Fix GitHub actions & rework Flake

Author: 9999years

.config/nextest.toml

@@ -0,0 +1,13 @@
+# https://nexte.st/book/configuration.html
+
+[profile.ci]
+# Print out output for failing tests as soon as they fail, and also at the end
+# of the run (for easy scrollability).
+failure-output = "immediate-final"
+# Do not cancel the test run on the first failure.
+fail-fast = false
+# The Garnix CI builders run in some weird virtual filesystem that messes with
+# `notify`. Even with sleeps before writing and poll-based notifications,
+# sometimes `notify` misses events (this is rare, maybe 1 in 50 test runs).
+# Retry tests if they fail in CI to mitigate this.
+retries = 3

.github/workflows/ci.yaml

@@ -3,7 +3,7 @@
 
 # Run when PRs to main are closed.
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
     branches:
@@ -24,7 +24,7 @@ jobs:
     steps:
       - run: |
           echo "This is a canonical hack to run GitHub Actions on merged PRs"
-          echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-workflow-when-a-pull-request-merges"
+          echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges"
 
       - name: Comment on PR with link to this action
         uses: peter-evans/create-or-update-comment@v2
@@ -45,16 +45,16 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Install rustup
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Install jq
-        run: sudo apt install -y jq
+      - uses: cachix/install-nix-action@v22
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+          extra_nix_config: |
+            extra-experimental-features = nix-command flakes
+            accept-flake-config = true
 
       - name: Get version number
         id: get_cargo_metadata
-        run: |
-          echo "version=$(./.github/workflows/get-crate-version.sh)" >> "$GITHUB_OUTPUT"
+        run: echo "version=$(nix run .#get-crate-version)" >> "$GITHUB_OUTPUT"
 
   build:
     name: Release Build
@@ -67,75 +67,24 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest]
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Install rustup
-        uses: dtolnay/rust-toolchain@stable
-        if: runner.os == 'macOS'
-        with:
-          target: x86_64-apple-darwin, aarch64-apple-darwin
-
-      - name: Install rustup
-        uses: dtolnay/rust-toolchain@stable
-        if: runner.os == 'Linux'
-        with:
-          target: x86_64-unknown-linux-musl, aarch64-unknown-linux-musl
-
-      - name: Log versions
-        run: which -a rustup && rustup --version
-
-      - name: Test
-        run: cargo test
-
-      - name: Build (macOS, x86_64)
-        if: runner.os == 'macOS'
-        run: cargo build --release --target x86_64-apple-darwin
-
-      - name: Build (macOS, aarch64)
-        if: runner.os == 'macOS'
-        run: cargo build --release --target aarch64-apple-darwin
-
-      - name: Build (Linux, x86_64)
-        if: runner.os == 'Linux'
-        run: cargo build --release --target x86_64-unknown-linux-musl
-
-      - name: Create macOS universal executable and codesign it
-        if: runner.os == 'macOS'
-        run: |
-          lipo -create -output target/release/nix-your-shell-macos \
-            target/x86_64-apple-darwin/release/nix-your-shell \
-            target/aarch64-apple-darwin/release/nix-your-shell
-
-      - name: Rename executables for upload
-        if: runner.os == 'Linux'
-        run: |
-          mkdir -p target/release
-          mv target/x86_64-unknown-linux-musl/release/nix-your-shell \
-             target/release/nix-your-shell-x86_64-linux
-
-      - name: Upload macOS executable
-        uses: actions/upload-artifact@v3
-        if: runner.os == 'macOS'
-        with:
-          name: macos
-          path: target/release/nix-your-shell-macos
-
-      - name: Upload Linux x86_64 executable
-        uses: actions/upload-artifact@v3
-        if: runner.os == 'Linux'
+      - uses: cachix/install-nix-action@v22
         with:
-          name: linux-x86_64
-          path: target/release/nix-your-shell-x86_64-linux
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+          extra_nix_config: |
+            extra-experimental-features = nix-command flakes
+            accept-flake-config = true
 
