Support building against secure packages

Author: edolstra

.github/workflows/build.yml

@@ -1,6 +1,9 @@
 on:
   workflow_call:
     inputs:
+      flake:
+        default: "."
+        type: string
       system:
         required: true
         type: string
@@ -50,8 +53,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
       - uses: DeterminateSystems/flakehub-cache-action@main
-      - run: nix build .#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
-      - run: nix build .#packages.${{ inputs.system }}.binaryTarball --out-link tarball
+      - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
+      - run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.binaryTarball --out-link tarball
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ inputs.system }}
@@ -68,7 +71,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/determinate-nix-action@main
       - uses: DeterminateSystems/flakehub-cache-action@main
-      - run: nix flake check -L --system ${{ inputs.system }}
+      - run: nix flake check ${{ inputs.flake }} -L --system ${{ inputs.system }}
 
   vm_tests_smoke:
     if: inputs.run_vm_tests && github.event_name != 'merge_group'
@@ -80,10 +83,10 @@ jobs:
       - uses: DeterminateSystems/flakehub-cache-action@main
       - run: |
           nix build -L \
-            .#hydraJobs.tests.functional_user \
-            .#hydraJobs.tests.githubFlakes \
-            .#hydraJobs.tests.nix-docker \
-            .#hydraJobs.tests.tarballFlakes \
+            ${{ inputs.flake }}#hydraJobs.tests.functional_user \
+            ${{ inputs.flake }}#hydraJobs.tests.githubFlakes \
+            ${{ inputs.flake }}#hydraJobs.tests.nix-docker \
+            ${{ inputs.flake }}#hydraJobs.tests.tarballFlakes \
             ;
 
   vm_tests_all:
@@ -102,7 +105,7 @@ jobs:
                   .hydraJobs.tests
                   | with_entries(select(.value.type == "derivation"))
                   | keys[]
-                  | ".#hydraJobs.tests." + .')
+                  | "${{ inputs.flake }}#hydraJobs.tests." + .')
           }
 
           if ! cmd; then
@@ -167,7 +170,7 @@ jobs:
             mkdir -p "${NSC_CACHE_PATH}/nix/xdg-cache"
             export XDG_CACHE_HOME="${NSC_CACHE_PATH}/nix/xdg-cache"
           fi
-          nix build -L --out-link ./new-nix
+          nix build ${{ inputs.flake }} -L --out-link ./new-nix
           export PATH=$(pwd)/new-nix/bin:$PATH
           [[ $(type -p nix) = $(pwd)/new-nix/bin/nix ]]
 
@@ -199,7 +202,7 @@ jobs:
       - uses: DeterminateSystems/flakehub-cache-action@main
       - name: Build manual
         if: inputs.system == 'x86_64-linux'
-        run: nix build .#hydraJobs.manual
+        run: nix build ${{ inputs.flake }}#hydraJobs.manual
       - uses: nwtgck/[email protected]
         if: inputs.publish_manual && inputs.system == 'x86_64-linux'
         with:

.github/workflows/ci.yml

@@ -30,6 +30,22 @@ jobs:
       - uses: DeterminateSystems/determinate-nix-action@main
       - run: nix flake show --all-systems --json
 
+  build_x86_64-linux_secure:
+    uses: ./.github/workflows/build.yml
+    with:
+      flake: packaging/secure-packages
+      system: x86_64-linux
+      runner: namespace-profile-linuxamd32c64g-cache
+      runner_for_virt: UbuntuLatest32Cores128G
+      runner_small: ubuntu-latest
+      run_tests: true
+      run_vm_tests: true
+      run_regression_tests: true
+      publish_manual: true
+    secrets:
+      manual_netlify_auth_token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+      manual_netlify_site_id: ${{ secrets.NETLIFY_SITE_ID }}
+
   build_x86_64-linux:
     uses: ./.github/workflows/build.yml
     with:

packaging/secure-packages/flake.lock

@@ -0,0 +1,6 @@
+{
+  inputs.nix.url = "../..";
+  inputs.nix.inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0";
+
+  outputs = { self, nix }: nix;
+}