Skip to content

Commit fe25766

Browse files
ThomasK33ThomasK33
authored
ci: refactor CI to use mise for shared tool setup (coder#25727)
1 parent 644820c commit fe25766

31 files changed

Lines changed: 995 additions & 611 deletions

.github/actions/go-cache/action.yml

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
name: "Go cache"
2+
description: Restore and save Go build and module caches.
3+
inputs:
4+
cache-path:
5+
description: "Optional newline-delimited cache paths. Defaults to go env GOCACHE and GOMODCACHE."
6+
required: false
7+
default: ""
8+
key-prefix:
9+
description: "Prefix for the cache key."
10+
required: false
11+
default: "go"
12+
download-modules:
13+
description: "Whether to run go mod download after restoring cache."
14+
required: false
15+
default: "true"
16+
runs:
17+
using: "composite"
18+
steps:
19+
- name: Compute Go cache key
20+
id: go-cache
21+
shell: bash
22+
run: |
23+
set -euo pipefail
24+
25+
if [[ -n "${INPUT_CACHE_PATH}" ]]; then
26+
paths="${INPUT_CACHE_PATH}"
27+
else
28+
paths="$(printf '%s\n%s' "$(go env GOCACHE)" "$(go env GOMODCACHE)")"
29+
fi
30+
31+
go_version="$(go env GOVERSION)"
32+
paths_hash="$(printf '%s\n' "${paths}" | git hash-object --stdin)"
33+
hash="$(
34+
{
35+
printf '%s\n' "${go_version}"
36+
for file in go.mod go.sum; do
37+
if [[ -f "${file}" ]]; then
38+
git hash-object "${file}"
39+
fi
40+
done
41+
} | git hash-object --stdin
42+
)"
43+
44+
{
45+
echo "path<<EOF"
46+
echo "${paths}"
47+
echo "EOF"
48+
echo "key=${INPUT_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${paths_hash}-${hash}"
49+
echo "restore-key=${INPUT_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${paths_hash}-"
50+
} >> "$GITHUB_OUTPUT"
51+
env:
52+
INPUT_CACHE_PATH: ${{ inputs.cache-path }}
53+
INPUT_KEY_PREFIX: ${{ inputs.key-prefix }}
54+
55+
- name: Restore Go cache, save on main
56+
if: ${{ github.ref == 'refs/heads/main' }}
57+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
58+
with:
59+
path: ${{ steps.go-cache.outputs.path }}
60+
key: ${{ steps.go-cache.outputs.key }}
61+
restore-keys: |
62+
${{ steps.go-cache.outputs.restore-key }}
63+
64+
- name: Restore Go cache read-only
65+
if: ${{ github.ref != 'refs/heads/main' }}
66+
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
67+
with:
68+
path: ${{ steps.go-cache.outputs.path }}
69+
key: ${{ steps.go-cache.outputs.key }}
70+
restore-keys: |
71+
${{ steps.go-cache.outputs.restore-key }}
72+
73+
- name: Download Go modules
74+
if: ${{ inputs.download-modules == 'true' }}
75+
shell: bash
76+
run: ./.github/scripts/retry.sh -- go mod download -x

.github/actions/install-cosign/action.yaml

Lines changed: 0 additions & 10 deletions
This file was deleted.

.github/actions/install-syft/action.yaml

Lines changed: 0 additions & 10 deletions
This file was deleted.

