Skip to content
This repository was archived by the owner on Sep 26, 2025. It is now read-only.

Commit c2b5a49

Browse files
authored
chore: update CI (#240)
### **PR Type** Enhancement ___ ### **Description** • Enhanced CI security with permission checks and safe_to_test label • Added AI-powered PR review workflow with Claude integration • Migrated to Blacksmith runners and S3-based Nix cache • Improved AWS integration with OIDC and ECR authentication ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>checks.yaml</strong><dd><code>Enhanced security with permission checks</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></summary> <hr> .github/workflows/checks.yaml • Changed trigger from <code>pull_request</code> to <code>pull_request_target</code> for <br>security<br> • Added permission check job requiring <code>safe_to_test</code> label or <br>trusted user<br> • Added secrets for AWS account, Nix cache keys<br> • Added <br>job to automatically remove <code>safe_to_test</code> label after use </details> </td> <td><a href="https://github.com/nhost/hasura-storage/pull/240/files#diff-4af11422a4987e947e5a47adead7a30d32cdb2db82e2d3fe36f8e6cbe84d5ac5">+36/-2</a>&nbsp; &nbsp; </td> </tr> <tr> <td> <details> <summary><strong>gen_ai_review.yaml</strong><dd><code>Added AI review workflow</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></summary> <hr> .github/workflows/gen_ai_review.yaml • New workflow for AI-powered PR reviews using Claude Sonnet model<br> • <br>Triggers on PR events and issue comments<br> • Configured with OpenAI and <br>Anthropic API keys<br> • Ignores generated files and vendor directories </details> </td> <td><a href="https://github.com/nhost/hasura-storage/pull/240/files#diff-d1e4c772e0acb5ce4891df2dd94ba58ffaf6393e8f75493ec7e10cbce1c4992c">+27/-0</a>&nbsp; &nbsp; </td> </tr> <tr> <td> <details> <summary><strong>wf_build_artifacts.yaml</strong><dd><code>Migrated to Blacksmith runners and S3 cache</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></summary> <hr> .github/workflows/wf_build_artifacts.yaml • Migrated from Ubuntu runners to Blacksmith ARM/x64 runners<br> • <br>Replaced Magic Nix Cache with S3-based cache using AWS credentials<br> • <br>Added AWS OIDC configuration and ECR integration<br> • Improved <br>architecture detection and artifact naming </details> </td> <td><a href="https://github.com/nhost/hasura-storage/pull/240/files#diff-63d6f3e2e5894df4d88cf2c82b3d0c90e7b0b7c8ca9da25a3d46f35f15270fb0">+28/-22</a>&nbsp; </td> </tr> <tr> <td> <details> <summary><strong>wf_check.yaml</strong><dd><code>Enhanced checks with AWS integration</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></summary> <hr> .github/workflows/wf_check.yaml • Migrated to Blacksmith ARM runner with reduced timeout<br> • Added AWS <br>OIDC and ECR login configuration<br> • Replaced Magic Nix Cache with <br>S3-based cache<br> • Enhanced build verification for both Go and Node <br>components </details> </td> <td><a href="https://github.com/nhost/hasura-storage/pull/240/files#diff-c2ecea6736037ba6304681d744d612d44d7681788d2fbc58ce223cf52ecefa43">+47/-25</a>&nbsp; </td> </tr> </table></td></tr><tr><td><strong>Configuration changes</strong></td><td><table> <tr> <td> <details> <summary><strong>release.yaml</strong><dd><code>Updated release workflow secrets</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></summary> <hr> .github/workflows/release.yaml • Added secrets for AWS account and Nix cache keys<br> • Removed <code>DOCKER</code> <br>input parameter from build artifacts call </details> </td> <td><a href="https://github.com/nhost/hasura-storage/pull/240/files#diff-e426ed45842837026e10e66af23d9c7077e89eacbe6958ce7cb991130ad05ada">+9/-1</a>&nbsp; &nbsp; &nbsp; </td> </tr> </table></td></tr></tr></tbody></table> ___ > <details> <summary> Need help?</summary><li>Type <code>/help how to ...</code> in the comments thread for any questions about PR-Agent usage.</li><li>Check out the <a href="https://qodo-merge-docs.qodo.ai/usage-guide/">documentation</a> for more information.</li></details>
1 parent b0a2ceb commit c2b5a49

