
ci: migrate from GitHub Actions to tangled.org CI

- Remove .github/workflows/nix.yml
- Add .tangled/workflows/ci.yml using nixery engine with Cachix caching
- Update PLAN.md and plan/08-phase6-ci.md references accordingly

+88 -307
-207
.github/workflows/nix.yml
··· 1 - # Nix CI for darling-nix 2 - # 3 - # This workflow builds the Darling package with Nix, runs flake checks, 4 - # and executes integration tests. It uses Cachix to cache build artifacts 5 - # so that subsequent runs (and contributor builds) are fast. 6 - # 7 - # See: plan/08-phase6-ci.md (Task 6.3) 8 - 9 - name: Nix CI 10 - 11 - on: 12 - push: 13 - branches: [master, main] 14 - paths-ignore: 15 - - "**.md" 16 - - "plan/**" 17 - - "LICENSE" 18 - - ".github/ISSUE_TEMPLATE/**" 19 - - ".github/FUNDING.yml" 20 - pull_request: 21 - paths-ignore: 22 - - "**.md" 23 - - "plan/**" 24 - - "LICENSE" 25 - - ".github/ISSUE_TEMPLATE/**" 26 - - ".github/FUNDING.yml" 27 - 28 - concurrency: 29 - group: nix-${{ github.ref }} 30 - cancel-in-progress: true 31 - 32 - jobs: 33 - # ── Flake check ─────────────────────────────────────────────────────────── 34 - # Fast: evaluates the flake, checks formatting, runs lightweight checks. 35 - flake-check: 36 - runs-on: ubuntu-latest 37 - steps: 38 - - name: Checkout 39 - uses: actions/checkout@v4 40 - with: 41 - submodules: recursive 42 - 43 - - name: Install Nix 44 - uses: cachix/install-nix-action@v27 45 - with: 46 - extra_nix_config: | 47 - accept-flake-config = true 48 - experimental-features = nix-command flakes 49 - 50 - - name: Set up Cachix 51 - uses: cachix/cachix-action@v15 52 - with: 53 - name: darling-nix 54 - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} 55 - continue-on-error: true # Don't fail if Cachix isn't configured 56 - 57 - - name: nix flake check (eval only) 58 - run: nix flake check --no-build --all-systems 2>&1 59 - 60 - # ── Build packages ──────────────────────────────────────────────────────── 61 - # Builds the main Darling package and the SDK output. 
62 - build: 63 - runs-on: ubuntu-latest 64 - needs: flake-check 65 - steps: 66 - - name: Checkout 67 - uses: actions/checkout@v4 68 - with: 69 - submodules: recursive 70 - 71 - - name: Free up disk space 72 - run: | 73 - sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc 74 - df -h / 75 - 76 - - name: Install Nix 77 - uses: cachix/install-nix-action@v27 78 - with: 79 - extra_nix_config: | 80 - accept-flake-config = true 81 - experimental-features = nix-command flakes 82 - 83 - - name: Set up Cachix 84 - uses: cachix/cachix-action@v15 85 - with: 86 - name: darling-nix 87 - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} 88 - continue-on-error: true 89 - 90 - - name: Build Darling 91 - run: nix build .#darling -L --no-link --print-out-paths 92 - 93 - - name: Build Darling SDK 94 - run: nix build .#darling-sdk -L --no-link --print-out-paths 95 - 96 - # ── DevShell evaluation ─────────────────────────────────────────────────── 97 - # Ensures the devShell evaluates without error so contributors can always 98 - # `nix develop`. This is cheap (eval-only, no build). 
99 - devshell: 100 - runs-on: ubuntu-latest 101 - needs: flake-check 102 - steps: 103 - - name: Checkout 104 - uses: actions/checkout@v4 105 - with: 106 - submodules: recursive 107 - 108 - - name: Install Nix 109 - uses: cachix/install-nix-action@v27 110 - with: 111 - extra_nix_config: | 112 - accept-flake-config = true 113 - experimental-features = nix-command flakes 114 - 115 - - name: Set up Cachix 116 - uses: cachix/cachix-action@v15 117 - with: 118 - name: darling-nix 119 - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} 120 - continue-on-error: true 121 - 122 - - name: Evaluate devShell 123 - run: nix eval .#devShells.x86_64-linux.default.name 2>&1 124 - 125 - - name: Build devShell 126 - run: nix build .#devShells.x86_64-linux.default -L --no-link --print-out-paths 127 - 128 - # ── Smoke test ──────────────────────────────────────────────────────────── 129 - # If the build succeeds, run a quick smoke test to verify Darling starts 130 - # and the sandbox-exec stub is present. 131 - smoke-test: 132 - runs-on: ubuntu-latest 133 - needs: build 134 - steps: 135 - - name: Checkout 136 - uses: actions/checkout@v4 137 - with: 138 - submodules: recursive 139 - 140 - - name: Free up disk space 141 - run: | 142 - sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc 143 - df -h / 144 - 145 - - name: Install Nix 146 - uses: cachix/install-nix-action@v27 147 - with: 148 - extra_nix_config: | 149 - accept-flake-config = true 150 - experimental-features = nix-command flakes 151 - 152 - - name: Set up Cachix 153 - uses: cachix/cachix-action@v15 154 - with: 155 - name: darling-nix 156 - authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} 157 - continue-on-error: true 158 - 159 - - name: Build Darling 160 - id: build 161 - run: | 162 - out=$(nix build .#darling -L --no-link --print-out-paths) 163 - echo "darling=$out" >> "$GITHUB_OUTPUT" 164 - 165 - - name: Verify Darling binary exists 166 - run: | 167 - test -x "${{ steps.build.outputs.darling }}/bin/darling" 168 - echo "✓ 
darling binary found" 169 - 170 - - name: Check sandbox-exec stub is installed 171 - run: | 172 - test -f "${{ steps.build.outputs.darling }}/libexec/darling/usr/bin/sandbox-exec" 173 - echo "✓ sandbox-exec stub found" 174 - 175 - - name: Check diskutil supports info verb 176 - run: | 177 - grep -q 'info' "${{ steps.build.outputs.darling }}/libexec/darling/usr/sbin/diskutil" 178 - echo "✓ diskutil info verb found" 179 - 180 - # The following tests require actually running Darling, which needs 181 - # user namespaces and overlayfs — these may not be available in all 182 - # GitHub Actions runners. We attempt them but allow failure. 183 - - name: Test darling shell (may need user namespaces) 184 - run: | 185 - timeout 30 "${{ steps.build.outputs.darling }}/bin/darling" shell echo "Hello from Darling" || { 186 - echo "::warning::darling shell failed — runner may lack user namespace support" 187 - exit 0 188 - } 189 - continue-on-error: true 190 - 191 - - name: Test sandbox-exec stub inside Darling 192 - run: | 193 - timeout 30 "${{ steps.build.outputs.darling }}/bin/darling" shell \ 194 - /usr/bin/sandbox-exec -f /dev/null -D _GLOBAL_TMP_DIR=/tmp /bin/echo "sandbox-exec works" || { 195 - echo "::warning::sandbox-exec test failed — darling shell may not be functional on this runner" 196 - exit 0 197 - } 198 - continue-on-error: true 199 - 200 - - name: Test diskutil info inside Darling 201 - run: | 202 - timeout 30 "${{ steps.build.outputs.darling }}/bin/darling" shell \ 203 - /usr/sbin/diskutil info / || { 204 - echo "::warning::diskutil info test failed — darling shell may not be functional on this runner" 205 - exit 0 206 - } 207 - continue-on-error: true
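Review bot: the smoke checks deleted at lines 165-178 (`test -x .../bin/darling`, the `sandbox-exec` stub under `libexec/darling/usr/bin/`, the `diskutil` `info` verb) and the devShell evaluation and build at 122-126 have no counterpart in the new `.tangled/workflows/ci.yml`, which runs only `nix flake check` and the two package builds. If `tests/darling-smoke.nix` already exercises the binary and stub checks through `nix flake check`, say so in the commit message; otherwise carry them over as flake checks so the migration does not silently drop coverage. The `nix eval .#devShells.x86_64-linux.default.name` step (123) is eval-only and cheap, and its stated purpose, keeping `nix develop` working for contributors, still applies.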
+31
.tangled/workflows/ci.yml
··· 1 + when: 2 + - event: ["push", "pull_request"] 3 + branch: main 4 + 5 + engine: nixery 6 + 7 + environment: 8 + USER: root 9 + CACHIX_NAME: darling-nix 10 + 11 + steps: 12 + - name: "Setup Cachix" 13 + command: | 14 + nix-env -iA cachix -f https://cachix.org/api/v1/install 15 + mkdir -p /tangled/home/.config/nix 16 + echo -e "experimental-features = nix-command flakes\nmax-jobs = auto" > /tangled/home/.config/nix/nix.conf 17 + cachix use $CACHIX_NAME 18 + 19 + - name: "Nix flake check" 20 + command: | 21 + rm -rf /homeless-shelter 22 + ulimit -n 65536 23 + cachix watch-exec $CACHIX_NAME -- nix flake check --max-jobs 1 24 + 25 + - name: "Build Darling" 26 + command: | 27 + cachix watch-exec $CACHIX_NAME -- nix build .#darling -L --no-link --print-out-paths 28 + 29 + - name: "Build Darling SDK" 30 + command: | 31 + cachix watch-exec $CACHIX_NAME -- nix build .#darling-sdk -L --no-link --print-out-paths
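Review bot: lines 12-17 and 23-31 run `cachix use` and `cachix watch-exec`, which pushes store paths to `darling-nix`, but nothing in the workflow supplies the push credential that the removed workflow passed as `authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}`. Either add the secret to `environment:` under the variable name the Cachix CLI reads, or document in the step how tangled.org injects it; as written, a reader cannot tell whether `watch-exec` will fail to push or push with a token of untraceable origin. Because `when:` (lines 1-3) fires on `pull_request` as well as `push`, also confirm whether pull-request runs receive that write token: a PR can change `flake.nix`, and therefore what executes under `watch-exec` with the token in scope, so pushes to the cache should be limited to `push` events on `main` rather than to runs of unreviewed contributions. Separately, `nix-env -iA cachix -f https://cachix.org/api/v1/install` (line 14) installs an unpinned Cachix from a remote URL on every run; pinning it to a fixed revision would make the job reproducible and narrow the supply-chain surface.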
+6 -6
PLAN.md
··· 18 18 | Phase 3 — Nix Install | 🚧 In progress | `scripts/install-nix-in-darling.sh`, `scripts/darling-nix`, `scripts/verify-nix.sh` | 19 19 | Phase 4 — Building | 🚧 Tooling ready | `scripts/build-trivial.sh` (new) | 20 20 | Phase 5 — Daemon | 🚧 Stubs done | `src/dirserv/` (new), `tests/dirserv/` (new) | 21 - | Phase 6 — CI | 🚧 In progress | `.github/workflows/nix.yml`, `tests/darling-smoke.nix`, `tests/nix-in-darling.nix` (new) | 21 + | Phase 6 — CI | 🚧 In progress | `.tangled/workflows/ci.yml`, `tests/darling-smoke.nix`, `tests/nix-in-darling.nix` (new) | 22 22 | Phase 7 — Remote Builder | 📋 Planned | — | 23 23 | Phase 8 — Stretch | 📋 Planned | — | 24 24 ··· 130 130 a Darling prefix in single-user mode. 131 131 - **Phase 3.4**: Created `scripts/darling-nix` — host-side wrapper for running 132 132 Nix commands inside Darling without manual `darling shell bash -lc` boilerplate. 133 - - **Phase 6.3**: Created `.github/workflows/nix.yml` — Nix CI workflow with 134 - flake check, package build, devShell evaluation, and smoke tests. 133 + - **Phase 6.3**: Created `.tangled/workflows/ci.yml` — tangled.org CI workflow 134 + with Cachix caching and `nix flake check`. 135 135 - **Phase 1.7**: Created `plan/syscall-triage.md` — tracking table for 136 136 unimplemented syscalls with categories, impact levels, and discovery log. 
137 137 - **Testing**: Created `tests/sandbox/test_sandbox_api.c` (C-level sandbox API ··· 151 151 | [plan/05-phase3-nix-install.md](./plan/05-phase3-nix-install.md) | Automated installer, verification, wrappers | 152 152 | [plan/06-phase4-building.md](./plan/06-phase4-building.md) | Trivial derivations → stdenv → binary substitution | 153 153 | [plan/07-phase5-daemon.md](./plan/07-phase5-daemon.md) | Multi-user mode, Directory Services stubs, launchd | 154 - | [plan/08-phase6-ci.md](./plan/08-phase6-ci.md) | NixOS VM tests, regression suite, GitHub Actions | 154 + | [plan/08-phase6-ci.md](./plan/08-phase6-ci.md) | NixOS VM tests, regression suite, tangled.org CI | 155 155 | [plan/09-phase7-remote-builder.md](./plan/09-phase7-remote-builder.md) | Darling as a `nix.buildMachines` target | 156 156 | [plan/10-phase8-stretch.md](./plan/10-phase8-stretch.md) | `aarch64-darwin`, GUI testing, Hydra builder | 157 157 | [plan/11-architecture.md](./plan/11-architecture.md) | System diagram, key technical decisions, glossary | ··· 163 163 164 164 ```text 165 165 darling-nix/ 166 - ├── .github/workflows/nix.yml # Nix CI workflow (Phase 6) 166 + ├── .tangled/workflows/ci.yml # tangled.org CI workflow (Phase 6) 167 167 ├── flake.nix # Flake with package, devShell, NixOS module (Phase 0) 168 168 ├── nix/ 169 169 │ ├── package.nix # Darling Nix derivation (Phase 0) ··· 309 309 | 5.1 | ✅ | Directory Services stubs (`dseditgroup`, `sysadminctl`, `dscl`) | 310 310 | 6.1 | ✅ | NixOS VM test (`tests/nix-in-darling.nix`) | 311 311 | 6.2 | ✅ | Wired tests into `flake.nix` (checks output) | 312 - | 6.3 | ✅ | `.github/workflows/nix.yml` CI workflow | 312 + | 6.3 | ✅ | `.tangled/workflows/ci.yml` tangled.org CI workflow | 313 313 | 6.6 | ✅ | Darling smoke test (`tests/darling-smoke.nix`) | 314 314 | — | ✅ | `run-tests.sh` unified test runner (6 suites) | 315 315 | — | ✅ | `getattrlist` attribute buffer ordering bug fixed |
+51 -94
plan/08-phase6-ci.md
··· 23 23 - Verify Nix compatibility. 24 24 - Test inside a NixOS VM (which is needed for namespace/overlay support). 25 25 26 - We need to replace or supplement this with a Nix-native CI pipeline that runs 27 - real integration tests. 26 + We use [tangled.org](https://tangled.org) CI instead of GitHub Actions. Tangled 27 + provides a `nixery` engine that gives us a Nix-enabled container out of the box, 28 + eliminating the need for `install-nix-action` and simplifying the workflow. The 29 + workflow is defined in `.tangled/workflows/ci.yml`. 28 30 29 31 --- 30 32 ··· 146 148 147 149 --- 148 150 149 - ### 6.3 — GitHub Actions Workflow ✅ 151 + ### 6.3 — tangled.org CI Workflow ✅ 150 152 151 - Replace or supplement the existing `.github/workflows/actions.yaml` with a 152 - Nix-native workflow. 153 + Replace the GitHub Actions workflow with a tangled.org CI workflow using the 154 + `nixery` engine, which provides Nix out of the box. 153 155 154 - **Workflow file**: `.github/workflows/nix-ci.yaml` 156 + **Workflow file**: `.tangled/workflows/ci.yml` 155 157 156 158 ```yaml 157 - name: Nix CI 159 + when: 160 + - event: ["push", "pull_request"] 161 + branch: main 158 162 159 - on: 160 - push: 161 - branches: [main] 162 - pull_request: 163 + engine: nixery 163 164 164 - jobs: 165 - build: 166 - runs-on: ubuntu-latest 167 - steps: 168 - - uses: actions/checkout@v4 169 - with: 170 - submodules: recursive 165 + environment: 166 + USER: root 167 + CACHIX_NAME: darling-nix 171 168 172 - - uses: cachix/install-nix-action@v27 173 - with: 174 - extra_nix_config: | 175 - experimental-features = nix-command flakes 169 + steps: 170 + - name: "Setup Cachix" 171 + command: | 172 + nix-env -iA cachix -f https://cachix.org/api/v1/install 173 + mkdir -p /tangled/home/.config/nix 174 + echo -e "experimental-features = nix-command flakes\nmax-jobs = auto" > /tangled/home/.config/nix/nix.conf 175 + cachix use $CACHIX_NAME 176 176 177 - - uses: cachix/cachix-action@v15 178 - with: 179 - 
name: darling-nix # our Cachix cache 180 - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' 177 + - name: "Nix flake check" 178 + command: | 179 + rm -rf /homeless-shelter 180 + ulimit -n 65536 181 + cachix watch-exec $CACHIX_NAME -- nix flake check --max-jobs 1 181 182 182 - - name: Build Darling 183 - run: nix build .#darling -L 183 + - name: "Build Darling" 184 + command: | 185 + cachix watch-exec $CACHIX_NAME -- nix build .#darling -L --no-link --print-out-paths 184 186 185 - - name: Build Darling SDK 186 - run: nix build .#darling-sdk -L 187 - 188 - test-syscalls: 189 - runs-on: ubuntu-latest 190 - needs: build 191 - steps: 192 - - uses: actions/checkout@v4 193 - with: 194 - submodules: recursive 195 - 196 - - uses: cachix/install-nix-action@v27 197 - with: 198 - extra_nix_config: | 199 - experimental-features = nix-command flakes 200 - 201 - - uses: cachix/cachix-action@v15 202 - with: 203 - name: darling-nix 204 - 205 - - name: Run syscall regression tests 206 - run: nix build .#checks.x86_64-linux.syscall-regression -L 207 - 208 - test-nix-integration: 209 - runs-on: ubuntu-latest 210 - needs: build 211 - steps: 212 - - uses: actions/checkout@v4 213 - with: 214 - submodules: recursive 215 - 216 - - uses: cachix/install-nix-action@v27 217 - with: 218 - extra_nix_config: | 219 - experimental-features = nix-command flakes 220 - system-features = kvm 221 - 222 - - uses: cachix/cachix-action@v15 223 - with: 224 - name: darling-nix 225 - 226 - - name: Run Nix-in-Darling integration test 227 - run: nix build .#checks.x86_64-linux.nix-in-darling -L 228 - timeout-minutes: 60 # generous timeout for VM test 187 + - name: "Build Darling SDK" 188 + command: | 189 + cachix watch-exec $CACHIX_NAME -- nix build .#darling-sdk -L --no-link --print-out-paths 229 190 ``` 230 191 231 192 **Notes**: 232 193 233 - - The integration test requires KVM for the NixOS VM. GitHub's `ubuntu-latest` 234 - runners have KVM available. 
Verify with `system-features = kvm` in the Nix 235 - config. 236 - - The build job runs first and pushes artifacts to Cachix. Subsequent test jobs 237 - pull from the cache, avoiding redundant rebuilds. 238 - - The `timeout-minutes: 60` is important — Darling operations inside a VM inside 239 - CI can be very slow. Adjust as needed based on real-world timings. 240 - - `submodules: recursive` is required because Darling has 100+ submodules. This 241 - checkout step may itself take 5–10 minutes. 242 - 243 - **Alternative: use a self-hosted runner** if GitHub's runners are too slow or 244 - lack KVM. A dedicated NixOS machine with nested virtualisation enabled would 245 - provide the most reliable CI environment. 194 + - tangled.org's `nixery` engine provides a Nix-enabled container, so there is 195 + no need for `install-nix-action` or checkout actions — the repo is already 196 + cloned and Nix is pre-installed. 197 + - Cachix is installed at runtime and used via `cachix watch-exec` to 198 + automatically push all build artifacts. Subsequent runs pull from the cache, 199 + avoiding redundant rebuilds. 200 + - `nix flake check` runs all flake checks (build smoke test, dirserv stubs, 201 + etc.) in a single step. The `--max-jobs 1` flag prevents OOM on 202 + memory-constrained CI runners. 203 + - The `CACHIX_NAME` environment variable should match the Cachix cache name. 204 + The Cachix auth token must be configured as a tangled.org secret. 205 + - `rm -rf /homeless-shelter` works around a Nix sandbox issue in containerised 206 + environments where `HOME` is set to a nonexistent path. 246 207 247 208 --- 248 209 ··· 593 554 594 555 3. **Incremental testing**: On PRs that only touch `plan/` or `docs/`, skip the 595 556 expensive VM tests. 
Use path filters in the workflow: 596 - ```yaml 597 - on: 598 - push: 599 - paths-ignore: 600 - - 'plan/**' 601 - - '*.md' 602 - ``` 557 + In the tangled workflow, this can be handled at the application level by 558 + checking changed paths in early steps, or by relying on Cachix cache hits 559 + to make unchanged builds near-instant. 603 560 604 561 4. **Test VM snapshots**: If the NixOS testing framework supports it, take a 605 562 snapshot after Darling initialization and restore from it for each test. This ··· 623 580 After completing Phase 6, ALL of the following should be true: 624 581 625 582 - [ ] `nix flake check` passes (includes build smoke test) 626 - - [ ] `.github/workflows/nix-ci.yaml` exists and runs on PRs 583 + - [ ] `.tangled/workflows/ci.yml` exists and runs on pushes/PRs to `main` 627 584 - [ ] Syscall regression tests exist for `lchflags`, `renameatx_np`, `utimensat` (at minimum) 628 585 - [ ] Sandbox stub tests verify `sandbox-exec` passthrough works 629 586 - [ ] NixOS VM test installs Nix inside Darling and evaluates an expression 630 587 - [ ] NixOS VM test builds a trivial derivation inside Darling 631 - - [ ] CI results are visible on GitHub PR checks 588 + - [ ] CI results are visible on tangled.org 632 589 - [ ] Cachix cache is populated by CI and speeds up subsequent runs 633 590 - [ ] Compatibility matrix script exists and produces JSON output 634 591 - [ ] Adding a new syscall implementation has a clear path: implement → add test → CI verifies
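Review bot: the removed note at 233-235 was the only place recording that the NixOS VM test needs KVM; the replacement notes (194-206) do not say whether the nixery container exposes it, yet the acceptance criteria at 629-630 still require the VM test to run in CI and `nix flake check` at 181 will attempt to build every check, `tests/nix-in-darling.nix` included. State explicitly whether the VM checks run under tangled.org CI or are excluded from the flake check there, otherwise the ✅ on 6.3 (line 151) is not backed by its own criteria. Line 204 ("The Cachix auth token must be configured as a tangled.org secret") should name the environment variable the secret is exposed as and note that the workflow at 159-189 does not reference it anywhere. At 557-559, "handled at the application level by checking changed paths in early steps" is vaguer than the path-filter YAML it replaces; either give the concrete condition a step would evaluate or record that path filtering is deferred.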