From 202f6389bce0b37f9931ea67c70097a6d55de28a Mon Sep 17 00:00:00 2001
From: Amadey Vorontsov
Date: Mon, 18 May 2026 19:17:21 +0000
Subject: [PATCH] ci: re-enable cache push step (named-volume bind for relative path)
---
 .gitea/workflows/validate-pr.yml | 16 ++++++++++++---
 runner/.gitignore | 5 +++++
 runner/README.md | 34 +++++++++++++++++++++++++++++++-
 runner/compose.yml | 21 ++++++++++++++++++++
 runner/config.yaml | 7 ++++++-
 5 files changed, 78 insertions(+), 5 deletions(-)
diff --git a/.gitea/workflows/validate-pr.yml b/.gitea/workflows/validate-pr.yml
index d9e8ce4..fca7764 100644
--- a/.gitea/workflows/validate-pr.yml
+++ b/.gitea/workflows/validate-pr.yml
@@ -68,9 +68,7 @@ jobs:
 done
 done
- # 4. Build smoke — every changed package must build. Cache push
- # is intentionally absent for now (no shared binary cache);
- # add a step here once cache infra is decided.
+ # 4. Build smoke — every changed package must build.
 - name: build smoke
 if: steps.changed.outputs.packages != ''
 run: |
@@ -79,6 +77,18 @@ jobs:
 .#${pkg} --no-link --print-out-paths
 done
+ # 4b. Push the validated outputs to the binary cache. The runner's
+ # config.yaml bind-mounts /srv/cargoxx-cache and the signing
+ # key into every job container.
+ - name: push to binary cache
+ if: steps.changed.outputs.packages != ''
+ run: |
+ for pkg in ${{ steps.changed.outputs.packages }}; do
+ nix copy --extra-experimental-features 'nix-command flakes' \
+ --to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec" \
+ .#${pkg}
+ done
+
 # 5. Maintainer check — PR must come from someone listed in
 # recipes//maintainers.txt (auto-pass for new packages,
 # since the PR introduces the file in the same commit).
diff --git a/runner/.gitignore b/runner/.gitignore
index 15847fe..f25c230 100644
--- a/runner/.gitignore
+++ b/runner/.gitignore
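Review bot: The new "push to binary cache" step signs and publishes the build outputs of a not-yet-reviewed PR with the production cache key, and it runs before step 5's maintainer check, so any PR author gets their packages into the consumer-facing cache even when that check subsequently fails. Because the job container also has `/srv/cargoxx-cache/keys/cache.sec` mounted (per the step's own comment and `config.yaml`), whatever the PR can get executed in that container — its own copy of this workflow file if Gitea evaluates the PR head's workflows, or a derivation's build script if the Nix sandbox is disabled inside Docker, which I cannot confirm from here — can read the key and sign arbitrary store paths. At minimum move this step below the maintainer check and gate it, e.g. `if: steps.changed.outputs.packages != '' && steps.maintainer.outcome == 'success'` (giving step 5 an `id: maintainer`); better, do the push from a separate workflow that runs only on pushes to the default branch and is the only job that receives the key mount. The enclosing job definition starts and ends outside the hunk.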
@@ -1,3 +1,8 @@
 .env
 data/
 result
+
+# Binary cache state + signing keys. The cache.sec must never be
+# committed; the public key is regenerated per deployment too
+# (`nix-store --generate-binary-cache-key`).
+cache/
diff --git a/runner/README.md b/runner/README.md
index 6c9bfca..7e53f96 100644
--- a/runner/README.md
+++ b/runner/README.md
@@ -46,7 +46,39 @@ Self-hosted Gitea Actions runner that validates package PRs. GITEA_RUNNER_LABELS=self-hosted ``` -4. **Start the runner**: +4. **Generate the binary-cache signing key** + cache directory. The workflow's "push to binary cache" step writes here; nginx (or anything you point at it) serves it back over HTTPS to consumers. + ```sh mkdir -p cache/store nix-store --generate-binary-cache-key \ cache.cargoxx. \ cache/cache.sec cache/cache.pub chmod 600 cache/cache.sec ``` + The `cache/` directory is gitignored. Both keys live alongside `compose.yml`; the named volume binds use `${PWD}/cache/...`. +5. **(optional) Front the store with nginx** so substituters can read it: + ```nginx # /etc/nginx/sites-available/cargoxx-cache server { listen 443 ssl; server_name cache.cargoxx.; root /path/to/cargoxx-pkgs/runner/cache/store; autoindex off; location / { try_files $uri =404; } } ``` + Consumers later need `substituters = https://cache.cargoxx.` and `trusted-public-keys = ` in their nix config (bake this into the cargoxx wrapper once ready). +6. **Start the runner**: ```sh docker compose up -d
diff --git a/runner/compose.yml b/runner/compose.yml
index a4b0ab8..5d4b192 100644
--- a/runner/compose.yml
+++ b/runner/compose.yml
@@ -18,3 +18,24 @@ services:
 - ./config.yaml:/config.yaml:ro
 - ./data:/data
 - /var/run/docker.sock:/var/run/docker.sock
+ # Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
+ # archives here. Named volumes (defined below) make the same
+ # storage reachable from both this runner container AND every
+ # job container act_runner spawns. nginx (on the host) serves
+ # ./cache/store over HTTPS for consumers' substituter config.
+ - cargoxx-cache-store:/srv/cargoxx-cache/store
+ - cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
+
+volumes:
+ cargoxx-cache-store:
+ driver: local
+ driver_opts:
+ type: none
+ o: bind
+ device: "${PWD}/cache/store"
+ cargoxx-cache-keys:
+ driver: local
+ driver_opts:
+ type: none
+ o: bind
+ device: "${PWD}/cache/keys"
diff --git a/runner/config.yaml b/runner/config.yaml
index c1f68ca..29030c7 100644
--- a/runner/config.yaml
+++ b/runner/config.yaml
@@ -18,7 +18,12 @@ cache:
 container:
 network: bridge
 privileged: false
- options: ""
+ # Bind the binary cache into every job container by referencing the
+ # named volumes defined in compose.yml — those, in turn, are bound
+ # to ./cache/{store,cache.sec} via `${PWD}` so the path is
+ # deployment-relative, not absolute.
+ options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
+ -v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
 workdir_parent: /workspace
 valid_volumes: []
 docker_host: "unix:///var/run/docker.sock"
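Review bot: The keys volume binds `${PWD}/cache/keys`, but the README added in this same commit generates the key at `cache/cache.sec` and the comment in `config.yaml` says `./cache/{store,cache.sec}`, so the directory this volume expects is never created and the path the workflow reads (`/srv/cargoxx-cache/keys/cache.sec`) would be empty — with `type: none` / `o: bind` I would expect Docker to refuse to create the volume outright. Pick one layout (e.g. `mkdir -p cache/keys` and `cache/keys/cache.sec`) and make all three files agree. Separately, `${PWD}` is expanded from the environment of whoever runs `docker compose`, not from the compose file's directory, so `docker compose -f runner/compose.yml up -d` from the repo root, or a systemd unit without `PWD` set, silently binds the wrong host directory; `device: "${CACHE_DIR:?set CACHE_DIR in .env}/keys"` (and the same for `store`) fails loudly instead.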
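Review bot: `options` references the volumes as `cargoxx-cache-store` and `cargoxx-cache-keys`, but Compose prefixes volume names with the project name (here presumably `runner_cargoxx-cache-store`) unless the volume declares a top-level `name:`, so the `-v cargoxx-cache-keys:...` passed to job containers would create a fresh, empty local volume and the job never sees the host store or the key; add `name: cargoxx-cache-store` / `name: cargoxx-cache-keys` to the volume definitions in `compose.yml` (or mark them `external: true`). Once that works, note what this option actually grants: every job container this runner starts — not only the push step — gets a writable cache store plus the signing key (`:ro` prevents writes, not reads), so any workflow executed here can mint signed narinfo entries that consumers will trust. The comment should say so explicitly, e.g. `# NOTE: every job this runner executes can read cache.sec and write the store — only run trusted workflows on it.`, and a dedicated runner/label for the push job would keep the key away from PR-validation jobs altogether.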