6 files changed

Lines changed: 149 additions & 50 deletions

File tree

.github/workflows/checks.yaml

Lines changed: 36 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,56 @@
11
---
22
name: "check and build"
33
on:
4-
pull_request:
4+
pull_request_target:
55
push:
66
branches:
77
- main
88

99
jobs:
10+
check-permissions:
11+
runs-on: ubuntu-latest
12+
steps:
13+
- run: |
14+
echo "github.event_name: ${{ github.event_name }}"
15+
echo "github.event.pull_request.author_association: ${{ github.event.pull_request.author_association }}"
16+
- name: "This task will run and fail if user has no permissions and label safe_to_test isn't pressent"
17+
if: "github.event_name == 'pull_request_target' && ! ( contains(github.event.pull_request.labels.*.name, 'safe_to_test') || contains(fromJson('[\"OWNER\", \"MEMBER\", \"COLLABORATOR\"]'), github.event.pull_request.author_association) )"
18+
run: |
19+
exit 1
20+
1021
tests:
1122
uses: ./.github/workflows/wf_check.yaml
23+
needs:
24+
- check-permissions
1225
with:
1326
NAME: hasura-storage
1427
GIT_REF: ${{ github.event.pull_request.head.sha }}
28+
secrets:
29+
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
30+
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
31+
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
1532

1633
build_artifacts:
1734
uses: ./.github/workflows/wf_build_artifacts.yaml
35+
needs:
36+
- check-permissions
1837
with:
1938
NAME: hasura-storage
2039
VERSION: 0.0.0-dev # hardcoded to avoid rebuilding
21-
DOCKER: true
2240
GIT_REF: ${{ github.event.pull_request.head.sha }}
41+
secrets:
42+
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
43+
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
44+
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
45+
46+
remove_label:
47+
runs-on: ubuntu-latest
48+
needs:
49+
- check-permissions
50+
steps:
51+
- uses: actions/checkout@v4
52+
- uses: actions-ecosystem/action-remove-labels@v1
53+
with:
54+
labels: |
55+
safe_to_test
56+
if: contains(github.event.pull_request.labels.*.name, 'safe_to_test')
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
---
2+
name: "gen: AI review"
3+
on:
4+
pull_request:
5+
types: [opened, reopened, ready_for_review]
6+
issue_comment:
7+
jobs:
8+
pr_agent_job:
9+
if: ${{ github.event.sender.type != 'Bot' }}
10+
runs-on: ubuntu-latest
11+
timeout-minutes: 10
12+
permissions:
13+
issues: write
14+
pull-requests: write
15+
name: Run pr agent on every pull request, respond to user comments
16+
steps:
17+
- name: PR Agent action step
18+
id: pragent
19+
uses: Codium-ai/pr-agent@v0.29
20+
env:
21+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
22+
OPENAI_KEY: ${{ secrets.OPENAI_API_KEY }}
23+
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
24+
config.max_model_tokens: 100000
25+
config.model: "anthropic/claude-sonnet-4-20250514"
26+
config.model_turbo: "anthropic/claude-sonnet-4-20250514"
27+
ignore.glob: "['vendor/**','**/client_gen.go','**/models_gen.go','**/generated.go','**/*.gen.go']"

.github/workflows/release.yaml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,13 +9,21 @@ jobs:
99
uses: ./.github/workflows/wf_check.yaml
1010
with:
1111
NAME: hasura-storage
12+
secrets:
13+
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
14+
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
15+
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
16+
1217

1318
build_artifacts:
1419
uses: ./.github/workflows/wf_build_artifacts.yaml
1520
with:
1621
NAME: hasura-storage
1722
VERSION: ${{ github.ref_name }}
18-
DOCKER: true
23+
secrets:
24+
AWS_ACCOUNT_ID: ${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}
25+
NIX_CACHE_PUB_KEY: ${{ secrets.NIX_CACHE_PUB_KEY }}
26+
NIX_CACHE_PRIV_KEY: ${{ secrets.NIX_CACHE_PRIV_KEY }}
1927

2028
push_docker_image:
2129
uses: ./.github/workflows/wf_docker_push_image.yaml

.github/workflows/wf_build_artifacts.yaml

Lines changed: 28 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -15,20 +15,23 @@ on:
1515
type: string
1616
default: "."
1717
required: false
18-
DOCKER:
19-
type: boolean
18+
secrets:
19+
AWS_ACCOUNT_ID:
20+
required: true
21+
NIX_CACHE_PUB_KEY:
22+
required: true
23+
NIX_CACHE_PRIV_KEY:
2024
required: true
2125

