From 48ca339b73b6ddbfea5724a16c1f6767c976479c Mon Sep 17 00:00:00 2001
From: Arian van Putten
Date: Sat, 12 Apr 2025 15:07:24 +0200
Subject: [PATCH 01/44] Add new release workflow
---
 .github/workflows/build-and-upload.yml | 51 ++++++++++++++++++++++++++
 .github/workflows/release.yml | 24 ++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 .github/workflows/build-and-upload.yml
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml
new file mode 100644
index 0000000..c529f9d
--- /dev/null
+++ b/.github/workflows/build-and-upload.yml
@@ -0,0 +1,51 @@
+on:
+ workflow_call:
+ inputs:
+ system:
+ type: string
+ runs-on:
+ type: string
+ release:
+ type: string
+jobs:
+ build:
+ runs-on: ${{ inputs.runs-on }}
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+ outputs:
+ name: ${{ steps.build.outputs.name }}
+ steps:
+ - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+ - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12
+ - run: |
+ out=$(nix build -L "$flakeref" --print-out-paths)
+ echo "out=$out" >> "$GITHUB_OUTPUT"
+ echo "name=$(basename "$out")" >> "$GITHUB_OUTPUT"
+ id: build
+ env:
+ flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }}
+ - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+ id: upload-artifact
+ with:
+ name: ${{ steps.build.outputs.name }}
+ path: ${{ steps.build.outputs.out }}
+ - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+ with:
+ subject-name: ${{ steps.build.outputs.name }}
+ subject-digest: sha256:${{ steps.upload-artifact.artifact-digest }}
+ upload:
+ runs-on: ubuntu-latest
+ needs: [build]
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ name: ${{ needs.build.outputs.name }}
+ path: ./result
+ - run: |
+ image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "smoketest/" --s3-bucket "$images_bucket")
+ echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT"
+ id: upload-smoketest
+ env:
+ image_info: ./result/nix-support/image-info.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..7e2cfbb
--- /dev/null
+++ b/.github/workflows/release.yml
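Review bot: The `workflow_call` inputs `system`, `runs-on` and `release` carry only `type: string`, so a caller that omits one silently passes an empty string and the job fails late with an unusable `runs-on` or a flakeref like `.#hydraJobs..amazonImage.`; add `required: true` under each of the three inputs. Two smaller points in the same hunk: `actions/download-artifact@v4` is the only action referenced by a mutable tag rather than a commit SHA, unlike the other four steps, and the `upload-smoketest` step reads `$images_bucket` while its `env:` defines only `image_info`, so `--s3-bucket` is passed an empty string. Declaring `images_bucket` next to `image_info` (from a repository variable) keeps the bucket name out of the shell line as well.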
@@ -0,0 +1,24 @@ +name: Upload AMI +on: + pull_request: + push: + branches: + - main +jobs: + build-and-upload: + strategy: + fail-fast: false + matrix: + release: + - nixos-24.11 + - nixos-unstable + system: + - runs-on: ubuntu-latest + system: x86_64-linux + - runs-on: ubuntu-24.04-arm + system: aarch64-linux + uses: ./.github/workflows/build-and-upload.yml + with: + runs-on: ${{ matrix.system.runs-on }} + system: ${{ matrix.system.system }} + release: ${{ matrix.system.release }} From ba01bac50314a05df90c7b14fc571ce2823d6055 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:09:52 +0200 Subject: [PATCH 02/44] Add new release workflow --- .github/workflows/build-and-upload.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index c529f9d..fd32738 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -34,7 +34,7 @@ jobs: - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 with: subject-name: ${{ steps.build.outputs.name }} - subject-digest: sha256:${{ steps.upload-artifact.artifact-digest }} + subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} upload: runs-on: ubuntu-latest needs: [build] diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7e2cfbb..0e410b5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,4 +21,4 @@ jobs: with: runs-on: ${{ matrix.system.runs-on }} system: ${{ matrix.system.system }} - release: ${{ matrix.system.release }} + release: ${{ matrix.release }} From 355406da3ea11d1abed9e46fa87e88e4bf4fcc48 Mon Sep 17 00:00:00 2001 
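Review bot: `on: pull_request` runs the whole reusable workflow for every pull request, including the `upload` job in build-and-upload.yml that pushes images to S3, so opening a PR has side effects in the AWS account before any review; consider gating the upload job on `github.event_name == 'push'` (or a protected environment) and letting PR runs stop after the build. The `smoketest/` prefix used by that job limits where the objects land, not what the job may do with the credentials it runs with, so it is not a substitute for that guard.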
From: Arian van Putten Date: Sat, 12 Apr 2025 15:11:40 +0200 Subject: [PATCH 03/44] Fix permissions --- .github/workflows/build-and-upload.yml | 1 + .github/workflows/release.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index fd32738..97a8657 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -31,6 +31,7 @@ jobs: with: name: ${{ steps.build.outputs.name }} path: ${{ steps.build.outputs.out }} + # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 with: subject-name: ${{ steps.build.outputs.name }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0e410b5..e13ce22 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,10 @@ on: - main jobs: build-and-upload: + permissions: + id-token: write + attestations: write + contents: read strategy: fail-fast: false matrix: From 3613988fd444675894ad959cd975fedd9817f16c Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:18:28 +0200 Subject: [PATCH 04/44] Actually add images to flake --- .github/workflows/build-and-upload.yml | 4 +++ flake.lock | 34 ++++++++++++++++++++++++++ flake.nix | 31 ++++++++++++++++++++++- 3 files changed, 68 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 97a8657..aec4282 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
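Review bot: The `permissions` block on the caller job `build-and-upload` becomes the ceiling for every job of the called workflow, and the `upload` job in build-and-upload.yml declares no `permissions:` of its own, so it inherits `id-token: write` and `attestations: write` although in this revision only `build` uses them. A job-level block on `upload` (`permissions:` with `contents: read` plus whatever it later needs) keeps each job at the minimum it uses and records the intent where the steps are.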
@@ -19,6 +19,10 @@ jobs: steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 + with: + # HACK: lets lie that we support kvm. make-disk-image.nix is fast enough in emulation mode + # and aarch64 has no kvm on github actions + extra-conf: extra-system-features = kvm - run: | out=$(nix build -L "$flakeref" --print-out-paths) echo "out=$out" >> "$GITHUB_OUTPUT" diff --git a/flake.lock b/flake.lock index 81816b8..55620c0 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,37 @@ { "nodes": { + "nixos_2411": { + "locked": { + "lastModified": 1744309437, + "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixos_unstable": { + "locked": { + "lastModified": 1744232761, + "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1739357830, @@ -18,6 +50,8 @@ }, "root": { "inputs": { + "nixos_2411": "nixos_2411", + "nixos_unstable": "nixos_unstable", "nixpkgs": "nixpkgs", "treefmt-nix": "treefmt-nix" } diff --git a/flake.nix b/flake.nix index 628ac7e..9355202 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,8 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-24.11"; + nixos_2411.url = "github:NixOS/nixpkgs?ref=nixos-24.11"; + nixos_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable"; treefmt-nix = { url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs"; 
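Review bot: `nixos_2411` tracks the same `nixos-24.11` branch as the existing `nixpkgs` input but is locked independently, and the flake.lock hunk in this commit already shows the two at different revisions (lastModified 1739357830 vs 1744309437), so the devShell/`upload-ami` package and the 24.11 image can silently drift apart; either add `nixos_2411.follows = "nixpkgs";` under `inputs`, or make `nixpkgs` follow `nixos_2411`. The `extra-system-features = kvm` override in the workflow hunk is explained only in the workflow; a matching note in the flake would help, since a local `nix build` on a host without KVM presumably refuses the build rather than taking the emulation path CI relies on.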
@@ -10,7 +12,7 @@ }; outputs = - { + inputs@{ self, nixpkgs, treefmt-nix, @@ -69,5 +71,32 @@ devShells = genAttrs supportedSystems (system: { default = self.packages.${system}.upload-ami; }); + + hydraJobs = genAttrs [ "nixos_2411" "nixos_unstable" ] ( + release: + let + nixpkgs = inputs.${release}; + in + { + amazonImage = genAttrs [ "aarch64-linux" "x86_64-linux" ] ( + system: + (nixpkgs.lib.nixosSystem { + modules = [ + "${nixpkgs}/nixos/maintainers/scripts/ec2/amazon-image.nix" + ( + { config, ... }: + # TODO: add beta to version string for beta releases + # TODO: add pre to version string for unstable + { + system.stateVersion = config.system.nixos.release; + virtualisation.diskSize = "auto"; + nixpkgs.hostPlatform = system; + } + ) + ]; + }).config.system.build.amazonImage + ); + } + ); }; } From 45245675852ead16e94d556fb145163136c36807 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:19:31 +0200 Subject: [PATCH 05/44] Add concurrency --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index 9355202..380bf7d 100644 --- a/flake.nix +++ b/flake.nix @@ -82,6 +82,7 @@ system: (nixpkgs.lib.nixosSystem { modules = [ + # TODO: use @phaer's new images interface "${nixpkgs}/nixos/maintainers/scripts/ec2/amazon-image.nix" ( { config, ... }: From a600ab0bee9203fc2f5f3d1d5b2bc26ab9049c6c Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:25:04 +0200 Subject: [PATCH 06/44] Fix names --- .github/workflows/release.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e13ce22..d4e5455 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ on: - main jobs: build-and-upload: + concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions: id-token: write attestations: write 
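Review bot: In the `hydraJobs` block the `let nixpkgs = inputs.${release}` binding shadows the `nixpkgs` parameter of `outputs`, so `${nixpkgs}/nixos/maintainers/...` and `nixpkgs.lib.nixosSystem` refer to the per-release input while every other use of `nixpkgs` in the file refers to the top-level one; a distinct name such as `releasePkgs` makes that explicit. `system.stateVersion = config.system.nixos.release` pins stateVersion to whatever release the image is built from, which is presumably intended for fresh images but deserves a one-line comment, since it runs against the usual advice to keep stateVersion fixed. The `[ "aarch64-linux" "x86_64-linux" ]` list duplicates the `system` matrix in release.yml; keep them in sync or derive one from the other.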
@@ -14,8 +17,8 @@ jobs: fail-fast: false matrix: release: - - nixos-24.11 - - nixos-unstable + - nixos_2411 + - nixos_unstable system: - runs-on: ubuntu-latest system: x86_64-linux From 9939493ec0384f59ee6c1df83277656daa088430 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:38:01 +0200 Subject: [PATCH 07/44] Fix download. And only attest on main --- .github/workflows/build-and-upload.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index aec4282..ff34f43 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -37,6 +37,7 @@ jobs: path: ${{ steps.build.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 + if: github.ref == 'refs/heads/main' with: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} @@ -44,10 +45,13 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + id: download-artifact with: name: ${{ needs.build.outputs.name }} path: ./result + - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - run: | image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "smoketest/" --s3-bucket "$images_bucket") echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" From bee4faf4de986a775be6987565df2cdbd1496c84 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:40:12 +0200 Subject: [PATCH 08/44] Fix concurrency --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
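Review bot: In the `upload` job the new `actions/checkout` step runs after `actions/download-artifact` has populated `./result`, and checkout's default `clean: true` runs `git clean -ffdx` on an existing workspace, which deletes untracked paths such as `./result` before `nix run .#upload-ami` reads `$image_info`; move the checkout step above the download (or set `clean: false` on it). The attest step's new `if: github.ref == 'refs/heads/main'` guard is the right direction; `pull_request` runs have a `github.ref` of the form `refs/pull/N/merge`, so they are excluded as intended.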
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d4e5455..3dabb46 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,7 @@ on: jobs: build-and-upload: concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.release }}-${{ matrix.system.runs-on }}-${{ matrix.system.system }} cancel-in-progress: true permissions: id-token: write From 4000dddcf61fad2a9e0258afe937ca9a7f7ef0bb Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 15:47:09 +0200 Subject: [PATCH 09/44] Add debug info --- .github/workflows/build-and-upload.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index ff34f43..0e38cd5 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -45,14 +45,15 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 id: download-artifact with: name: ${{ needs.build.outputs.name }} path: ./result - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - run: | + find result image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "smoketest/" --s3-bucket "$images_bucket") echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" id: upload-smoketest From 58628a1b4f937b5b54703e8261f2b7e877a012d5 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 16:03:20 +0200 Subject: [PATCH 10/44] use github artifacts as a cache --- .github/workflows/build-and-upload.yml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) 
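Review bot: `cancel-in-progress: true` on the caller job applies to the `upload` job of the reusable workflow as well, so a second push to `main` (or to the same PR) can kill an `upload-ami` run after it has started, presumably leaving partially uploaded objects or snapshots in the account that nothing cleans up. Consider `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` so only PR runs are superseded, or move the concurrency block into build-and-upload.yml on the `build` job only. The expanded group key correctly separates the matrix entries, which the previous `${{ github.workflow }}-${{ github.ref }}` group did not.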
diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 0e38cd5..a03f2e3 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -16,28 +16,43 @@ jobs: attestations: write outputs: name: ${{ steps.build.outputs.name }} + env: + flakeref: .#hydraJobs${{ inputs.release }}.amazonImage.${{ inputs.system }} steps: - - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 with: # HACK: lets lie that we support kvm. make-disk-image.nix is fast enough in emulation mode # and aarch64 has no kvm on github actions extra-conf: extra-system-features = kvm + - run: | + out=$(nix eval --raw "$flakeref") + name=$(basename "$out") + echo "out=$out" >> "$GITHUB_OUTPUT" + echo "name=$name" >> "$GITHUB_OUTPUT" + id: eval + - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + id: download-artifact + with: + name: ${{ needs.eval.outputs.name }} + path: ./result + continue-on-error: true - run: | out=$(nix build -L "$flakeref" --print-out-paths) echo "out=$out" >> "$GITHUB_OUTPUT" echo "name=$(basename "$out")" >> "$GITHUB_OUTPUT" id: build + if: steps.download-artifact.outcome != "success" env: flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 id: upload-artifact + if: steps.download-artifact.outcome != "success" with: - name: ${{ steps.build.outputs.name }} - path: ${{ steps.build.outputs.out }} + name: ${{ steps.eval.outputs.name }} + path: ${{ steps.eval.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - if: github.ref == 'refs/heads/main' + if: steps.download-artifact.outcome != "success" && github.ref == 'refs/heads/main' with: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} From cd6e402e537f68aa0686e4d0ec633e389acdaf53 Mon Sep 17 00:00:00 2001 
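Review bot: The job-level `outputs.name` on the context line still reads `steps.build.outputs.name`, but this hunk makes the `build` step conditional on a cache miss, so on a cache hit the `upload` job's `download-artifact` receives an empty `name`; point the output at `steps.eval.outputs.name`, which is set on both paths. The same applies to `subject-name: ${{ steps.build.outputs.name }}` in the attest step. Separately, `actions/download-artifact` v4 only sees artifacts of the current workflow run unless `run-id` and `github-token` are supplied, so as written the lookup presumably always misses and every run rebuilds, which makes the `continue-on-error: true` path the only one ever taken.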
From: Arian van Putten Date: Sat, 12 Apr 2025 16:04:00 +0200 Subject: [PATCH 11/44] Fix syntax error --- .github/workflows/build-and-upload.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index a03f2e3..501a3ba 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -19,6 +19,7 @@ jobs: env: flakeref: .#hydraJobs${{ inputs.release }}.amazonImage.${{ inputs.system }} steps: + - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 with: # HACK: lets lie that we support kvm. make-disk-image.nix is fast enough in emulation mode @@ -41,12 +42,12 @@ jobs: echo "out=$out" >> "$GITHUB_OUTPUT" echo "name=$(basename "$out")" >> "$GITHUB_OUTPUT" id: build - if: steps.download-artifact.outcome != "success" + if: steps.download-artifact.outcome != 'success' env: flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 id: upload-artifact - if: steps.download-artifact.outcome != "success" + if: steps.download-artifact.outcome != 'success' with: name: ${{ steps.eval.outputs.name }} path: ${{ steps.eval.outputs.out }} From e78501d5c2c48a0b7cda03e34b168ff7fead6fe9 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 16:06:28 +0200 Subject: [PATCH 12/44] Fix typo --- .github/workflows/build-and-upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 501a3ba..bf0c335 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -53,7 +53,7 @@ jobs: path: ${{ steps.eval.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - if: steps.download-artifact.outcome != "success" && github.ref == 'refs/heads/main' + if: steps.download-artifact.outcome != 'success' && github.ref == 'refs/heads/main' with: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} @@ -69,9 +69,9 @@ jobs: path: ./result - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 - run: | - find result image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "smoketest/" --s3-bucket "$images_bucket") echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" id: upload-smoketest env: image_info: ./result/nix-support/image-info.json + # TODO: Add provenance info that binds hash to snapshot and image id From 98586002203adf82d92bb6176aecb3d84797053a Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 16:08:01 +0200 Subject: [PATCH 13/44] Fix flake-ref --- .github/workflows/build-and-upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index bf0c335..0b4351f 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -17,7 +17,7 @@ jobs: outputs: name: ${{ steps.build.outputs.name }} env: - flakeref: .#hydraJobs${{ inputs.release }}.amazonImage.${{ inputs.system }} + flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 From 1953c6b52034d64eee291260e00663483a9c21c8 Mon Sep 17 00:00:00 2001 
From: Arian van Putten Date: Sat, 12 Apr 2025 16:11:12 +0200 Subject: [PATCH 14/44] debutg --- .github/workflows/build-and-upload.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 0b4351f..24e7083 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -27,6 +27,7 @@ jobs: extra-conf: extra-system-features = kvm - run: | out=$(nix eval --raw "$flakeref") + echo "$out" name=$(basename "$out") echo "out=$out" >> "$GITHUB_OUTPUT" echo "name=$name" >> "$GITHUB_OUTPUT" From 78e2ee56d43b5fcf21c3ac58bf75410181071227 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 16:13:22 +0200 Subject: [PATCH 15/44] Fix it --- .github/workflows/build-and-upload.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 24e7083..9243cae 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -27,7 +27,6 @@ jobs: extra-conf: extra-system-features = kvm - run: | out=$(nix eval --raw "$flakeref") - echo "$out" name=$(basename "$out") echo "out=$out" >> "$GITHUB_OUTPUT" echo "name=$name" >> "$GITHUB_OUTPUT" @@ -35,7 +34,7 @@ jobs: - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 id: download-artifact with: - name: ${{ needs.eval.outputs.name }} + name: ${{ steps.eval.outputs.name }} path: ./result continue-on-error: true - run: | From 3795403912f6608f4e6d61304bdd152872cd36da Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 16:15:22 +0200 Subject: [PATCH 16/44] Always attest. as we might have a cached artifact from a pull request --- .github/workflows/build-and-upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 9243cae..f989a1c 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -53,7 +53,7 @@ jobs: path: ${{ steps.eval.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - if: steps.download-artifact.outcome != 'success' && github.ref == 'refs/heads/main' + if: github.ref == 'refs/heads/main' with: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} From f5a801c0c6f9713cd237c71d39d254da886f1449 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 16:45:35 +0200 Subject: [PATCH 17/44] Tweak --- .github/workflows/build-and-upload.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index f989a1c..90a7814 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -31,6 +31,7 @@ jobs: echo "out=$out" >> "$GITHUB_OUTPUT" echo "name=$name" >> "$GITHUB_OUTPUT" id: eval + # TODO: prefix artifact with ref name? - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 id: download-artifact with: @@ -53,7 +54,7 @@ jobs: path: ${{ steps.eval.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - if: github.ref == 'refs/heads/main' + if: steps.download-artifact.outcome != 'success' with: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} From b3ca20ee79d17f1dc5728b9dce8c064ef15416d9 Mon Sep 17 00:00:00 2001 
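Review bot: With this condition the attest step also runs on the cache-hit path, where `upload-artifact` was skipped, so `steps.upload-artifact.outputs.artifact-digest` is empty and `subject-digest` degrades to the literal `sha256:`; the step either fails or attests a bogus subject. More fundamentally, the artifact that `download-artifact` found was produced by another run, possibly a pull_request build, and this job has not verified it, so signing provenance for it from a `main` run claims a build this workflow did not perform. Either attest only on the build path (keep the `steps.download-artifact.outcome != 'success'` term) or verify the downloaded artifact's existing attestation before reusing it.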
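Review bot: Dropping the `github.ref == 'refs/heads/main'` term means `actions/attest-build-provenance` now signs artifacts built from every pull_request run, so any same-repo PR, which gets `attestations: write` from the caller in release.yml, can publish provenance for unreviewed code under the repository's identity. Keep both terms: `if: steps.download-artifact.outcome != 'success' && github.ref == 'refs/heads/main'`. The new `# TODO: prefix artifact with ref name?` comment points at the related problem that artifacts from PRs and from main share a name and can be picked up by each other's download step.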
From: Arian van Putten Date: Sat, 12 Apr 2025 17:01:10 +0200 Subject: [PATCH 18/44] Attest what image ids we uploaded --- .github/workflows/build-and-upload.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 90a7814..bb4c564 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -16,6 +16,7 @@ jobs: attestations: write outputs: name: ${{ steps.build.outputs.name }} + digest: ${{ steps.upload-artifact.outputs.artifact-digest }} env: flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} steps: @@ -69,10 +70,24 @@ jobs: name: ${{ needs.build.outputs.name }} path: ./result - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 + - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami + aws-region: ${{ vars.AWS_REGION }} - run: | image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "smoketest/" --s3-bucket "$images_bucket") echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" id: upload-smoketest env: image_info: ./result/nix-support/image-info.json - # TODO: Add provenance info that binds hash to snapshot and image id + - uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 + with: + subject-name: ${{ needs.build.outputs.name }} + subject-digest: ${{ needs.build.outputs.digest}} + predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" + predicate: | + { + accountId: "${{ vars.AWS_ACCOUNT_ID }}", + imageIds: ${{ steps.upload-smoketest.outputs.image_ids }}, + roleArn: "${{ arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami" + } From f81fb01929af8b24e0638f0fdc9c9edcba978898 Mon Sep 17 00:00:00 2001 
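Review bot: `subject-digest: ${{ needs.build.outputs.digest }}` passes the `artifact-digest` output bare, while the `build` job prefixes the same value with `sha256:` for `attest-build-provenance`; `actions/attest` documents the `sha256:<hex>` form, so use `subject-digest: sha256:${{ needs.build.outputs.digest }}` (or put the prefix on the job output once). The `predicate:` is assembled by string interpolation of `steps.upload-smoketest.outputs.image_ids` into a JSON body, so anything other than a clean JSON value in that output (an error message on stdout, an empty result) either breaks the attestation or lands verbatim in the signed predicate; building it with `jq --argjson` in a `run` step and passing `predicate-path` makes malformed input fail before anything is signed. The rewrite below assumes, as the current predicate does, that `upload-ami` prints a JSON value.

```yaml
      - run: |
          jq -n \
            --arg accountId "$account_id" \
            --arg roleArn "arn:aws:iam::${account_id}:role/upload-ami" \
            --argjson imageIds "$image_ids" \
            '{accountId: $accountId, imageIds: $imageIds, roleArn: $roleArn}' \
            > predicate.json
        env:
          account_id: ${{ vars.AWS_ACCOUNT_ID }}
          image_ids: ${{ steps.upload-smoketest.outputs.image_ids }}
      - uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1
        with:
          # … unchanged: subject-name, predicate-type …
          subject-digest: sha256:${{ needs.build.outputs.digest }}
          predicate-path: predicate.json
```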
From: Arian van Putten Date: Sat, 12 Apr 2025 17:26:48 +0200 Subject: [PATCH 19/44] Fix syntax error --- .github/workflows/build-and-upload.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index bb4c564..7b8a0ee 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -87,7 +87,7 @@ jobs: predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" predicate: | { - accountId: "${{ vars.AWS_ACCOUNT_ID }}", - imageIds: ${{ steps.upload-smoketest.outputs.image_ids }}, - roleArn: "${{ arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami" + "accountId": "${{ vars.AWS_ACCOUNT_ID }}", + "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, + "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami" } From 7efac08cc1312b77def82fec29ad8a9bcc0112ca Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 17:34:32 +0200 Subject: [PATCH 20/44] Add images environment --- .github/workflows/build-and-upload.yml | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 7b8a0ee..3002e45 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -26,42 +26,28 @@ jobs: # HACK: lets lie that we support kvm. make-disk-image.nix is fast enough in emulation mode # and aarch64 has no kvm on github actions extra-conf: extra-system-features = kvm - - run: | - out=$(nix eval --raw "$flakeref") - name=$(basename "$out") - echo "out=$out" >> "$GITHUB_OUTPUT" - echo "name=$name" >> "$GITHUB_OUTPUT" - id: eval - # TODO: prefix artifact with ref name? - - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 - id: download-artifact - with: - name: ${{ steps.eval.outputs.name }} - path: ./result - continue-on-error: true - run: | out=$(nix build -L "$flakeref" --print-out-paths) echo "out=$out" >> "$GITHUB_OUTPUT" echo "name=$(basename "$out")" >> "$GITHUB_OUTPUT" id: build - if: steps.download-artifact.outcome != 'success' env: flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 id: upload-artifact - if: steps.download-artifact.outcome != 'success' with: name: ${{ steps.eval.outputs.name }} path: ${{ steps.eval.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 - if: steps.download-artifact.outcome != 'success' + if: github.ref == 'refs/heads/main' with: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} upload: runs-on: ubuntu-latest needs: [build] + environment: images steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 
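Review bot: `environment: images` on the `upload` job is the right hook, but it only protects the AWS role if two things outside this file line up: the environment's deployment branch policy must be limited to `main` (release.yml still triggers on `pull_request`, and `upload` has no `if:` guard of its own), and the IAM trust policy for `role/upload-ami` should match the OIDC `sub` claim `repo:<owner>/<repo>:environment:images` rather than a bare `repo:<owner>/<repo>:*`. Record both assumptions next to the line, e.g. `# deployment branch policy: main only; role trust policy keys on environment:images`. Removing the artifact-cache path also makes the restored `github.ref == 'refs/heads/main'` guard consistent again with a `subject-digest` that always comes from this run's own upload.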
@@ -83,7 +69,7 @@ jobs: - uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 with: subject-name: ${{ needs.build.outputs.name }} - subject-digest: ${{ needs.build.outputs.digest}} + subject-digest: ${{ needs.build.outputs.digest }} predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" predicate: | { From 308172fb9279784267e6e555d25d96fef14f1be5 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 17:38:10 +0200 Subject: [PATCH 21/44] Fix typo --- .github/workflows/build-and-upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 3002e45..8a8d66a 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -36,8 +36,8 @@ jobs: - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4 id: upload-artifact with: - name: ${{ steps.eval.outputs.name }} - path: ${{ steps.eval.outputs.out }} + name: ${{ steps.build.outputs.name }} + path: ${{ steps.build.outputs.out }} # TODO: use https://github.com/arianvp/nix-attest to store more provenance information - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 if: github.ref == 'refs/heads/main' From 38be76662d31d2a61df2fc0ca537cca9951d054f Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 19:35:33 +0200 Subject: [PATCH 22/44] Fix provenance --- .github/workflows/build-and-upload.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 8a8d66a..982d91c 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -66,6 +66,17 @@ jobs: id: upload-smoketest env: image_info: ./result/nix-support/image-info.json + images_bucket: ${{ vars.IMAGES_BUCKET }} + - run: | + json=$(jq . "$image_info") + echo "json=$json" >> "$GITHUB_OUTPUT" + id: image-info + env: + image_info: ./result/nix-support/image-info.json + - run: | + json=$(aws sts get-caller-identity --output json) + echo "json=$json" + id: caller-identity - uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 with: subject-name: ${{ needs.build.outputs.name }} @@ -73,7 +84,8 @@ jobs: predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" predicate: | { - "accountId": "${{ vars.AWS_ACCOUNT_ID }}", + "imageInfo": ${{ steps.image-info.json }}, "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, - "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami" + "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", + "callerIdentity": ${{ steps.caller-identity.json }} } From 4fc97514778f91498ce378e806bc6b2316e0ec0e Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 19:36:04 +0200 Subject: [PATCH 23/44] Add predicate accountId --- .github/workflows/build-and-upload.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 982d91c..30502d3 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -87,5 +87,6 @@ jobs: "imageInfo": ${{ steps.image-info.json }}, "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", + "accountId": "${{ vars.AWS_ACCOUNT_ID }}", "callerIdentity": ${{ steps.caller-identity.json }} } From 171589ec9fac148577fadd135159bb747eeae1fd Mon Sep 17 00:00:00 2001 
From: Arian van Putten Date: Sat, 12 Apr 2025 19:54:56 +0200 Subject: [PATCH 24/44] hack around fact that download-artifact is not in nix store. Should fix with some nix caching instead later maybe? --- .github/workflows/build-and-upload.yml | 4 ++-- upload-ami/src/upload_ami/upload_ami.py | 18 +++++++++++------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 30502d3..c99ce7e 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -84,9 +84,9 @@ jobs: predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" predicate: | { - "imageInfo": ${{ steps.image-info.json }}, + "imageInfo": ${{ steps.image-info.outputs.json }}, "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", "accountId": "${{ vars.AWS_ACCOUNT_ID }}", - "callerIdentity": ${{ steps.caller-identity.json }} + "callerIdentity": ${{ steps.caller-identity.outputs.json }} } diff --git a/upload-ami/src/upload_ami/upload_ami.py b/upload-ami/src/upload_ami/upload_ami.py index f1fb447..6092f5c 100644 --- a/upload-ami/src/upload_ami/upload_ami.py +++ b/upload-ami/src/upload_ami/upload_ami.py @@ -16,6 +16,7 @@ from mypy_boto3_s3.client import S3Client from concurrent.futures import ThreadPoolExecutor +from importlib import reload class ImageInfo(TypedDict): @@ -292,7 +293,7 @@ def _copy_image(target_region: RegionTypeDef) -> tuple[str, str]: def upload_ami( - image_info: ImageInfo, + image_info_file: str, s3_bucket: str, copy_to_regions: bool, prefix: str, 
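Review bot: `from importlib import reload` is added to upload_ami.py but nothing in the visible hunks of this patch (or the later ones on this page) uses `reload`, so it is an unused import that lint will flag; drop the line. If it was intended for interactive development, it does not belong in the shipped module.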
@@ -308,11 +309,17 @@ def upload_ami( ec2: EC2Client = boto3.client("ec2") s3: S3Client = boto3.client("s3") - image_file = Path(image_info["file"]) + with open(image_info_file, "r") as f: + image_info = json.load(f) + + # HACK: This is to get this to work if we're pointing to an image-info + # out of the nix store + original_path = Path(image_info["file"]) + image_info_path = Path(image_info_file) + image_file = image_info_path.parent / original_path.name label = image_info["label"] system = image_info["system"] image_name = prefix + label + "-" + system + ("." + run_id if run_id else "") - image_format = image_info.get("format") or "VHD" snapshot_id = import_snapshot_if_not_exist( s3, ec2, s3_bucket, image_name, image_file, image_format @@ -357,12 +364,9 @@ def main() -> None: level = logging.DEBUG if args.debug else logging.INFO logging.basicConfig(level=level) - with open(args.image_info, "r") as f: - image_info = json.load(f) - image_ids = {} image_ids = upload_ami( - image_info, + args.image_info, args.s3_bucket, args.copy_to_regions, args.prefix, From 7f3003f96eacb4c0117aa2e0bb75b7a6a0bfc14b Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 20:03:50 +0200 Subject: [PATCH 25/44] Fix --- upload-ami/src/upload_ami/upload_ami.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/upload-ami/src/upload_ami/upload_ami.py b/upload-ami/src/upload_ami/upload_ami.py index 6092f5c..a627363 100644 --- a/upload-ami/src/upload_ami/upload_ami.py +++ b/upload-ami/src/upload_ami/upload_ami.py @@ -316,7 +316,7 @@ def upload_ami( # out of the nix store original_path = Path(image_info["file"]) image_info_path = Path(image_info_file) - image_file = image_info_path.parent / original_path.name + image_file = image_info_path.parent.parent / original_path.name label = image_info["label"] system = image_info["system"] image_name = prefix + label + "-" + system + ("." + run_id if run_id else "") 
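Review bot: The image file is now guessed from the location of the image-info file (`image_info_path.parent / original_path.name`) instead of the `file` path recorded in the JSON, and nothing checks that the guessed path exists; a wrong guess (the follow-up patch already has to change this to `.parent.parent`) only surfaces as a failed S3 upload far from the cause. Add an explicit check right after the assignment, e.g. `if not image_file.is_file(): raise FileNotFoundError(f"expected image {original_path.name!r} relative to {image_info_file!r}, got {image_file}")`, and say in the HACK comment which layout is assumed (image-info.json under `nix-support/` with the disk image at the artifact root). The `-` line just before `snapshot_id = ...` reads as removing the `image_format = image_info.get("format") or "VHD"` assignment that the call below still passes; if that is not merely a dropped blank line, `image_format` is an undefined name at runtime. `upload_ami` starts before this hunk and continues past it.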
From eff83fd20a2f6710c9f435401f56a3e38883c3b3 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 20:32:36 +0200 Subject: [PATCH 26/44] fix multi-line --- .github/workflows/build-and-upload.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index c99ce7e..792c701 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -69,7 +69,9 @@ jobs: images_bucket: ${{ vars.IMAGES_BUCKET }} - run: | json=$(jq . "$image_info") - echo "json=$json" >> "$GITHUB_OUTPUT" + echo "json<> "$GITHUB_OUTPUT" id: image-info env: image_info: ./result/nix-support/image-info.json From 30c1965132b3cea83790e60efd246a10448add0b Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 20:38:56 +0200 Subject: [PATCH 27/44] Try again --- .github/workflows/build-and-upload.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 792c701..fbdd4d4 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -69,9 +69,11 @@ jobs: images_bucket: ${{ vars.IMAGES_BUCKET }} - run: | json=$(jq . "$image_info") - echo "json<> "$GITHUB_OUTPUT" + { + echo "json<> "$GITHUB_OUTPUT" id: image-info env: image_info: ./result/nix-support/image-info.json From 19af74f8eaded09521e72b7b69e69de8430fc4db Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 21:13:08 +0200 Subject: [PATCH 28/44] Fix --- .github/workflows/build-and-upload.yml | 11 +++++++---- .github/workflows/release.yml | 24 +++++++++++++++++++++--- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index fbdd4d4..7ece1ad 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -78,18 +78,21 @@ jobs: env: image_info: ./result/nix-support/image-info.json - run: | - json=$(aws sts get-caller-identity --output json) - echo "json=$json" + { + echo "json<> "$GITHUB_OUTPUT" id: caller-identity - uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 with: subject-name: ${{ needs.build.outputs.name }} - subject-digest: ${{ needs.build.outputs.digest }} + subject-digest: sha256:${{ needs.build.outputs.digest }} predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" predicate: | { "imageInfo": ${{ steps.image-info.outputs.json }}, - "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, + "imageIds": ${{ steps.upload.outputs.image_ids }}, "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", "accountId": "${{ vars.AWS_ACCOUNT_ID }}", "callerIdentity": ${{ steps.caller-identity.outputs.json }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3dabb46..d90f755 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -18,14 +18,32 @@ jobs: matrix: release: - nixos_2411 - - nixos_unstable + # - nixos_unstable system: - runs-on: ubuntu-latest system: x86_64-linux - - runs-on: ubuntu-24.04-arm - system: aarch64-linux + # - runs-on: ubuntu-24.04-arm + # system: aarch64-linux uses: ./.github/workflows/build-and-upload.yml with: runs-on: ${{ matrix.system.runs-on }} system: ${{ matrix.system.system }} release: ${{ matrix.release }} + delete-deprecated-images: + runs-on: ubuntu-latest + needs: [upload-ami] + environment: images + permissions: + contents: read + id-token: write + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 + - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 + - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami + aws-region: ${{ vars.AWS_REGION }} + - name: Delete deprecated AMIs + if: github.ref == 'refs/heads/main' + run: nix run .#delete-deprecated-images From dcf52bd1764e049362a81b4146de0da7a3dfc5b7 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sat, 12 Apr 2025 21:14:38 +0200 Subject: [PATCH 29/44] one last try with attesting the image ids --- .github/workflows/build-and-upload.yml | 2 +- .github/workflows/release.yml | 18 ------------------ 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 7ece1ad..674075a 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -92,7 +92,7 @@ jobs: predicate: | { "imageInfo": ${{ steps.image-info.outputs.json }}, - "imageIds": ${{ steps.upload.outputs.image_ids }}, + "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", "accountId": "${{ vars.AWS_ACCOUNT_ID }}", "callerIdentity": ${{ steps.caller-identity.outputs.json }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d90f755..25f7211 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,21 +29,3 @@ jobs: runs-on: ${{ matrix.system.runs-on }} system: ${{ matrix.system.system }} release: ${{ matrix.release }} - delete-deprecated-images: - runs-on: ubuntu-latest - needs: [upload-ami] - environment: images - permissions: - contents: read - id-token: write - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 - - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 - - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 - with: - role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami - aws-region: ${{ vars.AWS_REGION }} - - name: Delete deprecated AMIs - if: github.ref == 'refs/heads/main' - run: nix run .#delete-deprecated-images From ac17880db0788da07e295cb51b8f412f3bf188ec Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Sun, 13 Apr 2025 12:36:13 +0200 Subject: [PATCH 30/44] ignore the flake interface of nixpkgs as it's utterly broken --- flake.nix | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/flake.nix b/flake.nix index 380bf7d..53f3425 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,8 +3,18 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-24.11"; - nixos_2411.url = "github:NixOS/nixpkgs?ref=nixos-24.11"; - nixos_unstable.url = "github:NixOS/nixpkgs?ref=nixos-unstable"; + + # NOTE: We use the channel tarballs as they contain a .version and + # .version-suffix file with the naming convetions we want. The + # lib.trivial.version for flakes and git repos returns the wrong thing + nixos_2411 = { + url = "https://channels.nixos.org/nixos-24.11/nixexprs.tar.xz"; + flake = false; + }; + nixos_unstable = { + url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"; + flake = false; + }; treefmt-nix = { url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -76,18 +86,21 @@ release: let nixpkgs = inputs.${release}; + # NOTE: we can not use nixpkgs.lib.nixosSystem as that uses + # an extended version of lib that overrides lib.trivial.version + # with something flake-specific which breaks the naming conventions + # for images. (e.g. pre for unstable, beta for 25.05, etc) + nixosSystem = args: import "${nixpkgs}/nixos/lib/eval-config.nix" ({ system = null; } // args); in { amazonImage = genAttrs [ "aarch64-linux" "x86_64-linux" ] ( system: - (nixpkgs.lib.nixosSystem { + (nixosSystem { modules = [ # TODO: use @phaer's new images interface "${nixpkgs}/nixos/maintainers/scripts/ec2/amazon-image.nix" ( { config, ... }: - # TODO: add beta to version string for beta releases - # TODO: add pre to version string for unstable { system.stateVersion = config.system.nixos.release; virtualisation.diskSize = "auto"; From 840930791f508cad44e40409d029919f31021c1b Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Tue, 22 Apr 2025 19:46:35 +0200 Subject: [PATCH 31/44] lock flake --- flake.lock | 36 ++++++++++++++++-------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index 55620c0..1bd0af6 100644 --- a/flake.lock +++ b/flake.lock 
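Review bot: The new `nixosSystem` helper hard-codes `system = null`, which as far as I recall means every configuration evaluated through it must set `nixpkgs.hostPlatform` itself, and the `amazonImage` modules that would do so are cut off here; a one-line comment on the helper, `# system = null: each configuration must set nixpkgs.hostPlatform`, would spare the next person the evaluation error. The inputs comment should also say what "returns the wrong thing" is (presumably a version without the `.<count>.<hash>` suffix that the channel tarball's `.version-suffix` provides), and "convetions" is a typo for "conventions". Pinning the channel tarballs by `narHash` in flake.lock keeps integrity equivalent to the previous `github:` inputs, so the supply-chain posture is unchanged.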
@@ -1,35 +1,31 @@ { "nodes": { "nixos_2411": { + "flake": false, "locked": { - "lastModified": 1744309437, - "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7", - "type": "github" + "lastModified": 1744533305, + "narHash": "sha256-56qCMHw9q2hkyh6qlbrTKTN102OfZPkXVI4YGLa5Wgc=", + "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.716947.26d499fc9f1d/nixexprs.tar.xz" }, "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://channels.nixos.org/nixos-24.11/nixexprs.tar.xz" } }, "nixos_unstable": { + "flake": false, "locked": { - "lastModified": 1744232761, - "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14", - "type": "github" + "lastModified": 1744987241, + "narHash": "sha256-n2OqF5zuL7LTrEF4Gx0cUlHccvTm3jPYre0g5snnYK0=", + "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05pre785698.b024ced1aac2/nixexprs.tar.xz" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" } }, "nixpkgs": { From 086fde09545b078c8c742e1bac29cfcd8ee26a5a Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Tue, 22 Apr 2025 19:49:47 +0200 Subject: [PATCH 32/44] Change custom predicate type --- .github/workflows/build-and-upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 674075a..da3fcaa 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -88,7 +88,7 @@ jobs: with: subject-name: ${{ needs.build.outputs.name }} subject-digest: sha256:${{ needs.build.outputs.digest }} - predicate-type: "https://github.com/nixos/amis/predicates/upload-ami/v0" + predicate-type: "https://github.com/NixOS/amis/predicates/upload-ami/v0" predicate: | { "imageInfo": ${{ steps.image-info.outputs.json }}, From 883ee3771e827929d0428bc46454ee32b4038723 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Tue, 22 Apr 2025 20:42:19 +0200 Subject: [PATCH 33/44] implement actual upload --- .github/workflows/build-and-upload.yml | 51 +++++++++++++++++++++++--- 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index da3fcaa..c2a44ce 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -60,23 +60,58 @@ jobs: with: role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami aws-region: ${{ vars.AWS_REGION }} - - run: | - image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "smoketest/" --s3-bucket "$images_bucket") + + - name: Upload smoke test + id: upload-smoke-test + run: | + image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "nixos/" --s3-bucket "$images_bucket") echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" - id: upload-smoketest env: image_info: ./result/nix-support/image-info.json images_bucket: ${{ vars.IMAGES_BUCKET }} + + - name: Run smoke test + id: smoke-test + run: | + image_id=$(echo "$image_ids" | jq -r ".['$AWS_REGION']") + nix run .#smoke-test -- --image-id "$image_id" + env: + image_ids: ${{ steps.upload-smoke-test.outputs.image_ids }} + + - name: Clean up smoke test + if: ${{ cancelled() }} + run: | + image_id=$(echo "$image_ids" | jq -r ".['$AWS_REGION']") + nix run .#smoke-test -- --image-id "$image_id" --cancel + env: + image_ids: ${{ steps.upload-smoke-test.outputs.image_ids }} + + - name: Upload AMIs to all available regions + if: github.ref == 'refs/heads/main' + id: upload-amis + run: | + image_ids=$(nix run .#upload-ami -- \ + --image-info "$image_info" \ + --prefix "nixos/" \ + --s3-bucket "$images_bucket" \ + --copy-to-regions \ + --public) + echo "image_ids=$image_ids" >> "GITHUB_OUTPUT" + env: + image_info: ./result/nix-support/image-info.json + images_bucket: ${{ vars.IMAGES_BUCKET }} + - run: | - json=$(jq . 
"$image_info") { echo "json<> "$GITHUB_OUTPUT" id: image-info + if: github.ref == 'refs/heads/main' env: image_info: ./result/nix-support/image-info.json + - run: | { echo "json<> "$GITHUB_OUTPUT" id: caller-identity - - uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 + if: github.ref == 'refs/heads/main' + + - name: Create upload attestation + uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 + if: github.ref == 'refs/heads/main' with: subject-name: ${{ needs.build.outputs.name }} subject-digest: sha256:${{ needs.build.outputs.digest }} @@ -92,7 +131,7 @@ jobs: predicate: | { "imageInfo": ${{ steps.image-info.outputs.json }}, - "imageIds": ${{ steps.upload-smoketest.outputs.image_ids }}, + "imageIds": ${{ steps.upload-amis.outputs.image_ids }}, "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", "accountId": "${{ vars.AWS_ACCOUNT_ID }}", "callerIdentity": ${{ steps.caller-identity.outputs.json }} From d8eec360b9f30b566c799a3822b808993180a49b Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Tue, 22 Apr 2025 20:44:57 +0200 Subject: [PATCH 34/44] Hello ci? From 799717200cf701878d900195cb3638e223551f4e Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Tue, 22 Apr 2025 20:48:10 +0200 Subject: [PATCH 35/44] latest github action --- .github/workflows/build-and-upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index c2a44ce..8a81220 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml 
@@ -21,7 +21,7 @@ jobs: flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 + - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16 with: # HACK: lets lie that we support kvm. make-disk-image.nix is fast enough in emulation mode # and aarch64 has no kvm on github actions @@ -55,7 +55,7 @@ jobs: with: name: ${{ needs.build.outputs.name }} path: ./result - - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 + - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16 - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami From cde3c07417c419f2fb7a94054db033f3c95da721 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 23 Apr 2025 11:25:14 +0200 Subject: [PATCH 36/44] Complete release.yml --- .github/workflows/release.yml | 47 +++++++++ .github/workflows/upload-legacy-ami.yml | 131 ------------------------ 2 files changed, 47 insertions(+), 131 deletions(-) delete mode 100644 .github/workflows/upload-legacy-ami.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 25f7211..4754f8d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -29,3 +29,50 @@ jobs: runs-on: ${{ matrix.system.runs-on }} system: ${{ matrix.system.system }} release: ${{ matrix.release }} + delete-deprecated-images: + name: Delete deprecated images + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + needs: build-and-upload + environment: images + permissions: + contents: read + id-token: write + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16 + - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami + aws-region: ${{ vars.AWS_REGION }} + - name: Delete deprecated AMIs + if: github.ref == 'refs/heads/main' + run: "nix run .#delete-deprecated-images" + deploy-pages: + name: Deploy images page + if: github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + needs: [build-and-upload, delete-deprecated-images] + permissions: + contents: read + id-token: write + pages: write + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16 + - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages + aws-region: ${{ vars.AWS_REGION }} + - name: Describe images + run: nix run .#describe-images > ./site/images.json + - name: Upload pages + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 + with: + path: ./site + - name: Deploy pages + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 + id: deployment 
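Review bot: The `deploy-pages` job assumes `role/github-pages` via OIDC but, unlike every other AWS-touching job on this page, is not behind the `images` environment; its token subject will carry `environment:github-pages`, so the role's trust policy must be scoped to this repository and that environment (and ideally to `ref:refs/heads/main`) — I cannot verify that from here, and a comment on the `role-to-assume` line stating the expected trust policy would document the assumption. In `delete-deprecated-images`, the step-level `if: github.ref == 'refs/heads/main'` duplicates the job-level condition; keep one. Since the delete job is destructive, `needs: build-and-upload` gating it on every matrix entry succeeding is the right call and worth a one-line comment so nobody relaxes it.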
diff --git a/.github/workflows/upload-legacy-ami.yml b/.github/workflows/upload-legacy-ami.yml deleted file mode 100644 index ef6085e..0000000 --- a/.github/workflows/upload-legacy-ami.yml +++ /dev/null 
@@ -1,131 +0,0 @@ -name: Upload Legacy Amazon Image -permissions: - contents: read -on: - pull_request: - workflow_dispatch: - schedule: - - cron: "0 0 * * 0" -jobs: - upload-ami: - name: Upload Legacy Amazon Image - runs-on: ubuntu-latest - environment: images - permissions: - contents: read - id-token: write - strategy: - matrix: - release: - - release-24.11 - # - nixos-unstable - system: - - x86_64-linux - - aarch64-linux - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 - - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 - # NOTE: We download the AMI from Hydra instead of building it ourselves - # because aarch64 is currently not supported by AWS EC2 and the legacy - # image builder requires nested virtualization. - - name: Download AMI from Hydra - id: download_ami - run: | - set -o pipefail - build_id=$(curl -sSfL -H 'Accept: application/json' https://hydra.nixos.org/job/nixos/${{ matrix.release }}/tested/latest-finished | jq -r '.id') - out=$(curl -sSfL -H 'Accept: application/json' "https://hydra.nixos.org/build/${build_id}/constituents" | jq -r '.[] | select(.job == "nixos.amazonImage.${{ matrix.system }}") | .buildoutputs.out.path') - nix-store --realise "$out" --add-root ./result - echo "image_info=$out/nix-support/image-info.json" >> "$GITHUB_OUTPUT" - - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 - with: - role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami - aws-region: ${{ vars.AWS_REGION }} - - name: Upload Smoke test AMI - id: upload_smoke_test_ami - run: | - image_info='${{ steps.download_ami.outputs.image_info }}' - images_bucket='${{ vars.IMAGES_BUCKET }}' - image_ids=$(nix run .#upload-ami -- \ - --image-info "$image_info" \ - --prefix "smoketest/" \ - --s3-bucket "$images_bucket") - echo 
"image_ids=$image_ids" >> "$GITHUB_OUTPUT" - - name: Smoke test - id: smoke_test - # NOTE: make sure smoke test isn't cancelled. Such that instance gets cleaned up. - run: | - image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}' - image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]') - nix run .#smoke-test -- --image-id "$image_id" - - name: Clean up smoke test - if: ${{ cancelled() }} - run: | - image_ids='${{ steps.upload_smoke_test_ami.outputs.image_ids }}' - image_id=$(echo "$image_ids" | jq -r '.["${{ vars.AWS_REGION }}"]') - nix run .#smoke-test -- --image-id "$image_id" --cancel - # NOTE: We do not pass run-id as we're not building the image ourselves - # and we thus need to poll hydra periodically. Including the run-id would - # cause us to register the same snapshot as an image over and over again - # for each run. - - name: Upload AMIs to all available regions - if: github.ref == 'refs/heads/main' - run: | - image_info='${{ steps.download_ami.outputs.image_info }}' - images_bucket='${{ vars.IMAGES_BUCKET }}' - nix run .#upload-ami -- \ - --image-info "$image_info" \ - --prefix "nixos/" \ - --s3-bucket "$images_bucket" \ - --copy-to-regions \ - --public - delete-deprecated-images: - name: Delete deprecated images - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - needs: upload-ami - environment: images - permissions: - contents: read - id-token: write - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 - - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 - - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 - with: - role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami - aws-region: ${{ vars.AWS_REGION }} - - name: Delete deprecated AMIs - if: github.ref == 'refs/heads/main' - run: 
"nix run .#delete-deprecated-images \n" - deploy-pages: - name: Deploy images page - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - needs: [upload-ami, delete-deprecated-images] - permissions: - contents: read - id-token: write - pages: write - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: DeterminateSystems/nix-installer-action@7993355175c2765e5733dae74f3e0786fe0e5c4f # v12 - - uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 - - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 - with: - role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/github-pages - aws-region: ${{ vars.AWS_REGION }} - - name: Describe images - run: nix run .#describe-images > ./site/images.json - - name: Upload pages - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 - with: - path: ./site - - name: Deploy pages - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 - id: deployment - if: github.ref == 'refs/heads/main' From 08757bfd9b7a3969ebd3e4a285a376bd678c85cb Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 23 Apr 2025 11:25:43 +0200 Subject: [PATCH 37/44] Re-enable arm --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4754f8d..617283e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,8 +22,8 @@ jobs: system: - runs-on: ubuntu-latest system: x86_64-linux - # - runs-on: ubuntu-24.04-arm - # system: aarch64-linux + - runs-on: ubuntu-24.04-arm + system: aarch64-linux uses: ./.github/workflows/build-and-upload.yml with: runs-on: ${{ matrix.system.runs-on }} 
From 51632ebc91383c512974ee2b2b110bdd2f8c6c2d Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 23 Apr 2025 11:28:52 +0200 Subject: [PATCH 38/44] Fix jq syntax --- .github/workflows/build-and-upload.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 8a81220..ab8d078 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -73,7 +73,7 @@ jobs: - name: Run smoke test id: smoke-test run: | - image_id=$(echo "$image_ids" | jq -r ".['$AWS_REGION']") + image_id=$(echo "$image_ids" | jq -r '.[$ENV.AWS_REGION]') nix run .#smoke-test -- --image-id "$image_id" env: image_ids: ${{ steps.upload-smoke-test.outputs.image_ids }} @@ -81,7 +81,7 @@ jobs: - name: Clean up smoke test if: ${{ cancelled() }} run: | - image_id=$(echo "$image_ids" | jq -r ".['$AWS_REGION']") + image_id=$(echo "$image_ids" | jq -r '.[$ENV.AWS_REGION]') nix run .#smoke-test -- --image-id "$image_id" --cancel env: image_ids: ${{ steps.upload-smoke-test.outputs.image_ids }} From 90309b4a6cf3574632ce45643d4761a7303373e5 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 23 Apr 2025 11:48:31 +0200 Subject: [PATCH 39/44] Try to make github actions matrix prettier in UI --- .github/workflows/build-and-upload.yml | 3 +++ .github/workflows/release.yml | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index ab8d078..d456988 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -1,3 +1,4 @@ +name: Build and upload AMI on: workflow_call: inputs: @@ -9,6 +10,7 @@ on: type: string jobs: build: + name: Build runs-on: ${{ inputs.runs-on }} permissions: contents: read 
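Review bot: `jq -r '.[$ENV.AWS_REGION]'` prints the literal string `null` when the region key is absent from `image_ids`, so `nix run .#smoke-test -- --image-id null` runs with a bogus id instead of failing early. Use `jq -re '.[$ENV.AWS_REGION]'` in both the smoke-test and cleanup steps so a missing key sets a non-zero exit status; with the default `bash -e` step shell the assignment then aborts the step. The same applies to the cleanup step's copy of the line in this hunk.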
@@ -45,6 +47,7 @@ jobs: subject-name: ${{ steps.build.outputs.name }} subject-digest: sha256:${{ steps.upload-artifact.outputs.artifact-digest }} upload: + name: Upload runs-on: ubuntu-latest needs: [build] environment: images diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 617283e..609d68f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: Upload AMI +name: Build and upload AMIs on: pull_request: push: @@ -6,6 +6,7 @@ on: - main jobs: build-and-upload: + name: Build and upload AMI for ${{ matrix.release }} ${{ matrix.system.system }} concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.release }}-${{ matrix.system.runs-on }}-${{ matrix.system.system }} cancel-in-progress: true From 826726abb6b6fbd8ae524eb5899c96b49e6d06c3 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 23 Apr 2025 11:50:11 +0200 Subject: [PATCH 40/44] more prettification --- .github/workflows/build-and-upload.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index d456988..85e19d4 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -104,7 +104,8 @@ jobs: image_info: ./result/nix-support/image-info.json images_bucket: ${{ vars.IMAGES_BUCKET }} - - run: | + - name: Get image info + run: | { echo "json< Date: Wed, 23 Apr 2025 11:58:40 +0200 Subject: [PATCH 41/44] Bikeshed name so the GitHub UI doesn't look bad --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 609d68f..9d8c9b2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -6,7 +6,7 @@ on: - main jobs: build-and-upload: - name: Build and upload AMI for ${{ matrix.release }} ${{ matrix.system.system }} + name: ${{ matrix.release }} ${{ matrix.system.system }} concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.release }}-${{ matrix.system.runs-on }}-${{ matrix.system.system }} cancel-in-progress: true From 9288f39c4c7373909083a6bd76efe48a6f2bbb70 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Wed, 23 Apr 2025 16:38:16 +0200 Subject: [PATCH 42/44] Track AMIs in separate flake so we only run the job when the channel is bumped --- .github/workflows/build-and-upload.yml | 48 +++++----------------- .github/workflows/release.yml | 4 ++ amis/flake.lock | 40 ++++++++++++++++++ amis/flake.nix | 54 +++++++++++++++++++++++++ flake.lock | 16 ++++---- upload-ami/src/upload_ami/upload_ami.py | 13 +++++- 6 files changed, 127 insertions(+), 48 deletions(-) create mode 100644 amis/flake.lock create mode 100644 amis/flake.nix diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml index 85e19d4..1ab864d 100644 --- a/.github/workflows/build-and-upload.yml +++ b/.github/workflows/build-and-upload.yml @@ -20,7 +20,7 @@ jobs: name: ${{ steps.build.outputs.name }} digest: ${{ steps.upload-artifact.outputs.artifact-digest }} env: - flakeref: .#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} + flakeref: .?dir=amis#hydraJobs.${{ inputs.release }}.amazonImage.${{ inputs.system }} steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16 
@@ -67,19 +67,17 @@ jobs: - name: Upload smoke test id: upload-smoke-test run: | - image_ids=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "nixos/" --s3-bucket "$images_bucket") - echo "image_ids=$image_ids" >> "$GITHUB_OUTPUT" + predicate=$(nix run .#upload-ami -- --image-info "$image_info" --prefix "nixos/" --s3-bucket "$images_bucket") + echo "predicate=$predicate" >> "$GITHUB_OUTPUT" env: image_info: ./result/nix-support/image-info.json images_bucket: ${{ vars.IMAGES_BUCKET }} - name: Run smoke test id: smoke-test - run: | - image_id=$(echo "$image_ids" | jq -r '.[$ENV.AWS_REGION]') - nix run .#smoke-test -- --image-id "$image_id" + run: nix run .#smoke-test -- --image-id "$image_id" env: - image_ids: ${{ steps.upload-smoke-test.outputs.image_ids }} + image_id: ${{ fromJson(steps.upload-smoke-test.outputs.predicate).image_ids[vars.AWS_REGION] }} - name: Clean up smoke test if: ${{ cancelled() }} @@ -93,39 +91,18 @@ jobs: if: github.ref == 'refs/heads/main' id: upload-amis run: | - image_ids=$(nix run .#upload-ami -- \ + predicate=$(nix run .#upload-ami -- \ --image-info "$image_info" \ --prefix "nixos/" \ --s3-bucket "$images_bucket" \ --copy-to-regions \ --public) - echo "image_ids=$image_ids" >> "GITHUB_OUTPUT" + echo "predicate=$predicate" >> "GITHUB_OUTPUT" env: image_info: ./result/nix-support/image-info.json images_bucket: ${{ vars.IMAGES_BUCKET }} - - name: Get image info - run: | - { - echo "json<> "$GITHUB_OUTPUT" - id: image-info - if: github.ref == 'refs/heads/main' - env: - image_info: ./result/nix-support/image-info.json - - - name: Get caller identity - run: | - { - echo "json<> "$GITHUB_OUTPUT" - id: caller-identity - if: github.ref == 'refs/heads/main' - + # TODO: Only create if something was *actually* uploaded - name: Create upload attestation uses: actions/attest@a63cfcc7d1aab266ee064c58250cfc2c7d07bc31 # v2.1.1 if: github.ref == 'refs/heads/main' 
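Review bot: The `upload-smoke-test` step output is renamed from `image_ids` to `predicate`, but the `Clean up smoke test` step that follows is only partly inside this hunk (its `if: ${{ cancelled() }}` line closes it) and the next hunk starts at old line 93, so its `run`/`env` lines — which earlier in this series read `steps.upload-smoke-test.outputs.image_ids` through jq — appear not to be updated. On cancellation that step would then see an empty `image_ids` and invoke `--cancel` with an empty `--image-id`, leaving the smoke-test AMI behind. Its env line should become `image_id: ${{ fromJson(steps.upload-smoke-test.outputs.predicate).image_ids[vars.AWS_REGION] }}` and its run line `run: nix run .#smoke-test -- --image-id "$image_id" --cancel`, mirroring the new `Run smoke test` step.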
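Review bot: The `upload-amis` step still appends its output with `>> "GITHUB_OUTPUT"` — a literal file in the workspace, not `"$GITHUB_OUTPUT"` — so `steps.upload-amis.outputs.predicate` is never populated; the missing `$` predates this commit, but now it empties the whole `predicate:` input of the attestation step in the following hunk rather than just `imageIds`. The line should read `echo "predicate=$predicate" >> "$GITHUB_OUTPUT"`. The new `# TODO: Only create if something was *actually* uploaded` would be worth turning into an `if:` on a step output once the tool reports that, since otherwise an attestation is produced for every main-branch run regardless of what was uploaded.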
@@ -133,11 +110,4 @@ jobs: subject-name: ${{ needs.build.outputs.name }} subject-digest: sha256:${{ needs.build.outputs.digest }} predicate-type: "https://github.com/NixOS/amis/predicates/upload-ami/v0" - predicate: | - { - "imageInfo": ${{ steps.image-info.outputs.json }}, - "imageIds": ${{ steps.upload-amis.outputs.image_ids }}, - "roleArn": "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/upload-ami", - "accountId": "${{ vars.AWS_ACCOUNT_ID }}", - "callerIdentity": ${{ steps.caller-identity.outputs.json }} - } + predicate: ${{ steps.upload-amis.outputs.predicate }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9d8c9b2..f43638d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,13 @@ name: Build and upload AMIs on: pull_request: + paths: + - amis/** push: branches: - main + paths: + - amis/** jobs: build-and-upload: name: ${{ matrix.release }} ${{ matrix.system.system }} diff --git a/amis/flake.lock b/amis/flake.lock new file mode 100644 index 0000000..06e58d5 --- /dev/null +++ b/amis/flake.lock 
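Review bot: The predicate schema changes here — the camelCase `imageInfo`/`imageIds`/`roleArn`/`accountId`/`callerIdentity` object is replaced by whatever the uploader prints (`image_ids`, `caller_identity`, `image_info` per the Python hunk below) — while `predicate-type` stays at `https://github.com/NixOS/amis/predicates/upload-ami/v0`, so anything verifying on that type now receives two incompatible shapes under one identifier. Either bump the type to `.../upload-ami/v1` or document the `v0` schema wherever the predicate type is defined, and note that `roleArn`/`accountId` are gone and consumers must read `caller_identity.Arn` and `caller_identity.Account` instead. The `with:` block this line belongs to starts in the previous hunk.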
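Review bot: The new `paths: - amis/**` filters on both `pull_request` and `push` mean that a change to the workflow files themselves or to `upload-ami/` — the tool whose stdout now becomes the signed predicate — no longer runs this workflow, so such changes stay unexercised until the next channel bump under `amis/`. If that is intended, say so in a comment next to the filter; otherwise add `- .github/workflows/**` and `- upload-ami/**` to both `paths:` lists so a broken workflow or uploader is caught on the PR that introduces it.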
@@ -0,0 +1,40 @@ +{ + "nodes": { + "nixos_2411": { + "flake": false, + "locked": { + "lastModified": 1745379839, + "narHash": "sha256-4i4BgNmFmWXlDuGnGV9lYxak+48cXP9BUDV2z/KpmRs=", + "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.717196.9684b53175fc/nixexprs.tar.xz" + }, + "original": { + "type": "tarball", + "url": "https://channels.nixos.org/nixos-24.11/nixexprs.tar.xz" + } + }, + "nixos_unstable": { + "flake": false, + "locked": { + "lastModified": 1745351412, + "narHash": "sha256-HQ4k20o3kwWKIMJMMohl23kf3Qn4vZCSLPnbtzTXJig=", + "rev": "c11863f1e964833214b767f4a369c6e6a7aba141", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05pre787278.c11863f1e964/nixexprs.tar.xz" + }, + "original": { + "type": "tarball", + "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" + } + }, + "root": { + "inputs": { + "nixos_2411": "nixos_2411", + "nixos_unstable": "nixos_unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/amis/flake.nix b/amis/flake.nix new file mode 100644 index 0000000..4f8b896 --- /dev/null +++ b/amis/flake.nix 
@@ -0,0 +1,54 @@ +{ + inputs = { + # NOTE: We use the channel tarballs as they contain a .version and + # .version-suffix file with the naming convetions we want. The + # lib.trivial.version for flakes and git repos returns the wrong thing + nixos_2411 = { + url = "https://channels.nixos.org/nixos-24.11/nixexprs.tar.xz"; + flake = false; + }; + nixos_unstable = { + url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"; + flake = false; + }; + }; + + outputs = + inputs: + let + lib = import "${inputs.nixos_unstable}/lib"; + in + { + + hydraJobs = lib.genAttrs [ "nixos_2411" "nixos_unstable" ] ( + release: + let + nixpkgs = inputs.${release}; + # NOTE: we can not use nixpkgs.lib.nixosSystem as that uses + # an extended version of lib that overrides lib.trivial.version + # with something flake-specific which breaks the naming conventions + # for images. (e.g. pre for unstable, beta for 25.05, etc) + nixosSystem = args: import "${nixpkgs}/nixos/lib/eval-config.nix" ({ system = null; } // args); + in + { + amazonImage = lib.genAttrs [ "aarch64-linux" "x86_64-linux" ] ( + system: + (nixosSystem { + modules = [ + # TODO: use @phaer's new images interface + "${nixpkgs}/nixos/maintainers/scripts/ec2/amazon-image.nix" + ( + { config, ... }: + { + system.stateVersion = config.system.nixos.release; + virtualisation.diskSize = "auto"; + nixpkgs.hostPlatform = system; + } + ) + ]; + }).config.system.build.amazonImage + ); + } + ); + }; +} diff --git a/flake.lock b/flake.lock index 1bd0af6..df6ffaa 100644 --- a/flake.lock +++ b/flake.lock 
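Review bot: `lib` is imported from `inputs.nixos_unstable` and then used while evaluating both releases, including `nixos_2411`; since it only serves `genAttrs` here that is harmless, but a comment should say so, e.g. `# lib is only used for genAttrs; each release evaluates with its own nixpkgs below`, so it is not later used for release-specific logic. The first NOTE comment has a typo, `convetions` → `conventions`. Both channel inputs are `flake = false` tarballs fetched from mutable URLs, which is fine only because the committed `amis/flake.lock` pins each by `narHash` — worth a short note in the inputs comment so the lock file is not dropped as "unnecessary" later.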
@@ -3,11 +3,11 @@ "nixos_2411": { "flake": false, "locked": { - "lastModified": 1744533305, - "narHash": "sha256-56qCMHw9q2hkyh6qlbrTKTN102OfZPkXVI4YGLa5Wgc=", - "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d", + "lastModified": 1745379839, + "narHash": "sha256-4i4BgNmFmWXlDuGnGV9lYxak+48cXP9BUDV2z/KpmRs=", + "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3", "type": "tarball", - "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.716947.26d499fc9f1d/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.717196.9684b53175fc/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -17,11 +17,11 @@ "nixos_unstable": { "flake": false, "locked": { - "lastModified": 1744987241, - "narHash": "sha256-n2OqF5zuL7LTrEF4Gx0cUlHccvTm3jPYre0g5snnYK0=", - "rev": "b024ced1aac25639f8ca8fdfc2f8c4fbd66c48ef", + "lastModified": 1745351412, + "narHash": "sha256-HQ4k20o3kwWKIMJMMohl23kf3Qn4vZCSLPnbtzTXJig=", + "rev": "c11863f1e964833214b767f4a369c6e6a7aba141", "type": "tarball", - "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05pre785698.b024ced1aac2/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05pre787278.c11863f1e964/nixexprs.tar.xz" }, "original": { "type": "tarball", diff --git a/upload-ami/src/upload_ami/upload_ami.py b/upload-ami/src/upload_ami/upload_ami.py index a627363..56ca635 100644 --- a/upload-ami/src/upload_ami/upload_ami.py +++ b/upload-ami/src/upload_ami/upload_ami.py @@ -373,7 +373,18 @@ def main() -> None: args.run_id, args.public, ) - print(json.dumps(image_ids)) + + caller_identity = boto3.client("sts").get_caller_identity() + + + with open(args.image_info, "r") as f: + image_info = json.load(f) + + print(json.dumps({ + "image_ids": image_ids, + "caller_identity": caller_identity, + "image_info": image_info, + })) if __name__ == "__main__": From 80258f99a69984d24dbd60b685b3ef46f1d52636 Mon Sep 17 00:00:00 2001 
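Review bot: `get_caller_identity()` returns the raw boto3 response, which includes a `ResponseMetadata` mapping (request id, HTTP headers, retry info) that now ends up verbatim in the signed, published predicate; only `Account`, `Arn` and `UserId` carry meaning there, and the metadata also makes the predicate differ on every run. Strip it before serialising, e.g. `caller_identity.pop("ResponseMetadata", None)` right after the `get_caller_identity()` call, or build the dict from the three fields explicitly. The hunk assumes `boto3` is already imported at module level, which is outside this hunk, and `main()` also begins outside it.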
From: Arian van Putten Date: Wed, 23 Apr 2025 17:02:36 +0200 Subject: [PATCH 43/44] fmt upload-ami --- upload-ami/src/upload_ami/upload_ami.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/upload-ami/src/upload_ami/upload_ami.py b/upload-ami/src/upload_ami/upload_ami.py index 56ca635..569e8f3 100644 --- a/upload-ami/src/upload_ami/upload_ami.py +++ b/upload-ami/src/upload_ami/upload_ami.py @@ -376,15 +376,18 @@ def main() -> None: caller_identity = boto3.client("sts").get_caller_identity() - with open(args.image_info, "r") as f: image_info = json.load(f) - print(json.dumps({ - "image_ids": image_ids, - "caller_identity": caller_identity, - "image_info": image_info, - })) + print( + json.dumps( + { + "image_ids": image_ids, + "caller_identity": caller_identity, + "image_info": image_info, + } + ) + ) if __name__ == "__main__": From d359a747c7b11b1c8f919e18d3c603afc19060a3 Mon Sep 17 00:00:00 2001 From: Arian van Putten Date: Tue, 29 Apr 2025 11:51:02 +0200 Subject: [PATCH 44/44] new workflow only on unstable for now --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f43638d..e24671b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,8 +22,8 @@ jobs: fail-fast: false matrix: release: - - nixos_2411 - # - nixos_unstable + # - nixos_2411 + - nixos_unstable system: - runs-on: ubuntu-latest system: x86_64-linux