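---
# Deploy on Master: validate the flake -> build the system closure -> record a
# "deployment ready" event. The remote deploy job is disabled (if: false) and
# kept as a template for a reviewer-gated production environment.
#
# NOTE(review): the action references below use mutable tags (v4, v25, v7).
# Pinning each to a full commit SHA (tag kept in a trailing comment) removes
# the tag-retarget supply-chain risk; the SHAs are not on this page, so the
# tags are left as they were.
name: Deploy on Master

on:
  push:
    branches: [master]

# One deploy pipeline at a time; queued runs wait rather than being cancelled.
concurrency:
  group: deploy
  cancel-in-progress: false

jobs:
  validate:
    name: Pre-Deploy Validation
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # gitleaks walks git history; the default shallow clone would only
          # scan the tip commit.
          fetch-depth: 0
          # Nothing here pushes, so do not leave GITHUB_TOKEN in .git/config
          # (it would also be picked up by the secret scan below).
          persist-credentials: false
      - uses: cachix/install-nix-action@v25
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          # accept-flake-config trusts the repo's own flake.nixConfig
          # (substituters, trusted keys). Acceptable here because the flake
          # being evaluated is this repository at the pushed commit.
          extra_nix_config: |
            accept-flake-config = true
      - name: Flake syntax check
        run: |
          # Validate flake structure without full evaluation
          nix flake metadata --accept-flake-config
          # Show flake outputs structure
          nix flake show --allow-import-from-derivation
      - name: Security scan
        # Best-effort by design: a finding marks the step failed (visible in the
        # run summary) but does not block the pipeline. The previous `|| true`
        # made findings invisible; without it continue-on-error still keeps the
        # job green. --redact keeps matched values out of the CI log.
        continue-on-error: true
        run: |
          nix shell nixpkgs#gitleaks --command \
            gitleaks detect --source . --report-path /tmp/gitleaks.json --redact

  build:
    name: Build Configuration
    needs: validate
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@v25
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          # NOTE(review): a devenv.cachix.org key is trusted here, but no
          # matching `substituters` entry is set and this job does not accept
          # the flake's nixConfig -- confirm that cache is actually consulted.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw=
      - name: Build system derivation
        # --out-link keeps a ./result symlink for the metrics step; the earlier
        # --no-link left nothing for `nix path-info ./result` to read.
        run: |
          nix build --out-link ./result --print-out-paths \
            --option use-http-compression true \
            .#nixosConfigurations.nixos.config.system.build.toplevel \
            2>&1 | tee /tmp/build-output.log
      - name: Extract build metrics
        id: metrics
        run: |
          # `nix path-info -S` prints "<store-path> <closure-size-bytes>", so
          # the size is the last field (the old awk used $1, the path). No -r:
          # the toplevel's closure size already covers every dependency.
          if ! CLOSURE_SIZE=$(nix path-info -S ./result \
              | awk '{printf "%.2f", $NF/1024/1024/1024}'); then
            CLOSURE_SIZE="?"
          fi
          echo "closure_size=${CLOSURE_SIZE}GB" >> "$GITHUB_OUTPUT"
          echo "✅ Build complete - Closure: ${CLOSURE_SIZE}GB"
      - name: Upload build artifacts
        # always(): the log matters most when the build step failed.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts
          path: /tmp/build-output.log
          retention-days: 7

  notify:
    name: Notify Deployment Ready
    needs: build
    runs-on: ubuntu-latest
    if: success()
    permissions:
      deployments: write
      contents: read
    # No checkout: github-script does not need the working tree.
    steps:
      - name: Create deployment notification
        uses: actions/github-script@v7
        env:
          COMMIT_SHA: ${{ github.sha }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const sha = process.env.COMMIT_SHA;
            try {
              await github.rest.repos.createDeployment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                ref: sha,
                environment: 'production',
                description: 'Ready for manual deployment',
                auto_merge: false,
                required_contexts: []
              });
            } catch (err) {
              // Best-effort notification: surface the failure as a warning
              // instead of failing the run or silently dropping it.
              core.warning(`createDeployment failed: ${err.message}`);
            }

  deploy-approved:
    name: Deploy (Manual Approval)
    needs: notify
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Disabled. This workflow declares no workflow_dispatch trigger, so the job
    # is a template; when enabled, gate it with required reviewers on the
    # `production` environment rather than with this condition.
    if: false
    environment:
      name: production
      url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Trigger remote deployment
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          TARGET_HOST: ${{ secrets.TARGET_HOST }}
          TARGET_USER: ${{ secrets.TARGET_USER }}
          # New secret (name chosen in this review): one known_hosts line for
          # TARGET_HOST, e.g. "<host> ssh-ed25519 <base64-key>", so the host
          # key is pinned instead of accepted on every connection.
          TARGET_HOST_KEY: ${{ secrets.TARGET_HOST_KEY }}
        run: |
          if [ -z "$DEPLOY_KEY" ] || [ -z "$TARGET_HOST" ] \
              || [ -z "$TARGET_USER" ] || [ -z "$TARGET_HOST_KEY" ]; then
            echo "⚠️ Deployment secrets not configured"
            echo "Skipping remote deployment"
            exit 0
          fi
          # Save SSH key and pinned host key. umask 077 makes both files
          # private at creation; the earlier `echo > file; chmod 600` briefly
          # left the key readable under the default umask. printf avoids
          # echo's backslash handling.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
          printf '%s\n' "$TARGET_HOST_KEY" > ~/.ssh/deploy_known_hosts
          # Deploy via SSH. The earlier accept-new with
          # UserKnownHostsFile=/dev/null accepted any host key on every run,
          # so a host-key mismatch could never be detected; strict checking
          # against the pinned key fails closed instead.
          # The remote side verifies that `git pull` landed on the commit this
          # run validated before rebuilding, so what was tested is what ships.
          REMOTE_CMD="cd ~/nixos-config && git pull && test \"\$(git rev-parse HEAD)\" = '${GITHUB_SHA}' && ./rebuild-nixos"
          ssh -i ~/.ssh/deploy_key \
            -o IdentitiesOnly=yes \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$HOME/.ssh/deploy_known_hosts" \
            "${TARGET_USER}@${TARGET_HOST}" \
            "$REMOTE_CMD" || {
              # A failed deploy must not report a green job.
              echo "::error::Remote deployment failed"
              exit 1
            }
      - name: Clean up SSH key
        if: always()
        run: |
          # Remove only what this job wrote; `rm -rf ~/.ssh` would also wipe
          # any pre-existing client config on a self-hosted runner.
          rm -f ~/.ssh/deploy_key ~/.ssh/deploy_known_hosts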