-
-
Notifications
You must be signed in to change notification settings - Fork 353
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: Use Nix in CI where possible #5394
chore: Use Nix in CI where possible #5394
Conversation
2b72cf1
to
8499d5d
Compare
your change to the release script could conflict with #5369. |
It should not conflict, those are new workflows. But we would also want to translate those, I imagine. |
Yes, this was meant. Could you do this and we drop my PR? |
cda78b1
to
916ca63
Compare
Done, I think :) |
916ca63
to
f2f9d21
Compare
very much in favor of Nix in CI, that should be long-term reproducible than Docker (claim that I would love to substantiate with a link to a thesis or paper). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A bit scared about the flake but worth a try. So in the future, we write bash scripts for advanced stuff and call them from nix?
@monperrus could you disable the beta release workflow in the spoon-deploy repo, see https://docs.github.com/en/actions/using-workflows/disabling-and-enabling-a-workflow? |
e59f167
to
73581e5
Compare
73581e5
to
6a350b2
Compare
There are many ways to do things. I currently added small commands as dev commands ( I also see the irony with #5333, but we got caching for free and eliminated random setup commands.
|
e36b1fa
to
0d97462
Compare
0d97462
to
126bba5
Compare
Factor out common setup into its own reused workflow
126bba5
to
6c22191
Compare
done |
6c22191
to
0dbed0c
Compare
13dc48e
to
fecf6be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. Let's go on this adventure then.
Thanks @I-Al-Istannen. Let's do the first test at 0 UTC and watch the snapshot release? |
super cool thanks @I-Al-Istannen let's document this a bit? could you edit #5415 accordingly? |
Nix support is in the roadmap, both for JReleaser itself and every other consumer. jreleaser/jreleaser#1032 |
I think I will have a look at nicer nix maven builds in the upcoming future too (it ties in quite nicely with https://github.com/chains-project/maven-lockfile and gradle supports dependency lockfiles for years now). As far as I can tell, packaging things for maven currently is a bit annoying and needs to rely on fixed-output derivations, which will need updates for very minor dependency update. But my Nix game is not strong at all :P For the moment the binary packaging I built in this PR seems to work just fine (it is basically a minimal nix version of your java download script from the jreleaser-action). Source-based packaging is a bit annoying in CI, unless you can offload the binary cache to hydra :P We build z3 from source, but it is cached in GitHub actions — still takes ~30 minutes for the initial CI run though, until the package is in the GitHub cache. I was a bit surprised that I did not manage to even build Jreleaser manually (I first tried to have a from-source derivation). I have no idea how you do it, but everything I tried to build it failed, even on the release commit. It's probably me being stupid, but maybe something on your side is a tad weird too? |
Given that JReleaser is a Java project built with a very specific version of Gradle I'd suspect it may not be possible to build it from a Nix environment without network access. It should be enough to run |
You can access the internet if you know the hash of the result (which only helps if you have useful lockfiles). Nix packages gradle 6.9.4, maybe that would work as well. But I am happy with just taking your binary at face value right now :)
I tried it on my host as well, but didn't notice that my system locale was screwing things over there… Classic :P I made a tiny PR with a potential fix. Thank you for the help and enjoy your evening :) |
Thank you for the PR, I;ll have a look at it shortly. FWIW JReleaser's binaries come with SBOMs, SHAs, digitial signatures, and SLSA provenance. Thus, allowing multiple ways to verify them. |
Given the test list:
Two are left. Do you want to wait for a beta release, or shall we try patch release first? |
Okay we did patch release test and it works. First spoon release with the new nix CI 🎉 https://github.com/INRIA/spoon/tree/v10.4.1 |
I decided I hadn't inflicted enough pain on myself lately, so I spent a while trying to convert our CI pipeline to nix.
Benefits:
Most of them come down to potentially better performance, but most importantly, exact reproducibility of the CI environment (modulo tokens) locally.
Downsides:
Packaging things ourselves means we are responsible for updates though
Other questions: