tools: reuse V8 builds even without Cachix on test-shared #5999
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action uses the following secrets: | |
| # CACHIX_AUTH_TOKEN: Write access to nodejs.cachix.org βΒ without it, the cache is read-only. | |
| name: Test Shared libraries | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| push: | |
| branches: | |
| - main | |
| - canary | |
| - v[0-9]+.x-staging | |
| - v[0-9]+.x | |
| paths-ignore: | |
| - '**.md' | |
| - eslint.config.mjs | |
| - '**/eslint.config_partial.mjs' | |
| - android-configure | |
| - android-configure.py | |
| - android-patches/** | |
| - benchmarks/** | |
| - codecov.yml | |
| - deps/ada/** | |
| - deps/brotli/** | |
| - deps/cares/** | |
| - deps/crates/** | |
| - deps/corepack/** | |
| - deps/googletest/** | |
| - deps/histogram/** | |
| - deps/icu-small/** | |
| - deps/icu-tmp/** | |
| - deps/llhttp/** | |
| - deps/merve/** | |
| - deps/nbytes/** | |
| - deps/nghttp2/** | |
| - deps/ngtcp2/** | |
| - deps/openssl/*/** | |
| - deps/simdjson/** | |
| - deps/sqlite/** | |
| - deps/uv/** | |
| - deps/uvwasi/** | |
| - deps/zlib/** | |
| - deps/zstd/** | |
| - doc/** | |
| - pyproject.yml | |
| - tsconfig.json | |
| - test/internet/** | |
| - tools/** | |
| - '!tools/gyp/**' | |
| - '!tools/nix/**' | |
| - '!tools/v8/**' | |
| - '!tools/v8_gypfiles/**' | |
| - typings/** | |
| - vcbuild.bat | |
| - .** | |
| - '!.github/workflows/test-shared.yml' | |
| - '!.github/actions/build-shared/**' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| FLAKY_TESTS: keep_retrying | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-tarball: | |
| if: github.event.pull_request.draft == false | |
| name: ${{ github.event_name == 'workflow_dispatch' && 'Skipped job' || 'Build slim tarball' }} | |
| runs-on: ubuntu-slim | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Make tarball | |
| run: | | |
| export DATESTRING=$(date "+%Y-%m-%d") | |
| export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA") | |
| ./configure && make tar -j4 SKIP_XZ=1 SKIP_SHARED_DEPS=1 | |
| env: | |
| DISTTYPE: nightly | |
| - name: Upload tarball artifact | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: tarballs | |
| path: '*.tar.gz' | |
| compression-level: 0 | |
| build: | |
| needs: build-tarball | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| system: x86_64-linux | |
| # built separately in build-aarch64-linux-v8 | |
| # - runner: ubuntu-24.04-arm | |
| # system: aarch64-linux | |
| - runner: macos-15-intel | |
| system: x86_64-darwin | |
| - runner: macos-latest | |
| system: aarch64-darwin | |
| name: '${{ matrix.system }}: with shared libraries' | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| sparse-checkout-cone-mode: false | |
| - uses: ./.github/actions/build-shared | |
| name: Build and test Node.js | |
| with: | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| extra-nix-flags: | | |
| --arg useSeparateDerivationForV8 true \ | |
| ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }} | |
| build-aarch64-linux-v8: | |
| needs: build-tarball | |
| runs-on: ubuntu-24.04-arm | |
| name: 'aarch64-linux: Cache V8 build' | |
| outputs: | |
| local-cache: ${{ steps.upload.outcome != 'skipped' && 'true' || '' }} | |
| steps: | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: tarballs | |
| path: tarballs | |
| - name: Extract tarball | |
| shell: bash | |
| run: | | |
| tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP" | |
| echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV" | |
| - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe # v31.10.3 | |
| with: | |
| extra_nix_config: sandbox = true | |
| - name: Evaluate V8 derivation | |
| id: v8-drv | |
| run: | | |
| V8_DRV=$( | |
| nix-instantiate -E "builtins.filter (p: p.pname == ''v8'') (import $TAR_DIR/shell.nix { useSeparateDerivationForV8=true; }).buildInputs" | |
| ) | |
| echo "V8_DRV=$V8_DRV" >> "$GITHUB_OUTPUT" | |
