Ledger release 10.0 #2954

Workflow file for this run

	name: CI

	on:
	# Following https://github.com/orgs/community/discussions/26276
	# to get builds on PRs and pushes to master but not double
	# builds on PRs.
	push:
	branches:
	- main
	pull_request:
	workflow_dispatch:

	env:
	NIX_CONFIG: accept-flake-config = true

	jobs:
	shellcheck:
	runs-on: nixos
	steps:
	- uses: actions/checkout@v4
	- name: Run shellcheck on scripts/*.sh
	run: nix-shell -I nixpkgs=https://github.com/nixos/nixpkgs/archive/release-23.05.tar.gz -p shellcheck --run 'shellcheck scripts/*.sh'

	check:
	runs-on: nixos

	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0 # the check script below needs the whole history

	- name: Run checks
	run: nix develop -c ./scripts/check.sh

	build-repo:
	runs-on: nixos

	steps:
	- name: Checkout main
	uses: actions/checkout@v4
	with:
	ref: main

	# See https://github.com/actions/cache/pull/1231
	# Astonishingly, this simple bump is not merged and released yet
	- uses: kbdharun/cache@8070854e57d983bdd2887b0a708ad985f77398ab
	with:
	path: _cache
	key: 1 # bump to refresh

	- name: Unpack keys
	env:
	KEYS: ${{ secrets.KEYS }}
	run: \|
	if [[ -z "$KEYS" ]]; then
	echo "Could not access repository secret keys (PR is coming from a fork?)"
	echo "Generating fresh keys for this run"
	nix develop -c foliage create-keys
	else
	mkdir _keys
	echo "$KEYS" \| base64 -d \| tar xvz -C _keys
	fi

	- name: Build repository (main)
	run: \|
	nix develop -c foliage build -j 0 --write-metadata
	mv _repo _repo-main
	cp _repo-main/foliage/packages.json packages-old.json

	- name: Checkout tip commit
	uses: actions/checkout@v4
	with:
	clean: false

	- name: Build repository (tip)
	run: \|
	nix develop -c foliage build -j 0 --write-metadata
	cp _repo/foliage/packages.json packages-new.json

	- name: Copy static web assets
	run: \|
	cp static/index.html _repo
	cp README.md _repo

	# See https://github.com/actions/upload-artifact/issues/36
	- name: Pack repository in a tar archive
	run: tar cf _repo.tar -C _repo .

	# Do this before the check, useful to have the artifact in case the
	# check fails!
	- name: Upload built repository
	uses: actions/upload-artifact@v4
	with:
	name: built-repo
	path: _repo.tar

	- name: Upload package metadata
	uses: actions/upload-artifact@v4
	with:
	name: package-metadata
	path: \|
	packages-old.json
	packages-new.json

	# Note: we use the check script from the tip so we pick up changes
	# to the script from the PR itself.
	- name: Check new index is an extension of the old index
	run: \|
	echo "If this check failed because 'some entries only exist in the old index'"
	echo "then you may need to update your branch.\n"
	echo "If it failed because 'the last old entry is newer than the first new entry'"
	echo "then you may need to update the timestamps in your new packages to be newer than those in main."
	./scripts/check-archive-extension.sh _repo-main/01-index.tar _repo/01-index.tar

	build-packages:
	runs-on: nixos
	needs:
	- build-repo

	steps:
	- uses: actions/checkout@v4

	- name: Download built repository
	uses: actions/download-artifact@v4
	with:
	name: built-repo

	- name: Unpack built repository
	run: \|
	mkdir _repo
	tar xf _repo.tar -C _repo

	- name: Build smoke test packages
	# The > is the "YAML folded string" marker, which replaces
	# newlines with spaces, since the usual bash idiom of \
	# doesn't work for some reason
	run: >
	nix build .#allSmokeTestPackages
	-L
	--override-input CHaP path:_repo
	--show-trace

	build-new-packages:
	runs-on: nixos

	needs:
	- build-repo

	steps:
	- uses: actions/checkout@v4

	- name: Download built repository
	uses: actions/download-artifact@v4
	with:
	name: built-repo

	- name: Unpack built repository
	run: \|
	mkdir _repo
	tar xf _repo.tar -C _repo

	- name: Download package metadata
	uses: actions/download-artifact@v4
	with:
	name: package-metadata
	path: .

