Use nix-fast-build to build all checks

jfroche · jfroche · commit 362fdc9b1be5 · 2025-06-17T15:00:44.000+02:00
CI build the required nix packages defined in flake checks. We use the
`nix-fast-build` tool to speed up the evaluation and build process.

We now use the same GitHub action to install nix.

We upload the build results to the cache using a post build hook.
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -43,37 +43,36 @@ jobs:
           python -c "import os; file = open('nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
         env:
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
-      - name: Log in to Docker Hub
-        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13' && github.secret_source == 'Actions'
-        uses: docker/login-action@v2
+      - name: Setup cache script
+        if: ${{ github.secret_source == 'Actions' }}
+        run: |
+          mkdir -p /etc/nix
+          cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
+          #!/usr/bin/env bash
+          set -eouf
+          export IFS=' '
+          echo /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=nix-secret-key' \$OUT_PATHS
+          EOF
+          chmod +x /etc/nix/upload-to-cache.sh
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@main
+        if: ${{ github.secret_source == 'Actions' }}
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Build psql bundle with nix
-        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
-        run: docker build -t base_nix -f docker/nix/Dockerfile .
-      - name: Run build psql bundle
-        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
-        run:  |
-          docker run -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} \
-                    -e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} \
-                    -e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} \
-                    base_nix bash -c "./workspace/docker/nix/build_nix.sh"
-      - name: Build psql bundle on macos
-        if: matrix.runner == 'macos-latest' || matrix.runner == 'macos-13'
+          extra-conf: |
+            substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+            post-build-hook = /etc/nix/upload-to-cache.sh
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@main
+        if: ${{ github.secret_source == 'None' }}
+        with:
+          extra-conf: |
+            substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+      - name: Build psql bundle
         run: |
-          curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install --no-confirm \
-          --extra-conf "substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com" \
-          --extra-conf "trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-          . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
-          cp ./docker/nix/build_nix.sh ./build_nix.sh
-          sed -i '' '1s|^#!/bin/env bash|#!/usr/bin/env bash|' ./build_nix.sh
-          chmod +x ./build_nix.sh
-          ./build_nix.sh
+          ./docker/nix/build_nix.sh
         env:
           AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
           AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
-
-    name: build psql bundle on ${{ matrix.arch }}
-    
diff --git a/docker/nix/build_nix.sh b/docker/nix/build_nix.sh
@@ -6,40 +6,4 @@ if [ -d "/workspace" ]; then
     cd /workspace
 fi
 
-SYSTEM=$(nix-instantiate --eval -E builtins.currentSystem | tr -d '"')
-
-nix build .#checks.$SYSTEM.psql_15 -L --no-link
-nix build .#checks.$SYSTEM.psql_orioledb-17 -L --no-link
-nix build .#checks.$SYSTEM.psql_17 -L --no-link
-nix build .#psql_15/bin -o psql_15 -L
-nix build .#psql_orioledb-17/bin -o psql_orioledb_17 -L
-nix build .#psql_17/bin -o psql_17 -L
-nix build .#wal-g-2 -o wal-g-2 -L
-nix build .#wal-g-3 -o wal-g-3 -L
-
-# Copy to S3
-if [[ -n "${AWS_ACCESS_KEY_ID-}" && -n "${AWS_SECRET_ACCESS_KEY-}" ]]; then
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-2
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-3
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_orioledb_17
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_17
-fi
-
-if [ "$SYSTEM" = "aarch64-linux" ]; then
-    nix build .#postgresql_15_debug -o ./postgresql_15_debug
-    nix build .#postgresql_15_src -o ./postgresql_15_src
-    nix build .#postgresql_orioledb-17_debug -o ./postgresql_orioledb-17_debug
-    nix build .#postgresql_orioledb-17_src -o ./postgresql_orioledb-17_src
-    nix build .#postgresql_17_debug -o ./postgresql_17_debug
-    nix build .#postgresql_17_src -o ./postgresql_17_src
-
-    if [[ -n "${AWS_ACCESS_KEY_ID-}" && -n "${AWS_SECRET_ACCESS_KEY-}" ]]; then
-        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_15_debug-debug
-        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_15_src
-        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_orioledb-17_debug-debug
-        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_orioledb-17_src
-        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_17_debug-debug
-        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_17_src
-    fi
-fi
+nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" -- --skip-cached --no-nom --flake ".#checks"
diff --git a/flake.nix b/flake.nix
@@ -1382,6 +1382,9 @@
           psql_15 = makeCheckHarness basePackages.psql_15.bin;
           psql_17 = makeCheckHarness basePackages.psql_17.bin;
           psql_orioledb-17 = makeCheckHarness basePackages.psql_orioledb-17.bin;
+          inherit (basePackages) wal-g-2 wal-g-3;
+        } // pkgs.lib.optionalAttrs (system == "aarch64-linux") {
+          inherit (basePackages) postgresql_15_debug postgresql_15_src postgresql_orioledb-17_debug postgresql_orioledb-17_src postgresql_17_debug postgresql_17_src;
         };
 
         # Apps is a list of names of things that can be executed with 'nix run';
