From 466d23deaabd3121dd02c3ce7ea82324895f8133 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Fri, 11 Dec 2020 13:26:07 +0100
Subject: [PATCH] ci: extract build-to-cachix.sh

Needed by the following commits.

Also, don't use the cachix cache as a substituter for local, non-CI builds. This obviates the need for the 'untrusted' warning in build.sh.
---
 ci/build-to-cachix.sh | 50 ++++++++++++++++++++++++++++++++++++
 ci/build.sh | 60 +++++-------------------------------
 2 files changed, 57 insertions(+), 53 deletions(-)
 create mode 100755 ci/build-to-cachix.sh

diff --git a/ci/build-to-cachix.sh b/ci/build-to-cachix.sh
new file mode 100755
index 0000000..ab99535
--- /dev/null
+++ b/ci/build-to-cachix.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# Build a single-output derivation and store it in 'cachixCache'.
+# Skip the build if it is already cached.
+# Accepts the same arguments as nix-instantiate.
+
+set -euo pipefail
+
+CACHIX_SIGNING_KEY=${CACHIX_SIGNING_KEY:-}
+cachixCache=nix-bitcoin
+
+trap 'echo Error at line $LINENO' ERR
+
+atExit() {
+ rm -rf $tmpDir
+ if [[ -v cachixPid ]]; then kill $cachixPid; fi
+}
+tmpDir=$(mktemp -d -p /tmp)
+trap atExit EXIT
+
+## Instantiate
+
+time nix-instantiate "$@" --add-root $tmpDir/drv --indirect > /dev/null
+printf "instantiated "; realpath $tmpDir/drv
+
+outPath=$(nix-store --query $tmpDir/drv)
+if nix path-info --store https://$cachixCache.cachix.org $outPath &>/dev/null; then
+ echo "$outPath has already been built successfully."
+ exit 0
+fi
+
+## Build
+
+if [[ -v CIRRUS_CI ]]; then
+ cachix use $cachixCache
+fi
+
+if [[ $CACHIX_SIGNING_KEY ]]; then
+ # Speed up task by uploading store paths as soon as they are created
+ cachix push $cachixCache --watch-store &
+ cachixPid=$!
+fi
+
+nix-build --out-link $tmpDir/result $tmpDir/drv >/dev/null
+
+if [[ $CACHIX_SIGNING_KEY ]]; then
+ cachix push $cachixCache $outPath
+fi
+
+echo $outPath
diff --git a/ci/build.sh b/ci/build.sh
index 8a69c5a..a1f8653 100755
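Review bot: The two `if [[ $CACHIX_SIGNING_KEY ]]` gates around the `cachix push` calls lose their rationale in the move: build.sh carried `# Cirrus doesn't expose secrets to pull-request builds, so skip cache uploading in this case` above the first gate, and this file has no equivalent, so a reader cannot tell that an unset key is the expected PR-build state rather than a misconfiguration. Restore that comment above the first `if [[ $CACHIX_SIGNING_KEY ]]; then` and extend the header to name the environment inputs, e.g. `# Environment: CACHIX_SIGNING_KEY - when set, built paths are pushed to the cache (unset on PR builds);` `#              CIRRUS_CI - when set, the cache is also enabled as a substituter via 'cachix use'.` The stdout contract is also worth stating, because the ERR trap and the `instantiated` line share stdout with the final `echo $outPath`, while the already-cached branch prints a sentence instead of the bare path; if a following commit consumes stdout, send the diagnostics to stderr, e.g. `trap 'echo "Error at line $LINENO" >&2' ERR`.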
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -3,44 +3,21 @@
 # This script can also be run locally for testing:
 # scenario=default ./build.sh
 #
-# WARNING: This script fetches contents from an untrusted $cachixCache to your local nix-store.
-#
 # When variable CIRRUS_CI is unset, this script leaves no persistent traces on the host system.
 set -euo pipefail
 scenario=${scenario:-}
-CACHIX_SIGNING_KEY=${CACHIX_SIGNING_KEY:-}
-cachixCache=nix-bitcoin
-trap 'echo Error at line $LINENO' ERR
-
-if [[ -v CIRRUS_CI ]]; then
- tmpDir=/tmp
- if [[ $scenario ]]; then
- if [[ ! -e /dev/kvm ]]; then
- >&2 echo "No KVM available on VM host."
- exit 1
- fi
- # Enable KVM access for nixbld users
- chmod o+rw /dev/kvm
+if [[ -v CIRRUS_CI && $scenario ]]; then
+ if [[ ! -e /dev/kvm ]]; then
+ >&2 echo "No KVM available on VM host."
+ exit 1
 fi
-else
- atExit() {
- rm -rf $tmpDir
- if [[ -v cachixPid ]]; then kill $cachixPid; fi
- }
- tmpDir=$(mktemp -d -p /tmp)
- trap atExit EXIT
- # Prevent cachix from writing to HOME
- export HOME=$tmpDir
+ # Enable KVM access for nixbld users
+ chmod o+rw /dev/kvm
 fi
-cachix use $cachixCache
-cd "${BASH_SOURCE[0]%/*}"
-
-## Build
-
 echo "$NIX_PATH ($(nix eval --raw nixpkgs.lib.version))"
 if [[ $scenario ]]; then
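Review bot: With `cd "${BASH_SOURCE[0]%/*}"` removed here and not re-added anywhere in this patch, the expression handed to the helper in the next hunk (`buildExpr="import ./build.nix"`) is now resolved against the caller's working directory instead of `ci/`, so the script only works when invoked from inside `ci/`; the dropped line was what made it location-independent. Unless every caller, including the Cirrus task that is not visible here, already runs from `ci/`, keep `cd "${BASH_SOURCE[0]%/*}"` immediately before the `echo "$NIX_PATH …"` line. Either way the header's `# scenario=default ./build.sh` example silently assumes that cwd, so state the assumption there.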
@@ -49,27 +26,4 @@ else
 buildExpr="import ./build.nix"
 fi
-time nix-instantiate -E "$buildExpr" --add-root $tmpDir/drv --indirect > /dev/null
-printf "instantiated "; realpath $tmpDir/drv
-
-outPath=$(nix-store --query $tmpDir/drv)
-if nix path-info --store https://$cachixCache.cachix.org $outPath &>/dev/null; then
- echo "$outPath" has already been built successfully.
- exit 0
-fi
-
-# Cirrus doesn't expose secrets to pull-request builds,
-# so skip cache uploading in this case
-if [[ $CACHIX_SIGNING_KEY ]]; then
- # Speed up task by uploading store paths as soon as they are created
- cachix push $cachixCache --watch-store &
- cachixPid=$!
-fi
-
-nix-build --out-link $tmpDir/result $tmpDir/drv >/dev/null
-
-if [[ $CACHIX_SIGNING_KEY ]]; then
- cachix push $cachixCache $outPath
-fi
-
-echo $outPath
+"${BASH_SOURCE[0]%/*}/build-to-cachix.sh" -E "$buildExpr"
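Review bot: The new call delegates instantiation, the remote-cache check and the cachix push to build-to-cachix.sh without saying so, and nothing left in build.sh tells a local user that the helper exits 0 before building when `nix path-info` finds the output in the remote cache, or that pushing only happens when `CACHIX_SIGNING_KEY` is set. Add a comment above the call, e.g. `# Instantiate and build $buildExpr via the helper. It skips the build when the output is already in the cachix cache, and pushes the result only when CACHIX_SIGNING_KEY is set.` The `if [[ $scenario ]] … else … fi` that sets `buildExpr` begins outside this hunk.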