DGNum/infrastructure
11
6
Fork 2
Code Issues 20 Pull requests 13 Projects 1 Releases Packages Wiki Activity Actions

feat(workflows): Switch to a nix-based definition of workflows
Some checks failed
Build all the nodes / bridge01 (push) Failing after 13s
Details
Build all the nodes / compute01 (push) Failing after 13s
Details
Build all the nodes / geo02 (push) Failing after 12s
Details
Build all the nodes / geo01 (push) Failing after 13s
Details
Build all the nodes / rescue01 (push) Failing after 12s
Details
Build all the nodes / storage01 (push) Failing after 12s
Details
Build all the nodes / web01 (push) Failing after 12s
Details
Build all the nodes / web02 (push) Failing after 12s
Details
Build all the nodes / vault01 (push) Failing after 12s
Details
Check workflows / check_workflows (push) Failing after 32s
Details
Build all the nodes / web03 (push) Failing after 12s
Details
Run pre-commit on all files / check (push) Successful in 22s
Details

Browse source
This commit is contained in:
Tom Hubrecht 2024-11-11 17:52:23 +01:00
parent d8f90dd940
commit 5f1436e4bf
Signed by: thubrecht
SSH key fingerprint: SHA256:r+nK/SIcWlJ0zFZJGHtlAoRwq1Rm+WcKAm5ADYMoQPc
16 changed files with 351 additions and 315 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.envrc
View file

@ -1 +1,2 @@
watch_file workflows/*
use nix use nix

38
.forgejo/workflows/check-meta.yaml
View file

@ -1,25 +1,21 @@
name: Check meta
on:
pull_request:
branches:
- main
push:
paths:
- 'meta/*'
jobs: jobs:
check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
check_dns: check_dns:
runs-on: nix runs-on: nix
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Check the validity of the DNS configuration
- name: Check the validity of the DNS configuration run: nix-build meta/verify.nix -A dns --no-out-link
run: nix-build meta/verify.nix -A dns --no-out-link check_meta:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check the validity of meta options
run: nix-build meta/verify.nix -A meta
name: Check meta
'on':
pull_request:
branches:
- main
push:
paths:
- meta/*

15
.forgejo/workflows/check-workflows.yaml Normal file
View file

@ -0,0 +1,15 @@
jobs:
check_workflows:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Check that the workflows are up to date
run: nix-shell --run '[ $(git status --porcelain) -eq 0 ]'
name: Check workflows
'on':
pull_request:
branches:
- main
push:
paths:
- workflows/*

56
.forgejo/workflows/ds-fr.yaml
View file

@ -1,56 +0,0 @@
name: ds-fr update
on:
schedule:
- cron: "26 18 * * wed"
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update DS and open PR if necessary
run: |
# Fetch the latest release tag
VERSION=$(curl -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
| jq -r '.tag_name')
# Move to the ds-fr directory
cd machines/compute01/ds-fr/package
# Run the update script
./update.sh -v "$VERSION"
if [ ! -z "$(git diff --name-only)" ]; then
echo "[+] Changes detected, pushing updates."
git switch -C ds-update
git add .
git config user.name "DGNum Chores"
git config user.email "tech@dgnum.eu"
git commit --message "chore(ds-fr): Update"
git push --set-upstream origin ds-update --force
# Connect to the server with the cli
tea login add \
-n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-u https://git.dgnum.eu
# Create a pull request if needed
# i.e. no PR with the same title exists
if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
tea pr create \
--description "Automatic ds-fr update" \
--title "chore(ds-fr): Update" \
--head ds-update
fi
fi

119
.forgejo/workflows/eval-nodes.yaml Normal file
View file

@ -0,0 +1,119 @@
jobs:
bridge01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: bridge01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache bridge01
run: nix-shell --run cache-node
compute01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: compute01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache compute01
run: nix-shell --run cache-node
geo01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: geo01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo01
run: nix-shell --run cache-node
geo02:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: geo02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache geo02
run: nix-shell --run cache-node
rescue01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: rescue01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache rescue01
run: nix-shell --run cache-node
storage01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: storage01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache storage01
run: nix-shell --run cache-node
vault01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: vault01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache vault01
run: nix-shell --run cache-node
web01:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: web01
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web01
run: nix-shell --run cache-node
web02:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: web02
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web02
run: nix-shell --run cache-node
web03:
runs-on: nix
steps:
- uses: actions/checkous@v3
- env:
BUILD_NODE: web03
STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
STORE_USER: admin
name: Build and cache web03
run: nix-shell --run cache-node
name: Build all the nodes
'on':
pull_request:
branches:
- main
push:
branches:
- main

