stages: - ci - artifacts - publish variables: # Makes some things print in color TERM: ansi # Faster cache and artifact compression / decompression FF_USE_FASTZIP: true # Print progress reports for cache and artifact transfers TRANSFER_METER_FREQUENCY: 5s # Avoid duplicate pipelines # See: https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines workflow: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS when: never - if: $CI before_script: # Enable nix-command and flakes - if command -v nix > /dev/null; then echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi # Add conduwuit binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduwuit" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE=" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduit" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk=" >> /etc/nix/nix.conf; fi # Add alternate binary cache - if command -v nix > /dev/null && [ -n "$ATTIC_ENDPOINT" ]; then echo "extra-substituters = $ATTIC_ENDPOINT" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null && [ -n "$ATTIC_PUBLIC_KEY" ]; then echo "extra-trusted-public-keys = $ATTIC_PUBLIC_KEY" >> /etc/nix/nix.conf; fi # Add Lix binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://cache.lix.systems" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" >> /etc/nix/nix.conf; fi # Add crane binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://crane.cachix.org" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk=" >> /etc/nix/nix.conf; fi # Add nix-community binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://nix-community.cachix.org" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> /etc/nix/nix.conf; fi # Install direnv and nix-direnv - if command -v nix > /dev/null; then nix-env -iA nixpkgs.direnv nixpkgs.nix-direnv; fi # Allow .envrc - if command -v nix > /dev/null; then direnv allow; fi # Set CARGO_HOME to a cacheable path - export CARGO_HOME="$(git rev-parse --show-toplevel)/.gitlab-ci.d/cargo" ci: stage: ci image: nixos/nix:2.24.9 script: # Cache CI dependencies - ./bin/nix-build-and-cache ci - direnv exec . engage cache: key: nix paths: - target - .gitlab-ci.d rules: # CI on upstream runners (only available for maintainers) - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $IS_UPSTREAM_CI == "true" # Manual CI on unprotected branches that are not MRs - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_REF_PROTECTED == "false" when: manual # Manual CI on forks - if: $IS_UPSTREAM_CI != "true" when: manual - if: $CI interruptible: true artifacts: stage: artifacts image: nixos/nix:2.24.9 script: - ./bin/nix-build-and-cache just .#static-x86_64-unknown-linux-musl - cp result/bin/conduit x86_64-unknown-linux-musl - mkdir -p target/release - cp result/bin/conduit target/release - direnv exec . cargo deb --no-build --no-strip - mv target/debian/*.deb x86_64-unknown-linux-musl.deb # Since the OCI image package is based on the binary package, this has the # fun side effect of uploading the normal binary too. Conduit users who are # deploying with Nix can leverage this fact by adding our binary cache to # their systems. # # Note that although we have an `oci-image-x86_64-unknown-linux-musl` # output, we don't build it because it would be largely redundant to this # one since it's all containerized anyway. - ./bin/nix-build-and-cache just .#oci-image - cp result oci-image-amd64.tar.gz - ./bin/nix-build-and-cache just .#static-aarch64-unknown-linux-musl - cp result/bin/conduit aarch64-unknown-linux-musl - ./bin/nix-build-and-cache just .#oci-image-aarch64-unknown-linux-musl - cp result oci-image-arm64v8.tar.gz - ./bin/nix-build-and-cache just .#book # We can't just copy the symlink, we need to dereference it https://gitlab.com/gitlab-org/gitlab/-/issues/19746 - cp -r --dereference result public artifacts: paths: - x86_64-unknown-linux-musl - aarch64-unknown-linux-musl - x86_64-unknown-linux-musl.deb - oci-image-amd64.tar.gz - oci-image-arm64v8.tar.gz - public rules: # CI required for all MRs - if: $CI_PIPELINE_SOURCE == "merge_request_event" # Optional CI on forks - if: $IS_UPSTREAM_CI != "true" when: manual allow_failure: true - if: $CI interruptible: true pages: stage: publish dependencies: - artifacts only: - next script: - "true" artifacts: paths: - public