Merge pull request 'cachix action failing for unknown reasons, patch to use local runner' (#2 ) from pjjw/gitea-actions into master

Reviewed-on: sbl/docker-nixpkgs#2
cachix action failing for unknown reasons, patch to use local runner
2026-01-12 12:50:36 -05:00 · 2023-09-08 12:24:27 -04:00 · 2023-09-07 16:06:59 -04:00
24 changed files with 38 additions and 230 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -2,13 +2,12 @@ name: Nix
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
  workflow_dispatch:
  schedule:
    # Run once per day
    - cron: '0 0 * * *'
-
 jobs:
  build:
    strategy:
@@ -17,66 +16,14 @@ jobs:
      matrix:
        channel:
          - nixos-unstable
-          - nixos-25.05
-          - nixos-25.11
-        system:
-          - aarch64-linux
-          - x86_64-linux
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      packages: write
-
+          - nixos-22.11
+          - nixos-23.05
+    runs-on: native
+    container: pjjw/nix-flake-runner:1
    steps:
-      - uses: actions/checkout@v6
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          platforms: arm64
-      - uses: DeterminateSystems/nix-installer-action@main
-        with:
-          extra-conf: |
-            extra-platforms = aarch64-linux
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-
-      - name: Push to Docker Hub
-        run: nix-shell --run ./ci.sh
+      - uses: actions/checkout@v3
+      - run: nix-shell --run ./ci.sh
        env:
-          CI_PROJECT_PATH: 'nixpkgs'
-          CI_REGISTRY: 'docker.io'
+          CI_PROJECT_PATH: pjjw
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
-          NIX_SYSTEM_NAME: '${{ matrix.system }}'
-
-      - name: Push to GitHub Pages
-        run: nix-shell --run ./ci.sh
-        env:
-          CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'
-          CI_REGISTRY: 'ghcr.io'
-          CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'
-          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
-          NIX_SYSTEM_NAME: '${{ matrix.system }}'
-
-  push-manifest:
-    needs: [build]
-    strategy:
-      fail-fast: false
-      matrix:
-        channel:
-          - nixos-unstable
-          - nixos-25.05
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-      - uses: DeterminateSystems/nix-installer-action@main
-        with:
-          extra-conf: |
-            extra-platforms = aarch64-linux
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-
-      - run: nix-shell --run ./ci-manifests.sh
-        env:
-          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
-          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
-          NIX_SYSTEM_NAME: '${{ matrix.system }}'
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,12 +3,12 @@ stages:

 build:
  stage: build
-  image: nixpkgs/nix:nixos-25.05
+  image: nixpkgs/nix:nixos-22.11
  script: nix-shell --run ./ci.sh
  parallel:
    matrix:
      - NIXPKGS_CHANNEL: nixos-unstable
        IMAGE_TAG: latest
      - NIXPKGS_CHANNEL:
-          - nixos-25.05
-          - nixos-25.11
+          - nixos-22.11
+          - nixos-23.05
--- a/README.md
+++ b/README.md
@@ -39,8 +39,8 @@ nixpkgs channel describes.

 | Channel        | Image Tag   | Description                                       |
 | ---            | ---         | ---                                               |
-| nixos-25.05    | nixos-25.05 | only minor versions that include security updates |
-| nixos-25.11    | nixos-25.11 | only minor versions that include security updates |
+| nixos-22.11    | nixos-22.11 | only minor versions that include security updates |
+| nixos-23.05    | nixos-23.05 | only minor versions that include security updates |
 | nixos-unstable | latest      | latest and greatest, major versions might change  |

 ## List of images
@@ -52,11 +52,9 @@ All images are automatically built and published to Docker Hub, and served
 on our custom domain, courtesy of [Scarf](https://scarf.sh).

