4 Commits

SHA1        Message                                                                   Checks                                                      Date
9ad7e54527  Merge remote-tracking branch 'origin/master' into publish/greeter-0.1.0   validate-pr / validate (pull_request): failing after 1m48s   2026-05-18 18:46:30 +00:00
29222f17c8  Merge remote-tracking branch 'origin/master' into publish/greeter-0.1.0   validate-pr / validate (pull_request): failing after 9s      2026-05-18 18:38:36 +00:00
55f18b1439  retrigger ci                                                              validate-pr / validate (pull_request): failing after 5s      2026-05-18 18:26:15 +00:00
91fe154ad1  publish: greeter 0.1.0                                                    validate-pr / validate (pull_request): failing after 3s      2026-05-18 18:15:16 +00:00
7 changed files with 10 additions and 110 deletions

View File

@@ -68,7 +68,9 @@ jobs:
done
done
# 4. Build smoke — every changed package must build.
# 4. Build smoke — every changed package must build. Cache push
# is intentionally absent for now (no shared binary cache);
# add a step here once cache infra is decided.
- name: build smoke
if: steps.changed.outputs.packages != ''
run: |
@@ -77,18 +79,6 @@ jobs:
.#${pkg} --no-link --print-out-paths
done
# 4b. Push the validated outputs to the binary cache. The runner's
# config.yaml bind-mounts /srv/cargoxx-cache and the signing
# key into every job container.
- name: push to binary cache
if: steps.changed.outputs.packages != ''
run: |
for pkg in ${{ steps.changed.outputs.packages }}; do
nix copy --extra-experimental-features 'nix-command flakes' \
--to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec" \
.#${pkg}
done
# 5. Maintainer check — PR must come from someone listed in
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
# since the PR introduces the file in the same commit).
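Review bot: the removed "push to binary cache" step was a signing-key exposure, and the commit message should say so rather than only "no shared binary cache". This workflow runs on `pull_request`, and the step executed `nix copy ... --to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec"` inside the same job container that builds untrusted PR code; the comment above it even states the key is bind-mounted into every job container. A read-only mount stops writes, not reads, so anyone able to open a PR touching a recipe could both read `cache.sec` and get PR-built outputs signed and served to every consumer trusting `cache.pub`. When a cache comes back, keep the build smoke on `pull_request` but do signing and `nix copy` in a separate trusted job (for example on push to master) that is the only place the key is mounted.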

flake.lock (generated)
View File

@@ -31,11 +31,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1779130481,
"narHash": "sha256-RLeNukl/4X828SipqJib9sNJhSvcSy8Cck4TVZDgIkY=",
"lastModified": 1779128270,
"narHash": "sha256-0ummfZJPptdxdvGvlob9viAdByvW+VFJOVDiNCvQYXE=",
"ref": "refs/heads/master",
"rev": "f9932a3ad9ecdcdf5ea2906f1d8698b02b8b3e30",
"revCount": 65,
"rev": "3138e78f47bbd865d55aaacda6d2a15c7b14e110",
"revCount": 64,
"type": "git",
"url": "https://git.amadey.xyz/mozart/cargoxx"
},
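Review bot: as rendered (removed line first), this moves the `cargoxx` pin backwards: `revCount` drops from 65 to 64, `lastModified` from 1779130481 to 1779128270, and `rev` from `f9932a3ad9ecdcdf5ea2906f1d8698b02b8b3e30` to `3138e78f47bbd865d55aaacda6d2a15c7b14e110`. A package publish PR should not downgrade the shared framework input; this looks like the branch's `flake.lock` surviving the two `origin/master` merges rather than an intentional change. Take master's `flake.lock` (or re-run the lock update against current master) so the PR carries only the `greeter` change.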

View File

@@ -1,17 +0,0 @@
schema = 1
name = "greeter"
version = "0.1.1"
[source]
type = "git"
url = "https://git.amadey.xyz/mozart/greeter"
commit = "d79a99468a158e2b37739404073dcfaab8c12308"
sha256 = "sha256-1IV9HrdYoQOFcI3bP280/CYsdmuYvuMFK9hvjdanNto="
[lock]
nixpkgs_rev = "d233902339c02a9c334e7e593de68855ad26c4cb"
flake_utils_rev = "11707dc2f618dd54ca8739b309ec4fc024de578b"
[meta]
description = "minimal cargoxx demo library — greets you"
license = "MIT"
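Review bot: this deletes the entire `greeter` 0.1.1 recipe, yet the PR is titled `publish: greeter 0.1.0` and none of the seven changed files adds a 0.1.0 recipe. If 0.1.1 is already on master, merging this downgrades the package by removing its recipe; if the branch simply predates 0.1.1, the deletion is a merge artifact that should be dropped before merge. Either way the commit message needs to state which, since a silent recipe removal is exactly what the maintainer check (step 5 in the workflow) cannot catch when the file is gone.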

runner/.gitignore (vendored)
View File

@@ -1,8 +1,3 @@
.env
data/
result
# Binary cache state + signing keys. The cache.sec must never be
# committed; the public key is regenerated per deployment too
# (`nix-store --generate-binary-cache-key`).
cache/
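Review bot: dropping the `cache/` entry from `.gitignore` is premature for deployments that already exist. Anyone who ran the old README step 4 still has `runner/cache/cache.sec` on disk, and after this change a `git add -A` in `runner/` will stage it. Keep the `cache/` line (or an equivalent `*.sec` pattern) until the cache design is settled; an extra ignore entry costs nothing, a committed signing key is a key rotation.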

View File

@@ -46,39 +46,7 @@ Self-hosted Gitea Actions runner that validates package PRs.
GITEA_RUNNER_LABELS=self-hosted
```
4. **Generate the binary-cache signing key** + cache directory. The
workflow's "push to binary cache" step writes here; nginx (or
anything you point at it) serves it back over HTTPS to consumers.
```sh
mkdir -p cache/store
nix-store --generate-binary-cache-key \
cache.cargoxx.<your-domain> \
cache/cache.sec cache/cache.pub
chmod 600 cache/cache.sec
```
The `cache/` directory is gitignored. Both keys live alongside
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
5. **(optional) Front the store with nginx** so substituters can read it:
```nginx
# /etc/nginx/sites-available/cargoxx-cache
server {
listen 443 ssl;
server_name cache.cargoxx.<your-domain>;
root /path/to/cargoxx-pkgs/runner/cache/store;
autoindex off;
location / { try_files $uri =404; }
}
```
Consumers later need `substituters = https://cache.cargoxx.<your-domain>`
and `trusted-public-keys = <contents of cache.pub>` in their nix
config (bake this into the cargoxx wrapper once ready).
6. **Start the runner**:
4. **Start the runner**:
```sh
docker compose up -d
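Review bot: the removed step 5 nginx block has `listen 443 ssl;` with no `ssl_certificate` / `ssl_certificate_key` directives, so as written it would never have passed `nginx -t`; if the cache documentation returns, add those two lines and keep `root` pointing at `cache/store` rather than `cache/`, so the key pair generated next to it is never served. Renumbering "Start the runner" from `6.` to `4.` is consistent with steps 4 and 5 going away.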

View File

@@ -18,29 +18,3 @@ services:
- ./config.yaml:/config.yaml:ro
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
# archives here. Named volumes (defined below) make the same
# storage reachable from both this runner container AND every
# job container act_runner spawns. nginx (on the host) serves
# ./cache/store over HTTPS for consumers' substituter config.
- cargoxx-cache-store:/srv/cargoxx-cache/store
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
volumes:
cargoxx-cache-store:
# Explicit name disables compose's project-prefix so spawned job
# containers (which don't know about compose) can reference the
# same volume by the same name.
name: cargoxx-cache-store
driver: local
driver_opts:
type: none
o: bind
device: "${PWD}/cache/store"
cargoxx-cache-keys:
name: cargoxx-cache-keys
driver: local
driver_opts:
type: none
o: bind
device: "${PWD}/cache/keys"
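Review bot: the removed volume definitions resolved `device: "${PWD}/cache/store"` and `device: "${PWD}/cache/keys"` from whatever shell ran `docker compose up`, so starting the runner from another directory, or from a service unit that does not export `PWD`, would have bound a different or empty path. A future version should put the host path in `.env` (already gitignored) or use an absolute path. Note also that the `:ro` on `cargoxx-cache-keys` in the runner container did nothing to keep the key out of job containers; the comment above says the same named volume is reachable from every job container act_runner spawns, and read-only mounts are still readable.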

View File

@@ -18,19 +18,9 @@ cache:
container:
network: bridge
privileged: false
# Bind the binary cache into every job container by referencing the
# named volumes defined in compose.yml — those, in turn, are bound
# to ./cache/{store,cache.sec} via `${PWD}` so the path is
# deployment-relative, not absolute.
options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
-v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
options: ""
workdir_parent: /workspace
# Whitelist regex of bind specs act_runner forwards to spawned job
# containers. The regex matches the full `source:target[:opts]`
# string, so a permissive prefix is enough.
valid_volumes:
- "cargoxx-cache-store"
- "cargoxx-cache-keys"
valid_volumes: []
docker_host: "unix:///var/run/docker.sock"
force_pull: false
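Review bot: the removed comment calls `valid_volumes` a "whitelist regex", but the two entries under it are plain volume names, and act_runner's example config.yaml documents the field as glob patterns, not regexes; when it is reintroduced, describe it as a glob list and keep it as narrow as it was here (exact volume names, never `**`). Returning to `valid_volumes: []` and `options: ""` alongside `privileged: false` is the right default while no cache exists: job containers running PR code get no host mounts at all.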