Skip to content

Make release

Make release #66

Workflow file for this run

name: Make release
on:
workflow_dispatch:
inputs:
holo-nixpkgs-tag:
description: "The holo-nixpkgs tag to build from"
required: true
default: "develop"
type: string
skip-upload-binary:
description: "skip the upload-binary job"
required: true
default: true
type: boolean
skip-update-sources:
description: "skip the update-sources job"
required: true
default: true
type: boolean
env:
NIX_GITHUB_PRIVATE_USERNAME: ${{ secrets.NIX_GITHUB_PRIVATE_USERNAME }}
NIX_GITHUB_PRIVATE_PASSWORD: ${{ secrets.NIX_GITHUB_PRIVATE_PASSWORD }}
jobs:
build:
runs-on: ${{ matrix.build-config.runner }}
outputs:
nixpkgs-revision: ${{ steps.nixpkgs-revision.outputs.nixpkgs-revision }}
rust-overlay-revision: ${{ steps.rust-overlay-revision.outputs.rust-overlay-revision }}
rust-version: ${{ steps.rust-version.outputs.rust-version }}
build-deps: ${{ steps.build-deps.outputs.build-deps }}
strategy:
matrix:
build-config:
- { system: x86_64-linux, runner: "ubuntu-latest", native: true }
- { system: aarch64-linux, runner: "ubuntu-latest", native: false }
- { system: aarch64-darwin, runner: "macos-latest", native: true }
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
with:
github-token: ${{ secrets.STEVEEJ_READ_ONLY_ACCESS }}
extra-conf: |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
substituters = https://cache.nixos.org/
netrc-file = /etc/nix/netrc
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Configure nix with github credentials
run: |
set -xu
sudo mkdir -p /etc/nix/
sudo dd of=/etc/nix/netrc <<EOF
machine github.com
username ${{ secrets.NIX_GITHUB_PRIVATE_USERNAME }}
password ${{ secrets.NIX_GITHUB_PRIVATE_PASSWORD }}
machine api.github.com
username ${{ secrets.NIX_GITHUB_PRIVATE_USERNAME }}
password ${{ secrets.NIX_GITHUB_PRIVATE_PASSWORD }}
EOF
if type systemctl; then
sudo mkdir -p /etc/systemd/system/nix-daemon.service.d/
sudo dd of=/etc/systemd/system/nix-daemon.service.d/github-credentials.conf <<EOF
[Service]
Environment=NIX_GITHUB_PRIVATE_USERNAME=$NIX_GITHUB_PRIVATE_USERNAME
Environment=NIX_GITHUB_PRIVATE_PASSWORD=$NIX_GITHUB_PRIVATE_PASSWORD
EOF
sudo systemctl daemon-reload
sudo systemctl restart nix-daemon.service
elif type launchctl; then
sudo launchctl debug system/org.nixos.nix-daemon --environment NIX_GITHUB_PRIVATE_USERNAME=$NIX_GITHUB_PRIVATE_USERNAME NIX_GITHUB_PRIVATE_PASSWORD=$NIX_GITHUB_PRIVATE_PASSWORD
# debug whether the nix-daemon PID changes before and after as a restart of it is required for the changes to take effect
(
set +eE +o pipefail
set -x
sudo pgrep nix-daemon
sudo launchctl stop system/org.nixos.nix-daemon
sudo pkill -9 nix-daemon
sudo launchctl start system/org.nixos.nix-daemon
sudo pgrep nix-daemon
exit 0
)
else
echo Unsupported system
exit 1
fi
echo all good
- name: "download holo-nixpkgs tag"
run: |
set -eou pipefail
# cat >> ~/.config/nix/nix.conf <<EOF
# access-tokens = github.com=${{ secrets.HOLO_NIXPKGS_READ_KEY }}
# EOF
# cat ~/.config/nix/nix.conf
nix flake update holo-nixpkgs --override-input holo-nixpkgs github:holo-host/holo-nixpkgs/${{ inputs.holo-nixpkgs-tag }}
- name: "build holo-dev-server"
if: ${{ matrix.build-config.native }}
run: |
nix build -vL \
--out-link holo-dev-server \
'.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin'
- name: "build holo-dev-server"
if: ${{ ! matrix.build-config.native }}
run: |
sudo apt-get update
sudo apt-get install binfmt-support qemu-user-static
nix build -vL \
--option extra-platforms aarch64-linux \
--option extra-sandbox-paths "/usr/libexec/qemu-binfmt /usr/bin/qemu-aarch64-static /usr/bin/qemu-aarch64-static /usr/bin/qemu-arm-static" \
