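---
# Validates the Nix flake in this repository: secret scan and lint first, then a
# matrix build of every nixosConfigurations / darwinConfigurations entry the
# flake exposes. Rendered with consistent 2-space indentation.
name: "Nix Configuration Validation"

# Least privilege for the default GITHUB_TOKEN: every job here only reads the
# repository, and the token is used solely as a nix `access-tokens` credential
# for fetching flake inputs. NOTE(review): if a step later needs write access
# (e.g. annotations), grant it per job rather than widening this default.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - "main"
    paths-ignore:
      - "README.md"
  pull_request:
    branches:
      - "main"

jobs:
  security-check:
    name: GitGuardian Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history so the scanner can cover the pushed commit range, not
          # only the checked-out HEAD.
          fetch-depth: 0
      - name: GitGuardian scan
        uses: GitGuardian/ggshield/actions/secret@v1.49.0
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

  lint:
    name: Statix Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install Nix
        # Pinned to the same release the other jobs use; `@main` is a mutable
        # reference that can change underneath a workflow that handles secrets.
        uses: DeterminateSystems/nix-installer-action@v22
        with:
          extra-conf: |
            extra-experimental-features = nix-command flakes external-builders
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Run statix linter
        run: |
          echo "Linting Flake..."
          nix run nixpkgs#statix -- check .
          nix run nixpkgs#deadnix -- -eq .

  detect-configs:
    name: Detect Configurations
    runs-on: ubuntu-latest
    outputs:
      # JSON of the form {"include":[{name,os,type,cmd,config},...]},
      # consumed by test-configurations via fromJson.
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v6
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v22
        with:
          extra-conf: |
            extra-experimental-features = nix-command flakes external-builders
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Generate Configuration Matrix
        id: set-matrix
        shell: bash
        env:
          NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}"
        run: |
          # Ask the flake itself which configurations exist.
          echo "Detecting NixOS configurations..."
          NIXOS_CONFIGS=$(nix eval --impure --json .#nixosConfigurations --apply builtins.attrNames)
          echo "Detecting Darwin configurations..."
          # darwinConfigurations is optional: a missing attribute yields an empty list.
          DARWIN_CONFIGS=$(nix eval --impure --json .#darwinConfigurations --apply builtins.attrNames 2>/dev/null || echo "[]")

          echo "Detected NixOS configs: $NIXOS_CONFIGS"
          echo "Detected Darwin configs: $DARWIN_CONFIGS"

          # Build the matrix with jq instead of string concatenation: names are
          # JSON-escaped (a name containing a quote or space no longer corrupts
          # the document), empty lists need no special casing, and there is no
          # trailing-comma fixup. Key order and values match the previous format.
          echo "Building matrix JSON..."
          MATRIX_JSON=$(jq -cn \
            --argjson nixos "$NIXOS_CONFIGS" \
            --argjson darwin "$DARWIN_CONFIGS" \
            '{include: (
                ($nixos | map({name: ., os: "ubuntu-latest", type: "nixos", cmd: "os",
                               config: ("nixosConfigurations." + . + ".config.system.build.toplevel")}))
                + ($darwin | map({name: ., os: "macos-latest", type: "darwin", cmd: "darwin",
                                  config: ("darwinConfigurations." + . + ".system")}))
              )}')

          echo "Matrix JSON: $MATRIX_JSON"
          echo "matrix=$MATRIX_JSON" >> "$GITHUB_OUTPUT"

  test-configurations:
    name: Test Nix Configurations
    needs: [security-check, lint, detect-configs]
    runs-on: ${{ matrix.os }}
    strategy:
      # Keep building the remaining hosts when one configuration fails.
      fail-fast: false
      matrix: ${{ fromJson(needs.detect-configs.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v6
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v22
        with:
          extra-conf: |
            extra-experimental-features = nix-command flakes external-builders
            substituters = https://cache.nixos.org https://frostplexx.cachix.org https://nvf.cachix.org https://nix-community.cachix.org
            extra-substituters = https://install.determinate.systems
            trusted-substituters = https://cache.nixos.org https://frostplexx.cachix.org https://nvf.cachix.org https://nix-community.cachix.org
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= frostplexx.cachix.org-1:kjkhnGNSkUvf5Mx8OEfhzaR830CUkDRglaKduAcr3UQ= nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= sorbet.cachix.org-1:p1+jtoj8v75vhRut7fGY5jL7k4BNMFvMBcQSDKbF3Aw=
            extra-trusted-public-keys = cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
      - name: Setup Cachix Auth
        uses: cachix/cachix-action@v17
        with:
          name: sorbet
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      # TODO(review): pin to a release tag; `@main` is a mutable reference.
      - uses: DeterminateSystems/flake-checker-action@main
      - name: Check flake
        env:
          NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}"
        run: nix flake check
      - name: Build Configuration
        env:
          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
          NIX_CONFIG: "access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}"
          # Matrix values reach the script through the environment rather than
          # by ${{ }} interpolation, so they are treated as data, never as shell.
          CONFIG_NAME: ${{ matrix.name }}
          CONFIG_TYPE: ${{ matrix.type }}
          NH_CMD: ${{ matrix.cmd }}
        run: |
          echo "Building configuration for $CONFIG_NAME ($CONFIG_TYPE) with command $NH_CMD"
          nix run nixpkgs#nh -- "$NH_CMD" build --no-nom -H "$CONFIG_NAME" .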