200
.forgejo/workflows/eval.yaml
View file

@ -1,200 +0,0 @@
name: build configuration
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- main
push:
branches:
- main
jobs:
build_and_cache_compute01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "compute01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_compute01
path: paths.txt
build_and_cache_storage01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "storage01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_storage01
path: paths.txt
build_and_cache_rescue01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "rescue01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_rescue01
path: paths.txt
build_and_cache_geo01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo01
path: paths.txt
build_and_cache_geo02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "geo02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_geo02
path: paths.txt
build_and_cache_vault01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "vault01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_vault01
path: paths.txt
build_and_cache_web01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web01
path: paths.txt
build_and_cache_web02:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web02"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_web03:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "web03"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt
build_and_cache_bridge01:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Build and cache the node
run: nix-shell --run cache-node
env:
STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
STORE_USER: "admin"
STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
BUILD_NODE: "bridge01"
- uses: actions/upload-artifact@v3
if: always()
with:
name: outputs_web02
path: paths.txt

11
.forgejo/workflows/lint.yaml
View file

@ -1,11 +0,0 @@
name: lint
on: [push, pull_request]
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

25
.forgejo/workflows/npins-update.yaml Normal file
View file

@ -0,0 +1,25 @@
jobs:
npins_update:
runs-on: nix
steps:
- uses: actions/checkout@v3
with:
depth: 0
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
- name: Update dependencies and open PR if necessary
run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n echo\
\ \"[+] Changes detected, pushing updates.\"\n\n git switch -C npins-update\n\
\n git add npins\n\n git config user.name \"DGNum Chores\"\n git config\
\ user.email \"tech@dgnum.eu\"\n\n git commit --message \"chore(npins): Update\"\
\n git push --set-upstream origin npins-update --force\n\n # Connect to\
\ the server with the cli\n tea login add \\\n -n dgnum-chores \\\n \
\ -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n -u https://git.dgnum.eu\n\
\n # Create a pull request if needed\n # i.e. no PR with the same title\
\ exists\n if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):\
\ Update dgnum-chores')\" ]; then\n tea pr create \\\n --description\
\ \"Automatic npins update\" \\\n --title \"chore(npins): Update\" \\\
\n --head npins-update\n fi\nfi\n"
name: npins update
'on':
schedule:
- cron: 25 15 * * *

12
.forgejo/workflows/pre-commit.yaml Normal file
View file

@ -0,0 +1,12 @@
jobs:
check:
runs-on: nix
steps:
- uses: actions/checkout@v3
- name: Run pre-commit on all files
run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'
-A shells.pre-commit ./.
name: Run pre-commit on all files
'on':
- push
- pull_request

24
default.nix
View file

@ -41,7 +41,14 @@
}: }:
let let
git-checks = (import (builtins.storePath sources.git-hooks)).run { inherit (pkgs.lib)
isFunction
mapAttrs'
nameValuePair
removeSuffix
;
git-checks = (import sources.git-hooks).run {
src = ./.; src = ./.;
hooks = { hooks = {
@ -67,6 +74,20 @@ let
commitizen.enable = true; commitizen.enable = true;
}; };
}; };
workflows = (import sources.nix-actions { inherit pkgs; }).install {
src = ./.;
workflows = mapAttrs' (
name: _:
nameValuePair (removeSuffix ".nix" name) (
let
w = import ./workflows/${name};
in
if isFunction w then w { inherit (pkgs) lib; } else w
)
) (builtins.readDir ./workflows);
};
in in
{ {
@ -97,6 +118,7 @@ in
shellHook = '' shellHook = ''
${git-checks.shellHook} ${git-checks.shellHook}
${workflows.shellHook}
''; '';
preferLocalBuild = true; preferLocalBuild = true;