       - name: Publish to crates.io
         if: runner.os == 'Linux'
         env:
           CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
         run: |
-          cargo publish
+          nix run .#pkgs.x86_64-linux.cargo -- publish --no-verify
 
   upload:
     name: Upload assets to release
@@ -180,9 +129,6 @@ jobs:
           prerelease: false
           generate_release_notes: true
           tag_name: v${{ needs.version.outputs.version }}
-          files: |
-            macos/nix-your-shell-macos
-            linux-x86_64/nix-your-shell-x86_64-linux
 
       - name: Comment on PR with link to the release
         uses: peter-evans/create-or-update-comment@v2

.github/workflows/get-crate-version.sh

@@ -9,13 +9,13 @@
 # and update the `REPO_GITHUB_TOKEN` secret to a new, valid token.
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
     branches:
       - main
 
-name: Update versions and release
+name: Update versions and create release PR
 
 jobs:
   # We make `if_merged` a `needs:` of the other jobs here to only run this
@@ -31,7 +31,7 @@ jobs:
     steps:
       - run: |
           echo "This is a canonical hack to run GitHub Actions on merged PRs"
-          echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-workflow-when-a-pull-request-merges"
+          echo "See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-pull_request-workflow-when-a-pull-request-merges"
 
   bump_type:
     name: Determine version bump type
@@ -56,7 +56,7 @@ jobs:
           fi
 
   version:
-    name: Update and tag version numbers
+    name: Bump version and create release PR
     permissions:
       pull-requests: write
     needs:
@@ -70,42 +70,23 @@ jobs:
           # Fetch all history/tags (needed to compute versions)
           fetch-depth: 0
 
-      - name: Install rustup
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Download and install `cargo-release`
-        run: |
-          set -v
-          pushd "$(mktemp -d)"
-          curl -L -o cargo-release.tar.gz \
-            https://github.com/crate-ci/cargo-release/releases/download/v0.21.1/cargo-release-v0.21.1-x86_64-unknown-linux-gnu.tar.gz
-          tar -xvf cargo-release.tar.gz
-          install -d ~/.local/bin
-          install cargo-release ~/.local/bin
-          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
-          popd
-          ~/.local/bin/cargo-release release --version
+      - uses: cachix/install-nix-action@v22
+        with:
+          github_access_token: ${{ secrets.GITHUB_TOKEN }}
+          extra_nix_config: |
+            extra-experimental-features = nix-command flakes
+            accept-flake-config = true
 
       - name: Get old version number
         id: old_cargo_metadata
-        run: |
-          echo "version=$(./.github/workflows/get-crate-version.sh)" >> "$GITHUB_OUTPUT"
+        run: echo "version=$(nix run .#get-crate-version)" >> "$GITHUB_OUTPUT"
 
       - name: Increment `Cargo.toml` version
-        # `cargo-release` changes the version numbers in `Cargo.toml` and
-        # `Cargo.lock` and commits the changes.
-        run: |
-          git config --local user.email "github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          cargo-release release \
-            --execute \
-            --no-confirm \
-            ${{ needs.bump_type.outputs.bump_type }}
+        run: nix run .#make-release-commit -- ${{ needs.bump_type.outputs.bump_type }}
 
       - name: Get new version number
         id: new_cargo_metadata
-        run: |
-          echo "version=$(./.github/workflows/get-crate-version.sh)" >> "$GITHUB_OUTPUT"
+        run: echo "version=$(nix run .#get-crate-version)" >> "$GITHUB_OUTPUT"
 
       - name: Create release PR
         id: release_pr
@@ -128,7 +109,7 @@ jobs:
           labels: release
 
       - name: Comment on PR with link to release PR
-        uses: peter-evans/create-or-update-comment@v2
+        uses: peter-evans/create-or-update-comment@v3
         with:
           issue-number: ${{ github.event.pull_request.number }}
           body: |