
Conversation

@lucperkins
Member

@lucperkins lucperkins commented Nov 12, 2025

Summary by CodeRabbit

  • Chores

    • Linux CI runners upgraded to Ubuntu 24.04 and checkout action bumped to the latest major version across workflows.
    • macOS build targets removed from CI and release pipelines.
    • Build configuration source references updated and supported platforms reduced.
    • README examples updated to reflect the new checkout action version.
  • New Features

    • Consolidated artifact retrieval into a reusable workflow step to persist prebuilt artifacts per platform.

@coderabbitai

coderabbitai bot commented Nov 12, 2025

Walkthrough

Introduce a local composite action to download and persist prebuilt cache artifacts; replace per-platform download/copy steps with that action across release workflows; upgrade multiple GitHub Actions checkout usages to v5; change x86_64-linux runner to ubuntu-24.04; remove macOS entries from CI matrices and supportedSystems; update nixpkgs source.

Changes

Cohort / File(s) Summary
Build CI matrix
/.github/workflows/build.yaml
Change x86_64-linux runner from ubuntu-22.04 to ubuntu-24.04; remove x86_64-darwin matrix entry and macOS runner; upgrade checkout to actions/checkout@v5.
Release workflows
/.github/workflows/release-branches.yml, /.github/workflows/release-prs.yml, /.github/workflows/release-tags.yml
Replace explicit per-platform actions/download-artifact + cp sequences with calls to the local composite action at /.github/actions/download-persist (inputs: arch, os); update actions/checkout to @v5; remove older copy steps.
Other workflows
/.github/workflows/check-and-test.yaml, /.github/workflows/flakehub.yaml, /.github/workflows/update-flake-lock.yaml, /.github/workflows/*
Upgrade actions/checkout from v4 → v5 in multiple workflows; update actions/download-artifact versions and adjust YAML formatting/permissions where present.
Local composite action
/.github/actions/download-persist.yaml
Add composite action that downloads magic-nix-cache-${{ inputs.arch }}-${{ inputs.os }} and copies magic-nix-cache.closure.xz into artifacts/${{ inputs.arch }}-${{ inputs.os }}.
Nix flake
flake.nix
Update nixpkgs input/source to DeterminateSystems/secure/0; remove x86_64-darwin from supportedSystems.
Documentation
README.md
Update examples referencing actions/checkout@v4 → actions/checkout@v5.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Workflow as Release Workflow
    participant LocalAction as ./.github/actions/download-persist
    participant GHStore as GitHub Artifact Store
    participant FS as Artifacts Directory

    Note over Workflow,LocalAction: New single-call flow per platform
    Workflow->>LocalAction: invoke(inputs: arch, os)
    LocalAction->>GHStore: download "magic-nix-cache-${arch}-${os}"
    GHStore-->>LocalAction: artifact archive
    LocalAction->>FS: copy magic-nix-cache.closure.xz → artifacts/${arch}-${os}
    LocalAction-->>Workflow: completed

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review focus:
    • /.github/actions/download-persist.yaml — verify artifact naming, downloaded path, and destination copy.
    • /.github/workflows/release-*.yml — confirm each arch/os invocation and artifact directory usage.
    • flake.nix — validate nixpkgs input and removal of x86_64-darwin for remaining platform-specific logic.
    • CI matrix changes in build.yaml and check-and-test.yaml — ensure runner/version alignment and no leftover macOS references.

Poem

🐰 I hopped through workflows, tidy and quick,
fetching caches with one gentle trick.
Ubuntu leapt forward, macOS stepped away,
flakes rearranged for a lighter day.
A rabbit's patch — snug, swift, and slick.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Title check (❓ Inconclusive): The title 'Switch to secure packages' is vague and does not accurately reflect the main changes in the PR, which involve removing macOS support, updating GitHub Actions versions, and refactoring workflows. Resolution: Consider a more specific title that captures the primary change, such as 'Update GitHub Actions, remove macOS support, and refactor workflows', or focus on the most significant change if consolidating is preferred.
✅ Passed checks (2 passed)
Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2514963 and 723a225.

📒 Files selected for processing (1)
  • .github/workflows/check-and-test.yaml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Nix and Rust checks
🔇 Additional comments (2)
.github/workflows/check-and-test.yaml (2)

11-11: PR objectives appear incomplete.

The PR objectives state "change x86_64-linux runner to ubuntu-24.04" and "remove macOS entries from CI matrices," but the code still contains:

  • Line 11: ubuntu-22.04 (checks job)
  • Line 51: ubuntu-22.04 (action-integration-test X64-Linux)
  • Line 55: macos-latest-xlarge (action-integration-test ARM64-macOS)

Verify whether these lines should be updated to align with the PR objectives, or if the objectives need to be clarified.

Also applies to: 51-51, 55-55


16-16: Verify actions compatibility; download-artifact@v6 has behavioral breaking changes.

  • actions/checkout@v5 moves to Node 24 and requires GitHub Actions runner v2.327.1 or newer; verify self-hosted runners if in use.
  • actions/download-artifact@v6 changes path extraction for downloads by artifact ID, extracting directly to the target path instead of nested under the artifact name. Review downstream steps to ensure this output path change is compatible.
  • actions/download-artifact@v6 disables fork searching by default (security patch). If your workflow relies on cross-fork artifact retrieval, add search-owner options to maintain earlier behavior.

Also applies to: 60-60, 63-63


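The review above asks to verify the download-persist action's artifact naming, downloaded path and destination copy, and notes that actions/download-artifact@v6 changed where a by-ID download is extracted (directly into the target path rather than nested under the artifact name). The script below is an added example written for this page, not code from the PR or from the magic-nix-cache repository. It is the kind of body a composite action's `run:` step could use: it looks for `magic-nix-cache.closure.xz` in both layouts, validates the `arch`/`os` values itself (action metadata does not enforce them), fails closed when zero or more than one closure file is present, and copies the file into `artifacts/<arch>-<os>` as the PR's workflows do. The function name `persist_closure`, the `demo` helper and the temp-directory fixture are assumptions for illustration; the closure file name and destination layout come from the PR summary.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the magic-nix-cache repository.
# Persist a downloaded closure into artifacts/<arch>-<os>, tolerating both
# layouts actions/download-artifact has produced (file directly in the
# download path, or nested under the artifact name), validating arch/os,
# and failing closed when the closure is missing or ambiguous.
set -eu

CLOSURE=magic-nix-cache.closure.xz   # file name used by the PR's workflows

# persist_closure DOWNLOAD_DIR ARTIFACT_NAME DEST_ROOT ARCH OS
# Prints the path of the persisted copy; returns non-zero on any problem.
persist_closure() {
  download_dir=$1
  artifact=$2
  dest_root=$3
  arch=$4
  os=$5

  # Action metadata does not validate input values, so check them here.
  case "$arch" in X64|ARM64) ;; *) echo "unsupported arch: $arch" >&2; return 2 ;; esac
  case "$os" in Linux|macOS) ;; *) echo "unsupported os: $os" >&2; return 2 ;; esac

  # Direct layout (by-name, or by-ID with download-artifact@v6) and the
  # nested layout (older by-ID downloads). Exactly one must exist.
  found=''
  count=0
  for candidate in "$download_dir/$CLOSURE" "$download_dir/$artifact/$CLOSURE"; do
    if [ -f "$candidate" ]; then
      found=$candidate
      count=$((count + 1))
    fi
  done
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one $CLOSURE for $artifact under $download_dir, found $count" >&2
    return 1
  fi

  dest="$dest_root/$arch-$os"
  mkdir -p "$dest"
  cp "$found" "$dest/$CLOSURE"
  printf '%s\n' "$dest/$CLOSURE"
}

# demo builds a constructed fixture (no real artifacts) and exercises
# both layouts plus the missing-closure failure path.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/by-name" "$tmp/by-id/magic-nix-cache-ARM64-Linux"
  printf 'constructed closure A' > "$tmp/by-name/$CLOSURE"
  printf 'constructed closure B' > "$tmp/by-id/magic-nix-cache-ARM64-Linux/$CLOSURE"

  persist_closure "$tmp/by-name" magic-nix-cache-X64-Linux "$tmp/artifacts" X64 Linux
  persist_closure "$tmp/by-id" magic-nix-cache-ARM64-Linux "$tmp/artifacts" ARM64 Linux

  # A download that yields no closure must fail rather than persist nothing.
  if persist_closure "$tmp/empty" magic-nix-cache-ARM64-macOS "$tmp/artifacts" ARM64 macOS 2>/dev/null; then
    echo "BUG: missing closure was accepted" >&2
    return 1
  fi
  ls -R "$tmp/artifacts"
}

demo
```

In a real action the step would receive `${{ inputs.arch }}` and `${{ inputs.os }}` as arguments and the download directory from the preceding `actions/download-artifact` step's `download-path` output; the point of the explicit count check is that a layout change in a new major of download-artifact surfaces as a failed step instead of a silently empty `artifacts/` tree at release time.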

This was referenced Nov 12, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/actions/download-persist.yaml (1)

1-25: Add descriptions to action inputs for better documentation.

The action structure follows GitHub Actions best practices, but the input parameters lack description fields. While optional, these would improve clarity for future users of the action.

Apply this diff to add input descriptions:

 inputs:
   arch:
+    description: 'Architecture of the binary (X64 or ARM64)'
     type: choice
     options:
       - X64
       - ARM64
     required: true
   os:
+    description: 'Operating system of the binary (Linux or macOS)'
     type: choice
     options:
       - Linux
       - macOS
     required: true
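Review bot: `type: choice` and `options:` under both inputs in this hunk are `workflow_dispatch` input keys, not part of the action metadata schema for composite action inputs (which defines only `description`, `required`, `default` and `deprecationMessage`), so they do not constrain `arch` or `os` at all; keep the added descriptions, but check a release-prs run to confirm the runner accepts the file as written (its metadata parser has rejected unknown input keys with an "Unexpected value" error), and have the action's `run:` step reject anything other than X64/ARM64 and Linux/macOS, for example `case "${{ inputs.arch }}" in X64|ARM64) ;; *) exit 1 ;; esac`. Also confirm the metadata lives at `.github/actions/download-persist/action.yml` (or action.yaml) rather than `.github/actions/download-persist.yaml`, since `uses: ./.github/actions/download-persist` resolves to a directory containing that file.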
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6551618 and d2811f3.

📒 Files selected for processing (4)
  • .github/actions/download-persist.yaml (1 hunks)
  • .github/workflows/release-branches.yml (1 hunks)
  • .github/workflows/release-prs.yml (1 hunks)
  • .github/workflows/release-tags.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Nix and Rust checks
🔇 Additional comments (2)
.github/workflows/release-branches.yml (1)

34-50:

The review comment is based on an incorrect assumption. The code is currently correct:

  • Build matrix produces: X64-Linux, ARM64-Linux, ARM64-macOS
  • Release workflows download: exactly these same three artifacts (ARM64 macOS + X64/ARM64 Linux)
  • No platform mismatch exists between build.yaml and the release workflows

The workflows are consistent and will not fail. macOS (aarch64-darwin) remains in the build matrix and produces the ARM64-macOS artifact that the release workflows download.

Likely an incorrect or invalid review comment.

.github/workflows/release-prs.yml (1)

39-55:

The original review comment's premise is incorrect. macOS is not being removed from the build matrix—aarch64-darwin (ARM64-macOS) is still present in build.yaml. The three download-persist calls in release-prs.yml (lines 40-43, 46-49, 52-55) are valid and will succeed.

However, there is an unrelated issue: release-tags.yml line 56 attempts to rename a X64-macOS artifact that does not exist in the build matrix. Only ARM64-macOS is built for Darwin platforms.

Likely an incorrect or invalid review comment.

@RossComputerGuy
Member

CI still says there's pending checks for x86_64-darwin

@lucperkins lucperkins closed this Nov 14, 2025
@lucperkins lucperkins reopened this Nov 14, 2025
@lucperkins lucperkins enabled auto-merge November 14, 2025 00:15
Member


You changed the runner type in build.yaml but not here?