 `> ./readme-image-matrix`
-
 <!-- BEGIN mdsh -->
 | Image / Tag | Pull |
 | ---         | ---  |
-| [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` |
 | [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` |
 | [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` |
 | [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` |
@@ -64,19 +62,15 @@ on our custom domain, courtesy of [Scarf](https://scarf.sh).
 | [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` |
 | [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` |
 | [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` |
-| [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` |
 | [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |
 | [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |
 | [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |
 | [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |
-| [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull docker.nix-community.org/nixpkgs/maddy` |
 | [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |
 | [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |
 | [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |
 | [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |
 | [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |
-| [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` |
-| [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` |
 <!-- END mdsh -->
 ## Adding new images

--- a/ci-manifests.sh
+++ b/ci-manifests.sh
@@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-#
-# CI specific build script.
-#
-set -euo pipefail
-
-channel=${NIXPKGS_CHANNEL:-nixos-unstable}
-registry=${CI_REGISTRY:-docker.io}
-registry_auth=${CI_REGISTRY_AUTH:-}
-image_prefix=${CI_PROJECT_PATH:-nixpkgs}
-
-if [[ $channel == nixos-unstable ]]; then
-  image_tag=latest
-else
-  image_tag=$channel
-fi
-
-export NIX_PATH=channel:$channel
-
-banner() {
-  echo "========================================================"
-  echo "  $*"
-  echo "========================================================"
-}
-
-cd "$(dirname "$0")"
-
-if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
-  banner "Skipping push on non-main branch"
-  exit
-fi
-
-if [[ -n "${registry_auth}" ]]; then
-  banner "docker login"
-  ./docker-login "$registry_auth" "$registry"
-fi
-
-banner "generate manifests"
-./generate-manifests "$registry" "$image_prefix" "$image_tag"
--- a/ci.sh
+++ b/ci.sh
@@ -8,7 +8,6 @@ channel=${NIXPKGS_CHANNEL:-nixos-unstable}
 registry=${CI_REGISTRY:-docker.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
 image_prefix=${CI_PROJECT_PATH:-nixpkgs}
-system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

 if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
@@ -31,10 +30,9 @@ banner "Building images"
 nix-build \
  --no-out-link \
  --option sandbox true \
-  --argstr system "$system_name"

-if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
-  banner "Skipping push on non-main branch"
+if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
+  banner "Skipping push on non-master branch"
  exit
 fi

--- a/default.nix
+++ b/default.nix
@@ -1,14 +1,4 @@
-{
-  system ? builtins.currentSystem
-}: let
-  _parts = builtins.split "-" system;
-  arch = builtins.elemAt _parts 0;
-  os = builtins.elemAt _parts 2;
-  system' =
-    if os == "darwin"
-    then "${arch}-linux"
-    else system;
-  pkgs =
-    import ./pkgs.nix system';
+let
+  pkgs = import ./pkgs.nix;
 in
 pkgs.docker-nixpkgs
--- a/3
+++ b/3
@@ -8,10 +8,9 @@ set -euo pipefail

 user=$1
 org=${2:-nixpkgs}
-system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

 nix_eval() {
-  nix-instantiate --strict --eval --argstr system "$system_name" --json "$@"
+  nix-instantiate --strict --eval --json "$@"
 }

 releases_json=$(nix_eval)
--- a/25
+++ b/25
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-#
-# Usage: ./push-all <registry> <image-prefix> <image-tag>
-set -euo pipefail
-
-registry=${1:-docker.io}
-image_prefix=${2:-nixpkgs}
-image_tag=${3:-latest}
-system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
-
-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
-
-echo "=== Generating manifests for $registry"
-
-for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
-  repository=$registry/$image_prefix/$attr
-  target_image=${repository}:${image_tag}
-  echo "--- attr=$attr target=$target_image"
-  podman manifest create "$target_image"
-  podman manifest add "$target_image" "docker://$repository:${image_tag}-x86_64-linux"
-  podman manifest add "$target_image" "docker://$repository:${image_tag}-aarch64-linux"
-  podman manifest push --all "$target_image" "docker://$target_image"
-done
-
-echo OK
--- a/images/attic/default.nix
+++ b/images/attic/default.nix
@@ -1,10 +0,0 @@
-{ docker-nixpkgs
-, attic-client
-}:
-(docker-nixpkgs.nix.override {
-  extraContents = [ attic-client ];
-}).overrideAttrs (prev: {
-  meta = (prev.meta or { }) // {
-    description = "Nix and Attic client image";
-  };
-})
--- a/images/devcontainer/default.nix
+++ b/images/devcontainer/default.nix
@@ -14,7 +14,7 @@
 , gnutar
 , gzip
 , iana-etc
-, iproute2
+, iproute
 , less
 , lib
 , nix
@@ -42,11 +42,7 @@ let
      nix

