Skip to content

Commit

Permalink
chore: simplify CI and remove need for secrets
Browse files Browse the repository at this point in the history
  • Loading branch information
@dbarrosop
dbarrosop committed Aug 29, 2024
1 parent 36837b1 commit cbf212b
Show file tree
Hide file tree
Showing 4 changed files with 36 additions and 233 deletions.
40 changes: 1 addition & 39 deletions .github/workflows/checks.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,60 +1,22 @@
---
name: "check and build"
on:
pull_request_target:
pull_request:
push:
branches:
- main

jobs:
check-permissions:
runs-on: ubuntu-latest
steps:
- run: |
echo "github.event_name: ${{ github.event_name }}"
echo "github.event.pull_request.author_association: ${{ github.event.pull_request.author_association }}"
- name: "This task will run and fail if user has no permissions and label safe_to_test isn't pressent"
if: "github.event_name == 'pull_request_target' && ! ( contains(github.event.pull_request.labels.*.name, 'safe_to_test') || contains(fromJson('[\"OWNER\", \"MEMBER\", \"COLLABORATOR\"]'), github.event.pull_request.author_association) )"
run: |
exit 1
tests:
uses: ./.github/workflows/wf_check.yaml
needs:
- check-permissions
with:
NAME: hasura-auth
GIT_REF: ${{ github.event.pull_request.head.sha }}
secrets:
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}

build_artifacts:
uses: ./.github/workflows/wf_build_artifacts.yaml
needs:
- check-permissions
with:
NAME: hasura-auth
VERSION: 0.0.0-dev # hardcoded to avoid rebuilding
DOCKER: true
GIT_REF: ${{ github.event.pull_request.head.sha }}
secrets:
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
SSH_PRIVATE_KEY: ${{ secrets.NIX_REMOTE_BUILD_ARM_SSH_KEY }}
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }}
NIX_REMOTE_BUILDER_SUBNET_ID: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }}

remove_label:
runs-on: ubuntu-latest
needs:
- check-permissions
steps:
- uses: actions/checkout@v4
- uses: actions-ecosystem/action-remove-labels@v1
with:
labels: |
safe_to_test
if: contains(github.event.pull_request.labels.*.name, 'safe_to_test')
12 changes: 0 additions & 12 deletions .github/workflows/release.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,25 +9,13 @@ jobs:
uses: ./.github/workflows/wf_check.yaml
with:
NAME: hasura-auth
secrets:
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}


build_artifacts:
uses: ./.github/workflows/wf_build_artifacts.yaml
with:
NAME: hasura-auth
VERSION: ${{ github.ref_name }}
DOCKER: true
secrets:
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
SSH_PRIVATE_KEY: ${{ secrets.NIX_REMOTE_BUILD_ARM_SSH_KEY }}
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
NIX_REMOTE_BUILDER_SECURITY_GROUP_ID: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }}
NIX_REMOTE_BUILDER_SUBNET_ID: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }}

push_docker_image:
uses: ./.github/workflows/wf_docker_push_image.yaml
Expand Down
145 changes: 19 additions & 126 deletions .github/workflows/wf_build_artifacts.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,177 +18,70 @@ on:
DOCKER:
type: boolean
required: true
secrets:
AWS_ACCOUNT_ID:
required: true
SSH_PRIVATE_KEY:
required: true
NIX_CACHE_PUB_KEY:
required: true
NIX_CACHE_PRIV_KEY:
required: true
NIX_REMOTE_BUILDER_SECURITY_GROUP_ID:
required: true
NIX_REMOTE_BUILDER_SUBNET_ID:
required: true

jobs:
artifacts:
runs-on: ubuntu-latest
timeout-minutes: 180

# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: write

strategy:
matrix:
platform: ["x86_64", "aarch64"]
os: [ubuntu-22.04, ubuntu-arm64-22.04-2cores]
fail-fast: true

runs-on: ${{ matrix.os }}
timeout-minutes: 180

steps:
- name: "Check out repository"
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ inputs.GIT_REF }}

- name: Configure aws
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
aws-region: eu-central-1

- uses: nixbuild/nix-quick-install-action@v28
- uses: cachix/install-nix-action@v27
with:
nix_version: 2.20.5
nix_conf: |
install_url: "https://releases.nixos.org/nix/nix-2.20.5/install"
install_options: "--no-daemon"
extra_nix_config: |
experimental-features = nix-command flakes
sandbox = false
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
builders-use-substitutes = true
substituters = https://cache.nixos.org/?priority=40
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
- uses: DeterminateSystems/magic-nix-cache-action@main
with:
diagnostic-endpoint: ""