	# This is a bit of a hack: to build the newly added packages, we:
	# 1. compute the packages.json that just contains the new pacakge-versions
	# 2. overwrite the built repository's packages.json with the computed one
	# 3. build "all the packages" which now means "the new packages"
	#
	# This avoids us having to do other complicated tricks to make the flake
	# take the set of packages to build as an argument.
	- name: Adjust repository metadata
	run: \|
	scripts/compare-package-metadata.sh packages-old.json packages-new.json > packages-diff.json
	echo "Newly added packages:"
	cat packages-diff.json
	mv -f packages-diff.json _repo/foliage/packages.json

	- name: Build all newly added packages
	run: >
	nix build .#allPackages
	-L
	--override-input CHaP path:_repo
	--show-trace

	deploy-check:
	runs-on: nixos

	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	needs:
	- build-repo

	steps:
	- uses: actions/checkout@v4
	with:
	path: src

	- uses: actions/checkout@v4
	with:
	path: repo
	ref: repo

	- name: Download built repository
	uses: actions/download-artifact@v4
	with:
	name: built-repo

	- name: Unpack built repository
	run: \|
	mkdir built-repo
	tar xf _repo.tar -C built-repo

	# This is meaningfully different to the check in 'build': that checks the repository
	# built from main and from the PR tip, but that's not _actually_ the repository
	# deployed in the repo branch. It should be the same, but it can't hurt to check
	# against the thing that's actually deployed before we deploy.
	- name: Check new index is an extension of the old index
	run: \|
	./src/scripts/check-archive-extension.sh repo/01-index.tar built-repo/01-index.tar

	deploy:
	# This job is fine to run on GitHub provided (free) runners.
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	needs:
	- check
	- build-repo
	- deploy-check

	concurrency:
	group: "pages"
	cancel-in-progress: true

	# Grant GITHUB_TOKEN the permissions required to make a Pages deployment
	permissions:
	contents: write
	id-token: write
	pages: write

	# Deploy to the github-pages environment
	environment:
	name: github-pages
	url: ${{ steps.deployment.outputs.page_url }}

	steps:
	- uses: actions/checkout@v4

	- name: Download built repository
	uses: actions/download-artifact@v4
	with:
	name: built-repo

	- name: Unpack built repository
	run: \|
	mkdir _repo
	tar xf _repo.tar -C _repo

	- name: Commit as branch
	run: \|
	set -xe

	# see https://github.com/orgs/community/discussions/26560 and https://github.com/actions/checkout/issues/13
	git config user.name "github-actions[bot]"
	git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

	# Need --force because _repo is gitignore'd
	git add --force _repo
	treeId=$(git write-tree --prefix=_repo)

	# the checkout action doesn't checkout all branches so we fetch
	# the repo branch, if the remote doesn't have it, it's ok we do
	# without
	if git fetch --quiet origin repo; then
	# add commit to branch
	commitId=$(git commit-tree -p origin/repo -m "Update from ${{ github.sha }}" "$treeId")
	else
	# add commit with no parents
	commitId=$(git commit-tree -m "Update from ${{ github.sha }}" "$treeId")
	fi
	git update-ref "refs/heads/repo" "$commitId"
	git push origin repo

	- name: Setup Pages
	uses: actions/configure-pages@v5

	- name: Upload pages artifact
	uses: actions/upload-pages-artifact@v3
	with:
	path: _repo

	- name: Deploy to GitHub Pages
	id: deployment
	uses: actions/deploy-pages@v4

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ledger release 10.0 #2954

Workflow file

Ledger release 10.0 #2954

Jobs

Run details

Workflow file for this run