feat: replace container image with install-nix-action

Author: CMCDragonkai

.github/actions/install-nix/action.yml

@@ -0,0 +1,41 @@
+name: 'Install Nix'
+description: 'Installs Nix on GitHub Actions for the supported platforms: Linux and macOS.'
+author: 'Domen Kožar'
+inputs:
+  extra_nix_config:
+    description: 'Gets appended to `/etc/nix/nix.conf` if passed.'
+  github_access_token:
+    description: 'Configure nix to pull from github using the given github token.'
+  install_url:
+    description: 'Installation URL that will contain a script to install Nix.'
+  install_options:
+    description: 'Additional installer flags passed to the installer script.'
+  nix_path:
+    description: 'Set NIX_PATH environment variable.'
+  enable_kvm:
+    description: 'Enable KVM for hardware-accelerated virtualization on Linux, if available.'
+    required: false
+    default: true
+branding:
+  color: 'blue'
+  icon: 'sun'
+runs:
+  using: 'composite'
+  steps:
+    - run: |
+        ${GITHUB_ACTION_PATH}/install-nix.sh
+        nix profile install nixpkgs#cacert nixpkgs#tzdata
+        TZDATA=$(nix eval --raw nixpkgs#tzdata.outPath)
+        CACERT=$(nix eval --raw nixpkgs#cacert.outPath)
+        echo "TZDIR=$TZDATA/share/zoneinfo" >> "$GITHUB_ENV"
+        echo "GIT_SSL_CAINFO=$CACERT/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV"
+        echo "NIX_SSL_CERT_FILE=$CACERT/etc/ssl/certs/ca-bundle.crt" >> "$GITHUB_ENV"
+      shell: bash
+      env:
+        INPUT_EXTRA_NIX_CONFIG: ${{ inputs.extra_nix_config }}
+        INPUT_GITHUB_ACCESS_TOKEN: ${{ inputs.github_access_token }}
+        INPUT_INSTALL_OPTIONS: ${{ inputs.install_options }}
+        INPUT_INSTALL_URL: ${{ inputs.install_url }}
+        INPUT_NIX_PATH: ${{ inputs.nix_path }}
+        INPUT_ENABLE_KVM: ${{ inputs.enable_kvm }}
+        GITHUB_TOKEN: ${{ github.token }}

