ci: add cachix to CI build (#40)

Signed-off-by: Gabriel Nützi <[email protected]>
Co-authored-by: Cyril Matthey-Doret <[email protected]>

.github/workflows/main-and-pr.yaml

@@ -20,5 +20,6 @@ on:
 jobs:
   normal:
     uses: ./.github/workflows/normal.yaml
+    secrets: inherit
     with:
       is_release: false

.github/workflows/normal.yaml

@@ -28,102 +28,170 @@ on:
         type: boolean
 
 jobs:
-  format:
-    if: ${{ ! inputs.is_release }}
+  cache:
+    environment: ci
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.0.0
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Setup Git & Cache Nix
+      - name: Cache Nix Shell
         run: |
           ./tools/ci/setup-git.sh
-          just nix-develop-ci echo "Built cache."
+          ./tools/ci/setup-nix-cache.sh
+          just nix-cache-upload-shell
+
+  format:
+    environment: ci
+    if: ${{ ! inputs.is_release }}
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+    steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
 
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Setup
+        run: |
+          ./tools/ci/setup-git.sh
+          ./tools/ci/setup-nix-cache.sh
       - name: Format
         run: |
           just nix-develop-ci just format
 
   lint:
+    environment: ci
     if: ${{ ! inputs.is_release }}
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.0.0
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Setup Git & Cache Nix
+      - name: Setup
         run: |
           ./tools/ci/setup-git.sh
-          just nix-develop-ci echo "Built cache."
+          ./tools/ci/setup-nix-cache.sh
 
       - name: Lint
         run: |
           just nix-develop-ci just lint
 
   build:
+    environment: ci
     if: ${{ ! inputs.is_release }}
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.0.0
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Setup Git & Cache Nix
+      - name: Setup
         run: |
           ./tools/ci/setup-git.sh
-          just nix-develop-ci echo "Built cache."
+          ./tools/ci/setup-nix-cache.sh
 
       - name: Build
         run: |
           just nix-develop-ci just build
 
   test:
+    environment: ci
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.0.0
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
     steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Setup Git & Cache Nix
+      - name: Setup
         run: |
           ./tools/ci/setup-git.sh
-          just nix-develop-ci git --version
+          ./tools/ci/setup-nix-cache.sh
 
       - name: Test
         run: |
           just nix-develop-ci just test
 
   package:
+    environment: ci
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.0.0
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
     if: ${{ ! inputs.is_release }}
 
     steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Setup Git
+      - name: Setup
         run: |
           ./tools/ci/setup-git.sh
-           just nix-develop-ci echo "Built cache."
+          ./tools/ci/setup-nix-cache.sh
 
       - name: Build Package (nix)
         run: |
@@ -134,30 +202,36 @@ jobs:
           just nix-develop-ci just nix-image
 
   deploy:
+    environment: ci
     if: ${{ inputs.is_release }}
     needs: [test]
-
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.0.0
+      image: ghcr.io/sdsc-ordes/tripsu:ci-nix-1.1.0
+    env:
+      CI_IS_RELEASE: true
+      CACHIX_CACHE_NAME: ${{ secrets.CACHIX_CACHE_NAME }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
     permissions:
       contents: write
       packages: write
 
-    env:
-      CI_IS_RELEASE: true
-
     steps:
+      - name: Github Actions Workarounds
+        run: |
+          echo "HOME=/root" >> $GITHUB_ENV
+          cat /container-setup/.ld-library-path >> "$GITHUB_ENV"
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 1
 
-      - name: Setup Git & Nix Cache
+      - name: Cache Dev Shell
         run: |
           ./tools/ci/setup-git.sh
-           just nix-develop-ci echo "Built cache."
+          ./tools/ci/setup-nix-cache.sh
 
       - name: Create Version Tag
         run: |
@@ -194,6 +268,9 @@ jobs:
       contents: write
 
     steps:
+      - name: Define Proper 'HOME' Path
+        run: echo "HOME=/root" >> $GITHUB_ENV
+
       - name: Checkout
         uses: actions/checkout@v4
         with:

.github/workflows/release.yaml

@@ -18,5 +18,6 @@ on:
 jobs:
   release:
     uses: ./.github/workflows/normal.yaml
+    secrets: inherit
     with:
       is_release: true

.gitignore

@@ -7,3 +7,5 @@
 # Nix
 result
 build
+
+.env

justfile

@@ -15,13 +15,14 @@ nix-develop *args:
     cd "{{root_dir}}" && \
     cmd=("$@") && \
     { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \
-    nix develop ./tools/nix#default --command "${cmd[@]}"
+    nix develop ./tools/nix#default --accept-flake-config --command "${cmd[@]}"
 
 nix-develop-ci *args:
-    cd "{{root_dir}}" && \
-    cmd=("$@") && \
-    { [ -n "${cmd:-}" ] || cmd=("zsh"); } && \
-    nix develop ./tools/nix#ci --command "${cmd[@]}"
+    #!/usr/bin/env bash
+    set -eu
+    cd "{{root_dir}}"
+    cachix watch-exec "$CACHIX_CACHE_NAME" -- \
+        nix develop ./tools/nix#ci --accept-flake-config --command "$@"
 
