tools: cache V8 builds #315
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action uses the following secrets: | |
| # CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org – without it, the cache is read-only. | |
| name: Test Shared libraries | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| - canary | |
| - v[0-9]+.x-staging | |
| - v[0-9]+.x | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| FLAKY_TESTS: keep_retrying | |
| # Latest OpenSSL major.minor cycle we support running tests with. | |
| # The nixpkgs updater regenerates the OpenSSL matrix using this value. | |
| SUPPORTED_OPENSSL_VERSION: '4.0' | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-tarball: | |
| if: github.event.pull_request.draft == false | |
| name: ${{ github.event_name == 'workflow_dispatch' && 'Skipped job' || 'Build slim tarball' }} | |
| runs-on: ubuntu-slim | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| persist-credentials: false | |
| - name: Make tarball | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| run: | | |
| export DATESTRING=$(date "+%Y-%m-%d") | |
| export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA") | |
| ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1 | |
| env: | |
| DISTTYPE: nightly | |
| - name: Upload tarball artifact | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: tarballs | |
| path: '*.tar.gz' | |
| compression-level: 0 | |
| build-v8: | |
| needs: build-tarball | |
| runs-on: ubuntu-24.04-arm | |
| name: 'aarch64-linux: Cache V8 build' | |
| steps: | |
| - name: Check if Cachix is available | |
| id: cachix-check | |
| run: echo 'IS_AVAILABLE=${{ secrets.CACHIX_AUTH_TOKEN && 'true' }}' >> "$GITHUB_OUTPUT" | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }} | |
| with: | |
| name: tarballs | |
| path: tarballs | |
| - name: Extract tarball | |
| if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }} | |
| shell: bash | |
| run: | | |
| tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP" | |
| echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV" | |
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | |
| if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }} | |
| with: | |
| extra_nix_config: sandbox = true | |
| - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 | |
| if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }} | |
| with: | |
| name: nodejs | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| - name: Build V8 | |
| if: ${{ steps.cachix-check.outputs.IS_AVAILABLE == 'true' }} | |
| shell: bash | |
| run: | | |
| nix-shell \ | |
| -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \ | |
| --pure \ | |
| --arg useSeparateDerivationForV8 true \ | |
| --arg ccache "${NIX_SCCACHE:-null}" \ | |
| --arg devTools '[]' \ | |
| --arg benchmarkTools '[]' \ | |
| --run ';' | |
| build: | |
| needs: build-v8 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| system: x86_64-linux | |
| - runner: ubuntu-24.04-arm | |
| system: aarch64-linux | |
| - runner: macos-15-intel | |
| system: x86_64-darwin | |
| - runner: macos-latest | |
| system: aarch64-darwin | |
| name: '${{ matrix.system }}: with shared libraries' | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| - uses: ./.github/actions/build-shared | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| with: | |
| system: ${{ matrix.system }} | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json. | |
| # Output shape: | |
| # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...] | |
| collect-openssl-versions: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-slim | |
| outputs: | |
| matrix: ${{ steps.query.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: tools/nix/openssl-matrix.json | |
| sparse-checkout-cone-mode: false | |
| - id: query | |
| run: | | |
| { | |
| echo 'matrix<<EOF' | |
| cat tools/nix/openssl-matrix.json | |
| echo 'EOF' | |
| } >> "$GITHUB_OUTPUT" | |
| # Builds and tests Node.js with shared libraries against every supported | |
| # OpenSSL release version available in the repo-pinned nixpkgs. The default | |
| # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix | |
| # entry, while all other shared libs remain at their defaults. Only runs on | |
| # a single runner/system (aarch64-linux) to keep the matrix to a minimum. | |
| build-openssl: | |
| needs: | |
| - build-v8 | |
| - collect-openssl-versions | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }} | |
| name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})' | |
| runs-on: ubuntu-24.04-arm | |
| continue-on-error: ${{ matrix.openssl['continue-on-error'] }} | |
| env: | |
| OPENSSL_ATTR: ${{ matrix.openssl.attr }} | |
| OPENSSL_VERSION: ${{ matrix.openssl.version }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| - uses: ./.github/actions/build-shared | |
| with: | |
| system: aarch64-linux | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| # Override just the `openssl` attr of the default shared-lib set with | |
| # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All | |
| # other shared libs (brotli, cares, libuv, …) keep their defaults. | |
| # `permittedInsecurePackages` whitelists just the matrix-selected | |
| # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support | |
| # cycles evaluate without relaxing nixpkgs' meta check globally. | |
| extra-nix-args: --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR; }" |