restructure CI/CD: flake-check gates all deployments

Consolidate 4 separate workflows into 2:

- ci.yml (pull_request): flake-check -> build-hosts
- deploy.yml (push to main): flake-check -> deploy + build-pi-images

Previously, deploy and build-pi-image ran on push to main without
any checks. Now flake-check must pass before anything gets deployed
or built.
This commit is contained in:
steffen 2026-03-14 13:52:21 +01:00
parent d623a01ebd
commit 8d7794a08c
4 changed files with 64 additions and 79 deletions


@ -1,12 +1,24 @@
name: Build hosts name: CI
on: on: [pull_request]
pull_request:
branches:
- main
jobs: jobs:
flake-check:
runs-on: docker
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: Run flake check
run: nix flake check --impure
build-hosts: build-hosts:
needs: flake-check
runs-on: docker runs-on: docker
steps: steps:
- name: Checkout repository - name: Checkout repository
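Review bot: The actions the new flake-check gate depends on are referenced by mutable tags, `uses: actions/checkout@v4` and `uses: cachix/install-nix-action@v27`, so the code that performs the checkout and installs the toolchain can change underneath the gate without any commit in this repository; the same references recur in every job of deploy.yml. Pin each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (placeholder, take the SHA from the action's release), and bump them deliberately. The `run: nix flake check --impure` step evaluates the pull request's own flake; if pull requests from outside contributors are accepted on this instance, `--impure` lets that evaluation read the runner's environment and arbitrary paths, which I cannot judge from here, so a comment above the step stating the trust assumption would help the next reader. The build-hosts job continues outside the visible hunk.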


@ -1,34 +0,0 @@
name: Deploy cryodev-main
on:
push:
branches:
- main
jobs:
deploy-cryodev-main:
runs-on: docker
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: Set up SSH
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
# Add host key (replace with actual host key or use ssh-keyscan in unsafe environments)
ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
- name: Deploy with deploy-rs
run: |
# Deploy using deploy-rs
nix run github:serokell/deploy-rs -- -s .#cryodev-main


@ -1,27 +1,56 @@
name: Build Raspberry Pi SD Images name: Deploy
on: on:
push: push:
branches: branches:
- main - main
paths:
- 'hosts/**'
- 'modules/**'
- 'templates/**'
- 'flake.nix'
- 'flake.lock'
- 'constants.nix'
workflow_dispatch:
jobs: jobs:
flake-check:
runs-on: docker
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: Run flake check
run: nix flake check --impure
deploy-cryodev-main:
needs: flake-check
runs-on: docker
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: Set up SSH
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
run: |
mkdir -p ~/.ssh
echo "$DEPLOY_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts
- name: Deploy with deploy-rs
run: nix run github:serokell/deploy-rs -- -s .#cryodev-main
build-pi-images: build-pi-images:
needs: flake-check
runs-on: host runs-on: host
strategy: strategy:
matrix: matrix:
# Add new Pi hosts to this list when created
host: [cryodev-pi] host: [cryodev-pi]
fail-fast: false fail-fast: false
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -29,21 +58,19 @@ jobs:
- name: Build SD image for ${{ matrix.host }} - name: Build SD image for ${{ matrix.host }}
run: | run: |
echo "Building SD image for: ${{ matrix.host }}" echo "Building SD image for: ${{ matrix.host }}"
echo "This may take 30-60 minutes with emulation..."
nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.sdImage \ nix build .#nixosConfigurations.${{ matrix.host }}.config.system.build.sdImage \
--extra-platforms aarch64-linux \ --extra-platforms aarch64-linux \
--out-link result-${{ matrix.host }} --out-link result-${{ matrix.host }}
IMAGE_PATH=$(find result-${{ matrix.host }} -name "*.img.zst" -type f | head -1) IMAGE_PATH=$(find result-${{ matrix.host }} -name "*.img.zst" -type f | head -1)
if [ -z "$IMAGE_PATH" ]; then if [ -z "$IMAGE_PATH" ]; then
echo "Error: No image found!" echo "Error: No image found!"
exit 1 exit 1
fi fi
cp "$IMAGE_PATH" ./${{ matrix.host }}-sd-image.img.zst cp "$IMAGE_PATH" ./${{ matrix.host }}-sd-image.img.zst
sha256sum ${{ matrix.host }}-sd-image.img.zst > ${{ matrix.host }}-sd-image.img.zst.sha256 sha256sum ${{ matrix.host }}-sd-image.img.zst > ${{ matrix.host }}-sd-image.img.zst.sha256
echo "Image size:" echo "Image size:"
ls -lh ${{ matrix.host }}-sd-image.img.zst ls -lh ${{ matrix.host }}-sd-image.img.zst
@ -72,19 +99,17 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
VERSION="v$(date +%Y-%m-%d)-$(git rev-parse --short HEAD)" VERSION="v$(date +%Y-%m-%d)-$(git rev-parse --short HEAD)"
# Create release via API
curl -s -X POST \ curl -s -X POST \
-H "Authorization: token ${GITHUB_TOKEN}" \ -H "Authorization: token ${GITHUB_TOKEN}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{\"tag_name\": \"${VERSION}\", \"name\": \"Pi Images ${VERSION}\", \"body\": \"Raspberry Pi SD card images. See docs for usage.\", \"draft\": false, \"prerelease\": false}" \ -d "{\"tag_name\": \"${VERSION}\", \"name\": \"Pi Images ${VERSION}\", \"body\": \"Raspberry Pi SD card images. See docs for usage.\", \"draft\": false, \"prerelease\": false}" \
"https://git.cryodev.xyz/api/v1/repos/${GITHUB_REPOSITORY}/releases" \ "https://git.cryodev.xyz/api/v1/repos/${GITHUB_REPOSITORY}/releases" \
-o release.json -o release.json
RELEASE_ID=$(jq -r '.id' release.json) RELEASE_ID=$(jq -r '.id' release.json)
echo "Release ID: $RELEASE_ID" echo "Release ID: $RELEASE_ID"
# Upload all files
for file in $(find artifacts -type f); do for file in $(find artifacts -type f); do
echo "Uploading: $(basename $file)" echo "Uploading: $(basename $file)"
curl -s -X POST \ curl -s -X POST \
@ -93,5 +118,5 @@ jobs:
--data-binary @"$file" \ --data-binary @"$file" \
"https://git.cryodev.xyz/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $file)" "https://git.cryodev.xyz/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $file)"
done done
echo "Done: https://git.cryodev.xyz/${GITHUB_REPOSITORY}/releases/tag/${VERSION}" echo "Done: https://git.cryodev.xyz/${GITHUB_REPOSITORY}/releases/tag/${VERSION}"
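Review bot: The Set up SSH step of the new deploy-cryodev-main job still fetches the host key at run time with `ssh-keyscan -H cryodev.xyz >> ~/.ssh/known_hosts`, so the known_hosts check this step is preparing never verifies anything — whatever key answers at connect time is accepted, and the deploy key is then used against it. The deleted deploy-cryodev-main.yml carried a comment marking that line as a placeholder to replace with the actual host key; the rewrite drops the comment but keeps the behaviour. Store the host's public key out of band and write it instead: add `DEPLOY_HOST_KEY: ${{ secrets.DEPLOY_SSH_HOST_KEY }}` under `env:` and replace the keyscan line with `echo "$DEPLOY_HOST_KEY" >> ~/.ssh/known_hosts` (the secret name is a constructed example; any name you choose works). Separately, `run: nix run github:serokell/deploy-rs -- -s .#cryodev-main` resolves deploy-rs to whatever its default branch holds at deploy time; pinning it to a revision, `github:serokell/deploy-rs/<rev>`, or to an input locked in flake.lock keeps the deploy tool under the same review as the configuration it deploys. The create-release steps in the later hunks of this file are unchanged apart from dropped comments, and their enclosing job starts outside the visible hunks.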


@ -1,18 +0,0 @@
name: Flake check
on: [pull_request]
jobs:
flake-check:
runs-on: docker
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Nix
uses: cachix/install-nix-action@v27
with:
nix_path: nixpkgs=channel:nixos-unstable
- name: Run flake check
run: nix flake check --impure