.github/actions/pnpm-install/action.yml

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
name: "pnpm install"
2+
description: Restore pnpm store cache and install root plus workspace dependencies.
3+
inputs:
4+
directory:
5+
description: "Workspace directory to install after the repository root."
6+
required: false
7+
default: "site"
8+
runs:
9+
using: "composite"
10+
steps:
11+
- name: Compute pnpm cache key
12+
id: pnpm-cache
13+
shell: bash
14+
run: |
15+
set -euo pipefail
16+
17+
store_path="$(pnpm store path --silent)"
18+
hash="$(
19+
for file in pnpm-lock.yaml "${INPUT_DIRECTORY}/pnpm-lock.yaml"; do
20+
if [[ -f "${file}" ]]; then
21+
git hash-object "${file}"
22+
fi
23+
done | git hash-object --stdin
24+
)"
25+
26+
{
27+
echo "store-path=${store_path}"
28+
echo "key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-${hash}"
29+
echo "restore-key=pnpm-${RUNNER_OS}-${RUNNER_ARCH}-${INPUT_DIRECTORY}-"
30+
} >> "$GITHUB_OUTPUT"
31+
env:
32+
INPUT_DIRECTORY: ${{ inputs.directory }}
33+
34+
- name: Restore and save pnpm cache
35+
if: ${{ github.ref == 'refs/heads/main' }}
36+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
37+
with:
38+
path: ${{ steps.pnpm-cache.outputs.store-path }}
39+
key: ${{ steps.pnpm-cache.outputs.key }}
40+
restore-keys: |
41+
${{ steps.pnpm-cache.outputs.restore-key }}
42+
43+
- name: Restore pnpm cache
44+
if: ${{ github.ref != 'refs/heads/main' }}
45+
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
46+
with:
47+
path: ${{ steps.pnpm-cache.outputs.store-path }}
48+
key: ${{ steps.pnpm-cache.outputs.key }}
49+
restore-keys: |
50+
${{ steps.pnpm-cache.outputs.restore-key }}
51+
52+
- name: Install root node_modules
53+
shell: bash
54+
run: ./scripts/pnpm_install.sh
55+
56+
- name: Install node_modules
57+
shell: bash
58+
run: "${GITHUB_WORKSPACE}/scripts/pnpm_install.sh"
59+
working-directory: ${{ github.workspace }}/${{ inputs.directory }}

.github/actions/setup-go-tools/action.yaml

Lines changed: 0 additions & 12 deletions
This file was deleted.

.github/actions/setup-go/action.yaml

Lines changed: 0 additions & 32 deletions
This file was deleted.

