xin/bin/ci

116 lines
2.5 KiB
Bash
Executable File

#!/usr/bin/env sh
. ./common.sh
if [ -f ./lock ]; then
msg "${SCRIPT_NAME} locked..."
exit 0
fi
direnv allow
CMD=${1:-""}
eval $(keychain --eval --agents ssh --inherit any)
git config user.signingkey /run/secrets/ci_signing_ed25519_key
git config commit.gpgsign true
git config gpg.ssh.allowedSignersFile .allowed_signers
start_ci
trap ci_error INT TERM
ci_branch=$(date +"%Y%m%dT%H%M%S%z")
can_sign=0
for i in $(ssh-add -L | awk '{print $NF}'); do
grep -q $i .allowed_signers && can_sign=1
done
if [ $can_sign != 1 ]; then
echo "Can't find signing key."
exit 1
fi
git checkout main || handle_co_fail "main"
git pull || handle_pull_fail
if [ "${1}" = "update" ]; then
if ! git checkout -b "${ci_branch}"; then
handle_co_fail "${ci_branch}"
exit 1
fi
bin/deploy watch update
if ! git diff --exit-code >/dev/null; then
git add pull_requests
git commit -m 'watched: update watched pull requests'
fi
for inp in $(nix flake metadata --json | jq -r '.locks.nodes.root.inputs | keys[] as $k | $k'); do
if ! git checkout -b "${ci_branch}_${inp}"; then
handle_co_fail "${ci_branch}_${inp}"
continue
fi
current_hash="$(git rev-parse HEAD)"
if ! nix flake update --commit-lock-file "$inp"; then
handle_update_fail "$inp"
continue
fi
maybe_new_hash="$(git rev-parse HEAD)"
if [ "${current_hash}" != "${maybe_new_hash}" ]; then
if ! nix flake check --print-build-logs 2>/tmp/ci-flake-check-${inp}; then
handle_update_check_fail "$inp" /tmp/ci-flake-check-${inp}
continue
fi
else
msg "No change in input, skipping checks."
fi
if ! git checkout "${ci_branch}"; then
handle_co_fail "${ci_branch}"
continue
fi
if ! git merge "${ci_branch}_${inp}"; then
handle_merge_fail "${ci_branch}_${inp}" "${ci_branch}"
continue
fi
done
if ! nix flake check --print-build-logs 2>/tmp/ci-flake-check; then
handle_update_check_fail "$ci_branch" /tmp/ci-flake-check
exit 1
fi
if ! git checkout main; then
handle_co_fail
exit 1
fi
if ! git merge "${ci_branch}"; then
handle_merge_fail "${ci_branch}" "main"
exit 1
fi
# Agent is configured to forget keys after X, if that happens we need to re-add before push
agentHasKey "$(cat /run/secrets/ci_ed25519_pub | awk '{print $2}')" ||
ssh-add /run/secrets/ci_ed25519_key
if ! git push; then
handle_push_fail
exit 1
fi
else
if ! nix flake check --print-build-logs 2>/tmp/ci-flake-check; then
handle_check_fail /tmp/ci-flake-check
exit 1
fi
fi
finish_ci