-
Notifications
You must be signed in to change notification settings - Fork 1
126 lines (106 loc) · 4.05 KB
/
pr-check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# see https://github.com/EdenEast/nyx/blob/718063918f0ffe36ca1e049b222d5a5d3e939025/.github/workflows/pr.yml
name: Build pull request
on:
pull_request:
permissions:
contents: read
pull-requests: write
jobs:
build:
name: Build ${{ matrix.target }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-24.04
target: nixosConfigurations.nixluon.config.system.build.toplevel
steps:
- name: create nix mount point
if: contains(matrix.os, 'ubuntu')
run: sudo mkdir /nix
- name: maximize build space
uses: easimon/maximize-build-space@v10
if: contains(matrix.os, 'ubuntu')
with:
build-mount-path: /nix
overprovision-lvm: true
remove-android: true
remove-codeql: true
remove-docker-images: true
remove-dotnet: true
remove-haskell: true
root-reserve-mb: 512
swap-size-mb: 1024
- name: install nix
uses: cachix/install-nix-action@v30
with:
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ github.token }}
- name: setup cachix
uses: cachix/cachix-action@v15
with:
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
extraPullNames: nix-community
name: viluon
- name: build system
env:
TARGET: "github:${{ github.repository }}/${{ github.ref }}#${{ matrix.target }}"
run: nix build $TARGET --fallback --log-format raw --print-build-logs
- name: garbage-collect build dependencies
run: nix-collect-garbage
- name: fetch old system to profile
env:
TARGET: "github:${{ github.repository }}/${{ github.base_ref }}#${{ matrix.target }}"
run: nix build $TARGET --log-format raw --print-build-logs --profile ./profile
- name: add new system to profile
env:
TARGET: "github:${{ github.repository }}/${{ github.ref }}#${{ matrix.target }}"
run: nix build $TARGET --log-format raw --print-build-logs --profile ./profile
- name: output build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Scan for security issues
id: security
run: | # https://stackoverflow.com/a/74232400
nix run nixpkgs/nixos-unstable#vulnix -- \
--whitelist https://raw.githubusercontent.com/ckauhaus/nixos-vulnerability-roundup/master/whitelists/nixos-unstable.toml \
./profile \
| tee /tmp/security.txt
delimiter="$(openssl rand -hex 16)"
echo "security<<${delimiter}" >> "${GITHUB_OUTPUT}"
cat /tmp/security.txt >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
# if the report has more than 3 lines
if [ $(wc -l < /tmp/security.txt) -gt 3 ]; then
echo "icon=:warning:" >> "${GITHUB_OUTPUT}"
else
echo "icon=:white_check_mark:" >> "${GITHUB_OUTPUT}"
fi
- name: diff profile
id: diff
run: |
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
- name: comment
uses: marocchino/sticky-pull-request-comment@v2
with:
header: ".#${{ matrix.target }}"
message: |
### Diff of `${{ matrix.target }}`
```
${{ steps.diff.outputs.diff }}
```
<details>
<summary> ${{ steps.security.outputs.icon }} Security vulnerability report </summary> <br>
<pre> ${{ steps.security.outputs.security }} </pre>
</details>