cargoxx-pkgs registry skeleton

Empty package registry for cargoxx. flake.nix walks
recipes/<name>/versions/*.toml, exposes each (name, version) as
packages.<system>.{<name>_<safe_ver>, <name>}, and builds via
cargoxx.lib.${system}.buildCppPackage with pkgs.fetchgit.

.gitea/workflows/validate-pr.yml validates schema, refetches and verifies
source sha256, smoke-builds, pushes $out to the binary cache, and labels
auto-merge once the PR author is in maintainers.txt.

.gitea/workflows/auto-merge.yml merges via tea on the auto-merge label.
This commit is contained in:
2026-05-17 19:39:11 +00:00
commit f8a041f5b7
6 changed files with 289 additions and 0 deletions

View File

@@ -0,0 +1,19 @@
name: auto-merge
on:
pull_request:
types: [labeled]
jobs:
merge:
if: github.event.label.name == 'auto-merge'
runs-on: self-hosted
steps:
- name: merge
env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
run: |
tea pr merge \
--repo "${{ github.repository }}" \
--style squash \
"${{ github.event.pull_request.number }}"

View File

@@ -0,0 +1,109 @@
name: validate-pr
on:
pull_request:
paths:
- 'recipes/**'
jobs:
validate:
runs-on: self-hosted
steps:
- uses: actions/checkout@v4
# 1. Identify which recipes the PR touches.
- name: detect changed packages
id: changed
run: |
set -e
base="${{ github.event.pull_request.base.sha }}"
changed=$(git diff --name-only "$base"...HEAD -- 'recipes/' \
| awk -F/ '{print $2}' | sort -u)
if [[ -z "$changed" ]]; then
echo "no recipe changes — nothing to validate"
echo "packages=" >> "$GITHUB_OUTPUT"
exit 0
fi
echo "changed packages: $changed"
echo "packages=$changed" >> "$GITHUB_OUTPUT"
# 2. Schema check (placeholder — refine once a JSON schema lives in-tree).
- name: schema check
if: steps.changed.outputs.packages != ''
run: |
for pkg in ${{ steps.changed.outputs.packages }}; do
for f in recipes/$pkg/versions/*.toml; do
echo "checking $f"
# TODO: validate against a schema definition once one exists.
grep -q '^schema = 1$' "$f" || { echo "missing schema = 1"; exit 1; }
grep -q '^name =' "$f" || { echo "missing name"; exit 1; }
grep -q '^version =' "$f" || { echo "missing version"; exit 1; }
grep -q '^\[source\]' "$f" || { echo "missing [source]"; exit 1; }
grep -q '^commit =' "$f" || { echo "missing source.commit"; exit 1; }
grep -q '^sha256 =' "$f" || { echo "missing source.sha256"; exit 1; }
done
done
# 3. Source fixity — re-fetch and confirm the sha256 matches.
- name: source fixity
if: steps.changed.outputs.packages != ''
run: |
for pkg in ${{ steps.changed.outputs.packages }}; do
for f in recipes/$pkg/versions/*.toml; do
url=$(awk -F'"' '/^url =/ {print $2; exit}' "$f")
rev=$(awk -F'"' '/^commit =/ {print $2; exit}' "$f")
expected=$(awk -F'"' '/^sha256 =/ {print $2; exit}' "$f")
actual=$(nix flake prefetch --extra-experimental-features 'nix-command flakes' \
"git+${url}?rev=${rev}" --json | jq -r .hash)
if [[ "$actual" != "$expected" ]]; then
echo "sha256 mismatch in $f: expected $expected, got $actual"
exit 1
fi
done
done
# 4. Build smoke — every changed package must build.
- name: build smoke
if: steps.changed.outputs.packages != ''
run: |
for pkg in ${{ steps.changed.outputs.packages }}; do
nix build --extra-experimental-features 'nix-command flakes' \
.#${pkg} --no-link --print-out-paths
done
# 5. Cache push (only on the validated outputs, before merge).
- name: push to binary cache
if: steps.changed.outputs.packages != ''
env:
NIX_SECRET_KEY_FILE: ${{ secrets.NIX_CACHE_SECRET_KEY_FILE }}
CACHE_URL: ${{ vars.CARGOXX_CACHE_URL }}
run: |
for pkg in ${{ steps.changed.outputs.packages }}; do
nix copy --extra-experimental-features 'nix-command flakes' \
--to "${CACHE_URL}?secret-key=${NIX_SECRET_KEY_FILE}" \
.#${pkg}
done
# 6. Maintainer match.
- name: maintainer check
if: steps.changed.outputs.packages != ''
run: |
author='${{ github.event.pull_request.user.login }}'
for pkg in ${{ steps.changed.outputs.packages }}; do
list="recipes/$pkg/maintainers.txt"
if [[ ! -f "$list" ]]; then
echo "new package $pkg — maintainers.txt will be added by this PR"
continue
fi
if ! grep -E -q "^\s*${author}\s*(\#.*)?$" "$list"; then
echo "PR author '$author' is not in $list"
gh pr edit ${{ github.event.pull_request.number }} \
--add-label needs-human-review
exit 1
fi
done
- name: label auto-merge
if: steps.changed.outputs.packages != ''
run: |
gh pr edit ${{ github.event.pull_request.number }} --add-label auto-merge

