From 32b3e357ccba876287b6634c96414f9d6fdfa137 Mon Sep 17 00:00:00 2001
From: Mike Rosseel <mike.rosseel@gmail.com>
Date: Mon, 25 May 2026 19:50:27 +0200
Subject: [PATCH] ci: add build-migration-progress workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cross-compiles python/scripts/migration_progress.c for aarch64 on a
v*-migration tag push (or manual workflow_dispatch against an existing
tag) and attaches the stripped static binary + its SHA256 sidecar to
the matching release.

Companion to PR #433 (NixOS migration infrastructure): that PR removed
the pre-compiled migration_progress blob from the source tree and now
expects nixos_migration.sh to download + verify it at runtime. This
workflow is what produces those release assets.

Landing the workflow file separately so workflow_dispatch is usable
before #433 itself merges — GitHub Actions requires the workflow file
on the default branch to expose it for manual dispatch.

migration_progress.c isn't on main yet, so the workflow sits inert
until #433 lands (or a v*-migration tag is created from the migration
branch in the meantime).
---
 .../workflows/build-migration-progress.yml    | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/build-migration-progress.yml

diff --git a/.github/workflows/build-migration-progress.yml b/.github/workflows/build-migration-progress.yml
new file mode 100644
index 00000000..cff75415
--- /dev/null
+++ b/.github/workflows/build-migration-progress.yml
@@ -0,0 +1,59 @@
+name: build-migration-progress
+# Cross-compiles python/scripts/migration_progress.c for aarch64 and attaches
+# the binary + its SHA256 to the release. nixos_migration.sh downloads both
+# at migration time (with hash verification) instead of consuming a pre-built
+# blob from git.
+#
+# Triggers:
+#   - Tag push matching v*-migration   (auto for new migration releases)
+#   - workflow_dispatch with a tag name (re-build for an existing release)
+on:
+  push:
+    tags:
+      - 'v*-migration'
+  workflow_dispatch:
+    inputs:
+      release_tag:
+        description: 'Existing release tag to attach the binary to'
+        required: true
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install aarch64 cross-compiler
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc-aarch64-linux-gnu
+
+      - name: Build + strip + sha256
+        working-directory: python/scripts
+        run: |
+          aarch64-linux-gnu-gcc -static -O2 -Wall -o migration_progress migration_progress.c
+          aarch64-linux-gnu-strip migration_progress
+          sha256sum migration_progress | awk '{print $1}' > migration_progress.sha256
+          ls -la migration_progress migration_progress.sha256
+
+      - name: Determine release tag
+        id: tag
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "tag=${{ inputs.release_tag }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload to release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        working-directory: python/scripts
+        run: |
+          gh release upload "${{ steps.tag.outputs.tag }}" \
+            migration_progress migration_progress.sha256 \
+            --clobber