Use Nix tooling in Forgejo actions
parent
91dad67fc2
commit
d7f76d6ab2
3 changed files with 26 additions and 169 deletions
|
|
@ -50,64 +50,28 @@ jobs:
|
||||||
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
||||||
rm -f .repo/src.tgz
|
rm -f .repo/src.tgz
|
||||||
|
|
||||||
- name: Bootstrap Rust + web build tools
|
- name: Check Nix toolchain
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
install -d -m 755 "$HOME/.local/bin"
|
nix develop --accept-flake-config -c cargo --version
|
||||||
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
|
nix develop --accept-flake-config -c rustc --version
|
||||||
export PATH="$HOME/.local/bin:$PATH"
|
nix develop --accept-flake-config -c trunk --version
|
||||||
|
|
||||||
if ! command -v curl >/dev/null 2>&1; then
|
|
||||||
echo "error: curl is required"
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! command -v cargo >/dev/null 2>&1; then
|
|
||||||
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
|
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
elif [[ -f "$HOME/.cargo/env" ]]; then
|
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
|
|
||||||
rustup target add wasm32-unknown-unknown
|
|
||||||
|
|
||||||
if ! command -v trunk >/dev/null 2>&1; then
|
|
||||||
trunk_version="0.21.14"
|
|
||||||
arch="$(uname -m)"
|
|
||||||
case "${arch}" in
|
|
||||||
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
|
|
||||||
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
|
|
||||||
*)
|
|
||||||
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
|
|
||||||
exit 2
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
|
|
||||||
| tar -xz -C "$HOME/.local/bin" trunk
|
|
||||||
fi
|
|
||||||
|
|
||||||
cargo --version
|
|
||||||
rustc --version
|
|
||||||
trunk --version
|
|
||||||
|
|
||||||
- name: ECP lint
|
- name: ECP lint
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
bash ./scripts/ecp-lint.sh
|
nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh
|
||||||
|
|
||||||
- name: Rust tests (core subset)
|
- name: Rust tests (core subset)
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
if [[ -f "$HOME/.cargo/env" ]]; then
|
nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
|
|
||||||
|
|
||||||
- name: Duplicate publisher proof gates
|
- name: Duplicate publisher proof gates
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|
@ -143,8 +107,4 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
if [[ -f "$HOME/.cargo/env" ]]; then
|
nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
cd apps/web
|
|
||||||
env -u NO_COLOR trunk build --release --public-url /
|
|
||||||
|
|
|
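Review bot: Every new `nix develop --accept-flake-config` call in these steps lets the checked-out flake's `nixConfig` take effect without confirmation, and that block can name extra substituters and trusted public keys, to the extent the runner's Nix user is allowed to set them. The workflow triggers are outside the visible hunks, so if this job also runs for pull requests from forks, the flake under test would choose which binary caches the runner trusts. Consider configuring the needed caches on the runner itself and dropping the flag, e.g. `nix develop -c cargo --version`, or limiting the flag to trusted refs. The same flag is used throughout the second workflow file, including the deploy job step that decrypts `CLOUDFLARE_API_TOKEN`, where the exposure matters most.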
||||||
|
|
@ -54,70 +54,35 @@ jobs:
|
||||||
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
||||||
rm -f .repo/src.tgz
|
rm -f .repo/src.tgz
|
||||||
|
|
||||||
- name: Bootstrap Rust + web build tools
|
- name: Check Nix toolchain
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
install -d -m 755 "$HOME/.local/bin"
|
nix develop --accept-flake-config -c cargo --version
|
||||||
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
|
nix develop --accept-flake-config -c rustc --version
|
||||||
export PATH="$HOME/.local/bin:$PATH"
|
nix develop --accept-flake-config -c trunk --version
|
||||||
|
|
||||||
if ! command -v curl >/dev/null 2>&1; then
|
|
||||||
echo "error: curl is required"
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! command -v cargo >/dev/null 2>&1; then
|
|
||||||
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
|
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
elif [[ -f "$HOME/.cargo/env" ]]; then
|
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
rustup target add wasm32-unknown-unknown
|
|
||||||
|
|
||||||
if ! command -v trunk >/dev/null 2>&1; then
|
|
||||||
trunk_version="0.21.14"
|
|
||||||
arch="$(uname -m)"
|
|
||||||
case "${arch}" in
|
|
||||||
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
|
|
||||||
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
|
|
||||||
*)
|
|
||||||
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
|
|
||||||
exit 2
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
|
|
||||||
| tar -xz -C "$HOME/.local/bin" trunk
|
|
||||||
fi
|
|
||||||
|
|
||||||
- name: ECP lint
|
- name: ECP lint
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
bash ./scripts/ecp-lint.sh
|
nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh
|
||||||
|
|
||||||
- name: Rust tests (core subset)
|
- name: Rust tests (core subset)
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
if [[ -f "$HOME/.cargo/env" ]]; then
|
nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
|
|
||||||
|
|
||||||
- name: Build site (web)
|
- name: Build site (web)
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
if [[ -f "$HOME/.cargo/env" ]]; then
|
nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
cd apps/web
|
|
||||||
env -u NO_COLOR trunk build --release --public-url /
|
|
||||||
|
|
||||||
deploy:
|
deploy:
|
||||||
if: ${{ github.server_url != 'https://codeberg.org' }}
|
if: ${{ github.server_url != 'https://codeberg.org' }}
|
||||||
|
|
@ -165,60 +130,15 @@ jobs:
|
||||||
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
tar -xzf .repo/src.tgz -C .repo --strip-components=1
|
||||||
rm -f .repo/src.tgz
|
rm -f .repo/src.tgz
|
||||||
|
|
||||||
- name: Bootstrap runner deps
|
- name: Check Nix deploy toolchain
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
install -d -m 755 "$HOME/.local/bin"
|
nix develop --accept-flake-config -c age --version
|
||||||
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
|
nix develop --accept-flake-config -c node --version
|
||||||
export PATH="$HOME/.local/bin:$PATH"
|
nix develop --accept-flake-config -c npm --version
|
||||||
|
nix develop --accept-flake-config -c wrangler --version
|
||||||
if ! command -v curl >/dev/null 2>&1; then
|
|
||||||
echo "error: curl is required"
|
|
||||||
exit 2
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! command -v age >/dev/null 2>&1; then
|
|
||||||
age_version="1.2.1"
|
|
||||||
arch="$(uname -m)"
|
|
||||||
case "${arch}" in
|
|
||||||
x86_64|amd64) age_arch="amd64" ;;
|
|
||||||
aarch64|arm64) age_arch="arm64" ;;
|
|
||||||
*)
|
|
||||||
echo "error: unsupported runner arch for age prebuilt binary: ${arch}"
|
|
||||||
exit 2
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \
|
|
||||||
| tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen
|
|
||||||
fi
|
|
||||||
|
|
||||||
required_node_major=20
|
|
||||||
node_major=0
|
|
||||||
if command -v node >/dev/null 2>&1; then
|
|
||||||
node_major="$(node -p 'parseInt(process.versions.node.split(\".\")[0], 10)' || echo 0)"
|
|
||||||
fi
|
|
||||||
if [[ "${node_major}" -lt "${required_node_major}" ]]; then
|
|
||||||
node_version="22.16.0"
|
|
||||||
arch="$(uname -m)"
|
|
||||||
case "${arch}" in
|
|
||||||
x86_64|amd64) node_arch="x64" ;;
|
|
||||||
aarch64|arm64) node_arch="arm64" ;;
|
|
||||||
*)
|
|
||||||
echo "error: unsupported runner arch for node prebuilt binary: ${arch}"
|
|
||||||
exit 2
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
node_dist="node-v${node_version}-linux-${node_arch}"
|
|
||||||
curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.gz" | tar -xz -C "$HOME/.local"
|
|
||||||
ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node"
|
|
||||||
ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm"
|
|
||||||
ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx"
|
|
||||||
ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true
|
|
||||||
fi
|
|
||||||
node --version
|
|
||||||
npm --version
|
|
||||||
|
|
||||||
- name: CI Breadcrumb (bootstrap ok)
|
- name: CI Breadcrumb (bootstrap ok)
|
||||||
env:
|
env:
|
||||||
|
|
@ -270,7 +190,7 @@ jobs:
|
||||||
echo "error: missing ${secret_file}"
|
echo "error: missing ${secret_file}"
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
|
CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")"
|
||||||
if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
|
if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
|
||||||
echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
|
echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
|
||||||
exit 2
|
exit 2
|
||||||
|
|
@ -290,32 +210,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
install -d -m 755 "$HOME/.local/bin"
|
nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
|
||||||
export PATH="$HOME/.local/bin:$PATH"
|
|
||||||
if ! command -v cargo >/dev/null 2>&1; then
|
|
||||||
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
|
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
elif [[ -f "$HOME/.cargo/env" ]]; then
|
|
||||||
. "$HOME/.cargo/env"
|
|
||||||
fi
|
|
||||||
rustup target add wasm32-unknown-unknown
|
|
||||||
if ! command -v trunk >/dev/null 2>&1; then
|
|
||||||
trunk_version="0.21.14"
|
|
||||||
arch="$(uname -m)"
|
|
||||||
case "${arch}" in
|
|
||||||
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
|
|
||||||
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
|
|
||||||
*)
|
|
||||||
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
|
|
||||||
exit 2
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
|
|
||||||
| tar -xz -C "$HOME/.local/bin" trunk
|
|
||||||
fi
|
|
||||||
|
|
||||||
cd apps/web
|
|
||||||
trunk build --release --public-url /
|
|
||||||
|
|
||||||
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
||||||
-H "content-type: application/json" \
|
-H "content-type: application/json" \
|
||||||
|
|
@ -329,9 +224,7 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
cd .repo
|
cd .repo
|
||||||
cd deploy/cloudflare-worker
|
nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci && wrangler deploy'
|
||||||
npm ci
|
|
||||||
npx wrangler deploy
|
|
||||||
|
|
||||||
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
|
||||||
-H "content-type: application/json" \
|
-H "content-type: application/json" \
|
||||||
|
|
|
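Review bot: In the hunk at `@ -270,7 +190,7`, the command substitution for `CLOUDFLARE_API_TOKEN` now captures everything the dev shell writes to stdout, not only the output of `age -d`. As far as I know `nix develop -c` still runs the flake's `shellHook`, so a hook that echoes a banner would be embedded in the token, and the `-z` check that follows would still pass. The flake is not visible here, so whether it has such a hook is unknown. I would add a comment above the assignment, `# dev-shell shellHook must write only to stderr: this substitution captures its stdout`, and keep the hook silent on stdout. Separately, the last hunk replaces `npx wrangler deploy` with `wrangler deploy` from the dev shell, so the wrangler version comes from the flake rather than from the package lockfile that `npm ci` installs; worth confirming the two agree.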
||||||
|
|
@ -52,3 +52,7 @@ runner label and ecp-forge runs a persistent `forgejo-runner-agent` service with
|
||||||
tool PATH so the Cloudflare deploy can actually leave the queue on the self-hosted forge. Teardown is
|
tool PATH so the Cloudflare deploy can actually leave the queue on the self-hosted forge. Teardown is
|
||||||
removing the HTML seed/cache/warmup path, returning to live-API-only station rendering, and
|
removing the HTML seed/cache/warmup path, returning to live-API-only station rendering, and
|
||||||
explicitly passing `--passthrough=false` only if an older watcher path is restored.
|
explicitly passing `--passthrough=false` only if an older watcher path is restored.
|
||||||
|
|
||||||
|
Forgejo CI and deploy jobs run inside the repository Nix dev shell instead of downloading generic
|
||||||
|
Linux Rust, Trunk, age, or Node binaries. This keeps self-hosted NixOS runners reproducible and
|
||||||
|
prevents dynamic-linker failures from blocking the Cloudflare asset rollout.
|
||||||
|
|
|
||||||