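---
# PR checker for the NixOS flake: builds every host in the matrix, diffs the
# resulting closure against the current upstream profile, runs vulnix over it
# and posts both reports as a sticky PR comment.
name: Pull Request

# Least privilege: once any `permissions` key is set every unlisted scope is
# `none`, so `contents: read` is spelled out for actions/checkout and the
# comment step only gets `pull-requests: write`. On PRs from forks the token is
# read-only regardless, which is why the comment step may legitimately fail there.
permissions:
  contents: read
  pull-requests: write

on:
  pull_request:
    paths:
      - ".github/workflows/**"
      - "**.nix"
      - "flake.lock"

jobs:
  build:
    if: github.event.pull_request.draft == false
    name: "Build ${{ matrix.target }}"
    runs-on: ${{ matrix.os }}
    strategy:
      # Keep building the other hosts when one of them fails.
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
            target: citadel
          - os: ubuntu-latest
            target: rickenbacker
          - os: ubuntu-latest
            target: dns01
          - os: ubuntu-latest
            target: dns02
    steps:
      - name: Create nix mount point
        if: contains(matrix.os, 'ubuntu')
        run: sudo mkdir /nix

      # Reclaims disk on the hosted runner and mounts the freed LVM volume on
      # /nix so large system closures fit.
      - name: Maximize build space
        uses: easimon/maximize-build-space@v10
        if: contains(matrix.os, 'ubuntu')
        with:
          root-reserve-mb: 512
          swap-size-mb: 1024
          build-mount-path: "/nix"
          remove-dotnet: true
          remove-android: true
          remove-haskell: true
          remove-docker-images: true
          remove-codeql: true
          overprovision-lvm: true

      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install nix
        uses: cachix/install-nix-action@v26
        with:
          extra_nix_config: |
            experimental-features = nix-command flakes
            extra-platforms = aarch64-linux

      # NOTE(review): `@main` is a mutable ref, so this third-party action can
      # change underneath the workflow; pin it to a release tag or, better, a
      # full commit SHA like the other actions in this file.
      - uses: DeterminateSystems/magic-nix-cache-action@main

      # Needed for the `extra-platforms = aarch64-linux` builds above; requires a
      # privileged container, which is acceptable only on a throwaway runner.
      - name: Register binfmt
        run: |
          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

      - name: Garbage collect build dependencies
        run: nix-collect-garbage

      # Builds the *currently published* configuration (upstream default branch,
      # not the PR's base commit) into ./profile so the next build can be diffed
      # against it. `matrix.target` is a literal from the matrix above, so
      # interpolating it into shell here is not a script-injection vector.
      - name: Fetch old system profile
        run: nix build github:truxnell/nix-config#top.${{ matrix.target }} -v --log-format raw --profile ./profile

      # Builds the PR's configuration as a new generation of the same profile.
      # stderr is teed to /tmp/nix-build-err.log so the failure step can find
      # the failing derivation.
      - name: Add new system to profile
        run: |
          set -o pipefail
          nix build .#top.${{ matrix.target }} --profile ./profile --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)

      # On failure, surface the log of the failing derivation, then re-fail the
      # job. The grep chain is guarded with `|| true` and the variable is quoted:
      # an unquoted `[ -n $drv ]` is always true when $drv is empty.
      - name: Output build failure
        if: failure()
        run: |
          drv=$(grep "For full logs, run" /tmp/nix-build-err.log 2>/dev/null | grep -oE "/nix/store/[^' ]*\.drv" || true)
          if [ -n "$drv" ]; then
            nix log "$drv"
            echo "$drv"
          fi
          exit 1

      # Writes the closure diff as a multi-line step output. The heredoc
      # delimiter is random so that report content can never terminate the
      # value early (output injection); the perl strips ANSI colour codes.
      - name: Diff profile
        id: diff
        run: |
          nix profile diff-closures --profile ./profile
          delimiter="$(openssl rand -hex 16)"
          echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
          nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
          echo "${delimiter}" >> "${GITHUB_OUTPUT}"

      # Runs vulnix against the new profile. The pipe into `tee` (no pipefail in
      # this step) means findings are reported, not failed on. The whitelist is
      # fetched from a third party's `master` branch at run time, so it is an
      # unpinned input that can silently suppress findings.
      # The old `%0A`/`%0D`/`%25` escaping was only decoded by the retired
      # `::set-output` command; $GITHUB_OUTPUT heredocs take raw multi-line text,
      # so the report is written verbatim with a random delimiter instead.
      - name: Scan for security issues
        id: security
        run: |
          nix run nixpkgs/nixos-unstable#vulnix -- -w https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml ./profile | tee /tmp/security.txt
          delimiter="$(openssl rand -hex 16)"
          {
            echo "security<<${delimiter}"
            cat /tmp/security.txt
            echo "${delimiter}"
          } >> "${GITHUB_OUTPUT}"

      # Skipped for Dependabot PRs, which run with a restricted token. On
      # `pull_request` events `github.ref` is `refs/pull/N/merge` and never
      # starts with `dependabot`, so the branch name (`head_ref`) is tested.
      - name: Comment report in pr
        uses: marocchino/sticky-pull-request-comment@v2
        if: ${{ !startsWith(github.head_ref, 'dependabot') }}
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          header: ".#top.${{ matrix.target }}"
          message: |
            ### Report for `${{ matrix.target }}`
            Version changes
            ${{ steps.diff.outputs.diff }}
            Security vulnerability report
            ${{ steps.security.outputs.security }}
# Liberated from edeneast's github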