M9.R.37.4+5: link nix-glibc ld.so.cache to /etc + narrow LD_LIBRARY_PATH #1981
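name: CI

on:
  push:
    branches: [main, dev]
  # NOTE(review): pull_request runs land on the self-hosted pool used by
  # every job below. Repository secrets (and so the App token each job
  # mints) are not exposed to pull requests from forks, and a fork PR
  # would execute its code on the bare-metal runners — confirm fork PRs
  # are not expected for these private repos, or restrict the trigger.
  pull_request:

# Least-privilege default for the workflow's own GITHUB_TOKEN: the jobs
# below only use it to check out this repository. All cross-repo access
# goes through the App installation token each job mints for itself.
permissions:
  contents: read

# CI replays the project's deterministic dev environment via the
# shared `metacraft-github-actions` composite actions. Per the
# `ci-shared-dev-env` policy, this workflow:
#
# - does NOT install tools (nim, gcc, capnp, etc.) directly; the
#   flake's devShell declares them.
# - does NOT inline `nix develop --command …` invocations; it
#   uses `dev-exec` from the shared `setup-dev-env` action.
# - clones sibling repos via `clone-repo` and threads them through
#   `flake-override-inputs` so the dev shell consumes the local
#   checkouts instead of pinned github tarballs.
#
# Policy doc:
# github.com/metacraft-labs/metacraft-dev-guidelines/blob/latest/policies/ci-shared-dev-env.md
jobs: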
| lint: | |
| name: Lint | |
| runs-on: [self-hosted, nixos] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Mint a GitHub App installation token via the CI Token Provider | |
| # app. GitHub free plan restricts org-level secrets with | |
| # visibility ALL from being readable inside private repos, so we | |
| # mint per-run tokens from the repo-local CI_TOKEN_PROVIDER_APP_ID | |
| # + CI_TOKEN_PROVIDER_PRIVATE_KEY secrets. | |
| - name: Mint installation token for cross-repo sibling access | |
| id: ci_token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.CI_TOKEN_PROVIDER_APP_ID }} | |
| private-key: ${{ secrets.CI_TOKEN_PROVIDER_PRIVATE_KEY }} | |
| owner: metacraft-labs | |
| - uses: metacraft-labs/metacraft-github-actions/setup-dev-env@main | |
| with: | |
| env-flavor: nix | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| - name: just lint | |
| run: dev-exec just lint | |
| - name: Upload logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: lint-logs | |
| path: test-logs/ | |
| retention-days: 30 | |
| test: | |
| name: Test | |
| # Self-hosted bare-metal Linux runner. Standard ubuntu-latest is | |
| # too small (4 vCPU / 16 GB) — the parallel nim c phase trips OOM | |
| # and the test runner hits an fd race at higher concurrency. The | |
| # metacraft-labs bare-metal pool has nixos hosts with plenty of | |
| # cores + RAM; lift the parallelism caps below for them. | |
| runs-on: [self-hosted, Linux, X64, bare-metal, nixos] | |
| env: | |
| REPROBUILD_MAX_PARALLELISM: "16" | |
| REPROBUILD_TEST_THREADS: "4" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # Mint a GitHub App installation token via the CI Token Provider | |
| # app for the sibling-repo clones + setup-dev-env below. See the | |
| # comment in the `lint` job for the rationale. | |
| - name: Mint installation token for cross-repo sibling access | |
| id: ci_token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.CI_TOKEN_PROVIDER_APP_ID }} | |
| private-key: ${{ secrets.CI_TOKEN_PROVIDER_PRIVATE_KEY }} | |
| owner: metacraft-labs | |
| # Sibling clones: scripts/run_tests.sh builds ../runquota and | |
| # ct_test_nim_unittest resolves the ct-test source via the | |
| # `CT_TEST_SRC` env var. Both come from local clones so changes | |
| # in either sibling are picked up immediately without waiting | |
| # for a flake.lock bump. | |
| - name: Clone ct-test sibling | |
| uses: metacraft-labs/metacraft-github-actions/clone-repo@main | |
| with: | |
| repo: metacraft-labs/ct-test | |
| ref: main | |
| path: ${{ github.workspace }}/../ct-test | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| - name: Clone runquota sibling | |
| uses: metacraft-labs/metacraft-github-actions/clone-repo@main | |
| with: | |
| repo: metacraft-labs/runquota | |
| # runquota's mainline is ``dev`` (its default branch); ``main`` is | |
| # stale and lacks the b0 config.nims closure fix + the forking-lease | |
| # completion fix the reprobuild b0 / cmake-develop tests depend on. | |
| ref: dev | |
| path: ${{ github.workspace }}/../runquota | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| # reprobuild-cmake is the CMake fork carrying the Reprobuild | |
| # generator. The cmake-develop e2e tests (tests/e2e/cmake-develop/) | |
| # hard-require its built ``cmake`` binary (no graceful skip), so the | |
| # test job must clone it and scripts/run_tests.sh builds it as a | |
| # prerequisite. Pinned to the ``reprobuild`` branch (the fork). | |
| - name: Clone reprobuild-cmake sibling | |
| uses: metacraft-labs/metacraft-github-actions/clone-repo@main | |
| with: | |
| repo: metacraft-labs/reprobuild-cmake | |
| ref: reprobuild | |
| path: ${{ github.workspace }}/../reprobuild-cmake | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| # reprobuild-examples carries the canonical M71 reference home.nim | |
| # under m71-home-profile-walkthrough/ + a number of hello-binary | |
| # fixtures (haskell-cabal, crystal-shards, nim/mode3-pilot, …) that | |
| # several library / e2e tests assert against by walking up to the | |
| # metacraft root and then into ../reprobuild-examples. Without this | |
| # clone, the M71 reference-home check fails at runtime because the | |
| # path baked in via currentSourcePath() at compile time points at | |
| # a non-existent file on the CI runner. | |
| - name: Clone reprobuild-examples sibling | |
| uses: metacraft-labs/metacraft-github-actions/clone-repo@main | |
| with: | |
| repo: metacraft-labs/reprobuild-examples | |
| ref: main | |
| path: ${{ github.workspace }}/../reprobuild-examples | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| # vm-harness ships the ``vm_harness`` library that the ReproOS | |
| # R2 / R9 boot integration tests import unconditionally at the | |
| # top of the file. ``addPackagePath("VM_HARNESS_SRC", …)`` in | |
| # ``config.nims`` falls back to ``../vm-harness/src`` when the | |
| # env var isn't set, so a sibling clone is all the test runner | |
| # needs. Without this clone, ``tests/integration/t_r2_iso_boot. | |
| # nim`` and ``tests/integration/t_r9_systemd_boot.nim`` fail at | |
| # the ``import vm_harness`` line and ``repro build | |
| # .#test-builds`` surfaces ``Error: cannot open file: vm_harness`` | |
| # long before the ``when not defined(windows): quit(0)`` skip | |
| # block can run. The tests still skip at runtime on Linux / | |
| # macOS because the Hyper-V backend they exercise is Windows- | |
| # only. | |
| - name: Clone vm-harness sibling | |
| uses: metacraft-labs/metacraft-github-actions/clone-repo@main | |
| with: | |
| repo: metacraft-labs/vm-harness | |
| ref: main | |
| path: ${{ github.workspace }}/../vm-harness | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| - uses: metacraft-labs/metacraft-github-actions/setup-dev-env@main | |
| with: | |
| env-flavor: nix | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| flake-override-inputs: | | |
| ct-test-src=../ct-test | |
| runquota-src=../runquota | |
| # Build codetracer's `ct` binary in the sibling checkout (cloned adjacent | |
| # by setup-dev-env's clone-siblings, per .github/sibling-repos). The | |
| # ct_incremental_adapter that `repro watch --ct-incremental` uses execs | |
| # `ct test --incremental --watch-decide|--watch-record` as a subprocess | |
| # (reprobuild no longer compiles codetracer's engine), resolving the binary | |
| # from $CT_BIN. codetracer's own dev env (its flake, via direnv) supplies | |
| # the toolchain; `just build` emits src/build-debug/bin/ct. | |
| - name: Build codetracer ct (sibling) | |
| run: | | |
| set -euo pipefail | |
| ct_root="$(cd "${{ github.workspace }}/../codetracer" && pwd)" | |
| direnv allow "$ct_root" | |
| ( cd "$ct_root" && direnv exec "$ct_root" just build ) | |
| ct_bin="$ct_root/src/build-debug/bin/ct" | |
| test -x "$ct_bin" || { echo "ct not built at $ct_bin" >&2; exit 1; } | |
| echo "CT_BIN=$ct_bin" >> "$GITHUB_ENV" | |
| - name: just test | |
| env: | |
| CT_BIN: ${{ env.CT_BIN }} | |
| run: dev-exec just test | |
| - name: Upload logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: test-logs | |
| path: test-logs/ | |
| retention-days: 30 | |
| nix-build: | |
| name: Nix Build | |
| runs-on: [self-hosted, nixos] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Mint installation token for cross-repo sibling access | |
| id: ci_token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.CI_TOKEN_PROVIDER_APP_ID }} | |
| private-key: ${{ secrets.CI_TOKEN_PROVIDER_PRIVATE_KEY }} | |
| owner: metacraft-labs | |
| - uses: metacraft-labs/metacraft-github-actions/setup-dev-env@main | |
| with: | |
| env-flavor: nix | |
| gh-token: ${{ steps.ci_token.outputs.token }} | |
| - name: nix build | |
| run: dev-exec nix build .#default | |
| - name: Upload logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-logs | |
| path: test-logs/ | |
| retention-days: 30 |