ci: Propagate github token to actinos to avoid nix reaching GH rate l…

…imit easily Guard against GH rate limit, wait until limit is reset if limit is nearly reached. The GH rate limit can be reached after installing Nix when fetching the nixpkgs channel. Therefore, propagating the GH token to nix.conf ensures that Nix operations have a higher GH rate limit. Signed-off-by: Thing-han, Lim <[email protected]>
pq-code-package · Oct 17, 2024 · 77bb0de · 77bb0de
1 parent 8a13524
commit 77bb0de
Show file tree

Hide file tree

Showing 9 changed files with 45 additions and 2 deletions.
diff --git a/.github/actions/bench/action.yml b/.github/actions/bench/action.yml
@@ -52,6 +52,7 @@ runs:
         nix-shell: ${{ inputs.nix-shell }}
         nix-cache: ${{ inputs.nix-cache }}
         nix-verbose: ${{ inputs.nix-verbose }}
+        gh_token: ${{ inputs.gh_token }}
         custom_shell: ${{ inputs.custom_shell }}
         script: |
           ARCH=$(uname -m)

diff --git a/.github/actions/cbmc/action.yml b/.github/actions/cbmc/action.yml
@@ -16,6 +16,9 @@ inputs:
   custom_shell:
     description: The shell to use. Only relevant if use-nix is 'false'
     default: "bash"
+  gh_token:
+    description: Github access token to use
+    required: true
 runs:
   using: composite
   steps:
@@ -25,6 +28,7 @@ runs:
           nix-shell: ${{ inputs.nix-shell }}
           nix-cache: ${{ inputs.nix-cache }}
           nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           custom_shell: ${{ inputs.custom_shell }}
           script: |
             cat >> $GITHUB_STEP_SUMMARY << EOF

diff --git a/.github/actions/functest/action.yml b/.github/actions/functest/action.yml
@@ -16,6 +16,9 @@ inputs:
   custom_shell:
     description: The shell to use. Only relevant if no nix-shell specified
     default: "bash"
+  gh_token:
+    description: Github access token to use
+    required: true
   cflags:
     description: CFLAGS to pass to compilation
     default: ""
@@ -66,6 +69,7 @@ runs:
           nix-shell: ${{ inputs.nix-shell }}
           nix-cache: ${{ inputs.nix-cache }}
           nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           custom_shell: ${{ inputs.custom_shell }}
           script: |
             # only summary on the first time

diff --git a/.github/actions/lint/action.yml b/.github/actions/lint/action.yml
@@ -19,6 +19,9 @@ inputs:
   cross-prefix:
     description: Binary prefix for cross compilation
     default: ""
+  gh_token:
+    description: Github access token to use
+    required: true
 runs:
   using: composite
   steps:
@@ -28,6 +31,7 @@ runs:
           custom_shell: ${{ inputs.custom_shell }}
           nix-cache: ${{ inputs.nix-cache }}
           nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           script: |
             cat >> $GITHUB_STEP_SUMMARY << EOF
               ## Setup

diff --git a/.github/actions/multi-functest/action.yml b/.github/actions/multi-functest/action.yml
@@ -16,6 +16,9 @@ inputs:
   nix-verbose:
     description: Determine wether to suppress nix log or not
     default: 'false'
+  gh_token:
+    description: Github access token to use
+    required: true
   cflags:
     description: CFLAGS to pass to compilation
     default: ""
@@ -44,6 +47,7 @@ runs:
           nix-shell: ${{ inputs.nix-shell }}
           nix-cache: ${{ inputs.nix-cache }}
           nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           custom_shell: ${{ inputs.custom_shell }}
           cflags: ${{ inputs.cflags }}
           mode: native
@@ -57,6 +61,8 @@ runs:
         with:
           nix-shell: ${{ inputs.nix-shell }}
           nix-cache: ${{ inputs.nix-cache }}
+          nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           custom_shell: ${{ inputs.custom_shell }}
           cflags: ${{ inputs.cflags }}
           mode: native
@@ -69,6 +75,9 @@ runs:
         uses: ./.github/actions/functest
         with:
           nix-shell: ${{ inputs.nix-shell }}
+          nix-cache: ${{ inputs.nix-cache }}
+          nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           custom_shell: ${{ inputs.custom_shell }}
           cflags: ${{ inputs.cflags }}
           mode: cross
@@ -81,6 +90,9 @@ runs:
         uses: ./.github/actions/functest
         with:
           nix-shell: ${{ inputs.nix-shell }}
+          nix-cache: ${{ inputs.nix-cache }}
+          nix-verbose: ${{ inputs.nix-verbose }}
+          gh_token: ${{ inputs.gh_token }}
           custom_shell: ${{ inputs.custom_shell }}
           cflags: ${{ inputs.cflags }}
           mode: cross

