Skip to content

chore(deps): update cachix/install-nix-action action to v30 #65

chore(deps): update cachix/install-nix-action action to v30

chore(deps): update cachix/install-nix-action action to v30 #65

Workflow file for this run

name: Pull Request
on:
pull_request:
permissions:
pull-requests: write
jobs:
build:
if: github.event.pull_request.draft == false
name: "Build ${{ matrix.target }}"
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: macos-latest
target: elmira
- os: ubuntu-latest
target: marlon
- os: ubuntu-latest
target: roland
- os: ubuntu-latest
target: vic
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install nix
uses: cachix/install-nix-action@v30
with:
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- uses: cachix/cachix-action@v15
with:
name: tuckershea
skipPush: true
extraPullNames: nix-community
- name: Build pr target
env:
TARGET: ".#top.${{ matrix.target }}"
run: |
set -o pipefail
nix build $TARGET --show-trace --fallback -v --log-format raw > >(tee stdout.log) 2> >(tee /tmp/nix-pr-build.log >&2)
- name: Output build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-pr-build.log | grep -oE "/nix/store/.*.drv")
nix log $drv
echo $drv
exit 1
- name: Fetch current main and build it in a profile
env:
TARGET: "github:tuckershea/constellation#top.${{ matrix.target }}"
run: nix build $TARGET -v --log-format raw --profile ./profile
- name: Apply pr to profile
env:
TARGET: ".#top.${{ matrix.target }}"
run: nix build $TARGET -v --log-format raw --profile ./profile
- name: Diff profile
id: diff
run: |
diff="$(nix profile diff-closures --profile ./profile)"
echo "$diff"
diff="$(echo "$diff" | sed 's/\x1b\[[0-9;]*m//g')"
diff="${diff//'%'/'%25'}"
diff="${diff//$'\n'/'%0A'}"
diff="${diff//$'\r'/'%0D'}"
echo "::set-output name=diff::$diff"
- name: Scan for security issues
id: security
run: |
nix run nixpkgs#vulnix -- -w https://raw.githubusercontent.com/tuckershea/vulnix-whitelist/main/whitelist.toml ./profile | tee /tmp/security.txt
OUTPUT_SECURITY="$(cat /tmp/security.txt)"
OUTPUT_SECURITY="${OUTPUT_SECURITY//'%'/'%25'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\n'/'%0A'}"
OUTPUT_SECURITY="${OUTPUT_SECURITY//$'\r'/'%0D'}"
echo "$OUTPUT_SECURITY"
echo "::set-output name=security::$OUTPUT_SECURITY"
- name: Comment report in pr
uses: marocchino/sticky-pull-request-comment@v2
with:
header: ".#top.${{ matrix.target }}"
message: |
### Report for `${{ matrix.target }}`
Version changes:
```
${{ steps.diff.outputs.diff }}
```
<details>
<summary>
Security vulnerability report
</summary>
<br>
<pre>
${{ steps.security.outputs.security }}
</pre>
</details>
# Reference
# https://github.com/arianvp/nixos-stuff/blob/adec9e6/.github/workflows/pr.yml
# https://github.com/sandhose/nixconf/blob/055de30/.github/workflows/check-pr.yaml
# https://github.com/EdenEast/nyx/blob/7786a66554c5b8a888ca4b9b5c33129f06062eb7/.github/workflows/pr.yml