.github/actions/setup-mise/action.yml

Lines changed: 168 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,168 @@
1+
name: Setup mise
2+
description: Install mise tools from SHA256-pinned binaries, with CI-layer caching.
3+
inputs:
4+
install-args:
5+
description: Tool names or extra arguments passed to mise install. --locked is added by default.
6+
required: false
7+
default: ""
8+
locked:
9+
description: Whether to pass --locked to mise install.
10+
required: false
11+
default: "true"
12+
cache-key-prefix:
13+
description: Prefix for mise tool cache keys.
14+
required: false
15+
default: mise-ci-v1
16+
mise-version:
17+
description: mise version to install.
18+
required: false
19+
default: "2026.5.12"
20+
mise-sha256:
21+
description: SHA256 checksum for the mise binary.
22+
required: false
23+
default: ""
24+
use-cache:
25+
description: Whether to restore and save mise tool caches.
26+
required: false
27+
default: "true"
28+
runs:
29+
using: composite
30+
steps:
31+
- name: Compute mise cache key
32+
id: cache-key
33+
shell: bash
34+
env:
35+
CACHE_KEY_PREFIX: ${{ inputs.cache-key-prefix }}
36+
INPUT_INSTALL_ARGS: ${{ inputs.install-args }}
37+
INPUT_LOCKED: ${{ inputs.locked }}
38+
MISE_VERSION: ${{ inputs.mise-version }}
39+
RUNNER_ARCH: ${{ runner.arch }}
40+
RUNNER_OS: ${{ runner.os }}
41+
run: |
42+
set -euo pipefail
43+
44+
case "${INPUT_LOCKED}" in
45+
true)
46+
if [[ -n "${INPUT_INSTALL_ARGS}" ]]; then
47+
install_args="--locked ${INPUT_INSTALL_ARGS}"
48+
else
49+
install_args="--locked"
50+
fi
51+
;;
52+
false)
53+
install_args="${INPUT_INSTALL_ARGS}"
54+
;;
55+
*)
56+
echo "::error::locked must be true or false."
57+
exit 1
58+
;;
59+
esac
60+
61+
install_args_hash="$(printf '%s' "$install_args" | git hash-object --stdin)"
62+
files_hash="$(git hash-object mise.toml mise.lock | git hash-object --stdin)"
63+
key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-${files_hash}"
64+
restore_key="${CACHE_KEY_PREFIX}-${RUNNER_OS}-${RUNNER_ARCH}-${MISE_VERSION}-${install_args_hash}-"
65+
66+
{
67+
echo "install-args<<EOF"
68+
echo "${install_args}"
69+
echo "EOF"
70+
echo "key=$key"
71+
echo "restore-key=$restore_key"
72+
} >> "$GITHUB_OUTPUT"
73+
74+
- name: Select mise checksum
75+
id: checksum
76+
shell: bash
77+
env:
78+
CHECKSUMS_FILE: ${{ github.action_path }}/checksums.toml
79+
INPUT_MISE_SHA256: ${{ inputs.mise-sha256 }}
80+
MISE_CHECKSUM_SCRIPT: ${{ github.workspace }}/scripts/mise_checksum.sh
81+
MISE_VERSION: ${{ inputs.mise-version }}
82+
RUNNER_ARCH: ${{ runner.arch }}
83+
RUNNER_OS: ${{ runner.os }}
84+
run: |
85+
set -euo pipefail
86+
87+
checksum="${INPUT_MISE_SHA256}"
88+
if [[ -z "${checksum}" ]]; then
89+
case "${RUNNER_OS}-${RUNNER_ARCH}" in
90+
Linux-X64)
91+
target="linux-x64"
92+
;;
93+
Linux-ARM64)
94+
target="linux-arm64"
95+
;;
96+
macOS-X64)
97+
target="macos-x64"
98+
;;
99+
macOS-ARM64)
100+
target="macos-arm64"
101+
;;
102+
Windows-X64)
103+
target="windows-x64"
104+
;;
105+
*)
106+
echo "::error::No mise checksum is pinned for ${RUNNER_OS}-${RUNNER_ARCH}."
107+
exit 1
108+
;;
109+
esac
110+
111+
checksum="$("${MISE_CHECKSUM_SCRIPT}" "${CHECKSUMS_FILE}" "${MISE_VERSION}" "${target}")"
112+
if [[ -z "${checksum}" ]]; then
113+
echo "::error::No mise checksum is pinned for mise ${MISE_VERSION} on ${target}."
114+
exit 1
115+
fi
116+
fi
117+
118+
echo "sha256=${checksum}" >> "$GITHUB_OUTPUT"
119+
120+
- name: Configure mise data directory
121+
id: mise-data-dir
122+
shell: bash
123+
env:
124+
RUNNER_OS: ${{ runner.os }}
125+
run: | # zizmor: ignore[github-env] MISE_DATA_DIR uses only runner-provided paths.
126+
set -euo pipefail
127+
128+
if [[ "${RUNNER_OS}" == "Windows" ]]; then
129+
data_dir="${LOCALAPPDATA:-${USERPROFILE}\\AppData\\Local}\\mise"
130+
else
131+
data_dir="${RUNNER_TEMP}/mise-data"
132+
fi
133+
134+
{
135+
printf 'path=%s\n' "${data_dir}"
136+
} >> "$GITHUB_OUTPUT"
137+
printf 'MISE_DATA_DIR=%s\n' "${data_dir}" >> "$GITHUB_ENV"
138+
139+
- name: Cache mise tools
140+
if: ${{ inputs.use-cache == 'true' && github.ref == 'refs/heads/main' }}
141+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
142+
with:
143+
path: |
144+
~/.cache/mise
145+
${{ steps.mise-data-dir.outputs.path }}
146+
key: ${{ steps.cache-key.outputs.key }}
147+
restore-keys: |
148+
${{ steps.cache-key.outputs.restore-key }}
149+
150+
- name: Restore mise tools
151+
if: ${{ inputs.use-cache == 'true' && github.ref != 'refs/heads/main' }}
152+
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
153+
with:
154+
path: |
155+
~/.cache/mise
156+
${{ steps.mise-data-dir.outputs.path }}
157+
key: ${{ steps.cache-key.outputs.key }}
158+
restore-keys: |
159+
${{ steps.cache-key.outputs.restore-key }}
160+
161+
- name: Install mise tools
162+
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
163+
with:
164+
version: ${{ inputs.mise-version }}
165+
sha256: ${{ steps.checksum.outputs.sha256 }}
166+
mise_dir: ${{ steps.mise-data-dir.outputs.path }}
167+
install_args: ${{ steps.cache-key.outputs.install-args }}
168+
cache: "false"

.github/actions/setup-mise/checksums.toml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
# SHA256 hashes of the extracted mise binary verified by jdx/mise-action.
2+
# Keys use the GitHub runner target for each release artifact.
3+
4+
["2026.5.12"]
5+
linux-x64 = "a238972a3162d710b85b28c324372e96ca4e4b486c81fe78695000d9fbc77c48"
6+
linux-arm64 = "fd2d5227a8ad0b1e359c70527a8345a9ada72077f8dcbb559371653c3d95464f"
7+
macos-x64 = "de57e8dc82bbd880a69c9bc8aee06b9dcc578184b3e5cf86fcef80635d6a90b4"
8+
macos-arm64 = "e777070540ffe22cf8b2b9f88aed88b461d0887d940c4f1c1a97359463cde6e1"
9+
windows-x64 = "adf1b4c9f51e7d15cff723056fcd8fd51f40ebacadcca97fd5758c44d469d5ea"

0 commit comments

Comments
 (0)