.github/actions/install-nix/install-nix.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if nix_path="$(type -p nix)" ; then
+  echo "Aborting: Nix is already installed at ${nix_path}"
+  exit
+fi
+
+if [[ ($OSTYPE =~ linux) && ($INPUT_ENABLE_KVM == 'true') ]]; then
+  enable_kvm() {
+    echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-install-nix-action-kvm.rules
+    sudo udevadm control --reload-rules && sudo udevadm trigger --name-match=kvm
+  }
+
+  echo '::group::Enabling KVM support'
+  enable_kvm && echo 'Enabled KVM' || echo 'KVM is not available'
+  echo '::endgroup::'
+fi
+
+# GitHub command to put the following log messages into a group which is collapsed by default
+echo "::group::Installing Nix"
+
+# Create a temporary workdir
+workdir=$(mktemp -d)
+trap 'rm -rf "$workdir"' EXIT
+
+# Configure Nix
+add_config() {
+  echo "$1" >> "$workdir/nix.conf"
+}
+add_config "show-trace = true"
+# Set jobs to number of cores
+add_config "max-jobs = auto"
+if [[ $OSTYPE =~ darwin ]]; then
+  add_config "ssl-cert-file = /etc/ssl/cert.pem"
+fi
+# Allow binary caches for user
+add_config "trusted-users = root ${USER:-}"
+# Add a GitHub access token.
+# Token-less access is subject to lower rate limits.
+if [[ -n "${INPUT_GITHUB_ACCESS_TOKEN:-}" ]]; then
+  echo "::debug::Using the provided github_access_token for github.com"
+  add_config "access-tokens = github.com=$INPUT_GITHUB_ACCESS_TOKEN"
+# Use the default GitHub token if available.
+# Skip this step if running an Enterprise instance. The default token there does not work for github.com.
+elif [[ -n "${GITHUB_TOKEN:-}" && $GITHUB_SERVER_URL == "https://github.com" ]]; then
+  echo "::debug::Using the default GITHUB_TOKEN for github.com"
+  add_config "access-tokens = github.com=$GITHUB_TOKEN"
+else
+  echo "::debug::Continuing without a GitHub access token"
+fi
+# Append extra nix configuration if provided
+if [[ -n "${INPUT_EXTRA_NIX_CONFIG:-}" ]]; then
+  add_config "$INPUT_EXTRA_NIX_CONFIG"
+fi
+if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "experimental-features" ]]; then
+  add_config "experimental-features = nix-command flakes"
+fi
+# Always allow substituting from the cache, even if the derivation has `allowSubstitutes = false`.
+# This is a CI optimisation to avoid having to download the inputs for already-cached derivations to rebuild trivial text files.
+if [[ ! $INPUT_EXTRA_NIX_CONFIG =~ "always-allow-substitutes" ]]; then
+  add_config "always-allow-substitutes = true"
+fi
+
+# Nix installer flags
+installer_options=(
+  --no-channel-add
+  --darwin-use-unencrypted-nix-store-volume
+  --nix-extra-conf-file "$workdir/nix.conf"
+)
+
+# only use the nix-daemon settings if on darwin (which get ignored) or systemd is supported
+if [[ (! $INPUT_INSTALL_OPTIONS =~ "--no-daemon") && ($OSTYPE =~ darwin || -e /run/systemd/system) ]]; then
+  installer_options+=(
+    --daemon
+    --daemon-user-count "$(python3 -c 'import multiprocessing as mp; print(mp.cpu_count() * 2)')"
+  )
+else
+  # "fix" the following error when running nix*
+  # error: the group 'nixbld' specified in 'build-users-group' does not exist
+  add_config "build-users-group ="
+  sudo mkdir -p /etc/nix
+  sudo chmod 0755 /etc/nix
+  sudo cp "$workdir/nix.conf" /etc/nix/nix.conf
+fi
+
+if [[ -n "${INPUT_INSTALL_OPTIONS:-}" ]]; then
+  IFS=' ' read -r -a extra_installer_options <<< "$INPUT_INSTALL_OPTIONS"
+  installer_options=("${extra_installer_options[@]}" "${installer_options[@]}")
+fi
+
+echo "installer options: ${installer_options[*]}"
+
+# There is --retry-on-errors, but only newer curl versions support that
+curl_retries=5
+while ! curl -sS -o "$workdir/install" -v --fail -L "${INPUT_INSTALL_URL:-https://releases.nixos.org/nix/nix-2.25.2/install}"
+do
+  sleep 1
+  ((curl_retries--))
+  if [[ $curl_retries -le 0 ]]; then
+    echo "curl retries failed" >&2
+    exit 1
+  fi
+done
+
+sh "$workdir/install" "${installer_options[@]}"
+
+# Set paths
+echo "/nix/var/nix/profiles/default/bin" >> "$GITHUB_PATH"
+# new path for nix 2.14
+echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
+
+if [[ -n "${INPUT_NIX_PATH:-}" ]]; then
+  echo "NIX_PATH=${INPUT_NIX_PATH}" >> "$GITHUB_ENV"
+fi
+
+# Set temporary directory (if not already set) to fix https://github.com/cachix/install-nix-action/issues/197
+if [[ -z "${TMPDIR:-}" ]]; then
+  echo "TMPDIR=${RUNNER_TEMP}" >> "$GITHUB_ENV"
+fi
+
+# Close the log message group which was opened above
+echo "::endgroup::"

.github/workflows/application-js-cloudflare-feature-closed.yml

@@ -26,21 +26,19 @@ jobs:
   feature-closed-deployment-stop:
     name: "Feature Closed / Deployment Stop"
     runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/matrixai/github-runner
     concurrency:
       group: feature-closed-deployment-stop
       cancel-in-progress: false
     # Only run if the PR head is a feature branch
     # This means the feature branch PR is closed
     if: startsWith(inputs.featureBranch, 'feature')
     permissions:
-      packages: read
       contents: read
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Stop Deployment
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}