- name: Compute common env vars
id: vars
run: |
echo "VERSION=$(make get-version VER=${{ inputs.VERSION }})" >> $GITHUB_OUTPUT
- name: "Verify if we need to build"
id: verify-build
run: |
export build_dry_run_output=$(make build-dry-run ARCH=${{ matrix.platform }})
export drvPath=$(echo "$build_dry_run_output" | grep -oE '"out":.*"' | awk -F\" '{ print $4 }')
nix store verify --store s3://nhost-nix-cache?region=eu-central-1 $drvPath \
&& export BUILD_NEEDED=no \
|| export BUILD_NEEDED=yes
echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT
- name: "Setup nix-remote-builder"
uses: dbarrosop/nix-remote-builder-aws@v0.5.0
id: nix-remote-builder
with:
name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }}
ami: " ami-034dac72b37504107"
instance-type: 't4g.xlarge'
region: "eu-central-1"
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
security-group-id: ${{ secrets.NIX_REMOTE_BUILDER_SECURITY_GROUP_ID }}
subnet-id: ${{ secrets.NIX_REMOTE_BUILDER_SUBNET_ID }}
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}

- name: "Setup nix-remote-builder in nix.conf"
run: |
echo "builders = ssh://ec2-user@${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}

- name: Cache nix store
uses: actions/cache@v4
with:
path: |
/nix/store/**
/nix/var/nix/*/*
/nix/var/nix/db/*
/nix/var/nix/db/*/**
!/nix/var/nix/daemon-socket/socket
!/nix/var/nix/userpool/*
!/nix/var/nix/gc.lock
!/nix/var/nix/db/big-lock
!/nix/var/nix/db/reserved
key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock') }}
restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main
if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}

- uses: docker/setup-qemu-action@v3
if: ${{ ( matrix.platform == 'aarch64' ) }}

- name: "Wait for remote builder to be ready"
run: |
set +e
max_attempts=6
retry_interval=10
attempt=1
while [ "$attempt" -le "$max_attempts" ]; do
echo "Checking SSH connection (attempt $attempt)..."
nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22
if [ $? -eq 0 ]; then
echo "success"
break
else
echo "SSH connection failed."
if [ "$attempt" -lt "$max_attempts" ]; then
echo "Retrying in $retry_interval seconds..."
sleep "$retry_interval"
else
echo "Exceeded maximum connection attempts."
exit 1
fi
fi
((attempt++))
done
if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}

- name: "Build artifact"
run: |
nix build .\#packages.${{ matrix.platform }}-linux.hasura-auth
make build
zip -r result.zip result
- name: "Push artifact to artifact repository"
uses: actions/upload-artifact@v4
with:
name: ${{ inputs.NAME }}-artifact-${{ matrix.platform }}-${{ steps.vars.outputs.VERSION }}
name: ${{ inputs.NAME }}-artifact-${{ matrix.os }}-${{ steps.vars.outputs.VERSION }}
path: result/bin/hasura-auth
retention-days: 7

- name: "Build docker image"
run: |
make build-docker-image ARCH=${{ matrix.platform }}
nix build .\#packages.${{ matrix.platform }}-linux.docker-image
make build-docker-image
if: ${{ ( inputs.DOCKER ) }}

- name: "Push docker image to artifact repository"
uses: actions/upload-artifact@v4
with:
name: ${{ inputs.NAME }}-docker-image-${{ matrix.platform }}-${{ steps.vars.outputs.VERSION }}
name: ${{ inputs.NAME }}-docker-image-${{ matrix.os }}-${{ steps.vars.outputs.VERSION }}
path: result
retention-days: 7
if: ${{ ( inputs.DOCKER ) }}

- name: "Cache nix store on s3"
run: |
echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem
nix store sign --key-file cache-priv-key.pem --all
find /nix/store -maxdepth 1 -name "*-*" -type d | grep -v source | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1
if: always()

- name: "Cache nix store on s3 (docker-image)"
run: |
echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem
nix store sign --key-file cache-priv-key.pem --all
nix copy --to s3://nhost-nix-cache\?region=eu-central-1 .\#packages.${{ matrix.platform }}-linux.docker-image
if: ${{ ( inputs.DOCKER ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}

- run: rm cache-priv-key.pem || echo "file not found"
if: always()
Loading

0 comments on commit cbf212b

Please sign in to comment.