 # Enter nix development shell for benchmarking.
 nix-develop-bench *args:
@@ -83,6 +84,27 @@ nix-image *args:
     cd "{{root_dir}}" && \
        "./tools/build-image.sh" "$@"
 
+
+# Upload the dev shell to the Nix cache.
+nix-cache-upload-shell:
+    #!/usr/bin/env bash
+    set -eu
+    cd "{{root_dir}}"
+
+    profile=./dev-profile
+    mkdir -p "$profile"
+
+    # Cache development shell.
+    nix develop --profile "$profile/dev" ./tools/nix#ci --command true
+    cachix push "$CACHIX_CACHE_NAME" "$profile/dev"
+    rm -rf "$profile"
+
+    # Cache flake inputs.
+    nix flake archive ./tools/nix --json \
+      | jq -r '.path,(.inputs|to_entries[].value.path)' \
+      | cachix push "$CACHIX_CACHE_NAME"
+
+
 # Upload all images for CI (local machine)
 upload-ci-images:
     cd "{{root_dir}}" && \

tools/ci/images/Containerfile

@@ -3,41 +3,31 @@
 # or use `nix develop` to start a sandboxed environment to
 # do other non-docker related stuff.
 
-FROM alpine:latest as base-podman
-LABEL org.opencontainers.image.source https://github.com/sdsc-ordes/tripsu
-LABEL org.opencontainers.image.description "CI container image for tripsu"
-LABEL org.opencontainers.image.license "Apache"
-
-RUN apk add findutils coreutils git jq curl bash just parallel podman
+FROM docker.nix-community.org/nixpkgs/cachix-flakes as base
 
 # Nix Image
 # ===============================================
-FROM base-podman as ci-nix
-ARG USER_NAME=ci
-ARG USER_UID=1000
-ARG USER_GID=1000
-ARG CACHE_TOOLCHAIN=false
-ARG USER_HOME="/github/home"
+FROM base as ci-nix
+
+LABEL org.opencontainers.image.source https://github.com/sdsc-ordes/tripsu
+LABEL org.opencontainers.image.description "CI container image for tripsu"
+LABEL org.opencontainers.image.license "Apache"
 
 RUN [ "TARGETPLATFORM" = "linux/amd64" ] || echo "Platform not yet supported."
 COPY ./tools /container-setup/tools
 
-# Install Nix and pre-cache the env.
-RUN bash -c ". /container-setup/tools/general.sh && ci_setup_nix"
+# Install Nix.
+RUN bash -eu -o pipefail -c \
+    ". /container-setup/tools/general.sh && ci_setup_nix"
 
-# Create user (does not work because action/checkout uses `root` in its own container ... 💩)
-# Leave this code here for a reference:
-# RUN mkdir -p "$USER_HOME" && \
-#     adduser "$USER_NAME" -s /bin/zsh -D -u "$USER_UID" -g "$USER_GID" -h "$USER_HOME/$USER_NAME" && \
-#     mkdir -p /etc/sudoers.d && \
-#     echo "$USER_NAME ALL=(root) NOPASSWD:ALL" > "/etc/sudoers.d/$USER_NAME" && \
-#     chmod 0440 "/etc/sudoers.d/$USER_NAME" && \
-#     chown -R "$USER_NAME:$USER_NAME" /home /container-setup
-# USER "$USER_NAME"
-
-COPY rust-toolchain.toml /container-setup/
-RUN [ "${CACHE_TOOLCHAIN}" = "false" ] || { cd /container-setup && \
+# Bootstrap the Nix store with some basic utilities.
+RUN cd /container-setup && \
     git init && git add . && \
-    nix --accept-flake-config \
-    build --no-link "./tools/nix#devShells.x86_64-linux.ci" && \
-    nix store optimise; }
+    nix profile install --profile /nix/var/nix/profiles/ci \
+    --accept-flake-config "./tools/nix#ci.bootstrap" --impure && \
+    nix store gc && nix store optimise
+ENV PATH="/nix/var/nix/profiles/ci/bin:$PATH"
+
+RUN bash -eu -o pipefail -c \
+    ". /container-setup/tools/general.sh && ci_setup_github_workarounds" && \
+    nix store gc && nix store optimise

tools/ci/setup-nix-cache.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC1091
+# This script is sourced in each step.
+set -u
+set -e
+
+ROOT_DIR=$(git rev-parse --show-toplevel)
+. "$ROOT_DIR/tools/general.sh"
+
+ci_setup_cachix "${CACHIX_CACHE_NAME}" "${CACHIX_AUTH_TOKEN}"

tools/ci/upload-ci-images.sh

@@ -27,7 +27,7 @@ function build_ci_image() {
     ci_container_mgr push "$image_name" || die "Could not upload image."
 }
 
-tag="${1:-1.0.0}"
+tag="${1:-1.1.0}"
 repository="${2:-ghcr.io/sdsc-ordes/tripsu}"
 container_file="$DIR/images/Containerfile"