dash/.github/workflows/guix-build.yml
pasta 167608c7c7
Merge #6338: ci: attest results of guix builds
cd712e86b7 ci: attest results of guix builds (pasta)

Pull request description:

  ## Issue being fixed or feature implemented
  This simply adds attestations to guix results by GitHub. This way, not only can someone verify that all us developers agree, but also that GitHub hosted runners agree :)

  ## What was done?
  Add actions/attest-build-provenance to guix-build CI

  ## How Has This Been Tested?
  see: https://github.com/PastaPastaPasta/dash/actions/runs/11239755631

  ## Breaking Changes
  None

  ## Checklist:
    _Go over all the following points, and put an `x` in all the boxes that apply._
  - [x] I have performed a self-review of my own code
  - [ ] I have commented my code, particularly in hard-to-understand areas
  - [ ] I have added or updated relevant unit/integration/functional/e2e tests
  - [ ] I have made corresponding changes to the documentation
  - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  UdjinM6:
    utACK cd712e86b7

Tree-SHA512: b590ee2cf29aa57f78cb68c22d5327e8c9272d63d523c3b64fbbdffabb90981a6b6505c5f511bde19310ea1d8c96fc6d181359a7d7a0672612473110cbe079ef
2024-10-22 12:22:54 -05:00

136 lines
4.9 KiB
YAML

name: Guix Build
permissions:
packages: write
id-token: write
attestations: write
on:
pull_request_target:
push:
jobs:
build-image:
runs-on: ubuntu-latest
outputs:
image-tag: ${{ steps.prepare.outputs.image-tag }}
repo-name: ${{ steps.prepare.outputs.repo-name }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
path: dash
fetch-depth: 0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Commit variables
id: prepare
run: |
echo "hash=$(sha256sum ./dash/contrib/containers/guix/Dockerfile | cut -d ' ' -f1)" >> $GITHUB_OUTPUT
echo "host_user_id=$(id -u)" >> $GITHUB_OUTPUT
echo "host_group_id=$(id -g)" >> $GITHUB_OUTPUT
BRANCH_NAME=$(echo "${GITHUB_REF##*/}" | tr '[:upper:]' '[:lower:]')
REPO_NAME=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
echo "::set-output name=image-tag::${BRANCH_NAME}"
echo "::set-output name=repo-name::${REPO_NAME}"
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build Docker image
uses: docker/build-push-action@v6
with:
context: ${{ github.workspace }}/dash
build-args: |
USER_ID=${{ steps.prepare.outputs.host_user_id }}
GROUP_ID=${{ steps.prepare.outputs.host_group_id }}
build-contexts: |
docker_root=${{ github.workspace }}/dash/contrib/containers/guix
file: ./dash/contrib/containers/guix/Dockerfile
push: true
tags: |
ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:${{ steps.prepare.outputs.image-tag }}
ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:latest
cache-from: type=registry,ref=ghcr.io/${{ steps.prepare.outputs.repo-name }}/dashcore-guix-builder:latest
cache-to: type=inline,mode=max
build:
needs: build-image
# runs-on: [ "self-hosted", "linux", "x64", "ubuntu-core" ]
runs-on: ubuntu-latest
# if: ${{ contains(github.event.pull_request.labels.*.name, 'guix-build') }}
strategy:
matrix:
build_target: [x86_64-linux-gnu, arm-linux-gnueabihf, aarch64-linux-gnu, riscv64-linux-gnu, x86_64-w64-mingw32, x86_64-apple-darwin, arm64-apple-darwin]
timeout-minutes: 480
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
path: dash
fetch-depth: 0
- name: Cache Guix and depends
id: guix-cache-restore
uses: actions/cache@v3
with:
path: |
${{ github.workspace }}/.cache
${{ github.workspace }}/dash/depends/built
${{ github.workspace }}/dash/depends/sources
${{ github.workspace }}/dash/depends/work
/gnu/store
key: ${{ runner.os }}-guix-${{ matrix.build_target }}-${{ github.sha }}
restore-keys: |
${{ runner.os }}-guix-${{ matrix.build_target }}
${{ runner.os }}-guix-
- name: Create .cache folder if missing
if: steps.guix-cache-restore.outputs.cache-hit != 'true'
run: mkdir -p .cache
- name: Run Guix build
timeout-minutes: 480
run: |
docker run --privileged -d --rm -t \
--name guix-daemon \
-e ADDITIONAL_GUIX_COMMON_FLAGS="--max-jobs=$(nproc --all)" \
-v ${{ github.workspace }}/dash:/src/dash \
-v ${{ github.workspace }}/.cache:/home/ubuntu/.cache \
-w /src/dash \
ghcr.io/${{ needs.build-image.outputs.repo-name }}/dashcore-guix-builder:${{ needs.build-image.outputs.image-tag }} && \
docker exec guix-daemon bash -c 'HOSTS=${{ matrix.build_target }} /usr/local/bin/guix-start'
- name: Ensure build passes
run: |
if [[ $? != 0 ]]; then
echo "Guix build failed!"
exit 1
fi
- name: Compute SHA256 checksums
continue-on-error: true # It will complain on depending on only some hosts
run: |
HOSTS=${{ matrix.build_target }} ./dash/contrib/containers/guix/scripts/guix-check ${{ github.workspace }}/dash
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: guix-artifacts-${{ matrix.build_target }}
path: |
${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/
- name: Attest build provenance
uses: actions/attest-build-provenance@v1
with:
subject-path: ${{ github.workspace }}/dash/guix-build*/output/${{ matrix.build_target }}/*