Skip to content

Update ❄️ flake #88

Update ❄️ flake

Update ❄️ flake #88

Workflow file for this run

# see https://github.com/EdenEast/nyx/blob/718063918f0ffe36ca1e049b222d5a5d3e939025/.github/workflows/pr.yml
name: Build pull request
on:
pull_request:
permissions:
contents: read
pull-requests: write
jobs:
build:
name: Build ${{ matrix.target }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-24.04
target: nixosConfigurations.nixluon.config.system.build.toplevel
steps:
- name: create nix mount point
if: contains(matrix.os, 'ubuntu')
run: sudo mkdir /nix
- name: maximize build space
uses: easimon/maximize-build-space@v10
if: contains(matrix.os, 'ubuntu')
with:
build-mount-path: /nix
overprovision-lvm: true
remove-android: true
remove-codeql: true
remove-docker-images: true
remove-dotnet: true
remove-haskell: true
root-reserve-mb: 512
swap-size-mb: 1024
- name: install nix
uses: cachix/install-nix-action@v30
with:
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ github.token }}
- name: setup cachix
uses: cachix/cachix-action@v15
with:
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
extraPullNames: nix-community
name: viluon
- name: build system
env:
TARGET: "github:${{ github.repository }}/${{ github.ref }}#${{ matrix.target }}"
run: nix build $TARGET --fallback --log-format raw --print-build-logs
- name: garbage-collect build dependencies
run: nix-collect-garbage
- name: fetch old system to profile
env:
TARGET: "github:${{ github.repository }}/${{ github.base_ref }}#${{ matrix.target }}"
run: nix build $TARGET --log-format raw --print-build-logs --profile ./profile
- name: add new system to profile
env:
TARGET: "github:${{ github.repository }}/${{ github.ref }}#${{ matrix.target }}"
run: nix build $TARGET --log-format raw --print-build-logs --profile ./profile
- name: output build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Scan for security issues
id: security
run: | # https://stackoverflow.com/a/74232400
nix run nixpkgs/nixos-unstable#vulnix -- \
--whitelist https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml \
./profile \
| tee /tmp/security.txt
delimiter="$(openssl rand -hex 16)"
echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
cat /tmp/security.txt >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
# if the report has more than 3 lines
if [ $(wc -l < /tmp/security.txt) -gt 3 ]; then
echo "icon=:warning:" >> "${GITHUB_OUTPUT}"
else
echo "icon=:white_check_mark:" >> "${GITHUB_OUTPUT}"
fi
- name: diff profile
id: diff
run: |
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: comment
uses: marocchino/sticky-pull-request-comment@v2
with:
header: ".#${{ matrix.target }}"
message: |
### Diff of `${{ matrix.target }}`
```
${{ steps.diff.outputs.diff }}
```
<details>
<summary> ${{ steps.security.outputs.icon }} Security vulnerability report </summary> <br>
<pre> ${{ steps.security.outputs.security }} </pre>
</details>