Skip to content
Evaluate NixOS Configuration

fix #52

Sign in to view logs

fix

fix #52

Workflow file for this run

.github/workflows/build.yml at 7e42138
name: "Evaluate NixOS Configuration"
on:
push:
branches: [ main, master ]
pull_request:
branches: [ main, master ]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v25
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- name: Setup Cachix
uses: cachix/cachix-action@v14
with:
name: hyprland
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
skipPush: true
- name: Prepare /usr/share/wallpaper and update flake.lock hash/timestamp
run: |
sudo mkdir -p /usr/share/wallpaper
echo "dummy" | sudo tee /usr/share/wallpaper/dummy.jpg
HASH=$(nix hash path /usr/share/wallpaper)
NOW=$(stat -c %Y /usr/share/wallpaper)
echo "Updating wallpapers block: lastModified=$NOW, narHash=$HASH"
# Extract wallpapers block
sed -n '/"wallpapers": {/,/^ },$/p' flake.lock > wallpapers_block.tmp
# Update hash and timestamp
sed -i '0,/"lastModified": [0-9]\+,/{s|"lastModified": [0-9]\+,|"lastModified": '"$NOW"',|}' wallpapers_block.tmp
sed -i 's|"narHash": "[^"]*"|"narHash": "'"$HASH"'"|' wallpapers_block.tmp
# Replace the block in flake.lock
START=$(grep -n '"wallpapers": {' flake.lock | cut -d: -f1)
END=$(awk -v start="$START" 'NR > start && /^ },/ {print NR; exit}' flake.lock)
head -n $((START-1)) flake.lock > flake.lock.new
cat wallpapers_block.tmp >> flake.lock.new
tail -n +$((END+1)) flake.lock >> flake.lock.new
mv flake.lock.new flake.lock
rm wallpapers_block.tmp
- name: Check flake
run: nix flake check --verbose
evaluate:
runs-on: ubuntu-latest
needs: check
strategy:
matrix:
host: [centaur]
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v25
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
extra_nix_config: |
experimental-features = nix-command flakes
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- name: Setup Cachix
uses: cachix/cachix-action@v14
with:
name: hyprland
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
skipPush: true
- name: Prepare /usr/share/wallpaper and update flake.lock hash/timestamp
run: |
sudo mkdir -p /usr/share/wallpaper
echo "dummy" | sudo tee /usr/share/wallpaper/dummy.jpg
HASH=$(nix hash path /usr/share/wallpaper)
NOW=$(stat -c %Y /usr/share/wallpaper)
echo "Updating wallpapers block: lastModified=$NOW, narHash=$HASH"
# Extract wallpapers block
sed -n '/"wallpapers": {/,/^ },$/p' flake.lock > wallpapers_block.tmp
# Update hash and timestamp
sed -i '0,/"lastModified": [0-9]\+,/{s|"lastModified": [0-9]\+,|"lastModified": '"$NOW"',|}' wallpapers_block.tmp
sed -i 's|"narHash": "[^"]*"|"narHash": "'"$HASH"'"|' wallpapers_block.tmp
# Replace the block in flake.lock
START=$(grep -n '"wallpapers": {' flake.lock | cut -d: -f1)
END=$(awk -v start="$START" 'NR > start && /^ },/ {print NR; exit}' flake.lock)
head -n $((START-1)) flake.lock > flake.lock.new
cat wallpapers_block.tmp >> flake.lock.new
tail -n +$((END+1)) flake.lock >> flake.lock.new
mv flake.lock.new flake.lock
rm wallpapers_block.tmp
- name: Evaluate NixOS configuration for ${{ matrix.host }}
run: |
echo "� Evaluating NixOS configuration..."
# Evaluate the full system configuration to ensure it's valid
echo "📋 Evaluating system configuration..."
nix eval .#nixosConfigurations.${{ matrix.host }}.config.system.build.toplevel.drvPath \
--verbose \
--show-trace
echo "🔍 Checking kernel configuration..."
nix eval .#nixosConfigurations.${{ matrix.host }}.config.boot.kernelPackages.kernel.version \
--raw
echo ""
echo "📦 Checking system packages..."
nix eval .#nixosConfigurations.${{ matrix.host }}.config.environment.systemPackages \
--apply "pkgs: builtins.toString (builtins.length pkgs)" \
--raw
echo " packages configured"
echo "✅ Configuration evaluation completed successfully!"
- name: Evaluate Home Manager configuration for ${{ matrix.host }}
run: |
echo "🏠 Evaluating Home Manager configuration..."
# Try to evaluate Home Manager if it exists
if nix eval .#nixosConfigurations.${{ matrix.host }}.config.home-manager.users --apply "users: builtins.attrNames users" 2>/dev/null; then
echo "✅ Home Manager configuration found and valid"
else
echo "ℹ️ No Home Manager configuration found or not configured"
fi
continue-on-error: true
format-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v25
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
extra_nix_config: |
experimental-features = nix-command flakes
- name: Check Nix formatting with alejandra
run: |
nix fmt -- --check .
security-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v25
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
extra_nix_config: |
experimental-features = nix-command flakes
- name: Check for known vulnerabilities
run: |
echo "Checking for common security issues..."
# Check for hardcoded secrets or passwords
echo "Scanning for potential secrets..."
if grep -r -i "password\|secret\|key" --include="*.nix" . | grep -v "# " | grep -v "//" | head -10; then
echo "⚠️ Found potential secrets - please review above lines"
else
echo "✅ No obvious secrets found"
fi
# Check for insecure package versions (if any)
echo "Checking for security-related configurations..."
if grep -r "allowUnfree\|allowBroken\|allowInsecure" --include="*.nix" .; then
echo "⚠️ Found security-relaxing options - please review"
else
echo "✅ No security-relaxing options found"
fi
echo "Basic security check completed!"
continue-on-error: true