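---
# GitHub Actions workflow for pull requests that touch the Nix configuration:
# dry-run builds each matrix target, diffs the resulting closure against the
# one currently published from the upstream flake, scans it with vulnix, and
# posts both reports as a sticky PR comment.
#
# Review notes (supply chain, nothing changed here because the values are not
# on this page):
#   - easimon/maximize-build-space, cachix/install-nix-action and
#     marocchino/sticky-pull-request-comment are pinned to mutable major tags;
#     pinning each to a commit SHA removes the tag-retargeting risk.
#   - The binfmt step runs multiarch/qemu-user-static with --privileged and no
#     tag or digest; pin a digest so the privileged container is reproducible.
name: Pull Request

# GITHUB_TOKEN is only needed to post the PR comment. Specifying any permission
# sets the unspecified ones to "none", so contents:read is spelled out for
# actions/checkout.
permissions:
  contents: read
  pull-requests: write

on:
  pull_request:
    paths:
      - ".github/workflows/**"
      - "**.nix"
      - "flake.lock"

jobs:
  build:
    if: github.event.pull_request.draft == false
    name: "Build ${{ matrix.target }}"
    runs-on: ${{ matrix.os }}
    strategy:
      # Let every target finish so a single failing host does not hide the
      # reports of the others.
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            target: citadel
          - os: ubuntu-latest
            target: rickenbacker
          - os: ubuntu-latest
            target: dns01
    steps:
      - name: Create nix mount point
        if: contains(matrix.os, 'ubuntu')
        run: sudo mkdir /nix

      # Frees disk on the hosted runner and mounts the reclaimed space at /nix,
      # where the store lives.
      - name: Maximize build space
        uses: easimon/maximize-build-space@v10
        if: contains(matrix.os, 'ubuntu')
        with:
          root-reserve-mb: 512
          swap-size-mb: 1024
          build-mount-path: "/nix"
          remove-dotnet: true
          remove-android: true
          remove-haskell: true
          remove-docker-images: true
          remove-codeql: true
          overprovision-lvm: true

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install nix
        uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes
            extra-platforms = aarch64-linux

      # Registers qemu user-mode emulation so aarch64-linux derivations can be
      # evaluated/built on the x86_64 runner.
      - name: Register binfmt
        run: |
          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

      - name: Garbage collect build dependencies
        run: nix-collect-garbage

      # Baseline: the target as currently published from the upstream flake,
      # recorded in ./profile so the next step can be diffed against it.
      - name: Fetch old system profile
        run: nix build github:truxnell/nix-config#top.${{ matrix.target }} -v --dry-run --log-format raw --profile ./profile

      - name: Add new system to profile
        run: |
          set -o pipefail
          nix build .#top.${{ matrix.target }} --dry-run --profile ./profile --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)

      - name: Output build failure
        if: failure()
        run: |
          drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
          # Quoted on purpose: with an empty, unquoted $drv the test becomes
          # `[ -n ]`, which is true, and `nix log` would run with no argument.
          if [ -n "$drv" ]; then
            nix log "$drv"
            echo "$drv"
          fi
          exit 1

      - name: Diff profile
        id: diff
        run: |
          nix profile diff-closures --profile ./profile
          # Random heredoc delimiter so nothing in the diff output can close
          # the multi-line output block early.
          delimiter="$(openssl rand -hex 16)"
          echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
          # Strip ANSI colour sequences before the text lands in the PR comment.
          nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
          echo "${delimiter}" >> "${GITHUB_OUTPUT}"

      - name: Scan for security issues
        id: security
        run: |
          # The whitelist is fetched at run time from a third-party repository's
          # default branch; its contents decide which findings are suppressed.
          # The pipe into tee also means the step exits with tee's status, so
          # vulnix findings do not fail the job (report-only) unless the step
          # is given an explicit `shell: bash`, which enables pipefail.
          nix run nixpkgs/nixos-unstable#vulnix -- -w https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml ./profile | tee /tmp/security.txt
          # Multi-line values written to GITHUB_OUTPUT with the heredoc form are
          # taken literally; the %25/%0A/%0D escaping used by the old
          # ::set-output command would show up verbatim in the comment. Written
          # the same way as the diff step above.
          delimiter="$(openssl rand -hex 16)"
          echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
          cat /tmp/security.txt >> "${GITHUB_OUTPUT}"
          echo "${delimiter}" >> "${GITHUB_OUTPUT}"

      - name: Comment report in pr
        uses: marocchino/sticky-pull-request-comment@v2
        # Dependabot PRs run with a read-only GITHUB_TOKEN, so the comment step
        # is skipped for them. On pull_request events github.ref is
        # refs/pull/<n>/merge and never starts with "dependabot"; the actor is
        # the reliable signal.
        if: ${{ github.actor != 'dependabot[bot]' }}
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          header: ".#top.${{ matrix.target }}"
          # Both sections are wrapped in <details>; the version-changes
          # <summary> previously had no enclosing <details> element.
          message: |
            ### Report for `${{ matrix.target }}`
            <details>
            <summary> Version changes </summary> <br>
            <pre> ${{ steps.diff.outputs.diff }} </pre>
            </details>
            <details>
            <summary> Security vulnerability report </summary> <br>
            <pre> ${{ steps.security.outputs.security }} </pre>
            </details>

# Liberated from edeneast's github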