Merge pull request #33 from DeterminateSystems/graham/fh-870-ghacv2-make-fhca-a-composite-action-like-determinate-nix

Graham/fh 870 ghacv2 make fhca a composite action like determinate nix

Author: grahamc

.envrc

@@ -1,5 +1 @@
-if ! has nix_direnv_version || ! nix_direnv_version 2.1.1; then
-  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.1.1/direnvrc" "sha256-b6qJ4r34rbE23yWjMqbmu3ia2z4b2wIlZUksBke/ol0="
-fi
-
-use_flake
+use flake

.eslintrc.json

@@ -15,13 +15,8 @@ is_gh_throttled() {
 }
 
 # Check that the action initialized correctly.
-if [ "$EXPECT_FLAKEHUB" == "true" ]; then
-  grep 'FlakeHub cache is enabled' "${log}"
-  grep 'Using cache' "${log}"
-else
-  grep 'FlakeHub cache is disabled' "${log}" \
-  || grep 'FlakeHub: cache initialized failed' "${log}"
-fi
+grep 'FlakeHub cache is enabled' "${log}"
+grep 'Using cache' "${log}"
 
 if [ "$EXPECT_GITHUB_CACHE" == "true" ]; then
   grep 'GitHub Action cache is enabled' "${log}"
@@ -33,19 +28,17 @@ fi
 outpath=$(nix-build .github/workflows/cache-tester.nix --argstr seed "$seed")
 
 # Wait until it has been pushed succesfully.
-if [ "$EXPECT_FLAKEHUB" == "true" ]; then
-  found=
-  for ((i = 0; i < 60; i++)); do
-      sleep 1
-      if grep "✅ $(basename "${outpath}")" "${log}"; then
-          found=1
-          break
-      fi
-  done
-  if [[ -z $found ]]; then
-      echo "FlakeHub push did not happen." >&2
-      exit 1
-  fi
+found=
+for ((i = 0; i < 60; i++)); do
+    sleep 1
+    if grep "✅ $(basename "${outpath}")" "${log}"; then
+        found=1
+        break
+    fi
+done
+if [[ -z $found ]]; then
+    echo "FlakeHub push did not happen." >&2
+    exit 1
 fi
 
 if [ "$EXPECT_GITHUB_CACHE" == "true" ]; then
@@ -68,10 +61,8 @@ fi
 
 
 
-if [ "$EXPECT_FLAKEHUB" == "true" ]; then
-  # Check the FlakeHub binary cache to see if the path is really there.
-  nix path-info --store "${flakehub_binary_cache}" "${outpath}"
-fi
+# Check the FlakeHub binary cache to see if the path is really there.
+nix path-info --store "${flakehub_binary_cache}" "${outpath}"
 
 if [ "$EXPECT_GITHUB_CACHE" == "true" ] && ! is_gh_throttled; then
   # Check the GitHub binary cache to see if the path is really there.
@@ -91,16 +82,12 @@ echo "-------"
 echo "Trying to substitute the build again..."
 echo "if it fails, the cache is broken."
 
-if [ "$EXPECT_FLAKEHUB" == "true" ]; then
-  # Check the FlakeHub binary cache to see if the path is really there.
-  nix path-info --store "${flakehub_binary_cache}" "${outpath}"
-fi
+# Check the FlakeHub binary cache to see if the path is really there.
+nix path-info --store "${flakehub_binary_cache}" "${outpath}"
 
 if [ "$EXPECT_GITHUB_CACHE" == "true" ] && ! is_gh_throttled; then
   # Check the FlakeHub binary cache to see if the path is really there.
   nix path-info --store "${gha_binary_cache}" "${outpath}"
 fi
 
-if ([ "$EXPECT_GITHUB_CACHE" == "true" ] && ! is_gh_throttled) || [ "$EXPECT_FLAKEHUB" == "true" ]; then
-  nix-store --realize -vvvvvvvv "$outpath"
-fi
+nix-store --realize -vvvvvvvv "$outpath"

