Lock file maintenance #17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request | |
| on: | |
| pull_request: | |
| permissions: | |
| pull-requests: write | |
| jobs: | |
| build: | |
| if: github.event.pull_request.draft == false | |
| name: "Build ${{ matrix.target }}" | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: macos-latest | |
| target: elmira | |
| - os: ubuntu-latest | |
| target: marlon | |
| - os: ubuntu-latest | |
| target: roland | |
| - os: ubuntu-latest | |
| target: vic | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install nix | |
| uses: cachix/install-nix-action@v27 | |
| with: | |
| extra_nix_config: | | |
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | |
| - uses: cachix/cachix-action@v15 | |
| with: | |
| name: tuckershea | |
| skipPush: true | |
| extraPullNames: nix-community | |
| - name: Build pr target | |
| env: | |
| TARGET: ".#top.${{ matrix.target }}" | |
| run: | | |
| set -o pipefail | |
| nix build $TARGET --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-pr-build.log >&2) | |
| - name: Output build failure | |
| if: failure() | |
| run: | | |
| drv=$(grep "For full logs, run" /tmp/nix-pr-build.log | grep -oE "/nix/store/.*.drv") | |
| nix log $drv | |
| echo $drv | |
| exit 1 | |
| - name: Fetch current main and build it in a profile | |
| env: | |
| TARGET: "github:tuckershea/constellation#top.${{ matrix.target }}" | |
| run: nix build $TARGET -v --log-format raw --profile ./profile | |
| - name: Apply pr to profile | |
| env: | |
| TARGET: ".#top.${{ matrix.target }}" | |
| run: nix build $TARGET -v --log-format raw --profile ./profile | |
| - name: Diff profile | |
| id: diff | |
| run: | | |
| diff="$(nix profile diff-closures --profile ./profile)" | |
| echo "$diff" | |
| diff="$(echo "$diff" | sed 's/\x1b\[[0-9;]*m//g')" | |
| diff="${diff//'%'/'%25'}" | |
| diff="${diff//$'\n'/'%0A'}" | |
| diff="${diff//$'\r'/'%0D'}" | |
| echo "::set-output name=diff::$diff" | |
| - name: Scan for security issues | |
| id: security | |
| run: | | |
| nix run nixpkgs#vulnix -- -w https://raw.githubusercontent.com/tuckershea/vulnix-whitelist/main/whitelist.toml ./profile | tee /tmp/security.txt | |
| OUTPUT_SECURITY="$(cat /tmp/security.txt)" | |
| OUTPUT_SECURITY="${OUTPUT_SECURITY//'%'/'%25'}" | |
| OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\n'/'%0A'}" | |
| OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\r'/'%0D'}" | |
| echo "$OUTPUT_SECURITY" | |
| echo "::set-output name=security::$OUTPUT_SECURITY" | |
| - name: Comment report in pr | |
| uses: marocchino/sticky-pull-request-comment@v2 | |
| with: | |
| header: ".#top.${{ matrix.target }}" | |
| message: | | |
| ### Report for `${{ matrix.target }}` | |
| Version changes: | |
| ``` | |
| ${{ steps.diff.outputs.diff }} | |
| ``` | |
| <details> | |
| <summary> | |
| Security vulnerability report | |
| </summary> | |
| <br> | |
| <pre> | |
| ${{ steps.security.outputs.security }} | |
| </pre> | |
| </details> | |
| # Reference | |
| # https://github.com/arianvp/nixos-stuff/blob/adec9e6/.github/workflows/pr.yml | |
| # https://github.com/sandhose/nixconf/blob/055de30/.github/workflows/check-pr.yaml | |
| # https://github.com/EdenEast/nyx/blob/7786a66554c5b8a888ca4b9b5c33129f06062eb7/.github/workflows/pr.yml |