Add manual push script #609
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check PR | |
on: | |
pull_request: | |
jobs: | |
check-pr: | |
strategy: | |
matrix: | |
os: [ubuntu-22.04, macos-14] | |
runs-on: ${{ matrix.os }} | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: DeterminateSystems/nix-installer-action@main | |
with: | |
extra-conf: | | |
substituters = https://cache.nixos.org https://cosmosnix-store.s3.us-east-2.amazonaws.com | |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cosmosnix.store-1:O28HneR1MPtgY3WYruWFuXCimRPwY7em5s0iynkQxdk= | |
- name: Check 🔎 | |
run: | | |
nix flake check | |
- name: Run Shell 🐚 | |
run: | | |
nix develop | |
# NOTE: the if conditions below mean that we only run these steps for Pull Requests from non-forks | |
# This is partially due to this issue https://github.com/aws-actions/configure-aws-credentials/issues/373. | |
# And partially because a malicious actor could fork the repo and fill our cache with junk. | |
# Note that the cache will be pushed when merged to main, so PR's from forks that make it in will still | |
# populate the cache | |
- name: Authenticate 🔒 | |
uses: aws-actions/configure-aws-credentials@v4 | |
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} | |
with: | |
aws-region: us-east-2 | |
retry-max-attempts: 3 | |
role-to-assume: arn:aws:iam::762411426253:role/push-cosmosnix-store | |
role-session-name: InformalSystemsGithubAction | |
- name: Push Cache 🫸💨📦 | |
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} | |
env: | |
SIGNING_KEY: ${{ secrets.SECRET_STORE_SIGNING_KEY }} | |
run: | | |
echo "$SIGNING_KEY" >> key | |
nix store sign -k key --all | |
nix copy --to "s3://cosmosnix-store?region=us-east-2" --all |