chores(ci): use nix-eval-jobs and sets AWS creds to /etc/nix/aws

yvan-sraka · yvan-sraka · commit 54eca247a104 · 2025-09-29T16:05:50.000+02:00
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -20,108 +20,74 @@ concurrency:
 
 jobs:
   nix-matrix:
-    runs-on: ubuntu-latest
+    runs-on:
+      group: self-hosted-runners-nix
+      labels:
+        - aarch64-darwin
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@v30
+      - name: Checkout Repo
+        uses: actions/checkout@v4
       - id: set-matrix
         name: Generate Nix Matrix
         run: |
           set -Eeu
+          # fast eval
+          nix-eval-jobs --flake '.#githubActions.matrix'
+          # capture the output
           matrix="$(nix eval --json '.#githubActions.matrix')"
           echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
 
   build-run-image:
     name: ${{ matrix.name }} (${{ matrix.system }})
     needs: nix-matrix
-    runs-on: ${{ matrix.os }}
+    runs-on:
+      group: ${{ matrix.os == 'blacksmith-32vcpu-ubuntu-2404' && '' || 'self-hosted-runners-nix' }}
+      labels:
+        - ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix: ${{fromJSON(needs.nix-matrix.outputs.matrix)}}
-    timeout-minutes: 180
     steps:
       - name: Checkout Repo
-        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+        uses: actions/checkout@v4
+      - name: aws-oidc
+        uses: aws-actions/configure-aws-credentials@v4.3.1
+        with:
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role # Shared Services
+          role-session-name: gha-oidc-${{ github.run_id }}
       - name: aws-creds
-        uses: aws-actions/configure-aws-credentials@v4
-        if: ${{ github.secret_source == 'Actions' }}
+        uses: aws-actions/configure-aws-credentials@v4.3.1
         with:
-          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
-          aws-region: "us-east-1"
-          output-credentials: true
-          role-duration-seconds: 7200
-      - name: Setup AWS credentials for Nix
-        if: ${{ github.secret_source == 'Actions' }}
-        run: |
-          sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
-          sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
-          sudo -H aws configure set aws_session_token $AWS_SESSION_TOKEN
-      - name: write secret key
-        # use python so we don't interpolate the secret into the workflow logs, in case of bugs
+          disable-retry: true
+          aws-region: us-east-2
+          role-to-assume: arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
+          role-session-name: gha-oidc-${{ github.run_id }}
+          role-chaining: true
+          role-skip-session-tagging: true
+          role-duration-seconds: 900 # TODO: switch to 18000 (5 hours)
+      - name: Write creds files
         run: |
-          sudo mkdir -p /etc/nix
-          sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
-        env:
-          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
-      - name: Setup cache script
-        if: ${{ github.secret_source == 'Actions' }}
-        run: |
-          cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
-          #!/usr/bin/env bash
-          set -euf
-          export IFS=' '
-          /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
+          umask 006
+          cat > /etc/nix/aws/nix-aws-credentials <<EOF
+          [ci-uploader]
+          aws_access_key_id = ${AWS_ACCESS_KEY_ID}
+          aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
+          aws_session_token = ${AWS_SESSION_TOKEN}
           EOF
-          sudo chmod +x /etc/nix/upload-to-cache.sh
-      - name: Install nix
-        uses: cachix/install-nix-action@v27
-        if: ${{ github.secret_source == 'Actions' }}
-        with:
-          install_url: https://releases.nixos.org/nix/nix-2.29.1/install
-          extra_nix_config: |
-            substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-            post-build-hook = /etc/nix/upload-to-cache.sh
-      - name: Install nix
-        uses: cachix/install-nix-action@v27
-        if: ${{ github.secret_source == 'None' }}
-        with:
-          install_url: https://releases.nixos.org/nix/nix-2.29.1/install
-          extra_nix_config: |
-            substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-      - name: Aggressive disk cleanup for DuckDB build
-        if: matrix.runner == 'macos-latest-xlarge'
+      - name: nix-fast-build
         run: |
-          nix --version
-          echo "=== BEFORE CLEANUP ==="
-          df -h
-          # Remove major space consumers
-          sudo rm -rf /usr/share/dotnet || true
-          sudo rm -rf /usr/local/lib/android || true
-          sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform || true
-          sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/watchOS.platform || true
-          sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/tvOS.platform || true
-          # Clean everything possible
-          sudo rm -rf /opt/ghc || true
-          sudo rm -rf /usr/local/share/boost || true
-          sudo rm -rf /opt/homebrew || true
-          sudo xcrun simctl delete all 2>/dev/null || true
-          # Aggressive cache cleanup
-          sudo rm -rf /System/Library/Caches/* 2>/dev/null || true
-          sudo rm -rf /Library/Caches/* 2>/dev/null || true
-          sudo rm -rf ~/Library/Caches/* 2>/dev/null || true
-          sudo rm -rf /private/var/log/* 2>/dev/null || true
-          sudo rm -rf /tmp/* 2>/dev/null || true
-          echo "=== AFTER CLEANUP ==="
-          df -h
-      - run: nix build -L '.#${{ matrix.attr }}'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
-          AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
+          declare -a args=(
+            '--no-nom'
+            '--skip-cached'
+            '--systems=${{ env.system }}'
+            '--option' 'accept-flake-config' 'true'
+            '--retries=3'
+          )
+          args+=('--flake=${{ env.flake }}#${{ matrix.attr }}')
+          nix run '${{ env.flake }}#nix-fast-build' -- "${args[@]}"
 
   run-tests:
     needs: build-run-image
diff --git a/nix/github-actions.nix b/nix/github-actions.nix
@@ -1,9 +1,9 @@
 { inputs, ... }:
 let
   githubPlatforms = {
-    "x86_64-linux" = "large-linux-x86";
-    "aarch64-linux" = "large-linux-arm";
-    "aarch64-darwin" = "macos-latest-xlarge";
+    "aarch64-linux" = "aarch64-linux";
+    "aarch64-darwin" = "aarch64-darwin";
+    "x86_64-linux" = "blacksmith-32vcpu-ubuntu-2404";
   };
 in
 {
