Skip to content

apalache: 0.24.0 -> 0.42.0, refactor #510

apalache: 0.24.0 -> 0.42.0, refactor

apalache: 0.24.0 -> 0.42.0, refactor #510

Workflow file for this run

name: Check PR
on:
pull_request:
jobs:
check-pr:
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
with:
extra-conf: |
substituters = https://cache.nixos.org https://cosmosnix-store.s3.us-east-2.amazonaws.com
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cosmosnix.store-1:O28HneR1MPtgY3WYruWFuXCimRPwY7em5s0iynkQxdk=
- name: Check 🔎
run: |
nix flake check
- name: Run Shell 🐚
run: |
nix develop
# NOTE: the if conditions below mean that we only run these steps for Pull Requests from non-forks
# This is partially due to this issue https://github.com/aws-actions/configure-aws-credentials/issues/373.
# And partially because a malicious actor could fork the repo and fill our cache with junk.
# Note that the cache will be pushed when merged to main, so PR's from forks that make it in will still
# populate the cache
- name: Authenticate 🔒
uses: aws-actions/configure-aws-credentials@v4
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
with:
aws-region: us-east-2
retry-max-attempts: 3
role-to-assume: arn:aws:iam::762411426253:role/push-cosmosnix-store
role-session-name: InformalSystemsGithubAction
- name: Push Cache 🫸📦💨
if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
env:
SIGNING_KEY: ${{ secrets.SECRET_STORE_SIGNING_KEY }}
run: |
echo "$SIGNING_KEY" >> key
nix store sign -k key --all
nix copy --to "s3://cosmosnix-store?region=us-east-2" --all