Make devbox sandbox friendly, add devbox CI. #27728
The devbox is now sandbox friendly, and devbox CI has been added to ensure that any changes to Devbox are properly validated.
What do you mean by "sandbox friendly" out of interest?
You can find more info on it here: https://nixos.wiki/wiki/Nix_package_manager#sandboxing, but basically nix sandbox builds don't allow access to the internet. This is enabled by default on Linux, so if we want to use this in CI it'll be easier if we tune our devbox so that it can fit into the sandboxed nix install rather than try to wrestle a no-sandbox nix install into our build boxes, IMO.
| }, | ||
| "python@3.11.2": { | ||
| "last_modified": "2023-03-31T22:52:29Z", | ||
| "plugin_version": "0.0.1", |
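Review bot: the lock entry for python@3.11.2 (with its last_modified and plugin_version fields) is dropped here while python@3.11.2 stays in the package list, so the lock file no longer matches the declared packages. Regenerate the lock with the same devbox version that CI will use and commit the result, so the pinned python resolves identically locally and in the sandboxed nix build instead of reappearing on the next local devbox shell.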
Do you know why this got removed?
If I run devbox shell locally, it appears again
Honestly I'm not sure. It disappears for me and seems to reappear for others. Definitely odd.
Which devbox are you using?
$ devbox version
0.5.4
The devbox folks are looking into this!
| "python@3.11.2", | ||
| "shellcheck@0.9.0", | ||
| "yamllint@1.28.0", | ||
| "zlib@1.2.13", |
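Review bot: zlib@1.2.13 is added to the package list with nothing recording why it is needed; the review discussion says it exists to fix the libz.1.dylib link error from make full-ent FIDO2=dynamic on arm64. Capture that reason in the PR description or in a note beside the entry so the dependency is not later removed as unused and the linker failure silently returns.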
Adding zlib to our dependencies fixed the following error when I ran make full-ent FIDO2=dynamic:
ld: file not found: /usr/lib/libz.1.dylib for architecture arm64
| - name: Install devbox dependencies | ||
| run: | | ||
| devbox install No newline at end of file |
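Review bot: the workflow file ends without a trailing newline (the devbox install line is marked "No newline at end of file"); add one so the file is POSIX-clean and a future change to the last line does not show up as a two-line diff. This step also installs exactly what the earlier Install devbox step fetched, so any version pinning has to happen in that step, not here.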
🎉 🎉 🎉 In case you want to enable caching in the future, you can use https://github.com/marketplace/actions/devbox-installer or copy the yaml there
hugoShaka
left a comment
The GHA part looks good, but I have absolutely 0 nix knowledge. So I can't vouch for the flakes part.
| - name: Install devbox | ||
| run: curl -fsSL https://get.jetpack.io/devbox | FORCE=1 bash |
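Review bot: this step fetches the installer from get.jetpack.io at a floating version and pipes it straight into bash, so the toolchain install is only as trustworthy as that URL is at run time, which undercuts the pinning the rest of the devbox setup is meant to provide. Pin a specific devbox release, download the installer to a file and check it against a checksum committed in the repo before running it, and order the step before the checkout so the script runs without access to the repository source.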
Could we do the curl | bash before we checkout (to descope source code)?
I'm thinking about attacks like https://about.codecov.io/security-update/ here.
I'm also somewhat amused that we're using a floating version of devbox, when the entire point of the tool is to pin the toolchain to specific known versions. We should probably pin the devbox version too. 😄
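The pinning and pre-checkout ordering suggested in the comment above, as an added example that is not part of the PR or of the devbox project: the installer is downloaded to a file and executed only after its SHA-256 matches a digest committed alongside the workflow. The digest value, the helper names and the destination path are assumptions; the real digest would be taken from the chosen devbox release.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR: stage the installer on disk and check it
# against a pinned SHA-256 before executing it, rather than piping curl into bash.
# The digest below is a PLACEHOLDER, not the digest of any real devbox release.
PINNED_INSTALLER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# digest_of FILE: print the hex SHA-256 of FILE (sha256sum on Linux, shasum on macOS).
digest_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# fetch_installer URL DEST: download to a file only; nothing is executed here.
fetch_installer() {
  curl -fsSL -o "$2" "$1"
}

# verify_and_run FILE EXPECTED_SHA256: run FILE with sh only if its digest matches
# the pinned value; on a mismatch run nothing and return 1 so the CI step fails.
verify_and_run() {
  file="$1"
  expected="$2"
  actual=$(digest_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 $actual does not match pinned $expected" >&2
    return 1
  fi
  sh "$file"
}

# Usage in the CI step (placed before the checkout step so the installer runs
# without access to the repository source; path is an assumed name):
#   fetch_installer https://get.jetpack.io/devbox ./devbox-install.sh
#   verify_and_run ./devbox-install.sh "$PINNED_INSTALLER_SHA256"
```

The checksum is what turns a floating download into a pinned one: if the script at the URL changes, the digest no longer matches and the step fails closed instead of executing whatever was served, which is the failure mode the codecov incident linked above describes.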