chore: use extractions/netrc to configure GitHub API authentication
#2703
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous integration | |
| on: | |
| push: | |
| branches: master | |
| pull_request: | |
| branches: master | |
| workflow_dispatch: # allows manual triggering | |
| schedule: | |
| - cron: '1 11 * * *' | |
| env: | |
| # Bump this number to invalidate the GH actions cache | |
| cache-version: 0 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} | |
| jobs: | |
| lint: | |
| name: Format & Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: tweag/configure-bazel-remote-cache-auth@v0 | |
| with: | |
| buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| bazelrc_path: .bazelrc.auth | |
| - uses: ./.github/actions/set_tcp_keepalive_time | |
| - uses: extractions/netrc@v1 | |
| with: | |
| machine: api.github.com | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure | |
| run: | | |
| cat >>.bazelrc.local <<EOF | |
| common --config=ci | |
| EOF | |
| - run: | | |
| bazelisk test buildifier:buildifier_test | |
| test-nixpkgs: | |
| name: Build & Test - Nixpkgs | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-11] | |
| module: [rules_haskell, rules_haskell_nix, rules_haskell_tests] | |
| bzlmod: [true, false] | |
| ghc: | |
| - 9.2.8 | |
| - 9.4.6 | |
| - 9.6.2 | |
| exclude: | |
| - module: rules_haskell_nix | |
| bzlmod: false | |
| # TODO: in a MODULE.bazel file we declare version specific dependencies, would need to use stack snapshot json | |
| # and stack config per GHC version | |
| - ghc: 9.4.6 | |
| bzlmod: true | |
| - ghc: 9.6.2 | |
| bzlmod: true | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/free_disk_space_on_linux | |
| - name: Mount Bazel cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/repo-cache | |
| key: repo-cache-${{ runner.os }}-nixpkgs-${{ env.cache-version }} | |
| - uses: cachix/install-nix-action@v24 | |
| with: | |
| nix_path: nixpkgs=./nixpkgs/default.nix | |
| extra_nix_config: | | |
| trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= | |
| extra-substituters = https://cache.iog.io | |
| - uses: tweag/configure-bazel-remote-cache-auth@v0 | |
| with: | |
| buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| bazelrc_path: .bazelrc.auth | |
| - uses: ./.github/actions/set_tcp_keepalive_time | |
| - uses: extractions/netrc@v1 | |
| with: | |
| machine: api.github.com | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure | |
| run: | | |
| case ${{ runner.os }} in | |
| macOS) BUILD_CONFIG=ci-macos-nixpkgs;; | |
| Linux) BUILD_CONFIG=ci-linux-nixpkgs;; | |
| esac | |
| cat >>.bazelrc.local <<EOF | |
| common --config=ci | |
| build --config=$BUILD_CONFIG | |
| common --enable_bzlmod=${{ matrix.bzlmod }} | |
| EOF | |
| cp .bazelrc.local rules_haskell_nix | |
| cp .bazelrc.local rules_haskell_tests | |
| - name: Check Bazel version | |
| run: | | |
| nix-shell --arg docTools false --argstr ghcVersion ${{ matrix.ghc }} --pure --run .ci/check-bazel-version | |
| - name: Build & test - rules_haskell | |
| if: matrix.module == 'rules_haskell' | |
| run: | | |
| nix-shell --arg docTools false --argstr ghcVersion ${{ matrix.ghc }} --pure --run ' | |
| set -euo pipefail | |
| bazel test //... | |
| bazel build //docs:api_html | |
| bazel build //docs:guide_html | |
| ' | |
| - name: Build & test - rules_haskell_nix | |
| if: matrix.module == 'rules_haskell_nix' | |
| run: | | |
| nix-shell --arg docTools false --argstr ghcVersion ${{ matrix.ghc }} --pure --run ' | |
| set -euo pipefail | |
| cd rules_haskell_nix | |
| bazel test //... | |
| ' | |
| - name: Build & test - rules_haskell_tests | |
| if: matrix.module == 'rules_haskell_tests' | |
| run: | | |
| nix-shell --arg docTools false --argstr ghcVersion ${{ matrix.ghc }} --pure --run ' | |
| set -euo pipefail | |
| cd rules_haskell_tests | |
| # XXX run start script `--with-bzlmod=true` when supported | |
| if ! ${{ matrix.bzlmod }}; then | |
| ./tests/run-start-script.sh --use-nix --with-bzlmod=${{ matrix.bzlmod }} | |
| fi | |
| bazel build //tests:run-tests | |
| ./bazel-ci-bin/tests/run-tests | |
| bazel coverage //... | |
| ' | |
| test-bindist: | |
| name: Build & Test - bindist | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-11, windows-latest] | |
| module: [rules_haskell, rules_haskell_tests] | |
| bzlmod: [true, false] | |
| ghc: | |
| - 9.2.8 | |
| - 9.4.6 | |
| - 9.6.2 | |
| exclude: | |
