14 changes: 11 additions & 3 deletions .github/workflows/release-linux.yml
@@ -419,6 +419,14 @@ jobs:
echo "Generated local release-artifacts override:"
cat nix/release-artifacts.override.nix

- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Verify KVM access
run: |
echo "=== KVM device ==="
@@ -435,13 +443,13 @@ jobs:
fi

- name: Rocky 9 package test (RPM proxy)
run: nix build .#checks.x86_64-linux.distro-rocky9 --print-build-logs -L --option sandbox relaxed
run: nix --store daemon build .#checks.x86_64-linux.distro-rocky9 --print-build-logs -L --option sandbox relaxed

- name: Debian 12 package test
run: nix build .#checks.x86_64-linux.distro-debian12 --print-build-logs -L --option sandbox relaxed
run: nix --store daemon build .#checks.x86_64-linux.distro-debian12 --print-build-logs -L --option sandbox relaxed

- name: Ubuntu 24.04 package test
run: nix build .#checks.x86_64-linux.distro-ubuntu2404 --print-build-logs -L --option sandbox relaxed
run: nix --store daemon build .#checks.x86_64-linux.distro-ubuntu2404 --print-build-logs -L --option sandbox relaxed

- name: Upload distro validation logs
if: always()
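Review bot: The `nix --store daemon build … --option sandbox relaxed` lines now depend on how the daemon treats the runner account, and the added "Verify runner Nix daemon" step only proves that the socket answers. To my knowledge a Nix daemon ignores client-supplied restricted settings such as `sandbox` for accounts outside its trusted-users list and only logs a warning, so these distro checks may run under a different sandbox mode than the command line states; the same lines appear in release-qcow2.yml and test-distro.yml. Since daemon trust is close to root on the runner host, which case applies is worth stating beside the step, for example `# sandbox relaxed takes effect only if the runner user is in the daemon's trusted-users`. Recent Nix releases also report the client's trust status in `nix store info` output, so the verify step's log can confirm it; check that on the runner's version.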
10 changes: 9 additions & 1 deletion .github/workflows/release-qcow2.yml
@@ -50,9 +50,17 @@ jobs:
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "Building QCOW2 ${{ matrix.variant }} for $TAG (version $VERSION)"

- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Build QCOW2 image
run: |
nix build .#qcow2-${{ matrix.variant }} \
nix --store daemon build .#qcow2-${{ matrix.variant }} \
--print-build-logs -L \
--option sandbox relaxed

20 changes: 9 additions & 11 deletions .github/workflows/test-cjk.yml
@@ -37,15 +37,13 @@ jobs:
- name: Setup GloriousFlywheel
uses: tinyland-inc/GloriousFlywheel/.github/actions/setup-flywheel@main

- name: Bootstrap Nix CLI
uses: cachix/install-nix-action@v31
with:
extra_nix_config: |
extra-substituters = http://attic.nix-cache.svc.cluster.local/main
extra-trusted-public-keys = main:NKRk1XYo/dfd9fcDqgotUJg2DTDHWp5ny+Ba7WzRjgE=
- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix toolchain
run: nix --version
- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Strip non-version tags from ghostty
run: git -C ghostty tag -l 'xcframework-*' | xargs git -C ghostty tag -d 2>/dev/null || true
@@ -67,15 +65,15 @@ jobs:

- name: Build libghostty (Nix)
run: |
nix develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
nix --store daemon develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
bash scripts/ghostty-compat-symlinks.sh
ls -lh ghostty/zig-out/lib/libghostty.*

- name: Build cmux-linux (Nix)
run: nix develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'
run: nix --store daemon develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'

- name: Run CJK input tests
run: nix develop --command bash scripts/test-cjk-input.sh
run: nix --store daemon develop --command bash scripts/test-cjk-input.sh

- name: Upload test logs
if: always()
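Review bot: Nothing visible in this section sets `ATTIC_SERVER` or `ATTIC_CACHE`, which the new configure script needs before it adds the substituter that the removed `Bootstrap Nix CLI` step used to hardcode. Presumably the `setup-flywheel` step exports them, but if it does not, the script skips the cache without failing and the job rebuilds everything or pulls from whatever substituters the daemon already has; test-gpu.yml and test-socket.yml have the same shape. Passing the values explicitly on the step keeps the source of binaries reviewable in the workflow itself, e.g. an `env:` block under `Configure self-hosted Nix` with `ATTIC_SERVER: http://attic.nix-cache.svc.cluster.local` and `ATTIC_CACHE: main`.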
14 changes: 11 additions & 3 deletions .github/workflows/test-distro.yml
@@ -112,6 +112,14 @@ jobs:
echo "Generated nix/release-artifacts.override.nix for ${TAG}"
cat nix/release-artifacts.override.nix

- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Verify KVM access
run: |
echo "=== KVM device ==="
@@ -130,16 +138,16 @@ jobs:

- name: Rocky 9 package test (RPM proxy)
if: inputs.distro == 'all' || inputs.distro == 'rocky9' || inputs.distro == ''
run: nix build .#checks.x86_64-linux.distro-rocky9 --print-build-logs -L --option sandbox relaxed
run: nix --store daemon build .#checks.x86_64-linux.distro-rocky9 --print-build-logs -L --option sandbox relaxed


- name: Debian 12 package test
if: inputs.distro == 'all' || inputs.distro == 'debian12' || inputs.distro == ''
run: nix build .#checks.x86_64-linux.distro-debian12 --print-build-logs -L --option sandbox relaxed
run: nix --store daemon build .#checks.x86_64-linux.distro-debian12 --print-build-logs -L --option sandbox relaxed

- name: Ubuntu 24.04 package test
if: inputs.distro == 'all' || inputs.distro == 'ubuntu2404' || inputs.distro == ''
run: nix build .#checks.x86_64-linux.distro-ubuntu2404 --print-build-logs -L --option sandbox relaxed
run: nix --store daemon build .#checks.x86_64-linux.distro-ubuntu2404 --print-build-logs -L --option sandbox relaxed

- name: Upload test logs
if: always()
22 changes: 10 additions & 12 deletions .github/workflows/test-gpu.yml
@@ -41,15 +41,13 @@ jobs:
- name: Setup GloriousFlywheel
uses: tinyland-inc/GloriousFlywheel/.github/actions/setup-flywheel@main

- name: Bootstrap Nix CLI
uses: cachix/install-nix-action@v31
with:
extra_nix_config: |
extra-substituters = http://attic.nix-cache.svc.cluster.local/main
extra-trusted-public-keys = main:NKRk1XYo/dfd9fcDqgotUJg2DTDHWp5ny+Ba7WzRjgE=
- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix toolchain
run: nix --version
- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Strip non-version tags from ghostty
run: git -C ghostty tag -l 'xcframework-*' | xargs git -C ghostty tag -d 2>/dev/null || true
@@ -63,20 +61,20 @@ jobs:

- name: Build libghostty (Nix)
run: |
nix develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
nix --store daemon develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
bash scripts/ghostty-compat-symlinks.sh
ls -lh ghostty/zig-out/lib/libghostty.*

- name: Build cmux-linux (Nix)
run: nix develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'
run: nix --store daemon develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'

- name: Test config parser (Nix)
run: nix develop --command bash -c 'cd cmux-linux && zig build test'
run: nix --store daemon develop --command bash -c 'cd cmux-linux && zig build test'

- name: GPU smoke test
env:
SMOKE_TIMEOUT: ${{ inputs.test_timeout || '15' }}
run: nix develop --command bash scripts/smoke-test-gpu.sh "$SMOKE_TIMEOUT"
run: nix --store daemon develop --command bash scripts/smoke-test-gpu.sh "$SMOKE_TIMEOUT"

- name: Upload crash logs
if: failure()
27 changes: 16 additions & 11 deletions .github/workflows/test-socket.yml
@@ -40,29 +40,28 @@ jobs:
- name: Setup GloriousFlywheel
uses: tinyland-inc/GloriousFlywheel/.github/actions/setup-flywheel@main

- name: Bootstrap Nix CLI
uses: cachix/install-nix-action@v31
with:
extra_nix_config: |
extra-substituters = http://attic.nix-cache.svc.cluster.local/main
extra-trusted-public-keys = main:NKRk1XYo/dfd9fcDqgotUJg2DTDHWp5ny+Ba7WzRjgE=
- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix toolchain
run: nix --version
- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Strip non-version tags from ghostty
run: git -C ghostty tag -l 'xcframework-*' | xargs git -C ghostty tag -d 2>/dev/null || true

- name: Build libghostty (Nix)
run: |
nix develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
nix --store daemon develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
bash scripts/ghostty-compat-symlinks.sh
ls -lh ghostty/zig-out/lib/libghostty.*

- name: Build cmux-linux (Nix)
run: nix develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'
run: nix --store daemon develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'

- name: Run socket tests
id: socket_tests
continue-on-error: true
env:
TEST_FILTER: ${{ inputs.test_filter || '' }}
@@ -71,7 +70,13 @@ jobs:
# candidates into BASELINE in the runner script. See cmux #216
# / TIN-183 for the expansion plan.
CMUX_TEST_PHASE1: '1'
run: nix develop --command bash scripts/run-socket-tests.sh
run: nix --store daemon develop --command bash scripts/run-socket-tests.sh

- name: Fail on baseline socket-test failure
if: ${{ always() && steps.socket_tests.outcome == 'failure' }}
run: |
echo "error: baseline socket tests failed; see the Run socket tests step and uploaded artifact." >&2
exit 1

- name: Upload test results
if: always()
14 changes: 11 additions & 3 deletions .github/workflows/test-ssh-proxy.yml
@@ -53,19 +53,27 @@ jobs:
docker info --format "Docker {{.ServerVersion}}"
docker ps --format "Running containers: {{.Names}}" || true

- name: Configure self-hosted Nix
run: bash scripts/configure-self-hosted-nix.sh

- name: Verify runner Nix daemon
run: |
nix --version
nix store info --store daemon

- name: Build libghostty (Nix)
run: |
nix develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
nix --store daemon develop --command bash -c 'cd ghostty && zig build -Dapp-runtime=none -Drenderer=opengl -Doptimize=ReleaseFast'
bash scripts/ghostty-compat-symlinks.sh
ls -lh ghostty/zig-out/lib/libghostty.*

- name: Build cmux-linux (Nix)
run: nix develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'
run: nix --store daemon develop --command bash -c 'cd cmux-linux && zig build -Doptimize=ReleaseFast && ls -lh zig-out/bin/cmux'

- name: Run SSH proxy tests
env:
TEST_FILTER: ${{ inputs.test_filter || '' }}
run: nix develop --command bash scripts/run-ssh-proxy-tests.sh
run: nix --store daemon develop --command bash scripts/run-ssh-proxy-tests.sh

- name: Upload test results
if: always()
128 changes: 128 additions & 0 deletions scripts/configure-self-hosted-nix.sh
@@ -0,0 +1,128 @@
#!/usr/bin/env bash
set -euo pipefail

if ! command -v nix >/dev/null 2>&1; then
echo "::error::Nix is not installed on this self-hosted runner." >&2
exit 1
fi

if [[ -z "${GITHUB_ENV:-}" ]]; then
echo "::error::GITHUB_ENV is not set; this script is meant to run inside GitHub Actions." >&2
exit 1
fi

ATTIC_PUBLIC_KEY="main:NKRk1XYo/dfd9fcDqgotUJg2DTDHWp5ny+Ba7WzRjgE="
DETERMINATE_NIXD_LOG="/tmp/determinate-nixd.log"

emit_github_env() {
local key="$1"
shift

{
printf '%s<<EOF\n' "$key"
printf '%s\n' "$@"
printf 'EOF\n'
} >>"$GITHUB_ENV"
}
Comment on lines +17 to +26

P2 Hardcoded EOF delimiter may truncate NIX_CONFIG

The GitHub Actions multiline env-file format requires that the chosen delimiter does not appear as a standalone line anywhere in the value. Using the fixed string EOF means any pre-existing NIX_CONFIG that contains a bare EOF line would silently truncate the exported value, causing downstream nix invocations to receive incomplete config with no error. GitHub's own documentation recommends generating a random delimiter (e.g. via $RANDOM or a hash) to eliminate the collision risk entirely.


daemon_store_available() {
nix store info --store daemon >/dev/null 2>&1
}

start_determinate_daemon() {
local daemon_bin
daemon_bin="$(command -v determinate-nixd)"

if [[ "$(id -u)" -eq 0 ]]; then
nohup "$daemon_bin" daemon >"$DETERMINATE_NIXD_LOG" 2>&1 &
return 0
fi

if ! command -v sudo >/dev/null 2>&1; then
echo "::error::determinate-nixd requires root to launch the daemon, but sudo is unavailable on this runner" >&2
return 1
fi

if ! sudo -n true >/dev/null 2>&1; then
echo "::error::Passwordless sudo is unavailable for launching determinate-nixd on this runner" >&2
return 1
fi

nohup sudo -n "$daemon_bin" daemon >"$DETERMINATE_NIXD_LOG" 2>&1 &
}

emit_diagnostics() {
echo "::notice::Nix daemon socket diagnostics"
for path in \
/nix/var/nix/daemon-socket \
/nix/var/nix/daemon-socket/socket \
/nix/var/determinate/determinate-nixd.socket \
/var/run/nix-daemon.socket \
/var/run/determinate-nixd.socket
do
if [[ -e "$path" || -L "$path" ]]; then
ls -ld "$path" >&2
else
echo "missing: $path" >&2
fi
done

if command -v ps >/dev/null 2>&1; then
ps -ef | grep '[d]eterminate-nixd' >&2 || true
fi
}

determine_daemon_mode() {
if daemon_store_available; then
echo "NIX_REMOTE=daemon" >>"$GITHUB_ENV"
echo "::notice::Using preinitialized Nix daemon"
return 0
fi

if command -v determinate-nixd >/dev/null 2>&1; then
echo "::notice::Starting determinate-nixd for this workflow"
rm -f "$DETERMINATE_NIXD_LOG"
start_determinate_daemon

local attempt
for attempt in $(seq 1 100); do
if daemon_store_available; then
echo "NIX_REMOTE=daemon" >>"$GITHUB_ENV"
echo "::notice::Determinate Nix daemon is ready"
return 0
fi
sleep 0.2
done

echo "::error::Determinate Nix daemon did not become ready" >&2
if [[ -f "$DETERMINATE_NIXD_LOG" ]]; then
sed -n '1,120p' "$DETERMINATE_NIXD_LOG" >&2
fi
emit_diagnostics
exit 1
fi

echo "::error::No usable Nix daemon detected on this self-hosted runner" >&2
emit_diagnostics
exit 1
}

determine_daemon_mode

declare -a nix_config_lines=()
if [[ -n "${NIX_CONFIG:-}" ]]; then
nix_config_lines+=("${NIX_CONFIG}")
fi

if [[ -n "${ATTIC_SERVER:-}" && -n "${ATTIC_CACHE:-}" ]]; then
nix_config_lines+=("extra-substituters = ${ATTIC_SERVER%/}/${ATTIC_CACHE}")
nix_config_lines+=("extra-trusted-public-keys = ${ATTIC_PUBLIC_KEY}")
echo "::notice::Configured Nix substituter ${ATTIC_SERVER%/}/${ATTIC_CACHE}"
fi

if (( ${#nix_config_lines[@]} > 0 )); then
emit_github_env "NIX_CONFIG" "${nix_config_lines[@]}"
fi

echo "::notice::Using Nix from $(command -v nix)"
nix --version
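Review bot: `DETERMINATE_NIXD_LOG="/tmp/determinate-nixd.log"` is a fixed name in a world-writable directory, and `start_determinate_daemon` opens it with a `>` redirect shortly after `determine_daemon_mode` runs `rm -f` on it. On a runner host shared with other local accounts, the gap between the remove and the redirect lets another account pre-create that path (including as a symlink), and the redirect runs as root when the script itself does. Creating the file privately avoids this: `DETERMINATE_NIXD_LOG="$(mktemp "${RUNNER_TEMP:-/tmp}/determinate-nixd.XXXXXX")"`, with the `rm -f` line dropped. The daemon started here is also left running after the step with no matching stop, which deserves a comment saying whether that is intended on a persistent runner.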