@@ -20,109 +20,61 @@ concurrency:
2020
2121jobs :
2222 nix-matrix :
23- runs-on : ubuntu-latest
23+ runs-on :
24+ group : self-hosted-runners-nix
25+ labels :
26+ - aarch64-darwin
2427 outputs :
2528 matrix : ${{ steps.set-matrix.outputs.matrix }}
2629 steps :
27- - uses : actions/checkout@v4
28- - uses : cachix/install-nix-action@v30
30+ - name : Checkout Repo
31+ uses : actions/checkout@v4
2932 - id : set-matrix
3033 name : Generate Nix Matrix
3134 run : |
3235 set -Eeu
33- matrix="$(nix eval --json '.#githubActions.matrix')"
34- echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
36+ echo matrix="$(nix eval --json '.#githubActions.matrix')" >> "$GITHUB_OUTPUT"
3537
3638build-run-image :
3739 name : ${{ matrix.name }} (${{ matrix.system }})
3840 needs : nix-matrix
39- runs-on : ${{ matrix.os }}
41+ runs-on :
42+ group : ${{ contains(matrix.os, 'blacksmith-32vcpu-ubuntu-2404') && '' || 'self-hosted-runners-nix' }}
43+ labels :
44+ - ${{ matrix.os }}
4045 strategy :
4146 fail-fast : false
4247 matrix : ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
43- timeout-minutes : 180
4448 steps :
4549 - name : Checkout Repo
46- uses : supabase/postgres/.github/actions/shared-checkout@HEAD
50+ uses : actions/checkout@v4
51+ - name : aws-oidc
52+ uses :
aws-actions/[email protected] 53+ with :
54+ aws-region : us-east-2
55+ role-to-assume : arn:aws:iam::279559813984:role/supabase-github-oidc-role # Shared Services
56+ role-session-name : gha-oidc-${{ github.run_id }}
4757 - name : aws-creds
48- uses : aws-actions/configure-aws-credentials@v4
49- if : ${{ github.secret_source == 'Actions' }}
58+ uses :
aws-actions/[email protected] 5059 with :
51- role-to-assume : ${{ secrets.DEV_AWS_ROLE }}
52- aws-region : " us-east-1"
53- output-credentials : true
54- role-duration-seconds : 7200
55- - name : Setup AWS credentials for Nix
56- if : ${{ github.secret_source == 'Actions' }}
57- run : |
58- sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
59- sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
60- sudo -H aws configure set aws_session_token $AWS_SESSION_TOKEN
61- name : write secret key
62- # use python so we don't interpolate the secret into the workflow logs, in case of bugs
63- run : |
64- sudo mkdir -p /etc/nix
65- sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
66- env :
67- NIX_SIGN_SECRET_KEY : ${{ secrets.NIX_SIGN_SECRET_KEY }}
68- - name : Setup cache script
69- if : ${{ github.secret_source == 'Actions' }}
60+ disable-retry : true
61+ aws-region : us-east-2
62+ role-to-assume : arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
63+ role-session-name : gha-oidc-${{ github.run_id }}
64+ role-chaining : true
65+ role-skip-session-tagging : true
66+ role-duration-seconds : 900 # TODO: switch to 18000 (5 hours)
67+ - name : Write creds files
7068 run : |
71- cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
72- #!/usr/bin/env bash
73- set -euf
74- export IFS=' '
75- /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
69+ umask 006
70+ cat > /etc/nix/aws/nix-aws-credentials <<EOF
71+ [ci-uploader]
72+ aws_access_key_id = ${AWS_ACCESS_KEY_ID}
73+ aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
74+ aws_session_token = ${AWS_SESSION_TOKEN}
7675 EOF
77- sudo chmod +x /etc/nix/upload-to-cache.sh
78- name : Install nix
79- uses : cachix/install-nix-action@v27
80- if : ${{ github.secret_source == 'Actions' }}
81- with :
82- install_url : https://releases.nixos.org/nix/nix-2.29.1/install
83- extra_nix_config : |
84- substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
85- trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
86- post-build-hook = /etc/nix/upload-to-cache.sh
87- name : Install nix
88- uses : cachix/install-nix-action@v27
89- if : ${{ github.secret_source == 'None' }}
90- with :
91- install_url : https://releases.nixos.org/nix/nix-2.29.1/install
92- extra_nix_config : |
93- substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
94- trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
95- name : Aggressive disk cleanup for DuckDB build
96- if : matrix.runner == 'macos-latest-xlarge'
97- run : |
98- nix --version
99- echo "=== BEFORE CLEANUP ==="
100- df -h
101- # Remove major space consumers
102- sudo rm -rf /usr/share/dotnet || true
103- sudo rm -rf /usr/local/lib/android || true
104- sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform || true
105- sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/watchOS.platform || true
106- sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/tvOS.platform || true
107- # Clean everything possible
108- sudo rm -rf /opt/ghc || true
109- sudo rm -rf /usr/local/share/boost || true
110- sudo rm -rf /opt/homebrew || true
111- sudo xcrun simctl delete all 2>/dev/null || true
112- # Aggressive cache cleanup
113- sudo rm -rf /System/Library/Caches/* 2>/dev/null || true
114- sudo rm -rf /Library/Caches/* 2>/dev/null || true
115- sudo rm -rf ~/Library/Caches/* 2>/dev/null || true
116- sudo rm -rf /private/var/log/* 2>/dev/null || true
117- sudo rm -rf /tmp/* 2>/dev/null || true
118- echo "=== AFTER CLEANUP ==="
119- df -h
120- run : nix build -L '.#${{ matrix.attr }}'
121- env :
122- AWS_ACCESS_KEY_ID : ${{ env.AWS_ACCESS_KEY_ID }}
123- AWS_SECRET_ACCESS_KEY : ${{ env.AWS_SECRET_ACCESS_KEY }}
124- AWS_SESSION_TOKEN : ${{ env.AWS_SESSION_TOKEN }}
125-
76+ name : nix-fast-build
77+ run : nix build -L
12678 run-tests :
12779 needs : build-run-image
12880 if : ${{ success() }}
0 commit comments