| # TODO: in a MODULE.bazel file we declare version specific dependencies, would need to use stack snapshot json | |
| # and stack config per GHC version | |
| - ghc: 9.4.6 | |
| bzlmod: true | |
| - ghc: 9.6.2 | |
| bzlmod: true | |
| # currently proto-lens-protoc fails with an access violation on Windows | |
| - ghc: 9.6.2 | |
| os: windows-latest | |
| env: | |
| # prevent auto-detection of system compilers on Windows | |
| BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN: ${{ matrix.os == 'windows-latest' && 1 || 0 }} | |
| # do not use Xcode on macOS | |
| BAZEL_USE_CPP_ONLY_TOOLCHAIN: ${{ matrix.os == 'macos-11' && 1 || 0 }} | |
| GHC_VERSION: ${{ matrix.ghc }} | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/free_disk_space_on_linux | |
| - uses: ./.github/actions/install_apt_pkgs | |
| with: | |
| packages: libtinfo5 | |
| - name: Mount Bazel cache | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/repo-cache | |
| key: repo-cache-${{ runner.os }}-bindist-${{ env.cache-version }} | |
| - name: Install Bazel | |
| shell: bash | |
| run: | | |
| BAZEL_DIR="$(.ci/fetch-bazel-bindist)" | |
| mv $BAZEL_DIR $HOME/bazel | |
| echo "$HOME/bazel" >> "$GITHUB_PATH" | |
| - uses: tweag/configure-bazel-remote-cache-auth@v0 | |
| with: | |
| buildbuddy_api_key: ${{ secrets.BUILDBUDDY_API_KEY }} | |
| bazelrc_path: .bazelrc.auth | |
| - uses: ./.github/actions/set_tcp_keepalive_time | |
| - uses: extractions/netrc@v1 | |
| with: | |
| machine: api.github.com | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure | |
| shell: bash | |
| run: | | |
| case "${{ runner.os }},${{ matrix.module }}" in | |
| macOS,*) BUILD_CONFIG=ci-macos-bindist;; | |
| Linux,*) BUILD_CONFIG=ci-linux-bindist;; | |
| Windows,rules_haskell) BUILD_CONFIG=ci-windows-bindist-rules-haskell;; | |
| Windows,rules_haskell_tests) BUILD_CONFIG=ci-windows-bindist-rules-haskell-tests;; | |
| esac | |
| if [[ ${{ runner.os }} == Windows ]]; then | |
| output_root_setting="startup --output_user_root=C:/_bzl" | |
| # On windows, we use a separate remote cache for bzlmod, | |
| # because the c dependency analysis is leaking absolute paths which are different | |
| if ${{ matrix.bzlmod }}; then | |
| bzlmod_cache_silo_key='build --remote_default_exec_properties=bzlmod-cache-silo-key=bzlmod' | |
| else | |
| bzlmod_cache_silo_key='build --remote_default_exec_properties=bzlmod-cache-silo-key=workspace' | |
| fi | |
| else | |
| output_root_setting="" | |
| bzlmod_cache_silo_key="" | |
| fi | |
| cat >>.bazelrc.local <<EOF | |
| common --config=ci | |
| build --config=$BUILD_CONFIG | |
| $output_root_setting | |
| $bzlmod_cache_silo_key | |
| common --enable_bzlmod=${{ matrix.bzlmod }} | |
| EOF | |
| cp .bazelrc.local rules_haskell_tests | |
| - name: Build & test - rules_haskell | |
| if: matrix.module == 'rules_haskell' | |
| shell: bash | |
| run: | | |
| # Quote the package specifier so that it works on Windows | |
| bazel test "//..." | |
| - name: Build & test - rules_haskell_tests | |
| if: matrix.module == 'rules_haskell_tests' | |
| shell: bash | |
| run: | | |
| cd rules_haskell_tests | |
| ./tests/run-start-script.sh --use-bindists --with-bzlmod=${{ matrix.bzlmod }} | |
| # Quote the package specifier so that it works on Windows | |
| bazel test "//..." | |
| # Test stack_snapshot pinning | |
| # NOTE keep in sync with tests/RunTests.hs | |
| bazel run @stackage-pinning-test-unpinned//:pin | |
| bazel build @stackage-pinning-test//:hspec | |
| - name: Collect Logs | |
| id: collect_logs | |
| if: failure() | |
| shell: bash | |
| run: | | |
| mkdir -p logs | |
| if [[ ${{ matrix.module }} == 'rules_haskell_tests' ]]; then | |
| dir=rules_haskell_tests | |
| else | |
| dir=. | |
| fi | |
| base=$( cd "$dir" ; bazel info output_base ) | |
| find "$base" -mindepth 1 -maxdepth 1 -name "java*.log.*" -print0 | xargs -0rI % cp % logs/ | |
| - name: Upload Logs | |
| if: ${{ failure() && steps.collect_logs.conclusion == 'success' }} | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: Logs ${{ matrix.os }} ${{ matrix.module }} ${{ matrix.bzlmod }} | |
| path: logs | |
| all_ci_tests: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - lint | |
| - test-nixpkgs | |
| - test-bindist | |
| if: ${{ always() }} | |
| steps: | |
| - uses: cgrindel/gha_join_jobs@794a2d117251f22607f1aab937d3fd3eaaf9a2f5 # v1 | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} |