Skip to content

Binaries

Binaries #42

Workflow file for this run

name: Binaries
on:
workflow_dispatch:
schedule:
- cron: '0 1 * * *' # Triggers the build at 1:00 UTC time
jobs:
binary:
name: Create
permissions:
id-token: write
attestations: write
contents: write
strategy:
fail-fast: false
matrix:
include:
- os: macos-13
name: x86_64-apple-darwin
installable: .#dune-experimental
- os: macos-14
name: aarch64-apple-darwin
installable: .#dune-experimental
- os: ubuntu-22.04
name: x86_64-unknown-linux-musl
installable: .#dune-static-experimental
runs-on: ${{ matrix.os }}
outputs:
git-commit: ${{ steps.git-commit.outputs.hash }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: "WARNING: Store patches in tmp"
run: |
mv ./dune-nix.patch /tmp
mv ./dune-locking.patch /tmp
mv ./dune-diagnostic-version-number.patch /tmp
- uses: actions/checkout@v4
with:
repository: ocaml/dune
ref: main # At some point we might need to change it to point to a developer preview branch
fetch-depth: 0 # for git describe
- uses: cachix/install-nix-action@v22
- run: echo "(version $(git describe --always --dirty --abbrev=7))" >> dune-project
- name: "WARNING: import and apply dune nix patch"
run: |
git config --global user.email "[email protected]"
git config --global user.name "Temporary patch"
mv /tmp/dune-nix.patch .
mv /tmp/dune-locking.patch .
mv /tmp/dune-diagnostic-version-number.patch .
git am dune-nix.patch
git am dune-locking.patch
git am dune-diagnostic-version-number.patch
- run: nix build ${{ matrix.installable }}
- name: Extract commit
id: git-commit
run: echo "hash=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
- name: Generate artifact attestation
id: certificate
uses: actions/attest-build-provenance@v1
with:
subject-path: "result/bin/dune"
show-summary: false
- name: Extract artifact and attestation
run: |
mkdir -p ~/build/
cp ${{ steps.certificate.outputs.bundle-path }} result/bin/dune ~/build/
- uses: actions/upload-artifact@v4
with:
path: ~/build/*
name: ${{ matrix.name }}
deploy-s3:
runs-on: ubuntu-latest
needs: binary
permissions:
contents: write
steps:
- name: Install rclone
run: |
sudo -v ; curl https://rclone.org/install.sh | sudo bash
- name: Prepare SSH env
shell: bash
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/tarides
echo "$SSH_PUBLIC_KEY" > ~/.ssh/tarides.pub
chmod 600 ~/.ssh/tarides
chmod 600 ~/.ssh/tarides.pub
ssh-keyscan -H "$DEPLOY_SERVER" >> ~/.ssh/known_hosts
env:
DEPLOY_SERVER: ${{ secrets.DEPLOY_SERVER }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
- name: Checkout
uses: actions/checkout@v4
- name: Setup OCaml with cache
uses: ocaml/setup-ocaml@v3
with:
ocaml-compiler: "5.2"
dune-cache: true
- name: Install Sandworm
run: cd sandworm && opam install -y . --deps-only && opam exec -- dune build
- uses: actions/download-artifact@v4
with:
path: /home/runner/artifacts
- name: Move artifacts to scope
run: mv "/home/runner/artifacts" "."
- name: Export Rclone configuration
run: echo "${{ secrets.RCLONE_CONF }}" >> rclone.conf
- name: Export executables and generate html
shell: bash
run: ./sandworm/_build/install/default/bin/sandworm --with-certificate --commit "${{ needs.binary.outputs.git-commit }}"
- name: Commit changes to branch
run: |
git config --global user.name 'Sandworm'
git config --global user.email '[email protected]'
git add index.html metadata.json
git commit -m "Nightly build $(date +'%Y-%m-%d')"
git push