name: nix on: pull_request: branches: [ "main" ] push: branches: [ "main" ] concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: check: runs-on: ubuntu-latest steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - uses: cachix/install-nix-action@v27 with: extra_nix_config: | access-tokens = github.com=${{ github.token }} - uses: cachix/cachix-action@v15 with: name: nixsgx authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' extraPullNames: vault-auth-tee - name: Enable magic Nix cache uses: DeterminateSystems/magic-nix-cache-action@main - run: nix flake check -L --show-trace --keep-going build: needs: check runs-on: ubuntu-latest steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 - uses: cachix/install-nix-action@v27 with: extra_nix_config: | access-tokens = github.com=${{ github.token }} - uses: cachix/cachix-action@v15 with: name: nixsgx authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' extraPullNames: vault-auth-tee - name: Enable magic Nix cache uses: DeterminateSystems/magic-nix-cache-action@main - name: nix build run: nix run github:nixos/nixpkgs/nixos-23.11#nixci push_to_docker: needs: build if: ${{ github.event_name == 'push' }} runs-on: ubuntu-latest concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }} cancel-in-progress: true strategy: fail-fast: false matrix: config: - { nixpackage: 'container-vault-sgx-azure', dockerfile: 'packages/container-vault-sgx-azure/Dockerfile', repository: 'teepot-vault' } - { nixpackage: 'container-vault-unseal-sgx-azure', dockerfile: 'packages/container-vault-unseal-sgx-azure/Dockerfile', repository: 'teepot-tvu' } - { nixpackage: 'container-vault-admin-sgx-azure', dockerfile: 'packages/container-vault-admin-sgx-azure/Dockerfile', repository: 'teepot-tva' } - { nixpackage: 'container-self-attestation-test-sgx-dcap', dockerfile: 'packages/container-self-attestation-test-sgx-dcap/Dockerfile', repository: 'teepot-self-attestation-test-sgx-dcap' } - { nixpackage: 'container-self-attestation-test-sgx-azure', dockerfile: 'packages/container-self-attestation-test-sgx-azure/Dockerfile', repository: 'teepot-self-attestation-test-sgx-azure' } - { nixpackage: 'container-verify-attestation-sgx-dcap' } - { nixpackage: 'container-verify-attestation-sgx-azure' } steps: - uses: actions/checkout@v4 - uses: cachix/install-nix-action@v27 with: extra_nix_config: | access-tokens = github.com=${{ github.token }} - uses: cachix/cachix-action@v15 with: name: nixsgx authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' extraPullNames: vault-auth-tee - name: Enable magic Nix cache uses: DeterminateSystems/magic-nix-cache-action@main - name: Log in to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Load and Push nix container run: | nix build -L .#${{ matrix.config.nixpackage }} export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*') echo "Pushing image ${IMAGE_TAG} to Docker Hub" docker tag "${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG}" docker push matterlabsrobot/"${IMAGE_TAG}" docker tag matterlabsrobot/"${IMAGE_TAG}" matterlabsrobot/"${IMAGE_TAG%:*}:latest" docker push matterlabsrobot/"${IMAGE_TAG%:*}:latest" - name: Generate build ID for Flux Image Automation if: ${{ matrix.config.dockerfile }} id: buildid run: | sha=$(git rev-parse --short HEAD) ts=$(date +%s%N | cut -b1-13) echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT" - name: Build and Push Container if: ${{ matrix.config.dockerfile }} uses: docker/build-push-action@v5 with: file: ${{ matrix.config.dockerfile }} tags: | "matterlabsrobot/${{ matrix.config.repository }}:latest" "matterlabsrobot/${{ matrix.config.repository }}:${{ steps.buildid.outputs.BUILD_ID }}" push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}