Skip to content

Bump github/codeql-action from 3.25.1 to 3.26.0 #296

Bump github/codeql-action from 3.25.1 to 3.26.0

Bump github/codeql-action from 3.25.1 to 3.26.0 #296

name: Upload Legacy Amazon Image
permissions:
contents: read
on:
pull_request:
workflow_dispatch:
schedule:
- cron: "0 0 * * 0"
jobs:
upload-ami:
name: Upload Legacy Amazon Image
runs-on: ubuntu-latest
environment: images
permissions:
contents: read
id-token: write
strategy:
matrix:
release:
- release-24.05
# - nixos-unstable
system:
- x86_64-linux
- aarch64-linux
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
- uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
# NOTE: We download the AMI from Hydra instead of building it ourselves
# because aarch64 is currently not supported by AWS EC2 and the legacy
# image builder requires nested virtualization.
- name: Download AMI from Hydra
id: download_ami
run: |
set -o pipefail
build_id=$(curl -sSfL -H 'Accept: application/json' https://hydra.nixos.org/job/nixos/${{ matrix.release }}/tested/latest-finished | jq -r '.id')
out=$(curl -sSfL -H 'Accept: application/json' "https://hydra.nixos.org/build/${build_id}/constituents" | jq -r '.[] | select(.job == "nixos.amazonImage.${{ matrix.system }}") | .buildoutputs.out.path')
nix-store --realise "$out" --add-root ./result
echo "image_info=$out/nix-support/image-info.json" >> "$GITHUB_OUTPUT"
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
aws-region: ${{ vars.AWS_REGION }}
- name: Upload Smoke test AMI
id: upload_smoke_test_ami
run: |
image_info='${{ steps.download_ami.outputs.image_info }}'
images_bucket='${{ vars.IMAGES_BUCKET }}'
image_ids=$(nix run .#upload-ami -- \
--image-info "$image_info" \
--prefix "smoketest/" \
--s3-bucket "$images_bucket")
echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT"
- name: Smoke test
id: smoke_test
# NOTE: make sure smoke test isn't cancelled. Such that instance gets cleaned up.
run: |
image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}'
image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]')
nix run .#smoke-test -- --image-id "$image_id"
- name: Clean up smoke test
if: ${{ cancelled() }}
run: |
image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}'
image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]')
nix run .#smoke-test -- --image-id "$image_id" --cancel
# NOTE: We do not pass run-id as we're not building the image ourselves
# and we thus need to poll hydra periodically. Including the run-id would
# cause us to register the same snapshot as an image over and over again
# for each run.
- name: Upload AMIs to all available regions
if: github.ref == 'refs/heads/main'
run: |
image_info='${{ steps.download_ami.outputs.image_info }}'
images_bucket='${{ vars.IMAGES_BUCKET }}'
nix run .#upload-ami -- \
--image-info "$image_info" \
--prefix "nixos/" \
--s3-bucket "$images_bucket" \
--copy-to-regions \
--public
deploy-pages:
name: Deploy images page
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: upload-ami
permissions:
contents: read
id-token: write
pages: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
- uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.1
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages
aws-region: ${{ vars.AWS_REGION }}
- name: Describe images
run: nix run .#describe-images > ./site/images.json
- name: Upload pages
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: ./site
- name: Deploy pages
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
id: deployment
if: github.ref == 'refs/heads/main'