Bump github/codeql-action from 3.26.11 to 3.28.4 #380
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Upload Legacy Amazon Image | |
permissions: | |
contents: read | |
on: | |
pull_request: | |
workflow_dispatch: | |
schedule: | |
- cron: "0 0 * * 0" | |
jobs: | |
upload-ami: | |
name: Upload Legacy Amazon Image | |
runs-on: ubuntu-latest | |
environment: images | |
permissions: | |
contents: read | |
id-token: write | |
strategy: | |
matrix: | |
release: | |
- release-24.05 | |
- release-24.11 | |
# - nixos-unstable | |
system: | |
- x86_64-linux | |
- aarch64-linux | |
steps: | |
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 | |
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 | |
# NOTE: We download the AMI from Hydra instead of building it ourselves | |
# because aarch64 is currently not supported by AWS EC2 and the legacy | |
# image builder requires nested virtualization. | |
- name: Download AMI from Hydra | |
id: download_ami | |
run: | | |
set -o pipefail | |
build_id=$(curl -sSfL -H 'Accept: application/json' https://hydra.nixos.org/job/nixos/${{ matrix.release }}/tested/latest-finished | jq -r '.id') | |
out=$(curl -sSfL -H 'Accept: application/json' "https://hydra.nixos.org/build/${build_id}/constituents" | jq -r '.[] | select(.job == "nixos.amazonImage.${{ matrix.system }}") | .buildoutputs.out.path') | |
nix-store --realise "$out" --add-root ./result | |
echo "image_info=$out/nix-support/image-info.json" >> "$GITHUB_OUTPUT" | |
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami | |
aws-region: ${{ vars.AWS_REGION }} | |
- name: Upload Smoke test AMI | |
id: upload_smoke_test_ami | |
run: | | |
image_info='${{ steps.download_ami.outputs.image_info }}' | |
images_bucket='${{ vars.IMAGES_BUCKET }}' | |
image_ids=$(nix run .#upload-ami -- \ | |
--image-info "$image_info" \ | |
--prefix "smoketest/" \ | |
--s3-bucket "$images_bucket") | |
echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" | |
- name: Smoke test | |
id: smoke_test | |
# NOTE: make sure smoke test isn't cancelled. Such that instance gets cleaned up. | |
run: | | |
image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}' | |
image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]') | |
nix run .#smoke-test -- --image-id "$image_id" | |
- name: Clean up smoke test | |
if: ${{ cancelled() }} | |
run: | | |
image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}' | |
image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]') | |
nix run .#smoke-test -- --image-id "$image_id" --cancel | |
# NOTE: We do not pass run-id as we're not building the image ourselves | |
# and we thus need to poll hydra periodically. Including the run-id would | |
# cause us to register the same snapshot as an image over and over again | |
# for each run. | |
- name: Upload AMIs to all available regions | |
if: github.ref == 'refs/heads/main' | |
run: | | |
image_info='${{ steps.download_ami.outputs.image_info }}' | |
images_bucket='${{ vars.IMAGES_BUCKET }}' | |
nix run .#upload-ami -- \ | |
--image-info "$image_info" \ | |
--prefix "nixos/" \ | |
--s3-bucket "$images_bucket" \ | |
--copy-to-regions \ | |
--public | |
delete-deprecated-images: | |
name: Delete deprecated images | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
needs: upload-ami | |
environment: images | |
steps: | |
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 | |
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 | |
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.1 | |
with: | |
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages | |
aws-region: ${{ vars.AWS_REGION }} | |
- name: Delete deprecated AMIs | |
if: github.ref == 'refs/heads/main' | |
run: | | |
nix run .#delete-deprecated-images | |
deploy-pages: | |
name: Deploy images page | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
needs: [ upload-ami, delete-deprecated-images ] | |
permissions: | |
contents: read | |
id-token: write | |
pages: write | |
environment: | |
name: github-pages | |
url: ${{ steps.deployment.outputs.page_url }} | |
steps: | |
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 | |
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 | |
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.1 | |
with: | |
role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages | |
aws-region: ${{ vars.AWS_REGION }} | |
- name: Describe images | |
run: nix run .#describe-images > ./site/images.json | |
- name: Upload pages | |
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 | |
with: | |
path: ./site | |
- name: Deploy pages | |
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 | |
id: deployment | |
if: github.ref == 'refs/heads/main' |