Skip to content

Nix CI

Nix CI #1

Workflow file for this run

name: Nix CI
on:
push:
branches:
- develop
- release/*
pull_request:
workflow_dispatch:
permissions:
contents: read
id-token: write
jobs:
build-run-image:
strategy:
fail-fast: false
matrix:
include:
- runner: larger-runner-4cpu
arch: amd64
- runner: arm-runner
arch: arm64
- runner: macos-latest
arch: arm64
- runner: macos-13
arch: amd64
runs-on: ${{ matrix.runner }}
timeout-minutes: 180
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref || github.ref }}
fetch-depth: 0
fetch-tags: true
- name: aws-creds
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
aws-region: "us-east-1"
output-credentials: true
role-duration-seconds: 7200
- name: write secret key
# use python so we don't interpolate the secret into the workflow logs, in case of bugs
run: |
python -c "import os; file = open('nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
env:
NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
- name: Log in to Docker Hub
if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build psql bundle with nix
if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
run: docker build -t base_nix -f docker/nix/Dockerfile .
- name: Run build psql bundle
if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
run: |
docker run -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} \
-e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} \
-e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} \
base_nix bash -c "./workspace/docker/nix/build_nix.sh"
- name: Build psql bundle on macos
if: matrix.runner == 'macos-latest' || matrix.runner == 'macos-13'
run: |
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
--extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \
--extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
. /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
cp ./docker/nix/build_nix.sh ./build_nix.sh
sed -i '' '1s|^#!/bin/env bash|#!/usr/bin/env bash|' ./build_nix.sh
chmod +x ./build_nix.sh
./build_nix.sh
env:
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
name: build psql bundle on ${{ matrix.arch }}