xin/bin/ci

#!/usr/bin/env sh

. ./common.sh

if [ -f ./lock ]; then
	msg "${SCRIPT_NAME} locked..."
	exit 0
fi

direnv allow

CMD=${1:-""}

eval $(keychain --eval --agents ssh --inherit any)

git config user.signingkey /run/secrets/ci_signing_ed25519_key
git config commit.gpgsign true
git config gpg.ssh.allowedSignersFile .allowed_signers

start_ci

trap ci_error INT TERM

ci_branch=$(date +"%Y%m%dT%H%M%S%z")
can_sign=0

for i in $(ssh-add -L | awk '{print $NF}'); do
	grep -q $i .allowed_signers && can_sign=1
done

if [ $can_sign != 1 ]; then
	echo "Can't find signing key."
	exit 1
fi

git checkout main || handle_co_fail "main"
git pull || handle_pull_fail

if [ "${1}" = "update" ]; then
	if ! git checkout -b "${ci_branch}"; then
		handle_co_fail "${ci_branch}"
		exit 1
	fi

	bin/deploy watch update
	if ! git diff --exit-code >/dev/null; then
		git add pull_requests
		git commit -m 'watched: update watched pull requests'
	fi

	for inp in $(nix flake metadata --json | jq -r '.locks.nodes.root.inputs | keys[] as $k | $k'); do
		if ! git checkout -b "${ci_branch}_${inp}"; then
			handle_co_fail "${ci_branch}_${inp}"
			continue
		fi

		current_hash="$(git rev-parse HEAD)"

		if ! nix flake update --commit-lock-file "$inp"; then
			handle_update_fail "$inp"
			continue
		fi

		maybe_new_hash="$(git rev-parse HEAD)"

		if [ "${current_hash}" != "${maybe_new_hash}" ]; then
			if ! nix flake check --print-build-logs; then
				handle_update_check_fail "$inp"
				continue
			fi
		else
			msg "No change in input, skipping checks."
		fi

		if ! git checkout "${ci_branch}"; then
			handle_co_fail "${ci_branch}"
			continue
		fi

		if ! git merge "${ci_branch}_${inp}"; then
			handle_merge_fail "${ci_branch}_${inp}" "${ci_branch}"
			continue
		fi
	done

	if ! nix flake check --print-build-logs; then
		handle_update_check_fail "$ci_branch"
		exit 1
	fi

	if ! git checkout main; then
		handle_co_fail
		exit 1
	fi
	if ! git merge "${ci_branch}"; then
		handle_merge_fail "${ci_branch}" "main"
		exit 1
	fi

	# Agent is configured to forget keys after X, if that happens we need to re-add before push
	agentHasKey "$(cat /run/secrets/ci_ed25519_pub | awk '{print $2}')" ||
		ssh-add /run/secrets/ci_ed25519_key
	if ! git push; then
		handle_push_fail
		exit 1
	fi
else
	if ! nix flake check --print-build-logs; then
		handle_check_fail
		exit 1
	fi
fi

finish_ci
ci: add initial bits for CI 2023-01-29 06:11:36 -07:00			`#!/usr/bin/env sh`

			`. ./common.sh`

ci: add the ability to lock ci from running 2023-07-18 20:28:18 -06:00			`if [ -f ./lock ]; then`
			`msg "${SCRIPT_NAME} locked..."`
			`exit 0`
			`fi`

ci: embrace direnv \o/ 2023-02-03 06:13:54 -07:00			`direnv allow`
ci: don't rely on direnv for establishing the build env 2023-02-03 06:05:43 -07:00
ci: always set var for checking 2023-01-29 08:58:35 -07:00			`CMD=${1:-""}`

ci: install keychain for use in scripts 2023-03-03 07:48:42 -07:00			`eval $(keychain --eval --agents ssh --inherit any)`