14
npins/sources.json
View file

@ -194,6 +194,20 @@
"url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz", "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
"hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy" "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
}, },
"nix-actions": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://git.dgnum.eu/DGNum/nix-actions.git"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v0.2.1",
"revision": "36a74f5ff6d8cb07c5e198baec715fc27a795f8a",
"url": null,
"hash": "10dc607x3yy1k10nzfgij3qjn6v585yj5dnmnk71zsbmczvx52yb"
},
"nix-modules": { "nix-modules": {
"type": "Git", "type": "Git",
"repository": { "repository": {

31
workflows/check-meta.nix Normal file
View file

@ -0,0 +1,31 @@
{
name = "Check meta";
on = {
pull_request.branches = [ "main" ];
push.paths = [ "meta/*" ];
};
jobs = {
check_meta = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check the validity of meta options";
run = "nix-build meta/verify.nix -A meta";
}
];
};
check_dns = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check the validity of the DNS configuration";
run = "nix-build meta/verify.nix -A dns --no-out-link";
}
];
};
};
}

20
workflows/check-workflows.nix Normal file
View file

@ -0,0 +1,20 @@
{
name = "Check workflows";
on = {
pull_request.branches = [ "main" ];
push.paths = [ "workflows/*" ];
};
jobs = {
check_workflows = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Check that the workflows are up to date";
run = "nix-shell --run '[ $(git status --porcelain) -eq 0 ]'";
}
];
};
};
}

32
workflows/eval-nodes.nix Normal file
View file

@ -0,0 +1,32 @@
{ lib }:
let
inherit (lib) attrNames genAttrs;
nodes = attrNames (builtins.readDir ../machines);
in
{
name = "Build all the nodes";
on = {
pull_request.branches = [ "main" ];
push.branches = [ "main" ];
};
jobs = genAttrs nodes (node: {
runs-on = "nix";
steps = [
{ uses = "actions/checkous@v3"; }
{
name = "Build and cache ${node}";
run = "nix-shell --run cache-node";
env = {
STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
STORE_USER = "admin";
STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
BUILD_NODE = node;
};
}
];
});
}

50
.forgejo/workflows/npins.yaml → workflows/npins-update.nix
View file

@ -1,31 +1,24 @@
name: npins update {
on: name = "npins update";
schedule: on.schedule = [
# Run at 11 o'clock every wednesday # Run at 11 o'clock every wednesday
- cron: "25 15 * * *" { cron = "25 15 * * *"; }
];
jobs: jobs.npins_update = {
npins_update: runs-on = "nix";
runs-on: nix steps = [
steps: {
# - name: Install applications uses = "actions/checkout@v3";
# run: apt-get update && apt-get install sudo "with" = {
# depth = 0;
- uses: actions/checkout@v3 token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
with: };
depth: 0 }
token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
#
# - uses: https://github.com/cachix/install-nix-action@v22
# with:
# nix_path: nixpkgs=channel:nixos-unstable
# - name: Install tea {
# run: | name = "Update dependencies and open PR if necessary";
# nix-env -f '<nixpkgs>' -i tea run = ''
- name: Update dependencies and open PR if necessary
run: |
npins update npins update
if [ ! -z "$(git diff --name-only)" ]; then if [ ! -z "$(git diff --name-only)" ]; then
@ -44,7 +37,7 @@ jobs:
# Connect to the server with the cli # Connect to the server with the cli
tea login add \ tea login add \
-n dgnum-chores \ -n dgnum-chores \
-t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \ -t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
-u https://git.dgnum.eu -u https://git.dgnum.eu
# Create a pull request if needed # Create a pull request if needed
@ -56,3 +49,8 @@ jobs:
--head npins-update --head npins-update
fi fi
fi fi
'';
}
];
};
}

18
workflows/pre-commit.nix Normal file
View file

@ -0,0 +1,18 @@
{
name = "Run pre-commit on all files";
on = [
"push"
"pull_request"
];
jobs.check = {
runs-on = "nix";
steps = [
{ uses = "actions/checkout@v3"; }
{
name = "Run pre-commit on all files";
run = "nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.";
}
];
};
}