CI #502
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jobs: | |
_1_init: | |
name: Initial Nix job | |
permissions: | |
actions: write | |
contents: write | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
- name: Install Nix | |
uses: nixbuild/nix-quick-install-action@v25 | |
with: | |
nix_conf: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
substituters = https://cache.nixos.org/ https://nix-community.cachix.org https://cache.iog.io https://deemp.cachix.org | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= deemp.cachix.org-1:9shDxyR2ANqEPQEEYDL/xIOnoPwxHot21L5fiZnFL18= | |
keep-outputs = true | |
- name: Restore and cache Nix store | |
uses: nix-community/cache-nix-action@v1 | |
with: | |
key: nix-ubuntu-22.04-init-${{ hashfiles('**/flake.nix', '**/flake.lock') }} | |
linux-gc-enabled: true | |
linux-max-store-size: 4500000000 | |
restore-keys: | | |
nix-ubuntu-22.04-init- | |
- name: Remove old cache profiles | |
run: rm -rf /nix/var/nix/profiles/cache | |
- name: Configure git for github-actions | |
run: | | |
git config --global user.name github-actions | |
git config --global user.email github-actions@github.com | |
- name: Update flake locks | |
run: |- | |
nix profile install .#updateLocks | |
nix run .#updateLocks | |
- name: Format Nix files | |
run: |- | |
nix profile install .#format | |
nix run .#format | |
- name: Run writers | |
run: |- | |
nix profile install .#writeAll | |
nix run .#writeAll | |
- name: Commit & Push | |
run: |- | |
git pull --rebase --autostash | |
git add . | |
git commit \ | |
-m "action" \ | |
-m "Update flake locks" \ | |
-m "Format Nix files" \ | |
-m "Run writers" \ | |
|| echo "commit failed!" | |
git push | |
- name: Purge cache | |
uses: deemp/purge-cache@v1 | |
with: | |
accessed: false | |
created: true | |
debug: true | |
max-age: 172800 | |
_2_cache: | |
name: Caching Nix | |
needs: | |
- _1_init | |
permissions: | |
actions: write | |
contents: write | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
- name: Install Nix | |
uses: nixbuild/nix-quick-install-action@v25 | |
with: | |
nix_conf: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
substituters = https://cache.nixos.org/ https://nix-community.cachix.org https://cache.iog.io https://deemp.cachix.org | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= deemp.cachix.org-1:9shDxyR2ANqEPQEEYDL/xIOnoPwxHot21L5fiZnFL18= | |
keep-outputs = true | |
- name: Restore and cache Nix store | |
uses: nix-community/cache-nix-action@v1 | |
with: | |
key: nix-${{ matrix.os }}-caching-${{ hashfiles('**/flake.nix', '**/flake.lock') }} | |
linux-gc-enabled: true | |
linux-max-store-size: 7500000000 | |
macos-gc-enabled: true | |
macos-max-store-size: 7000000000 | |
restore-keys: | | |
nix-${{ matrix.os }}-caching- | |
- name: Remove old cache profiles | |
run: rm -rf /nix/var/nix/profiles/cache | |
- env: | |
CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
CACHIX_CACHE: ${{ secrets.CACHIX_CACHE }} | |
name: Push flakes to Cachix | |
run: |- | |
nix profile install .#pushToCachix | |
nix run .#pushToCachix | |
- name: Purge cache | |
uses: deemp/purge-cache@v1 | |
with: | |
accessed: false | |
created: true | |
debug: true | |
max-age: 172800 | |
strategy: | |
matrix: | |
os: | |
- macos-11 | |
- macos-12 | |
- ubuntu-20.04 | |
- ubuntu-22.04 | |
_3_changed-files-app_purescript: | |
name: Check if app_purescript has any modified files | |
needs: | |
- _1_init | |
outputs: | |
app_purescript: ${{ steps.changed-files.outputs.any_modified }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- id: changed-files | |
name: Get changed files | |
uses: tj-actions/changed-files@v37 | |
with: | |
files: | | |
app_purescript/** | |
flake* | |
.github/** | |
sha: ${{ github.sha }} | |
- if: steps.changed-files.outputs.any_modified == 'true' | |
name: List changed files | |
run: echo "${{ steps.changed-files.outputs.all_changed_files }}" | |
_3_changed-files-app_python: | |
name: Check if app_python has any modified files | |
needs: | |
- _1_init | |
outputs: | |
app_python: ${{ steps.changed-files.outputs.any_modified }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- id: changed-files | |
name: Get changed files | |
uses: tj-actions/changed-files@v37 | |
with: | |
files: | | |
app_python/** | |
flake* | |
.github/** | |
sha: ${{ github.sha }} | |
- if: steps.changed-files.outputs.any_modified == 'true' | |
name: List changed files | |
run: echo "${{ steps.changed-files.outputs.all_changed_files }}" | |
_4_app-ci-app_purescript: | |
defaults: | |
run: | |
working-directory: app_purescript | |
if: needs._3_changed-files-app_purescript.outputs.app_purescript == 'true' | |
name: CI for app_purescript | |
needs: | |
- _3_changed-files-app_purescript | |
permissions: | |
actions: write | |
contents: write | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
- name: Install Nix | |
uses: nixbuild/nix-quick-install-action@v25 | |
with: | |
nix_conf: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