| echo "STORE_PATH=$(nix-store -q --outputs "$V8_DRV")" >> "$GITHUB_OUTPUT" | |
| - name: Check if available on Cachix | |
| id: cachix-check | |
| run: | | |
| echo 'HAS_WRITE_TOKEN=${{ secrets.CACHIX_AUTH_TOKEN && 'true' }}' >> "$GITHUB_OUTPUT" | |
| set -x | |
| [ "$(curl -ISsw "%{http_code}" -o /dev/null "https://nodejs.cachix.org/$(basename ${V8_STORE_PATH%-v8-*}).narinfo")" != "200" ] || | |
| echo "ALREADY_CACHED=true" >> "$GITHUB_OUTPUT" | |
| env: | |
| V8_STORE_PATH: ${{ steps.v8-drv.outputs.STORE_PATH }} | |
| - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17 | |
| if: ${{ steps.cachix-check.outputs.ALREADY_CACHED != 'true' }} | |
| with: | |
| name: nodejs | |
| authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| - name: Build V8 derivation | |
| if: ${{ steps.cachix-check.outputs.ALREADY_CACHED != 'true' }} | |
| run: nix-store --export "$(nix-build "$V8_DRV")" > libv8 | |
| env: | |
| V8_DRV: ${{ steps.v8-drv.outputs.V8_DRV }} | |
| - name: Upload libv8 | |
| if: ${{ steps.cachix-check.outputs.ALREADY_CACHED != 'true' && steps.cachix-check.outputs.HAS_WRITE_TOKEN != 'true' }} | |
| id: upload | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: libv8 | |
| path: libv8 | |
| # Builds the matrix for `build-openssl` from tools/nix/openssl-matrix.json. | |
| # Output shape: | |
| # [{ "version": "3.6.1", "attr": "openssl_3_6", "continue-on-error": false }, ...] | |
| collect-openssl-versions: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-slim | |
| outputs: | |
| matrix: ${{ steps.query.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: tools/nix/openssl-matrix.json | |
| sparse-checkout-cone-mode: false | |
| - id: query | |
| run: | | |
| { | |
| echo 'matrix<<EOF' | |
| cat tools/nix/openssl-matrix.json | |
| echo 'EOF' | |
| } >> "$GITHUB_OUTPUT" | |
| # Builds and tests Node.js with shared libraries against every supported | |
| # OpenSSL release version available in the repo-pinned nixpkgs. The default | |
| # shared `openssl` from tools/nix/sharedLibDeps.nix is overridden per matrix | |
| # entry, while all other shared libs remain at their defaults. Only runs on | |
| # a single runner/system (aarch64-linux) to keep the matrix to a minimum. | |
| build-openssl: | |
| needs: | |
| - build-aarch64-linux-v8 | |
| - collect-openssl-versions | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| openssl: ${{ fromJSON(needs.collect-openssl-versions.outputs.matrix) }} | |
| name: 'aarch64-linux: with shared ${{ matrix.openssl.attr }} (${{ matrix.openssl.version }})' | |
| runs-on: ubuntu-24.04-arm | |
| continue-on-error: ${{ matrix.openssl['continue-on-error'] }} | |
| env: | |
| OPENSSL_ATTR: ${{ matrix.openssl.attr }} | |
| OPENSSL_VERSION: ${{ matrix.openssl.version }} | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| sparse-checkout: .github/actions | |
| sparse-checkout-cone-mode: false | |
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| if: ${{ needs.build-aarch64-linux-v8.outputs.local-cache }} | |
| with: | |
| name: libv8 | |
| - uses: ./.github/actions/build-shared | |
| name: Build and test Node.js | |
| with: | |
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | |
| # Override just the `openssl` attr of the default shared-lib set with | |
| # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All | |
| # other shared libs (brotli, cares, libuv, β¦) keep their defaults. | |
| # `permittedInsecurePackages` whitelists just the matrix-selected | |
| # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support | |
| # cycles evaluate without relaxing nixpkgs' meta check globally. | |
| extra-nix-flags: | | |
| --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8)"' || 'true' }} \ | |
| --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // { | |
| openssl = (import $TAR_DIR/tools/nix/pkgs.nix { config.permittedInsecurePackages = [ \"openssl-$OPENSSL_VERSION\" ]; }).$OPENSSL_ATTR; | |
| }" \ |