input-output-hk · skylar-simoncelli · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -82,7 +82,6 @@ jobs:
         run: |
           set -euo pipefail
           CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}"
-
           echo "--- Cache preflight ---"
           # Compute cache key again (same as restore/save)
           RUSTC_FULL="$({ nix develop -c rustc -V; } 2>/dev/null || { rustc -V; } 2>/dev/null || true)"
@@ -92,39 +91,35 @@ jobs:
             RUSTC_VER="unknown"
           fi
           if [[ -f Cargo.lock ]]; then
-            LOCK_LINE="$(sha256sum Cargo.lock)"
+            LOCK_LINE="$(nix develop -c sha256sum Cargo.lock)"
             LOCK_SHA="${LOCK_LINE%% *}"
           else
             echo "Cargo.lock missing; skipping manifest check."
             LOCK_SHA="nolock"
           fi
           CACHE="/tmp/rust-cache-${RUSTC_VER}-${LOCK_SHA}"
           [[ -d "$CACHE" ]] || { echo "No shared cache present for key: $CACHE"; exit 0; }
-
           MAN="$CACHE/.manifest"; READY="$CACHE/.ready"
-          WANT="$(printf '%s\n%s\n' "$RUSTC_VER" "$LOCK_SHA")"
+          WANT="$(nix develop -c printf '%s\n%s\n' "$RUSTC_VER" "$LOCK_SHA")"
           REASONS=()
-
           echo "[1/2] Checking manifest/ready..."
           if [[ ! -f "$READY" || ! -f "$MAN" ]]; then
             echo "manifest/ready missing"
             REASONS+=("manifest/ready missing")
           else
-            HAVE="$(head -n 2 "$MAN" || true)"
+            HAVE="$(nix develop -c head -n 2 "$MAN" || true)"
             if [[ "$WANT" != "$HAVE" ]]; then
               echo "manifest mismatch"
               REASONS+=("manifest mismatch")
             fi
           fi
-
           echo "[2/2] cargo fetch --locked..."
-          if ! nix develop -c bash -lc "cargo fetch --locked -q" 2> >(grep -v -E 'untrusted substituter|trusted-public-keys' >&2); then
+          if ! nix develop -c bash -c "cargo fetch --locked -q" 2> >(nix develop -c grep -v -E 'untrusted substituter|trusted-public-keys' >&2); then
             echo "cargo fetch failed → clearing registry/src + git/checkouts, then re-fetching"
-            rm -rf "$CARGO_HOME"/registry/src/* "$CARGO_HOME"/git/checkouts/* || true
-            nix develop -c cargo fetch --locked 2> >(grep -v -E 'untrusted substituter|trusted-public-keys' >&2)
+            nix develop -c rm -rf "$CARGO_HOME"/registry/src/* "$CARGO_HOME"/git/checkouts/* || true
+            nix develop -c cargo fetch --locked 2> >(nix develop -c grep -v -E 'untrusted substituter|trusted-public-keys' >&2)
             REASONS+=("re-fetched dependencies")
           fi
-
           echo "--- Preflight summary: ${REASONS[*]:-OK} ---"
 
       - name: Release cache lock
@@ -145,18 +140,16 @@ jobs:
       - name: Enable sccache (RUSTC_WRAPPER)
         run: |
           set -e
-          if nix develop -c bash -lc 'command -v sccache' >/dev/null 2>&1; then
-            echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=/tmp/sccache" >> "$GITHUB_ENV"
-            echo "SCCACHE_CACHE_SIZE=30G" >> "$GITHUB_ENV"
-            echo "CARGO_INCREMENTAL=0" >> "$GITHUB_ENV"
-            mkdir -p /tmp/sccache
-            nix develop -c sccache --stop-server || true
-            nix develop -c sccache --start-server || true
-            nix develop -c sccache --version || true
-          else
-            echo "sccache not in devshell; skipping wrapper."
-          fi
+          export SCCACHE_DIR=/tmp/sccache-${{ runner.name }}
+          export SCCACHE_CACHE_SIZE=0
+          echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+          echo "SCCACHE_DIR=$SCCACHE_DIR" >> "$GITHUB_ENV"
+          echo "SCCACHE_CACHE_SIZE=$SCCACHE_CACHE_SIZE" >> "$GITHUB_ENV"
+          echo "CARGO_INCREMENTAL=0" >> "$GITHUB_ENV"
+          mkdir -p "$SCCACHE_DIR"
+          nix develop -c sccache --stop-server || true
+          nix develop -c sccache --start-server || true
+          nix develop -c sccache --version || true
 
       - name: Formatting
         run: nix develop -c bash -c "cargo fmt --check"
@@ -430,49 +423,44 @@ jobs:
         run: |
           set -euo pipefail
           CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}"
-
           echo "--- Cache preflight ---"
-          # Compute cache key again
+          # Compute cache key again (same as restore/save)
           RUSTC_FULL="$({ nix develop -c rustc -V; } 2>/dev/null || { rustc -V; } 2>/dev/null || true)"
           if [[ -n "${RUSTC_FULL:-}" ]]; then
             RUSTC_VER="${RUSTC_FULL#rustc }"; RUSTC_VER="${RUSTC_VER%% *}"
           else
             RUSTC_VER="unknown"
           fi
           if [[ -f Cargo.lock ]]; then
-            LOCK_LINE="$(sha256sum Cargo.lock)"
+            LOCK_LINE="$(nix develop -c sha256sum Cargo.lock)"
             LOCK_SHA="${LOCK_LINE%% *}"
           else
             echo "Cargo.lock missing; skipping manifest check."
             LOCK_SHA="nolock"
           fi
           CACHE="/tmp/rust-cache-${RUSTC_VER}-${LOCK_SHA}"
           [[ -d "$CACHE" ]] || { echo "No shared cache present for key: $CACHE"; exit 0; }
-
           MAN="$CACHE/.manifest"; READY="$CACHE/.ready"
-          WANT="$(printf '%s\n%s\n' "$RUSTC_VER" "$LOCK_SHA")"
+          WANT="$(nix develop -c printf '%s\n%s\n' "$RUSTC_VER" "$LOCK_SHA")"
           REASONS=()
-
           echo "[1/2] Checking manifest/ready..."
           if [[ ! -f "$READY" || ! -f "$MAN" ]]; then
             echo "manifest/ready missing"
             REASONS+=("manifest/ready missing")
           else
-            HAVE="$(head -n 2 "$MAN" || true)"
+            HAVE="$(nix develop -c head -n 2 "$MAN" || true)"
             if [[ "$WANT" != "$HAVE" ]]; then
               echo "manifest mismatch"
               REASONS+=("manifest mismatch")
             fi
           fi
-
           echo "[2/2] cargo fetch --locked..."
-          if ! nix develop -c bash -lc "cargo fetch --locked -q" 2> >(grep -v -E 'untrusted substituter|trusted-public-keys' >&2); then
+          if ! nix develop -c bash -c "cargo fetch --locked -q" 2> >(nix develop -c grep -v -E 'untrusted substituter|trusted-public-keys' >&2); then
             echo "cargo fetch failed → clearing registry/src + git/checkouts, then re-fetching"
-            rm -rf "$CARGO_HOME"/registry/src/* "$CARGO_HOME"/git/checkouts/* || true
-            nix develop -c cargo fetch --locked 2> >(grep -v -E 'untrusted substituter|trusted-public-keys' >&2)
+            nix develop -c rm -rf "$CARGO_HOME"/registry/src/* "$CARGO_HOME"/git/checkouts/* || true
+            nix develop -c cargo fetch --locked 2> >(nix develop -c grep -v -E 'untrusted substituter|trusted-public-keys' >&2)
             REASONS+=("re-fetched dependencies")
           fi
-
           echo "--- Preflight summary: ${REASONS[*]:-OK} ---"
 
       - name: Release cache lock
@@ -504,18 +492,16 @@ jobs:
       - name: Enable sccache (RUSTC_WRAPPER)
         run: |
           set -e
-          if nix develop -c bash -lc 'command -v sccache' >/dev/null 2>&1; then
-            echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=/tmp/sccache" >> "$GITHUB_ENV"
-            echo "SCCACHE_CACHE_SIZE=30G" >> "$GITHUB_ENV"
-            echo "CARGO_INCREMENTAL=0" >> "$GITHUB_ENV"
-            mkdir -p /tmp/sccache
-            nix develop -c sccache --stop-server || true
-            nix develop -c sccache --start-server || true
-            nix develop -c sccache --version || true
-          else
-            echo "sccache not in devshell; skipping wrapper."
-          fi
+          export SCCACHE_DIR=/tmp/sccache-${{ runner.name }}
+          export SCCACHE_CACHE_SIZE=0
+          echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+          echo "SCCACHE_DIR=$SCCACHE_DIR" >> "$GITHUB_ENV"
+          echo "SCCACHE_CACHE_SIZE=$SCCACHE_CACHE_SIZE" >> "$GITHUB_ENV"
+          echo "CARGO_INCREMENTAL=0" >> "$GITHUB_ENV"
+          mkdir -p "$SCCACHE_DIR"
+          nix develop -c sccache --stop-server || true
+          nix develop -c sccache --start-server || true
+          nix develop -c sccache --version || true
 
       - name: Build
         run: nix develop -c bash -c "cargo build --locked --profile=release"
@@ -823,49 +809,44 @@ jobs:
         run: |
           set -euo pipefail
           CARGO_HOME="${CARGO_HOME:-$HOME/.cargo}"
-
           echo "--- Cache preflight ---"
-          # Compute cache key again
+          # Compute cache key again (same as restore/save)
           RUSTC_FULL="$({ nix develop -c rustc -V; } 2>/dev/null || { rustc -V; } 2>/dev/null || true)"
           if [[ -n "${RUSTC_FULL:-}" ]]; then
             RUSTC_VER="${RUSTC_FULL#rustc }"; RUSTC_VER="${RUSTC_VER%% *}"
           else
             RUSTC_VER="unknown"
           fi
           if [[ -f Cargo.lock ]]; then
-            LOCK_LINE="$(sha256sum Cargo.lock)"
+            LOCK_LINE="$(nix develop -c sha256sum Cargo.lock)"
             LOCK_SHA="${LOCK_LINE%% *}"
           else
             echo "Cargo.lock missing; skipping manifest check."
             LOCK_SHA="nolock"
           fi
           CACHE="/tmp/rust-cache-${RUSTC_VER}-${LOCK_SHA}"
           [[ -d "$CACHE" ]] || { echo "No shared cache present for key: $CACHE"; exit 0; }
-
           MAN="$CACHE/.manifest"; READY="$CACHE/.ready"
-          WANT="$(printf '%s\n%s\n' "$RUSTC_VER" "$LOCK_SHA")"
+          WANT="$(nix develop -c printf '%s\n%s\n' "$RUSTC_VER" "$LOCK_SHA")"
           REASONS=()
-
           echo "[1/2] Checking manifest/ready..."
           if [[ ! -f "$READY" || ! -f "$MAN" ]]; then
             echo "manifest/ready missing"
             REASONS+=("manifest/ready missing")
           else
-            HAVE="$(head -n 2 "$MAN" || true)"
+            HAVE="$(nix develop -c head -n 2 "$MAN" || true)"
             if [[ "$WANT" != "$HAVE" ]]; then
               echo "manifest mismatch"
               REASONS+=("manifest mismatch")
             fi
           fi
-
           echo "[2/2] cargo fetch --locked..."
-          if ! nix develop -c bash -lc "cargo fetch --locked -q" 2> >(grep -v -E 'untrusted substituter|trusted-public-keys' >&2); then
+          if ! nix develop -c bash -c "cargo fetch --locked -q" 2> >(nix develop -c grep -v -E 'untrusted substituter|trusted-public-keys' >&2); then
             echo "cargo fetch failed → clearing registry/src + git/checkouts, then re-fetching"
-            rm -rf "$CARGO_HOME"/registry/src/* "$CARGO_HOME"/git/checkouts/* || true
-            nix develop -c cargo fetch --locked 2> >(grep -v -E 'untrusted substituter|trusted-public-keys' >&2)
+            nix develop -c rm -rf "$CARGO_HOME"/registry/src/* "$CARGO_HOME"/git/checkouts/* || true
+            nix develop -c cargo fetch --locked 2> >(nix develop -c grep -v -E 'untrusted substituter|trusted-public-keys' >&2)
             REASONS+=("re-fetched dependencies")
           fi
-
           echo "--- Preflight summary: ${REASONS[*]:-OK} ---"
 
       - name: Release cache lock
@@ -886,18 +867,16 @@ jobs:
       - name: Enable sccache (RUSTC_WRAPPER)
         run: |
           set -e
-          if nix develop -c bash -lc 'command -v sccache' >/dev/null 2>&1; then
-            echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
-            echo "SCCACHE_DIR=/tmp/sccache" >> "$GITHUB_ENV"
-            echo "SCCACHE_CACHE_SIZE=30G" >> "$GITHUB_ENV"
-            echo "CARGO_INCREMENTAL=0" >> "$GITHUB_ENV"
-            mkdir -p /tmp/sccache
-            nix develop -c sccache --stop-server || true
-            nix develop -c sccache --start-server || true
-            nix develop -c sccache --version || true
-          else
-            echo "sccache not in devshell; skipping wrapper."
-          fi
+          export SCCACHE_DIR=/tmp/sccache-${{ runner.name }}
+          export SCCACHE_CACHE_SIZE=0
+          echo "RUSTC_WRAPPER=sccache" >> "$GITHUB_ENV"
+          echo "SCCACHE_DIR=$SCCACHE_DIR" >> "$GITHUB_ENV"
+          echo "SCCACHE_CACHE_SIZE=$SCCACHE_CACHE_SIZE" >> "$GITHUB_ENV"
+          echo "CARGO_INCREMENTAL=0" >> "$GITHUB_ENV"
+          mkdir -p "$SCCACHE_DIR"
+          nix develop -c sccache --stop-server || true
+          nix develop -c sccache --start-server || true
+          nix develop -c sccache --version || true
 
       - name: Formatting
         run: nix develop -c bash -c "cargo fmt --check"

diff --git a/flake.nix b/flake.nix
@@ -57,7 +57,9 @@
               docker-compose
               earthly
               gawk
+              gnugrep
               gnumake
+              jq
               kubectl
               libiconv
               nixfmt-rfc-style
@@ -69,6 +71,8 @@
               python312Packages.pip
               python312Packages.virtualenv
               rustToolchain
+              rsync
+              sccache
               sops
               xxd
             ]