diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dd98d0d00f9..9fbd86fefd7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,10 @@
 on:
 workflow_call:
 inputs:
+ flake:
+ required: false
+ default: "."
+ type: string
 system:
 required: true
 type: string
@@ -33,6 +37,10 @@ on:
 required: false
 default: false
 type: boolean
+ upload_artifacts:
+ required: false
+ default: true
+ type: boolean
 secrets:
 manual_netlify_auth_token:
 required: false
@@ -50,9 +58,10 @@ jobs:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/determinate-nix-action@main
 - uses: DeterminateSystems/flakehub-cache-action@main
- - run: nix build .#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
- - run: nix build .#packages.${{ inputs.system }}.binaryTarball --out-link tarball
+ - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
+ - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.binaryTarball --out-link tarball
 - uses: actions/upload-artifact@v4
+ if: inputs.upload_artifacts
 with:
 name: ${{ inputs.system }}
 path: ./tarball/*.xz
@@ -68,7 +77,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/determinate-nix-action@main
 - uses: DeterminateSystems/flakehub-cache-action@main
- - run: nix flake check -L --system ${{ inputs.system }}
+ - run: nix flake check ${{ inputs.flake }} -L --system ${{ inputs.system }}
 vm_tests_smoke:
 if: inputs.run_vm_tests && github.event_name != 'merge_group'
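Review bot: The new `flake` input carries no `description:`, yet its value is spliced verbatim into several shell `run:` lines as `${{ inputs.flake }}#…`, so a caller has nothing telling them it must be a flake reference usable in `<ref>#<attr>` form (`.` or a repo-relative path like `./packaging/secure-packages`), not free text. Suggest adding, under `flake:`, `description: "Flake reference to build and test; used verbatim as <ref>#<attr> in nix commands, so only pass trusted, in-repo refs"`. The `inputs:` mapping continues past the end of the hunk.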
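Review bot: In the `@@ -50,9 +58,10 @@` hunk the first `nix build` still names `.#packages.${{ inputs.system }}.binaryTarball` beside the new `${{ inputs.flake }}#packages.${{ inputs.system }}.default`, so when a caller passes a non-`.` flake that step builds the root flake's tarball while the next `run:` builds a different derivation, `${{ inputs.flake }}#…binaryTarball`, from scratch; change the token to `${{ inputs.flake }}#packages.${{ inputs.system }}.binaryTarball` so both steps target the same flake. As a smaller matter of shape, `${{ inputs.flake }}` is expanded by the runner straight into script text; inputs to a `workflow_call` workflow are set by in-repo callers, so this is not an injection hole today, but the usual hardening is `env: { FLAKE: "${{ inputs.flake }}" }` on the step and `nix build "$FLAKE#packages.${{ inputs.system }}.default" …` in the command. The job these steps belong to starts before the hunk.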
@@ -80,10 +89,10 @@ jobs:
 - uses: DeterminateSystems/flakehub-cache-action@main
 - run: |
 nix build -L \
- .#hydraJobs.tests.functional_user \
- .#hydraJobs.tests.githubFlakes \
- .#hydraJobs.tests.nix-docker \
- .#hydraJobs.tests.tarballFlakes \
+ ${{ inputs.flake }}#hydraJobs.tests.functional_user \
+ ${{ inputs.flake }}#hydraJobs.tests.githubFlakes \
+ ${{ inputs.flake }}#hydraJobs.tests.nix-docker \
+ ${{ inputs.flake }}#hydraJobs.tests.tarballFlakes \
 ;
 vm_tests_all:
@@ -102,7 +111,7 @@ jobs:
 .hydraJobs.tests
 | with_entries(select(.value.type == "derivation"))
 | keys[]
- | ".#hydraJobs.tests." + .')
+ | "${{ inputs.flake }}#hydraJobs.tests." + .')
 }
 if ! cmd; then
@@ -167,7 +176,7 @@ jobs:
 mkdir -p "${NSC_CACHE_PATH}/nix/xdg-cache"
 export XDG_CACHE_HOME="${NSC_CACHE_PATH}/nix/xdg-cache"
 fi
- nix build -L --out-link ./new-nix
+ nix build ${{ inputs.flake }} -L --out-link ./new-nix
 export PATH=$(pwd)/new-nix/bin:$PATH
 [[ $(type -p nix) = $(pwd)/new-nix/bin/nix ]]
@@ -199,7 +208,7 @@ jobs:
 - uses: DeterminateSystems/flakehub-cache-action@main
 - name: Build manual
 if: inputs.system == 'x86_64-linux'
- run: nix build .#hydraJobs.manual
+ run: nix build ${{ inputs.flake }}#hydraJobs.manual
 - uses: nwtgck/actions-netlify@v3.0
 if: inputs.publish_manual && inputs.system == 'x86_64-linux'
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 08000ac4c87..3da383d4c23 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
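Review bot: In the `@@ -102,7 +111,7 @@` hunk the jq filter now prefixes each test name with `${{ inputs.flake }}#hydraJobs.tests.`, but the command producing the JSON it filters is outside the hunk; if that `nix flake show`/`nix eval` still points at `.`, the names are enumerated from the root flake while the builds target `inputs.flake`, so confirm it was switched as well. The value also lands inside a jq double-quoted string inside a shell script, so a flake ref containing `"` would break the filter; passing it through jq's own argument handling, `jq --arg flake "$FLAKE" …` and `| $flake + "#hydraJobs.tests." + .`, avoids both that and the runner expanding the input straight into script text. The shell function this filter sits in (closed by the `}` in the hunk) starts before the hunk.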
@@ -30,6 +30,23 @@ jobs:
 - uses: DeterminateSystems/determinate-nix-action@main
 - run: nix flake show --all-systems --json
+ build_x86_64-linux_secure:
+ uses: ./.github/workflows/build.yml
+ with:
+ flake: ./packaging/secure-packages
+ system: x86_64-linux
+ runner: namespace-profile-linuxamd32c64g-cache
+ runner_for_virt: UbuntuLatest32Cores128G
+ runner_small: ubuntu-latest
+ run_tests: true
+ run_vm_tests: true
+ run_regression_tests: true
+ publish_manual: false
+ upload_artifacts: false
+ secrets:
+ manual_netlify_auth_token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+ manual_netlify_site_id: ${{ secrets.NETLIFY_SITE_ID }}
+
 build_x86_64-linux:
 uses: ./.github/workflows/build.yml
 with:
diff --git a/packaging/secure-packages/flake.lock b/packaging/secure-packages/flake.lock
new file mode 100644
index 00000000000..5452d7d9c5d
--- /dev/null
+++ b/packaging/secure-packages/flake.lock
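Review bot: `build_x86_64-linux_secure` sets `publish_manual: false` and `upload_artifacts: false` but still forwards `NETLIFY_AUTH_TOKEN` and `NETLIFY_SITE_ID`; both are declared `required: false` in build.yml, and as far as the visible build.yml shows the only step gated on `inputs.publish_manual` is the Netlify one, so this check-only job has no use for a deploy credential. Drop the whole `secrets:` block from this job — a job that evaluates a different nixpkgs through a separate lock file and runs VM and regression tests is exactly the one that should run without publish secrets in its environment. A one-line comment above the job would also help: `# Same build/test matrix as build_x86_64-linux, but against packaging/secure-packages; check-only, nothing uploaded or published.`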
@@ -0,0 +1,135 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1748821116, + "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "revCount": 377, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1" + } + }, + "git-hooks-nix": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": [ + "nix" + ], + "nixpkgs": [ + "nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747372754, + "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=", + "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46", + "revCount": 1026, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941" + } + }, + "nix": { + "inputs": { + "flake-parts": "flake-parts", + "git-hooks-nix": "git-hooks-nix", + "nixpkgs": "nixpkgs", + "nixpkgs-23-11": "nixpkgs-23-11", + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "path": "../..", + "type": "path" + }, + "original": { + "path": "../..", + "type": "path" + }, + "parent": [] + }, + "nixpkgs": { + "locked": { + "lastModified": 
1764889441, + "narHash": "sha256-3Q318uVuesbxN5pKuGZGJKqTPsjmEUNSykOT0gOkGyg=", + "rev": "7b9d787db6d7127a4965ebb550516bbf0be418ea", + "revCount": 292, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/secure/0.904649.292/019aeb9e-0f1f-73c8-8181-cf073474d7ce/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/secure/0" + } + }, + "nixpkgs-23-11": { + "locked": { + "lastModified": 1717159533, + "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", + "type": "github" + } + }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "root": { + "inputs": { + "nix": "nix" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/packaging/secure-packages/flake.nix b/packaging/secure-packages/flake.nix new file mode 100644 index 00000000000..87534afcb2b --- /dev/null +++ b/packaging/secure-packages/flake.nix @@ -0,0 +1,6 @@ +{ + inputs.nix.url = "../.."; + inputs.nix.inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0"; + + outputs = { self, nix }: nix; +}
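Review bot: The new flake.nix has no comment saying what it is for, and `outputs = { self, nix }: nix;` hands back the parent flake's entire attribute set as outputs; since that set presumably also carries `inputs`, `outPath`, `sourceInfo` and similar non-output attributes, `nix flake check ./packaging/secure-packages` (which the new CI job runs) may warn about unknown outputs — worth confirming on a local run, and `self` is unused. Note also that only `nixpkgs` is overridden here: the parent's `nixpkgs-23-11` and `nixpkgs-regression` inputs stay on their upstream NixOS pins in the accompanying lock, so anything built from those is not on the "secure" package set. Suggest a header comment: `# Re-exports the top-level Nix flake with its nixpkgs input swapped for DeterminateSystems/secure. Only nixpkgs is overridden; nixpkgs-23-11 and nixpkgs-regression keep the upstream pins.`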