Use Nix tooling in Forgejo actions

This commit is contained in:
Conrad Kramer 2026-06-10 03:35:53 -07:00
parent 91dad67fc2
commit d7f76d6ab2
3 changed files with 26 additions and 169 deletions


@ -50,64 +50,28 @@ jobs:
tar -xzf .repo/src.tgz -C .repo --strip-components=1
rm -f .repo/src.tgz
- name: Bootstrap Rust + web build tools
- name: Check Nix toolchain
shell: bash
run: |
set -euo pipefail
cd .repo
install -d -m 755 "$HOME/.local/bin"
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
export PATH="$HOME/.local/bin:$PATH"
if ! command -v curl >/dev/null 2>&1; then
echo "error: curl is required"
exit 2
fi
if ! command -v cargo >/dev/null 2>&1; then
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"
elif [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
rustup target add wasm32-unknown-unknown
if ! command -v trunk >/dev/null 2>&1; then
trunk_version="0.21.14"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
*)
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" trunk
fi
cargo --version
rustc --version
trunk --version
nix develop --accept-flake-config -c cargo --version
nix develop --accept-flake-config -c rustc --version
nix develop --accept-flake-config -c trunk --version
- name: ECP lint
shell: bash
run: |
set -euo pipefail
cd .repo
bash ./scripts/ecp-lint.sh
nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh
- name: Rust tests (core subset)
shell: bash
run: |
set -euo pipefail
cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
- name: Duplicate publisher proof gates
shell: bash
@ -143,8 +107,4 @@ jobs:
run: |
set -euo pipefail
cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
cd apps/web
env -u NO_COLOR trunk build --release --public-url /
nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
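Review bot: `--accept-flake-config` on every `nix develop` call in this section (and again in the deploy job's hunks below) applies whatever `nixConfig` the checked-in flake declares, including any extra substituters and trusted public keys, without a prompt; if the runner's service user is in Nix's `trusted-users`, a flake.nix edit on a pushed branch can therefore change where this runner fetches build inputs from, so the substituter/key set would be safer pinned in the runner's nix.conf with the flag dropped, or at least the reason for the flag noted in a comment on the step. The new "Check Nix toolchain" step also lost the explicit presence check the old step had for curl: when `nix` is missing the job dies with a bare command-not-found, where a guard such as `command -v nix >/dev/null 2>&1 || { echo "error: nix is required on this runner" >&2; exit 2; }` before the first `nix develop` gives a clear failure. Each `nix develop -c` invocation re-evaluates the flake and re-enters the shell, so the three version probes could be a single `nix develop --accept-flake-config -c bash -c 'cargo --version && rustc --version && trunk --version'`.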


@ -54,70 +54,35 @@ jobs:
tar -xzf .repo/src.tgz -C .repo --strip-components=1
rm -f .repo/src.tgz
- name: Bootstrap Rust + web build tools
- name: Check Nix toolchain
shell: bash
run: |
set -euo pipefail
cd .repo
install -d -m 755 "$HOME/.local/bin"
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
export PATH="$HOME/.local/bin:$PATH"
if ! command -v curl >/dev/null 2>&1; then
echo "error: curl is required"
exit 2
fi
if ! command -v cargo >/dev/null 2>&1; then
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"
elif [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
rustup target add wasm32-unknown-unknown
if ! command -v trunk >/dev/null 2>&1; then
trunk_version="0.21.14"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
*)
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" trunk
fi
nix develop --accept-flake-config -c cargo --version
nix develop --accept-flake-config -c rustc --version
nix develop --accept-flake-config -c trunk --version
- name: ECP lint
shell: bash
run: |
set -euo pipefail
cd .repo
bash ./scripts/ecp-lint.sh
nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh
- name: Rust tests (core subset)
shell: bash
run: |
set -euo pipefail
cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv
- name: Build site (web)
shell: bash
run: |
set -euo pipefail
cd .repo
if [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
cd apps/web
env -u NO_COLOR trunk build --release --public-url /
nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
deploy:
if: ${{ github.server_url != 'https://codeberg.org' }}
@ -165,60 +130,15 @@ jobs:
tar -xzf .repo/src.tgz -C .repo --strip-components=1
rm -f .repo/src.tgz
- name: Bootstrap runner deps
- name: Check Nix deploy toolchain
shell: bash
run: |
set -euo pipefail
cd .repo
install -d -m 755 "$HOME/.local/bin"
echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
export PATH="$HOME/.local/bin:$PATH"
if ! command -v curl >/dev/null 2>&1; then
echo "error: curl is required"
exit 2
fi
if ! command -v age >/dev/null 2>&1; then
age_version="1.2.1"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) age_arch="amd64" ;;
aarch64|arm64) age_arch="arm64" ;;
*)
echo "error: unsupported runner arch for age prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen
fi
required_node_major=20
node_major=0
if command -v node >/dev/null 2>&1; then
node_major="$(node -p 'parseInt(process.versions.node.split(\".\")[0], 10)' || echo 0)"
fi
if [[ "${node_major}" -lt "${required_node_major}" ]]; then
node_version="22.16.0"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) node_arch="x64" ;;
aarch64|arm64) node_arch="arm64" ;;
*)
echo "error: unsupported runner arch for node prebuilt binary: ${arch}"
exit 2
;;
esac
node_dist="node-v${node_version}-linux-${node_arch}"
curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.gz" | tar -xz -C "$HOME/.local"
ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node"
ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm"
ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx"
ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true
fi
node --version
npm --version
nix develop --accept-flake-config -c age --version
nix develop --accept-flake-config -c node --version
nix develop --accept-flake-config -c npm --version
nix develop --accept-flake-config -c wrangler --version
- name: CI Breadcrumb (bootstrap ok)
env:
@ -270,7 +190,7 @@ jobs:
echo "error: missing ${secret_file}"
exit 2
fi
CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")"
if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
exit 2
@ -290,32 +210,7 @@ jobs:
run: |
set -euo pipefail
cd .repo
install -d -m 755 "$HOME/.local/bin"
export PATH="$HOME/.local/bin:$PATH"
if ! command -v cargo >/dev/null 2>&1; then
curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
. "$HOME/.cargo/env"
elif [[ -f "$HOME/.cargo/env" ]]; then
. "$HOME/.cargo/env"
fi
rustup target add wasm32-unknown-unknown
if ! command -v trunk >/dev/null 2>&1; then
trunk_version="0.21.14"
arch="$(uname -m)"
case "${arch}" in
x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
*)
echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
exit 2
;;
esac
curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
| tar -xz -C "$HOME/.local/bin" trunk
fi
cd apps/web
trunk build --release --public-url /
nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
-H "content-type: application/json" \
@ -329,9 +224,7 @@ jobs:
run: |
set -euo pipefail
cd .repo
cd deploy/cloudflare-worker
npm ci
npx wrangler deploy
nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci && wrangler deploy'
curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
-H "content-type: application/json" \
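Review bot: The decrypt at `CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")"` captures everything the dev shell writes to stdout while it is entered, not only age's plaintext, so a `shellHook` or wrapper that prints to stdout would be prepended to the token and the following `-z` check would not notice; the flake's shell definition is not in this diff, so whether that happens today cannot be seen here. Running age outside `nix develop` for this one step, or having the in-shell command write the plaintext to a file created with `mktemp` in a mode-0600 directory and reading that back, keeps the captured value exactly the decrypted secret regardless of shell output. Separately, the worker deploy step now runs `wrangler deploy` from the Nix shell while `npm ci` still installs whatever `deploy/cloudflare-worker`'s lockfile pins, so the two wrangler versions can drift silently; `npx wrangler deploy` inside the shell, or removing wrangler from the lockfile, leaves one source of truth.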


@ -52,3 +52,7 @@ runner label and ecp-forge runs a persistent `forgejo-runner-agent` service with
tool PATH so the Cloudflare deploy can actually leave the queue on the self-hosted forge. Teardown is
removing the HTML seed/cache/warmup path, returning to live-API-only station rendering, and
explicitly passing `--passthrough=false` only if an older watcher path is restored.
Forgejo CI and deploy jobs run inside the repository Nix dev shell instead of downloading generic
Linux Rust, Trunk, age, or Node binaries. This keeps self-hosted NixOS runners reproducible and
prevents dynamic-linker failures from blocking the Cloudflare asset rollout.