29 changes: 19 additions & 10 deletions .github/workflows/build.yml
@@ -1,6 +1,10 @@
on:
workflow_call:
inputs:
flake:
required: false
default: "."
type: string
system:
required: true
type: string
@@ -33,6 +37,10 @@ on:
required: false
default: false
type: boolean
upload_artifacts:
required: false
default: true
type: boolean
secrets:
manual_netlify_auth_token:
required: false
@@ -50,9 +58,10 @@ jobs:
- uses: actions/checkout@v4
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: nix build .#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
- run: nix build .#packages.${{ inputs.system }}.binaryTarball --out-link tarball
- run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
- run: nix build ${{ inputs.flake }}#packages.${{ inputs.system }}.binaryTarball --out-link tarball
- uses: actions/upload-artifact@v4
if: inputs.upload_artifacts
with:
name: ${{ inputs.system }}
path: ./tarball/*.xz
@@ -68,7 +77,7 @@ jobs:
- uses: actions/checkout@v4
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: nix flake check -L --system ${{ inputs.system }}
- run: nix flake check ${{ inputs.flake }} -L --system ${{ inputs.system }}

vm_tests_smoke:
if: inputs.run_vm_tests && github.event_name != 'merge_group'
@@ -80,10 +89,10 @@ jobs:
- uses: DeterminateSystems/flakehub-cache-action@main
- run: |
nix build -L \
.#hydraJobs.tests.functional_user \
.#hydraJobs.tests.githubFlakes \
.#hydraJobs.tests.nix-docker \
.#hydraJobs.tests.tarballFlakes \
${{ inputs.flake }}#hydraJobs.tests.functional_user \
${{ inputs.flake }}#hydraJobs.tests.githubFlakes \
${{ inputs.flake }}#hydraJobs.tests.nix-docker \
${{ inputs.flake }}#hydraJobs.tests.tarballFlakes \
;

vm_tests_all:
@@ -102,7 +111,7 @@ jobs:
.hydraJobs.tests
| with_entries(select(.value.type == "derivation"))
| keys[]
| ".#hydraJobs.tests." + .')
| "${{ inputs.flake }}#hydraJobs.tests." + .')
}

if ! cmd; then
@@ -167,7 +176,7 @@ jobs:
mkdir -p "${NSC_CACHE_PATH}/nix/xdg-cache"
export XDG_CACHE_HOME="${NSC_CACHE_PATH}/nix/xdg-cache"
fi
nix build -L --out-link ./new-nix
nix build ${{ inputs.flake }} -L --out-link ./new-nix
export PATH=$(pwd)/new-nix/bin:$PATH
[[ $(type -p nix) = $(pwd)/new-nix/bin/nix ]]

@@ -199,7 +208,7 @@ jobs:
- uses: DeterminateSystems/flakehub-cache-action@main
- name: Build manual
if: inputs.system == 'x86_64-linux'
run: nix build .#hydraJobs.manual
run: nix build ${{ inputs.flake }}#hydraJobs.manual
- uses: nwtgck/[email protected]
if: inputs.publish_manual && inputs.system == 'x86_64-linux'
with:
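Review bot: In the `@@ -50,9 +58,10 @@` hunk the first rewritten build command still names `.#packages.${{ inputs.system }}.binaryTarball` as its second installable, so with `flake: ./packaging/secure-packages` the logged `--no-link -L` build covers the root flake's tarball and only the following `--out-link tarball` step builds the variant's; it should read `${{ inputs.flake }}#packages.${{ inputs.system }}.binaryTarball`. The new `flake` input is also expanded with `${{ inputs.flake }}` directly inside every `run:` script, which is the template-injection pattern for workflow inputs, because the value is pasted into the script text before the shell parses it. Passing it per step through an `env:` entry such as `FLAKE: ${{ inputs.flake }}` and writing `"$FLAKE#hydraJobs.manual"` keeps a caller-supplied string as data and also survives paths containing spaces. The jq filter in the `@@ -102,7 +111,7 @@` hunk only changes the emitted prefix; the command that produces `.hydraJobs.tests` lies outside the hunk, so it is worth checking that it evaluates the same flake.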
17 changes: 17 additions & 0 deletions .github/workflows/ci.yml
@@ -30,6 +30,23 @@ jobs:
- uses: DeterminateSystems/determinate-nix-action@main
- run: nix flake show --all-systems --json

build_x86_64-linux_secure:
uses: ./.github/workflows/build.yml
with:
flake: ./packaging/secure-packages
system: x86_64-linux
runner: namespace-profile-linuxamd32c64g-cache
runner_for_virt: UbuntuLatest32Cores128G
runner_small: ubuntu-latest
run_tests: true
run_vm_tests: true
run_regression_tests: true
publish_manual: false
upload_artifacts: false
secrets:
manual_netlify_auth_token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
manual_netlify_site_id: ${{ secrets.NETLIFY_SITE_ID }}

build_x86_64-linux:
uses: ./.github/workflows/build.yml
with:
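Review bot: The new `build_x86_64-linux_secure` job forwards `secrets.NETLIFY_AUTH_TOKEN` and `secrets.NETLIFY_SITE_ID` although it sets `publish_manual: false`, so the called workflow receives deploy credentials it has no use for. build.yml declares `manual_netlify_auth_token` as `required: false` (the declaration of `manual_netlify_site_id` is not visible on this page, presumably the same), so the `secrets:` block can simply be dropped from this job. That keeps the Netlify token out of a job that builds against a different nixpkgs input and runs the VM and regression tests. A one-line comment above the job, for example `# Builds and tests against packaging/secure-packages; no artifacts, no manual publish`, would also record why it exists.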
135 changes: 135 additions & 0 deletions packaging/secure-packages/flake.lock


6 changes: 6 additions & 0 deletions packaging/secure-packages/flake.nix
@@ -0,0 +1,6 @@
{
inputs.nix.url = "../..";
inputs.nix.inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0";

outputs = { self, nix }: nix;
}
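Review bot: The new flake.nix carries no comment saying what it is for, and what it builds depends on two things a reader cannot see in the file itself. `inputs.nix.inputs.nixpkgs.url` overrides the parent flake's nixpkgs with `https://flakehub.com/f/DeterminateSystems/secure/0`, which looks like a version range rather than a fixed revision, so the revision actually built is whatever the committed flake.lock records; lock updates in this directory deserve the same review as any dependency bump. `outputs = { self, nix }: nix;` re-exports every output of the parent flake unchanged. I would add a header comment along the lines of `# Re-exports the root flake with nixpkgs swapped for DeterminateSystems/secure; the pinned revision lives in flake.lock.`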