Use Nix tooling in Forgejo actions

This commit is contained in:
Conrad Kramer 2026-06-10 03:35:53 -07:00
parent 91dad67fc2
commit d7f76d6ab2
No known key found for this signature in database
3 changed files with 26 additions and 169 deletions


@ -50,64 +50,28 @@ jobs:
tar -xzf .repo/src.tgz -C .repo --strip-components=1 tar -xzf .repo/src.tgz -C .repo --strip-components=1
rm -f .repo/src.tgz rm -f .repo/src.tgz
- name: Bootstrap Rust + web build tools - name: Check Nix toolchain
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
install -d -m 755 "$HOME/.local/bin" nix develop --accept-flake-config -c cargo --version
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV" nix develop --accept-flake-config -c rustc --version
export PATH="$HOME/.local/bin:$PATH" nix develop --accept-flake-config -c trunk --version
if ! command -v curl >/dev/null 2>&1; then
echo "error: curl is required"
exit 2
fi
if ! command -v cargo >/dev/null 2>&1; then
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"
elif [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
rustup target add wasm32-unknown-unknown
if ! command -v trunk >/dev/null 2>&1; then
trunk_version="0.21.14"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
*)
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" trunk
fi
cargo --version
rustc --version
trunk --version
- name: ECP lint - name: ECP lint
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
bash ./scripts/ecp-lint.sh nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh
- name: Rust tests (core subset) - name: Rust tests (core subset)
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
. "$HOME/.cargo/env"
fi
cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
- name: Duplicate publisher proof gates - name: Duplicate publisher proof gates
shell: bash shell: bash
@ -143,8 +107,4 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
. "$HOME/.cargo/env"
fi
cd apps/web
env -u NO_COLOR trunk build --release --public-url /
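Review bot: Every new step in the first hunk runs `nix develop --accept-flake-config`, which applies the repository flake's `nixConfig` (extra substituters and their trusted public keys, if the flake declares any) on the self-hosted runner without confirmation, so a commit that edits `flake.nix` can change where the cargo/rustc/trunk binaries are fetched from; whether that takes effect depends on the runner user being a Nix trusted user, which is not visible here. The safer shape is to declare the caches in the runner's `nix.conf` and drop the flag, or at minimum keep the flag but add `--no-update-lock-file` so a stale `flake.lock` makes the job fail instead of being silently re-resolved against current upstreams, which is the reproducibility the change is after. The toolchain check also evaluates the flake three times; one invocation does the same work: `nix develop --accept-flake-config --no-update-lock-file -c bash -c 'cargo --version && rustc --version && trunk --version'`. The removed `rustup target add wasm32-unknown-unknown` has no visible replacement, so the dev shell presumably provides the wasm target for `trunk build`; worth a one-line comment on the step saying so.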


@ -54,70 +54,35 @@ jobs:
tar -xzf .repo/src.tgz -C .repo --strip-components=1 tar -xzf .repo/src.tgz -C .repo --strip-components=1
rm -f .repo/src.tgz rm -f .repo/src.tgz
- name: Bootstrap Rust + web build tools - name: Check Nix toolchain
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
install -d -m 755 "$HOME/.local/bin" nix develop --accept-flake-config -c cargo --version
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV" nix develop --accept-flake-config -c rustc --version
export PATH="$HOME/.local/bin:$PATH" nix develop --accept-flake-config -c trunk --version
if ! command -v curl >/dev/null 2>&1; then
echo "error: curl is required"
exit 2
fi
if ! command -v cargo >/dev/null 2>&1; then
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"
elif [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
rustup target add wasm32-unknown-unknown
if ! command -v trunk >/dev/null 2>&1; then
trunk_version="0.21.14"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
*)
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" trunk
fi
- name: ECP lint - name: ECP lint
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
bash ./scripts/ecp-lint.sh nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh
- name: Rust tests (core subset) - name: Rust tests (core subset)
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
. "$HOME/.cargo/env"
fi
cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
- name: Build site (web) - name: Build site (web)
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
. "$HOME/.cargo/env"
fi
cd apps/web
env -u NO_COLOR trunk build --release --public-url /
deploy: deploy:
if: ${{ github.server_url != 'https://codeberg.org' }} if: ${{ github.server_url != 'https://codeberg.org' }}
@ -165,60 +130,15 @@ jobs:
tar -xzf .repo/src.tgz -C .repo --strip-components=1 tar -xzf .repo/src.tgz -C .repo --strip-components=1
rm -f .repo/src.tgz rm -f .repo/src.tgz
- name: Bootstrap runner deps - name: Check Nix deploy toolchain
shell: bash shell: bash
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
install -d -m 755 "$HOME/.local/bin" nix develop --accept-flake-config -c age --version
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV" nix develop --accept-flake-config -c node --version
export PATH="$HOME/.local/bin:$PATH" nix develop --accept-flake-config -c npm --version
nix develop --accept-flake-config -c wrangler --version
if ! command -v curl >/dev/null 2>&1; then
echo "error: curl is required"
exit 2
fi
if ! command -v age >/dev/null 2>&1; then
age_version="1.2.1"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) age_arch="amd64" ;;
aarch64|arm64) age_arch="arm64" ;;
*)
echo "error: unsupported runner arch for age prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen
fi
required_node_major=20
node_major=0
if command -v node >/dev/null 2>&1; then
node_major="$(node -p 'parseInt(process.versions.node.split(\".\")[0], 10)' || echo 0)"
fi
if [[ "${node_major}" -lt "${required_node_major}" ]]; then
node_version="22.16.0"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) node_arch="x64" ;;
aarch64|arm64) node_arch="arm64" ;;
*)
echo "error: unsupported runner arch for node prebuilt binary: ${arch}"
exit 2
;;
esac
node_dist="node-v${node_version}-linux-${node_arch}"
curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.gz" | tar -xz -C "$HOME/.local"
ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node"
ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm"
ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx"
ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true
fi
node --version
npm --version
- name: CI Breadcrumb (bootstrap ok) - name: CI Breadcrumb (bootstrap ok)
env: env:
@ -270,7 +190,7 @@ jobs:
echo "error: missing ${secret_file}" echo "error: missing ${secret_file}"
exit 2 exit 2
fi fi
CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")" CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")"
if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
echo "error: decrypted CLOUDFLARE_API_TOKEN is empty" echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
exit 2 exit 2
@ -290,32 +210,7 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
install -d -m 755 "$HOME/.local/bin" nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
export PATH="$HOME/.local/bin:$PATH"
if ! command -v cargo >/dev/null 2>&1; then
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"
elif [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
rustup target add wasm32-unknown-unknown
if ! command -v trunk >/dev/null 2>&1; then
trunk_version="0.21.14"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
*)
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" trunk
fi
cd apps/web
trunk build --release --public-url /
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \ curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
-H "content-type: application/json" \ -H "content-type: application/json" \
@ -329,9 +224,7 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
cd .repo cd .repo
cd deploy/cloudflare-worker nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci && wrangler deploy'
npm ci
npx wrangler deploy
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \ curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
-H "content-type: application/json" \ -H "content-type: application/json" \


@ -52,3 +52,7 @@ runner label and ecp-forge runs a persistent `forgejo-runner-agent` service with
tool PATH so the Cloudflare deploy can actually leave the queue on the self-hosted forge. Teardown is tool PATH so the Cloudflare deploy can actually leave the queue on the self-hosted forge. Teardown is
removing the HTML seed/cache/warmup path, returning to live-API-only station rendering, and removing the HTML seed/cache/warmup path, returning to live-API-only station rendering, and
explicitly passing `--passthrough=false` only if an older watcher path is restored. explicitly passing `--passthrough=false` only if an older watcher path is restored.
Forgejo CI and deploy jobs run inside the repository Nix dev shell instead of downloading generic
Linux Rust, Trunk, age, or Node binaries. This keeps self-hosted NixOS runners reproducible and
prevents dynamic-linker failures from blocking the Cloudflare asset rollout.