name: CI

on:
  push:
    branches: [main, dev]
  pull_request:

# CI replays the project's deterministic dev environment via the
# shared `metacraft-github-actions` composite actions. Per the
# `ci-shared-dev-env` policy, this workflow:
#
#   - does NOT install tools (nim, gcc, capnp, etc.) directly; the
#     flake's devShell declares them.
#   - does NOT inline `nix develop --command …` invocations; it
#     uses `dev-exec` from the shared `setup-dev-env` action.
#   - clones sibling repos via `clone-repo` and threads them through
#     `flake-override-inputs` so the dev shell consumes the local
#     checkouts instead of pinned github tarballs.
#
# Policy doc:
#   github.com/metacraft-labs/metacraft-dev-guidelines/blob/latest/policies/ci-shared-dev-env.md

jobs:
  lint:
    name: Lint
    runs-on: [self-hosted, nixos]
    steps:
      - uses: actions/checkout@v4
      # Mint a GitHub App installation token via the CI Token Provider
      # app. GitHub free plan restricts org-level secrets with
      # visibility ALL from being readable inside private repos, so we
      # mint per-run tokens from the repo-local CI_TOKEN_PROVIDER_APP_ID
      # + CI_TOKEN_PROVIDER_PRIVATE_KEY secrets.
      - name: Mint installation token for cross-repo sibling access
        id: ci_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CI_TOKEN_PROVIDER_APP_ID }}
          private-key: ${{ secrets.CI_TOKEN_PROVIDER_PRIVATE_KEY }}
          owner: metacraft-labs
      - uses: metacraft-labs/metacraft-github-actions/setup-dev-env@main
        with:
          env-flavor: nix
          gh-token: ${{ steps.ci_token.outputs.token }}
      - name: just lint
        run: dev-exec just lint
      - name: Upload logs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: lint-logs
          path: test-logs/
          retention-days: 30

  test:
    name: Test
    # Self-hosted bare-metal Linux runner. Standard ubuntu-latest is
    # too small (4 vCPU / 16 GB) — the parallel nim c phase trips OOM
    # and the test runner hits an fd race at higher concurrency. The
    # metacraft-labs bare-metal pool has nixos hosts with plenty of
    # cores + RAM; lift the parallelism caps below for them.
    runs-on: [self-hosted, Linux, X64, bare-metal, nixos]
    env:
      REPROBUILD_MAX_PARALLELISM: "16"
      REPROBUILD_TEST_THREADS: "4"
    steps:
      - uses: actions/checkout@v4
      # Mint a GitHub App installation token via the CI Token Provider
      # app for the sibling-repo clones + setup-dev-env below. See the
      # comment in the `lint` job for the rationale.
      - name: Mint installation token for cross-repo sibling access
        id: ci_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CI_TOKEN_PROVIDER_APP_ID }}
          private-key: ${{ secrets.CI_TOKEN_PROVIDER_PRIVATE_KEY }}
          owner: metacraft-labs
      # Sibling clones: scripts/run_tests.sh builds ../runquota and
      # ct_test_nim_unittest resolves the ct-test source via the
      # `CT_TEST_SRC` env var. Both come from local clones so changes
      # in either sibling are picked up immediately without waiting
      # for a flake.lock bump.
      - name: Clone ct-test sibling
        uses: metacraft-labs/metacraft-github-actions/clone-repo@main
        with:
          repo: metacraft-labs/ct-test
          ref: main
          path: ${{ github.workspace }}/../ct-test
          gh-token: ${{ steps.ci_token.outputs.token }}
      - name: Clone runquota sibling
        uses: metacraft-labs/metacraft-github-actions/clone-repo@main
        with:
          repo: metacraft-labs/runquota
          ref: main
          path: ${{ github.workspace }}/../runquota
          gh-token: ${{ steps.ci_token.outputs.token }}
      # reprobuild-examples carries the canonical M71 reference home.nim
      # under m71-home-profile-walkthrough/ + a number of hello-binary
      # fixtures (haskell-cabal, crystal-shards, nim/mode3-pilot, …) that
      # several library / e2e tests assert against by walking up to the
      # metacraft root and then into ../reprobuild-examples. Without this
      # clone, the M71 reference-home check fails at runtime because the
      # path baked in via currentSourcePath() at compile time points at
      # a non-existent file on the CI runner.
      - name: Clone reprobuild-examples sibling
        uses: metacraft-labs/metacraft-github-actions/clone-repo@main
        with:
          repo: metacraft-labs/reprobuild-examples
          ref: main
          path: ${{ github.workspace }}/../reprobuild-examples
          gh-token: ${{ steps.ci_token.outputs.token }}
      # vm-harness ships the ``vm_harness`` library that the ReproOS
      # R2 / R9 boot integration tests import unconditionally at the
      # top of the file. ``addPackagePath("VM_HARNESS_SRC", …)`` in
      # ``config.nims`` falls back to ``../vm-harness/src`` when the
      # env var isn't set, so a sibling clone is all the test runner
      # needs. Without this clone, ``tests/integration/t_r2_iso_boot.
      # nim`` and ``tests/integration/t_r9_systemd_boot.nim`` fail at
      # the ``import vm_harness`` line and ``repro build
      # .#test-builds`` surfaces ``Error: cannot open file: vm_harness``
      # long before the ``when not defined(windows): quit(0)`` skip
      # block can run. The tests still skip at runtime on Linux /
      # macOS because the Hyper-V backend they exercise is Windows-
      # only.
      - name: Clone vm-harness sibling
        uses: metacraft-labs/metacraft-github-actions/clone-repo@main
        with:
          repo: metacraft-labs/vm-harness
          ref: main
          path: ${{ github.workspace }}/../vm-harness
          gh-token: ${{ steps.ci_token.outputs.token }}
      - uses: metacraft-labs/metacraft-github-actions/setup-dev-env@main
        with:
          env-flavor: nix
          gh-token: ${{ steps.ci_token.outputs.token }}
          flake-override-inputs: |
            ct-test-src=../ct-test
            runquota-src=../runquota
      - name: just test
        run: dev-exec just test
      - name: Upload logs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: test-logs
          path: test-logs/
          retention-days: 30

  nix-build:
    name: Nix Build
    runs-on: [self-hosted, nixos]
    steps:
      - uses: actions/checkout@v4
      - name: Mint installation token for cross-repo sibling access
        id: ci_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.CI_TOKEN_PROVIDER_APP_ID }}
          private-key: ${{ secrets.CI_TOKEN_PROVIDER_PRIVATE_KEY }}
          owner: metacraft-labs
      - uses: metacraft-labs/metacraft-github-actions/setup-dev-env@main
        with:
          env-flavor: nix
          gh-token: ${{ steps.ci_token.outputs.token }}
      - name: nix build
        run: dev-exec nix build .#default
      - name: Upload logs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: build-logs
          path: test-logs/
          retention-days: 30