3
.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
/result
/result-*
flake.lock

70
README.md Normal file
View File

@@ -0,0 +1,70 @@
# cargoxx-pkgs
Public package registry for [cargoxx](../cargoxx).
## Structure
```
recipes/
<name>/
maintainers.txt # gitea usernames, one per line
meta.toml # description, homepage, license, repository
versions/
1.0.0.toml # one file per published version
1.0.1.toml
```
## Version recipe schema
`recipes/<name>/versions/<v>.toml`:
```toml
schema = 1
name = "<package-name>"
version = "<semver>"
[source]
type = "git"
url = "https://gitea.example/<owner>/<repo>"
commit = "<40-char-commit>"
sha256 = "sha256-<base64>" # SRI form; from `nix flake prefetch`
[dependencies] # mirrors the package's Cargoxx.toml
fmt = "10.2"
otherlib = { version = "0.3", registry = "cargoxx" }
[lock]
nixpkgs_rev = "<40-char>"
flake_utils_rev = "<40-char>"
cargoxx_rev = "<40-char>" # cargoxx version that built this
[meta]
description = "..."
homepage = "https://..."
license = "MIT"
```
## Maintainers
`recipes/<name>/maintainers.txt` lists Gitea usernames authorized to
publish new versions of `<name>` or edit `maintainers.txt` itself.
Comments start with `#`; blank lines are ignored.
## Publishing
Use `cargoxx publish` from a checked-out cargoxx project. The tool
opens a PR against this repository. CI validates the PR (source
fixity, build smoke, dependency closure, maintainer match) and
auto-merges when all checks pass.
## Building locally
```sh
nix build .#<name>
```
Yields the same `$out` layout cargoxx libraries always produce —
`lib/cmake/<name>/<name>Config.cmake`, `lib/pkgconfig/<name>.pc`,
`lib/lib<name>.a`, `include/<name>/`. Consume from any CMake or
pkg-config project, or from another cargoxx project via
`{ version = "...", registry = "cargoxx" }`.

88
flake.nix Normal file
View File

@@ -0,0 +1,88 @@
{
description = "cargoxx package registry";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
# During local development we point at the sibling cargoxx checkout
# via an absolute `git+file://` URL. Once the registry lives on Gitea
# this becomes a Gitea URL pinned to a specific cargoxx revision —
# that pin, alongside `lock.cargoxx_rev` in each recipe, is what
# makes registry derivations deterministic across consumers (see
# docs/library-reuse-and-publish.md in the cargoxx repo).
cargoxx.url = "git+file:///home/mozart/cargoxx";
};
outputs = { self, nixpkgs, flake-utils, cargoxx }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs { inherit system; };
# version_safe: 1.2.3 → "1_2_3". The attr name `<pkg>_<safe>` is
# the canonical handle for a (name, version) pair; bare `<pkg>`
# aliases the highest-versioned entry.
sanitizeVersion = v:
builtins.replaceStrings ["." "-" "+"] ["_" "_" "_"] v;
# Read recipes/<name>/versions/<v>.toml → buildCppPackage'd drv.
mkPackage = recipeFile:
let r = builtins.fromTOML (builtins.readFile recipeFile);
in cargoxx.lib.${system}.buildCppPackage {
src = pkgs.fetchgit {
inherit (r.source) url;
rev = r.source.commit;
hash = r.source.sha256;
};
name = "${r.name}-${r.version}";
};
# builtins.readDir → attrset of name → type ("regular"/"directory").
# Yields [{ name, type }] entries, filtering on a predicate.
dirEntries = path: predicate:
if builtins.pathExists path
then pkgs.lib.filterAttrs (n: t: predicate n t) (builtins.readDir path)
else {};
# All package directories under recipes/.
packageNames = builtins.attrNames
(dirEntries ./recipes (_: t: t == "directory"));
# For one package: enumerate its versions, returning an attrset
# { "<pkg>_<safe>" = <drv>; "<pkg>" = <highest-version drv>; }.
versionsFor = pkgName:
let
versionsDir = ./recipes + "/${pkgName}/versions";
files = builtins.attrNames
(dirEntries versionsDir (n: t:
t == "regular" && pkgs.lib.hasSuffix ".toml" n));
versions = map (f:
let
version = pkgs.lib.removeSuffix ".toml" f;
attr = "${pkgName}_${sanitizeVersion version}";
drv = mkPackage (versionsDir + "/${f}");
in { inherit version attr drv; }
) files;
byVersion = pkgs.lib.listToAttrs
(map (v: { name = v.attr; value = v.drv; }) versions);
highest = pkgs.lib.last
(pkgs.lib.sort (a: b:
builtins.compareVersions a.version b.version < 0) versions);
latestAlias =
if versions == [] then {}
else { ${pkgName} = highest.drv; };
in byVersion // latestAlias;
packagesAttrs = pkgs.lib.foldl' (acc: n:
acc // (versionsFor n)) {} packageNames;
in {
packages = packagesAttrs;
# Bare `nix flake check` should pass with zero recipes.
checks = {
schema-ok = pkgs.runCommand "registry-schema-ok" {} ''
touch $out
'';
};
});
}

0
recipes/.gitkeep Normal file
View File