Add security.pki.installCACerts config #1139
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Test" | |
on: | |
pull_request: | |
push: | |
env: | |
CURRENT_STABLE_CHANNEL: nixpkgs-23.05-darwin | |
jobs: | |
test-stable: | |
runs-on: macos-12 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install nix corresponding to latest stable channel | |
uses: cachix/install-nix-action@v22 | |
with: | |
install_url: https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.10.0pre20220822_7c3ab57/install | |
- run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A tests | |
- run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A manpages | |
- run: nix-build ./release.nix -I nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} -I darwin=. -A examples.simple | |
test-unstable: | |
runs-on: macos-12 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install nix from current unstable channel | |
uses: cachix/install-nix-action@v22 | |
- run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A tests | |
- run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A manpages | |
- run: nix-build ./release.nix -I nixpkgs=channel:nixpkgs-unstable -I darwin=. -A examples.simple | |
install-against-stable: | |
runs-on: macos-12 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install nix corresponding to latest stable channel | |
uses: cachix/install-nix-action@v22 | |
with: | |
install_url: https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.10.0pre20220822_7c3ab57/install | |
nix_path: nixpkgs=channel:${{ env.CURRENT_STABLE_CHANNEL }} | |
- name: Install ${{ env.CURRENT_STABLE_CHANNEL }} channel | |
run: | | |
nix-channel --add https://nixos.org/channels/${{ env.CURRENT_STABLE_CHANNEL }} nixpkgs | |
nix-channel --update | |
- name: Install nix-darwin and test | |
run: | | |
export NIX_PATH=$HOME/.nix-defexpr/channels | |
# We run nix-darwin twice to test that it can create darwin-configuration correctly for us | |
# but we expect it to fail setting up /etc/nix/nix.conf | |
nix-shell -A installer || true | |
nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) | |
/usr/bin/sed -i.bak \ | |
"s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ | |
~/.nixpkgs/darwin-configuration.nix | |
nix-shell -A installer | |
nix-shell -A installer.check | |
- name: Build and activate default derivation | |
run: | | |
. /etc/static/bashrc | |
darwin-rebuild switch -I darwin=. | |
- name: Test uninstallation of nix-darwin | |
run: | | |
export NIX_PATH=$HOME/.nix-defexpr/channels | |
nix-shell -A uninstaller | |
nix-shell -A uninstaller.check | |
- name: Debugging tmate session | |
if: ${{ failure() }} | |
uses: mxschmitt/action-tmate@v3 | |
timeout-minutes: 15 | |
with: | |
limit-access-to-actor: true | |
install-against-unstable: | |
runs-on: macos-12 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install nix from current unstable channel | |
uses: cachix/install-nix-action@v22 | |
with: | |
nix_path: nixpkgs=channel:nixpkgs-unstable | |
- name: Install nixpkgs-unstable channel | |
run: | | |
nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgs | |
nix-channel --update | |
- name: Install nix-darwin and test | |
run: | | |
export NIX_PATH=$HOME/.nix-defexpr/channels | |
# We run nix-darwin twice to test that it can create darwin-configuration correctly for us | |
# but we expect it to fail setting up /etc/nix/nix.conf | |
nix-shell -A installer || true | |
nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) | |
/usr/bin/sed -i.bak \ | |
"s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ | |
~/.nixpkgs/darwin-configuration.nix | |
nix-shell -A installer | |
nix-shell -A installer.check | |
- name: Build and activate default derivation | |
run: | | |
. /etc/static/bashrc | |
darwin-rebuild switch -I darwin=. | |
- name: Test uninstallation of nix-darwin | |
run: | | |
export NIX_PATH=$HOME/.nix-defexpr/channels | |
nix-shell -A uninstaller | |
nix-shell -A uninstaller.check | |
- name: Debugging tmate session | |
if: ${{ failure() }} | |
uses: mxschmitt/action-tmate@v3 | |
timeout-minutes: 15 | |
with: | |
limit-access-to-actor: true | |
install-flake-against-stable: | |
runs-on: macos-12 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install nix version corresponding to latest stable channel | |
uses: cachix/install-nix-action@v22 | |
with: | |
install_url: https://github.com/nix-community/nix-unstable-installer/releases/download/nix-2.10.0pre20220822_7c3ab57/install | |
- name: Install nix-darwin | |
run: | | |
mkdir -p ~/.config/nix-darwin | |
darwin=$(pwd) | |
pushd ~/.config/nix-darwin | |
nix flake init -t $darwin | |
nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) | |
/usr/bin/sed -i.bak \ | |
"s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ | |
flake.nix | |
popd | |
