upload-legacy-ami.yml
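# Publishes the NixOS "legacy" Amazon Machine Images.
#
# The image is fetched from Hydra (not built here), uploaded to S3 and
# registered as a smoke-test AMI, booted once, and -- on main only -- copied
# to every region and made public. Two follow-up jobs (main only) prune
# deprecated AMIs and publish the images listing to GitHub Pages.
#
# Every `uses:` is pinned to a full commit SHA; the trailing `# vX.Y.Z` is the
# tag that SHA corresponded to when it was pinned and is informational only.
name: Upload Legacy Amazon Image

# Workflow-wide default. Jobs that need an OIDC token (`id-token: write`) for
# aws-actions/configure-aws-credentials opt in individually below.
permissions:
  contents: read

on:
  # NOTE(review): pull_request runs also reach the upload-ami job, which
  # requests `id-token: write` and assumes the AWS upload-ami role while
  # running `.#upload-ami` / `.#smoke-test` from the PR's own checkout. What
  # bounds this is the protection rules on the `images` environment (plus
  # GitHub's documented restrictions on fork PRs, which do not receive OIDC
  # tokens) -- confirm that is the intended trust boundary.
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * 0"  # weekly, Sunday 00:00 UTC

jobs:
  upload-ami:
    name: Upload Legacy Amazon Image
    runs-on: ubuntu-latest
    environment: images
    permissions:
      contents: read
      id-token: write  # OIDC token for configure-aws-credentials (role-to-assume)
    strategy:
      matrix:
        release:
          - release-24.05
          - release-24.11
          # - nixos-unstable
        system:
          - x86_64-linux
          - aarch64-linux
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
      - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
      - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
      # NOTE: We download the AMI from Hydra instead of building it ourselves
      # because aarch64 is currently not supported by AWS EC2 and the legacy
      # image builder requires nested virtualization.
      - name: Download AMI from Hydra
        id: download_ami
        # Matrix values are handed to the script through `env` instead of
        # being interpolated into it, so bash and jq only ever see them as
        # data -- same pattern for every `run:` block in this job.
        env:
          RELEASE: ${{ matrix.release }}
          SYSTEM: ${{ matrix.system }}
        run: |
          set -o pipefail
          build_id=$(curl -sSfL -H 'Accept: application/json' "https://hydra.nixos.org/job/nixos/${RELEASE}/tested/latest-finished" | jq -r '.id')
          out=$(curl -sSfL -H 'Accept: application/json' "https://hydra.nixos.org/build/${build_id}/constituents" \
            | jq -r --arg job "nixos.amazonImage.${SYSTEM}" '.[] | select(.job == $job) | .buildoutputs.out.path')
          # jq prints nothing (or "null") when the constituent is missing; fail
          # with a readable message instead of handing an empty path to nix-store.
          if [ -z "$out" ] || [ "$out" = "null" ]; then
            echo "no amazonImage output for ${SYSTEM} in Hydra build ${build_id} (${RELEASE})" >&2
            exit 1
          fi
          nix-store --realise "$out" --add-root ./result
          echo "image_info=$out/nix-support/image-info.json" >> "$GITHUB_OUTPUT"
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
          aws-region: ${{ vars.AWS_REGION }}
      - name: Upload Smoke test AMI
        id: upload_smoke_test_ami
        # The Hydra-derived step output and the repository variable go through
        # `env`, so a value containing quotes or shell metacharacters cannot
        # change what the script does.
        env:
          IMAGE_INFO: ${{ steps.download_ami.outputs.image_info }}
          IMAGES_BUCKET: ${{ vars.IMAGES_BUCKET }}
        run: |
          image_ids=$(nix run .#upload-ami -- \
            --image-info "$IMAGE_INFO" \
            --prefix "smoketest/" \
            --s3-bucket "$IMAGES_BUCKET")
          # NOTE(review): assumes the tool prints the region->AMI map on a
          # single line; multi-line output would need the heredoc form of
          # $GITHUB_OUTPUT -- confirm against the upload-ami tool.
          echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT"
      - name: Smoke test
        id: smoke_test
        # NOTE: if this step is cancelled, the "Clean up smoke test" step below
        # still runs (`if: cancelled()`) so the test instance gets torn down.
        env:
          IMAGE_IDS: ${{ steps.upload_smoke_test_ami.outputs.image_ids }}
          REGION: ${{ vars.AWS_REGION }}
        run: |
          image_id=$(echo "$IMAGE_IDS" | jq -r --arg region "$REGION" '.[$region]')
          nix run .#smoke-test -- --image-id "$image_id"
      - name: Clean up smoke test
        if: ${{ cancelled() }}
        env:
          IMAGE_IDS: ${{ steps.upload_smoke_test_ami.outputs.image_ids }}
          REGION: ${{ vars.AWS_REGION }}
        run: |
          image_id=$(echo "$IMAGE_IDS" | jq -r --arg region "$REGION" '.[$region]')
          nix run .#smoke-test -- --image-id "$image_id" --cancel
      # NOTE: We do not pass run-id as we're not building the image ourselves
      # and we thus need to poll hydra periodically. Including the run-id would
      # cause us to register the same snapshot as an image over and over again
      # for each run.
      - name: Upload AMIs to all available regions
        if: github.ref == 'refs/heads/main'
        env:
          IMAGE_INFO: ${{ steps.download_ami.outputs.image_info }}
          IMAGES_BUCKET: ${{ vars.IMAGES_BUCKET }}
        run: |
          nix run .#upload-ami -- \
            --image-info "$IMAGE_INFO" \
            --prefix "nixos/" \
            --s3-bucket "$IMAGES_BUCKET" \
            --copy-to-regions \
            --public

  delete-deprecated-images:
    # Display name fixed: it previously read "Deploy images page", a copy of
    # the deploy-pages job's name.
    name: Delete deprecated images
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: upload-ami
    environment: images
    # The workflow default grants `contents: read` only; without
    # `id-token: write` configure-aws-credentials cannot obtain the OIDC token
    # it needs for role-to-assume, and this job would fail before `nix run`.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
      - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
      - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages
          aws-region: ${{ vars.AWS_REGION }}
      - name: Delete deprecated AMIs
        if: github.ref == 'refs/heads/main'
        run: |
          nix run .#delete-deprecated-images

  deploy-pages:
    name: Deploy images page
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: [upload-ami, delete-deprecated-images]
    permissions:
      contents: read
      id-token: write  # OIDC for both configure-aws-credentials and deploy-pages
      pages: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
      - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
      - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages
          aws-region: ${{ vars.AWS_REGION }}
      - name: Describe images
        # Presumably `./site` already exists in the checkout; the redirect
        # does not create the directory -- confirm.
        run: nix run .#describe-images > ./site/images.json
      - name: Upload pages
        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
        with:
          path: ./site
      - name: Deploy pages
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
        id: deployment
        if: github.ref == 'refs/heads/main'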