Skip to content

Upload Legacy Amazon Image #141

Upload Legacy Amazon Image

Upload Legacy Amazon Image #141

name: Upload Legacy Amazon Image
permissions:
contents: read
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
schedule:
- cron: '0 0 * * 0'
env:
AWS_REGION: eu-central-1
jobs:
upload-ami:
name: Upload Legacy Amazon Image
runs-on: ubuntu-latest
environment: images
permissions:
contents: read
id-token: write
strategy:
matrix:
system:
- x86_64-linux
- aarch64-linux
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9
- uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
# NOTE: We download the AMI from Hydra instead of building it ourselves
# because aarch64 is currently not supported by AWS EC2 and the legacy
# image builder requires nested virtualization.
- name: Download AMI from Hydra
id: download_ami
run: |
set -o pipefail
out=$(curl --location --silent --fail-with-body --header 'Accept: application/json' https://hydra.nixos.org/job/nixos/release-23.11/nixos.amazonImage.${{ matrix.system }}/latest-finished | jq --raw-output '.buildoutputs.out.path')
nix-store --realise "$out" --add-root ./result
echo "image_info=$out/nix-support/image-info.json" >> "$GITHUB_OUTPUT"
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
aws-region: ${{ env.AWS_REGION }}
- name: For all regions disable-image-block-public-access
run: nix run .#disable-image-block-public-access
- name: Upload Smoke test AMI
id: upload_smoke_test_ami
run: |
image_info='${{ steps.download_ami.outputs.image_info }}'
images_bucket='${{ vars.IMAGES_BUCKET }}'
image_ids=$(nix run .#upload-ami -- \
--image-info "$image_info" \
--prefix "smoketest/" \
--s3-bucket "$images_bucket")
echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT"
- name: Smoke test
id: smoke_test
# NOTE: make sure smoke test isn't cancelled. Such that instance gets cleaned up.
run: |
image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}'
image_id=$(echo "$image_ids" | jq -r '.["${{ env.AWS_REGION }}"]')
run_id='${{ github.run_id }}'
nix run .#smoke-test -- --image-id "$image_id" --region "${{ env.AWS_REGION }}" --run-id "$run_id"
- name: Clean up smoke test
if: ${{ cancelled() }}
run: |
image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}'
image_id=$(echo "$image_ids" | jq -r '.["${{ env.AWS_REGION }}"]')
run_id='${{ github.run_id }}'
nix run .#smoke-test -- --image-id "$image_id" --region "${{ env.AWS_REGION }}" --run-id "$run_id" --cancel
# NOTE: We do not pass run-id as we're not building the image ourselves
# and we thus need to poll hydra periodically. Including the run-id would
# cause us to register the same snapshot as an image over and over again
# for each run.
- name: Upload AMIs to all available regions
if: github.ref == 'refs/heads/main'
run: |
image_info='${{ steps.download_ami.outputs.image_info }}'
images_bucket='${{ vars.IMAGES_BUCKET }}'
image_ids=$(nix run .#upload-ami -- \
--image-info "$image_info" \
--prefix "nixos/" \
--s3-bucket "$images_bucket" \
--copy-to-regions \
--public)
echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT"
deploy-pages:
name: Deploy images page
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
needs: upload-ami
permissions:
contents: read
id-token: write
pages: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@cd46bde16ab981b0a7b2dce0574509104543276e # v9
- uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 # v3
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.1 with:
with:
# TODO: Separate role?
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami
aws-region: ${{ env.AWS_REGION }}
- name: Describe images
run: nix run .#describe-images > ./site/images.json
- name: Upload pages
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: ./site
- name: Deploy pages
uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
id: deployment
if: github.ref == 'refs/heads/main'