rosenpass/.github/workflows/nix.yaml

name: Nix
permissions:
  contents: write
on:
  pull_request: null
  push:
    branches:
      - main
  workflow_run:
    workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
    types:
      - completed

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  i686-linux---default:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build i686-linux.default
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - i686-linux---rosenpass
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.i686-linux.default --print-build-logs
  i686-linux---rosenpass:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build i686-linux.rosenpass
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.i686-linux.rosenpass --print-build-logs
  i686-linux---rosenpass-oci-image:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build i686-linux.rosenpass-oci-image
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - i686-linux---rosenpass
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.i686-linux.rosenpass-oci-image --print-build-logs
  i686-linux---check:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Run Nix checks on i686-linux
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Check
        run: nix flake check . --print-build-logs
  x86_64-linux---default:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.default
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - x86_64-linux---rosenpass
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.default --print-build-logs
  x86_64-linux---proof-proverif:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.proof-proverif
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - x86_64-linux---proverif-patched
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.proof-proverif --print-build-logs
  x86_64-linux---proverif-patched:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.proverif-patched
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.proverif-patched --print-build-logs
  x86_64-linux---release-package:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.release-package
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - x86_64-linux---rosenpass-static
      - x86_64-linux---rosenpass-static-oci-image
      - x86_64-linux---rp-static
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.release-package --print-build-logs
  # aarch64-linux---release-package:
  #   name: Build aarch64-linux.release-package
  #   runs-on:
  #     - ubicloud-standard-2-arm-ubuntu-2204
  #   needs:
  #     - aarch64-linux---rosenpass-oci-image
  #     - aarch64-linux---rosenpass
  #     - aarch64-linux---rp
  #   steps:
  #     - run: |
  #         DEBIAN_FRONTEND=noninteractive
  #         sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
  #     - uses: actions/checkout@v4
  #     - uses: cachix/install-nix-action@v30
  #       with:
  #         nix_path: nixpkgs=channel:nixos-unstable
  #         extra_nix_config: |
  #           system = aarch64-linux
  #     - uses: cachix/cachix-action@v15
  #       with:
  #         name: rosenpass
  #         authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
  #     - name: Build
  #       run: nix build .#packages.aarch64-linux.release-package --print-build-logs
  x86_64-linux---rosenpass:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.rosenpass
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.rosenpass --print-build-logs
  aarch64-linux---rosenpass:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build aarch64-linux.rosenpass
    runs-on:
      - ubicloud-standard-2-arm-ubuntu-2204
    needs: []
    steps:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            system = aarch64-linux
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.aarch64-linux.rosenpass --print-build-logs
  aarch64-linux---rp:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build aarch64-linux.rp
    runs-on:
      - ubicloud-standard-2-arm-ubuntu-2204
    needs: []
    steps:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            system = aarch64-linux
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.aarch64-linux.rp --print-build-logs
  x86_64-linux---rosenpass-oci-image:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.rosenpass-oci-image
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - x86_64-linux---rosenpass
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.rosenpass-oci-image --print-build-logs
  aarch64-linux---rosenpass-oci-image:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build aarch64-linux.rosenpass-oci-image
    runs-on:
      - ubicloud-standard-2-arm-ubuntu-2204
    needs:
      - aarch64-linux---rosenpass
    steps:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          extra_nix_config: |
            system = aarch64-linux
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.aarch64-linux.rosenpass-oci-image --print-build-logs
  x86_64-linux---rosenpass-static:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.rosenpass-static
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.rosenpass-static --print-build-logs
  x86_64-linux---rp-static:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.rp-static
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.rp-static --print-build-logs
  x86_64-linux---rosenpass-static-oci-image:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.rosenpass-static-oci-image
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs:
      - x86_64-linux---rosenpass-static
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.rosenpass-static-oci-image --print-build-logs
  x86_64-linux---whitepaper:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Build x86_64-linux.whitepaper
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Build
        run: nix build .#packages.x86_64-linux.whitepaper --print-build-logs
  x86_64-linux---check:
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Run Nix checks on x86_64-linux
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Check
        run: nix flake check . --print-build-logs
  x86_64-linux---whitepaper-upload:
    name: Upload whitepaper x86_64-linux
    runs-on: ubicloud-standard-2-ubuntu-2204
    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
    if: ${{ (github.ref == 'refs/heads/main') && (github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run') }}
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - uses: cachix/cachix-action@v15
        with:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Git add git sha and commit
        run: cd papers && ./tex/gitinfo2.sh && git add gitHeadInfo.gin
      - name: Build
        run: nix build .#packages.x86_64-linux.whitepaper --print-build-logs
      - name: Deploy PDF artifacts
        uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: result/
          publish_branch: papers-pdf
          force_orphan: true