Skip to content
build

GhA: Authorize workflow #3580

Sign in to view logs

GhA: Authorize workflow

GhA: Authorize workflow #3580

Workflow file for this run

.github/workflows/build.yml at e3deb97
# SPDX-FileCopyrightText: 2022-2023 TII (SSRC) and the Ghaf contributors
#
# SPDX-License-Identifier: Apache-2.0
name: build
on:
push:
branches:
- main
pull_request_target:
branches:
- main
permissions:
contents: read
jobs:
debug:
runs-on: ubuntu-latest
steps:
- name: Debug
run: |
echo "github.event_name: ${{ github.event_name }}"
echo "github.repository: ${{ github.repository }}"
echo "github.event.pull_request.head.repo.full_name: ${{ github.event.pull_request.head.repo.full_name }}"
echo "github.actor: ${{ github.actor }}"
echo "github.ref: ${{ github.ref }}"
echo "github.event.pull_request.head.sha: ${{ github.event.pull_request.head.sha }}"
authorize:
# Important: 'authorize' must run before checkout to ensure 'authorize.yml'
# runs the base version, not the untrusted version from the PR.
uses: ./.github/workflows/authorize.yml
# Skip running in forked repositories, since the workflow run would fail
# due to missing repository secret(s):
if: ${{ github.repository == 'tiiuae/ghaf' }}
with:
github-org: tiiuae
secrets:
read-org-members: ${{ secrets.READ_ORG_MEMBERS }}
no-workflow-changes:
# Send a warning and fail this job if the workflow file was changed.
# Rest of the workflow continues as normal but the job failure will grab author's attention.
runs-on: ubuntu-latest
if: ${{ github.event_name == 'pull_request_target' }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0
- name: Check if workflow is modified
id: workflow-changed
uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
with:
files: .github/workflows/build.yml
- name: Send warning
run: |
if [ "${{ steps.workflow-changed.outputs.any_changed }}" == "true" ]; then
echo "::error::"\
"This change edits workflow file '.github/workflows/build.yml'."\
"Raising this error to notify that the workflow change will only take impact after merge."\
"Therefore, you need to manually test the change (perhaps in a forked repo) "\
"before merging to make sure the change does not break anything."
exit 1
fi
build_matrix:
name: "build"
needs: [authorize]
if: needs.authorize.outputs.result == 'authorized'
runs-on: ubuntu-latest
timeout-minutes: 360
strategy:
matrix:
include:
- arch: x86_64-linux
target: generic-x86_64-debug
- arch: x86_64-linux
target: lenovo-x1-carbon-gen11-debug
- arch: x86_64-linux
target: nvidia-jetson-orin-agx-debug-from-x86_64
- arch: x86_64-linux
target: nvidia-jetson-orin-nx-debug-from-x86_64
- arch: x86_64-linux
target: doc
- arch: aarch64-linux
target: nvidia-jetson-orin-nx-debug
- arch: aarch64-linux
target: nvidia-jetson-orin-agx-debug
concurrency:
# Cancel any in-progress workflow runs from the same PR or branch,
# allowing matrix jobs to run concurrently:
group: ${{ github.workflow }}.${{ github.event.pull_request.number || github.ref }}.${{ matrix.arch }}.${{ matrix.target }}
cancel-in-progress: true
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
with:
egress-policy: audit
- name: Apt install
run: sudo apt-get update; sudo apt-get install -y inxi git
- name: Print runner system info
run: sudo inxi -c0 --width -1 --basic --memory-short
- uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1
with:
ssh-private-key: |
${{ secrets.BUILDER_SSH_KEY }}
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
fetch-depth: 0
- name: Rebase
if: ${{ github.base_ref != '' }}
run: |
BASE="origin/${{ github.base_ref }}"
COMMITS="$(git rev-list "$BASE".. --count)"
CONTEXT=5
echo -e "\n[+] Git log before rebase (with $CONTEXT commits context):"
git log --oneline -n$(( COMMITS + CONTEXT ))
echo -e "\n[+] Rebasing $COMMITS commit(s) on top of '$BASE'"
git config user.email "foo@bar.com"; git config user.name "Foo Bar"
git rebase "$BASE"
echo -e "\n[+] Git log after rebase (with $CONTEXT commits context):"
git log --oneline -n$(( COMMITS + CONTEXT ))
- name: Install nix
uses: cachix/install-nix-action@754537aaedb35f72ab11a60cc162c49ef3016495 # v31
- name: Prepare remote builds
run: |
sudo sh -c "echo '${{ vars.BUILDER_SSH_KNOWN_HOST }}' >>/etc/ssh/ssh_known_hosts"
- name: Build ${{ matrix.arch }}.${{ matrix.target }}
run: |
if [ "${{ matrix.arch }}" == "x86_64-linux" ]; then
BUILDER='${{ vars.BUILDER_X86 }}'
elif [ "${{ matrix.arch }}" == "aarch64-linux" ]; then
BUILDER='${{ vars.BUILDER_AARCH }}'
else
echo "::error::Unknown architecture: '${{ matrix.arch }}'"
exit 1
fi
nix run --inputs-from .# nixpkgs#nix-fast-build -- \
--flake .#packages.${{ matrix.arch }}.${{ matrix.target }} \
--remote "$BUILDER" \
--option accept-flake-config true \
--no-download --skip-cached --no-nom