Skip to content

ci: Custom GitHub Runners for Nix Builds #1745

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 58 commits into
base: develop
Choose a base branch
from
Open

ci: Custom GitHub Runners for Nix Builds #1745

wants to merge 58 commits into from
+1,024 −96

Conversation

@yvan-sraka
Copy link
Collaborator

@yvan-sraka yvan-sraka commented Aug 11, 2025
edited by jfroche
Loading

This PR implements a migration from GitHub's standard runners to a hybrid infrastructure combining self-hosted and ephemeral Blacksmith runners for building Nix packages.
The implementation includes runner selection, dynamic build matrix generation, and optimized caching strategies to improve build performance and cost efficiency.

Problem Statement

The previous CI implementation had several limitations:

  1. Monolithic build process: A single job attempted to build all packages across all architectures
  2. Inefficient resource allocation: All packages used the same runner type regardless of build complexity
  3. Limited parallelization: Builds couldn't be efficiently distributed across different runner types
  4. Redundant builds: No mechanism to skip packages already available in the binary cache
  5. Poor cost optimization: Large, expensive builds ran on the same infrastructure as small, quick builds
  6. Poor job output clarity: No separation of build results made it hard to identify issues

Solution Architecture

High-Level Design

┌─────────────────┐
│   nix-eval      │  Evaluates flake, generates build matrix
│   (Blacksmith)  │  Identifies cached vs. uncached packages
└────────┬────────┘  Identifies large packages
         │
         ├──────────────┬──────────────┬
         │              │              │              
         v              v              v              
┌────────────────┐ ┌────────────────┐ ┌────────────────┐
│ aarch64-linux  │ │ aarch64-darwin │ │ x86_64-linux   │
│ Self-hosted/   │ │ Self-hosted    │ │ Blacksmith     │
│ Blacksmith     │ │ (macOS)        │ │ Ephemeral      │
└────────────────┘ └────────────────┘ └────────────────┘

Architecture Components

  1. Nix Evaluation Phase (nix-eval.yml):

    • Runs on powerful ephemeral runner (32vcpu)
    • Evaluates all flake outputs using nix-eval-jobs
    • Checks cache status for each package
    • Generates optimized build matrices per architecture

  2. Build Phases (separate jobs per architecture):

    • aarch64-linux: Self-hosted or Blacksmith ARM runners
    • aarch64-darwin: Self-hosted macOS runners
    • x86_64-linux: Blacksmith ephemeral runners

  3. Runner Selection Logic:

    • KVM-required packages → Self-hosted runners with KVM support
    • Large packages (Rust, PostGIS) → 32vcpu runners
    • Standard packages → 8vcpu runners
    • Darwin packages → Self-hosted macOS runners

Key Components

1. Dynamic Matrix Generation (github-matrix Package)

Location: nix/packages/github-matrix/

Core Responsibilities:

  • Evaluates Nix flake outputs using nix-eval-jobs (https://github.com/nix-community/nix-eval-jobs)
  • Determines package dependencies and build order using topological sorting
  • Identifies cached packages to skip redundant builds
  • Assigns appropriate runners based on package requirements
  • Generates GitHub Actions-compatible JSON matrices

Package Size Detection:

  • Uses requiredSystemFeatures = ["big-parallel"] in package definitions
  • Automatically allocates 32vcpu runners for:
    • Rust-based extensions (pg_graphql, pg_jsonschema, wrappers)
    • PostGIS (complex C++ builds)
    • pgvector with heavy dependencies

Output Format:

{
  "aarch64_linux": {
    "include": [
      {
        "attr": "checks.aarch64-linux.pg_graphql_15",
        "name": "pg_graphql-15.7",
        "system": "aarch64-linux",
        "runs_on": {"labels": ["blacksmith-32vcpu-ubuntu-2404-arm"]},
        "postgresql_version": "15"
      }
    ]
  },
  "x86_64_linux": {...},
  "aarch64_darwin": {...}
}

2. Custom Nix Installation Actions

Unify Nix installation across different runner types with two reusable GitHub Actions.