--out-link holo-dev-server \
'.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin'
- name: get nixpkgs revision
id: nixpkgs-revision
run: |
echo "nixpkgs-revision=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.nixpkgs-revision')" >> ${GITHUB_OUTPUT}
- name: get rust-overlay revision
id: rust-overlay-revision
run: |
echo "rust-overlay-revision=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.rust-overlay-revision')" >> ${GITHUB_OUTPUT}
- name: get rust version
id: rust-version
run: |
echo "rust-version=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.rust-version')" >> ${GITHUB_OUTPUT}
- name: get build deps
id: build-deps
run: |
echo "build-deps=$(nix eval --raw '.#legacyPackages.${{ matrix.build-config.system }}.holo-dev-server-bin.propagatedBuildInputs')" >> ${GITHUB_OUTPUT}
- name: upload artifact
if: ${{ inputs.skip-upload-binary == false }}
uses: actions/upload-artifact@v4
with:
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-${{ matrix.build-config.system }}
path: |
holo-dev-server
if-no-files-found: error
- name: Setup upterm session
if: ${{ always() }}
uses: owenthereal/action-upterm@v1
with:
limit-access-to-actor: true # Restrict to the user who triggered the workflow
limit-access-to-users: steveej # Specific authorized users only
## If no one connects after 5 minutes, shut down server.
wait-timeout-minutes: 5
upload-binary:
if: ${{ inputs.skip-upload-binary == false }}
runs-on: ubuntu-latest
permissions:
contents: write
needs: build
outputs:
release_name: ${{ steps.make_release.outputs.release }}
tag_name: ${{ steps.date.outputs.date }}
steps:
- name: download x86_64-linux artifact
uses: actions/download-artifact@v4
with:
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-x86_64-linux
path: holo-dev-server
- name: "Create the x86_64-linux tarball"
run: |
chmod +x holo-dev-server/bin/holo-dev-server
tar -czf holo-dev-server-x86_64-linux.tar.gz holo-dev-server
rm -rf holo-dev-server
- name: download aarch64-linux artifact
uses: actions/download-artifact@v4
with:
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-aarch64-linux
path: holo-dev-server
- name: "Create the aarch64-linux tarball"
run: |
chmod +x holo-dev-server/bin/holo-dev-server
tar -czf holo-dev-server-aarch64-linux.tar.gz holo-dev-server
rm -rf holo-dev-server
- name: download aarch64-darwin artifact
uses: actions/download-artifact@v4
with:
name: holo-dev-server-${{ inputs.holo-nixpkgs-tag }}-aarch64-darwin
path: holo-dev-server
- name: "Create the aarch64-darwin tarball"
run: |
chmod +x holo-dev-server/bin/holo-dev-server
tar -czf holo-dev-server-aarch64-darwin.tar.gz holo-dev-server
rm -rf holo-dev-server
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d-%H%M%S')" >> ${GITHUB_OUTPUT}
- name: Create draft release
id: make_release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |-
release=$(
gh release create --draft ${{ steps.date.outputs.date }} \
--repo ${{ github.repository }} \
--title "Version ${{ steps.date.outputs.date }}" \
"holo-dev-server-x86_64-linux.tar.gz" \
"holo-dev-server-aarch64-linux.tar.gz" \
"holo-dev-server-aarch64-darwin.tar.gz"
)
echo "release=${release}" >> ${GITHUB_OUTPUT}
update-sources:
if: ${{ inputs.skip-update-sources == false }}
runs-on: ubuntu-latest
permissions:
contents: write
needs:
- build
- upload-binary
steps:
- uses: actions/checkout@v4
- name: "install nix"
uses: "cachix/install-nix-action@v22"
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
extra_nix_config: |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE= cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=
