paths.
- run: "sudo bash -c 'echo \"${{ secrets.NIX_SIGNING_KEY }}\" > /run/nix-signing-key'"
# Grants the Nix daemon access to the bucket, which allows `nix build` to
# authenticate with the binary cache bucket and fetch cache items.
- run: sudo mkdir /root/.aws
- run: "sudo bash -c 'echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > /root/.aws/credentials'"
# Grants the runner access to the bucket, which allows `pueue` to
# authenticate with the binary cache bucket when pushing signed cache items.
- run: sudo mkdir ~/.aws
- run: sudo chown runner ~/.aws
- run: "echo -e \"[default]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID}}\naws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}\" > ~/.aws/credentials"
# Allow the Nix daemon to execute the post-build-hook script.
- run: "sudo chmod +x $POST_BUILD_HOOK"
# Used in `postBuildHook`.
- run: sudo cp .github/workflows/uploadToCache /run/uploadToCache
# [note: installing Ipso binary]
#
# Installing an Ipso release binary leads to more reliable Nix caching (versus using `nix
# profile install`). See <https://github.com/LightAndLight/ipso/issues/407>.
- name: Install Ipso binary
run: |
mkdir -p $HOME/bin
curl -L \
"https://github.com/LightAndLight/ipso/releases/download/$CI_IPSO_VERSION/ipso-linux-x86_64" \
> $HOME/bin/ipso
chmod +x $HOME/bin/ipso
echo "$HOME/bin" >> $GITHUB_PATH
- run: nix profile install nixpkgs#pueue
# [note: nix profile install not adding to PATH]
#
# `nix profile install nixpkgs#pueue` used to "just work", but on 2023-03-02 I started getting
# `pueued: command not found` errors. So add it to the path manually.
#
# [Docs for `GITHUB_PATH`](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path)
- run: echo "$(readlink ~/.nix-profile)/bin" >> $GITHUB_PATH
- run: pueued -d
- name: "tests"
if: github.event_name == 'pull_request'
run: >
nix develop .#tests
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-c ./scripts/recheck origin/$GITHUB_BASE_REF $GITHUB_REF_NAME
# `tests.yml` is currently set to run on pushes to `main`. When that happens, `$GITHUB_BASE_REF`
# isn't set because it's not a pull request. Instead we use the most recent commit before the
# push
# (https://docs.github.com/en/webhooks-and-events/webhooks/webhook-events-and-payloads#push)
# as the "old" commit for `./scripts/recheck`.
#
# If it's a force push (which it really shouldn't be for main) then we skip this step.
- name: "tests"
if: github.event_name == 'push' && !github.event.forced
run: >
nix develop .#tests
--extra-substituters "s3://$BINARY_CACHE_BUCKET?scheme=https&endpoint=$BINARY_CACHE_ENDPOINT"
--extra-trusted-public-keys "$NIX_PUBLIC_KEY"
--post-build-hook "$GITHUB_WORKSPACE/$POST_BUILD_HOOK"
-c ./scripts/recheck ${{ github.event.before }} $GITHUB_REF_NAME
- name: wait for uploads to finish
if: always()
run: pueue wait
- name: log all uploads
if: always()
run: pueue log --json | jq '.[].task.original_command' -r
- name: log failed uploads
if: always()
run: pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != "Success") | .key' -r | xargs -r pueue log
- name: check uploads succeeded
if: always()
run: "[ \"$(pueue log --json | jq 'to_entries[] | select(.value.task.status.Done != \"Success\") | .key' -r)\" == \"\" ]"