From bf1338907c7a921ef969d67e5ebd0c59e38f1584 Mon Sep 17 00:00:00 2001
From: Jonas Chevalier
Date: Wed, 10 Feb 2021 12:25:01 +0000
Subject: [PATCH] ci: add GitHub Actions cron (#16)
* ci: add dependabot
* ci: revamp logic Merge username and password as a single auth token. It doesn't make sense to split out the user and password since they are so tied together. Might as well treat the whole think as a secret blob. Remove Travis-CI. Travis is dead for OSS. Add GitHub Actions cron. Remove cachix as it's pushing too much stuff. Merge all of the CI logic into a single ci.sh script.
---
 .github/dependabot.yml | 6 +++++
 .github/workflows/nix.yml | 19 ++++++++-------
 .gitlab-ci.sh | 26 --------------------
 .gitlab-ci.yml | 6 ++---
 .travis.sh | 28 ----------------------
 .travis.yml | 15 ------------
 build | 8 -------
 ci.sh | 50 +++++++++++++++++++++++++++++++++++++++
 docker-login | 7 +++---
 dockerhub-metadata | 6 ++---
 10 files changed, 75 insertions(+), 96 deletions(-)
 create mode 100644 .github/dependabot.yml
 delete mode 100755 .gitlab-ci.sh
 delete mode 100755 .travis.sh
 delete mode 100644 .travis.yml
 delete mode 100755 build
 create mode 100755 ci.sh
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index a09c12d..a345c43 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -5,19 +5,22 @@ on:
 - master
 pull_request:
 workflow_dispatch:
+ schedule:
+ # Run once per day
+ - cron: '0 0 * * *'
 jobs:
 build:
 strategy:
 matrix:
- os: [ ubuntu-20.04 ]
- runs-on: ${{ matrix.os }}
+ channel:
+ - nixos-unstable
+ - nixos-20.09
+ - nixos-20.03
+ runs-on: ubuntu-20.04
 steps:
 - uses: actions/checkout@v2
 - uses: cachix/install-nix-action@v12
- - uses: cachix/cachix-action@v8
- with:
- name: nix-community
- signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
- - run: ./build
+ - run: nix-shell --run ./ci.sh
 env:
- - NIX_PATH=channel:nixos-unstable
+ CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
+ NIXPKGS_CHANNEL: '${{ matrix.channel }}'
diff --git a/.gitlab-ci.sh b/.gitlab-ci.sh
deleted file mode 100755
index dcc3ced..0000000
--- a/.gitlab-ci.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-#
-# Gitlab CI specific build script.
-#
-set -euo pipefail
-
-./build
-
-# default to the Gitlab registry
-: "${REGISTRY:=$CI_REGISTRY}"
-: "${REGISTRY_USER:=$CI_REGISTRY_USER}"
-: "${REGISTRY_PASSWORD:=$CI_REGISTRY_PASSWORD}"
-: "${IMAGE_PREFIX:=$CI_PROJECT_PATH}"
-
-# IMAGE_TAG is provided by .gitlab-ci.yml
-
-
-if [[ "$CI_COMMIT_REF_NAME" = master ]]; then
- ./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
- ./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
- if [[ $REGISTRY = *docker.io ]]; then
- ./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
- fi
-else
- echo "=== not pushing on non-master ==="
-fi
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7b543d0..efb6ffa 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
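Review bot: `CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'` hands the registry push credential to every run of the build job, including `pull_request` runs, where `nix-shell --run ./ci.sh` executes the nix-shell environment and ci.sh taken from the PR branch; the only thing standing between a same-repository PR and a push is the branch check inside ci.sh. Fork PRs receive no secrets anyway, so make that scoping explicit rather than implicit, e.g. `CI_REGISTRY_AUTH: ${{ github.event_name != 'pull_request' && secrets.REGISTRY_AUTH || '' }}`, or move login and push into a separate job restricted to push and schedule events. With Dependabot now tracking `github-actions`, pinning `actions/checkout@v2` and `cachix/install-nix-action@v12` to full commit SHAs (which Dependabot keeps updated) would also remove the mutable-tag supply-chain exposure of the two third-party actions this job runs with the secret in its environment.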
@@ -5,19 +5,19 @@ stages:
 nixos-unstable:
 stage: build
- script: NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.gitlab-ci.sh
+ script: nix-shell --run ./ci.sh
 variables:
 NIXPKGS_CHANNEL: nixos-unstable
 IMAGE_TAG: latest
 nixos-20.03:
 stage: build
- script: NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.gitlab-ci.sh
+ script: nix-shell --run ./ci.sh
 variables:
 NIXPKGS_CHANNEL: nixos-20.03
 nixos-20.09:
 stage: build
- script: NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.gitlab-ci.sh
+ script: nix-shell --run ./ci.sh
 variables:
 NIXPKGS_CHANNEL: nixos-20.09
diff --git a/.travis.sh b/.travis.sh
deleted file mode 100755
index 2aeed2b..0000000
--- a/.travis.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-#
-# Travis CI specific build script
-#
-set -euo pipefail
-
-# default to Docker Hub
-# the user has to set REGISTRY_USER and REGISTRY_PASSWORD
-: "${REGISTRY:=docker.io}"
-: "${IMAGE_PREFIX:=nixpkgs}"
-
-# either set NIX_PATH and IMAGE_TAG, or set NIXPKGS_CHANNEL
-if [[ -n "${NIXPKGS_CHANNEL:-}" ]]; then
- : "${IMAGE_TAG:=$NIXPKGS_CHANNEL}"
- export NIX_PATH=nixpkgs=channel:$NIXPKGS_CHANNEL
-fi
-
-./build
-
-if [[ "$TRAVIS_BRANCH" = master && -z "${TRAVIS_PULL_REQUEST_BRANCH:-}" ]]; then
- ./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
- ./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
- if [[ $REGISTRY = *docker.io ]]; then
- ./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
- fi
-else
- echo "=== not pushing on non-master ==="
-fi
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index adc0930..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-language: nix
-
-nix: 2.3.6
-
-matrix:
- include:
- - name: nixos-unstable
- env: NIXPKGS_CHANNEL=nixos-unstable IMAGE_TAG=latest
- - name: nixos-20.03
- env: NIXPKGS_CHANNEL=nixos-20.03
- - name: nixos-20.09
- env: NIXPKGS_CHANNEL=nixos-20.09
-
-script:
- - NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.travis.sh
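Review bot: The three `script: nix-shell --run ./ci.sh` lines now rely on `CI_REGISTRY_AUTH` for the registry login, but GitLab does not predefine that variable — the removed .gitlab-ci.sh built the credential from the predefined `CI_REGISTRY_USER`/`CI_REGISTRY_PASSWORD` — so on master ci.sh skips `docker-login` and `push-all` runs against `$CI_REGISTRY` without credentials. Either define it as a masked CI/CD variable in the project settings, or derive it in this file, e.g. `CI_REGISTRY_AUTH: "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD"` under a top-level `variables:` block, if variable expansion there fits the project. `IMAGE_TAG: latest` in the nixos-unstable job is no longer read by ci.sh, which derives the tag from `NIXPKGS_CHANNEL`, and can be dropped to avoid suggesting it still has an effect.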
diff --git a/build b/build
deleted file mode 100755
index 9209c66..0000000
--- a/build
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# build *all* the docker images
-exec nix-build \
- --no-out-link \
- --option sandbox true \
- "$@"
diff --git a/ci.sh b/ci.sh
new file mode 100755
index 0000000..3740aca
--- /dev/null
+++ b/ci.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# CI specific build script.
+#
+set -euo pipefail
+
+channel=${NIXPKGS_CHANNEL:-nixos-unstable}
+registry=${CI_REGISTRY:-docker.io}
+registry_auth=${CI_REGISTRY_AUTH:-}
+image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+
+if [[ $channel == nixos-unstable ]]; then
+ image_tag=latest
+else
+ image_tag=$channel
+fi
+
+export NIX_PATH=channel:$channel
+
+banner() {
+ echo "========================================================"
+ echo " $*"
+ echo "========================================================"
+}
+
+cd "$(dirname "$0")"
+
+banner "Building images"
+# Build all the docker images
+nix-build \
+ --no-out-link \
+ --option sandbox true \
+
+if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
+ banner "Skipping push on non-master branch"
+ exit
+fi
+
+if [[ -n "${registry_auth}" ]]; then
+ banner "docker login"
+ ./docker-login "$registry_auth" "$registry"
+fi
+
+banner "docker push"
+./push-all "$registry" "$image_prefix" "$image_tag"
+
+if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
+ banner "docker metadata update"
+ ./dockerhub-metadata "$registry_auth" "$image_prefix"
+fi
diff --git a/docker-login b/docker-login
index f190a85..cfaa37d 100755
--- a/docker-login
+++ b/docker-login
@@ -5,9 +5,8 @@
 # Usage: ./docker-login [registry]
 set -euo pipefail
-username=$1
-password=$2
-registry=${3:-docker.io}
+auth=$1
+registry=${2:-docker.io}
 # Encode some funky docker heuristic
 if [[ $registry = *docker.io ]]; then
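Review bot: The push guard `if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]` prints `HEAD` wherever the runner checks out a detached HEAD, which GitLab runners do by default and actions/checkout does for pull_request events, so on GitLab the master pipeline would silently skip the push that the removed .gitlab-ci.sh performed based on `$CI_COMMIT_REF_NAME`. Prefer the ref name the CI system provides and keep git only as a fallback: `ref_name=${CI_COMMIT_REF_NAME:-${GITHUB_REF:-}}` / `ref_name=${ref_name#refs/heads/}` / `if [[ ${ref_name:-$(git rev-parse --abbrev-ref HEAD)} != master ]]; then`. Separately, the trailing backslash on `--option sandbox true \` continues the nix-build command onto the empty line below it, so the command only terminates because that line is blank; drop the backslash so the call does not depend on the blank line staying there.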
@@ -21,7 +20,7 @@ cat < ~/.docker/config.json
 {
 "auths": {
 "$registry": {
- "auth": "$(printf "%s:%s" "$username" "$password" | base64)"
+ "auth": "$(echo "$auth" | base64)"
 }
 }
 }
diff --git a/dockerhub-metadata b/dockerhub-metadata
index 65fa228..efe6534 100755
--- a/dockerhub-metadata
+++ b/dockerhub-metadata
@@ -6,10 +6,8 @@
 # Usage: ./dockerhub-metadata [org]
 set -euo pipefail
-username=$1
-password=$2
-org=${3:-nixpkgs}
-user=$username:$password
+user=$1
+org=${2:-nixpkgs}
 nix_eval() {
 nix-instantiate --strict --eval --json "$@"
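Review bot: `"auth": "$(echo "$auth" | base64)"` encodes a trailing newline, because `echo` appends one, whereas the replaced `printf "%s:%s"` did not; Docker decodes this field as `user:password`, so the password presented to the registry now carries a trailing `\n`, and a value beginning with `-n` or `-e` would additionally be eaten as an echo option. Use `"auth": "$(printf '%s' "$auth" | base64)"`; adding `-w0` to base64 would also stop GNU base64 from wrapping credentials longer than 76 characters, a latent issue the old line shared. The credential is still taken from argv (`auth=$1` in the previous hunk), which leaves it visible in the runner's process list for the lifetime of the script; passing it through the environment or stdin would avoid that exposure. The heredoc this hunk sits in starts before the hunk.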
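Review bot: `user=$1` now receives the combined `user:password` credential, yet the variable keeps the name `user` while docker-login calls the same value `auth`; naming it `auth=$1` here (and updating its uses below the hunk) would keep the two scripts consistent and stop the name from reading as a bare username. The `# Usage: ./dockerhub-metadata [org]` context line predates the change and should document the single positional credential argument, e.g. `# Usage: ./dockerhub-metadata USER:PASSWORD [org]`. The rest of the script, where `$user` is consumed, is outside the hunk.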