16 Commits

Author SHA1 Message Date
4f29316075 Merge remote-tracking branch 'origin/master' into publish/greeter-0.1.1
All checks were successful
validate-pr / validate (pull_request) Successful in 2m6s
2026-05-18 19:59:16 +00:00
7aa6e4d200 runner: try non-anchored regex (some validators match substring) 2026-05-18 19:59:12 +00:00
83fcf5ea58 Merge remote-tracking branch 'origin/master' into publish/greeter-0.1.1
Some checks failed
validate-pr / validate (pull_request) Failing after 1m58s
2026-05-18 19:49:28 +00:00
8f3053b5e7 runner: valid_volumes matches just the source name 2026-05-18 19:49:26 +00:00
b5627c73a5 Merge remote-tracking branch 'origin/master' into publish/greeter-0.1.1
Some checks failed
validate-pr / validate (pull_request) Failing after 2m2s
2026-05-18 19:43:25 +00:00
133df762ab runner: valid_volumes regex matches the full source:target form 2026-05-18 19:43:22 +00:00
8236341a47 Merge remote-tracking branch 'origin/master' into publish/greeter-0.1.1
Some checks failed
validate-pr / validate (pull_request) Failing after 2m3s
2026-05-18 19:34:40 +00:00
031d943979 runner: drop volume name prefix, whitelist in valid_volumes 2026-05-18 19:34:37 +00:00
53b2d01335 publish: greeter 0.1.1
Some checks failed
validate-pr / validate (pull_request) Failing after 2m32s
2026-05-18 19:28:21 +00:00
202f6389bc ci: re-enable cache push step (named-volume bind for relative path) 2026-05-18 19:21:40 +00:00
abbc16cdc0 publish: greeter 0.1.0 (#3)
Co-authored-by: Amadey Vorontsov <vorontsov@amadey.xyz>
Co-committed-by: Amadey Vorontsov <vorontsov@amadey.xyz>
2026-05-18 18:59:05 +00:00
b9a1ac623d flake.lock: bump cargoxx to fixed installPhase 2026-05-18 18:54:45 +00:00
9701b09cb9 flake: point cargoxx at Gitea; commit both flake.lock files for repro 2026-05-18 18:46:28 +00:00
27943a53b0 ci: explicitly fetch PR base SHA before diff 2026-05-18 18:31:14 +00:00
45b9cd2bc1 runner: mkdir etc/nix (was etc/) so config write succeeds 2026-05-18 18:25:39 +00:00
4890e7a953 ci: nodejs in job image, fetch-depth=0 for base diff 2026-05-18 18:23:59 +00:00
13 changed files with 530 additions and 16 deletions


@@ -10,6 +10,8 @@ jobs:
runs-on: self-hosted
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # need full history for `git diff base...HEAD`
# 1. Identify which recipes the PR touches.
- name: detect changed packages
@@ -17,6 +19,10 @@ jobs:
run: |
set -e
base="${{ github.event.pull_request.base.sha }}"
# act's actions/checkout@v4 doesn't reliably pull the base SHA
# into the local history even with fetch-depth: 0. Fetch it
# explicitly so the three-dot diff resolves.
git fetch --depth=1 origin "$base" || git fetch --depth=1 origin
changed=$(git diff --name-only "$base"...HEAD -- 'recipes/' \
| awk -F/ '{print $2}' | sort -u)
if [[ -z "$changed" ]]; then
@@ -62,9 +68,7 @@ jobs:
done
done
# 4. Build smoke — every changed package must build. Cache push
# is intentionally absent for now (no shared binary cache);
# add a step here once cache infra is decided.
# 4. Build smoke — every changed package must build.
- name: build smoke
if: steps.changed.outputs.packages != ''
run: |
@@ -73,6 +77,18 @@ jobs:
.#${pkg} --no-link --print-out-paths
done
# 4b. Push the validated outputs to the binary cache. The runner's
# config.yaml bind-mounts /srv/cargoxx-cache and the signing
# key into every job container.
- name: push to binary cache
if: steps.changed.outputs.packages != ''
run: |
for pkg in ${{ steps.changed.outputs.packages }}; do
nix copy --extra-experimental-features 'nix-command flakes' \
--to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec" \
.#${pkg}
done
# 5. Maintainer check — PR must come from someone listed in
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
# since the PR introduces the file in the same commit).
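Review bot: The `- name: push to binary cache` step runs before the maintainer check that step 5 performs, so on a `pull_request` run the outputs of a PR author who is not listed in `recipes/<pkg>/maintainers.txt` are already signed and in the cache consumers substitute from by the time the check rejects the PR; the same ordering, combined with the key mount the comment above the step describes, means `/srv/cargoxx-cache/keys/cache.sec` is reachable from the job container of every PR. The push belongs after the maintainer step and behind an event guard such as `if: steps.changed.outputs.packages != '' && github.event_name != 'pull_request'`, with the key mounted only for that trusted run. Separately, the names expanded at `for pkg in ${{ steps.changed.outputs.packages }}` are directory names taken from the PR's diff, so validating each one in the detect step (e.g. `[[ "$pkg" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`) before it is emitted as an output keeps shell metacharacters out of the expanded `run:` scripts. The detect and build step bodies continue outside the hunks.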

1
.gitignore vendored

@@ -1,3 +1,2 @@
/result
/result-*
flake.lock

333
flake.lock generated Normal file

@@ -0,0 +1,333 @@
{
"nodes": {
"bundlers": {
"inputs": {
"nix-appimage": "nix-appimage",
"nix-bundle": "nix-bundle",
"nix-utils": "nix-utils",
"nixpkgs": [
"cargoxx",
"nixpkgs"
]
},
"locked": {
"lastModified": 1777842037,
"narHash": "sha256-E6kwkFsKnU5k/QAX1aNOPfh69G6Im8/EwdRcZR4J0QE=",
"owner": "NixOS",
"repo": "bundlers",
"rev": "7bb70086c2dad3eecae4805f4d758c80e3cba960",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "bundlers",
"type": "github"
}
},
"cargoxx": {
"inputs": {
"bundlers": "bundlers",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1779130481,
"narHash": "sha256-RLeNukl/4X828SipqJib9sNJhSvcSy8Cck4TVZDgIkY=",
"ref": "refs/heads/master",
"rev": "f9932a3ad9ecdcdf5ea2906f1d8698b02b8b3e30",
"revCount": 65,
"type": "git",
"url": "https://git.amadey.xyz/mozart/cargoxx"
},
"original": {
"type": "git",
"url": "https://git.amadey.xyz/mozart/cargoxx"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nix-appimage": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": [
"cargoxx",
"bundlers",
"nixpkgs"
]
},
"locked": {
"lastModified": 1757920913,
"narHash": "sha256-jd0QwCVz4O1sHHkeaZILD/7D6oyalceEJ4EFnWCgm0k=",
"owner": "ralismark",
"repo": "nix-appimage",
"rev": "7946addbc0d97e358a6d7aefe5e82310f0fe6b18",
"type": "github"
},
"original": {
"owner": "ralismark",
"repo": "nix-appimage",
"type": "github"
}
},
"nix-bundle": {
"inputs": {
"nixpkgs": [
"cargoxx",
"bundlers",
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1756736056,
"narHash": "sha256-8YFhvulVX3iS4TYnKisA9zSImJeFN21G75HOUUFjzuE=",
"owner": "nix-community",
"repo": "nix-bundle",
"rev": "eff01593f62794d458ec714090091419194ab64d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-bundle",
"type": "github"
}
},
"nix-utils": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1744222205,
"narHash": "sha256-di1eNHQdpvvyXv6i7Z+S79KF7cQyhTs7AdFHp7q1e3Q=",
"owner": "juliosueiras-nix",
"repo": "nix-utils",
"rev": "53282197ad090c8cf47c96e99bf6c6c3b2cdc7c0",
"type": "github"
},
"original": {
"owner": "juliosueiras-nix",
"repo": "nix-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1629252929,
"narHash": "sha256-Aj20gmGBs8TG7pyaQqgbsqAQ6cB+TVuL18Pk3DPBxcQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3788c68def67ca7949e0864c27638d484389363d",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1777954456,
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1778869304,
"narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"cargoxx": "cargoxx",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_3"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@@ -5,13 +5,10 @@
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
# During local development we point at the sibling cargoxx checkout
# via an absolute `git+file://` URL. Once the registry lives on Gitea
# this becomes a Gitea URL pinned to a specific cargoxx revision —
# that pin, alongside `lock.cargoxx_rev` in each recipe, is what
# makes registry derivations deterministic across consumers (see
# docs/library-reuse-and-publish.md in the cargoxx repo).
cargoxx.url = "git+file:///home/mozart/cargoxx";
# Gitea-hosted cargoxx. flake.lock pins the exact rev — bump it
# explicitly via `nix flake update cargoxx` when the registry should
# adopt a newer cargoxx codegen.
cargoxx.url = "git+https://git.amadey.xyz/mozart/cargoxx";
};
outputs = { self, nixpkgs, flake-utils, cargoxx }:


@@ -0,0 +1 @@
mozart


@@ -0,0 +1,17 @@
schema = 1
name = "greeter"
version = "0.1.0"
[source]
type = "git"
url = "https://git.amadey.xyz/mozart/greeter"
commit = "7f31f3ea5f01bb03ff83705cf9295b94abb569de"
sha256 = "sha256-kOTcunYoqvVnXQOjy0C2lM99Cv4Dve7dI3y/coWaG7o="
[lock]
nixpkgs_rev = "d233902339c02a9c334e7e593de68855ad26c4cb"
flake_utils_rev = "11707dc2f618dd54ca8739b309ec4fc024de578b"
[meta]
description = "minimal cargoxx demo library — greets you"
license = "MIT"


@@ -0,0 +1,17 @@
schema = 1
name = "greeter"
version = "0.1.1"
[source]
type = "git"
url = "https://git.amadey.xyz/mozart/greeter"
commit = "d79a99468a158e2b37739404073dcfaab8c12308"
sha256 = "sha256-1IV9HrdYoQOFcI3bP280/CYsdmuYvuMFK9hvjdanNto="
[lock]
nixpkgs_rev = "d233902339c02a9c334e7e593de68855ad26c4cb"
flake_utils_rev = "11707dc2f618dd54ca8739b309ec4fc024de578b"
[meta]
description = "minimal cargoxx demo library — greets you"
license = "MIT"

6
runner/.gitignore vendored

@@ -1,4 +1,8 @@
.env
data/
flake.lock
result
# Binary cache state + signing keys. The cache.sec must never be
# committed; the public key is regenerated per deployment too
# (`nix-store --generate-binary-cache-key`).
cache/


@@ -46,7 +46,39 @@ Self-hosted Gitea Actions runner that validates package PRs.
GITEA_RUNNER_LABELS=self-hosted
```
4. **Start the runner**:
4. **Generate the binary-cache signing key** + cache directory. The
workflow's "push to binary cache" step writes here; nginx (or
anything you point at it) serves it back over HTTPS to consumers.
```sh
mkdir -p cache/store
nix-store --generate-binary-cache-key \
cache.cargoxx.<your-domain> \
cache/cache.sec cache/cache.pub
chmod 600 cache/cache.sec
```
The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
5. **(optional) Front the store with nginx** so substituters can read it:
```nginx
# /etc/nginx/sites-available/cargoxx-cache
server {
listen 443 ssl;
server_name cache.cargoxx.<your-domain>;
root /path/to/cargoxx-pkgs/runner/cache/store;
autoindex off;
location / { try_files $uri =404; }
}
```
Consumers later need `substituters = https://cache.cargoxx.<your-domain>`
and `trusted-public-keys = <contents of cache.pub>` in their nix
config (bake this into the cargoxx wrapper once ready).
6. **Start the runner**:
```sh
docker compose up -d


@@ -18,3 +18,29 @@ services:
- ./config.yaml:/config.yaml:ro
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
# archives here. Named volumes (defined below) make the same
# storage reachable from both this runner container AND every
# job container act_runner spawns. nginx (on the host) serves
# ./cache/store over HTTPS for consumers' substituter config.
- cargoxx-cache-store:/srv/cargoxx-cache/store
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
volumes:
cargoxx-cache-store:
# Explicit name disables compose's project-prefix so spawned job
# containers (which don't know about compose) can reference the
# same volume by the same name.
name: cargoxx-cache-store
driver: local
driver_opts:
type: none
o: bind
device: "${PWD}/cache/store"
cargoxx-cache-keys:
name: cargoxx-cache-keys
driver: local
driver_opts:
type: none
o: bind
device: "${PWD}/cache/keys"
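Review bot: The `cargoxx-cache-keys` volume binds `${PWD}/cache/keys`, but the README step added in this PR generates the key pair as `cache/cache.sec` / `cache/cache.pub` directly under `cache/`, while the workflow reads `/srv/cargoxx-cache/keys/cache.sec`; one of the paths has to change (e.g. `mkdir -p cache/store cache/keys` and `cache/keys/cache.sec cache/keys/cache.pub` in the README) or the push step will not find the key. `${PWD}` is also the shell's working directory at `docker compose up` time, not the directory holding compose.yml, so invoking it with `-f runner/compose.yml` from the repository root binds the wrong directories; pinning the path in the gitignored `.env` or documenting that compose must be run from `runner/` avoids that. With `type: none` / `o: bind` the local driver refuses a device directory that does not exist, which the README's `mkdir -p cache/store` covers only for the store, not for `cache/keys`.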


@@ -18,9 +18,19 @@ cache:
container:
network: bridge
privileged: false
options: ""
# Bind the binary cache into every job container by referencing the
# named volumes defined in compose.yml — those, in turn, are bound
# to ./cache/{store,cache.sec} via `${PWD}` so the path is
# deployment-relative, not absolute.
options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
-v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
workdir_parent: /workspace
valid_volumes: []
# Whitelist regex of bind specs act_runner forwards to spawned job
# containers. The regex matches the full `source:target[:opts]`
# string, so a permissive prefix is enough.
valid_volumes:
- "cargoxx-cache-store"
- "cargoxx-cache-keys"
docker_host: "unix:///var/run/docker.sock"
force_pull: false
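Review bot: The `options:` string mounts `cargoxx-cache-keys` into every job container the runner spawns, so the private signing key is readable from any step of any job — including the PR validation steps that build contributor-supplied recipes — not only from the one push step that needs it; keeping only the store mount here and signing from the runner side, or from a separately-labelled runner reserved for trusted post-merge runs, limits the key to the step that signs. The comment above `valid_volumes` is also stale: it says the regex matches the full `source:target[:opts]` string, while the entries `"cargoxx-cache-store"` and `"cargoxx-cache-keys"` are bare names and the commit list says the match was changed to an unanchored source-name match; a comment such as `# Unanchored regexes matched against the volume source name act_runner forwards.` would describe the final state. The comment at `# to ./cache/{store,cache.sec}` likewise mismatches compose.yml, which binds `./cache/keys`, so `./cache/{store,keys}` is what the deployment actually uses.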

61
runner/flake.lock generated Normal file

@@ -0,0 +1,61 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1778869304,
"narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@@ -42,6 +42,7 @@
curl
jq
tea
nodejs_20 # JS-based actions/checkout@v4 etc. need `node` on PATH
cacert
iana-etc
@@ -50,7 +51,7 @@
# Skeleton filesystem layout: /tmp, /etc/passwd for nix,
# writable nix store, cacert pointer.
extraCommands = ''
mkdir -p tmp etc nix/var/{nix,log/nix} root
mkdir -p tmp etc/nix nix/var/{nix,log/nix} root
chmod 1777 tmp
cat > etc/passwd <<'EOF'