
feat(ci): migrate to gitleaks and optimize docs deployments #44




name: "CI/CD"

# Triggers: manual runs (optionally limited to one job), calls from other
# workflows, pull requests, and pushes to main.
on:
  workflow_dispatch:
    inputs:
      job:
        description: "Specific job to run (leave empty for all)"
        type: string
        required: false
      nix_installer:
        description: "Nix installer strategy"
        type: choice
        options:
          - full
          - quick
        default: quick
        required: false
      debug_enabled:
        description: "Run the workflow with tmate.io debugging enabled"
        # Marked required but carries a default, so the dispatch form always has a value.
        required: true
        type: boolean
        default: false
      deploy_enabled:
        description: "Deploy to Cloudflare Workers"
        required: false
        type: boolean
        default: false
  # No inputs are declared for callers, so `inputs.*` is empty on a
  # workflow_call run and the `|| 'quick'` fallbacks below take effect.
  workflow_call:
  pull_request:
    types:
      - opened
      - labeled
      - reopened
      - synchronize
    # NOTE(review): `*.md` only matches Markdown files at the repository root;
    # nested docs changes still trigger the run (`**.md` would cover those) — confirm intent.
    paths-ignore:
      - "*.md"
  push:
    branches:
      - "main"
    paths-ignore:
      - "*.md"

defaults:
  run:
    shell: bash

# Default token scope for every job; the release jobs widen `contents` themselves.
# NOTE(review): `actions: write` and `deployments: write` are granted workflow-wide;
# if only the deploy job needs them, moving them onto that job narrows the token elsewhere.
permissions:
  contents: read
  deployments: write
  actions: write
  id-token: write
jobs:
  # First job in the chain (set-variables depends on it): full-history secret scan.
  secrets-scan:
    name: gitleaks
    runs-on: ubuntu-latest
    # Runs on every PR/push; on a manual run only when no job or this job was requested.
    if: |
      github.event_name != 'workflow_dispatch' ||
      inputs.job == '' ||
      inputs.job == 'secrets-scan'
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
        with:
          # Full clone so the scanner can walk the whole history rather than only HEAD.
          fetch-depth: 0
      - name: Setup Nix
        uses: ./.github/actions/setup-nix
        # NOTE(review): the SOPS key is exposed to the scan job; if setup-nix only
        # needs it for `cachix-auth` (not requested here), it can be dropped.
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        with:
          installer: ${{ inputs.nix_installer || 'quick' }}
          system: x86_64-linux
          setup-cachix: true
      - name: Scan for secrets with gitleaks
        # The gitleaks invocation itself presumably lives in the `scan-secrets` justfile recipe.
        run: nix develop -c just scan-secrets
set-variables:
needs: secrets-scan
runs-on: ubuntu-latest
if: |
!cancelled() &&
(github.event_name != 'workflow_dispatch' ||
inputs.job == '' ||
inputs.job == 'set-variables')
outputs:
debug: ${{ steps.set-variables.outputs.debug }}
skip_ci: ${{ steps.set-variables.outputs.skip_ci }}
deploy_enabled: ${{ steps.set-variables.outputs.deploy_enabled }}
deploy_environment: ${{ steps.set-variables.outputs.deploy_environment }}
checkout_ref: ${{ steps.set-variables.outputs.checkout_ref }}
checkout_rev: ${{ steps.set-variables.outputs.checkout_rev }}
packages: ${{ steps.discover-packages.outputs.packages }}
steps:
- name: Set action variables
id: set-variables
run: |
DEBUG="false"
SKIP_CI="false"
DEPLOY_ENABLED="false"
DEPLOY_ENVIRONMENT="preview"
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
DEBUG="${{ inputs.debug_enabled }}"
DEPLOY_ENABLED="${{ inputs.deploy_enabled }}"
fi
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
if ${{ contains(github.event.pull_request.labels.*.name, 'skip-ci') }}; then
SKIP_CI="true"
fi
if ${{ contains(github.event.pull_request.labels.*.name, 'actions-debug') }}; then
DEBUG="true"
fi
if ${{ contains(github.event.pull_request.labels.*.name, 'docs-preview') }}; then
DEPLOY_ENABLED="true"
DEPLOY_ENVIRONMENT="preview"
fi
CHECKOUT_REF="${{ github.event.pull_request.head.ref }}"
CHECKOUT_REV="${{ github.event.pull_request.head.sha }}"
else
CHECKOUT_REF="${{ github.ref_name }}"
CHECKOUT_REV="${{ github.sha }}"
fi
# Enable deployment on push to main (production)
if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/main" ]]; then
DEPLOY_ENABLED="true"
DEPLOY_ENVIRONMENT="production"
fi
echo "DEBUG=$DEBUG"
echo "SKIP_CI=$SKIP_CI"
echo "DEPLOY_ENABLED=$DEPLOY_ENABLED"
echo "DEPLOY_ENVIRONMENT=$DEPLOY_ENVIRONMENT"
echo "CHECKOUT_REF=$CHECKOUT_REF"
echo "CHECKOUT_REV=$CHECKOUT_REV"
echo "DEBUG=$DEBUG" >> $GITHUB_OUTPUT
echo "SKIP_CI=$SKIP_CI" >> $GITHUB_OUTPUT
echo "DEPLOY_ENABLED=$DEPLOY_ENABLED" >> $GITHUB_OUTPUT
echo "DEPLOY_ENVIRONMENT=$DEPLOY_ENVIRONMENT" >> $GITHUB_OUTPUT
echo "CHECKOUT_REF=$CHECKOUT_REF" >> $GITHUB_OUTPUT
echo "CHECKOUT_REV=$CHECKOUT_REV" >> $GITHUB_OUTPUT
- name: Checkout for package discovery
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
with:
sparse-checkout: |
packages
justfile
sparse-checkout-cone-mode: false
- name: Discover packages
id: discover-packages
run: |
# Install just for package discovery
curl --proto '=https' --tlsv1.2 -sSf https://just.systems/install.sh | bash -s -- --to /usr/local/bin
PACKAGES=$(just list-packages-json)
echo "packages=$PACKAGES" >> $GITHUB_OUTPUT
echo "Discovered packages: $PACKAGES"
nix:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
needs: set-variables
if: |
!cancelled() &&
needs.set-variables.outputs.skip_ci != 'true' &&
(github.event_name != 'workflow_dispatch' ||
inputs.job == '' ||
inputs.job == 'nix')
concurrency:
group: nix-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }}
cancel-in-progress: true
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4
- name: Setup Nix
uses: ./.github/actions/setup-nix
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
with:
installer: ${{ inputs.nix_installer || 'quick' }}
system: x86_64-linux
setup-cachix: true
cachix-auth: true
- name: Setup tmate debug session
uses: mxschmitt/action-tmate@e5c7151931ca95bad1c6f4190c730ecf8c7dde48 # ratchet:mxschmitt/action-tmate@v3
if: ${{ needs.set-variables.outputs.debug == 'true' }}
- name: Install omnix
run: nix --accept-flake-config profile install "github:juspay/omnix"
- name: Summarize flake
run: om show .
- name: Run flake CI and push to cachix
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
run: |
nix develop -c sops exec-env vars/shared.yaml '
om ci run | tee /dev/stderr | cachix push "$CACHIX_CACHE_NAME"
'
test:
needs: [set-variables]
if: |
!cancelled() &&
needs.set-variables.outputs.skip_ci != 'true' &&
(github.event_name != 'workflow_dispatch' ||
inputs.job == '' ||
inputs.job == 'test')
strategy:
matrix:
package: ${{ fromJson(needs.set-variables.outputs.packages) }}
concurrency:
group: test-${{ matrix.package.name }}-${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref_name }}
cancel-in-progress: true
uses: ./.github/workflows/package-test.yaml
with:
package-name: ${{ matrix.package.name }}
package-path: ${{ matrix.package.path }}
debug-enabled: ${{ needs.set-variables.outputs.debug }}
nix-installer: ${{ inputs.nix_installer || 'quick' }}
secrets:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
test-release-packages:
needs: [set-variables, test]
if: ${{ github.event_name == 'pull_request' && needs.set-variables.outputs.skip_ci != 'true' }}
strategy:
fail-fast: false
matrix:
package: ${{ fromJson(needs.set-variables.outputs.packages) }}
concurrency:
group: test-release-${{ matrix.package.name }}-${{ github.workflow }}-${{ github.event.pull_request.number }}
cancel-in-progress: true
permissions:
contents: write
id-token: write
uses: ./.github/workflows/package-release.yaml