.gitattributes

@@ -1,80 +1,13 @@
-name: CI
-
 on:
   merge_group:
   pull_request:
   push:
     branches: [main]
 
 jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/flakehub-cache-action@main
-      - name: Check shell scripts
-        run: |
-          nix develop --command shellcheck ./.github/workflows/cache-test.sh
-      - uses: DeterminateSystems/nix-installer-action@main
-      - name: Install pnpm dependencies
-        run: nix develop --command pnpm install
-      - name: Check formatting
-        run: nix develop --command pnpm run check-fmt
-      - name: Lint
-        run: nix develop --command pnpm run lint
-      - name: Build
-        run: nix develop --command pnpm run build
-      - name: Package
-        run: nix develop --command pnpm run package
-      - run: git status --porcelain=v1
-      - run: git diff --exit-code
-
-  test-no-nix:
-    needs: build
-    name: "Test: Nix not installed"
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: "write"
-      contents: "read"
-    env:
-      ACTIONS_STEP_DEBUG: true
-    steps:
-      - uses: actions/checkout@v4
-      - name: Cache the store
-        uses: ./
-        with:
-          _internal-strict-mode: true
-
-  run-x86_64-linux-untrusted:
-    needs: build
-    name: Run x86_64-linux, Untrusted
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: "write"
-      contents: "read"
-    env:
-      ACTIONS_STEP_DEBUG: true
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
-        with:
-          flakehub: true
-          extra-conf: |
-            narinfo-cache-negative-ttl = 0
-            trusted-users = root
-      - name: Cache the store
-        uses: ./
-        with:
-          _internal-strict-mode: true
-
   run-systems:
-    if: github.event_name == 'merge_group'
-    needs: build
-    name: "Test: ${{ matrix.systems.nix-system }} gha:${{matrix.use-gha-cache}},fhc:${{matrix.use-flakehub}},id:${{matrix.id-token}},determinate:${{matrix.determinate}}"
+    # if: github.event_name == 'merge_group'
+    name: "Test: ${{ matrix.systems.nix-system }}"
     runs-on: "${{ matrix.systems.runner }}"
     permissions:
       id-token: "write"
@@ -84,8 +17,6 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        determinate: [true, false]
-        id-token: ["write", "none"]
         systems:
           - nix-system: "aarch64-darwin"
             runner: "macos-latest"
@@ -98,27 +29,50 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Install Nix on ${{ matrix.systems.nix-system }} system
-        uses: DeterminateSystems/nix-installer-action@main
+        uses: DeterminateSystems/determinate-nix-action@main
         with:
-          _internal-obliterate-actions-id-token-request-variables: ${{ matrix.id-token == 'none' }}
-          determinate: ${{ matrix.determinate }}
           extra-conf: |
             narinfo-cache-negative-ttl = 0
       - name: Cache the store
         uses: ./
         with:
           _internal-strict-mode: true
-          _internal-obliterate-actions-id-token-request-variables: ${{ matrix.id-token == 'none' }}
       - name: Check the cache for liveness
         env:
-          EXPECT_FLAKEHUB: ${{ toJson(matrix.id-token == 'write') }}
           EXPECT_GITHUB_CACHE: ${{ toJson(false) }}
         run: |
           .github/workflows/cache-test.sh
 
+  lint:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: ./.
+      - run: nix develop -c typos
+        if: success() || failure()
+      - run: nix develop -c ruff check
+        if: success() || failure()
+      - run: nix develop -c ruff format --diff
+        if: success() || failure()
+      - run: nix develop -c shellcheck ./tools/*.sh
+        if: success() || failure()
+      - name: Regenerate the README to make sure it is unchanged
+        run: nix develop -c ./tools/generate.sh
+        if: success() || failure()
+      - name: Assert no changes were made
+        run: git diff --exit-code
+        if: success() || failure()
+
   success:
     runs-on: ubuntu-latest
-    needs: run-systems
+    needs:
+      - run-systems
+      - lint
     if: always()
     steps:
       - run: "true"

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,32 @@
+on:
+  workflow_dispatch:
+    inputs:
+      reference-id:
+        type: string
+        required: true
+      version:
+        type: string
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  propose-release:
+    uses: DeterminateSystems/propose-release/.github/workflows/workflow.yml@main
+    permissions:
+      id-token: "write"
+      contents: "write"
+      pull-requests: write
+    with:
+      reference-id: ${{ inputs.reference-id }}
+      version: ${{ inputs.version }}
+      extra-commands-early: |
+        nix develop -c ./tools/update-state.sh "v$VERSION"
+        git diff || true
+        git commit -m "Update the state.json for v$VERSION" ./tools/state.json
+        nix develop -c ./tools/generate.sh
+        git commit -m "Update README.md and action.yml for v$VERSION" README.md action.yml
+        echo "Checking there is no remaining diff..."
+        git diff --exit-code