diff --git a/.forgejo/workflows/ci-gates.yml b/.forgejo/workflows/ci-gates.yml
index c3d2c67..2e69921 100644
--- a/.forgejo/workflows/ci-gates.yml
+++ b/.forgejo/workflows/ci-gates.yml
@@ -50,64 +50,28 @@ jobs: tar -xzf .repo/src.tgz -C .repo --strip-components=1 rm -f .repo/src.tgz - - name: Bootstrap Rust + web build tools + - name: Check Nix toolchain shell: bash run: | set -euo pipefail cd .repo - install -d -m 755 "$HOME/.local/bin" - echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV" - export PATH="$HOME/.local/bin:$PATH" - - if ! command -v curl >/dev/null 2>&1; then - echo "error: curl is required" - exit 2 - fi - - if ! command -v cargo >/dev/null 2>&1; then - curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal - . "$HOME/.cargo/env" - elif [[ -f "$HOME/.cargo/env" ]]; then - . "$HOME/.cargo/env" - fi - - rustup target add wasm32-unknown-unknown - - if ! command -v trunk >/dev/null 2>&1; then - trunk_version="0.21.14" - arch="$(uname -m)" - case "${arch}" in - x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;; - aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;; - *) - echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}" - exit 2 - ;; - esac - curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \ - | tar -xz -C "$HOME/.local/bin" trunk - fi - - cargo --version - rustc --version - trunk --version + nix develop --accept-flake-config -c cargo --version + nix develop --accept-flake-config -c rustc --version + nix develop --accept-flake-config -c trunk --version - name: ECP lint shell: bash run: | set -euo pipefail cd .repo - bash ./scripts/ecp-lint.sh + nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh - name: Rust tests (core subset) shell: bash run: | set -euo pipefail cd .repo - if [[ -f "$HOME/.cargo/env" ]]; then - . "$HOME/.cargo/env" - fi - cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv + nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv - name: Duplicate publisher proof gates shell: bash 
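Review bot: Every `nix develop` call introduced in this hunk passes `--accept-flake-config`, which applies whatever `nixConfig` the checked-out `flake.nix` declares — including `extra-substituters` and `extra-trusted-public-keys` — without a prompt, so if the runner user is a Nix trusted-user, a pull request that edits `flake.nix` can point the build at a binary cache of its choosing. Nothing in the new lines guarantees the lock file is honoured either: with a stale or missing `flake.lock` entry, `nix develop` resolves the input at run time instead of failing. If the flake does not actually need `nixConfig`, drop the flag and pin substituters in the runner's `nix.conf`; in either case add `--no-update-lock-file` so the step fails rather than silently re-locking, e.g. `nix develop --accept-flake-config --no-update-lock-file -c cargo --version`. The same flags recur in the lint, test and build invocations below, so the change belongs in each of them.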
@@ -143,8 +107,4 @@ jobs:
 run: |
 set -euo pipefail
 cd .repo
- if [[ -f "$HOME/.cargo/env" ]]; then
- . "$HOME/.cargo/env"
- fi
- cd apps/web
- env -u NO_COLOR trunk build --release --public-url /
+ nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
diff --git a/.forgejo/workflows/deploy-cloudflare.yml b/.forgejo/workflows/deploy-cloudflare.yml
index 6439f85..1385e5b 100644
--- a/.forgejo/workflows/deploy-cloudflare.yml
+++ b/.forgejo/workflows/deploy-cloudflare.yml
@@ -54,70 +54,35 @@ jobs: tar -xzf .repo/src.tgz -C .repo --strip-components=1 rm -f .repo/src.tgz - - name: Bootstrap Rust + web build tools + - name: Check Nix toolchain shell: bash run: | set -euo pipefail cd .repo - install -d -m 755 "$HOME/.local/bin" - echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV" - export PATH="$HOME/.local/bin:$PATH" - - if ! command -v curl >/dev/null 2>&1; then - echo "error: curl is required" - exit 2 - fi - - if ! command -v cargo >/dev/null 2>&1; then - curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal - . "$HOME/.cargo/env" - elif [[ -f "$HOME/.cargo/env" ]]; then - . "$HOME/.cargo/env" - fi - rustup target add wasm32-unknown-unknown - - if ! command -v trunk >/dev/null 2>&1; then - trunk_version="0.21.14" - arch="$(uname -m)" - case "${arch}" in - x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;; - aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;; - *) - echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}" - exit 2 - ;; - esac - curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \ - | tar -xz -C "$HOME/.local/bin" trunk - fi + nix develop --accept-flake-config -c cargo --version + nix develop --accept-flake-config -c rustc --version + nix develop --accept-flake-config -c trunk --version - name: ECP lint shell: bash run: | set -euo pipefail cd .repo - bash ./scripts/ecp-lint.sh + nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh - name: Rust tests (core subset) shell: bash run: | set -euo pipefail cd .repo - if [[ -f "$HOME/.cargo/env" ]]; then - . "$HOME/.cargo/env" - fi - cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv + nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv - name: Build site (web) shell: bash run: | set -euo pipefail cd .repo - if [[ -f "$HOME/.cargo/env" ]]; then - . 
"$HOME/.cargo/env" - fi - cd apps/web - env -u NO_COLOR trunk build --release --public-url / + nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /' deploy: if: ${{ github.server_url != 'https://codeberg.org' }} 
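Review bot: The "Check Nix toolchain" step in this hunk spawns three separate `nix develop --accept-flake-config -c …` processes, and each one re-evaluates the flake and re-runs the dev shell's hook just to print one version string; a single invocation, `nix develop --accept-flake-config -c bash -c 'cargo --version && rustc --version && trunk --version'`, does that work once and still fails the step if any tool is missing. The identical check, lint and test steps also appear in `.forgejo/workflows/ci-gates.yml` in this same diff, so a shared script under `scripts/` called from both workflows would keep the two copies from drifting. This is a style point; the step's observable behaviour is unchanged.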
@@ -165,60 +130,15 @@ jobs: tar -xzf .repo/src.tgz -C .repo --strip-components=1 rm -f .repo/src.tgz - - name: Bootstrap runner deps + - name: Check Nix deploy toolchain shell: bash run: | set -euo pipefail cd .repo - install -d -m 755 "$HOME/.local/bin" - echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV" - export PATH="$HOME/.local/bin:$PATH" - - if ! command -v curl >/dev/null 2>&1; then - echo "error: curl is required" - exit 2 - fi - - if ! command -v age >/dev/null 2>&1; then - age_version="1.2.1" - arch="$(uname -m)" - case "${arch}" in - x86_64|amd64) age_arch="amd64" ;; - aarch64|arm64) age_arch="arm64" ;; - *) - echo "error: unsupported runner arch for age prebuilt binary: ${arch}" - exit 2 - ;; - esac - curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \ - | tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen - fi - - required_node_major=20 - node_major=0 - if command -v node >/dev/null 2>&1; then - node_major="$(node -p 'parseInt(process.versions.node.split(\".\")[0], 10)' || echo 0)" - fi - if [[ "${node_major}" -lt "${required_node_major}" ]]; then - node_version="22.16.0" - arch="$(uname -m)" - case "${arch}" in - x86_64|amd64) node_arch="x64" ;; - aarch64|arm64) node_arch="arm64" ;; - *) - echo "error: unsupported runner arch for node prebuilt binary: ${arch}" - exit 2 - ;; - esac - node_dist="node-v${node_version}-linux-${node_arch}" - curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.gz" | tar -xz -C "$HOME/.local" - ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node" - ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm" - ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx" - ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true - fi - node --version - npm --version + nix develop --accept-flake-config -c age --version + nix develop --accept-flake-config -c 
node --version + nix develop --accept-flake-config -c npm --version + nix develop --accept-flake-config -c wrangler --version - name: CI Breadcrumb (bootstrap ok) env: @@ -270,7 +190,7 @@ jobs: echo "error: missing ${secret_file}" exit 2 fi - CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")" + CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")" if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then echo "error: decrypted CLOUDFLARE_API_TOKEN is empty" exit 2 @@ -290,32 +210,7 @@ jobs: run: | set -euo pipefail cd .repo - install -d -m 755 "$HOME/.local/bin" - export PATH="$HOME/.local/bin:$PATH" - if ! command -v cargo >/dev/null 2>&1; then - curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal - . "$HOME/.cargo/env" - elif [[ -f "$HOME/.cargo/env" ]]; then - . "$HOME/.cargo/env" - fi - rustup target add wasm32-unknown-unknown - if ! command -v trunk >/dev/null 2>&1; then - trunk_version="0.21.14" - arch="$(uname -m)" - case "${arch}" in - x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;; - aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;; - *) - echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}" - exit 2 - ;; - esac - curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \ - | tar -xz -C "$HOME/.local/bin" trunk - fi - - cd apps/web - trunk build --release --public-url / + nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /' curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \ -H "content-type: application/json" \ @@ -329,9 +224,7 @@ jobs: run: | set -euo pipefail cd .repo - cd deploy/cloudflare-worker - npm ci - npx wrangler deploy + nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci && wrangler deploy' curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \ -H "content-type: application/json" \ 
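Review bot: Capturing `CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d …)"` takes everything the wrapped process writes to stdout, and `nix develop -c` runs the dev shell's `shellHook` before `age`; if that hook ever echoes anything (a banner, a tooling notice), it lands in the variable ahead of the plaintext and the `-z` check two lines down will not notice. The start of this step, where `key_file` and `secret_file` are set, is outside the hunk, so I cannot see what else is exported. Either decrypt outside the dev shell with a binary path resolved once, or validate the shape of the decrypted value before it is used — Cloudflare API tokens are, as far as I know, plain URL-safe strings — e.g. `if [[ ! "${CLOUDFLARE_API_TOKEN}" =~ ^[A-Za-z0-9_-]+$ ]]; then echo "error: decrypted CLOUDFLARE_API_TOKEN has unexpected characters"; exit 2; fi` after the emptiness check.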
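Review bot: `npm ci` in the rewritten deploy line runs every dependency's `preinstall`/`postinstall` script from `package-lock.json`, and it now does so inside the step that presumably holds the Cloudflare deploy credential (the step's `env:` block is outside this hunk, so that is inferred from the decrypt step above); unless a dependency genuinely needs an install script, `npm ci --ignore-scripts` removes that code-execution path, giving `nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci --ignore-scripts && wrangler deploy'`. Note also that `wrangler` is now resolved from the dev shell (pinned by `flake.lock`) rather than via `npx` from the lockfile, so if `package.json` still lists wrangler, the lockfile copy is installed but unused and the two pins can drift — worth removing one or asserting they agree.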
diff --git a/evolution/proposals/ECP-0123-instant-station-guide-and-player-warmup.md b/evolution/proposals/ECP-0123-instant-station-guide-and-player-warmup.md index 22a133d..f7e20f4 100644 --- a/evolution/proposals/ECP-0123-instant-station-guide-and-player-warmup.md +++ b/evolution/proposals/ECP-0123-instant-station-guide-and-player-warmup.md @@ -52,3 +52,7 @@ runner label and ecp-forge runs a persistent `forgejo-runner-agent` service with tool PATH so the Cloudflare deploy can actually leave the queue on the self-hosted forge. Teardown is removing the HTML seed/cache/warmup path, returning to live-API-only station rendering, and explicitly passing `--passthrough=false` only if an older watcher path is restored. + +Forgejo CI and deploy jobs run inside the repository Nix dev shell instead of downloading generic +Linux Rust, Trunk, age, or Node binaries. This keeps self-hosted NixOS runners reproducible and +prevents dynamic-linker failures from blocking the Cloudflare asset rollout.