Check failure on line 238 in .github/workflows/ci.yaml


GitHub Actions / .github/workflows/ci.yaml

Invalid workflow file

error parsing called workflow ".github/workflows/ci.yaml" -> "./.github/workflows/package-release.yaml" : secret name `GITHUB_TOKEN` within `workflow_call` can not be used since it would collide with system reserved name
with:
package-path: ${{ matrix.package.path }}
package-name: ${{ matrix.package.name }}
release-dry-run: true
debug-enabled: ${{ needs.set-variables.outputs.debug == 'true' }}
checkout-ref: ${{ needs.set-variables.outputs.checkout_ref }}
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-packages:
needs: [set-variables, test, nix]
if: |
github.repository_owner == 'sciexp' &&
(github.event_name == 'push' || github.event_name == 'workflow_dispatch') &&
(github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') &&
needs.set-variables.outputs.skip_ci != 'true'
strategy:
fail-fast: false
matrix:
package: ${{ fromJson(needs.set-variables.outputs.packages) }}
concurrency:
group: release-${{ matrix.package.name }}-${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: true
permissions:
contents: write
id-token: write
uses: ./.github/workflows/package-release.yaml
with:
package-path: ${{ matrix.package.path }}
package-name: ${{ matrix.package.name }}
release-dry-run: false
debug-enabled: ${{ needs.set-variables.outputs.debug == 'true' }}
checkout-ref: ${{ needs.set-variables.outputs.checkout_ref }}
secrets:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
deploy:
needs: [set-variables, nix, test, release-packages]
if: |
!cancelled() &&
needs.set-variables.outputs.skip_ci != 'true' &&
needs.set-variables.outputs.deploy_enabled == 'true' &&
(github.event_name != 'workflow_dispatch' ||
inputs.job == '' ||
inputs.job == 'deploy')
uses: ./.github/workflows/deploy-docs.yaml
with:
debug_enabled: ${{ needs.set-variables.outputs.debug }}
branch: ${{ needs.set-variables.outputs.checkout_ref }}
environment: ${{ needs.set-variables.outputs.deploy_environment }}
secrets: inherit