Ephemeral Runners (nix-install-ephemeral)

Location: .github/actions/nix-install-ephemeral/

Purpose: Set up Nix on fresh Blacksmith runners where Nix is not pre-installed

Features:

  • Installs Nix 2.31.2 using cachix/install-nix-action
  • Configures binary cache substituters
  • Optionally sets up AWS credentials for cache pushing
  • Creates post-build hook for automatic cache uploads

Configuration:

- uses: ./.github/actions/nix-install-ephemeral
  with:
    push-to-cache: 'true'  # Enable for build jobs
  env:
    DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
    NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}

Cache Upload Mechanism:

  • Post-build hook automatically uploads successful builds to S3
  • Uses Nix signing keys for trusted binary cache
  • Hook script: /etc/nix/upload-to-cache.sh

Self-Hosted Runners (nix-install-self-hosted)

Location: .github/actions/nix-install-self-hosted/

Purpose: Configure AWS credentials on persistent self-hosted runners where Nix is pre-installed

Features:

  • Assumes AWS IAM role via OIDC
  • Writes credentials to /etc/nix/aws/nix-aws-credentials
  • Supports custom role duration (default 5 hours)

3. Reusable Nix Eval Workflow

Location: .github/workflows/nix-eval.yml

Purpose: Shared workflow for matrix generation

Features:

  • Callable from other workflows via workflow_call
  • Outputs structured JSON matrix
  • Runs on high-performance ephemeral runner
  • Handles optional AWS credentials for cache access

4. Restructured Build Workflow

Location: .github/workflows/nix-build.yml

New Structure:

jobs:
  nix-eval:
    # Generate build matrices
    uses: ./.github/workflows/nix-eval.yml

  nix-build-aarch64-linux:
    needs: nix-eval
    strategy:
      matrix: ${{ fromJSON(needs.nix-eval.outputs.matrix).aarch64_linux }}
    # Build ARM Linux packages

  nix-build-aarch64-darwin:
    needs: nix-eval
    strategy:
      matrix: ${{ fromJSON(needs.nix-eval.outputs.matrix).aarch64_darwin }}
    # Build macOS ARM packages

  nix-build-x86_64-linux:
    needs: nix-eval
    strategy:
      matrix: ${{ fromJSON(needs.nix-eval.outputs.matrix).x86_64_linux }}
    # Build x86_64 Linux packages

  run-testinfra:
    needs: [nix-build-aarch64-linux, ...]
    # Only run if all builds succeed or skip

  run-tests:
    needs: [nix-build-aarch64-linux, ...]
    # Run test suite

Key Improvements:

  1. Parallel Architecture Builds: Each architecture builds independently
  2. Smart Job Skipping: Uses !cancelled() with success/skip conditions
  3. Dynamic Job Names: Include PostgreSQL version for clarity

Related PRs

@yvan-sraka yvan-sraka requested review from jfroche and samrose August 11, 2025 10:11
@yvan-sraka yvan-sraka self-assigned this Aug 11, 2025
@yvan-sraka yvan-sraka requested review from a team as code owners August 11, 2025 10:11
@yvan-sraka yvan-sraka force-pushed the custom-github-runners branch from 8b61ad4 to 76aa79b Compare August 11, 2025 15:36
@yvan-sraka yvan-sraka mentioned this pull request Aug 19, 2025
Closed
@yvan-sraka yvan-sraka force-pushed the custom-github-runners branch from 76aa79b to c75bf58 Compare September 12, 2025 13:46
@yvan-sraka yvan-sraka force-pushed the custom-github-runners branch 16 times, most recently from 1eb74b8 to db1e5e4 Compare September 29, 2025 14:29
@jfroche jfroche force-pushed the custom-github-runners branch 5 times, most recently from 003d671 to 840005b Compare September 29, 2025 21:14
jfroche and others added 28 commits November 25, 2025 23:55
@jfroche
feat: enable x86_64-linux builds in CI
7e494cc
@jfroche
feat: add PostgreSQL version to GitHub Actions job names
a8f986e 
When building a postgres extension, the build matrix may include
multiple time the same extension for different PostgreSQL versions.
This change makes it easier to identify which job corresponds to which PostgreSQL
version in the workflow runs.
@jfroche
fix: disable treefmt flake check
1dc3a3a 
treefmt is already included in the pre-commit hooks check.
@jfroche
feat: run actionlint on new GitHub Actions workflows
aa842d2
@jfroche
chore: improve github matrix script type annotations
27fa055
@jfroche
feat: optimize CI runner selection based on package size
43b3157 
Dynamically assign larger runners (32vcpu) for Rust and PostGIS extensions
while using smaller runners (8vcpu) for standard packages.
@jfroche
chore: fix package meta maintainers format
f6a1894
@jfroche
chore: create a nix package for generating GitHub Actions matrix
124063d 
Add pytest tests for the package
Add nix-eval-jobs in path for the package
@jfroche
fix: configure runner according to the matrix job
b987c8e 
The matrix job returns the type of runner, so we can configure the nix
installation step accordingly.
@jfroche
Update nix-eval-jobs
1e03a64 
Our changes were merged upstream, so we can now track the original
repository again.
@jfroche
refactor(ci): standardize nix installation and disable cache push by …
13f5eb4 
…default

