mirror of
				https://github.com/matter-labs/teepot.git
				synced 2025-10-26 03:34:06 +01:00 
			
		
		
		
	 c369fb7c83
			
		
	
	
		c369fb7c83
		
			
		
	
	
	
	
		
			
			- Replaced outdated substituter URL with a new static IP-based URL. - Ensures proper configuration and access to the required substituter.
		
			
				
	
	
		
			158 lines
		
	
	
	
		
			7.1 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			158 lines
		
	
	
	
		
			7.1 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| name: nix
 | |
| 
 | |
| on:
 | |
|   pull_request:
 | |
|     branches: ["main"]
 | |
|   push:
 | |
|     branches: ["main"]
 | |
|     tags: ["*"]
 | |
| 
 | |
| concurrency:
 | |
|   group: ${{ github.workflow }}-${{ github.ref }}
 | |
|   cancel-in-progress: true
 | |
| 
 | |
| jobs:
 | |
|   check:
 | |
|     runs-on: ubuntu-latest
 | |
|     steps:
 | |
|       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 | |
|       - uses: cachix/install-nix-action@v31
 | |
|         with:
 | |
|           install_url: https://releases.nixos.org/nix/nix-2.28.3/install
 | |
|           extra_nix_config: |
 | |
|             access-tokens = github.com=${{ github.token }}
 | |
|             trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
 | |
|             substituters = https://cache.nixos.org/ https://static.188.92.12.49.clients.your-server.de/tee-pot
 | |
|             sandbox = true
 | |
|       - name: Setup Attic cache
 | |
|         uses: ryanccn/attic-action@v0
 | |
|         with:
 | |
|           endpoint: https://static.188.92.12.49.clients.your-server.de/
 | |
|           cache: tee-pot
 | |
|           token: ${{ secrets.ATTIC_TOKEN }}
 | |
| 
 | |
|       - run: nix flake check -L --show-trace --keep-going
 | |
| 
 | |
|   build:
 | |
|     needs: check
 | |
|     runs-on: [matterlabs-default-infra-runners]
 | |
|     steps:
 | |
|       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 | |
|       - uses: cachix/install-nix-action@v31
 | |
|         with:
 | |
|           install_url: https://releases.nixos.org/nix/nix-2.28.3/install
 | |
|           extra_nix_config: |
 | |
|             access-tokens = github.com=${{ github.token }}
 | |
|             trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
 | |
|             substituters = https://cache.nixos.org/ https://static.188.92.12.49.clients.your-server.de/tee-pot
 | |
|             sandbox = true
 | |
|       - name: Setup Attic cache
 | |
|         uses: ryanccn/attic-action@v0
 | |
|         with:
 | |
|           endpoint: https://static.188.92.12.49.clients.your-server.de/
 | |
|           cache: tee-pot
 | |
|           token: ${{ secrets.ATTIC_TOKEN }}
 | |
| 
 | |
|       - name: nix build
 | |
|         run: nix run github:nixos/nixpkgs/nixos-23.11#nixci
 | |
| 
 | |
|   push_to_docker:
 | |
|     needs: build
 | |
|     runs-on: [matterlabs-default-infra-runners]
 | |
|     concurrency:
 | |
|       group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.nixpackage }}
 | |
|       cancel-in-progress: true
 | |
|     strategy:
 | |
|       fail-fast: false
 | |
|       matrix:
 | |
|         config:
 | |
|           - { nixpackage: 'container-vault-sgx-azure' }
 | |
|           - { nixpackage: 'container-vault-unseal-sgx-azure' }
 | |
|           - { nixpackage: 'container-vault-admin-sgx-azure' }
 | |
|           - { nixpackage: 'container-vault-unseal' }
 | |
|           - { nixpackage: 'container-vault-admin' }
 | |
|           - { nixpackage: 'container-self-attestation-test-sgx-dcap' }
 | |
|           - { nixpackage: 'container-self-attestation-test-sgx-azure' }
 | |
|           - { nixpackage: 'container-verify-attestation-sgx' }
 | |
|           - { nixpackage: 'container-verify-era-proof-attestation-sgx' }
 | |
|           - { nixpackage: 'container-tdx-test' }
 | |
|     steps:
 | |
|       - uses: actions/checkout@v4
 | |
|       - uses: cachix/install-nix-action@v31
 | |
|         with:
 | |
|           install_url: https://releases.nixos.org/nix/nix-2.28.3/install
