ci: re-enable cache push step (named-volume bind for relative path)
@@ -68,9 +68,7 @@ jobs:
|
|||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
||||||
# 4. Build smoke — every changed package must build. Cache push
|
# 4. Build smoke — every changed package must build.
|
||||||
# is intentionally absent for now (no shared binary cache);
|
|
||||||
# add a step here once cache infra is decided.
|
|
||||||
- name: build smoke
|
- name: build smoke
|
||||||
if: steps.changed.outputs.packages != ''
|
if: steps.changed.outputs.packages != ''
|
||||||
run: |
|
run: |
|
||||||
@@ -79,6 +77,18 @@ jobs:
|
|||||||
.#${pkg} --no-link --print-out-paths
|
.#${pkg} --no-link --print-out-paths
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# 4b. Push the validated outputs to the binary cache. The runner's
|
||||||
|
# config.yaml bind-mounts /srv/cargoxx-cache and the signing
|
||||||
|
# key into every job container.
|
||||||
|
- name: push to binary cache
|
||||||
|
if: steps.changed.outputs.packages != ''
|
||||||
|
run: |
|
||||||
|
for pkg in ${{ steps.changed.outputs.packages }}; do
|
||||||
|
nix copy --extra-experimental-features 'nix-command flakes' \
|
||||||
|
--to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec" \
|
||||||
|
.#${pkg}
|
||||||
|
done
|
||||||
|
|
||||||
# 5. Maintainer check — PR must come from someone listed in
|
# 5. Maintainer check — PR must come from someone listed in
|
||||||
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
|
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
|
||||||
# since the PR introduces the file in the same commit).
|
# since the PR introduces the file in the same commit).
|
||||||
|
|||||||
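Review bot: The new push step (4b) signs and publishes the PR-built store paths before the maintainer check in step 5 has run, and it does so inside the job container where `/srv/cargoxx-cache/keys/cache.sec` is mounted, so any PR that gets as far as the build-smoke step can place signed entries in the consumer-facing cache. Step 5's id is outside this hunk, but 4b should at least move below it and be gated on its outcome, e.g. `if: steps.changed.outputs.packages != '' && steps.<maintainer-step-id>.outcome == 'success'`; longer term, signing belongs in a trusted post-merge job rather than in PR validation, where the recipes being built are PR-controlled. The loop also interpolates `${{ steps.changed.outputs.packages }}` straight into the shell script; if those names are derived from directory names in the PR, route them through an `env:` entry (`PACKAGES: ${{ steps.changed.outputs.packages }}`, then `for pkg in $PACKAGES; do`) so a name containing shell metacharacters is treated as data rather than code. The enclosing job definition starts outside this hunk.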
5
runner/.gitignore
vendored
5
runner/.gitignore
vendored
@@ -1,3 +1,8 @@
|
|||||||
.env
|
.env
|
||||||
data/
|
data/
|
||||||
result
|
result
|
||||||
|
|
||||||
|
# Binary cache state + signing keys. The cache.sec must never be
|
||||||
|
# committed; the public key is regenerated per deployment too
|
||||||
|
# (`nix-store --generate-binary-cache-key`).
|
||||||
|
cache/
|
||||||
|
|||||||
@@ -46,7 +46,39 @@ Self-hosted Gitea Actions runner that validates package PRs.
|
|||||||
GITEA_RUNNER_LABELS=self-hosted
|
GITEA_RUNNER_LABELS=self-hosted
|
||||||
```
|
```
|
||||||
|
|
||||||
4. **Start the runner**:
|
4. **Generate the binary-cache signing key** + cache directory. The
|
||||||
|
workflow's "push to binary cache" step writes here; nginx (or
|
||||||
|
anything you point at it) serves it back over HTTPS to consumers.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
mkdir -p cache/store
|
||||||
|
nix-store --generate-binary-cache-key \
|
||||||
|
cache.cargoxx.<your-domain> \
|
||||||
|
cache/cache.sec cache/cache.pub
|
||||||
|
chmod 600 cache/cache.sec
|
||||||
|
```
|
||||||
|
|
||||||
|
The `cache/` directory is gitignored. Both keys live alongside
|
||||||
|
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
|
||||||
|
|
||||||
|
5. **(optional) Front the store with nginx** so substituters can read it:
|
||||||
|
|
||||||
|
```nginx
|
||||||
|
# /etc/nginx/sites-available/cargoxx-cache
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name cache.cargoxx.<your-domain>;
|
||||||
|
root /path/to/cargoxx-pkgs/runner/cache/store;
|
||||||
|
autoindex off;
|
||||||
|
location / { try_files $uri =404; }
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Consumers later need `substituters = https://cache.cargoxx.<your-domain>`
|
||||||
|
and `trusted-public-keys = <contents of cache.pub>` in their nix
|
||||||
|
config (bake this into the cargoxx wrapper once ready).
|
||||||
|
|
||||||
|
6. **Start the runner**:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
docker compose up -d
|
docker compose up -d
|
||||||
|
|||||||
@@ -18,3 +18,24 @@ services:
|
|||||||
- ./config.yaml:/config.yaml:ro
|
- ./config.yaml:/config.yaml:ro
|
||||||
- ./data:/data
|
- ./data:/data
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- /var/run/docker.sock:/var/run/docker.sock
|
||||||
|
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
|
||||||
|
# archives here. Named volumes (defined below) make the same
|
||||||
|
# storage reachable from both this runner container AND every
|
||||||
|
# job container act_runner spawns. nginx (on the host) serves
|
||||||
|
# ./cache/store over HTTPS for consumers' substituter config.
|
||||||
|
- cargoxx-cache-store:/srv/cargoxx-cache/store
|
||||||
|
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
cargoxx-cache-store:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
type: none
|
||||||
|
o: bind
|
||||||
|
device: "${PWD}/cache/store"
|
||||||
|
cargoxx-cache-keys:
|
||||||
|
driver: local
|
||||||
|
driver_opts:
|
||||||
|
type: none
|
||||||
|
o: bind
|
||||||
|
device: "${PWD}/cache/keys"
|
||||||
|
|||||||
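Review bot: Both new `device:` lines resolve `${PWD}` at `docker compose` time from the invoking process's environment, so a start-up that does not export `PWD` (a systemd unit or cron job rather than an interactive shell) silently binds `/cache/store` and `/cache/keys` instead of the checkout, and Docker keeps that device path on the already-created volume until it is removed with `docker volume rm`, so fixing the environment afterwards does not repair it. Use Compose's required-variable form so the failure is loud and immediate: `device: "${PWD:?run docker compose from the runner directory}/cache/store"` and the same on the keys volume (or define the base path in the gitignored `.env` this project already expects). It would also help to add one line to the new comment saying the device path is captured once at volume creation, since the comment currently reads as if the bind follows the checkout wherever it moves.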
@@ -18,7 +18,12 @@ cache:
|
|||||||
container:
|
container:
|
||||||
network: bridge
|
network: bridge
|
||||||
privileged: false
|
privileged: false
|
||||||
options: ""
|
# Bind the binary cache into every job container by referencing the
|
||||||
|
# named volumes defined in compose.yml — those, in turn, are bound
|
||||||
|
# to ./cache/{store,cache.sec} via `${PWD}` so the path is
|
||||||
|
# deployment-relative, not absolute.
|
||||||
|
options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
|
||||||
|
-v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
|
||||||
workdir_parent: /workspace
|
workdir_parent: /workspace
|
||||||
valid_volumes: []
|
valid_volumes: []
|
||||||
docker_host: "unix:///var/run/docker.sock"
|
docker_host: "unix:///var/run/docker.sock"
|
||||||
|
|||||||
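Review bot: The new comment says the named volumes are bound to `./cache/{store,cache.sec}`, but compose.yml in this same commit binds `cargoxx-cache-keys` to `${PWD}/cache/keys` and the workflow's push step reads `/srv/cargoxx-cache/keys/cache.sec`, so the key has to live at `cache/keys/cache.sec`; the README's step 4 writes it to `cache/cache.sec`, which the volume will never see. Change the comment line to `# to ./cache/{store,keys} via ${PWD} so the path is` and fix the README's `nix-store --generate-binary-cache-key` output arguments to `cache/keys/cache.sec cache/keys/cache.pub`. As I read act_runner's config, `valid_volumes: []` only filters volumes a workflow asks for itself, while `options` is applied to every job container unconditionally; that is worth stating next to the new `options:` value, e.g. `# NOTE: these mounts are not subject to valid_volumes — every job this runner executes, PR validation included, can read cache.sec.`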