feat(ci): extract nix build setup into reusable action and split builds by architecture

Extract AWS credential setup and nix build steps into a composite action
to reduce duplication. Split extension builds into separate jobs per
architecture (aarch64-linux, aarch64-darwin, x86_64-linux) and update
matrix generation to group packages by system.

Author: jfroche

.github/actions/nix-build-setup/action.yml

@@ -0,0 +1,43 @@
+name: 'Nix Build Setup'
+description: 'Sets up AWS credentials and builds a Nix package'
+inputs:
+  attr:
+    description: 'The Nix attribute to build'
+    required: true
+  aws-role-duration:
+    description: 'AWS role session duration in seconds'
+    required: false
+    default: '3600'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: aws-oidc
+      uses: aws-actions/[email protected]
+      with:
+        aws-region: us-east-2
+        role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role # Shared Services
+        role-session-name: gha-oidc-${{ github.run_id }}
+    - name: aws-creds
+      uses: aws-actions/[email protected]
+      with:
+        disable-retry: true
+        aws-region: us-east-2
+        role-to-assume: arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
+        role-session-name: gha-oidc-${{ github.run_id }}
+        role-chaining: true
+        role-skip-session-tagging: true
+        role-duration-seconds: ${{ inputs.aws-role-duration }}
+    - name: Write creds files
+      shell: bash
+      run: |
+        umask 006
+        cat > /etc/nix/aws/nix-aws-credentials <<EOF
+        [ci-uploader]
+        aws_access_key_id = ${AWS_ACCESS_KEY_ID}
+        aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token = ${AWS_SESSION_TOKEN}
+        EOF
+    - name: nix build
+      shell: bash
+      run: nix build -L .#${{ inputs.attr }}

.github/workflows/nix-build.yml

@@ -30,50 +30,63 @@ jobs:
         run: |
           set -Eeu
           echo matrix="$(python scripts/github-matrix.py extensions)" >> "$GITHUB_OUTPUT"
+          # XXX debugging
+          exit 1
 
-  build-extensions:
-    name: ${{matrix.postgresql_version}}.${{ matrix.name }} (${{ matrix.system }})
+  build-extensions-aarch64-linux:
+    name: ${{matrix.postgresql_version}}.${{ matrix.name }} (aarch64-linux)
     needs: extensions-matrix
     runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.extensions-matrix.outputs.matrix).aarch64_linux != null }}
     strategy:
       fail-fast: false
       max-parallel: 3
-      matrix: ${{fromJSON(needs.extensions-matrix.outputs.matrix)}}
+      matrix: ${{ fromJSON(needs.extensions-matrix.outputs.matrix).aarch64_linux }}
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
-      - name: aws-oidc
-        uses: aws-actions/[email protected]
+      - name: Build Nix Package
+        uses: ./.github/actions/nix-build-setup
         with:
-          aws-region: us-east-2
-          role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role # Shared Services
-          role-session-name: gha-oidc-${{ github.run_id }}
-      - name: aws-creds
-        uses: aws-actions/[email protected]
+          attr: ${{ matrix.attr }}
+
+  build-extensions-aarch64-darwin:
+    name: ${{matrix.postgresql_version}}.${{ matrix.name }} (aarch64-darwin)
+    needs: extensions-matrix
+    runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.extensions-matrix.outputs.matrix).aarch64_darwin != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 3
+      matrix: ${{ fromJSON(needs.extensions-matrix.outputs.matrix).aarch64_darwin }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Build Nix Package
+        uses: ./.github/actions/nix-build-setup
         with:
-          disable-retry: true
-          aws-region: us-east-2
-          role-to-assume: arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
-          role-session-name: gha-oidc-${{ github.run_id }}
-          role-chaining: true
-          role-skip-session-tagging: true
-          role-duration-seconds: 3600
-      - name: Write creds files
-        run: |
-          umask 006
-          cat > /etc/nix/aws/nix-aws-credentials <<EOF
-          [ci-uploader]
-          aws_access_key_id = ${AWS_ACCESS_KEY_ID}
-          aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
-          aws_session_token = ${AWS_SESSION_TOKEN}
-          EOF
-      - name: nix build
-        run: |
-           nix build -L .#${{ matrix.attr }}
+          attr: ${{ matrix.attr }}
+
+  build-extensions-x86_64-linux:
+    name: ${{matrix.postgresql_version}}.${{ matrix.name }} (x86_64-linux)
+    needs: extensions-matrix
+    runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.extensions-matrix.outputs.matrix).x86_64_linux != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 3
+      matrix: ${{ fromJSON(needs.extensions-matrix.outputs.matrix).x86_64_linux }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Build Nix Package
+        uses: ./.github/actions/nix-build-setup
+        with:
+          attr: ${{ matrix.attr }}
 
 
   checks-matrix:
-    needs: [build-extensions]
+    needs: [build-extensions-aarch64-linux, build-extensions-aarch64-darwin, build-extensions-x86_64-linux]
     runs-on:
       group: self-hosted-runners-nix
       labels:
@@ -92,42 +105,18 @@ jobs:
 
   build-checks:
     name: ${{ matrix.name }} (${{ matrix.system }})
-    needs: [checks-matrix, build-extensions]
+    needs: [checks-matrix]
     runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
     strategy:
       fail-fast: false
       matrix: ${{fromJSON(needs.checks-matrix.outputs.matrix)}}
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
-      - name: aws-oidc
-        uses: aws-actions/[email protected]
+      - name: Build Nix Package
+        uses: ./.github/actions/nix-build-setup
         with:
-          aws-region: us-east-2
-          role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role # Shared Services
-          role-session-name: gha-oidc-${{ github.run_id }}
-      - name: aws-creds
-        uses: aws-actions/[email protected]
-        with:
-          disable-retry: true
-          aws-region: us-east-2
-          role-to-assume: arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
-          role-session-name: gha-oidc-${{ github.run_id }}
-          role-chaining: true
-          role-skip-session-tagging: true
-          role-duration-seconds: 3600
-      - name: Write creds files
-        run: |
-          umask 006
-          cat > /etc/nix/aws/nix-aws-credentials <<EOF
-          [ci-uploader]
-          aws_access_key_id = ${AWS_ACCESS_KEY_ID}
-          aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
-          aws_session_token = ${AWS_SESSION_TOKEN}
-          EOF
-      - name: nix build
-        run: |
-           nix build -L .#${{ matrix.attr }}
+          attr: ${{ matrix.attr }}
 
   run-tests:
     needs: build-checks

scripts/github-matrix.py

@@ -134,6 +134,7 @@ def run_nix_eval_jobs(
         for line in process.stdout:
             package = parse_nix_eval_line(line, drv_paths, target)
             if package and not package["already_cached"]:
+                print(f"Found package: {package['attr']}", file=sys.stderr)
                 yield package
 
         if process.returncode and process.returncode != 0:
@@ -177,7 +178,21 @@ def main() -> None:
             if is_extension_pkg(pkg)
         ]
 
-    gh_output = {"include": gh_action_packages}
+        # Group packages by system
+        grouped_by_system = {}
+        for pkg in gh_action_packages:
+            system = pkg["system"]
+            if system not in grouped_by_system:
+                grouped_by_system[system] = []
+            grouped_by_system[system].append(pkg)
+
+        # Create output with system-specific matrices
+        gh_output = {}
+        for system, packages in grouped_by_system.items():
+            gh_output[system.replace("-", "_")] = {"include": packages}
+    else:
+        gh_output = {"include": gh_action_packages}
+
     print(json.dumps(gh_output))