Generate Installer Script #6091
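# Manually triggered workflow: assembles the installer script into
# release-artifacts/, creates a draft GitHub release from it, and attaches a
# build-provenance attestation to the artifacts.
name: Generate Installer Script

on:
  workflow_dispatch: # Allows manual triggering of the workflow
    inputs:
      testing_hydra_eval_id:
        description: "Eval ID of Hydra job to use artifacts from for testing"
        required: false
        default: ""

jobs:
  create-draft-release:
    runs-on: ubuntu-latest
    # Write scopes are granted at job level only. Every step below, including
    # the third-party actions, runs in a job holding these scopes.
    permissions:
      contents: write # gh release create
      id-token: write # Sigstore OIDC token for attestation
      attestations: write # upload to attestation registry
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Install Nix
        # NOTE(review): `@main` is a mutable branch ref, so the code that runs
        # here can change without any change to this file, in a job that can
        # write releases and mint attestations. Pin to a full commit SHA
        # (`NixOS/nix-installer-action@<FULL_COMMIT_SHA>`); the version tags
        # used by the other actions are movable as well.
        uses: NixOS/nix-installer-action@main
      - name: Setup Cachix
        uses: cachix/cachix-action@v17
        with:
          name: nix-installer
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      - name: Create draft release
        # The script also depends on gh and git but those are both
        # pre-installed on the runner.
        #
        # The dispatch input is handed over through the environment instead of
        # being expanded with `${{ }}` inside the command line: expression
        # expansion happens before the shell parses the script, so a value
        # containing quotes or `$(...)` would otherwise be executed as shell
        # code. As an environment variable it stays a single quoted argument.
        run: |
          nix run --inputs-from .# nixpkgs#python3 -- \
            scripts/assemble_installer.py --out-dir release-artifacts \
            "$TESTING_HYDRA_EVAL_ID"
        env:
          GH_TOKEN: "${{ github.token }}"
          TESTING_HYDRA_EVAL_ID: "${{ github.event.inputs.testing_hydra_eval_id }}"
      - name: Attest release artifacts
        # Binaries are realised from cache.nixos.org via nix-store -r,
        # which verifies the NAR signature against cache.nixos.org-1.
        # The attestation proves this workflow released exactly these bytes.
        # It covers every file matching the glob when this step runs, so
        # release-artifacts/ must contain only what the assemble script wrote.
        uses: actions/attest-build-provenance@v3
        with:
          subject-path: release-artifacts/*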