substituters = https://cache.nixos.org/ https://nix-community.cachix.org https://cache.iog.io https://deemp.cachix.org | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= deemp.cachix.org-1:9shDxyR2ANqEPQEEYDL/xIOnoPwxHot21L5fiZnFL18= | |
keep-outputs = true | |
- name: Restore and cache Nix store | |
uses: nix-community/cache-nix-action@v1 | |
with: | |
key: nix-${{ matrix.os }}-app-${{ hashfiles('**/flake.nix', '**/flake.lock') }} | |
linux-gc-enabled: true | |
linux-max-store-size: 2000000000 | |
macos-gc-enabled: true | |
macos-max-store-size: 2000000000 | |
restore-keys: | | |
nix-${{ matrix.os }}-app- | |
- name: Remove old cache profiles | |
run: rm -rf /nix/var/nix/profiles/cache | |
- uses: actions/cache@v3 | |
with: | |
key: ${{ runner.os }}-front-${{ hashFiles('**/*.dhall') }} | |
path: | | |
~/.npm | |
./app_purescript/.spago | |
restore-keys: ${{ runner.os }}-front- | |
- name: Build app | |
run: |- | |
nix profile install .#build | |
nix run .#build | |
- env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
name: Run Snyk to check for vulnerabilities (Node.js) | |
run: |- | |
nix profile install .#snykTest | |
nix run .#snykTest | |
- name: Test app | |
run: |- | |
nix profile install .#test | |
nix run .#test | |
- name: Purge cache | |
uses: deemp/purge-cache@v1 | |
with: | |
accessed: false | |
created: true | |
debug: true | |
max-age: 172800 | |
strategy: | |
matrix: | |
os: | |
- ubuntu-22.04 | |
- macos-12 | |
_4_app-ci-app_python: | |
defaults: | |
run: | |
working-directory: app_python | |
if: needs._3_changed-files-app_python.outputs.app_python == 'true' | |
name: CI for app_python | |
needs: | |
- _3_changed-files-app_python | |
permissions: | |
actions: write | |
contents: write | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
- name: Install Nix | |
uses: nixbuild/nix-quick-install-action@v25 | |
with: | |
nix_conf: | | |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
substituters = https://cache.nixos.org/ https://nix-community.cachix.org https://cache.iog.io https://deemp.cachix.org | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= deemp.cachix.org-1:9shDxyR2ANqEPQEEYDL/xIOnoPwxHot21L5fiZnFL18= | |
keep-outputs = true | |
- name: Restore and cache Nix store | |
uses: nix-community/cache-nix-action@v1 | |
with: | |
key: nix-${{ matrix.os }}-app-${{ hashfiles('**/flake.nix', '**/flake.lock') }} | |
linux-gc-enabled: true | |
linux-max-store-size: 2000000000 | |
macos-gc-enabled: true | |
macos-max-store-size: 2000000000 | |
restore-keys: | | |
nix-${{ matrix.os }}-app- | |
- name: Remove old cache profiles | |
run: rm -rf /nix/var/nix/profiles/cache | |
- name: Lint app | |
run: |- | |
nix profile install .#lint | |
nix run .#lint | |
- env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
name: Run Snyk to check for vulnerabilities (Python) | |
run: |- | |
nix profile install .#snykTest | |
nix run .#snykTest | |
- name: Test app | |
run: |- | |
nix profile install .#test | |
nix run .#test | |
- name: Purge cache | |
uses: deemp/purge-cache@v1 | |
with: | |
accessed: false | |
created: true | |
debug: true | |
max-age: 172800 | |
strategy: | |
matrix: | |
os: | |
- ubuntu-22.04 | |
- macos-12 | |
_5_push-to-docker-hub-app_purescript: | |
name: Push 'app_purescript' to Docker Hub | |
needs: | |
- _4_app-ci-app_purescript | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
- name: Pull latest repo changes | |
run: git pull --rebase --autostash | |
- name: Hadolint Action | |
uses: hadolint/hadolint-action@v2.0.0 | |
with: | |
dockerfile: app_purescript/Dockerfile | |
no-fail: true | |
verbose: true | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
password: ${{ secrets.DOCKER_HUB_PAT }} | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
- env: | |
DOCKER_NAME: ${{ secrets.DOCKER_HUB_USERNAME }} | |
name: Build and push | |
uses: docker/build-push-action@v3 | |
with: | |
context: app_purescript | |
push: true | |
tags: ${{ secrets.DOCKER_HUB_USERNAME }}/app_purescript:latest | |
_5_push-to-docker-hub-app_python: | |
name: Push 'app_python' to Docker Hub | |
needs: | |
- _4_app-ci-app_python | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
- name: Pull latest repo changes | |
run: git pull --rebase --autostash | |
- name: Hadolint Action | |
uses: hadolint/hadolint-action@v2.0.0 | |
with: | |
dockerfile: app_python/Dockerfile | |
no-fail: true | |
verbose: true | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Log in to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
password: ${{ secrets.DOCKER_HUB_PAT }} | |
username: ${{ secrets.DOCKER_HUB_USERNAME }} | |
- env: | |
DOCKER_NAME: ${{ secrets.DOCKER_HUB_USERNAME }} | |
name: Build and push | |
uses: docker/build-push-action@v3 | |
with: | |
context: app_python | |
push: true | |
tags: ${{ secrets.DOCKER_HUB_USERNAME }}/app_python:latest | |
name: CI | |
"on": | |
pull_request: {} | |
push: {} | |
schedule: | |
- cron: 0 0 * * * | |
workflow_dispatch: {} |