substituters = https://cache.holo.host https://cache.nixos.org/
- name: prefetch nixpkgs
id: prefetch-nixpkgs
run: |
tar -xzf <(curl --location https://github.com/nixos/nixpkgs/archive/${{ needs.build.outputs.nixpkgs-revision }}.tar.gz)
echo "hash=$(nix hash path --base32 nixpkgs-${{ needs.build.outputs.nixpkgs-revision }}/)" >> ${GITHUB_OUTPUT}
- name: prefetch rust-overlay
id: prefetch-rust-overlay
run: |
tar -xzf <(curl --location https://github.com/oxalica/rust-overlay/archive/${{ needs.build.outputs.rust-overlay-revision }}.tar.gz)
echo "hash=$(nix hash path --base32 rust-overlay-${{ needs.build.outputs.rust-overlay-revision }}/)" >> ${GITHUB_OUTPUT}
- name: prefetch release binaries
id: prefetch-binaries
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download ${{ needs.upload-binary.outputs.tag_name }}
tar -xzf holo-dev-server-x86_64-linux.tar.gz
echo "hash_x86_64_linux=$(nix hash path --base32 holo-dev-server/)" >> ${GITHUB_OUTPUT}
rm -rf holo-dev-server
tar -xzf holo-dev-server-aarch64-linux.tar.gz
echo "hash_aarch64_linux=$(nix hash path --base32 holo-dev-server/)" >> ${GITHUB_OUTPUT}
rm -rf holo-dev-server
tar -xzf holo-dev-server-aarch64-darwin.tar.gz
echo "hash_aarch64_darwin=$(nix hash path --base32 holo-dev-server/)" >> ${GITHUB_OUTPUT}
rm -rf holo-dev-server
- name: overwrite sources.nix
run: |
cat > sources.nix << EOF
# this file is autogenerated by .github/workflows/build-hds.yml
{
nixpkgs = builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${{ needs.build.outputs.nixpkgs-revision }}.tar.gz";
sha256 = "${{ steps.prefetch-nixpkgs.outputs.hash }}";
};
rust-overlay = builtins.fetchTarball {
url = "https://github.com/oxalica/rust-overlay/archive/${{ needs.build.outputs.rust-overlay-revision }}.tar.gz";
sha256 = "${{ steps.prefetch-rust-overlay.outputs.hash }}";
};
rust-version = "${{ needs.build.outputs.rust-version }}";
x86_64-linux.holo-dev-server-bin = builtins.fetchTarball {
url = "https://github.com/${{ github.repository }}/releases/download/${{ needs.upload-binary.outputs.tag_name }}/holo-dev-server-x86_64-linux.tar.gz";
sha256 = "${{ steps.prefetch-binaries.outputs.hash_x86_64_linux }}";
};
aarch64-linux.holo-dev-server-bin = builtins.fetchTarball {
url = "https://github.com/${{ github.repository }}/releases/download/${{ needs.upload-binary.outputs.tag_name }}/holo-dev-server-aarch64-linux.tar.gz";
sha256 = "${{ steps.prefetch-binaries.outputs.hash_aarch64_linux }}";
};
aarch64-darwin.holo-dev-server-bin = builtins.fetchTarball {
url = "https://github.com/${{ github.repository }}/releases/download/${{ needs.upload-binary.outputs.tag_name }}/holo-dev-server-aarch64-darwin.tar.gz";
sha256 = "${{ steps.prefetch-binaries.outputs.hash_aarch64_darwin }}";
};
}
EOF
- name: overwrite holo-dev-server.deps.json
run: |
cat > holo-dev-server.deps.json << EOF
${{ needs.build.outputs.build-deps }}
EOF
- name: commit and push sources.nix
run: |
if [[ "$(git status --porcelain)" != "" ]]; then
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
git add sources.nix holo-dev-server.deps.json
git commit -m "update to release ${{ needs.upload-binary.outputs.tag_name }}"
git push origin HEAD:refs/heads/main
fi
- name: update and undraft release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |-
gh release edit --draft=false ${{ needs.upload-binary.outputs.tag_name }}
# Unfortunately we cannot do this earlier, since the release artifacts are
# only public after the release was undrafted.
# TODO: can we make a prerelease first, then test, then make the real release?
- name: test if flake works
run: |
nix flake show --all-systems
nix flake check -L