.github/workflows/application-js-cloudflare-feature.yml

@@ -16,20 +16,21 @@ on:
       DEPLOY_SECRETS:
         required: true
 
+env:
+  NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+
 jobs:
   # Lint the code
   feature-lint:
     name: "Feature / Lint"
     runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/matrixai/github-runner
     permissions:
-      packages: read
       contents: read
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Run linting
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
@@ -42,16 +43,14 @@ jobs:
   feature-build:
     name: "Feature / Build"
     runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/matrixai/github-runner
     permissions:
-      packages: read
       contents: read
       actions: write
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Run build
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
@@ -70,8 +69,6 @@ jobs:
     name: "Feature / Deployment"
     runs-on: ubuntu-latest
     needs: feature-build
-    container:
-      image: ghcr.io/matrixai/github-runner
     concurrency:
       group: feature-deployment
       cancel-in-progress: false
@@ -89,17 +86,26 @@ jobs:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - uses: actions/download-artifact@v4
         with:
           name: public
           path: ./public
+      - name: Setup Deploy Secrets
+        run: |
+          echo "${{ inputs.DEPLOY_SECRETS }}" | jq -r 'to_entries | .[] | "\(.key)=\(.value)"' >> $GITHUB_ENV
       - name: Run deployment
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
+          name: "feature/${{ github.ref_name }}"
+          url: "https://${{ github.ref_name }}.dev.zeta.house"
         run: |
           echo 'Perform service deployment for feature'
+          echo "$SECRET1"
+          echo "$SECRET2"
+          echo "$SECRET3"
           nix develop .#ci --command bash -c $'
           npm run deploy -- \
             --feature "$GITHUB_REF_NAME" \
             --env "$GITHUB_REF_NAME"
-          '
+          '

.github/workflows/application-js-cloudflare-master.yml

@@ -21,16 +21,14 @@ jobs:
   master-build:
     name: "Master / Build"
     runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/matrixai/github-runner
     permissions:
-      packages: read
       contents: read
       actions: write
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Run build
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
@@ -49,13 +47,10 @@ jobs:
     name: "Master / Deployment"
     runs-on: ubuntu-latest
     needs: master-build
-    container:
-      image: ghcr.io/matrixai/github-runner
     concurrency:
       group: master-deployment
       cancel-in-progress: false
     permissions:
-      packages: read
       contents: read
     steps:
       - name: Checkout Actions
@@ -64,6 +59,7 @@ jobs:
           repository: MatrixAI/.github
           ref: ${{ inputs.ref }}
           path: tmp/.github
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Parse Secrets
         uses: ./tmp/.github/.github/actions/secrets-parse
         with:
@@ -82,4 +78,4 @@ jobs:
           echo 'Perform service deployment for master'
           nix develop .#ci --command bash -c $'
           npm run deploy -- --env master
-          '
+          '

.github/workflows/application-js-cloudflare-staging.yml

@@ -31,15 +31,13 @@ jobs:
   staging-lint:
     name: "Staging / Lint"
     runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/matrixai/github-runner
     permissions:
-      packages: read
       contents: read
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Run linting
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
@@ -53,7 +51,6 @@ jobs:
     name: "Staging / Merge Begin"
     runs-on: ubuntu-latest
     permissions:
-      packages: read
       contents: read
       pull-requests: write
     steps:
@@ -78,16 +75,14 @@ jobs:
   staging-build:
     name: "Staging / Build"
     runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/matrixai/github-runner
     permissions:
-      packages: read
       contents: read
       actions: write
     steps:
       - uses: actions/checkout@v4
         with:
           lfs: true
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Run build
         env:
           NIX_CONFIG: access-tokens = github.com=${{ secrets.NIXPKGS_PRIVATE_PAT }}
@@ -106,13 +101,10 @@ jobs:
     name: "Staging / Deployment"
     runs-on: ubuntu-latest
     needs: staging-build
-    container:
-      image: ghcr.io/matrixai/github-runner
     concurrency:
       group: staging-deployment
       cancel-in-progress: false
     permissions:
-      packages: read
       contents: read
     steps:
       - name: Checkout Actions
@@ -121,6 +113,7 @@ jobs:
           repository: MatrixAI/.github
           ref: ${{ inputs.ref }}
           path: tmp/.github
+      - uses: MatrixAI/.github/.github/actions/install-nix@master
       - name: Parse Secrets
         uses: ./tmp/.github/.github/actions/secrets-parse
         with:
@@ -153,7 +146,6 @@ jobs:
       group: staging-merge-finish
       cancel-in-progress: true
     permissions:
-      packages: read
       contents: write
       pull-requests: write
     steps:
@@ -176,4 +168,4 @@ jobs:
             --repo "$GITHUB_REPOSITORY"
           git checkout master
           git merge --ff-only "$GITHUB_SHA"
-          git push origin master
+          git push origin master