name: Pull Request
permissions:
pull-requests: write
on:
pull_request:
paths:
- .github/workflows/**
- "**.nix"
- "flake.lock"
jobs:
build:
if: github.event.pull_request.draft == false
name: "Build ${{ matrix.target }}"
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-latest
target: citadel
- os: ubuntu-latest
target: rickenbacker
- os: ubuntu-latest
target: dns01
- os: ubuntu-latest
target: dns02
steps:
- name: Create nix mount point
if: contains(matrix.os, 'ubuntu')
run: sudo mkdir /nix
- name: Maximize build space
uses: easimon/maximize-build-space@v10
if: contains(matrix.os, 'ubuntu')
with:
root-reserve-mb: 512
swap-size-mb: 1024
build-mount-path: "/nix"
remove-dotnet: true
remove-android: true
remove-haskell: true
remove-docker-images: true
remove-codeql: true
overprovision-lvm: true
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install nix
uses: cachix/install-nix-action@v26
with:
extra_nix_config: |
experimental-features = nix-command flakes
extra-platforms = aarch64-linux
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Register binfmt
run: |
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
- name: Garbage collect build dependencies
run: nix-collect-garbage
- name: Fetch old system profile
run: nix build github:truxnell/nix-config#top.${{ matrix.target }} -v --log-format raw --profile ./profile
- name: Add new system to profile
run: |
set -o pipefail
nix build .#top.${{ matrix.target }} --profile ./profile --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Output build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: |
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Scan for security issues
id: security
run: |
nix run nixpkgs/nixos-unstable#vulnix -- -w https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml ./profile | tee /tmp/security.txt
OUTPUT_SECURITY="$(cat /tmp/security.txt)"
OUTPUT_SECURITY="${OUTPUT_SECURITY//'%'/'%25'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\n'/'%0A'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\r'/'%0D'}"
echo "$OUTPUT_SECURITY"
delimiter="$(openssl rand -hex 16)"
echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
echo "$OUTPUT_SECURITY" >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: Comment report in pr
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ !startswith(github.ref, 'dependabot') }}
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
header: ".#top.${{ matrix.target }}"
message: |
### Report for `${{ matrix.target }}`
${{ steps.diff.outputs.diff }}
${{ steps.security.outputs.security }}