Ami rework #9
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Upload Legacy Amazon Image | |
| permissions: | |
| contents: read | |
| on: | |
| # TODO: Remove before merge | |
| pull_request: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '0 0 * * 0' | |
| env: | |
| AWS_REGION: eu-central-1 | |
| jobs: | |
| upload-ami: | |
| name: Upload Legacy Amazon Image | |
| runs-on: ubuntu-latest | |
| environment: images | |
| permissions: | |
| contents: read | |
| id-token: write | |
| strategy: | |
| matrix: | |
| system: | |
| - x86_64-linux | |
| - aarch64-linux | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9 | |
| - uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2 | |
| # NOTE: We download the AMI from Hydra instead of building it ourselves | |
| # because aarch64 is currently not supported by AWS EC2 and the legacy | |
| # image builder requires nested virtualization. | |
| - name: Download AMI from Hydra | |
| id: download_ami | |
| run: | | |
| out=$(curl --location --silent --header 'Accept: application/json' https://hydra.nixos.org/job/nixos/release-23.11/nixos.amazonImage.${{ matrix.system }}/latest-finished | jq --raw-output '.buildoutputs.out.path') | |
| nix-store --realise $out --add-root ./result | |
| echo "image_info=$out/nix-support/image-info.json" >> "$GITHUB_OUTPUT" | |
| - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/state | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Get S3 bucket name | |
| id: get_bucket_name | |
| run: | | |
| cd tf | |
| nix shell --inputs-from . nixpkgs#opentofu --command ./tofu-init.sh | |
| images_bucket=$(nix shell --inputs-from . nixpkgs#opentofu --command tofu output -raw images_bucket) | |
| echo "images_bucket=$images_bucket" >> "$GITHUB_OUTPUT" | |
| - uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami | |
| aws-region: ${{ env.AWS_REGION }} | |
| # NOTE: We do not pass run-id as we're not building the image ourselves | |
| # and we thus need to poll hydra periodically. Including the run-id would | |
| # cause us to register the same snapshot as an image over and over again | |
| # for each run. | |
| - name: Upload Smoke test AMI | |
| id: upload_smoke_test_ami | |
| run: | | |
| image_ids=$(nix run .#upload-ami -- \ | |
| --image-info "${{ steps.download_ami.outputs.image_info }} \ | |
| --prefix "staging-legacy/" \ | |
| --s3-bucket "${{ steps.get_bucket_name.outputs.images_bucket }}") | |
| echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" | |
| - name: Smoke test | |
| id: smoke_test | |
| run: | | |
| image_ids=${{ steps.upload_smoke_test_ami.outputs.image_ids }}} | |
| image_id=$(echo "$amis" | jq -r '.["${{ env.AWS_REGION }}"]') | |
| nix run .#smoke-test -- --image-id "$image_id" --region "${{ env.AWS_REGION }}" | |
| - name: Upload AMIs to all available regions | |
| run: | | |
| image_ids=$(nix run .#upload-ami -- \ | |
| --image-info "${{ steps.download_ami.outputs.image_info }} \ | |
| --prefix "legacy/" \ | |
| --s3-bucket "${{ steps.get_bucket_name.outputs.images_bucket }}" \ | |
| --copy-to-regions) | |
| echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" | |