server : better security control for public deployments (#9776) #461
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Nix CI | |
on: | |
workflow_dispatch: # allows manual triggering | |
push: | |
branches: | |
- master | |
pull_request: | |
types: [opened, synchronize, reopened] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref && github.ref || github.run_id }} | |
cancel-in-progress: true | |
# Fine-grant permission | |
# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token | |
permissions: | |
# https://github.com/DeterminateSystems/nix-installer-action?tab=readme-ov-file#with-flakehub | |
id-token: write | |
contents: read | |
jobs: | |
nix-eval: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-latest ] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install Nix | |
uses: DeterminateSystems/nix-installer-action@v9 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
extra-conf: | | |
extra-substituters = https://llama-cpp.cachix.org https://cuda-maintainers.cachix.org | |
extra-trusted-public-keys = llama-cpp.cachix.org-1:H75X+w83wUKTIPSO1KWy9ADUrzThyGs8P5tmAbkWhQc= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E= | |
- uses: DeterminateSystems/magic-nix-cache-action@v2 | |
with: | |
upstream-cache: https://${{ matrix.cachixName }}.cachix.org | |
- name: List all flake outputs | |
run: nix flake show --all-systems | |
- name: Show all output paths | |
run: > | |
nix run github:nix-community/nix-eval-jobs | |
-- --gc-roots-dir gcroot | |
--flake | |
".#packages.$(nix eval --raw --impure --expr builtins.currentSystem)" | |
nix-build: | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ ubuntu-latest, macos-latest ] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Install Nix | |
uses: DeterminateSystems/nix-installer-action@v9 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
extra-conf: | | |
extra-substituters = https://llama-cpp.cachix.org https://cuda-maintainers.cachix.org | |
extra-trusted-public-keys = llama-cpp.cachix.org-1:H75X+w83wUKTIPSO1KWy9ADUrzThyGs8P5tmAbkWhQc= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E= | |
- uses: DeterminateSystems/magic-nix-cache-action@v2 | |
with: | |
upstream-cache: https://${{ matrix.cachixName }}.cachix.org | |
- name: Set-up cachix to push the results to | |
uses: cachix/cachix-action@v13 | |
with: | |
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' | |
name: llama-cpp | |
- name: Build | |
run: > | |
nix run github:Mic92/nix-fast-build | |
-- --skip-cached --no-nom | |
--flake | |
".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)" |