      # runtime dependencies of nix
-      # HACK: don't include the "hashed" output. It has overlapping files with
-      #       the "unbundled" output, and that breaks the build.
-      (cacert // {
-        outputs = builtins.filter (x: x != "hashed") cacert.outputs;
-      })
+      cacert
      gitReallyMinimal
      gnutar
      gzip
@@ -65,7 +61,7 @@ let
      (gcc-unwrapped // {
        outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
      })
-      iproute2
+      iproute
    ];
  };

@@ -130,7 +126,7 @@ let
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "main";
+        "org.label-schema.vcs-ref" = "master";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
--- a/images/devenv/default.nix
+++ b/images/devenv/default.nix
@@ -1,11 +0,0 @@
-{ docker-nixpkgs
-, devenv ? null
-}:
-(docker-nixpkgs.nix.override {
-  # only available since 24.05
-  extraContents = [ devenv ];
-}).overrideAttrs (prev: {
-  meta = (prev.meta or { }) // {
-    description = "Nix and devenv image";
-  };
-})
--- a/images/maddy/default.nix
+++ b/images/maddy/default.nix
@@ -1,6 +0,0 @@
-{ buildCLIImage
-, maddy
-}:
-buildCLIImage {
-  drv = maddy;
-}
--- a/images/nix-flakes/default.nix
+++ b/images/nix-flakes/default.nix
@@ -1,10 +1,10 @@
 { docker-nixpkgs
-, nixVersions
+, nixFlakes
 , writeTextFile
 , extraContents ? [ ]
 }:
 docker-nixpkgs.nix.override {
-  nix = nixVersions.stable;
+  nix = nixFlakes;
  extraContents = [
    (writeTextFile {
      name = "nix.conf";
@@ -12,12 +12,7 @@ docker-nixpkgs.nix.override {
      text = ''
        accept-flake-config = true
        experimental-features = nix-command flakes
-        max-jobs = auto
      '';
    })
  ] ++ extraContents;
-
-  extraEnv = [
-    "PATH=/root/.nix-profile/bin:/usr/bin:/bin" # Not sure how to just prepend
-  ];
 }
--- a/images/nix-unstable-static/default.nix
+++ b/images/nix-unstable-static/default.nix
@@ -19,8 +19,8 @@ let

  # Get nix from Hydra because the nixpkgs one is not fully static
  nixStaticBin = fetchurl {
-    url = "https://hydra.nixos.org/build/305222051/download/1/nix";
-    hash = "sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=";
+    url = "https://hydra.nixos.org/build/181573550/download/1/nix";
+    hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok=";
  };

  nixSymlinks = [
@@ -84,12 +84,11 @@ let
    mkdir -p libexec/nix
    ln -s /bin/nix libexec/nix/build-remote

-    # Enable flakes and parallel building
+    # Enable flakes
    mkdir -p etc/nix
    cat <<NIX_CONFIG > etc/nix/nix.conf
    accept-flake-config = true
    experimental-features = nix-command flakes
-    max-jobs = auto
    NIX_CONFIG

