From 45b97aab400623f375b3267be57718a3f1710675 Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Thu, 20 Mar 2025 23:26:11 +0100 Subject: [PATCH 01/17] add derivation test --- flake.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/flake.nix b/flake.nix index a7fb171..2c1d68e 100644 --- a/flake.nix +++ b/flake.nix @@ -48,6 +48,20 @@ ... }: { + checks = { + test-template-bad-readme = + pkgs.runCommand "test-bad-readme" + { + nativeBuildInputs = [ + pkgs.nix + pkgs.git + ]; + } + '' + echo "evertyhing is fine" + touch $out # Create output file to indicate success + ''; + }; devShells.default = pkgs.mkShell { packages = [ # keep-sorted start From ba3f56b950d65aca0ee993c83d454177b599a9d0 Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 00:36:13 +0100 Subject: [PATCH 02/17] actually run a first test --- flake.nix | 36 ++++++++++++++++++++++++++++++++---- templates/base/flake.nix | 29 +++++++++++++++++++++++------ 2 files changed, 55 insertions(+), 10 deletions(-) diff --git a/flake.nix b/flake.nix index 2c1d68e..749deca 100644 --- a/flake.nix +++ b/flake.nix 
@@ -52,14 +52,42 @@ test-template-bad-readme = pkgs.runCommand "test-bad-readme" { - nativeBuildInputs = [ + buildInputs = [ pkgs.nix - pkgs.git ]; } '' - echo "evertyhing is fine" - touch $out # Create output file to indicate success + mkdir -p $TMPDIR/home + export HOME=$TMPDIR/home + # cd $tmp + nix flake init --template ${self}#default + echo "bad _markdown*" > README.md + if ! nix flake check; then + touch $out + else + echo "Test failed: nix flake check succeeded unexpectedly" + exit 1 + fi + ''; + test-template-good-readme = + pkgs.runCommand "test-good-readme" + { + buildInputs = [ + pkgs.nix + ]; + } + '' + mkdir -p $TMPDIR/home + export HOME=$TMPDIR/home + # cd $tmp + nix flake init --template ${self}#default + echo "good *markdown*" > README.md + if nix flake check; then + touch $out + else + echo "Test failed: nix flake check failed unexpectedly" + exit 1 + fi ''; }; devShells.default = pkgs.mkShell { diff --git a/templates/base/flake.nix b/templates/base/flake.nix index 79c2130..cc80efd 100644 --- a/templates/base/flake.nix +++ b/templates/base/flake.nix @@ -1,12 +1,29 @@ +# flake.nix { - description = "nullkomma"; - - inputs = { - nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2411.*"; - }; + inputs.treefmt-nix.url = "github:numtide/treefmt-nix"; outputs = - { ... }: { + self, + nixpkgs, + systems, + treefmt-nix, + }: + let + # Small tool to iterate over each systems + eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system}); + + # Eval the treefmt modules from ./treefmt.nix + treefmtEval = eachSystem ( + pkgs: treefmt-nix.lib.evalModule pkgs { programs.mdformat.enable = true; } + ); + in + { + # for `nix fmt` + formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper); + # for `nix flake check` + checks = eachSystem (pkgs: { + formatting = treefmtEval.${pkgs.system}.config.build.check self; + }); }; } From fa00b59aedaafbb76089b1ac03e454199936c322 Mon Sep 17 00:00:00 2001 
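Review bot: The expect-failure branch of `test-template-bad-readme` accepts any non-zero exit from `nix flake check`, so a check that fails for an unrelated reason — experimental features not enabled, no network to fetch `treefmt-nix`, no reachable daemon — passes the test instead of failing it. Capture the output and require the formatting check's own message, e.g. `if ! nix flake check 2>check.log && grep -q "<formatting-failure text, confirm against treefmt output>" check.log; then`, and print `check.log` in the else branch so the CI log shows why the expectation was not met. The `# cd $tmp` line in both scripts is a leftover: `$TMPDIR/home` is created for `HOME` but the working directory is never changed, so `nix flake init` writes into the build directory; drop the comment or make the intent explicit with `cd $TMPDIR`. The enclosing `checks` attribute set starts before this hunk.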
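Review bot: The new `outputs` function destructures `nixpkgs` and `systems`, but the hunk removes the `inputs.nixpkgs` declaration and declares only `treefmt-nix`, so both presumably resolve through the evaluator's flake registry on first lock rather than from a URL the template controls, and `treefmt-nix` is fetched from `github:numtide/treefmt-nix` with its own nixpkgs instead of the template's. Declare them next to the existing line: `inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2411.*";`, `inputs.systems.url = "github:nix-systems/default";` and `inputs.treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";`. The `description` attribute the old file had is dropped without replacement; keep one so `nix flake show` on generated projects stays descriptive.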
From: Maximilian Held Date: Fri, 21 Mar 2025 00:51:22 +0100 Subject: [PATCH 03/17] use flakes --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 749deca..76b53c3 100644 --- a/flake.nix +++ b/flake.nix @@ -54,7 +54,9 @@ { buildInputs = [ pkgs.nix + pkgs.git ]; + NIX_CONFIG = "experimental-features = nix-command flakes"; } '' mkdir -p $TMPDIR/home From 1db99f542a30d1d709fe23f0551e7dcf3aa3a09c Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 00:56:50 +0100 Subject: [PATCH 04/17] allow filesystem access --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index 76b53c3..23701f5 100644 --- a/flake.nix +++ b/flake.nix @@ -56,6 +56,7 @@ pkgs.nix pkgs.git ]; + __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; } '' From c5a6c200fe9c5afa39ec9adfb95d3fe2fb7f9e6d Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 01:03:25 +0100 Subject: [PATCH 05/17] enable flakes everywhere --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 23701f5..0ba9a3c 100644 --- a/flake.nix +++ b/flake.nix @@ -78,6 +78,8 @@ buildInputs = [ pkgs.nix ]; + __noChroot = true; + NIX_CONFIG = "experimental-features = nix-command flakes"; } '' mkdir -p $TMPDIR/home From 0003a35b29437d894cab28790c46a5147b588e7f Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 01:07:29 +0100 Subject: [PATCH 06/17] try with chroot --- flake.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/flake.nix b/flake.nix index 0ba9a3c..a093dd8 100644 --- a/flake.nix +++ b/flake.nix @@ -56,7 +56,6 @@ pkgs.nix pkgs.git ]; - __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; } '' @@ -78,7 +77,6 @@ buildInputs = [ pkgs.nix ]; - __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; } '' From 96592c2ed44b53ace7a7203cca2ce6686d296c47 Mon Sep 17 00:00:00 2001 
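Review bot: `__noChroot = true;` takes this derivation out of the build sandbox, so the nested `nix flake check` can reach the host store, daemon and network, and the test result now depends on the machine running it rather than on the inputs alone; the attribute is also only honoured when the daemon runs with `sandbox = relaxed`, and a daemon with `sandbox = true` is expected to refuse the build (verify against the daemon configuration used in CI). If the escape is needed, say so next to the attribute: `__noChroot = true; # nested nix needs the host daemon and network; requires sandbox = relaxed`. Patch 05 adds the same `__noChroot`/`NIX_CONFIG` pair to `test-template-good-readme`; the two checks differ only in the README fixture and the expected exit status, so a small `mkReadmeCheck = name: readme: expectOk: pkgs.runCommand …` helper in a `let` would keep the sandbox decision in one place. The `runCommand` attribute set begins before this hunk and the script continues after it.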
From: Maximilian Held Date: Fri, 21 Mar 2025 01:28:19 +0100 Subject: [PATCH 07/17] get out of sandbox --- flake.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/flake.nix b/flake.nix index a093dd8..240e32f 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,10 @@ { description = "nullkomma"; + nixConfig = { + sandbox = false; + }; + inputs = { nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2411.*"; # keep-sorted start @@ -56,6 +60,7 @@ pkgs.nix pkgs.git ]; + __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; } '' @@ -77,6 +82,7 @@ buildInputs = [ pkgs.nix ]; + __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; } '' From a48dac68e9639b8ff853c8c056b19a756742d975 Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 01:33:43 +0100 Subject: [PATCH 08/17] try sandbox in template --- templates/base/flake.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/base/flake.nix b/templates/base/flake.nix index cc80efd..7fa89bd 100644 --- a/templates/base/flake.nix +++ b/templates/base/flake.nix @@ -1,5 +1,8 @@ # flake.nix { + nixConfig = { + sandbox = false; + }; inputs.treefmt-nix.url = "github:numtide/treefmt-nix"; outputs = From dcdaa1781ea1c129cea0e92ff4e45a4a576e8c7a Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 01:41:32 +0100 Subject: [PATCH 09/17] disable sandbox via detsys --- .github/workflows/ci.yml | 2 +- flake.nix | 4 ---- templates/base/flake.nix | 3 --- 3 files changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fc9a130..8e68ec2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ concurrency: cancel-in-progress: true jobs: DeterminateCI: - uses: dataheld/ci/.github/workflows/workflow.yml@pass-thru-failearly + uses: dataheld/ci/.github/workflows/workflow.yml@no-sandbox permissions: id-token: "write" contents: "read" 
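Review bot: `nixConfig.sandbox = false` asks every consumer of this flake to turn off the build sandbox, not just CI; Nix only applies flake-supplied settings when the user opts in (`accept-flake-config`) and otherwise warns and ignores them, so the check would still fail on a default setup, while a user who does accept gets an unsandboxed daemon for unrelated builds as well. Patch 08 copies the same block into `templates/base/flake.nix`, where it would ship to every project created from the template. A sandbox relaxation belongs in the CI runner's `nix.conf` (where patch 09 moves it), with a comment on the derivation explaining why the nested `nix flake check` needs it.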
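Review bot: The reusable workflow is now referenced by a mutable branch, `dataheld/ci/.github/workflows/workflow.yml@no-sandbox`, while the job grants it `id-token: write`; whoever can push to that branch can change what runs with this repository's OIDC identity. Pin the reference to a full commit SHA and keep the branch name in a trailing comment, e.g. `uses: dataheld/ci/.github/workflows/workflow.yml@<commit-sha> # no-sandbox`. The same applies to `DeterminateSystems/ci/.github/workflows/workflow.yml@main` in patch 15 and to the `@main` action references in both template workflows added in patch 17.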
diff --git a/flake.nix b/flake.nix index 240e32f..0ba9a3c 100644 --- a/flake.nix +++ b/flake.nix @@ -1,10 +1,6 @@ { description = "nullkomma"; - nixConfig = { - sandbox = false; - }; - inputs = { nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.2411.*"; # keep-sorted start diff --git a/templates/base/flake.nix b/templates/base/flake.nix index 7fa89bd..cc80efd 100644 --- a/templates/base/flake.nix +++ b/templates/base/flake.nix @@ -1,8 +1,5 @@ # flake.nix { - nixConfig = { - sandbox = false; - }; inputs.treefmt-nix.url = "github:numtide/treefmt-nix"; outputs = From 69f23e60ec60c7751b52ef47104860fb904780bd Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 01:53:01 +0100 Subject: [PATCH 10/17] poke gha From a1555a0d517ba6fdcc2d8b0855d9e82679975cd5 Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 02:16:46 +0100 Subject: [PATCH 11/17] pass in more stuff --- flake.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 0ba9a3c..1db2603 100644 --- a/flake.nix +++ b/flake.nix @@ -54,7 +54,9 @@ { buildInputs = [ pkgs.nix - pkgs.git + pkgs.mdformat + pkgs.treefmt + inputs'.treefmt-nix.formatter ]; __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; @@ -77,6 +79,9 @@ { buildInputs = [ pkgs.nix + pkgs.mdformat + pkgs.treefmt + inputs'.treefmt-nix.formatter ]; __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; From 7d561b3edb335e11fc82159ad3717ce8d1e1bfc3 Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 20:16:01 +0100 Subject: [PATCH 12/17] reduce sandbox --- flake.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/flake.nix b/flake.nix index 1db2603..e9a84e0 100644 --- a/flake.nix +++ b/flake.nix @@ -54,9 +54,6 @@ { buildInputs = [ pkgs.nix - pkgs.mdformat - pkgs.treefmt - inputs'.treefmt-nix.formatter ]; __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; 
@@ -79,9 +76,6 @@ { buildInputs = [ pkgs.nix - pkgs.mdformat - pkgs.treefmt - inputs'.treefmt-nix.formatter ]; __noChroot = true; NIX_CONFIG = "experimental-features = nix-command flakes"; From 8b30fa7120913b277666ecde191dcd0242b77c6c Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 20:18:48 +0100 Subject: [PATCH 13/17] poke gha From 4d2d2fc42f84dbe242f877b18017f1fde3543147 Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 21:19:27 +0100 Subject: [PATCH 14/17] run all ze systems --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e68ec2..7d01ef9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,7 @@ jobs: contents: "read" with: visibility: public + fail-fast: false flake-checker: runs-on: ubuntu-latest steps: From 53bead5b7140a83ffb7766f446a2136408bdd39e Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Fri, 21 Mar 2025 21:39:58 +0100 Subject: [PATCH 15/17] enable sandbox again --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d01ef9..c68de90 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ concurrency: cancel-in-progress: true jobs: DeterminateCI: - uses: dataheld/ci/.github/workflows/workflow.yml@no-sandbox + uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main permissions: id-token: "write" contents: "read" From 72fd3e0dd49a1385ed273101dc2a34affa3e43fa Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Mon, 24 Mar 2025 15:43:55 +0100 Subject: [PATCH 16/17] don't symlink envrc --- .envrc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) mode change 120000 => 100644 .envrc diff --git a/.envrc b/.envrc deleted file mode 120000 index 0b67630..0000000 --- a/.envrc +++ /dev/null @@ -1 +0,0 @@ -template/.envrc \ No newline at end of file 
diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..a93dec4 --- /dev/null +++ b/.envrc @@ -0,0 +1,6 @@ +#!/bin/bash + +if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then + source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM=" +fi +use flake From 26125b4f3a7b527af6d12a5b34d96a59fc7a78aa Mon Sep 17 00:00:00 2001 From: Maximilian Held Date: Mon, 24 Mar 2025 22:29:58 +0100 Subject: [PATCH 17/17] add ci to template --- templates/base/.github/workflows/ci.yml | 22 +++++++++++++++++ .../.github/workflows/nix_maintenance.yml | 24 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 templates/base/.github/workflows/ci.yml create mode 100644 templates/base/.github/workflows/nix_maintenance.yml diff --git a/templates/base/.github/workflows/ci.yml b/templates/base/.github/workflows/ci.yml new file mode 100644 index 0000000..f4ff3fa --- /dev/null +++ b/templates/base/.github/workflows/ci.yml @@ -0,0 +1,22 @@ +name: CI +on: + pull_request: + workflow_dispatch: + push: +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true +jobs: + DeterminateCI: + uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main + permissions: + id-token: "write" + contents: "read" + with: + fail-fast: false + flake-checker: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Check Nix flake Nixpkgs inputs + uses: DeterminateSystems/flake-checker-action@v9 diff --git a/templates/base/.github/workflows/nix_maintenance.yml b/templates/base/.github/workflows/nix_maintenance.yml new file mode 100644 index 0000000..41a2484 --- /dev/null +++ b/templates/base/.github/workflows/nix_maintenance.yml 
@@ -0,0 +1,24 @@
+name: Maintenance
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 0 * * 0" # runs weekly on Sunday at 01:00
+jobs:
+ nix-maintenance:
+ name: Nix Maintenance
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: DeterminateSystems/nix-installer-action@main
+ with:
+ determinate: true
+ - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/update-flake-lock@main
+ with:
+ pr-title: "Update flake.lock"
+ pr-labels: |
+ dependencies
+ automated
+ - uses: DeterminateSystems/flake-checker-action@main
+ with:
+ fail-mode: true
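Review bot: `update-flake-lock` pushes a branch and opens a pull request, but the job declares no `permissions:`, so it relies on the repository's default `GITHUB_TOKEN` scope and fails wherever that default is read-only; state the least-privilege set explicitly on the job: `permissions:` / `contents: write` / `pull-requests: write`. The cron comment disagrees with the schedule: `0 0 * * 0` fires at 00:00 UTC, so write `# runs weekly on Sunday at 00:00 UTC`.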