check perms .github/workflows/check.yml
# PR / merge-queue gate: verifies no LFS-tracked files slipped in and lints
# commit messages. Runs only against PRs targeting main or union-1-staging.
name: Check
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches:
      - main
      - union-1-staging
  merge_group:
# Workflow-wide read-only token; nothing here writes to the repository.
# (read-all grants read on every scope; `contents: read` alone would be tighter — confirm nothing needs more.)
permissions: read-all
# One run per ref; a newer push cancels the previous check of the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions below are pinned to mutable major
      # tags (@v4, @v5), not commit SHAs — a retagged release changes what runs.
      - uses: actions/checkout@v4
        with:
          lfs: true
          # Full history rather than a shallow clone — presumably so the LFS
          # script and commitlint can inspect the PR's whole commit range; confirm.
          fetch-depth: 0
      - name: Check for LFS files
        run: ./.github/scripts/lfs.sh
      - name: Lint commit messages
        uses: wagoid/commitlint-github-action@v5
        with:
          # Warnings are reported but do not fail the check.
          failOnWarnings: false
deploy-app2 .github/workflows/deploy-app2.yml
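# Builds the app2 site with nix and publishes the result to Cloudflare Pages.
# One job runs per trigger: pull_request -> preview deploy plus a PR comment,
# workflow_dispatch -> preview deploy, push to main -> staging, push to
# release/app2 -> production.
name: Deploy App 2
on:
  push:
    branches:
      - main
      - release/app2
    paths:
      - 'app2/**'
  pull_request:
    paths:
      - 'app2/**'
  workflow_dispatch:
# Least-privilege default for the GITHUB_TOKEN of every job; deploy-preview
# widens it below because it posts a PR comment. The Cloudflare deploys use
# their own secrets, not the GITHUB_TOKEN.
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # NOTE(review): a newer push to main or release/app2 also cancels an
  # in-flight staging/production deploy of the previous commit — confirm
  # that is intended.
  cancel-in-progress: true
env:
  NODE_OPTIONS: '--no-warnings'
  ACTIONS_RUNNER_DEBUG: true
jobs:
  deploy-preview:
    runs-on: ['ubuntu-latest']
    permissions:
      contents: read
      pull-requests: write
    env:
      npm_config_yes: true
      ENVIRONMENT: 'preview'
    environment: 'app2-preview'
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        # ENVIRONMENT is already exported by the job-level env above; the
        # former step-level re-assignment was a no-op and is dropped.
        run: |
          nix build .#app2
      - name: '[preview] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # NOTE(review): `wrangler@latest` is resolved from npm at run time while
        # the deploy token is in the environment; pin an exact version so a
        # bad or compromised release cannot reach the token unnoticed.
        # Only stdout is captured for the PR comment below.
        run: npx --yes wrangler@latest pages --project-name="app2" deploy result >> /tmp/app2_deploy.txt
      - name: Set Deploy Output
        # Exports the last two lines of wrangler's output plus a UTC timestamp
        # for the comment step. Previously nothing set LAST_UPDATED_AT, so the
        # comment's bold line rendered empty.
        run: |
          {
            echo 'DEPLOY_OUTPUT<<EOF'
            tail -n 2 /tmp/app2_deploy.txt
            echo 'EOF'
            echo "LAST_UPDATED_AT=$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
          } >> "$GITHUB_ENV"
      - name: Comment Site Deploy Results
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: |
            # App 2 🤌
            ${{ env.DEPLOY_OUTPUT }}
            **${{ env.LAST_UPDATED_AT }}**
          # Stable tag so re-runs update the same comment instead of adding one.
          comment_tag: deploy-app2-preview-result
  deploy-manual:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
      ENVIRONMENT: 'preview'
    # NOTE(review): no `environment:` here, so the CLOUDFLARE_* secrets resolve
    # from repository/organisation secrets rather than an environment — confirm
    # that is intended for manual deploys.
    if: github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#app2
      - name: '[workflow-dispatch] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # NOTE(review): pin wrangler to an exact version (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="app2" deploy result
  deploy-staging:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
      ENVIRONMENT: 'staging'
    environment: 'app2-staging'
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#app2
      - name: '[staging] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # Deploys to the Pages "staging" branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="app2" --branch="staging" deploy result
  deploy-production:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
      ENVIRONMENT: 'production'
    environment: 'app2-production'
    if: github.event_name == 'push' && github.ref == 'refs/heads/release/app2'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#app2
      - name: '[production] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # Deploys to the Pages "main" (production) branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="app2" --branch="main" deploy result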
deploy-ceremony .github/workflows/deploy-ceremony.yml
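# Builds the ceremony site with nix and publishes the result to Cloudflare
# Pages. One job runs per trigger: pull_request -> preview deploy plus a PR
# comment, workflow_dispatch -> preview deploy, push to main -> staging, push
# to release/ceremony -> production.
name: Deploy Ceremony
on:
  push:
    branches:
      - main
      - release/ceremony
    paths:
      - 'ceremony/**'
  pull_request:
    paths:
      - 'ceremony/**'
  workflow_dispatch:
# Least-privilege default for the GITHUB_TOKEN of every job; deploy-preview
# widens it below because it posts a PR comment. The Cloudflare deploys use
# their own secrets, not the GITHUB_TOKEN.
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # NOTE(review): a newer push to main or release/ceremony also cancels an
  # in-flight staging/production deploy of the previous commit — confirm
  # that is intended.
  cancel-in-progress: true
env:
  NODE_OPTIONS: '--no-warnings'
  ACTIONS_RUNNER_DEBUG: true
  ASTRO_TELEMETRY_DISABLED: true
jobs:
  deploy-preview:
    runs-on: ['ubuntu-latest']
    permissions:
      contents: read
      pull-requests: write
    env:
      npm_config_yes: true
    environment: 'ceremony-preview'
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#ceremony
      - name: '[preview] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # NOTE(review): `wrangler@latest` is resolved from npm at run time while
        # the deploy token is in the environment; pin an exact version so a
        # bad or compromised release cannot reach the token unnoticed.
        # Only stdout is captured for the PR comment below.
        run: npx --yes wrangler@latest pages --project-name="ceremony" deploy result >> /tmp/ceremony_deploy.txt
      - name: Set Deploy Output
        # Exports the last two lines of wrangler's output plus a UTC timestamp
        # for the comment step. Previously nothing set LAST_UPDATED_AT, so the
        # comment's bold line rendered empty.
        run: |
          {
            echo 'DEPLOY_OUTPUT<<EOF'
            tail -n 2 /tmp/ceremony_deploy.txt
            echo 'EOF'
            echo "LAST_UPDATED_AT=$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
          } >> "$GITHUB_ENV"
      - name: Comment Site Deploy Results
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: |
            # Ceremony 🤌
            ${{ env.DEPLOY_OUTPUT }}
            **${{ env.LAST_UPDATED_AT }}**
          # Stable tag so re-runs update the same comment instead of adding one.
          comment_tag: deploy-ceremony-preview-result
  deploy-manual:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    # NOTE(review): no `environment:` here, so the CLOUDFLARE_* secrets resolve
    # from repository/organisation secrets rather than an environment — confirm
    # that is intended for manual deploys.
    if: github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#ceremony
      - name: '[workflow-dispatch] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # NOTE(review): pin wrangler to an exact version (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="ceremony" deploy result
  deploy-staging:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    environment: 'ceremony-staging'
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#ceremony
      - name: '[staging] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # Deploys to the Pages "staging" branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="ceremony" --branch="staging" deploy result
  deploy-production:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    environment: 'ceremony-production'
    if: github.event_name == 'push' && github.ref == 'refs/heads/release/ceremony'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#ceremony
      - name: '[production] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # Deploys to the Pages "main" (production) branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="ceremony" --branch="main" deploy result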
deploy-docs .github/workflows/deploy-docs.yml
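# Builds the docs site with nix and publishes the result to Cloudflare Pages.
# One job runs per trigger: pull_request -> preview deploy plus a PR comment,
# workflow_dispatch -> preview deploy, push to main -> production. Unlike the
# other site workflows there is no staging job.
name: Deploy Docs
on:
  push:
    branches:
      - main
    paths:
      - 'docs/**'
      - 'versions/**'
      - 'networks/genesis/**'
  pull_request:
    paths:
      - 'docs/**'
      - 'versions/**'
      - 'networks/genesis/**'
  workflow_dispatch:
# Least-privilege default for the GITHUB_TOKEN of every job; deploy-preview
# widens it below because it posts a PR comment. The Cloudflare deploys use
# their own secrets, not the GITHUB_TOKEN.
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # NOTE(review): a newer push to main also cancels an in-flight production
  # deploy of the previous commit — confirm that is intended.
  cancel-in-progress: true
env:
  NODE_OPTIONS: '--no-warnings'
  ACTIONS_RUNNER_DEBUG: true
  ASTRO_TELEMETRY_DISABLED: true
jobs:
  deploy-preview:
    runs-on: ['ubuntu-latest']
    permissions:
      contents: read
      pull-requests: write
    env:
      npm_config_yes: true
    environment: 'docs-preview'
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#docs
      - name: '[preview] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          # NOTE(review): this workflow uses CLOUDFLARE_API_TOKEN, the other site
          # workflows use CLOUDFLARE_WORKERS_API_TOKEN — confirm the intended scope.
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
        # NOTE(review): `wrangler@latest` is resolved from npm at run time while
        # the deploy token is in the environment; pin an exact version so a
        # bad or compromised release cannot reach the token unnoticed.
        # Only stdout is captured for the PR comment below.
        run: npx --yes wrangler@latest pages --project-name="docs" deploy result >> /tmp/docs_deploy.txt
      - name: Set Deploy Output
        # Exports the last two lines of wrangler's output plus a UTC timestamp
        # for the comment step. Previously nothing set LAST_UPDATED_AT, so the
        # comment's bold line rendered empty.
        run: |
          {
            echo 'DEPLOY_OUTPUT<<EOF'
            tail -n 2 /tmp/docs_deploy.txt
            echo 'EOF'
            echo "LAST_UPDATED_AT=$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
          } >> "$GITHUB_ENV"
      - name: Comment Site Deploy Results
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: |
            # Docs 🤌
            ${{ env.DEPLOY_OUTPUT }}
            **${{ env.LAST_UPDATED_AT }}**
          # Stable tag so re-runs update the same comment instead of adding one.
          comment_tag: deploy-docs-preview-result
  deploy-manual:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    # NOTE(review): no `environment:` here, so the CLOUDFLARE_* secrets resolve
    # from repository/organisation secrets rather than an environment — confirm
    # that is intended for manual deploys.
    if: github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#docs
      - name: '[workflow-dispatch] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
        # NOTE(review): pin wrangler to an exact version (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="docs" deploy result
  deploy-production:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    environment: 'docs-production'
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#docs
      - name: '[production] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
        # Deploys to the Pages "main" (production) branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="docs" --branch="main" deploy result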
deploy-zkgm-dev .github/workflows/deploy-zkgm-dev.yml
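# Builds the zkgm-dev site with nix and publishes the result to Cloudflare
# Pages. One job runs per trigger: pull_request -> preview deploy plus a PR
# comment, workflow_dispatch -> preview deploy, push to main -> staging, push
# to release/zkgm-dev -> production.
name: Deploy Zkgm-dev
on:
  push:
    branches:
      - main
      - release/zkgm-dev
    paths:
      - 'zkgm-dev/**'
  pull_request:
    paths:
      - 'zkgm-dev/**'
  workflow_dispatch:
# Least-privilege default for the GITHUB_TOKEN of every job; deploy-preview
# widens it below because it posts a PR comment. The Cloudflare deploys use
# their own secrets, not the GITHUB_TOKEN.
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # NOTE(review): a newer push to main or release/zkgm-dev also cancels an
  # in-flight staging/production deploy of the previous commit — confirm
  # that is intended.
  cancel-in-progress: true
env:
  NODE_OPTIONS: '--no-warnings'
  ACTIONS_RUNNER_DEBUG: true
  ASTRO_TELEMETRY_DISABLED: true
jobs:
  deploy-preview:
    runs-on: ['ubuntu-latest']
    permissions:
      contents: read
      pull-requests: write
    env:
      npm_config_yes: true
    environment: 'zkgm-dev-preview'
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#zkgm-dev
      - name: '[preview] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # NOTE(review): `wrangler@latest` is resolved from npm at run time while
        # the deploy token is in the environment; pin an exact version so a
        # bad or compromised release cannot reach the token unnoticed.
        # Only stdout is captured for the PR comment below.
        run: npx --yes wrangler@latest pages --project-name="zkgm-dev" deploy result >> /tmp/zkgm-dev_deploy.txt
      - name: Set Deploy Output
        # Exports the last two lines of wrangler's output plus a UTC timestamp
        # for the comment step. Previously nothing set LAST_UPDATED_AT, so the
        # comment's bold line rendered empty.
        run: |
          {
            echo 'DEPLOY_OUTPUT<<EOF'
            tail -n 2 /tmp/zkgm-dev_deploy.txt
            echo 'EOF'
            echo "LAST_UPDATED_AT=$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
          } >> "$GITHUB_ENV"
      - name: Comment Site Deploy Results
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: |
            # zkgm.dev 🦀
            ${{ env.DEPLOY_OUTPUT }}
            **${{ env.LAST_UPDATED_AT }}**
          # Stable tag so re-runs update the same comment instead of adding one.
          comment_tag: deploy-zkgm-dev-preview-result
  deploy-manual:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    # NOTE(review): no `environment:` here, so the CLOUDFLARE_* secrets resolve
    # from repository/organisation secrets rather than an environment — confirm
    # that is intended for manual deploys.
    if: github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#zkgm-dev
      - name: '[workflow-dispatch] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # NOTE(review): pin wrangler to an exact version (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="zkgm-dev" deploy result
  deploy-staging:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    environment: 'zkgm-dev-staging'
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#zkgm-dev
      - name: '[staging] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # Deploys to the Pages "staging" branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="zkgm-dev" --branch="staging" deploy result
  deploy-production:
    runs-on: ['ubuntu-latest']
    env:
      npm_config_yes: true
    environment: 'zkgm-dev-production'
    if: github.event_name == 'push' && github.ref == 'refs/heads/release/zkgm-dev'
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        run: |
          nix build .#zkgm-dev
      - name: '[production] 🔶 Publish to Cloudflare Pages'
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        # Deploys to the Pages "main" (production) branch. Pin wrangler (see deploy-preview).
        run: npx --yes wrangler@latest pages --project-name="zkgm-dev" --branch="main" deploy result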
e2e .github/workflows/e2e.yml
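# Reusable entry point for the full e2e suite. Callers supply the three
# secrets below; this workflow forwards them to the pinned
# unionlabs/workflows build and restricts it to the listed e2e checks.
name: Full end-to-end (e2e) testsuite.
on:
  workflow_call:
    secrets:
      nixbuild_token:
        required: true
      gh_token:
        required: true
      org_token:
        required: true
jobs:
  build:
    # Pinned to a commit SHA rather than a mutable tag — keep it that way so
    # the called workflow cannot change underneath this one.
    uses: unionlabs/workflows/.github/workflows/build.yml@8fdbd5d131725a503e1e8c7a415edf6726da25c5
    secrets:
      nixbuild_token: ${{ secrets.nixbuild_token }}
      # Forward the caller-supplied gh_token. Previously this read
      # secrets.github_token, which left the required gh_token input unused.
      access-tokens: github.com=${{ secrets.gh_token }}
      org_token: ${{ secrets.org_token }}
    with:
      # jq-style filter selecting only the x86_64-linux e2e checks to build.
      filter_builds: '((.top_attr == "checks") and (.system == "x86_64-linux") and (.attr == "virtualisation-works" or .attr == "ensure-blocks" or .attr == "sepolia-runs" or .attr == "union-runs" or .attr == "epoch-completes" or .attr == "forced-set-rotation" or .attr == "upgrade-from-genesis" or .attr == "upgrade-with-tokenfactory-state"))'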
e2e-manual .github/workflows/e2e-manual.yml
# Manual trigger for the e2e suite: maps repository secrets onto the inputs
# declared by .github/workflows/e2e.yml.
name: e2e Manual
on:
  workflow_dispatch:
jobs:
  build:
    uses: ./.github/workflows/e2e.yml
    secrets:
      nixbuild_token: ${{ secrets.NIXBUILD_TOKEN }}
      # The run's own GITHUB_TOKEN, scoped by this repository's default token permissions.
      gh_token: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): an organisation-level PAT — confirm its scopes are the
      # minimum the called build needs.
      org_token: ${{ secrets.UNION_ORG_PAT }}
nightly .github/workflows/nightly.yml
# Runs the e2e suite and, when invoked from a scheduled caller and the suite
# fails, opens a tracking issue from a template.
name: Nightly
on:
  workflow_dispatch:
  workflow_call:
jobs:
  build:
    uses: ./.github/workflows/e2e.yml
    secrets:
      # NOTE(review): e2e-manual passes secrets.NIXBUILD_TOKEN here; this spells
      # it nixbuild_token, and no `secrets:` are declared under workflow_call
      # above, so when called the caller must use `secrets: inherit` — confirm.
      nixbuild_token: ${{ secrets.nixbuild_token }}
      gh_token: ${{ secrets.GITHUB_TOKEN }}
      org_token: ${{ secrets.UNION_ORG_PAT }}
  create-issue:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    needs: [build]
    # only create an issue if it failed in a scheduled run
    # NOTE(review): `schedule` is not a trigger of this file, so this only
    # matches when the workflow is called from a scheduled workflow (the
    # caller's event name is inherited).
    if: github.event_name == 'schedule' && failure()
    steps:
      - uses: actions/checkout@v4
      - uses: JasonEtco/create-an-issue@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Link back to the failed run, available to the issue template.
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        with:
          filename: .github/templates/nightly-issue-template.md
nightly-e2e-lst .github/workflows/nightly-e2e-lst.yml
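# Nightly run of the e2e-lst nix check (also runnable by hand). No `name:`
# is set, so GitHub shows the file path as the workflow name.
on:
  schedule:
    - cron: "20 4 * * *"
  workflow_dispatch:
# Nothing here writes to the repository; keep the GITHUB_TOKEN read-only
# instead of inheriting the repository default.
permissions:
  contents: read
jobs:
  # NOTE(review): the job id is copied from the deploy workflows; this job
  # runs a test check, not a deploy.
  deploy-preview:
    runs-on: ['ubuntu-latest']
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        # `--option sandbox false` runs this check outside the nix build
        # sandbox, i.e. with the runner's network and filesystem — presumably
        # required by the e2e virtualisation; keep it limited to this check.
        # `-L` streams full build logs into the job output.
        run: |
          nix build .#checks.x86_64-linux.e2e-lst -L --option sandbox false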
package-release perms .github/workflows/package-release.yml
# Publishes ts-sdk to npm via changesets: on a push to main the action either
# opens/updates the release PR or publishes, depending on pending changesets.
name: NPM Release
on:
  push:
    branches: [main]
    paths:
      - 'ts-sdk/**'
  workflow_dispatch:
# No cancel-in-progress: a second push queues behind a running publish
# rather than cancelling it mid-way.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
# Workflow-wide: no token permissions; the release job grants its own below.
permissions: {}
jobs:
  release:
    # Do not run the publish in forks.
    if: github.repository_owner == 'unionlabs'
    name: Release
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: write
      # NOTE(review): id-token: write enables OIDC — presumably for npm
      # provenance/trusted publishing; confirm, and drop it if unused.
      id-token: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        env:
          # NOTE(review): no ENVIRONMENT is defined anywhere in this workflow,
          # so this resolves to an empty string.
          ENVIRONMENT: ${{ env.ENVIRONMENT }}
        run: |
          nix build .#ts-sdk
      - name: Create Release Pull Request or Publish
        # NOTE(review): no GITHUB_TOKEN / npm credential is passed to this step;
        # confirm the action and the pnpm scripts obtain them another way.
        uses: changesets/action@v1
        with:
          version: pnpm changeset-version
          publish: pnpm changeset-publish
package-snapshot perms .github/workflows/package-snapshot.yml
# Publishes a throwaway snapshot of ts-sdk via pkg-pr-new for pull requests
# that touch the package or its changesets, so reviewers can install the PR build.
name: NPM Snapshot
on:
  pull_request:
    branches: [main, next-minor, next-major]
    paths:
      - 'ts-sdk/**'
      - '.changeset/**'
  workflow_dispatch: {}
# No GITHUB_TOKEN permissions at all; the snapshot job does not override this.
permissions: {}
jobs:
  snapshot:
    name: Snapshot
    # Do not run in forks.
    if: github.repository_owner == 'unionlabs'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v31
        with:
          # Only these binary caches and signing keys are trusted by the nix daemon.
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        env:
          # NOTE(review): no ENVIRONMENT is defined anywhere in this workflow,
          # so this resolves to an empty string.
          ENVIRONMENT: ${{ env.ENVIRONMENT }}
        run: |
          nix build .#ts-sdk
      - name: Make writable snapshot copy
        # ./result is the read-only nix output; copy it (dereferencing
        # symlinks) into a directory the publish step can modify.
        run: |
          rm -rf ./snapshot-pkg
          rsync -a --copy-links ./result/ ./snapshot-pkg/
          chmod -R u+w ./snapshot-pkg
      - uses: actions/setup-node@v4
        with: {node-version: 22}
      - uses: pnpm/action-setup@v3
        with:
          version: 10
          run_install: false
      - name: Create snapshot
        id: snapshot
        # pkg-pr-new is pinned to an exact version; --comment=off suppresses
        # its own PR comment. NOTE(review): with `permissions: {}` the job's
        # token has no scopes — confirm how pkg-pr-new authenticates here.
        run: pnpm dlx pkg-pr-new@0.0.54 publish --pnpm --comment=off ./snapshot-pkg
release-component .github/workflows/release-component.yml
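# Builds and publishes one component from a tag of the form
# <component>/v<major>.<minor>.<patch>[-rc<n>]: eval-tag maps the tag prefix
# to nix attributes, target systems and what gets produced; the download-*
# jobs build per system and upload artifacts; release-images assembles a
# multi-arch manifest in a local registry and copies it to GHCR;
# public-release attaches binaries/archives and their sha256 sums to a
# GitHub release.
name: Release Component
on:
  push:
    tags: ['*/v[0-9]+\.[0-9]+\.[0-9]+\-rc[0-9]+*', '*/v[0-9]+\.[0-9]+\.[0-9]+*']
# Default GITHUB_TOKEN scope for the jobs that only build and upload
# artifacts; release-images widens it below for GHCR and public-release
# uses its own PAT.
permissions:
  contents: read
jobs:
  eval-tag:
    runs-on: ubuntu-latest
    outputs:
      build: ${{ steps.eval.outputs.BUILD }}
      component: ${{ steps.eval.outputs.COMPONENT }}
      image-produced: ${{ steps.eval.outputs.IMAGE_PRODUCED }}
      # The script writes BINARY_PRODUCED; the former binary_PRODUCED spelling
      # only resolved because context property names are case-insensitive.
      binary-produced: ${{ steps.eval.outputs.BINARY_PRODUCED }}
      version: ${{ steps.eval.outputs.VERSION }}
      systems: ${{ steps.eval.outputs.SYSTEMS }}
      archive: ${{ steps.eval.outputs.ARCHIVE }}
    steps:
      - id: eval
        env:
          TAG: ${{ github.ref_name }}
        # Maps the tag prefix (text before the last '/') to nix attrs, target
        # systems and the produced-artifact flags. Unknown prefixes fail the
        # run so a stray tag cannot publish anything.
        run: |
          component="${TAG%/*}"
          case $component in
            bundle-union-1)
              attrs="[\"bundle-union-1\", \"bundle-union-1-image\"]"
              systems="[\"x86_64-linux\", \"aarch64-linux\"]"
              echo "COMPONENT=$component" >> "$GITHUB_OUTPUT"
              echo "IMAGE_PRODUCED=true" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "ARCHIVE=true" >> "$GITHUB_OUTPUT"
              ;;
            bundle-union-testnet-10)
              attrs="[\"bundle-union-testnet-10\", \"bundle-union-testnet-10-image\"]"
              systems="[\"x86_64-linux\", \"aarch64-linux\"]"
              echo "COMPONENT=$component" >> "$GITHUB_OUTPUT"
              echo "IMAGE_PRODUCED=true" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "ARCHIVE=true" >> "$GITHUB_OUTPUT"
              ;;
            cometbls-light-client)
              attrs="[\"cometbls-light-client\"]"
              systems="[\"x86_64-linux\"]"
              echo "COMPONENT=$component" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "ARCHIVE=true" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              ;;
            ucs01-relay)
              attrs="[\"ucs01-relay\"]"
              systems="[\"x86_64-linux\"]"
              echo "COMPONENT=$component" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "ARCHIVE=true" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              ;;
            uniond)
              # Tag prefix and nix attr differ here: the component is uniond-release.
              attrs="[\"uniond-release\", \"uniond-release-image\"]"
              systems="[\"x86_64-linux\", \"aarch64-linux\"]"
              echo "COMPONENT=uniond-release" >> "$GITHUB_OUTPUT"
              echo "IMAGE_PRODUCED=true" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              ;;
            voyager)
              attrs="[\"voyager\"]"
              systems="[\"x86_64-linux\", \"aarch64-linux\"]"
              echo "COMPONENT=$component" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              ;;
            voyager-image)
              # Image-only component published under the voyager-docker name.
              attrs="[\"voyager-docker-image\"]"
              systems="[\"x86_64-linux\", \"aarch64-linux\"]"
              echo "COMPONENT=voyager-docker" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "IMAGE_PRODUCED=true" >> "$GITHUB_OUTPUT"
              ;;
            evm-contracts)
              attrs="[\"evm-contracts\"]"
              systems="[\"x86_64-linux\"]"
              echo "COMPONENT=$component" >> "$GITHUB_OUTPUT"
              echo "SYSTEMS=$systems" >> "$GITHUB_OUTPUT"
              echo "ARCHIVE=true" >> "$GITHUB_OUTPUT"
              echo "BINARY_PRODUCED=true" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "Invalid tag $TAG"
              exit 1
              ;;
          esac
          # BUILD is a jq filter over {top_attr, system, attr}; the quoted
          # backslash-newlines fold it onto one output line.
          echo "BUILD=(.top_attr == \"packages\") \
            and ([.system] | inside($systems) ) \
            and ([.attr] | inside($attrs))" >> "$GITHUB_OUTPUT"
          # VERSION is the text after the last '/', e.g. v1.2.3-rc1.
          echo "VERSION=${TAG##*/}" >> "$GITHUB_OUTPUT"
  download-images-x86_64:
    if: ${{ needs.eval-tag.outputs.image-produced }}
    needs: [eval-tag]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      # NOTE(review): the other workflows use install-nix-action@v31; this file
      # still pins @v30.
      - uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
        # --accept-flake-config trusts the nixConfig declared in the flake itself.
        run: |
          nix build .#packages.x86_64-linux."$COMPONENT"-image --accept-flake-config
          cp -Lr result x86_64-linux."$COMPONENT"-image
      - uses: actions/upload-artifact@v4
        with:
          name: x86_64-linux.${{ needs.eval-tag.outputs.component }}-image
          path: x86_64-linux.${{ needs.eval-tag.outputs.component }}-image
  download-images-aarch64:
    if: ${{ needs.eval-tag.outputs.image-produced && contains(needs.eval-tag.outputs.systems, 'aarch64-linux') }}
    needs: [eval-tag]
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - name: Fetch from Cache
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
        run: |
          nix build .#packages.aarch64-linux."$COMPONENT"-image --accept-flake-config
          cp -Lr result aarch64-linux."$COMPONENT"-image
      - uses: actions/upload-artifact@v4
        with:
          name: aarch64-linux.${{ needs.eval-tag.outputs.component }}-image
          path: aarch64-linux.${{ needs.eval-tag.outputs.component }}-image
  download-binaries-x86_64:
    if: ${{ needs.eval-tag.outputs.binary-produced }}
    needs: [eval-tag]
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - env:
          ARCHIVE: ${{ needs.eval-tag.outputs.archive }}
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
        # Produces a single file named <component>-x86_64-linux: the uniond
        # binary, a tarball of the whole output when ARCHIVE is set, or the
        # component's own binary otherwise.
        run: |
          nix build .#packages.x86_64-linux."$COMPONENT" --accept-flake-config
          if [[ "$COMPONENT" =~ uniond-release ]]
          then
            cp result/bin/uniond "$COMPONENT"-x86_64-linux
          elif [[ $ARCHIVE ]]
          then
            tar -zcf "$COMPONENT"-x86_64-linux result
          else
            cp result/bin/"$COMPONENT" "$COMPONENT"-x86_64-linux
          fi
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ needs.eval-tag.outputs.component }}-x86_64-linux
          path: ${{ needs.eval-tag.outputs.component }}-x86_64-linux
  download-binaries-aarch64:
    # Only build when the component's systems include aarch64-linux (mirrors
    # download-images-aarch64). Previously this ran for every binary
    # component, including the x86_64-only ones listed in eval-tag, even
    # though public-release already copes with a missing aarch64 artifact.
    if: ${{ needs.eval-tag.outputs.binary-produced && contains(needs.eval-tag.outputs.systems, 'aarch64-linux') }}
    needs: [eval-tag]
    runs-on: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true
      - uses: cachix/install-nix-action@v30
        with:
          extra_nix_config: |
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= union.cachix.org-1:TV9o8jexzNVbM1VNBOq9fu8NK+hL6ZhOyOh0quATy+M=
            trusted-substituters = https://cache.nixos.org https://cache.garnix.io https://union.cachix.org
      - env:
          ARCHIVE: ${{ needs.eval-tag.outputs.archive }}
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
        run: |
          nix build .#packages.aarch64-linux."$COMPONENT" --accept-flake-config
          if [[ "$COMPONENT" =~ uniond-release ]]
          then
            cp result/bin/uniond "$COMPONENT"-aarch64-linux
          elif [[ $ARCHIVE ]]
          then
            tar -zcf "$COMPONENT"-aarch64-linux result
          else
            cp result/bin/"$COMPONENT" "$COMPONENT"-aarch64-linux
          fi
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ needs.eval-tag.outputs.component }}-aarch64-linux
          path: ${{ needs.eval-tag.outputs.component }}-aarch64-linux
  release-images:
    needs: [download-images-x86_64, download-images-aarch64, eval-tag]
    if: ${{ needs.eval-tag.outputs.image-produced }}
    runs-on: ubuntu-24.04
    # Only packages: write — every other scope of the token is none here.
    permissions:
      packages: write
    # Throwaway registry on the runner used to assemble the multi-arch
    # manifest before it is copied to GHCR.
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    steps:
      # NOTE(review): this login is repeated before the GHCR copy below; one
      # login ahead of the skopeo step should suffice.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Download aarch64-linux.${{ needs.eval-tag.outputs.component }}-image
        uses: actions/download-artifact@v4
        with:
          name: aarch64-linux.${{ needs.eval-tag.outputs.component }}-image
          path: .
      - name: Download x86_64-linux.${{ needs.eval-tag.outputs.component }}-image
        uses: actions/download-artifact@v4
        with:
          name: x86_64-linux.${{ needs.eval-tag.outputs.component }}-image
          path: .
      - name: Tag Docker Images
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
          TAG: ${{ needs.eval-tag.outputs.version }}
        # Loads each per-arch image, recovers its image ID from the tag that
        # `docker load` reports, and pushes it to the local registry as
        # <component>:<version>-<arch>. The echo/ls lines are debug output.
        run: |
          echo "Entering for loop"
          for arch in 'aarch64-linux' 'x86_64-linux'
          do
            echo "Tagging $COMPONENT for $arch"
            echo "GITHUB_WORKSPACE ($GITHUB_WORKSPACE)"
            ls -la "$GITHUB_WORKSPACE"
            echo "wd: ($(pwd))"
            ls -la
            dockerstring=$(docker load < "$arch.$COMPONENT-image")
            dockerstring=$(echo ${dockerstring##*':'})
            echo "Getting image ID for $dockerstring"
            imageid=$(docker images --format "{{.ID}}:{{.Tag}}" | grep "$dockerstring")
            imageid=$(echo ${imageid%%':'*})
            echo "Tagging image"
            docker tag "$imageid" "localhost:5000/unionlabs/$COMPONENT:$TAG-$arch"
            echo "$COMPONENT for $arch is tagged"
            docker push "localhost:5000/unionlabs/$COMPONENT:$TAG-$arch"
            echo "localhost:5000/unionlabs/$COMPONENT:$TAG-$arch is pushed"
          done
      - name: Create Manifest
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
          TAG: ${{ needs.eval-tag.outputs.version }}
        # --insecure is for the plain-HTTP local registry only. The former
        # trailing backslash after the last --amend line is removed.
        run: |
          docker pull "localhost:5000/unionlabs/$COMPONENT:$TAG-aarch64-linux"
          docker pull "localhost:5000/unionlabs/$COMPONENT:$TAG-x86_64-linux"
          docker manifest create --insecure \
            "localhost:5000/unionlabs/$COMPONENT:$TAG" \
            --amend "localhost:5000/unionlabs/$COMPONENT:$TAG-aarch64-linux" \
            --amend "localhost:5000/unionlabs/$COMPONENT:$TAG-x86_64-linux"
      - name: Push Manifest to Local Registry
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
          TAG: ${{ needs.eval-tag.outputs.version }}
        run: docker manifest push "localhost:5000/unionlabs/$COMPONENT:$TAG"
      # Checkout is needed here only for .github/container-descriptions/.
      - uses: actions/checkout@v4
        with:
          lfs: true
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Annotate Manifest
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
          TAG: ${{ needs.eval-tag.outputs.version }}
        # NOTE(review): regctl is fetched from the `latest` release with no
        # checksum or signature check and installed system-wide, then run on
        # the release artifact. Pin a release tag and verify the published
        # checksum (sha256sum -c against the value from the release page)
        # before installing.
        run: |
          curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl
          chmod 755 regctl && sudo cp ./regctl /usr/bin
          echo "downloaded & installed regctl"
          regctl registry set --tls disabled localhost:5000
          regctl image mod "localhost:5000/unionlabs/$COMPONENT:$TAG" --to-oci --create "$TAG" --annotation org.opencontainers.image.description="$(cat "$GITHUB_WORKSPACE/.github/container-descriptions/$COMPONENT.txt")"
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Copy Manifest to GHCR
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
          TAG: ${{ needs.eval-tag.outputs.version }}
        # NOTE(review): skopeo comes from a third-party fork's release with no
        # checksum verification — same concern as regctl above. The
        # --insecure-policy / --src-tls-verify=false flags apply to the local
        # plain-HTTP registry; the destination (GHCR) is still verified.
        run: |
          wget https://github.com/rapidsai/skopeo/releases/download/v1.12/skopeo-linux-amd64 -O ./skopeo
          chmod +x ./skopeo && sudo cp ./skopeo /usr/bin
          echo "downloaded & installed skopeo"
          skopeo copy --multi-arch=all --insecure-policy --src-tls-verify=false "docker://localhost:5000/unionlabs/$COMPONENT:$TAG" "docker://ghcr.io/unionlabs/$COMPONENT:$TAG"
          echo "Copied $COMPONENT:$TAG multi-arch to GHCR"
  public-release:
    # download-binaries-aarch64 is skipped for x86_64-only components, so do
    # not require every need to succeed: require the x86_64 build and accept
    # a skipped (but not failed) aarch64 build.
    if: ${{ !cancelled() && needs.eval-tag.outputs.binary-produced && needs.download-binaries-x86_64.result == 'success' && needs.download-binaries-aarch64.result != 'failure' }}
    needs: [download-binaries-x86_64, download-binaries-aarch64, eval-tag]
    runs-on: ubuntu-latest
    steps:
      # No name: downloads every artifact of the run, each into a directory
      # named after the artifact.
      - uses: actions/download-artifact@v4
      - id: prep-artifacts
        env:
          COMPONENT: ${{ needs.eval-tag.outputs.component }}
          ARCHIVE: ${{ needs.eval-tag.outputs.archive }}
          SYSTEMS: ${{ needs.eval-tag.outputs.systems }}
        # Renames archives to .tar.gz, writes a sha256 line per artifact into
        # release.md (used as the release body) and exports the glob of files
        # to attach. Only systems present in SYSTEMS are touched.
        run: |
          echo "# sha256 Checksums" >> release.md
          x86_64=$(echo "$SYSTEMS" | jq 'contains(["x86_64-linux"])')
          aarch64=$(echo "$SYSTEMS" | jq 'contains(["aarch64-linux"])')
          if [[ $ARCHIVE ]]; then
            if [[ $x86_64 = true ]]; then
              echo "Renaming x86_64-linux archive"
              comp_x86_64="$COMPONENT-x86_64-linux"
              comp_x86_64_archive="$comp_x86_64.tar.gz"
              echo "- $(cd "$comp_x86_64" && mv "$comp_x86_64" "$comp_x86_64_archive" && sha256sum "$comp_x86_64_archive")" >> release.md
            fi
            if [[ $aarch64 = true ]]; then
              echo "Renaming aarch64-linux archive"
              comp_aarch64="$COMPONENT-aarch64-linux"
              comp_aarch64_archive="$comp_aarch64.tar.gz"
              echo "- $(cd "$comp_aarch64" && mv "$comp_aarch64" "$comp_aarch64_archive" && sha256sum "$comp_aarch64_archive")" >> release.md
            fi
            echo "Setting archive output"
            echo "FILES=**/$COMPONENT-*.tar.gz" >> "$GITHUB_OUTPUT"
          else
            if [[ $x86_64 = true ]]; then
              echo "Renaming x86_64-linux binary"
              comp_x86_64="$COMPONENT-x86_64-linux"
              echo "- $(cd "$comp_x86_64" && sha256sum "$comp_x86_64")" >> release.md
            fi
            if [[ $aarch64 = true ]]; then
              echo "Renaming aarch64-linux binary"
              comp_aarch64="$COMPONENT-aarch64-linux"
              echo "- $(cd "$comp_aarch64" && sha256sum "$comp_aarch64")" >> release.md
            fi
            echo "Setting binary output"
            echo "FILES=**/$COMPONENT-*" >> "$GITHUB_OUTPUT"
          fi
          tree
      - uses: softprops/action-gh-release@v2
        with:
          body_path: release.md
          # Release candidates and alpha builds are marked as pre-releases.
          prerelease: ${{ contains(needs.eval-tag.outputs.version, '-rc') || contains(needs.eval-tag.outputs.version, 'alpha') }}
          repository: unionlabs/union
          # NOTE(review): a PAT rather than the run's GITHUB_TOKEN creates the
          # release — confirm its scope is limited to this repository's
          # contents and that it is rotated.
          token: ${{ secrets.UNION_RELEASES_PAT }}
          name: ${{needs.eval-tag.outputs.component}} ${{needs.eval-tag.outputs.version}}
          tag_name: ${{ github.ref_name }}
          # Fail loudly if the FILES glob matches nothing rather than shipping an empty release.
          fail_on_unmatched_files: true
          files: ${{ steps.prep-artifacts.outputs.FILES }}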