feat: power manager module, refactor ghaf-powercontrol #3446
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors | |
| # | |
| # SPDX-License-Identifier: Apache-2.0 | |
| name: build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request_target: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| check-identity: | |
| if: ${{ github.repository == 'tiiuae/ghaf' }} # Skip in forks | |
| runs-on: ubuntu-latest | |
| outputs: | |
| authorized_user: ${{ steps.check-authorized-user.outputs.authorized_user }} | |
| environment: "internal-build-workflow" | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 | |
| with: | |
| egress-policy: audit | |
| - name: Check identity | |
| id: check-authorized-user | |
| shell: bash | |
| run: | | |
| authorized_user='False' | |
| for user in ${{ vars.AUTHORIZED_USERS }}; | |
| do | |
| if [ "$user" = "${{ github.actor }}" ]; then | |
| authorized_user='True' | |
| break | |
| fi | |
| done | |
| echo "github.event_name: ${{ github.event_name }}" | |
| echo "github.repository: ${{ github.repository }}" | |
| echo "github.event.pull_request.head.repo.full_name: ${{ github.event.pull_request.head.repo.full_name }}" | |
| echo "github.actor: ${{ github.actor }}" | |
| echo "github.ref: ${{ github.ref }}" | |
| echo "github.event.pull_request.head.sha: ${{github.event.pull_request.head.sha }}" | |
| echo "authorized_user=$authorized_user" | |
| echo "authorized_user=$authorized_user" >> "$GITHUB_OUTPUT" | |
| # Authorization passes without approval if: | |
| # - The event is not a pull request (e.g. push to main) | |
| # - Pull request comes from another branch in the same repo | |
| # - Author is in our predefined list of authorized users | |
| # Otherwise, the workflow requires manual approval from a maintainer | |
| # as configured in the 'external-build-workflow' github environment | |
| authorize: | |
| needs: [check-identity] | |
| environment: ${{ | |
| ( github.event_name != 'pull_request_target' || | |
| github.event.pull_request.head.repo.full_name == github.repository || | |
| needs.check-identity.outputs.authorized_user == 'True' ) | |
| && 'internal-build-workflow' || 'external-build-workflow' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 | |
| with: | |
| egress-policy: audit | |
| - run: echo "Auth OK" | |
| # Send a warning and fail this job if the workflow file was changed. | |
| # Rest of the workflow continues as normal but the job failure will grab author's attention. | |
| no-workflow-changes: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.event_name == 'pull_request_target' }} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| fetch-depth: 0 | |
| - name: Check if workflow is modified | |
| id: workflow-changed | |
| uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3 | |
| with: | |
| files: .github/workflows/build.yml | |
| - name: Send warning | |
| run: | | |
| if [ "${{ steps.workflow-changed.outputs.any_changed }}" == "true" ]; then | |
| echo "::error::"\ | |
| "This change edits workflow file '.github/workflows/build.yml'."\ | |
| "Raising this error to notify that the workflow change will only take impact after merge."\ | |
| "Therefore, you need to manually test the change (perhaps in a forked repo) "\ | |
| "before merging to make sure the change does not break anything." | |
| exit 1 | |
| fi | |
| build_matrix: | |
| name: "build" | |
| needs: [authorize] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 360 | |
| strategy: | |
| matrix: | |
| include: | |
| - arch: x86_64-linux | |
| target: generic-x86_64-debug | |
| - arch: x86_64-linux | |
| target: lenovo-x1-carbon-gen11-debug | |
| - arch: x86_64-linux | |
| target: nvidia-jetson-orin-agx-debug-from-x86_64 | |
| - arch: x86_64-linux | |
| target: nvidia-jetson-orin-nx-debug-from-x86_64 | |
| - arch: x86_64-linux | |
| target: doc | |
| - arch: aarch64-linux | |
| target: nvidia-jetson-orin-nx-debug | |
| - arch: aarch64-linux | |
| target: nvidia-jetson-orin-agx-debug | |
| concurrency: | |
| # Cancel any in-progress workflow runs from the same PR or branch, | |
| # allowing matrix jobs to run concurrently: | |
| group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }}.${{ matrix.target }} | |
| cancel-in-progress: true | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 | |
| with: | |
| egress-policy: audit | |
| - name: Apt install | |
| run: sudo apt-get update; sudo apt-get install -y inxi git | |
| - name: Print runner system info | |
| run: sudo inxi -c0 --width -1 --basic --memory-short | |
| - uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1 | |
| with: | |
| ssh-private-key: | | |
| ${{ secrets.BUILDER_SSH_KEY }} | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| fetch-depth: 0 | |
| - name: Rebase | |
| if: ${{ github.base_ref != '' }} | |
| run: | | |
| BASE="origin/${{ github.base_ref }}" | |
| COMMITS="$(git rev-list "$BASE".. --count)" | |
| CONTEXT=5 | |
| echo -e "\n[+] Git log before rebase (with $CONTEXT commits context):" | |
| git log --oneline -n$(( COMMITS + CONTEXT )) | |
| echo -e "\n[+] Rebasing $COMMITS commit(s) on top of '$BASE'" | |
| git config user.email "foo@bar.com"; git config user.name "Foo Bar" | |
| git rebase "$BASE" | |
| echo -e "\n[+] Git log after rebase (with $CONTEXT commits context):" | |
| git log --oneline -n$(( COMMITS + CONTEXT )) | |
| - name: Install nix | |
| uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31 | |
| - name: Prepare remote builds | |
| run: | | |
| sudo sh -c "echo '${{ vars.BUILDER_SSH_KNOWN_HOST }}' >>/etc/ssh/ssh_known_hosts" | |
| - name: Build ${{ matrix.arch }}.${{ matrix.target }} | |
| run: | | |
| if [ "${{ matrix.arch }}" == "x86_64-linux" ]; then | |
| BUILDER='${{ vars.BUILDER_X86 }}' | |
| elif [ "${{ matrix.arch }}" == "aarch64-linux" ]; then | |
| BUILDER='${{ vars.BUILDER_AARCH }}' | |
| else | |
| echo "::error::Unknown architecture: '${{ matrix.arch }}'" | |
| exit 1 | |
| fi | |
| nix run --inputs-from .# nixpkgs#nix-fast-build -- \ | |
| --flake .#packages.${{ matrix.arch }}.${{ matrix.target }} \ | |
| --remote "$BUILDER" \ | |
| --option accept-flake-config true \ | |
| --no-download --skip-cached --no-nom |