2226
jobs:
2327
artifacts:
24-
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
2528
permissions:
2629
id-token: write
2730
contents: write
2831

2932
strategy:
3033
matrix:
31-
os: [ubuntu-22.04, ubuntu-arm64-22.04-2cores]
34+
os: [blacksmith-2vcpu-ubuntu-2404-arm, blacksmith-2vcpu-ubuntu-2404]
3235
fail-fast: true
3336

3437
runs-on: ${{ matrix.os }}
@@ -41,6 +44,12 @@ jobs:
4144
fetch-depth: 0
4245
ref: ${{ inputs.GIT_REF }}
4346

47+
- name: Configure aws
48+
uses: aws-actions/configure-aws-credentials@v4
49+
with:
50+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
51+
aws-region: eu-central-1
52+
4453
- uses: cachix/install-nix-action@v31
4554
with:
4655
install_url: "https://releases.nixos.org/nix/nix-2.22.3/install"
@@ -49,20 +58,15 @@ jobs:
4958
experimental-features = nix-command flakes
5059
sandbox = false
5160
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
52-
substituters = https://cache.nixos.org/?priority=40
53-
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
54-
55-
- uses: DeterminateSystems/magic-nix-cache-action@v9
56-
with:
57-
diagnostic-endpoint: ""
58-
use-flakehub: false
61+
substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
62+
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
5963
6064
- name: Compute common env vars
6165
id: vars
6266
run: |
6367
echo "VERSION=$(make get-version VER=${{ inputs.VERSION }})" >> $GITHUB_OUTPUT
64-
echo "ARCHITECTURE=$(uname -m)" >> $GITHUB_OUTPUT
65-
68+
ARCH=$([ "${{ runner.arch }}" == "X64" ] && echo "x86_64" || echo "aarch64")
69+
echo "ARCH=${ARCH}" >> $GITHUB_OUTPUT
6670
- name: "Build artifact"
6771
run: |
6872
make build
@@ -71,24 +75,26 @@ jobs:
7175
- name: "Push artifact to artifact repository"
7276
uses: actions/upload-artifact@v4
7377
with:
74-
name: ${{ inputs.NAME }}-artifact-${{ steps.vars.outputs.ARCHITECTURE }}-${{ steps.vars.outputs.VERSION }}
75-
path: result/bin/hasura-storage
78+
name: ${{ inputs.NAME }}-artifact-${{ steps.vars.outputs.ARCH }}-${{ steps.vars.outputs.VERSION }}
79+
path: result.zip
7680
retention-days: 7
7781

7882
- name: "Build docker image"
7983
run: |
84+
sudo chmod 755 /run/containers
85+
sudo mkdir -p "/run/containers/$(id -u runner)"
86+
sudo chown runner: "/run/containers/$(id -u runner)"
8087
make build-docker-image
81-
if: ${{ ( inputs.DOCKER ) }}
8288
8389
- name: "Push docker image to artifact repository"
8490
uses: actions/upload-artifact@v4
8591
with:
86-
name: ${{ inputs.NAME }}-docker-image-${{ steps.vars.outputs.ARCHITECTURE }}-${{ steps.vars.outputs.VERSION }}
92+
name: ${{ inputs.NAME }}-docker-image-${{ steps.vars.outputs.ARCH }}-${{ steps.vars.outputs.VERSION }}
8793
path: result
8894
retention-days: 7
89-
if: ${{ ( inputs.DOCKER ) }}
9095

91-
# - name: "Cache build environment"
92-
# run: |
93-
# # DEPENDENCIES=($(nix-store --query --requisites --include-outputs ${{ steps.verify-build.outputs.DERIVATION_PATH }}))
94-
# nix copy --to http://127.0.0.1:37515 "${DEPENDENCIES[@]}" || exit 0
96+
- name: "Cache build"
97+
run: |
98+
nix store sign --key-file <(echo "${{ secrets.NIX_CACHE_PRIV_KEY }}") --all
99+
find /nix/store -maxdepth 1 -name "*-*" -type d -exec nix copy --to s3://nhost-nix-cache\?region=eu-central-1 {} \;
100+
if: always()

.github/workflows/wf_check.yaml

Lines changed: 47 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -8,24 +8,42 @@ on:
88
GIT_REF:
99
type: string
1010
required: false
11+
secrets:
12+
AWS_ACCOUNT_ID:
13+
required: true
14+
NIX_CACHE_PUB_KEY:
15+
required: true
16+
NIX_CACHE_PRIV_KEY:
17+
required: true
1118

