stages: - ci - artifacts - publish variables: # Makes some things print in color TERM: ansi # Avoid duplicate pipelines # See: https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines workflow: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS when: never - if: $CI before_script: # Enable nix-command and flakes - if command -v nix > /dev/null; then echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi # Add our own binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://attic.conduit.rs/conduit" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:ddcaWZiWm0l0IXZlO8FERRdWvEufwmd0Negl1P+c0Ns=" >> /etc/nix/nix.conf; fi # Add alternate binary cache - if command -v nix > /dev/null && [ -n "$ATTIC_ENDPOINT" ]; then echo "extra-substituters = $ATTIC_ENDPOINT" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null && [ -n "$ATTIC_PUBLIC_KEY" ]; then echo "extra-trusted-public-keys = $ATTIC_PUBLIC_KEY" >> /etc/nix/nix.conf; fi # Add crane binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://crane.cachix.org" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk=" >> /etc/nix/nix.conf; fi # Add nix-community binary cache - if command -v nix > /dev/null; then echo "extra-substituters = https://nix-community.cachix.org" >> /etc/nix/nix.conf; fi - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> /etc/nix/nix.conf; fi # Install direnv and nix-direnv - if command -v nix > /dev/null; then nix-env -iA nixpkgs.direnv nixpkgs.nix-direnv; fi # Allow .envrc - if command -v nix > /dev/null; then direnv allow; fi # Set CARGO_HOME to a cacheable path - export CARGO_HOME="$(git rev-parse --show-toplevel)/.gitlab-ci.d/cargo" ci: stage: ci image: nixos/nix:2.20.4 script: # Cache the inputs required for the devShell - ./bin/nix-build-and-cache .#devShells.x86_64-linux.default.inputDerivation - direnv exec . engage cache: key: nix paths: - target - .gitlab-ci.d rules: # CI on upstream runners (only available for maintainers) - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $IS_UPSTREAM_CI == "true" # Manual CI on unprotected branches that are not MRs - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_REF_PROTECTED == "false" when: manual # Manual CI on forks - if: $IS_UPSTREAM_CI != "true" when: manual - if: $CI interruptible: true artifacts: stage: artifacts image: nixos/nix:2.20.4 script: - ./bin/nix-build-and-cache .#static-x86_64-unknown-linux-musl - cp result/bin/conduit x86_64-unknown-linux-musl - mkdir -p target/release - cp result/bin/conduit target/release - direnv exec . cargo deb --no-build - mv target/debian/*.deb x86_64-unknown-linux-musl.deb # Since the OCI image package is based on the binary package, this has the # fun side effect of uploading the normal binary too. Conduit users who are # deploying with Nix can leverage this fact by adding our binary cache to # their systems. # # Note that although we have an `oci-image-x86_64-unknown-linux-musl` # output, we don't build it because it would be largely redundant to this # one since it's all containerized anyway. - ./bin/nix-build-and-cache .#oci-image - cp result oci-image-amd64.tar.gz - ./bin/nix-build-and-cache .#static-aarch64-unknown-linux-musl - cp result/bin/conduit aarch64-unknown-linux-musl - ./bin/nix-build-and-cache .#oci-image-aarch64-unknown-linux-musl - cp result oci-image-arm64v8.tar.gz - ./bin/nix-build-and-cache .#book # We can't just copy the symlink, we need to dereference it https://gitlab.com/gitlab-org/gitlab/-/issues/19746 - cp -r --dereference result public artifacts: paths: - x86_64-unknown-linux-musl - aarch64-unknown-linux-musl - x86_64-unknown-linux-musl.deb - oci-image-amd64.tar.gz - oci-image-arm64v8.tar.gz - public rules: # CI required for all MRs - if: $CI_PIPELINE_SOURCE == "merge_request_event" # Optional CI on forks - if: $IS_UPSTREAM_CI != "true" when: manual allow_failure: true - if: $CI interruptible: true .push-oci-image: stage: publish image: docker:25.0.0 services: - docker:25.0.0-dind variables: IMAGE_SUFFIX_AMD64: amd64 IMAGE_SUFFIX_ARM64V8: arm64v8 script: - docker load -i oci-image-amd64.tar.gz - IMAGE_ID_AMD64=$(docker images -q conduit:next) - docker load -i oci-image-arm64v8.tar.gz - IMAGE_ID_ARM64V8=$(docker images -q conduit:next) # Tag and push the architecture specific images - docker tag $IMAGE_ID_AMD64 $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 - docker tag $IMAGE_ID_ARM64V8 $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8 - docker push $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 - docker push $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8 # Tag the multi-arch image - docker manifest create $IMAGE_NAME:$CI_COMMIT_SHA --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8 - docker manifest push $IMAGE_NAME:$CI_COMMIT_SHA # Tag and push the git ref - docker manifest create $IMAGE_NAME:$CI_COMMIT_REF_NAME --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8 - docker manifest push $IMAGE_NAME:$CI_COMMIT_REF_NAME # Tag git tags as 'latest' - | if [[ -n "$CI_COMMIT_TAG" ]]; then docker manifest create $IMAGE_NAME:latest --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8 docker manifest push $IMAGE_NAME:latest fi dependencies: - artifacts only: - next - master - tags oci-image:push-gitlab: extends: .push-oci-image variables: IMAGE_NAME: $CI_REGISTRY_IMAGE/matrix-conduit before_script: - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY oci-image:push-dockerhub: extends: .push-oci-image variables: IMAGE_NAME: matrixconduit/matrix-conduit before_script: - docker login -u $DOCKER_HUB_USER -p $DOCKER_HUB_PASSWORD pages: stage: publish dependencies: - artifacts only: - next script: - "true" artifacts: paths: - public