- Replace DeterminateSystems/nix-installer-action with custom nix-install-ephemeral action across all workflows
- Change default push-to-cache from 'true' to 'false' to prevent unnecessary nix/aws configurations
- Explicitly enable push-to-cache only for nix-build and nix-eval workflows where caching is beneficial
@jfroche
feat: use big-parallel to identify large packages
6c69933
@jfroche
fix(ci): ensure x86_64-linux build is considered in testinfra and tes…
537a44e 
…t workflows
@jfroche
fix: nix devShell inclusion condition
30a0f9c
@jfroche
fix(ci): eval should fail if github-matrix run fails
53da93d
@yvan-sraka @jfroche
fix(ci): remove redundant build psql bundle step
2b133c8
@jfroche
fix: reduce ARM runner size from 8vcpu to 4vcpu for ephemeral builds
afd1e7e 
We might not need the full 8vcpu for aarch64-linux builds, so this
change reduces the runner size to 4vcpu to wait less for available
blacksmith runners.
@yvan-sraka @jfroche
Revert "fix(ci): limit max-jobs of nix to 8 to prevent OOM while runn…
7f433d9 
…ing nix flake check (#1933)"

This reverts commit 5935952.
@jfroche
feat: do not return empty matrices if no package has to be built
3c1ae28
@jfroche
feat: fail pipeline if nix evaluation fails
2c44443
@yvan-sraka @samrose @jfroche
Update nix/ext/pgvector.nix
65e009a 
Co-authored-by: samrose <[email protected]>
@jfroche
fix: add skip job only for systems that don't have any job
69e24cb
@jfroche
fix(github-matrix): handle evaluation errors without deadlock
63398f0 
Fix github-matrix that would hang when nix-eval-jobs encountered errors due to subprocess pipe deadlock - stderr buffer would fill while reading stdout.

This change ensure that evaluation errors are visible and the workflow fails properly while still showing which packages succeeded.
@jfroche
feat(github-matrix): integrate github-action-utils for better error v…
2f17aa7 
…isibility

Integrates github-action-utils library to improve error and warning
visibility in GitHub Actions UI through workflow command annotations.
@jfroche
feat(github-matrix): group evaluation errors by message
5acfc8a 
Refactor error handling to collect and group evaluation errors similar to warnings. Errors with the same message are now displayed together with a list of affected attributes.
@jfroche
fix(github-matrix): improve multiline error display in GitHub Actions
1d35332 
Extract core error messages and format them better for GitHub Actions
annotations.
@jfroche
fix(ci): skip run-testinfra and run-tests when nix-eval fails
1429ccd 
Add nix-eval to needs dependencies and check its result in conditional expressions to prevent downstream test jobs from running when evaluation fails.
@jfroche
chore(github-matrix): update message when there are no build for a sy…
9b659e4 
…stem
@jfroche jfroche force-pushed the custom-github-runners branch from c1c4fd7 to 9b659e4 Compare November 25, 2025 22:56
@jfroche
fix(github-matrix): backward compatibility for Result access
efd8f49 
We are running an older version of the 'result' library that uses
'_value' instead of 'ok_value' to access the successful result of a
computation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hunleyd hunleyd hunleyd approved these changes

@jfroche jfroche Awaiting requested review from jfroche

@samrose samrose Awaiting requested review from samrose

Requested changes must be addressed to merge this pull request.

Assignees

@yvan-sraka yvan-sraka

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@yvan-sraka @samrose @hunleyd @jfroche