 | |
|           extra_nix_config: |
 | |
|             access-tokens = github.com=${{ github.token }}
 | |
|             trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= tee-pot:SS6HcrpG87S1M6HZGPsfo7d1xJccCGev7/tXc5+I4jg=
 | |
|             substituters = https://cache.nixos.org/ https://static.188.92.12.49.clients.your-server.de/tee-pot
 | |
|             sandbox = true
 | |
|       - name: Setup Attic cache
 | |
|         uses: ryanccn/attic-action@v0
 | |
|         with:
 | |
|           endpoint: https://static.188.92.12.49.clients.your-server.de/
 | |
|           cache: tee-pot
 | |
|           token: ${{ secrets.ATTIC_TOKEN }}
 | |
| 
 | |
|       - name: Login to GitHub Container Registry
 | |
|         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
 | |
|         with:
 | |
|           registry: ghcr.io
 | |
|           username: ${{ github.actor }}
 | |
|           password: ${{ secrets.GITHUB_TOKEN }}
 | |
| 
 | |
|       - name: Load container
 | |
|         id: build
 | |
|         run: |
 | |
|           nix build --accept-flake-config -L .#${{ matrix.config.nixpackage }}
 | |
|           export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
 | |
|           echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
 | |
|           echo "IMAGE_NAME=${IMAGE_TAG%:*}" >> "$GITHUB_OUTPUT"
 | |
| 
 | |
|       - name: Push container
 | |
|         run: |
 | |
|           echo "Pushing image ${{ steps.build.outputs.IMAGE_TAG }} to GitHub Container Registry"
 | |
|           docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_TAG }}"
 | |
|           docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_TAG }}"
 | |
| 
 | |
|       - name: Tag container as latest
 | |
|         if: ${{ github.event_name == 'push' }}
 | |
|         run: |
 | |
|           docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
 | |
|           docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:latest"
 | |
| 
 | |
|       - name: Tag container with tag
 | |
|         if: ${{ github.event_name == 'push' && github.ref_type == 'tag' }}
 | |
|         run: |
 | |
|           docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME"
 | |
|           docker push "ghcr.io/${{ github.repository_owner }}"/"${{ steps.build.outputs.IMAGE_NAME }}:$GITHUB_REF_NAME"
 | |
| 
 | |
|       - name: Generate build ID for Flux Image Automation
 | |
|         id: flux
 | |
|         if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags') }}
 | |
|         run: |
 | |
|           sha=$(git rev-parse --short HEAD)
 | |
|           ts=$(date +%s%N | cut -b1-13)
 | |
|           echo "BUILD_ID=${sha}-${ts}" >> "$GITHUB_OUTPUT"
 | |
| 
 | |
|       - name: Generate build ID for Flux Image Automation
 | |
|         id: tag
 | |
|         if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
 | |
|         run: |
 | |
|           echo "BUILD_ID=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
 | |
| 
 | |
|       - name: Auth to google artifact registry
 | |
|         if: ${{ github.event_name == 'push' }}
 | |
|         run: |
 | |
|           gcloud auth configure-docker us-docker.pkg.dev -q
 | |
| 
 | |
|       - name: Push Docker image to matterlabs-infra
 | |
|         if: ${{ github.event_name == 'push' && !startsWith(github.ref, 'refs/tags') }}
 | |
|         run: |
 | |
|           docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.flux.outputs.BUILD_ID }}"
 | |
|           docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.flux.outputs.BUILD_ID }}"
 | |
| 
 | |
|       - name: Push Docker image to matterlabs-infra
 | |
|         if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags') }}
 | |
|         run: |
 | |
|           docker tag "${{ steps.build.outputs.IMAGE_TAG }}" "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.tag.outputs.BUILD_ID }}"
 | |
|           docker push "us-docker.pkg.dev/matterlabs-infra/matterlabs-docker/${{ steps.build.outputs.IMAGE_NAME }}:${{ steps.tag.outputs.BUILD_ID }}"
 |