chore(deps): update nixpkgs digest to 975dad1 (#955) #3369
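# NOTE: looks interesting https://github.com/DeterminateSystems/ci
#
# Validates the Nix configuration on every push / pull request to "main":
#   security-check        -> GitGuardian secret scan over the full checkout
#   lint                  -> `just lint` (statix)
#   build-linux-packages  -> builds the Linux packages on x86_64 and arm64
#   test-configurations   -> `nix flake check` and an `nh` build of the
#                            NixOS / nix-darwin configuration per OS
# The anchors &linux_packages and &nix-extra-conf are reused across jobs, so
# this file relies on the workflow parser resolving YAML aliases.
name: "Nix Configuration Validation"
on:
  push:
    branches:
      - "main"
  pull_request:
    branches:
      - "main"

# One run per workflow + ref; a newer push cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-check:
    name: GitGuardian Security Scan
    runs-on: ubuntu-latest
    # Least privilege: the job only checks out the repository; the scanner is
    # authenticated with its own API key (env below), not GITHUB_TOKEN.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history; the scan step is handed commit-range SHAs below.
          fetch-depth: 0
      - name: GitGuardian scan
        uses: GitGuardian/ggshield/actions/secret@3ff83341cab96f0ac0dddc1faffcd7ba9d1886ed # v1.49.0
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}

  lint:
    name: Statix Lint
    runs-on: ubuntu-latest
    permissions:
      # OIDC token — presumably used by the Determinate tooling for FlakeHub
      # login; the explicit token login below does not need it. TODO confirm.
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Nix
        # NOTE(review): version tag, not a commit SHA like the checkout above;
        # consider pinning to the SHA the tag resolves to (same for every
        # determinate-nix-action / setup-just / cachix-action use in this file).
        uses: DeterminateSystems/determinate-nix-action@v3.17.3
      # NOTE(review): `@main` is a moving target — pin to a commit SHA as
      # actions/checkout is (also applies to flake-checker-action below).
      - uses: DeterminateSystems/magic-nix-cache-action@main
        with:
          use-flakehub: false
      - name: Re-authenticate with FlakeHub token
        # The secret reaches the shell via the environment rather than being
        # expanded into the script text by the expression engine.
        env:
          FLAKEHUB_TOKEN: ${{ secrets.FLAKEHUB_TOKEN }}
        run: |
          printf '%s\n' "$FLAKEHUB_TOKEN" | determinate-nixd auth login token --token-file /dev/stdin
      - name: Install Just
        uses: extractions/setup-just@v4
        with:
          just-version: "1.40.0"
      - name: Run statix linter
        # Records the outcome in $GITHUB_ENV (success=true|false) and dumps
        # flake.lock on failure to make lock-file drift visible in the log.
        run: |
          echo "Linting Flake..."
          if just lint; then
            echo "success=true" >> "$GITHUB_ENV"
          else
            echo "Lint failed, listing flake.lock for debugging:"
            cat flake.lock
            echo "success=false" >> "$GITHUB_ENV"
            exit 1
          fi

  build-linux-packages:
    # FIX: workaround this: https://github.com/actions/runner-images/issues/13505
    # by caching the linux package first and then hopefully macos uses the
    # cached pkg and doesn't need to use nested virtualization
    name: Build Linux Packages
    needs: [security-check, lint]
    # Least privilege: checkout only; cachix authenticates with its own token.
    permissions:
      contents: read
    strategy:
      matrix:
        include:
          # Same package list on both architectures. `packages` is a list in
          # every entry so `join()` below always sees one shape.
          - os: ubuntu-latest
            packages: &linux_packages
              - ".#kubectl-debug"
          - os: "ubuntu-24.04-arm"
            packages: *linux_packages
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Nix
        uses: DeterminateSystems/determinate-nix-action@v3.17.3
        # Shared Nix settings; test-configurations reuses them via *nix-extra-conf.
        with: &nix-extra-conf
          extra-conf: |
            extra-experimental-features = nix-command flakes external-builders
            substituters = https://cache.nixos.org https://ojsef39.cachix.org https://nvf.cachix.org https://nix-community.cachix.org
            trusted-substituters = https://cache.nixos.org https://ojsef39.cachix.org https://nvf.cachix.org https://nix-community.cachix.org
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ojsef39.cachix.org-1:Pe8zOhPVMt4fa/2HYlquHkTnGX3EH7lC9xMyCA2zM3Y= nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
      - name: Setup Cachix Auth
        uses: cachix/cachix-action@v17
        with:
          name: ojsef39
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      - name: Build packages
        # matrix.packages is defined in this file, so the expansion is
        # workflow-controlled input, not user-controlled.
        run: |
          for pkg in ${{ join(matrix.packages, ' ') }}; do
            nix build --inputs-from . "$pkg"
          done

  test-configurations:
    name: Test Nix Configurations
    needs: [security-check, lint, build-linux-packages]
    runs-on: ${{ matrix.os }}
    permissions:
      # OIDC token — presumably for the Determinate/FlakeHub login. TODO confirm.
      id-token: write
      contents: read
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
        # nix_cmd / nix_host select the nh subcommand and the flake host to
        # build for each runner OS.
        include:
          - os: macos-latest
            nix_cmd: "darwin"
            nix_host: "mac"
          - os: ubuntu-latest
            nix_cmd: "os"
            nix_host: "josef-nd1-gpu0"
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Nix
        uses: DeterminateSystems/determinate-nix-action@v3.17.3
        with: *nix-extra-conf
      - name: Re-authenticate with FlakeHub token
        # Secret passed through the environment, as in the lint job.
        env:
          FLAKEHUB_TOKEN: ${{ secrets.FLAKEHUB_TOKEN }}
        run: |
          printf '%s\n' "$FLAKEHUB_TOKEN" | determinate-nixd auth login token --token-file /dev/stdin
      - name: Configure Determinate Linux Builder
        if: matrix.os == 'macos-latest'
        # Enables the Determinate Linux builder on the macOS runner (2 CPUs,
        # 4 GiB) and restarts the daemon so the new config is picked up; the
        # sleep presumably gives the daemon time to come back before use.
        run: |
          sudo mkdir -p /etc/determinate
          echo '{"builder":{"state":"enabled","cpuCount":2,"memoryBytes":4294967296}}' | sudo tee /etc/determinate/config.json
          sudo launchctl kickstart -k system/systems.determinate.nix-daemon
          sleep 2
      - name: Install Just
        uses: extractions/setup-just@v4
        with:
          # Same version as the lint job so both jobs run identical tooling.
          just-version: "1.40.0"
      - name: Setup Cachix Auth
        uses: cachix/cachix-action@v17
        with:
          name: ojsef39
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      # NOTE(review): floating `@main` ref — pin to a commit SHA.
      - uses: DeterminateSystems/flake-checker-action@main
      - name: Flake check
        run: nix flake check
      - name: Check Configuration
        env:
          CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
        run: |
          nix run nixpkgs#nh -- ${{ matrix.nix_cmd }} build --no-nom -H ${{ matrix.nix_host }} .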