diff --git a/.github/actions/setup-nix/action.yml b/.github/actions/setup-nix/action.yml
@@ -23,6 +23,9 @@ inputs:
     description: Determine whether to purge cache with primary key or not
     required: false
     default: 'true'
+  gh_token:
+    description: Github access token to use
+    required: true
 
 runs:
   using: composite
@@ -55,6 +58,8 @@ runs:
     - name: Install Nix
       shell: bash
       if: ${{ steps.nix-pre-check.outputs.installed == 'false' }}
+      env:
+        GH_TOKEN: ${{ inputs.gh_token }}
       run: |
         echo "::group::Nix installation"
         mkdir -p ~/.config/nix
@@ -78,7 +83,7 @@ runs:
 
         if [[ ! -z $GH_TOKEN ]]; then
            mkdir -p ~/.config/nix
-           echo "access-tokens = github.com=$GH_TOKEN" > ~/.config/nix/nix.conf
+           echo "access-tokens = github.com=$GH_TOKEN" >> ~/.config/nix/nix.conf
         fi
 
         if command -v gh >/dev/null 2>&1; then
@@ -136,6 +141,7 @@ runs:
         purge-prefixes: cache-${{ steps.nix-post-check.outputs.cache_prefix }}
         purge-created: 0
         purge-primary-key: ${{ inputs.purge_cache == 'true' && 'always' || 'never' }}
+        token: ${{ inputs.gh_token }}
     - name: Set Shell
       shell: bash -lo pipefail {0}
       run: |

diff --git a/.github/actions/setup-shell/action.yml b/.github/actions/setup-shell/action.yml
@@ -19,6 +19,9 @@ inputs:
   script:
     description: The script to be run in the nix shell
     required: false
+  gh_token:
+    description: Github access token to use
+    required: true
 
 runs:
   using: composite
@@ -28,6 +31,7 @@ runs:
       if: ${{ inputs.nix-shell != '' }}
       with:
         devShell: ${{ inputs.nix-shell }}
+        gh_token: ${{ inputs.gh_token }}
         verbose: ${{ inputs.nix-verbose }}
         cache: ${{ inputs.nix-cache }}
         script: ${{ inputs.script }}

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -77,13 +77,15 @@ jobs:
       - name: native build
         uses: ./.github/actions/multi-functest
         with:
-          compile_mode: native
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
+          compile_mode: nativ
           func: false
           nistkat: false
           kat: falst
       - name: native tests (+debug)
         uses: ./.github/actions/multi-functest
         with:
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
           compile_mode: native
           cflags: "-DMLKEM_DEBUG"
       - name: cross tests (opt only)
@@ -92,6 +94,7 @@ jobs:
         with:
           nix-shell: ci-cross
           nix-cache: true
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
           compile_mode: cross
           func: false
           nistkat: false
@@ -107,7 +110,9 @@ jobs:
       - uses: ./.github/actions/lint
         with:
           nix-shell: ci-linter
+          gh_token: ${{ secrets.GITHUB_TOKEN }}
           cross-prefix: "aarch64-unknown-linux-gnu-"
+
   ec2_all:
     needs: quickcheck
     strategy:

diff --git a/.github/workflows/ci_ec2_reusable.yml b/.github/workflows/ci_ec2_reusable.yml
@@ -117,6 +117,7 @@ jobs:
           nix-shell: ${{ steps.preprocess.outputs.nix-shell }}
           nix-cache: ${{ inputs.cbmc || inputs.compile_mode == 'cross' }}
           nix-verbose: ${{ inputs.verbose }}
+          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
           cflags: ${{ inputs.cflags }}
           compile_mode: ${{ inputs.compile_mode }}
           opt: ${{ inputs.opt }}
@@ -129,12 +130,14 @@ jobs:
         with:
           nix-shell: ci-linter
           nix-verbose: ${{ inputs.verbose }}
+          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
       - name: CBMC
         if: ${{ inputs.cbmc && (success() || failure()) }}
         uses: ./.github/actions/cbmc
         with:
           nix-shell: ${{ steps.preprocess.outputs.nix-shell }}
           nix-verbose: ${{ inputs.verbose }}
+          gh_token: ${{ secrets.AWS_GITHUB_TOKEN }}
   stop-ec2-runner:
     name: Stop ${{ inputs.name }} (${{ inputs.ec2_instance_type }})
     permissions: