diff --git a/.github/actions/build-shared/action.yml b/.github/actions/build-shared/action.yml deleted file mode 100644 index d809f3ec2cf76d..00000000000000 --- a/.github/actions/build-shared/action.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: Build Node.js (shared libraries) -description: > - Downloads the slim tarball built by the `build-tarball` job, extracts it, - installs Nix (+ cachix + sccache), then builds Node.js and runs the CI - test suite inside the pinned nix-shell. - -inputs: - extra-nix-flags: - description: Additional CLI arguments appended to the nix-shell invocation. - required: false - default: '' - cachix-auth-token: - description: Cachix auth token for nodejs.cachix.org. - required: false - default: '' - -runs: - using: composite - steps: - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: tarballs - path: tarballs - - - name: Extract tarball - shell: bash - run: | - tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP" - echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV" - - - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 - with: - extra_nix_config: sandbox = true - - - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 - with: - name: nodejs - authToken: ${{ inputs.cachix-auth-token }} - - - name: Configure sccache - if: github.base_ref == 'main' || github.ref_name == 'main' - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 - with: - script: | - core.exportVariable('SCCACHE_GHA_ENABLED', 'on'); - core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on'); - core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || ''); - core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); - core.exportVariable('NIX_SCCACHE', '(import {}).sccache'); - - - name: Build Node.js and run tests - shell: bash - run: | - nix-shell \ - -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \ - --pure --keep TAR_DIR --keep FLAKY_TESTS \ - --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \ - --arg loadJSBuiltinsDynamically false \ - --arg ccache "${NIX_SCCACHE:-null}" \ - --arg devTools '[]' \ - --arg benchmarkTools '[]' \ - ${{ inputs.extra-nix-flags }} \ - --run ' - make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS" - ' "$TAR_DIR/shell.nix" diff --git a/.github/workflows/build-shared.yml b/.github/workflows/build-shared.yml new file mode 100644 index 00000000000000..f0f0a4425e6c09 --- /dev/null +++ b/.github/workflows/build-shared.yml @@ -0,0 +1,89 @@ +name: Build Node.js (shared libraries) + +on: + workflow_call: + inputs: + runner: + description: The runner to use for the job. + required: true + type: string + extra-nix-flags: + description: Additional CLI arguments appended to the nix-shell invocation. + required: false + type: string + default: '' + with-sccache: + description: Whether to enable sccache + required: false + type: boolean + default: false + v8-nar: + description: An optional name for the NAR archive for V8 that needs to be downloaded + required: false + type: string + default: '' + secrets: + CACHIX_AUTH_TOKEN: + description: Cachix auth token for nodejs.cachix.org. + required: false + +permissions: {} + +env: + FLAKY_TESTS: keep_retrying + +jobs: + build: + runs-on: ${{ inputs.runner }} + steps: + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: tarballs + path: tarballs + + - name: Extract tarball + shell: bash + run: | + tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP" + echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV" + + - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 + with: + extra_nix_config: sandbox = true + + - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17 + with: + name: nodejs + authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} + + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + if: inputs.v8-nar + with: + name: ${{ inputs.v8-nar }} + + - name: Configure sccache + if: inputs.with-sccache + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 + with: + script: | + core.exportVariable('SCCACHE_GHA_ENABLED', 'on'); + core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on'); + core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || ''); + core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); + core.exportVariable('NIX_SCCACHE', '(import {}).sccache'); + + - name: Build Node.js and run tests + shell: bash + run: | + nix-shell \ + -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \ + --pure --keep TAR_DIR --keep FLAKY_TESTS \ + --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \ + --arg loadJSBuiltinsDynamically false \ + --arg ccache "${NIX_SCCACHE:-null}" \ + --arg devTools '[]' \ + --arg benchmarkTools '[]' \ + ${{ inputs.extra-nix-flags }} \ + --run ' + make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS" + ' "$TAR_DIR/shell.nix" \ No newline at end of file diff --git a/.github/workflows/test-shared.yml b/.github/workflows/test-shared.yml index a8500dc47811f0..10cbd80d06f833 100644 --- a/.github/workflows/test-shared.yml +++ b/.github/workflows/test-shared.yml @@ -47,7 +47,7 @@ on: - vcbuild.bat - .** - '!.github/workflows/test-shared.yml' - - '!.github/actions/build-shared/**' + - '!.github/workflows/build-shared.yml' types: [opened, synchronize, reopened, ready_for_review] push: branches: @@ -98,15 +98,12 @@ on: - vcbuild.bat - .** - '!.github/workflows/test-shared.yml' - - '!.github/actions/build-shared/**' + - '!.github/workflows/build-shared.yml' concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true -env: - FLAKY_TESTS: keep_retrying - permissions: contents: read @@ -151,20 +148,15 @@ jobs: - runner: macos-latest system: aarch64-darwin name: '${{ matrix.system }}: with shared libraries' - runs-on: ${{ matrix.runner }} - steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: - persist-credentials: false - sparse-checkout: .github/actions - sparse-checkout-cone-mode: false - - uses: ./.github/actions/build-shared - name: Build and test Node.js - with: - cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - extra-nix-flags: | - --arg useSeparateDerivationForV8 true \ - ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }} + uses: ./.github/workflows/build-shared.yml + with: + runner: ${{ matrix.runner }} + with-sccache: ${{ github.base_ref == 'main' || github.ref_name == 'main' }} + extra-nix-flags: | + --arg useSeparateDerivationForV8 true \ + ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }} + secrets: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} build-aarch64-linux-v8: needs: build-tarball @@ -247,34 +239,23 @@ jobs: matrix: openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }} name: 'aarch64-linux: with shared ${{ matrix.openssl.name }}' - runs-on: ubuntu-24.04-arm - continue-on-error: false - env: - OPENSSL_ATTR: ${{ matrix.openssl.attr }} - steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - with: - persist-credentials: false - sparse-checkout: .github/actions - sparse-checkout-cone-mode: false - - - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - if: ${{ needs.build-aarch64-linux-v8.outputs.local-cache }} - with: - name: libv8-aarch64-linux.nar - - - uses: ./.github/actions/build-shared - name: Build and test Node.js - with: - cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - # Override just the `openssl` attr of the default shared-lib set with - # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All - # other shared libs (brotli, cares, libuv, …) keep their defaults. - # `permittedInsecurePackages` whitelists just the matrix-selected - # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support - # cycles evaluate without relaxing nixpkgs' meta check globally. - extra-nix-flags: | - --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \ - --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { - openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR; - }" \ + uses: ./.github/workflows/build-shared.yml + with: + runner: ubuntu-24.04-arm + download-nar: ${{ needs.build-aarch64-linux-v8.outputs.local-cache && 'libv8-aarch64-linux.nar' }} + openssl-attr: ${{ matrix.openssl.attr }} + # Override just the `openssl` attr of the default shared-lib set with + # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All + # other shared libs (brotli, cares, libuv, …) keep their defaults. + # `permittedInsecurePackages` whitelists just the matrix-selected + # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support + # cycles evaluate without relaxing nixpkgs' meta check globally. + extra-nix-flags: | + --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \ + --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { + openssl = builtins.getAttr \"${{ + !contains(matrix.openssl.attr, '$') && !contains(matrix.openssl.attr, '\"') && !contains(matrix.openssl.attr, '\') && !contains(matrix.openssl.attr, '`') && matrix.openssl.attr + }}\" (import $TAR_DIR/tools/nix/openssl-matrix.nix {}); + }" \ + secrets: + CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}