ci: use specific key for signing 2023-06-14 12:10:02 -06:00			`git config user.signingkey /run/secrets/ci_signing_ed25519_key`
ci: set git config every run 2023-06-14 08:07:04 -06:00			`git config commit.gpgsign true`
			`git config gpg.ssh.allowedSignersFile .allowed_signers`
ci: set signing key if not already set 2023-06-13 15:36:47 -06:00
ci: add signing key to allowed stuffs 2023-01-31 14:26:29 -07:00			`start_ci`
ci: do everything in a tmux session 2023-01-29 08:29:43 -07:00
ci: move back to non-tmux 2023-01-31 05:23:20 -07:00			`trap ci_error INT TERM`
ci: debug line 2023-01-29 10:01:15 -07:00
ci: move back to non-tmux 2023-01-31 05:23:20 -07:00			`ci_branch=$(date +"%Y%m%dT%H%M%S%z")`
			`can_sign=0`
ci: add initial bits for CI 2023-01-29 06:11:36 -07:00
ci: move back to non-tmux 2023-01-31 05:23:20 -07:00			`for i in $(ssh-add -L \| awk '{print $NF}'); do`
			`grep -q $i .allowed_signers && can_sign=1`
			`done`
ci: add initial bits for CI 2023-01-29 06:11:36 -07:00
ci: move back to non-tmux 2023-01-31 05:23:20 -07:00			`if [ $can_sign != 1 ]; then`
			`echo "Can't find signing key."`
			`exit 1`
ci: call ci from ci 2023-01-29 08:52:54 -07:00			`fi`
ci: move back to non-tmux 2023-01-31 05:23:20 -07:00
ci: ensure we are on main before running 2023-05-24 06:04:58 -06:00			`git checkout main \|\| handle_co_fail "main"`
ci: add the rest of the git steps 2023-01-31 16:28:08 -07:00			`git pull \|\| handle_pull_fail`
ci: add the ability to run without updating 2023-02-02 10:38:40 -07:00
			`if [ "${1}" = "update" ]; then`
ci: actually error when we have errors 2023-02-27 07:14:00 -07:00			`if ! git checkout -b "${ci_branch}"; then`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00			`handle_co_fail "${ci_branch}"`
ci: actually error when we have errors 2023-02-27 07:14:00 -07:00			`exit 1`
			`fi`
ci: update watch list when we run an update 2023-05-23 14:56:12 -06:00
deploy: use path relative to bin 2023-05-23 20:48:53 -06:00			`bin/deploy watch update`
ci: update watch list when we run an update 2023-05-23 14:56:12 -06:00			`if ! git diff --exit-code >/dev/null; then`
			`git add pull_requests`
			`git commit -m 'watched: update watched pull requests'`
			`fi`
all: fmt 2024-06-28 09:37:50 -06:00
ci: alert on failed input updates but continue updating other inputs 2023-05-09 18:31:04 -06:00			`for inp in $(nix flake metadata --json \| jq -r '.locks.nodes.root.inputs \| keys[] as $k \| $k'); do`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00			`if ! git checkout -b "${ci_branch}_${inp}"; then`
			`handle_co_fail "${ci_branch}_${inp}"`
			`continue`
			`fi`

ci: only run 'flake check' when we have a new commit 2023-07-17 06:22:16 -06:00			`current_hash="$(git rev-parse HEAD)"`

ci: switch to "nix flake update" syntax 2024-05-13 05:45:05 -06:00			`if ! nix flake update --commit-lock-file "$inp"; then`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00			`handle_update_fail "$inp"`
			`continue`
			`fi`

ci: only run 'flake check' when we have a new commit 2023-07-17 06:22:16 -06:00			`maybe_new_hash="$(git rev-parse HEAD)"`

			`if [ "${current_hash}" != "${maybe_new_hash}" ]; then`
ci: switch back to printing output to stderr 2024-05-20 06:56:47 -06:00			`if ! nix flake check --print-build-logs; then`
			`handle_update_check_fail "$inp"`
ci: only run 'flake check' when we have a new commit 2023-07-17 06:22:16 -06:00			`continue`
			`fi`
			`else`
			`msg "No change in input, skipping checks."`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00			`fi`

			`if ! git checkout "${ci_branch}"; then`
			`handle_co_fail "${ci_branch}"`
			`continue`
			`fi`

			`if ! git merge "${ci_branch}_${inp}"; then`
			`handle_merge_fail "${ci_branch}_${inp}" "${ci_branch}"`
			`continue`
ci: alert on failed input updates but continue updating other inputs 2023-05-09 18:31:04 -06:00			`fi`
			`done`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00
ci: switch back to printing output to stderr 2024-05-20 06:56:47 -06:00			`if ! nix flake check --print-build-logs; then`
			`handle_update_check_fail "$ci_branch"`
ci: actually error when we have errors 2023-02-27 07:14:00 -07:00			`exit 1`
			`fi`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00
ci: actually error when we have errors 2023-02-27 07:14:00 -07:00			`if ! git checkout main; then`
			`handle_co_fail`
			`exit 1`
			`fi`
			`if ! git merge "${ci_branch}"; then`
ci: run 'nix flake check' for each input as we update them 2023-05-09 19:02:59 -06:00			`handle_merge_fail "${ci_branch}" "main"`
ci: actually error when we have errors 2023-02-27 07:14:00 -07:00			`exit 1`
			`fi`
ci: re-add ci key to agent When a CI job runs long the agent might have removed the key, so add it back in. 2023-02-18 06:45:53 -07:00
			`# Agent is configured to forget keys after X, if that happens we need to re-add before push`
			`agentHasKey "$(cat /run/secrets/ci_ed25519_pub \| awk '{print $2}')" \|\|`
			`ssh-add /run/secrets/ci_ed25519_key`
ci: actually error when we have errors 2023-02-27 07:14:00 -07:00			`if ! git push; then`
			`handle_push_fail`
			`exit 1`
			`fi`
ci: add the ability to run without updating 2023-02-02 10:38:40 -07:00			`else`
ci: switch back to printing output to stderr 2024-05-20 06:56:47 -06:00			`if ! nix flake check --print-build-logs; then`
			`handle_check_fail`
ci: improve errors a bit 2023-03-27 06:09:11 -06:00			`exit 1`
			`fi`
ci: add the ability to run without updating 2023-02-02 10:38:40 -07:00			`fi`

ci: remove signing key when done 2023-06-16 09:28:51 -06:00			`finish_ci`