Add cachix binary cache publish step to release #3759
Conversation
| nix-release: | ||
| name: 'Nix Release' | ||
| runs-on: ubuntu-20.04 | ||
| environment: production |
There was a problem hiding this comment.
This was only ever used for integration tests in the haskell-backend https://github.com/runtimeverification/haskell-backend/blob/858004428c6e9ff4a2e5733aee3b4d8909a3e13f/test.nix#L26-L36
but has long since been replaced with a different mechanism
| nix-flake-release: | ||
| name: 'Nix flake release' | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - runner: ubuntu-20.04 | ||
| os: ubuntu-20.04 | ||
| - runner: macos-13 | ||
| os: macos-13 | ||
| - runner: MacM1 | ||
| os: self-macos-12 | ||
| runs-on: ${{ matrix.runner }} | ||
| timeout-minutes: 60 | ||
| steps: | ||
| - name: 'Check out code' | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: 'Upgrade bash' | ||
| if: ${{ contains(matrix.os, 'macos') }} | ||
| run: brew install bash | ||
|
|
||
| - name: 'Install Nix' | ||
| if: ${{ !startsWith(matrix.os, 'self') }} | ||
| uses: cachix/install-nix-action@v22 | ||
| with: | ||
| install_url: https://releases.nixos.org/nix/nix-2.13.3/install | ||
| extra_nix_config: | | ||
| access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} | ||
| substituters = http://cache.nixos.org https://hydra.iohk.io | ||
| trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= | ||
|
|
||
| - name: 'Install Cachix' | ||
| if: ${{ !startsWith(matrix.os, 'self') }} | ||
| uses: cachix/cachix-action@v12 | ||
| with: | ||
| name: k-framework | ||
| authToken: '${{ secrets.CACHIX_PUBLIC_TOKEN }}' | ||
| skipPush: true | ||
|
|
||
| - name: 'Build and cache K Framework' | ||
| uses: workflow/nix-shell-action@v3 | ||
| env: | ||
| GC_DONT_GC: 1 | ||
| CACHIX_AUTH_TOKEN: '${{ secrets.CACHIX_PUBLIC_TOKEN }}' | ||
| with: | ||
| packages: jq | ||
| script: | | ||
| k=$(nix build .#k --json | jq -r '.[].outputs | to_entries[].value') | ||
| drv=$(nix-store --query --deriver ${k}) | ||
| nix-store --query --requisites --include-outputs ${drv} | cachix push k-framework | ||
|
|
There was a problem hiding this comment.
this should not have been in master push. It has instead been replaced by the cachix-release job in release.yml
There was a problem hiding this comment.
@goodlyrottenapple we need to remove the needs: ... clause from later in the job under gh-release.
There was a problem hiding this comment.
Ah thanks for the spot!
goodlyrottenapple
changed the title
| packages: jq | ||
| script: | | ||
| export PATH="$(nix build github:runtimeverification/kup --no-link --json | jq -r '.[].outputs | to_entries[].value')/bin:$PATH" | ||
| kup publish k-framework-binary .#k --keep-days 180 |
There was a problem hiding this comment.
I guess the limiting thing here is the maximum time between updates for a downstream project; if something were to go longer than 180 days without an update then is the downside risk just that their CI / build process will need to build K from source if going via Nix? (as opposed to breaking a build). My gut feeling is that we should go for a shorter time, but that also depends on what the risk is on the other side - will we get charged extra by cachix? Will we fill up a disk somewhere more quickly?
(sorry for the lengthy answer, just trying to understand the tradeoff space here)
There was a problem hiding this comment.
yes, kup will still install fine but will have to rely on the old cache and therefore will build for a bit longer. This can be mitigated in a few different ways. If the downstream CI is not ephemeral, then this should not matter anyway, otherwise we could either manually re-pin without the --keep-days argument which means that version will be pinned indefinitely, or we/they can set up another cachix cach and copy whatever they need into that cache...
There was a problem hiding this comment.
Are we paying for cachix? I remember in the past there was an issue where we would run out of space and they would start to delete old stuff. Is that going to be an issue that interacts poorly with these changes?
There was a problem hiding this comment.
We are paying for cachix, yes. We have a plan that allows us quite a bit of storage across several repositories, @F-WRunTime has more details.
This change will push K to the k-framework-binary cachix cache and pin it to the commit hash. See https://github.com/runtimeverification/k/actions/runs/6664139255/job/18111232575 for a successful test run