    # Add run-as-user script
--- a/images/nix-unstable/default.nix
+++ b/images/nix-unstable/default.nix
@@ -1,6 +1,6 @@
 { docker-nixpkgs
-, pkgs
+, nixUnstable
 }:
 docker-nixpkgs.nix.override {
-  nix = pkgs.nixVersions.latest;
+  nix = nixUnstable;
 }
--- a/images/nix/default.nix
+++ b/images/nix/default.nix
@@ -11,7 +11,6 @@
 , openssh
 , xz
 , extraContents ? [ ]
-, extraEnv ? [ ]
 }:
 let
  image = dockerTools.buildImageWithNixDb {
@@ -59,7 +58,7 @@ let
        "PATH=/usr/bin:/bin"
        "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
        "USER=root"
-      ] ++ extraEnv;
+      ];
    };
  };
 in
--- a/images/nix/fake_nixpkgs/default.nix
+++ b/images/nix/fake_nixpkgs/default.nix
@@ -3,7 +3,7 @@ throw ''
  This container doesn't include nixpkgs.

  The best way to work around that is to pin your dependencies. See
-    https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html
+    https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html

  Or if you must, override the NIX_PATH environment variable with eg:
    "NIX_PATH=nixpkgs=channel:nixos-unstable"
--- a/images/pocket-id/default.nix
+++ b/images/pocket-id/default.nix
@@ -1,6 +0,0 @@
-{ buildCLIImage
-, pocket-id
-}:
-buildCLIImage {
-  drv = pocket-id;
-}
--- a/images/yarr/default.nix
+++ b/images/yarr/default.nix
@@ -1,6 +0,0 @@
-{ buildCLIImage
-, yarr
-}:
-buildCLIImage {
-  drv = yarr;
-}
--- a/lib/buildCLIImage.nix
+++ b/lib/buildCLIImage.nix
@@ -28,7 +28,7 @@ let
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "main";
+        "org.label-schema.vcs-ref" = "master";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
--- a/pkgs.nix
+++ b/pkgs.nix
@@ -1,9 +1,7 @@
-system:
-# docker images run on Linux
-assert builtins.elem system ["x86_64-linux" "aarch64-linux"];
 import <nixpkgs> {
+  # docker images run on Linux
+  system = "x86_64-linux";
  config = { };
-  inherit system;
  overlays = [
    (import ./overlay.nix)
  ];
--- a/5
+++ b/5
@@ -6,16 +6,15 @@ set -euo pipefail
 registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
-system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)

 echo "=== Pushing images to $registry"

 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  file=$(echo "$releases_json" | jq -r ".\"$attr\"")
  src=docker-archive://$file
-  dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name}
+  dst=docker://$registry/$image_prefix/$attr:$image_tag
  echo "--- attr=$attr src=$src dst=$dst"
  skopeo copy --insecure-policy "$src" "$dst"
 done
--- a/4
+++ b/4
@@ -3,11 +3,9 @@
 # Usage: ./dockerhub-image-matrix
 set -euo pipefail

-system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
-
 ## Main ##

-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)

 echo "| Image / Tag | Pull |"
 echo "| ---         | ---  |"
--- a/shell.nix
+++ b/shell.nix
@@ -1,5 +1,5 @@
 let
-  nixpkgs = builtins.fetchTarball "channel:nixos-23.11";
+  nixpkgs = builtins.fetchTarball "channel:nixos-22.05";
  pkgs = import nixpkgs { config = { }; overlays = [ ]; };
 in
 with pkgs;
@@ -8,7 +8,6 @@ mkShell {
    dive
    jq
    skopeo
-    podman
  ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;

  shellHook = ''
Author	SHA1	Message	Date
pjjw	1cc157b032	Merge pull request 'cachix action failing for unknown reasons, patch to use local runner' (#2 ) from pjjw/gitea-actions into master Reviewed-on: sbl/docker-nixpkgs#2	2023-09-08 12:24:27 -04:00
Peter Woodman	617b5494c1	cachix action failing for unknown reasons, patch to use local runner	2023-09-07 16:06:59 -04:00