nix run .#darwin-rebuild -- \ | |
switch --flake ~/.config/nix-darwin#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} | |
- name: Rebuild and activate simple flake, but this time using nix-darwin's flake interface | |
run: | | |
. /etc/static/bashrc | |
darwin-rebuild build --flake ./modules/examples/flake#simple --override-input nix-darwin . --override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} | |
- name: Test git submodules | |
run: | | |
. /etc/static/bashrc | |
mkdir -p /tmp/{test-nix-darwin-submodules,example-submodule} | |
pushd /tmp/example-submodule | |
echo '"hello"' > hello.nix | |
git init | |
git add . | |
git commit -m "add a submodule we will import" | |
popd | |
cp -a ./modules/examples/. /tmp/test-nix-darwin-submodules | |
cp -a ./modules/examples/flake/flake.nix /tmp/test-nix-darwin-submodules | |
pushd /tmp/test-nix-darwin-submodules | |
/usr/bin/sed -i.bak \ | |
'\#modules = \[#s#configuration#configuration ./simple.nix#' \ | |
./flake.nix | |
/usr/bin/sed -i.bak \ | |
's#pkgs.vim#pkgs."${import ./submodule-test/hello.nix}"#' \ | |
./simple.nix | |
git init | |
git add flake.nix simple.nix | |
git \ | |
-c protocol.file.allow=always \ | |
submodule add /tmp/example-submodule submodule-test | |
popd | |
# Should fail | |
darwin-rebuild build \ | |
--flake /tmp/test-nix-darwin-submodules#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} \ | |
&& { | |
printf 'succeeded while expecting failure due to submodule\n' >/dev/stderr | |
exit 1 | |
} | |
# Should also fail | |
darwin-rebuild build \ | |
--flake /tmp/test-nix-darwin-submodules?submodules=0#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} \ | |
&& { | |
printf 'succeeded while expecting failure due to submodule\n' >/dev/stderr | |
exit 1 | |
} | |
# Should succeed | |
darwin-rebuild build \ | |
--flake /tmp/test-nix-darwin-submodules?submodules=1#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/${{ env.CURRENT_STABLE_CHANNEL }} \ | |
install-flake-against-unstable: | |
runs-on: macos-12 | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install nix from current unstable channel | |
uses: cachix/install-nix-action@v22 | |
- name: Install nix-darwin | |
run: | | |
mkdir -p ~/.config/nix-darwin | |
darwin=$(pwd) | |
pushd ~/.config/nix-darwin | |
nix flake init -t $darwin | |
nixConfHash=$(shasum -a 256 /etc/nix/nix.conf | cut -d ' ' -f 1) | |
/usr/bin/sed -i.bak \ | |
"s/# nix.package = pkgs.nix;/nix.settings.access-tokens = [ \"github.com=\${{ secrets.GITHUB_TOKEN }}\" ]; environment.etc.\"nix\/nix.conf\".knownSha256Hashes = [ \"$nixConfHash\" ];/" \ | |
flake.nix | |
popd | |
nix run .#darwin-rebuild -- \ | |
switch --flake ~/.config/nix-darwin#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/nixpkgs-unstable | |
- name: Rebuild and activate simple flake, but this time using nix-darwin's flake interface | |
run: | | |
. /etc/static/bashrc | |
darwin-rebuild build --flake ./modules/examples/flake#simple --override-input nix-darwin . --override-input nixpkgs nixpkgs/nixpkgs-unstable | |
- name: Test git submodules | |
run: | | |
. /etc/static/bashrc | |
mkdir -p /tmp/{test-nix-darwin-submodules,example-submodule} | |
pushd /tmp/example-submodule | |
echo '"hello"' > hello.nix | |
git init | |
git add . | |
git commit -m "add a submodule we will import" | |
popd | |
cp -a ./modules/examples/. /tmp/test-nix-darwin-submodules | |
cp -a ./modules/examples/flake/flake.nix /tmp/test-nix-darwin-submodules | |
pushd /tmp/test-nix-darwin-submodules | |
/usr/bin/sed -i.bak \ | |
'\#modules = \[#s#configuration#configuration ./simple.nix#' \ | |
./flake.nix | |
/usr/bin/sed -i.bak \ | |
's#pkgs.vim#pkgs."${import ./submodule-test/hello.nix}"#' \ | |
./simple.nix | |
git init | |
git add flake.nix simple.nix | |
git \ | |
-c protocol.file.allow=always \ | |
submodule add /tmp/example-submodule submodule-test | |
popd | |
# Should fail | |
darwin-rebuild build \ | |
--flake /tmp/test-nix-darwin-submodules#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/nixpkgs-unstable \ | |
&& { | |
printf 'succeeded while expecting failure due to submodule\n' >/dev/stderr | |
exit 1 | |
} | |
# Should also fail | |
darwin-rebuild build \ | |
--flake /tmp/test-nix-darwin-submodules?submodules=0#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/nixpkgs-unstable \ | |
&& { | |
printf 'succeeded while expecting failure due to submodule\n' >/dev/stderr | |
exit 1 | |
} | |
# Should succeed | |
darwin-rebuild build \ | |
--flake /tmp/test-nix-darwin-submodules?submodules=1#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/nixpkgs-unstable | |
# Should also succeed | |
darwin-rebuild build \ | |
--flake git+file:///tmp/test-nix-darwin-submodules?submodules=1#simple \ | |
--override-input nix-darwin . \ | |
--override-input nixpkgs nixpkgs/nixpkgs-unstable |