forked from crossplane/crossplane
Test build w/push to Cachix. #3
Merged
Conversation
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
…counts Signed-off-by: Brady Zhang <brady.zhang@appian.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: François Rigaut <francois.rigaut@orange.com>
Signed-off-by: François Rigaut <francois.rigaut@orange.com>
Renovate's post-upgrade tasks now use Nix commands on main:
- 'nix run .#generate' for Go dependency updates
- 'nix run .#lint' for golangci-lint updates
Release branches continue to use Earthly for these tasks since they haven't been migrated to Nix.
The renovate.yml workflow is updated to allow both 'nix' and 'earthly' commands in post-upgrade tasks.
Signed-off-by: Nic Cope <nicc@rk0n.org>
With Nix now handling builds, these files are no longer needed:
- Earthfile: All targets are replaced by Nix flake derivations and apps
- tools/go.mod and tools/go.sum: Build tool dependencies are now pinned in flake.nix via gomod2nix
- buf.lock and buf.yaml deps: Protobuf dependencies are now managed by Nix; buf.yaml is kept for lint configuration only
Signed-off-by: Nic Cope <nicc@rk0n.org>
This commit updates contributor-facing documentation to reflect the switch from Earthly to Nix:
- contributing/README.md: Rewrite development environment setup to use nix.sh, with optional instructions for native Nix installation
- test/e2e/README.md: Update E2E test instructions to use Nix commands
- .github/PULL_REQUEST_TEMPLATE.md: Change reviewable check from 'earthly +reviewable' to 'nix flake check'
- .coderabbit.yaml: Review flake.nix instead of Earthfile
- .gitignore: Add Nix result symlinks
- contributing/guide-api-promotion.md: Update reference to Nix
Signed-off-by: Nic Cope <nicc@rk0n.org>
This is required for kind to work. I had it previously but must've removed it before committing the file. Signed-off-by: Nic Cope <nicc@rk0n.org>
The OCI image previously used gcr.io/distroless/static as its base. This required manually maintaining the image digest and per-architecture NAR hashes in flake.nix whenever distroless released updates.
This commit builds an equivalent base image using pure Nix:
- CA certificates from pkgs.cacert
- Timezone data from pkgs.tzdata
- Network protocol names from pkgs.iana-etc (/etc/services, /etc/protocols)
- Custom /etc/passwd and /etc/group with nonroot user (UID 65532)
- Writable /tmp with sticky bit
This removes the dependency on Google's distroless build pipeline. Base image contents now update via flake.lock against nixpkgs stable, which receives security backports. This also eliminates the manual hash update workflow - there are no longer per-architecture hashes to track.
Signed-off-by: Nic Cope <nicc@rk0n.org>
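As an added example, not code from the Crossplane repository or this PR, the following shell script lays out the /etc skeleton the commit describes (passwd, group, sticky /tmp) in a scratch directory and runs the checks a reviewer would want before trusting an image to run as nonroot: a nonroot account with UID 65532 exists, no passwd entry carries a password hash, and /tmp is mode 1777 (world-writable with the sticky bit). The file contents and the /sbin/nologin shell are constructed for the illustration; the PR's actual passwd and group contents are not shown on this page.

```shell
#!/bin/sh
# Added example: reproduce the /etc skeleton of a distroless-style nonroot image
# in a scratch directory and verify the properties that matter at runtime.
# Constructed contents; not the Crossplane project's own files.
set -eu

# Build a minimal rootfs under $1: passwd/group with root and a nonroot user
# (UID/GID 65532, as in the commit) and a world-writable /tmp with the sticky bit.
make_rootfs() {
  mkdir -p "$1/etc" "$1/tmp"
  # Password field is "x" and the shell is nologin: no interactive login possible.
  printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$1/etc/passwd"
  printf 'nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin\n' >> "$1/etc/passwd"
  printf 'root:x:0:\nnonroot:x:65532:\n' > "$1/etc/group"
  chmod 1777 "$1/tmp"
}

# Return 0 when the rootfs under $1 satisfies all checks, 1 (with a reason) otherwise.
check_rootfs() {
  root=$1
  # 1. A "nonroot" account with UID 65532 must exist so the image can run unprivileged.
  awk -F: '$1=="nonroot" && $3==65532 {found=1} END {exit !found}' "$root/etc/passwd" \
    || { echo "FAIL: no nonroot user with UID 65532"; return 1; }
  # 2. No entry may carry a real password hash in the second field.
  awk -F: '$2!="x" && $2!="*" && $2!="!" {bad=1} END {exit bad}' "$root/etc/passwd" \
    || { echo "FAIL: password hash present in /etc/passwd"; return 1; }
  # 3. /tmp must be drwxrwxrwt (1777): writable by nonroot, sticky so users cannot
  #    delete or rename each other's files.
  case "$(ls -ld "$root/tmp")" in
    drwxrwxrwt*) ;;
    *) echo "FAIL: /tmp is not mode 1777"; return 1 ;;
  esac
  echo "OK: nonroot uid 65532, no hashes, /tmp 1777"
  return 0
}

main() {
  d=$(mktemp -d)
  make_rootfs "$d"
  check_rootfs "$d"
  # Demonstrate the failure mode: drop the sticky bit and the check rejects the image.
  chmod 755 "$d/tmp"
  check_rootfs "$d" || true
  rm -rf "$d"
}
main "$@"
```

Run it against a real image by exporting the container filesystem (for example with docker export into a directory) and pointing check_rootfs at that directory instead of the scratch one.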
The Earthfile generates Helm chart documentation via helm-docs in its helm-generate target. This commit adds helm-docs to nix run .#generate and nix flake check so the Nix implementation has feature parity. This also simplifies check derivations by using the shared devTools list for nativeBuildInputs rather than specifying tools individually. Signed-off-by: Nic Cope <nicc@rk0n.org>
The Earthfile provides hack and unhack targets that create a kind cluster with Crossplane for local development. This commit adds an equivalent nix run .#hack app.
The app creates a kind cluster named crossplane-hack, loads the pre-built Crossplane image, and installs via Helm. It's idempotent - running it again rebuilds and redeploys. If the cluster exists but is unhealthy (e.g., DinD restarted), it automatically recreates it.
Unlike other apps, hack cannot be run via ./nix.sh run .#hack. The kind cluster must outlive the nix.sh container, so either:
1. Run ./nix.sh develop to enter the dev shell, then nix run .#hack from inside it. The cluster lives in DinD and persists while the shell is open.
2. Install Nix natively and run nix run .#hack directly. The cluster lives on the host's Docker daemon.
Signed-off-by: Nic Cope <nicc@rk0n.org>
The default shell when running './nix.sh develop' was bare - a plain bash prompt with no completions, no history persistence, and missing common terminal utilities like 'clear'.
This commit adds several quality-of-life improvements:
- Colorful prompt using Crossplane logo colors (salmon→yellow→teal)
- Persistent bash history in /nix/.bash_history across container runs
- Tab completion for kubectl, helm, and kind
- 'k' alias for kubectl with completion
- ncurses package for 'clear' and 'tput'
- Help text showing how to install extra tools via nix-env
- Pass through TERM from host for proper terminal handling
- Skip docker/rsync install when already present (silences noise)
Signed-off-by: Nic Cope <nicc@rk0n.org>
The Earthly-based CI workflow included CodeQL SAST scanning, but this was missing from the Nix migration. The Earthly implementation manually downloaded and ran CodeQL within Earthly's sandbox. This commit uses GitHub's native CodeQL action instead, which is simpler to maintain since GitHub handles CodeQL updates and caching. The build step runs via `nix develop` to ensure CodeQL traces a build using the same Go version specified in flake.nix, avoiding version duplication. Signed-off-by: Nic Cope <nicc@rk0n.org>
The Earthly-based CI reported unit test coverage to Codecov and E2E test flakes to BuildPulse. These integrations were missing from the Nix migration.
This commit adds Codecov coverage upload to the unit-tests job, reading from the coverage.txt file produced by the test check. It also adds BuildPulse flake tracking to the e2e-tests job.
The E2E app now writes JUnit XML to $TMPDIR/e2e-tests.xml so BuildPulse and the artifact upload can find it. This avoids conflicts with Nix's result symlink while keeping the repo root clean during local runs.
Signed-off-by: Nic Cope <nicc@rk0n.org>
This commit adds a push-images app that loads each architecture's image tarball into Docker, tags it, and pushes to the specified registry. After pushing all arch-specific images, it creates and pushes a multi-arch manifest. CI uses this to push to DockerHub, GHCR, and Upbound on main and release branches.
This requires a correct version string baked into the image. CI now sets buildVersion in flake.nix via sed before building. This ensures the version is part of Nix's input hash - different versions produce different cache keys. Without this, tagging a commit and rebuilding could return a cached artifact with the wrong version. Local builds fall back to devVersion (v0.0.0-timestamp-commit).
Signed-off-by: Nic Cope <nicc@rk0n.org>
The Nix build lacked support for pushing artifacts to S3 and promoting
releases to channels. These operations were previously handled by Earthly
targets (ci-push-build-artifacts, ci-promote-build-artifacts, ci-promote-image)
that were removed when migrating to Nix.
This commit adds four new Nix apps:
- push-artifacts: Uploads binaries, images, and Helm charts to the
s3://crossplane-releases/build/{branch}/{version}/ staging area.
- promote-artifacts: Promotes staged artifacts to a release channel by
copying them to s3://crossplane-releases/{channel}/, updating the
Helm chart repository index at s3://crossplane-helm-charts/{channel}/,
and optionally updating the "current" pointer for non-prereleases.
- promote-images: Creates channel tags (e.g., "stable", "v1.18.0-stable")
on existing registry images using docker buildx imagetools.
- push-images: Updated to use devToolsPath for consistency with other apps.
The ci.yml workflow now uses these apps instead of inline bash. The
promote.yml workflow is recreated to use promote-images and promote-artifacts
for manual release promotion.
Signed-off-by: Nic Cope <nicc@rk0n.org>
The monolithic flake.nix file (900+ lines) mixed build definitions, scripts, and configuration, making it difficult to navigate and modify.
This commit extracts functionality into separate modules:
- flake.nix: Input declarations and output wiring
- nix/build.nix: Go binary, OCI image, and Helm chart builders
- nix/apps.nix: Interactive development commands (nix run .#<app>)
- nix/checks.nix: CI checks (nix flake check)
Apps and checks are separated because they run in different contexts: apps run interactively with filesystem access, while checks run in the Nix sandbox and need buildGoApplication for Go module setup. Each builder function declares exactly the tools it needs, ensuring explicit dependencies and isolated PATH environments.
The refactor also removes unused inputs (nixpkgs-unstable, flake-utils) and adds documentation comments with links to Nix learning resources.
Signed-off-by: Nic Cope <nicc@rk0n.org>
The Nix files in flake.nix and nix/ currently have no automated linting. This makes it easy for style issues and dead code to accumulate.
This commit adds a nix-lint check using statix (static analysis), deadnix (unused binding detection), and nixfmt-rfc-style (RFC 166 formatting verification). It also adds nixfmt-rfc-style to the devShell so developers can format files when the check fails.
The check currently fails due to existing style issues that will be addressed in a follow-up commit.
Signed-off-by: Nic Cope <nicc@rk0n.org>
statix identified several style issues:
- W10: Empty `{ }:` patterns should use `_:` to indicate the argument is
ignored. This makes intent clearer.
- W03/W04: Assignments like `x = x;` or `attr = foo.attr;` should use
inherit syntax (`inherit x;` or `inherit (foo) attr;`).
nixfmt found RFC 166 formatting deviations in apps.nix and build.nix.
Signed-off-by: Nic Cope <nicc@rk0n.org>
The Renovate configuration mixed Earthly-specific and common settings in a single file. As main branch transitions to Nix while release branches continue using Earthly, this becomes hard to maintain.
This commit splits the configuration into separate files:
- renovate-base.json5: Common settings (baseBranches, k8s dep rules, schedules, vulnerability alerts)
- renovate-earthly.json5: Earthfile customManagers and post-upgrade tasks scoped to release branches
- renovate-nix.json5: Nix manager enabled with monthly flake.lock updates, post-upgrade tasks for main branch
The entrypoint script now installs both Earthly (for release branches) and Nix (for main) so post-upgrade tasks work regardless of which build tool the target branch uses.
Signed-off-by: Nic Cope <nicc@rk0n.org>
This makes them match builds run outside of nix.sh more closely. Signed-off-by: Nic Cope <nicc@rk0n.org>
Signed-off-by: Nic Cope <nicc@rk0n.org>
We won't be able to store it in /nix most of the time. It'd only work inside of nix.sh, since in native Nix /nix is owned by root. In native Nix shell history should survive devshell restarts anyway. Inside the container we can fix it if it becomes an issue. Signed-off-by: Nic Cope <nicc@rk0n.org>
Signed-off-by: Nic Cope <nicc@rk0n.org>
When running `./nix.sh run .#hack`, the kind cluster is created inside the Docker container. Without staying in that container, the user can't interact with the cluster using kubectl, helm, etc.
This commit adds a check for the NIX_SH_CONTAINER environment variable (set by nix.sh) and execs into `nix develop` after cluster setup. This gives the user an interactive shell with all the dev tools available while maintaining access to the cluster.
When running natively (`nix run .#hack`), behavior is unchanged.
Signed-off-by: Nic Cope <nicc@rk0n.org>
By default, writeShellApplication prepends runtimeInputs to PATH but still inherits the system PATH. This means apps can accidentally depend on tools like sed, grep, or coreutils that happen to exist on the build machine but aren't explicitly declared.
This commit sets inheritPath = false on all writeShellApplication calls, ensuring scripts can only use explicitly declared tools. Several apps needed additional dependencies that were previously provided implicitly:
- generate: coreutils, gnused (used by go generate tooling)
- hack: coreutils, gnugrep, nix (for grep, rm, and nix develop)
- promoteArtifacts: coreutils (for mktemp, rm)
Signed-off-by: Nic Cope <nicc@rk0n.org>
Signed-off-by: Nic Cope <nicc@rk0n.org>
This way new users only need Docker for it to run. Signed-off-by: Nic Cope <nicc@rk0n.org>
This seems more useful than linking to Nix website itself. The one pager links to said website. Signed-off-by: Nic Cope <nicc@rk0n.org>
Signed-off-by: Nic Cope <nicc@rk0n.org>
Description of your changes
Building here to try to use a Cachix auth token that doesn't exist upstream yet to populate the cache.
I have:
- Run earthly +reviewable to ensure this PR is ready for review.
- Added or updated unit tests.
- Added or updated e2e tests.
- Linked a PR or a docs tracking issue to document this change.
- Added backport release-x.y labels to auto-backport this PR.
- Followed the API promotion workflow if this PR introduces, removes, or promotes an API.
Need help with this checklist? See the cheat sheet.