From c75859eb756591526fa8a3026a3143fc1f35e560 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 20:12:55 -0400 Subject: [PATCH 01/18] Checks: don't do a slow, expensive, ineffective check of the binaries --- .github/workflows/build.yaml | 36 ------------------------------------ 1 file changed, 36 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 064dc37..73a2230 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -24,24 +24,6 @@ jobs: path: result/bin/nix-actions-cache retention-days: 1 - check-artifacts-macOS: - runs-on: macos-12 - needs: build-artifacts-macOS - steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 - with: - name: nix-actions-cache-macOS - path: cache-binary - - name: Make the binary executable - run: chmod +x ./cache-binary/nix-actions-cache - - uses: DeterminateSystems/nix-installer-action-cache@main - with: - cache-binary: ./cache-binary/nix-actions-cache - - - name: "Build something" - run: "nix build .# -L" - build-artifacts-Linux: runs-on: ubuntu-22.04 steps: @@ -59,21 +41,3 @@ jobs: name: nix-actions-cache-Linux path: result/bin/nix-actions-cache retention-days: 1 - - check-artifacts-Linux: - runs-on: ubuntu-22.04 - needs: build-artifacts-Linux - steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 - with: - name: nix-actions-cache-Linux - path: cache-binary - - name: Make the binary executable - run: chmod +x ./cache-binary/nix-actions-cache - - uses: DeterminateSystems/nix-installer-action-cache@main - with: - cache-binary: ./cache-binary/nix-actions-cache - - - name: "Build something" - run: "nix build .# -L" From e6c72f9c328b0aa9a64a048d25f45962d1731bb2 Mon Sep 17 00:00:00 2001 
From: Graham Christensen Date: Sun, 21 May 2023 20:27:24 -0400 Subject: [PATCH 02/18] Release via install.determinate.systems --- .github/workflows/release-branches.yml | 49 +++++++++++++ .github/workflows/release-prs.yml | 49 +++++++++++++ .github/workflows/release-tags.yml | 53 ++++++++++++++ .github/workflows/upload_s3.sh | 98 ++++++++++++++++++++++++++ 4 files changed, 249 insertions(+) create mode 100644 .github/workflows/release-branches.yml create mode 100644 .github/workflows/release-prs.yml create mode 100644 .github/workflows/release-tags.yml create mode 100755 .github/workflows/upload_s3.sh diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml new file mode 100644 index 0000000..bb182f1 --- /dev/null +++ b/.github/workflows/release-branches.yml 
@@ -0,0 +1,49 @@
+name: Release Branch
+
+on:
+ workflow_run:
+ workflows: ["Build artifacts"]
+ branches:
+ # NOTE: make sure any branches here are also valid directory names,
+ # otherwise creating the directory and uploading to s3 will fail
+ - "main"
+ types:
+ - completed
+
+jobs:
+ release:
+ concurrency: release
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # In order to request a JWT for AWS auth
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
+ aws-region: us-east-2
+
+ - name: Create the artifacts directory
+ run: rm -rf ./artifacts && mkdir ./artifacts
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: nix-actions-cache-macOS
+ path: cache-binary-macOS
+ - name: Persist the cache binary
+ run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-macOS
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: nix-actions-cache-Linux
+ path: cache-binary-Linux
+ - name: Persist the cache binary
+ run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-Linux
+
+ - name: Publish Release (Branch)
+ env:
+ AWS_BUCKET: ${{ secrets.AWS_S3_UPLOAD_BUCKET }}
+ run: |
+ .github/workflows/upload_s3.sh branch "${{ github.ref_name }}" "$GITHUB_SHA"
diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml
new file mode 100644
index 0000000..c8d3c5e
--- /dev/null
+++ b/.github/workflows/release-prs.yml
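Review bot: Every action in release-branches.yml's `release` job is referenced by a mutable tag (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v2`, `actions/download-artifact@v3`) while the job holds `id-token: write` and assumes the S3 upload role, so a retagged action would run with publish rights. Pinning each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v2` (placeholder, not a real SHA), closes that; the same applies to the release-prs.yml and release-tags.yml hunks of this patch, where `softprops/action-gh-release@v1` additionally runs under `contents: write`. In the last step, `"${{ github.ref_name }}"` is expanded into the script text before the shell runs; release-tags.yml already passes `"$GITHUB_REF_NAME"`, and using it here too keeps a branch name from ever being parsed as shell if more branches are added to the filter.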
@@ -0,0 +1,49 @@
+name: Release PR
+
+on:
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+ - labeled
+
+jobs:
+ release:
+ concurrency: release
+ # Only intra-repo PRs are allowed to have PR artifacts uploaded
+ if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-installer' && contains(github.event.pull_request.labels.*.name, 'upload to s3')
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # In order to request a JWT for AWS auth
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Create the artifacts directory
+ run: rm -rf ./artifacts && mkdir ./artifacts
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: nix-actions-cache-macOS
+ path: cache-binary-macOS
+ - name: Persist the cache binary
+ run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-macOS
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: nix-actions-cache-Linux
+ path: cache-binary-Linux
+ - name: Persist the cache binary
+ run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-Linux
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
+ aws-region: us-east-2
+ - name: Publish Release (PR)
+ env:
+ AWS_BUCKET: ${{ secrets.AWS_S3_UPLOAD_BUCKET }}
+ run: |
+ .github/workflows/upload_s3.sh pr "${{ github.event.pull_request.number }}" "${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml
new file mode 100644
index 0000000..a8bfe43
--- /dev/null
+++ b/.github/workflows/release-tags.yml
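Review bot: The `Publish Release (PR)` step in release-prs.yml runs `.github/workflows/upload_s3.sh` from the pull request's own checkout under the same `secrets.AWS_S3_UPLOAD_ROLE` that the branch and tag workflows use, so unreviewed PR code gets whatever write access that role has to the bucket. The IAM side is not visible here, but if the role can write beyond the prefixes a PR upload needs, a PR run could replace objects published for `main` or for a tag. I would give PR uploads their own role, `role-to-assume: ${{ secrets.<PR_UPLOAD_ROLE> }}` (placeholder name), with a policy limited to the PR prefixes and a trust policy that matches the pull_request `sub` claim. The `concurrency: release` group is also shared with the tag and branch workflows, so a PR run can displace a pending tag release; a per-PR group name would avoid that.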
@@ -0,0 +1,53 @@
+name: Release Tags
+
+on:
+ push:
+ tags:
+ - "v*.*.*"
+
+jobs:
+ release:
+ concurrency: release
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # In order to upload artifacts to GitHub releases
+ id-token: write # In order to request a JWT for AWS auth
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Create the artifacts directory
+ run: rm -rf ./artifacts && mkdir ./artifacts
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: nix-actions-cache-macOS
+ path: cache-binary-macOS
+ - name: Persist the cache binary
+ run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-macOS
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: nix-actions-cache-Linux
+ path: cache-binary-Linux
+ - name: Persist the cache binary
+ run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-Linux
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.AWS_S3_UPLOAD_ROLE }}
+ aws-region: us-east-2
+ - name: Publish Release to S3 (Tag)
+ env:
+ AWS_BUCKET: ${{ secrets.AWS_S3_UPLOAD_BUCKET }}
+ run: |
+ ./upload_s3.sh "tag" "$GITHUB_REF_NAME" "$GITHUB_SHA"
+ - name: Publish Release to GitHub (Tag)
+ uses: softprops/action-gh-release@v1
+ with:
+ fail_on_unmatched_files: true
+ draft: true
+ files: |
+ artifacts/**
+ nix-installer.sh
diff --git a/.github/workflows/upload_s3.sh b/.github/workflows/upload_s3.sh
new file mode 100755
index 0000000..4647f32
--- /dev/null
+++ b/.github/workflows/upload_s3.sh
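Review bot: The `Publish Release to S3 (Tag)` step in release-tags.yml calls `./upload_s3.sh`, but this patch adds the script at `.github/workflows/upload_s3.sh` and the other two workflows invoke it by that path, so unless a copy exists at the repository root the tag release stops at this step; the line should read `.github/workflows/upload_s3.sh "tag" "$GITHUB_REF_NAME" "$GITHUB_SHA"`. The GitHub release step lists `nix-installer.sh` under `files:` with `fail_on_unmatched_files: true`, and nothing in this patch creates that file, so if it is not present elsewhere in the repository the step fails after the S3 upload has already been published. Dropping that entry avoids a tag that is live on S3 but has no GitHub release.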
@@ -0,0 +1,98 @@ +set -eu + +TYPE="$1" +TYPE_ID="$2" +GIT_ISH="$3" + +if [ "$TYPE" == "tag" ]; then + DEST="${TYPE_ID}" +else + DEST="${TYPE}_${TYPE_ID}" +fi + +is_tag() { + if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then + return 0 + else + return 1 + fi +} + +# If the revision directory has already been created in S3 somehow, we don't want to reupload +if aws s3 ls "$AWS_BUCKET"/"$GIT_ISH"/; then + # Only exit if it's not a tag (since we're tagging a commit previously pushed to main) + if ! is_tag; then + echo "Revision $GIT_ISH was already uploaded; exiting" + exit 1 + fi +fi + +sudo chown $USER: -R artifacts/ + +mkdir "$DEST" +mkdir "$GIT_ISH" + +for artifact in $(find artifacts/ -type f); do + chmod +x "$artifact" + cp "$artifact" "$DEST"/ + cp "$artifact" "$GIT_ISH"/ +done + +# If any artifact already exists in S3 and the hash is the same, we don't want to reupload +check_reupload() { + dest="$1" + + for file in $(find "$dest" -type f); do + artifact_path="$dest"/"$(basename "$artifact")" + md5="$(md5sum "$artifact" | cut -d' ' -f1)" + obj="$(aws s3api head-object --bucket "$AWS_BUCKET" --key "$artifact_path" || echo '{}')" + obj_md5="$(jq -r .ETag <<<"$obj" | jq -r)" # head-object call returns ETag quoted, so `jq -r` again to unquote it + + if [[ "$md5" == "$obj_md5" ]]; then + echo "Artifact $artifact was already uploaded; exiting" + # If we already uploaded to a tag, that's probably bad + is_tag && exit 1 || exit 0 + fi + done +} + +check_reupload "$DEST" +if ! is_tag; then + check_reupload "$GIT_ISH" +fi + +aws s3 sync "$DEST"/ s3://"$AWS_BUCKET"/"$DEST"/ --acl public-read +if ! 
is_tag; then + aws s3 sync "$GIT_ISH"/ s3://"$AWS_BUCKET"/"$GIT_ISH"/ --acl public-read +fi + + +cat <<-EOF >> $GITHUB_STEP_SUMMARY +This commit's nix-actions-cache binaries can be fetched from: + +Intel macOS: + +``` +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/macOS/rev/$GIT_ISH +``` + +x86_64 Linux: + +``` +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/Linux/rev/$GIT_ISH +``` + +Or generally from this ${TYPE}: + +Intel macOS: + +``` +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/macOS/${TYPE}/${DEST} +``` + +x86_64 Linux: + +``` +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/Linux/${TYPE}/${DEST} +``` +EOF From bff88ada04063acb48eb3e174140c49fae529c2c Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 20:34:54 -0400 Subject: [PATCH 03/18] setup needs relationships --- .github/workflows/release-branches.yml | 3 +++ .github/workflows/release-prs.yml | 5 ++++- .github/workflows/release-tags.yml | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index bb182f1..29268ad 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml @@ -12,6 +12,9 @@ on: jobs: release: + needs: + - build-artifacts-macOS + - build-artifacts-Linux concurrency: release runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index c8d3c5e..58928d1 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml 
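Review bot: In upload_s3.sh, `check_reupload` iterates with `for file in $(find "$dest" -type f)` but its body reads `$artifact`, which is left over from the copy loop above it, so every iteration inspects the same last artifact and the other files are never compared. The two lines should use the loop variable: `artifact_path="$dest"/"$(basename "$file")"` and `md5="$(md5sum "$file" | cut -d' ' -f1)"`. The check also only stops when the hashes match; when an object already exists under a tag with a different hash, the script continues to `aws s3 sync` and overwrites the published binary, which is presumably the case a release should refuse. Comparing `md5sum` output with `ETag` further assumes a single-part upload without KMS encryption, so a comment stating that assumption would help the next reader.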
@@ -10,9 +10,12 @@ on: jobs: release: + needs: + - build-artifacts-macOS + - build-artifacts-Linux concurrency: release # Only intra-repo PRs are allowed to have PR artifacts uploaded - if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-installer' && contains(github.event.pull_request.labels.*.name, 'upload to s3') + if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' && contains(github.event.pull_request.labels.*.name, 'upload to s3') runs-on: ubuntu-latest permissions: id-token: write # In order to request a JWT for AWS auth diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index a8bfe43..bf3a86d 100644 --- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml @@ -7,6 +7,9 @@ on: jobs: release: + needs: + - build-artifacts-macOS + - build-artifacts-Linux concurrency: release runs-on: ubuntu-latest permissions: From 472f6957870e8903bfa331ef9f417320389ba9f9 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 20:42:39 -0400 Subject: [PATCH 04/18] pretty sure this won't work --- .github/workflows/release-prs.yml | 11 ++++++++--- .github/workflows/release-tags.yml | 11 ++++++++--- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 58928d1..2027427 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -1,6 +1,14 @@ name: Release PR on: + workflow_run: + workflows: ["Build artifacts"] + branches: + # NOTE: make sure any branches here are also valid directory names, + # otherwise creating the directory and uploading to s3 will fail + - "main" + types: + - completed pull_request: types: - opened 
@@ -10,9 +18,6 @@ on: jobs: release: - needs: - - build-artifacts-macOS - - build-artifacts-Linux concurrency: release # Only intra-repo PRs are allowed to have PR artifacts uploaded if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' && contains(github.event.pull_request.labels.*.name, 'upload to s3') diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index bf3a86d..6128620 100644 --- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml @@ -1,15 +1,20 @@ name: Release Tags on: + workflow_run: + workflows: ["Build artifacts"] + branches: + # NOTE: make sure any branches here are also valid directory names, + # otherwise creating the directory and uploading to s3 will fail + - "main" + types: + - completed push: tags: - "v*.*.*" jobs: release: - needs: - - build-artifacts-macOS - - build-artifacts-Linux concurrency: release runs-on: ubuntu-latest permissions: From baec1b19f6735ad06b8cde9b14335511c14f09c5 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 20:56:58 -0400 Subject: [PATCH 05/18] ??? --- .github/workflows/build.yaml | 1 + .github/workflows/release-branches.yml | 4 ++++ .github/workflows/release-prs.yml | 7 +++++++ .github/workflows/release-tags.yml | 7 +++++++ 4 files changed, 19 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 73a2230..9a6111f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -4,6 +4,7 @@ on: pull_request: push: workflow_dispatch: + workflow_call: jobs: build-artifacts-macOS: diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index 29268ad..dba0797 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml 
@@ -11,10 +11,14 @@ on: - completed jobs: + build: + uses: ./.github/workflows/build.yaml + release: needs: - build-artifacts-macOS - build-artifacts-Linux + concurrency: release runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 2027427..14f36e4 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -17,7 +17,14 @@ on: - labeled jobs: + build: + uses: ./.github/workflows/build.yaml + release: + needs: + - build-artifacts-macOS + - build-artifacts-Linux + concurrency: release # Only intra-repo PRs are allowed to have PR artifacts uploaded if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' && contains(github.event.pull_request.labels.*.name, 'upload to s3') diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index 6128620..1af42b4 100644 --- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml @@ -14,7 +14,14 @@ on: - "v*.*.*" jobs: + build: + uses: ./.github/workflows/build.yaml + release: + needs: + - build-artifacts-macOS + - build-artifacts-Linux + concurrency: release runs-on: ubuntu-latest permissions: From f8927525eee3cec02ecb3100a80f5e4b5ab82fb0 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 20:57:53 -0400 Subject: [PATCH 06/18] ? --- .github/workflows/release-prs.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 14f36e4..3415d28 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml 
@@ -21,10 +21,6 @@ jobs: uses: ./.github/workflows/build.yaml release: - needs: - - build-artifacts-macOS - - build-artifacts-Linux - concurrency: release # Only intra-repo PRs are allowed to have PR artifacts uploaded if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' && contains(github.event.pull_request.labels.*.name, 'upload to s3') From 804f27c3f149f16343cb42d7db332a8b607ba2ad Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 20:59:13 -0400 Subject: [PATCH 07/18] ... --- .github/workflows/release-branches.yml | 4 +--- .github/workflows/release-prs.yml | 2 ++ .github/workflows/release-tags.yml | 4 +--- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index dba0797..7c29338 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml @@ -15,9 +15,7 @@ jobs: uses: ./.github/workflows/build.yaml release: - needs: - - build-artifacts-macOS - - build-artifacts-Linux + needs: build concurrency: release runs-on: ubuntu-latest diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 3415d28..b71a6af 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -21,6 +21,8 @@ jobs: uses: ./.github/workflows/build.yaml release: + needs: build + concurrency: release # Only intra-repo PRs are allowed to have PR artifacts uploaded if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' && contains(github.event.pull_request.labels.*.name, 'upload to s3') diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index 1af42b4..2eef44e 100644 --- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml 
@@ -18,9 +18,7 @@ jobs: uses: ./.github/workflows/build.yaml release: - needs: - - build-artifacts-macOS - - build-artifacts-Linux + needs: build concurrency: release runs-on: ubuntu-latest From 29d8f15b215199c7a46e6f372f2d0e35df286187 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 21:25:28 -0400 Subject: [PATCH 08/18] Try read perms on the repo contents --- .github/workflows/release-prs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index b71a6af..0b8921d 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -29,6 +29,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write # In order to request a JWT for AWS auth + contents: read steps: - name: Checkout uses: actions/checkout@v3 From cb917258248e34a96f2e506dfab5c392b8fe66d8 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sun, 21 May 2023 21:41:21 -0400 Subject: [PATCH 09/18] =?UTF-8?q?Don=E2=80=99t=20run=20the=20curl=20comman?= =?UTF-8?q?ds=20lol?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/upload_s3.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/upload_s3.sh b/.github/workflows/upload_s3.sh index 4647f32..14e4aed 100755 --- a/.github/workflows/upload_s3.sh +++ b/.github/workflows/upload_s3.sh 
@@ -72,27 +72,27 @@ This commit's nix-actions-cache binaries can be fetched from: Intel macOS: -``` +\`\`\` curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/macOS/rev/$GIT_ISH -``` +\`\`\` x86_64 Linux: -``` +\`\`\` curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/Linux/rev/$GIT_ISH -``` +\`\`\` Or generally from this ${TYPE}: Intel macOS: -``` +\`\`\` curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/macOS/${TYPE}/${DEST} -``` +\`\`\` x86_64 Linux: -``` +\`\`\` curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/Linux/${TYPE}/${DEST} -``` +\`\`\` EOF From 346330fda1f40cff562ef41f82bd80ea0a15e4ac Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 09:12:21 -0400 Subject: [PATCH 10/18] Don't build on push --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9a6111f..a104049 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -2,7 +2,6 @@ name: Build artifacts on: pull_request: - push: workflow_dispatch: workflow_call: From cef074e3b321018cb1dfc6828757eecb4453119d Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 09:36:36 -0400 Subject: [PATCH 11/18] Don't run build.yaml ever, let the release-* jobs trigger it --- .github/workflows/build.yaml | 1 - .github/workflows/release-branches.yml | 4 ++-- .github/workflows/release-tags.yml | 8 -------- 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index a104049..9d6581f 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -1,7 +1,6 @@ name: Build artifacts on: - pull_request: workflow_dispatch: workflow_call: diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index 7c29338..7ccb9af 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml @@ -1,8 +1,7 @@ name: Release Branch on: - workflow_run: - workflows: ["Build artifacts"] + push: branches: # NOTE: make sure any branches here are also valid directory names, # otherwise creating the directory and uploading to s3 will fail @@ -20,6 +19,7 @@ jobs: concurrency: release runs-on: ubuntu-latest permissions: + contents: read id-token: write # In order to request a JWT for AWS auth steps: - name: Checkout diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index 2eef44e..1afb1c9 100644 --- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml @@ -1,14 +1,6 @@ name: Release Tags on: - workflow_run: - workflows: ["Build artifacts"] - branches: - # NOTE: make sure any branches here are also valid directory names, - # otherwise creating the directory and uploading to s3 will fail - - "main" - types: - - completed push: tags: - "v*.*.*" From 3597849148a665033dee70bd8c46babc40e28fd1 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 15:45:55 -0400 Subject: [PATCH 12/18] Add an architecture prefix to the OS Co-authored-by: Cole Helbling --- .github/workflows/build.yaml | 14 ++++++++++---- .github/workflows/release-branches.yml | 12 ++++++------ .github/workflows/release-prs.yml | 12 ++++++------ .github/workflows/release-tags.yml | 12 ++++++------ .github/workflows/upload_s3.sh | 8 ++++---- 5 files changed, 32 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9d6581f..9ed6044 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -5,13 +5,16 @@ on: workflow_call: jobs: - build-artifacts-macOS: + build-artifacts-X64-macOS: runs-on: macos-12 steps: - uses: actions/checkout@v3 - uses: DeterminateSystems/nix-installer-action-cache@main + - name: Print the arch-os + run: "echo $RUNNER_ARCH-$RUNNER_OS" + - name: Build package run: "nix build .# -L" @@ -19,17 +22,20 @@ jobs: uses: actions/upload-artifact@v3.1.2 with: # Artifact name - name: nix-actions-cache-macOS + name: nix-actions-cache-X64-macOS path: result/bin/nix-actions-cache retention-days: 1 - build-artifacts-Linux: + build-artifacts-X64-Linux: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v3 - uses: DeterminateSystems/nix-installer-action-cache@main + - name: Print the arch-os + run: "echo $RUNNER_ARCH-$RUNNER_OS" + - name: Build package run: "nix build .# -L" @@ -37,6 +43,6 @@ jobs: uses: actions/upload-artifact@v3.1.2 with: # Artifact name - name: nix-actions-cache-Linux + name: nix-actions-cache-X64-Linux path: result/bin/nix-actions-cache retention-days: 1 diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index 7ccb9af..b205ac2 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml 
@@ -35,17 +35,17 @@ jobs: - uses: actions/download-artifact@v3 with: - name: nix-actions-cache-macOS - path: cache-binary-macOS + name: nix-actions-cache-X64-macOS + path: cache-binary-X64-macOS - name: Persist the cache binary - run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-macOS + run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-X64-macOS - uses: actions/download-artifact@v3 with: - name: nix-actions-cache-Linux - path: cache-binary-Linux + name: nix-actions-cache-X64-Linux + path: cache-binary-X64-Linux - name: Persist the cache binary - run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-Linux + run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-X64-Linux - name: Publish Release (Branch) env: diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 0b8921d..7b50ffa 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -39,17 +39,17 @@ jobs: - uses: actions/download-artifact@v3 with: - name: nix-actions-cache-macOS - path: cache-binary-macOS + name: nix-actions-cache-X64-macOS + path: cache-binary-X64-macOS - name: Persist the cache binary - run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-macOS + run: cp ./cache-binary-X64-macOS/nix-actions-cache ./artifacts/nix-actions-cache-X64-macOS - uses: actions/download-artifact@v3 with: - name: nix-actions-cache-Linux - path: cache-binary-Linux + name: nix-actions-cache-X64-Linux + path: cache-binary-X64-Linux - name: Persist the cache binary - run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-Linux + run: cp ./cache-binary-X64-Linux/nix-actions-cache ./artifacts/nix-actions-cache-X64-Linux - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 diff --git a/.github/workflows/release-tags.yml b/.github/workflows/release-tags.yml index 1afb1c9..a9dbd24 100644 
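Review bot: In release-branches.yml the download `path:` values become `cache-binary-X64-macOS` and `cache-binary-X64-Linux`, but both `Persist the cache binary` steps still copy from the old directories (`./cache-binary-macOS/...` and `./cache-binary-Linux/...`), so `cp` finds no source file and the branch release fails. The release-prs.yml and release-tags.yml hunks of this patch already use the renamed source directories; the two lines here should match them: `run: cp ./cache-binary-X64-macOS/nix-actions-cache ./artifacts/nix-actions-cache-X64-macOS` and `run: cp ./cache-binary-X64-Linux/nix-actions-cache ./artifacts/nix-actions-cache-X64-Linux`.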
--- a/.github/workflows/release-tags.yml +++ b/.github/workflows/release-tags.yml @@ -26,17 +26,17 @@ jobs: - uses: actions/download-artifact@v3 with: - name: nix-actions-cache-macOS - path: cache-binary-macOS + name: nix-actions-cache-X64-macOS + path: cache-binary-X64-macOS - name: Persist the cache binary - run: cp ./cache-binary-macOS/nix-actions-cache ./artifacts/nix-actions-cache-macOS + run: cp ./cache-binary-X64-macOS/nix-actions-cache ./artifacts/nix-actions-cache-X64-macOS - uses: actions/download-artifact@v3 with: - name: nix-actions-cache-Linux - path: cache-binary-Linux + name: nix-actions-cache-X64-Linux + path: cache-binary-X64-Linux - name: Persist the cache binary - run: cp ./cache-binary-Linux/nix-actions-cache ./artifacts/nix-actions-cache-Linux + run: cp ./cache-binary-X64-Linux/nix-actions-cache ./artifacts/nix-actions-cache-X64-Linux - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 diff --git a/.github/workflows/upload_s3.sh b/.github/workflows/upload_s3.sh index 14e4aed..6d2bbdd 100755 --- a/.github/workflows/upload_s3.sh +++ b/.github/workflows/upload_s3.sh @@ -73,13 +73,13 @@ This commit's nix-actions-cache binaries can be fetched from: Intel macOS: \`\`\` -curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/macOS/rev/$GIT_ISH +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/rev/$GIT_ISH/X64-macOS \`\`\` x86_64 Linux: \`\`\` -curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/Linux/rev/$GIT_ISH +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/rev/$GIT_ISH/X64-Linux \`\`\` Or generally from this ${TYPE}: 
@@ -87,12 +87,12 @@ Or generally from this ${TYPE}: Intel macOS: \`\`\` -curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/macOS/${TYPE}/${DEST} +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/${TYPE}/${DEST}/X64-macOS \`\`\` x86_64 Linux: \`\`\` -curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/Linux/${TYPE}/${DEST} +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/${TYPE}/${DEST}/X64-Linux \`\`\` EOF From ea4ce1da82e933c7880bf48856e5390bfcc604a2 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 15:47:20 -0400 Subject: [PATCH 13/18] drop goop --- .github/workflows/release-branches.yml | 2 -- .github/workflows/release-prs.yml | 8 -------- 2 files changed, 10 deletions(-) diff --git a/.github/workflows/release-branches.yml b/.github/workflows/release-branches.yml index b205ac2..c27540b 100644 --- a/.github/workflows/release-branches.yml +++ b/.github/workflows/release-branches.yml @@ -6,8 +6,6 @@ on: # NOTE: make sure any branches here are also valid directory names, # otherwise creating the directory and uploading to s3 will fail - "main" - types: - - completed jobs: build: diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 7b50ffa..1d5a231 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -1,14 +1,6 @@ name: Release PR on: - workflow_run: - workflows: ["Build artifacts"] - branches: - # NOTE: make sure any branches here are also valid directory names, - # otherwise creating the directory and uploading to s3 will fail - - "main" - types: - - completed pull_request: types: - opened From 3d372eef04e4ed8eed7800d8587b9b5d4f064923 Mon Sep 17 00:00:00 2001 
From: Graham Christensen Date: Mon, 22 May 2023 16:00:53 -0400 Subject: [PATCH 14/18] Fixup PR-based links --- .github/workflows/upload_s3.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/upload_s3.sh b/.github/workflows/upload_s3.sh index 6d2bbdd..b0f61ae 100755 --- a/.github/workflows/upload_s3.sh +++ b/.github/workflows/upload_s3.sh @@ -87,12 +87,12 @@ Or generally from this ${TYPE}: Intel macOS: \`\`\` -curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/${TYPE}/${DEST}/X64-macOS +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/${TYPE}/${TYPE_ID}/X64-macOS \`\`\` x86_64 Linux: \`\`\` -curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/${TYPE}/${DEST}/X64-Linux +curl --output nix-actions-cache --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix-actions-cache/${TYPE}/${TYPE_ID}/X64-Linux \`\`\` EOF From 6f8baf43453aa1ab44b283680fec857b2db588f0 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 16:05:39 -0400 Subject: [PATCH 15/18] Update .github/workflows/upload_s3.sh Co-authored-by: Cole Helbling --- .github/workflows/upload_s3.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/upload_s3.sh b/.github/workflows/upload_s3.sh index b0f61ae..37358d0 100755 --- a/.github/workflows/upload_s3.sh +++ b/.github/workflows/upload_s3.sh @@ -27,8 +27,6 @@ if aws s3 ls "$AWS_BUCKET"/"$GIT_ISH"/; then fi fi -sudo chown $USER: -R artifacts/ - mkdir "$DEST" mkdir "$GIT_ISH" From bbaeca10a8aad2a01afc3f253d48c9e704240eab Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 16:06:24 -0400 Subject: [PATCH 16/18] Update .github/workflows/release-prs.yml --- .github/workflows/release-prs.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml index 1d5a231..f17205d 100644 --- a/.github/workflows/release-prs.yml +++ b/.github/workflows/release-prs.yml @@ -17,7 +17,13 @@ jobs: concurrency: release # Only intra-repo PRs are allowed to have PR artifacts uploaded - if: github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' && contains(github.event.pull_request.labels.*.name, 'upload to s3') + # We only want to trigger once the upload once in the case the upload label is added, not when any label is added + if: | + github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-actions-cache' + && ( + (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') + || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) + ) runs-on: ubuntu-latest permissions: id-token: write # In order to request a JWT for AWS auth From 2b56c6586cd14ba82da52e5bc54c80956fc38b8c Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 16:08:32 -0400 Subject: [PATCH 17/18] Update .github/workflows/build.yaml Co-authored-by: Cole Helbling --- .github/workflows/build.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9ed6044..808f0dc 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -33,9 +33,6 @@ jobs: - uses: DeterminateSystems/nix-installer-action-cache@main - - name: Print the arch-os - run: "echo $RUNNER_ARCH-$RUNNER_OS" - - name: Build package run: "nix build .# -L" From d6bf578707404ac16844ba9847898c6b9a281446 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Mon, 22 May 2023 16:08:40 -0400 Subject: [PATCH 18/18] Update .github/workflows/build.yaml Co-authored-by: Cole Helbling --- .github/workflows/build.yaml | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 808f0dc..ed6d911 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -12,9 +12,6 @@ jobs: - uses: DeterminateSystems/nix-installer-action-cache@main - - name: Print the arch-os - run: "echo $RUNNER_ARCH-$RUNNER_OS" - - name: Build package run: "nix build .# -L"