deploy feat(home): expand claude-code read permissions for nix store and sys… #81
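# Deploys NixOS hosts with deploy-rs: automatically after a successful CI run on
# main (only the hosts whose inputs changed), or on demand for a chosen host.
name: Deploy
run-name: >-
  ${{ github.event_name == 'workflow_dispatch'
  && format('deploy {0}', inputs.hosts)
  || format('deploy {0}', github.event.workflow_run.display_title) }}

on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
    branches: [main]
  workflow_dispatch:
    inputs:
      hosts:
        description: "Hosts to deploy"
        required: false
        default: "all"
        type: choice
        options:
          - all
          - glyph
          - spore
          - zeta

# Least privilege for GITHUB_TOKEN: nothing below writes to the repository
# (checkout and install-nix-action only read), so drop the default write scopes.
permissions:
  contents: read

# Third-party actions are referenced by tag; pinning each `uses:` to a full
# commit SHA would protect against a tag being moved.
jobs:
  # Computes the deploy matrix: which hosts to deploy and on which runner.
  changes:
    # Only deploy after a green CI run, or when triggered by hand.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
        with:
          # paths-filter needs the previous commit to diff against.
          fetch-depth: 2
      - uses: dorny/paths-filter@v3
        id: filter
        # Manual runs name their hosts explicitly; no path filtering needed.
        if: github.event_name != 'workflow_dispatch'
        with:
          filters: |
            glyph:
              - 'hosts/glyph/**'
              - 'lib/secrets/glyph.nix'
            spore:
              - 'hosts/spore/**'
              - 'lib/secrets/spore.nix'
            zeta:
              - 'hosts/zeta/**'
              - 'lib/secrets/zeta.nix'
            shared:
              - 'modules/**'
              - 'home/**'
              - 'lib/*'
              - 'lib/secrets/default.nix'
              - 'lib/secrets/home.nix'
              - 'overlays/**'
              - 'packages/**'
              - 'secrets/**'
              - 'flake.nix'
              - 'flake.lock'
      - id: set-matrix
        # Expression values are handed to the script through the environment
        # instead of being templated into its text, so they can never be
        # parsed as shell syntax.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REQUESTED_HOSTS: ${{ inputs.hosts }}
          CHANGED_SHARED: ${{ steps.filter.outputs.shared }}
          CHANGED_GLYPH: ${{ steps.filter.outputs.glyph }}
          CHANGED_SPORE: ${{ steps.filter.outputs.spore }}
          CHANGED_ZETA: ${{ steps.filter.outputs.zeta }}
        run: |
          # Every host with its system and the runner that can build for it.
          all='[{"host":"glyph","system":"x86_64-linux","runner":"ubuntu-latest"},{"host":"spore","system":"x86_64-linux","runner":"ubuntu-latest"},{"host":"zeta","system":"aarch64-linux","runner":"ubuntu-24.04-arm"}]'

          # Writes the job output from a JSON array of host entries.
          emit() {
            echo "matrix={\"include\":$1}" >> "$GITHUB_OUTPUT"
          }
          # Filters $all down to the named hosts, keeping the order of $all;
          # unknown names simply match nothing.
          pick() {
            echo "$all" | jq -c --args '[.[] | select(.host | IN($ARGS.positional[]))]' "$@"
          }

          # Manual run: the chosen host, or every host.
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            if [[ "$REQUESTED_HOSTS" == "all" ]]; then
              emit "$all"
            else
              emit "$(pick "$REQUESTED_HOSTS")"
            fi
            exit 0
          fi

          # A change to shared inputs affects every host.
          if [[ "$CHANGED_SHARED" == "true" ]]; then
            emit "$all"
            exit 0
          fi

          # Otherwise collect just the hosts whose own paths changed.
          changed=()
          [[ "$CHANGED_GLYPH" == "true" ]] && changed+=(glyph)
          [[ "$CHANGED_SPORE" == "true" ]] && changed+=(spore)
          [[ "$CHANGED_ZETA" == "true" ]] && changed+=(zeta)
          selected=$(pick "${changed[@]}")

          # Fallback: deploy everything rather than nothing when no host
          # matched (e.g. a change the filters do not classify).
          if [[ "$selected" == "[]" ]]; then
            emit "$all"
          else
            emit "$selected"
          fi

  deploy:
    needs: changes
    # One deploy per host at a time; queued runs wait instead of cancelling.
    concurrency:
      group: deploy-${{ matrix.host }}
      cancel-in-progress: false
    # Per-host environment: its secrets and protection rules apply to the job.
    environment: ${{ matrix.host }}
    strategy:
      matrix: ${{ fromJson(needs.changes.outputs.matrix) }}
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
          extra_nix_config: |
            extra-substituters = https://cache.zx.dev/main
            extra-trusted-public-keys = main:mu0jkxdJTGWC3djDSEQb3rvZgqlhA8WVMulcTo5IW6c=
      - name: Configure Attic cache
        # The token reaches the script via the environment, not the script text.
        env:
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          nix profile install --inputs-from . attic#attic-client --fallback
          attic login rc https://cache.zx.dev "$ATTIC_TOKEN"
          attic use rc:main
      - name: Connect to Tailscale
        uses: tailscale/github-action@v3
        with:
          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
          tags: tag:ci
      - name: Configure SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          # Create the key file with restrictive permissions from the start
          # instead of world-readable-then-chmod'ed.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # NOTE(review): accept-new on a fresh runner trusts whichever host key
          # is offered on first contact; pinning the hosts' keys into
          # ~/.ssh/known_hosts would close that window.
          cat >> ~/.ssh/config <<'EOF'
          Host glyph spore zeta
          User root
          IdentityFile ~/.ssh/deploy_key
          IdentitiesOnly yes
          StrictHostKeyChecking accept-new
          EOF
      - name: Deploy to ${{ matrix.host }}
        env:
          NIX_SSHOPTS: "-i ~/.ssh/deploy_key -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new"
          TARGET_HOST: ${{ matrix.host }}
        run: |
          # --skip-checks: presumably the flake checks already ran in the CI
          # workflow this job is gated on — confirm before relying on it.
          nix run --inputs-from . deploy-rs -- \
            ".#$TARGET_HOST" \
            --skip-checks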