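# Update: evaluate and build capkgs, push the results to the binary cache and
# commit the updated package set. Triggers: pushes to main, pull requests, a
# weekday schedule, and manual dispatch (optionally against a PR number).
#
# SECURITY: the last step runs repository code (the flake's devShell and
# `just ci`) with long-lived credentials present on the runner (Nix signing
# key, netrc, S3/AWS keys). Fork PRs are therefore gated on the local
# detect-pr action and only build when a maintainer explicitly dispatches the
# workflow with a PR number. How detect-pr establishes trust is not visible
# in this file; a maintainer must review the exact commit that will be
# checked out before dispatching.
name: Update
run-name: ${{github.actor}} is updating capkgs
on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: Optional PR number, for maintainer use
        required: false
  push:
    branches:
      - main
  pull_request:
  schedule:
    # Weekdays at 14:14 UTC.
    - cron: "14 14 * * 1-5"
# `contents: write` is required by the commit made at the end of the build
# step; `pull-requests: read` is presumably what detect-pr needs to look up
# the PR. On pull_request events from forks GitHub by default hands out a
# read-only GITHUB_TOKEN and no secrets regardless of these settings.
permissions:
  contents: write
  pull-requests: read
concurrency:
  # NOTE(review): a workflow_dispatch run has no head_ref, so it falls into
  # the same group as push/schedule runs on main and they cancel each other,
  # possibly while a run is mid-commit or mid-cache-push. Confirm that is
  # intended.
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are referenced by mutable tag.
      # Pinning each to a full commit SHA (tag kept in a trailing comment)
      # removes the tag-retargeting supply-chain risk.
      - name: Checkout
        uses: actions/checkout@v4
      # Resolves which PR (if any) to build, including a maintainer-declared
      # fork PR via workflow_dispatch + pr_number, and emits is_trusted plus
      # the base/head refs consumed below.
      - name: Detect PR context
        id: detect-pr
        uses: ./.github/actions/detect-pr
      # For PRs, check out a merge base, including for forked PRs.
      # NOTE(review): if head_ref is a branch name rather than a commit SHA,
      # the fork can push new commits between the maintainer's review and the
      # dispatch; prefer resolving head_ref to the reviewed SHA.
      - name: Checkout and merge PR
        uses: ./.github/actions/checkout-merge
        with:
          base_ref: ${{ steps.detect-pr.outputs.base_ref }}
          head_ref: ${{ steps.detect-pr.outputs.head_ref }}
          pr_number: ${{ steps.detect-pr.outputs.pr_number }}
      # Informational only: the job still succeeds. Every later step is gated
      # on is_trusted == 'true', so an untrusted fork PR builds nothing and
      # never has the secrets materialised.
      - name: Exit early if untrusted
        if: steps.detect-pr.outputs.is_trusted == 'false'
        run: |
          echo "Exiting early due to an untrusted fork PR."
          echo "A maintainer can optionally run this via workflow dispatch with a declared PR input number."
          exit 0
      # Hosted runners ship large toolchains this build does not use.
      - name: Free up disk space
        if: steps.detect-pr.outputs.is_trusted == 'true'
        run: |
          pwd
          df -h
          sudo rm -rf \
            /usr/share/dotnet \
            /usr/share/swift \
            /usr/local/lib/android \
            /opt/hostedtoolcache \
            /opt/ghc \
            /opt/az
          sudo docker image prune --all --force
          df -h
      - name: Install Nix
        if: steps.detect-pr.outputs.is_trusted == 'true'
        uses: cachix/install-nix-action@v30
        with:
          # Substituters are trusted only under the listed public keys.
          # secret-key-files names a file the build step writes later; Nix
          # reads it when signing locally built paths, so it need not exist
          # at install time. github.workspace replaces the previous hard-coded
          # /home/runner/work/<repo>/<repo> path so a renamed repository or
          # fork does not silently point at a non-existent key.
          extra_nix_config: |
            trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
            substituters = https://cache.iog.io https://cache.nixos.org/
            min-free = 1073741824
            max-free = 2147483648
            secret-key-files = ${{ github.workspace }}/hydra_key
            experimental-features = fetch-closure flakes nix-command
      # Secrets reach the script through `env` and are written with printf,
      # instead of being spliced into the shell source via `${{ }}` expansion
      # (which breaks on quotes in the secret and is a classic injection
      # surface).
      - name: CI eval, build, cache push and commit
        if: steps.detect-pr.outputs.is_trusted == 'true'
        run: |
          set -euo pipefail
          git config --local user.name "GitHub Actions"
          git config --local user.email "actions@github.com"

          # Credential files are owner-only from creation (umask in a
          # subshell so the rest of the build keeps the default umask);
          # the chmod is belt-and-braces.
          (
            umask 077
            printf '%s\n' "$NIX_SIGNING_KEY" > hydra_key
            printf '%s\n' "$IOHK_DEVOPS_NETRC_FILE" > .netrc
          )
          chmod 600 hydra_key .netrc
          # This step commits; make sure the credential files can never be
          # swept up by a broad `git add`, without touching the tracked
          # .gitignore.
          mkdir -p .git/info
          printf 'hydra_key\n.netrc\n' >> .git/info/exclude
          export NETRC_FILE="$(pwd)/.netrc"

          # Informational; a failure here must not abort the job. Plain
          # `--netrc` reads $HOME/.netrc, which does not hold these
          # credentials, so the file just written is passed explicitly.
          # Assumes the netrc contains an api.github.com entry.
          echo "Current api rate limit status:"
          curl -fsS --netrc-file "$NETRC_FILE" https://api.github.com/rate_limit | jq .rate \
            || echo "Rate limit check failed (non-fatal)"

          # --ignore-environment drops everything, including the raw secret
          # values above; only the allow-listed variables enter the shell.
          # NOTE(review): NIX_SIGNING_KEY_FILE is set on this step but not
          # kept, so `just ci` cannot see it; signing happens in Nix via
          # secret-key-files. Confirm whether the variable is still needed.
          nix develop \
            --ignore-environment \
            --keep AWS_ACCESS_KEY_ID \
            --keep AWS_SECRET_ACCESS_KEY \
            --keep CI \
            --keep LOG_LEVEL \
            --keep S3_ENDPOINT \
            --keep NETRC_FILE \
            --command just ci
        env:
          AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
          AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
          IOHK_DEVOPS_NETRC_FILE: "${{ secrets.IOHK_DEVOPS_NETRC_FILE }}"
          LOG_LEVEL: "debug"
          NIX_SIGNING_KEY: "${{ secrets.NIX_SIGNING_KEY }}"
          NIX_SIGNING_KEY_FILE: "${{ github.workspace }}/hydra_key"
          S3_ENDPOINT: "${{ secrets.S3_ENDPOINT }}"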