1219
jobs:
1320
tests:
14-
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
21+
runs-on: blacksmith-2vcpu-ubuntu-2404-arm
22+
timeout-minutes: 30
23+
1524
permissions:
1625
id-token: write
1726
contents: write
1827

19-
20-
runs-on: ubuntu-22.04
21-
timeout-minutes: 180
22-
2328
steps:
2429
- name: "Check out repository"
2530
uses: actions/checkout@v4
2631
with:
2732
fetch-depth: 0
2833
ref: ${{ inputs.GIT_REF }}
34+
actions: read
35+
36+
- name: Configure aws
37+
uses: aws-actions/configure-aws-credentials@v4
38+
with:
39+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
40+
aws-region: eu-central-1
41+
42+
- name: Login to Amazon ECR
43+
id: login-ecr
44+
uses: aws-actions/amazon-ecr-login@v2
45+
with:
46+
mask-password: 'true'
2947

3048
- uses: cachix/install-nix-action@v31
3149
with:
@@ -35,39 +53,43 @@ jobs:
3553
experimental-features = nix-command flakes
3654
sandbox = false
3755
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
38-
substituters = https://cache.nixos.org/?priority=40
39-
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
40-
41-
- uses: DeterminateSystems/magic-nix-cache-action@v9
42-
with:
43-
diagnostic-endpoint: ""
44-
use-flakehub: false
56+
substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
57+
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
4558
4659
- name: "Verify if we need to build"
4760
id: verify-build
4861
run: |
49-
export drvPath=$(make check-dry-run)
50-
echo "drvPath - $drvPath"
51-
nix store verify --no-trust --store http://127.0.0.1:37515 $drvPath \
52-
&& export BUILD_NEEDED=no \
53-
|| export BUILD_NEEDED=yes
62+
export drvPathGo=$(make check-dry-run-go)
63+
export drvPathNode=$(make check-dry-run-node)
64+
65+
nix store verify --no-trust --store s3://nhost-nix-cache\?region=eu-central-1 $drvPathGo \
66+
&& export GO_BUILD_NEEDED=no \
67+
|| export GO_BUILD_NEEDED=yes
68+
69+
nix store verify --no-trust --store s3://nhost-nix-cache\?region=eu-central-1 $drvPathNode \
70+
&& export NODE_BUILD_NEEDED=no \
71+
|| export NODE_BUILD_NEEDED=yes
72+
73+
# Set BUILD_NEEDED to yes if either Go or Node build is needed
74+
if [ "$GO_BUILD_NEEDED" = "yes" ] || [ "$NODE_BUILD_NEEDED" = "yes" ]; then
75+
export BUILD_NEEDED=yes
76+
else
77+
export BUILD_NEEDED=no
78+
fi
5479
5580
echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT
56-
echo DERIVATION_PATH=$drvPath >> $GITHUB_OUTPUT
5781
5882
- name: "Start containters for integration tests"
5983
run: |
60-
make build-docker-image
61-
nix develop -c make dev-env-up
84+
nix develop .\#${{ inputs.NAME }} -c make dev-env-up
6285
if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
6386

6487
- name: "Run checks"
6588
run: make check
6689
if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
6790

68-
- name: "Cache checks"
91+
- name: "Cache build"
6992
run: |
70-
# DEPENDENCIES=($(nix-store --query --requisites --include-outputs ${{ steps.verify-build.outputs.DERIVATION_PATH }}))
71-
# nix copy --to http://127.0.0.1:37515 "${DEPENDENCIES[@]}" || exit 0
72-
nix copy --to http://127.0.0.1:37515 ${{ steps.verify-build.outputs.DERIVATION_PATH }}|| exit 0
73-
if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
93+
nix store sign --key-file <(echo "${{ secrets.NIX_CACHE_PRIV_KEY }}") --all
94+
find /nix/store -maxdepth 1 -name "*-*" -type d -exec nix copy --to s3://nhost-nix-cache\?region=eu-central-1 {} \;
95+
if: always()

flake.nix

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -104,6 +104,8 @@
104104
ccls
105105
] ++ buildInputs ++ nativeBuildInputs ++ checkDeps;
106106
};
107+
108+
hasura-storage = default;
107109
};
108110

109111
packages = flake-utils.lib.flattenTree rec {

0 commit comments

Comments
 (0)