ci: attest results of guix builds (pasta) Pull request description: ## Issue being fixed or feature implemented This simply adds GitHub-issued attestations to the guix build results. This way, not only can someone verify that all of us developers agree, but also that GitHub hosted runners agree :) ## What was done? Add actions/attest-build-provenance to guix-build CI ## How Has This Been Tested? see: https://github.com/PastaPastaPasta/dash/actions/runs/11239755631 ## Breaking Changes None ## Checklist: _Go over all the following points, and put an `x` in all the boxes that apply._ - [x] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have added or updated relevant unit/integration/functional/e2e tests - [ ] I have made corresponding changes to the documentation - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_ ACKs for top commit: UdjinM6: utACK cd712e86b7
Tree-SHA512: b590ee2cf29aa57f78cb68c22d5327e8c9272d63d523c3b64fbbdffabb90981a6b6505c5f511bde19310ea1d8c96fc6d181359a7d7a0672612473110cbe079ef
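---
# Guix Build
#
# Two jobs: 'build-image' builds the Guix builder container and pushes it to
# ghcr.io; 'build' runs the reproducible Guix build inside that image for every
# host triple in the matrix, uploads the outputs and attaches a GitHub
# build-provenance attestation to them.
#
# NOTE(review): every third-party action below is pinned to a major tag
# (e.g. @v4).  Pinning to a full commit SHA instead would protect the pipeline
# against a retargeted tag; no SHAs are given here because none were verified.
name: Guix Build

# No token scope at workflow level; each job declares only what it needs.
# Any scope a job does not list is 'none'.
permissions: {}

on:  # yamllint disable-line rule:truthy
  # NOTE(review): pull_request_target runs with the base repository's
  # write-capable GITHUB_TOKEN and OIDC token, while both jobs check out and
  # execute the PR head (its Dockerfile and Guix scripts).  The commented-out
  # label gate in the 'build' job is the usual way to restrict that to reviewed
  # PRs — confirm this is intended before treating attestations of PR-built
  # artifacts as trustworthy.
  pull_request_target:
  push:

jobs:
  # Builds and pushes the container image the Guix build runs in.  Exposes the
  # image tag and the lower-cased repository name to the 'build' job.
  build-image:
    runs-on: ubuntu-latest
    permissions:
      packages: write  # push the builder image to ghcr.io
    outputs:
      image-tag: ${{ steps.prepare.outputs.image-tag }}
      repo-name: ${{ steps.prepare.outputs.repo-name }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Empty on 'push' events, in which case checkout uses the pushed commit.
          ref: ${{ github.event.pull_request.head.sha }}
          path: dash
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Commit variables
        id: prepare
        run: |
          # 'hash' is not referenced elsewhere in this workflow; kept for
          # callers outside this file.
          echo "hash=$(sha256sum ./dash/contrib/containers/guix/Dockerfile | cut -d ' ' -f1)" >> "$GITHUB_OUTPUT"
          echo "host_user_id=$(id -u)" >> "$GITHUB_OUTPUT"
          echo "host_group_id=$(id -g)" >> "$GITHUB_OUTPUT"
          # Registry paths and tags must be lower-case.
          BRANCH_NAME=$(echo "${GITHUB_REF##*/}" | tr '[:upper:]' '[:lower:]')
          REPO_NAME=$(echo "${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]')
          # '::set-output' is deprecated; write to $GITHUB_OUTPUT like the
          # values above.
          echo "image-tag=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
          echo "repo-name=${REPO_NAME}" >> "$GITHUB_OUTPUT"

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: ${{ github.workspace }}/dash
          build-args: |
            USER_ID=${{ steps.prepare.outputs.host_user_id }}
            GROUP_ID=${{ steps.prepare.outputs.host_group_id }}
          build-contexts: |
            docker_root=${{ github.workspace }}/dash/contrib/containers/guix
          file: ./dash/contrib/containers/guix/Dockerfile
          push: true
          tags: |
            ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:${{ steps.prepare.outputs.image-tag }}
            ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:latest
          cache-from: type=registry,ref=ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:latest
          cache-to: type=inline,mode=max

  # Runs the Guix build for one host triple per matrix entry, then uploads and
  # attests the outputs.
  build:
    needs: build-image
    # runs-on: [ "self-hosted", "linux", "x64", "ubuntu-core" ]
    runs-on: ubuntu-latest
    # if: ${{ contains(github.event.pull_request.labels.*.name, 'guix-build') }}
    permissions:
      id-token: write      # OIDC token used by the provenance attestation
      attestations: write  # store the attestation on the repository
    strategy:
      matrix:
        build_target:
          - x86_64-linux-gnu
          - arm-linux-gnueabihf
          - aarch64-linux-gnu
          - riscv64-linux-gnu
          - x86_64-w64-mingw32
          - x86_64-apple-darwin
          - arm64-apple-darwin
    timeout-minutes: 480
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Empty on 'push' events, in which case checkout uses the pushed commit.
          ref: ${{ github.event.pull_request.head.sha }}
          path: dash
          fetch-depth: 0

      - name: Cache Guix and depends
        id: guix-cache-restore
        uses: actions/cache@v3
        with:
          path: |
            ${{ github.workspace }}/.cache
            ${{ github.workspace }}/dash/depends/built
            ${{ github.workspace }}/dash/depends/sources
            ${{ github.workspace }}/dash/depends/work
            /gnu/store
          key: ${{ runner.os }}-guix-${{ matrix.build_target }}-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-guix-${{ matrix.build_target }}
            ${{ runner.os }}-guix-

      - name: Create .cache folder if missing
        if: steps.guix-cache-restore.outputs.cache-hit != 'true'
        run: mkdir -p .cache

      - name: Run Guix build
        timeout-minutes: 480
        env:
          # Passed through the environment rather than interpolated into the
          # script so the shell never sees a raw '${{ }}' expansion.
          HOSTS: ${{ matrix.build_target }}
        run: |
          # The default 'bash -e' step shell fails this step when either
          # command fails, so no separate exit-status check is needed afterwards.
          docker run --privileged -d --rm -t \
            --name guix-daemon \
            -e ADDITIONAL_GUIX_COMMON_FLAGS="--max-jobs=$(nproc --all)" \
            -v "${GITHUB_WORKSPACE}/dash:/src/dash" \
            -v "${GITHUB_WORKSPACE}/.cache:/home/ubuntu/.cache" \
            -w /src/dash \
            ghcr.io/${{ needs.build-image.outputs.repo-name }}/dashcore-guix-builder:${{ needs.build-image.outputs.image-tag }} && \
          docker exec -e HOSTS="${HOSTS}" guix-daemon bash -c '/usr/local/bin/guix-start'

      - name: Compute SHA256 checksums
        # guix-check complains when only a subset of the hosts was built, so
        # its failure must not fail the job.
        continue-on-error: true
        env:
          HOSTS: ${{ matrix.build_target }}
        run: |
          ./dash/contrib/containers/guix/scripts/guix-check "${GITHUB_WORKSPACE}/dash"

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: guix-artifacts-${{ matrix.build_target }}
          path: |
            ${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/

      # NOTE(review): this also runs on pull_request_target, so artifacts built
      # from a PR head are attested under the repository's workflow identity.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/*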