diff --git a/.envrc b/.envrc
new file mode 100644
index 00000000000..0f94eedeb55
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,2 @@
+# shellcheck shell=bash
+use flake
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace4600a1f..d89d38d5525 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,16 @@ version: 2 + updates: - - package-ecosystem: "github-actions" - directory: "/" + - package-ecosystem: github-actions + directory: / schedule: - interval: "weekly" + interval: weekly + cooldown: + default-days: 7 + groups: + actions: + patterns: ["*"] + ignore: + - dependency-name: DeterminateSystems/* + commit-message: + prefix: ci
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9d5cbfc34e2..b5fbbea21ab 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -59,14 +59,19 @@ jobs: strategy: fail-fast: false runs-on: ${{ inputs.runner }} + env: + FLAKE: ${{ inputs.flake }} + SYSTEM: ${{ inputs.system }} timeout-minutes: 120 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L - - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.binaryTarball --out-link tarball - - run: nix build ${{ inputs.flake }}#^debug,out + - run: nix build "${FLAKE}#packages.${SYSTEM}.default" "${FLAKE}#packages.${SYSTEM}.binaryTarball" --no-link -L + - run: nix build "${FLAKE}#packages.${SYSTEM}.binaryTarball" --out-link tarball + - run: nix build .#^debug,out - name: Upload debug info to Sentry run: ./maintainers/upload-debug-info-to-sentry.py --debug-dir ./result-debug ./result/bin/nix if: env.SENTRY_AUTH_TOKEN != ''
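Review bot: The `ignore` entry for `DeterminateSystems/*` carries no explanation, and a reader of this file alone cannot tell whether it is deliberate; elsewhere in this commit those actions are consumed at `@main` and `.github/zizmor.yml` grants them a `ref-pin` policy, so the ignore is consistent with that choice rather than an oversight. A comment above the entry would keep the two files from drifting apart: `# DeterminateSystems/* actions are intentionally tracked at @main (see .github/zizmor.yml); Dependabot has nothing to bump for them.`. Note also that `groups: actions: patterns: ["*"]` folds every action bump into one PR, so a single failing update blocks the others until it is split out — acceptable with the 7-day cooldown, but worth knowing when the grouped PR fails checks.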
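Review bot: The third `run` step changes from `nix build ${{ inputs.flake }}#^debug,out` to `nix build .#^debug,out`, which drops the `flake` input for the debug build while the two steps above it keep it via `${FLAKE}`; the Sentry step that follows reads `./result-debug` and `./result/bin/nix` from this build, so for any caller passing a flake other than `.` the uploaded debug info no longer comes from the flake that was built. If that is intended, a comment on the step should say so; otherwise use `- run: nix build "${FLAKE}#^debug,out"` to match its siblings. The first step also replaces `.#packages.${{ inputs.system }}.binaryTarball` with `"${FLAKE}#packages.${SYSTEM}.binaryTarball"`, which looks like the fix for the same inconsistency and deserves a mention in the commit message. Moving `inputs.flake` and `inputs.system` into job-level `env` and quoting them in the shell is the right shape: the values are no longer substituted into the script text before the shell parses it.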
@@ -74,10 +79,10 @@ jobs: SENTRY_AUTH_TOKEN: ${{ secrets.sentry_auth_token }} SENTRY_ORG: ${{ secrets.sentry_org }} SENTRY_PROJECT: ${{ secrets.sentry_project }} - - uses: actions/upload-artifact@v6 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: inputs.upload_artifacts with: - name: ${{ inputs.system }} + name: ${{ env.SYSTEM }} path: ./tarball/*.xz build_static:
@@ -86,11 +91,16 @@ jobs: fail-fast: false runs-on: ${{ inputs.runner }} timeout-minutes: 120 + env: + FLAKE: ${{ inputs.flake }} + SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.nix-cli-static --no-link -L + - run: nix build "${FLAKE}#packages.${SYSTEM}.nix-cli-static" --no-link -L test: if: ${{ inputs.if && inputs.run_tests}}
@@ -99,34 +109,47 @@ jobs: fail-fast: false runs-on: ${{ inputs.runner }} timeout-minutes: 120 + env: + FLAKE: ${{ inputs.flake }} + SYSTEM: ${{ inputs.system }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - - run: nix flake check --keep-going ${{ inputs.flake }} -L --system ${{ inputs.system }} + - run: nix flake check --keep-going "${FLAKE}" -L --system "${SYSTEM}" vm_tests_smoke: if: inputs.run_vm_tests && github.event_name != 'merge_group' needs: build runs-on: ${{ inputs.runner_for_virt }} + env: + FLAKE: ${{ inputs.flake }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - run: | nix build -L \ - ${{ inputs.flake }}#hydraJobs.tests.functional_user \ - ${{ inputs.flake }}#hydraJobs.tests.githubFlakes \ - ${{ inputs.flake }}#hydraJobs.tests.nix-docker \ - ${{ inputs.flake }}#hydraJobs.tests.tarballFlakes \ + "${FLAKE}#hydraJobs.tests.functional_user" \ + "${FLAKE}#hydraJobs.tests.githubFlakes" \ + "${FLAKE}#hydraJobs.tests.nix-docker" \ + "${FLAKE}#hydraJobs.tests.tarballFlakes" \ ; vm_tests_all: if: inputs.run_vm_tests && github.event_name == 'merge_group' needs: build runs-on: ${{ inputs.runner_for_virt }} + env: + FLAKE: ${{ inputs.flake }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - run: | 
@@ -137,7 +160,7 @@ jobs: .hydraJobs.tests | with_entries(select(.value.type == "derivation")) | keys[] - | "${{ inputs.flake }}#hydraJobs.tests." + .') + | "${FLAKE}#hydraJobs.tests." + .') } if ! cmd; then
@@ -183,27 +206,33 @@ jobs: steps: - name: Checkout nix - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - name: Checkout flake-regressions - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: NixOS/flake-regressions path: flake-regressions + persist-credentials: false - name: Checkout flake-regressions-data - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: NixOS/flake-regressions-data path: flake-regressions/tests + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - name: Run flake regression tests env: #PARALLEL: ${{ !contains(matrix.nix_config, 'eval-cores') && '-P 50%' || '-P 1' }} - PARALLEL: '-P 1' + PARALLEL: "-P 1" FLAKE_REGRESSION_GLOB: ${{ matrix.glob }} NIX_CONFIG: ${{ matrix.nix_config }} PREFETCH: "1" USE_NIX_FLAKE_SHOW: "1" + FLAKE: ${{ inputs.flake }} run: | set -x echo "PARALLEL: $PARALLEL"
@@ -212,7 +241,7 @@ jobs: mkdir -p "${NSC_CACHE_PATH}/nix/xdg-cache" export XDG_CACHE_HOME="${NSC_CACHE_PATH}/nix/xdg-cache" fi - nix build ${{ inputs.flake }} -L --out-link ./new-nix + nix build "${FLAKE}" -L --out-link ./new-nix export PATH=$(pwd)/new-nix/bin:$PATH [[ $(type -p nix) = $(pwd)/new-nix/bin/nix ]]
@@ -231,6 +260,8 @@ jobs: if: github.event_name != 'merge_group' needs: build runs-on: ${{ inputs.runner_small }} + env: + FLAKE: ${{ inputs.flake }} permissions: id-token: "write" contents: "read"
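Review bot: `"${FLAKE}#hydraJobs.tests." + .'` sits inside what the closing `')` suggests is a single-quoted jq program, and inside single quotes the shell does not expand `${FLAKE}`, so jq would emit the literal text `${FLAKE}#hydraJobs.tests.<name>` and the `cmd` call would receive an invalid installable; the old `${{ inputs.flake }}` form only worked because the substitution happened before the shell ran. The opening of the jq invocation is outside the hunk, so this needs confirming against the full `run:` block. The robust form passes the value in as a jq variable: add `--arg flake "$FLAKE"` to the `jq` call and change this line to `| $flake + "#hydraJobs.tests." + .'`. If the `nix flake show` line in the same block still uses `${{ inputs.flake }}`, it should be switched to `"${FLAKE}"` for the same reason the rest of this commit does.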
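Review bot: The `Checkout flake-regressions` and `Checkout flake-regressions-data` steps now set `persist-credentials: false` and pin the action to a commit, but the repositories they fetch (`NixOS/flake-regressions` and `NixOS/flake-regressions-data`) still have no `ref:`, so the job runs whatever is on each repository's default branch at run time — the one unpinned external input left in a commit whose theme is pinning. If tracking the live branch is intended (the data set is presumably meant to keep growing), a comment on the two steps saying so would stop a later reviewer from re-raising it; otherwise add `ref: <commit-sha>` under each `with:` and bump it deliberately. The `run:` block of this job continues past the hunk.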
@@ -239,13 +270,15 @@ jobs: deployments: "write" steps: - name: Checkout nix - uses: actions/checkout@v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-cache-action@main - name: Build manual if: inputs.system == 'x86_64-linux' - run: nix build ${{ inputs.flake }}#hydraJobs.manual - - uses: nwtgck/actions-netlify@v3.0 + run: nix build "${FLAKE}#hydraJobs.manual" + - uses: nwtgck/actions-netlify@d22a32a27c918fe470bbc562e984f80ec48c2668 # v4.0.0 if: inputs.publish_manual && inputs.system == 'x86_64-linux' with: publish-dir: "./result/share/doc/nix/manual"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 668323ed082..6a6522ee716 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,25 +13,25 @@ on: types: - published -permissions: - id-token: "write" - contents: "read" - pull-requests: "write" - statuses: "write" - deployments: "write" - jobs: eval: runs-on: UbuntuLatest32Cores128G + permissions: + id-token: write + contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - run: nix flake show --all-systems --json build_x86_64-linux: uses: ./.github/workflows/build.yml + permissions: + id-token: write + contents: read with: system: x86_64-linux runner: namespace-profile-linuxamd32c64g-cache
@@ -50,6 +50,8 @@ jobs: build_x86_64-linux_no_dsp: uses: ./.github/workflows/build.yml + permissions: + contents: read if: github.event_name == 'merge_group' with: flake: .
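Review bot: `build_x86_64-linux` now passes only `id-token: write` and `contents: read` to the reusable `build.yml`, but the `manual` job in that workflow (context in the `@@ -231` and `@@ -239` hunks above) still declares `id-token: "write"`, `contents: "read"` and `deployments: "write"`, and a called workflow can only narrow the permissions it is handed, not request more — as far as I know GitHub refuses to start the run when a called job asks for a scope the caller did not grant. The same narrow grant is added for `build_aarch64-linux` and `build_aarch64-darwin` in the following hunks, and `build_x86_64-linux_no_dsp` in the `@@ -50` hunk gets `contents: read` alone, with no `id-token` at all should the DeterminateSystems actions need the OIDC token. Either trim the `manual` job's `permissions` in `build.yml` to what these callers grant (moving the Netlify-related scopes to wherever they are genuinely used) or widen the caller grants; in both cases a comment next to each caller grant naming the scopes `build.yml` actually requires would make the split reviewable without running the workflow.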
@@ -64,17 +66,20 @@ jobs: build_aarch64-linux: uses: ./.github/workflows/build.yml + permissions: + id-token: write + contents: read with: if: ${{ - github.event_name != 'pull_request' - || ( - github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' - && ( - (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') - || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) - ) - ) - }} + github.event_name != 'pull_request' + || ( + github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' + && ( + (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') + || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) + ) + ) + }} system: aarch64-linux runner: UbuntuLatest32Cores128GArm runner_for_virt: UbuntuLatest32Cores128GArm
@@ -86,6 +91,9 @@ jobs: build_aarch64-darwin: uses: ./.github/workflows/build.yml + permissions: + id-token: write + contents: read with: system: aarch64-darwin runner: namespace-profile-mac-m2-12c28g
@@ -98,6 +106,12 @@ jobs: success: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + pull-requests: write + statuses: write + deployments: write needs: - eval - build_x86_64-linux
@@ -116,14 +130,17 @@ jobs: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + - uses: DeterminateSystems/determinate-nix-action@main - name: Create artifacts directory run: mkdir -p ./artifacts - name: Fetch artifacts - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: path: downloaded - name: Move downloaded artifacts to artifacts directory
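Review bot: The `success` job is granted `pull-requests: write`, `statuses: write` and `deployments: write`, apparently carried over from the removed workflow-wide block, but none of the steps visible in the `@@ -116` and `@@ -135` hunks (checkout, Nix install, artifact download, building `fallback-paths.nix`) use those scopes. If no step further down the job does either, reduce the block to `contents: read` plus `id-token: write`; if one does, a short comment naming the step that needs each write scope would justify keeping it. Per-job `permissions` only improve on the old workflow-wide block when each job's grant is actually minimal.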
@@ -135,15 +152,15 @@ jobs: - name: Build fallback-paths.nix if: ${{ - github.event_name != 'pull_request' - || ( - github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' - && ( - (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') - || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) - ) - ) - }} + github.event_name != 'pull_request' + || ( + github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src' + && ( + (github.event.action == 'labeled' && github.event.label.name == 'upload to s3') + || (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3')) + ) + ) + }} run: | nix build ./packaging/secure-packages#fallbackPathsNix --out-link fallback cat fallback > ./artifacts/fallback-paths.nix
@@ -168,7 +185,9 @@ jobs: contents: write id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false - uses: DeterminateSystems/determinate-nix-action@main - uses: DeterminateSystems/flakehub-push@main with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000000..685f4ff1039
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,26 @@
+name: zizmor
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+ with:
+ config: .github/zizmor.yml
+ advanced-security: false
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000000..abdc40becdb
--- /dev/null
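Review bot: The `zizmor` job requests `security-events: write` while passing `advanced-security: false` to the action; with SARIF upload disabled that scope appears unused, so either drop it from `permissions` or leave a comment such as `# security-events: write is only needed once advanced-security is enabled` so the next reader knows it is reserved rather than forgotten. `actions: read` likewise deserves a one-line justification if it is needed for the action's online lookups, since the job otherwise only reads the checked-out tree. On `pull_request` from forks the job runs with the read-only default token, which is fine for an audit-only workflow and is a point in favour of keeping the grant minimal.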
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
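Review bot: `DeterminateSystems/*: ref-pin` relaxes the `unpinned-uses` audit so that a branch reference such as `@main` passes for those actions, which means the code they run can change underneath this repository without any commit here reviewing it; that is a deliberate trust decision (the actions come from the same organisation as the `DeterminateSystems/nix-src` repository referenced in `ci.yml`) and the file should say so. Add a comment above the policy, e.g. `# Same-org DeterminateSystems actions are consumed at @main on purpose; every other action must be pinned to a commit SHA.`, and mention the matching `ignore` entry in `.github/dependabot.yml` so the two stay in sync. Without the comment the policy reads like a lint exception rather than a stated trust boundary.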