Commit 694bb1c

WIP: build: use stable nix to build git-bug and subpackages
This change refactors all tooling to use stable nix to build the project's packages (the git-bug binary and web ui). Support for the experimental features of nix that were previously in use was removed: `flakes` and `nix-command`. This requires updating many different parts of the development toolchain, namely: CI, internal tools, and documentation. As a result of this, onboarding has been simplified (as users no longer need to add support for the experimental features), nix is now exclusively being used to build in CI, and is the recommended golden path outside of CI (for correctness guarantees, at least).

A `release-binaries` drv has been added that builds git-bug for a variety of platforms to support moving away from gox (and add support for `darwin/arm64`).

When evaluating the treefmt configuration, optimizations were realized:

- zizmor is being used instead of pinact for performing analysis of pipelines defined in //.github/workflows. As a result of this, changes were made to improve pipeline security
- codespell configuration has been updated to include hidden files by default, and to skip over additional generated files
- treefmt verbosity was changed so that additional information is shown during its execution
- treefmt will no longer emit messages about unmatched files by default (but will if debug logging is enabled)

This is one of the rare cases in which I'll submit a change that crosses multiple logical boundaries and closes several issues at once, but the nature of this change opened up the possibility to do so fairly neatly. I hope that this brings about a simpler experience for contributors to this project, and for downstream consumers (packagers and source-builders).

Closes: #1491
Closes: #1418
Closes: #1508
Change-Id: I3fb65c84c9c1a98b045548802d5710de9b117b2e

# Conflicts:
# Makefile
1 parent c098c21 commit 694bb1c

36 files changed

Lines changed: 1311 additions & 753 deletions

.codespellrc

Lines changed: 2 additions & 1 deletion
@@ -1,5 +1,6 @@
11
[codespell]
2-
skip = .git,.venv,*.svg,*/package-lock.json,go.mod,go.sum,./misc/completion/*
2+
check-hidden = true
3+
skip = CHANGELOG.md,.direnv/*,.git,*.svg,*/package-lock.json,go.mod,go.sum,misc/completion/*/,webui/node_modules/*
34
# ot,fo,te - used as short variable names
45
# optionall - OptionAll but codespell is case insensitive
56
# testing - TestIn
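Review bot: enabling `check-hidden = true` while dropping `.venv` from `skip` means a contributor's local virtualenv (a hidden directory) is now scanned in full; keep `.venv` (or `.venv/*`) in the list alongside the newly added `.direnv/*`. The remaining additions (`CHANGELOG.md`, `webui/node_modules/*`) are generated or third-party content and are the right things to exclude.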

.envrc

Lines changed: 16 additions & 12 deletions
@@ -1,21 +1,25 @@
1-
# this is required for versions of direnv older than 2.29.0, since they do not
2-
# support `use flake`, and is recommended in all cases, since it caches the
3-
# environment and prevents dependencies from being garbage-collected by nix.
1+
# ensure that nix-direnv is available at the minimum specified version (or
2+
# greater). this supports caching of the dev shell, which greatly reduces the
3+
# loading time of activations after the first.
44
if ! has nix_direnv_version || ! nix_direnv_version 3.0.5; then
55
source_url \
66
"https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.5/direnvrc" \
77
"sha256-RuwIS+QKFj/T9M2TFXScjBsLR6V3A17YVoEW/Q6AZ1w="
88
fi
99

10-
# allow extending this .envrc with a user-defined .envrc.local
10+
# allow extending this .envrc with a user-defined .envrc.local. note that if
11+
# this exists, it is automatically watched for changes
1112
source_env_if_exists .envrc.local
1213

13-
# load the development shell defined in the flake.nix file
14-
# note: this automatically watches the following files:
15-
# - flake.nix
16-
# - flake.lock
17-
use flake
14+
# ancillary files to watch for changes. these files are included in the
15+
# development shell and as such, the shell should be reloaded after changes
16+
watch_file shell-hook.bash
17+
watch_file ci/default.nix
1818

19-
# files to watch
20-
watch_file .envrc.local
21-
watch_file flake-hook.bash
19+
# load the development shell defined in the flake.nix file
20+
# note that this automatically watches the following files:
21+
# $HOME/.direnvrc
22+
# $HOME/.config/direnv/direnvrc
23+
# shell.nix
24+
# default.nix
25+
use nix
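Review bot: the comment above `use nix` (line 19+) still says the development shell is "defined in the flake.nix file", but this hunk replaces `use flake` with `use nix`, which evaluates `shell.nix` or `default.nix` (the files the same comment goes on to list); reword it so it does not point readers at a flake this commit is moving away from. The rest is sound: keeping `source_url` pinned to a fixed nix-direnv release with its `sha256-` hash means the bootstrap script is integrity-checked instead of fetched from a moving branch, and the explicit `watch_file` entries for `shell-hook.bash` and `ci/default.nix` keep the cached shell from going stale when those inputs change.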

.github/workflows/build-and-test.yml

Lines changed: 29 additions & 11 deletions
@@ -3,12 +3,23 @@ name: build-and-test
33

44
on:
55
workflow_call:
6+
secrets:
7+
github-test-token:
8+
required: true
9+
github-token-private:
10+
required: true
11+
github-token-public:
12+
required: true
13+
gitlab-api-token:
14+
required: true
15+
gitlab-project-id:
16+
required: true
617

718
permissions:
819
contents: read
920

1021
jobs:
11-
with-go:
22+
git-bug:
1223
strategy:
1324
matrix:
1425
go-version: [1.24.2]
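Review bot: declaring each secret under `workflow_call.secrets` with `required: true` instead of relying on `secrets: inherit` is the right least-privilege direction: the reusable workflow now receives only the five values it names, and a caller that omits one fails up front rather than at test time. One nit: renaming the job from `with-go` to `git-bug` changes the check name, so any branch-protection rule that lists the old name needs updating in the same change.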
@@ -17,6 +28,8 @@ jobs:
1728
steps:
1829
- name: Check out code
1930
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
31+
with:
32+
persist-credentials: false
2033

2134
- name: Set up Go ${{ matrix.go-version }}
2235
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
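Review bot: `persist-credentials: false` stops the job's `GITHUB_TOKEN` from being written into `.git/config`, so nothing that runs later in this job (including tools invoked from `go test`) can silently reuse it; this job only builds and tests, so no step should depend on the persisted credential.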
@@ -27,16 +40,16 @@ jobs:
2740
run: make
2841

2942
- name: Test
30-
run: make test
43+
run: nix-shell --run 'go test -v -bench=. ./...'
3144
env:
3245
GITHUB_USER: ${{ env.TEST_USER_GITHUB }}
33-
GITHUB_TOKEN: ${{ secrets.TEST_TOKEN_GITHUB }}
34-
GITHUB_TOKEN_PRIVATE: ${{ secrets._GITHUB_TOKEN_PRIVATE }}
35-
GITHUB_TOKEN_PUBLIC: ${{ secrets._GITHUB_TOKEN_PUBLIC }}
36-
GITLAB_API_TOKEN: ${{ secrets.GITLAB_API_TOKEN }}
37-
GITLAB_PROJECT_ID: ${{ secrets.GITLAB_PROJECT_ID }}
46+
GITHUB_TOKEN: ${{ secrets.github-test-token }}
47+
GITHUB_TOKEN_PRIVATE: ${{ secrets.github-token-private }}
48+
GITHUB_TOKEN_PUBLIC: ${{ secrets.github-token-public }}
49+
GITLAB_API_TOKEN: ${{ secrets.gitlab-api-token }}
50+
GITLAB_PROJECT_ID: ${{ secrets.gitlab-project-id }}
3851

39-
with-node:
52+
web-ui:
4053
runs-on: ubuntu-latest
4154
strategy:
4255
matrix:
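Review bot: the test step now runs inside `nix-shell`, but the `Build` step two lines above still runs `make` against the toolchain installed by `actions/setup-go` (matrix `go-version: 1.24.2`), so build and tests can end up on different Go versions and module caches; either run both through `nix-shell` or drop the setup-go matrix for this job. Also confirm that a nix installer step exists earlier in this job (the previous hunk shows checkout followed directly by setup-go, and none is visible here), otherwise `nix-shell` is not on `PATH` and the step fails. Mapping the env vars to the kebab-case secret inputs matches the new `workflow_call` declarations.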
@@ -52,6 +65,8 @@ jobs:
5265

5366
- name: Check out code
5467
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
68+
with:
69+
persist-credentials: false
5570

5671
- uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
5772

@@ -73,9 +88,12 @@ jobs:
7388
runs-on: ${{ matrix.platform }}
7489
steps:
7590
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
91+
with:
92+
persist-credentials: false
7693

77-
- uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
78-
79-
- uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1.2.1
94+
- uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
95+
with:
96+
extra_nix_config: |
97+
experimental-features =
8098
8199
- run: nix flake check
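Review bot: this hunk sets `extra_nix_config: experimental-features =` to an empty value, which disables `nix-command` and `flakes`, but the unchanged line directly below still runs `nix flake check`; that command needs both features and will fail under this configuration. Replace it with the stable equivalent (a `nix-build ci --no-out-link -A checks.<name>` call like the ones in lint.yml) or remove the step. Collapsing the nix-installer/nix-develop pair into a single pinned `install-nix-action` and adding `persist-credentials: false` on checkout are both fine.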

.github/workflows/lint.yml

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
---
2+
name: lint
3+
4+
on:
5+
workflow_call:
6+
7+
permissions: {}
8+
9+
defaults:
10+
run:
11+
shell: bash
12+
13+
jobs:
14+
check-formatting:
15+
runs-on: ubuntu-latest
16+
timeout-minutes: 3
17+
steps:
18+
- &checkout
19+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
20+
with:
21+
persist-credentials: false
22+
23+
- &install-nix
24+
uses: cachix/install-nix-action@2126ae7fc54c9df00dd18f7f18754393182c73cd # v31.9.1
25+
with:
26+
extra_nix_config: |
27+
experimental-features =
28+
29+
- name: Check that files are formatted
30+
run: |
31+
if ! nix-build ci --no-out-link -A checks.fmt; then
32+
echo "One or more files are not formatted correctly."
33+
echo "Please run the formatter by changing to the root directory and running one of:"
34+
echo " nix-shell --run treefmt"
35+
echo " nix develop --command treefmt"
36+
echo "Make sure your branch is up to date with trunk; rebase if not."
37+
echo "If you're having trouble, please reach out to us at #git-bug-general:matrix.org."
38+
exit 1
39+
fi
40+
41+
parse-nix-files:
42+
runs-on: ubuntu-latest
43+
timeout-minutes: 3
44+
steps:
45+
- *checkout
46+
- *install-nix
47+
- name: Parse nix files
48+
run: |-
49+
if ! nix-build ci --no-out-link -A checks.parse-nix-files; then
50+
printf "%s\n" \
51+
"One or more nix files are invalid.
52+
fi
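Review bot: the `parse-nix-files` step's `printf` argument (line 51+) opens a double-quoted string, `"One or more nix files are invalid.`, that is never closed before `fi`, so bash aborts with an unexpected-EOF syntax error regardless of what `nix-build` returned; close the quote and give it the same remediation hint the `check-formatting` step prints. Also, that hint suggests `nix develop --command treefmt`, but this very workflow sets `experimental-features =` to empty, which disables the `nix-command`/`flakes` features `nix develop` needs; keep only the `nix-shell --run treefmt` variant. `permissions: {}` and the 3-minute timeouts on both jobs are good defaults for lint jobs.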

.github/workflows/presubmit.yml

Lines changed: 9 additions & 1 deletion
@@ -24,6 +24,14 @@ permissions:
2424
contents: read
2525

2626
jobs:
27+
lint:
28+
uses: ./.github/workflows/lint.yml
29+
2730
build-and-test:
2831
uses: ./.github/workflows/build-and-test.yml
29-
secrets: inherit
32+
secrets:
33+
github-test-token: ${{ secrets.TEST_TOKEN_GITHUB }}
34+
github-token-private: ${{ secrets._GITHUB_TOKEN_PRIVATE }}
35+
github-token-public: ${{ secrets._GITHUB_TOKEN_PUBLIC }}
36+
gitlab-api-token: ${{ secrets.GITLAB_API_TOKEN }}
37+
gitlab-project-id: ${{ secrets.GITLAB_PROJECT_ID }}
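Review bot: replacing `secrets: inherit` with an explicit five-entry mapping is the right least-privilege change; the called workflow no longer sees every repository secret. The new `lint` job is called without `permissions:` or `secrets:`, which is fine because lint.yml declares `permissions: {}` itself. The same mapping is repeated verbatim in trunk.yml; a short comment in build-and-test.yml describing what each required input is for would help keep the two callers in sync.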

.github/workflows/release.yml

Lines changed: 29 additions & 21 deletions
@@ -14,7 +14,7 @@ permissions:
1414
contents: read
1515

1616
jobs:
17-
build-release:
17+
build-and-release:
1818
runs-on: "ubuntu-latest"
1919
permissions:
2020
# unfortunately, this is necessary for creating the release. there is a
@@ -24,31 +24,39 @@ jobs:
2424
# [0]: https://github.com/orgs/community/discussions/68252
2525
contents: write
2626
steps:
27-
- name: Check out code
28-
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
29-
30-
- name: Set up Go
31-
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
27+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
3228
with:
33-
go-version: 1.24.2
34-
35-
- name: Build
36-
run: make
29+
persist-credentials: false
3730

3831
- name: Setup minimal git config
3932
run: |
40-
git config --global user.email "action@github.com"
41-
git config --global user.name "GitHub Action"
33+
git config --global user.email "bot@git-bug.org"
34+
git config --global user.name "git-bug"
4235
43-
- name: Test
44-
run: make test
36+
- name: Test with go
37+
run: nix-shell --run "go test -v -bench=. ./..."
4538

46-
- name: Build binaries
47-
run: make releases
39+
- name: Determine version string
40+
id: version-string
41+
run: |
42+
v=$(git describe --match='v*' --always --dirty --broken)
43+
echo "value=${v}" >> "$GITHUB_OUTPUT"
4844
49-
- uses: marvinpinto/action-automatic-releases@919008cf3f741b179569b7a6fb4d8860689ab7f0 # v1.2.1
45+
- name: Build release binaries
46+
env:
47+
VERSION: ${{ steps.version-string.outputs.value }}
48+
run: |
49+
nix-build -A release --argstr version "$VERSION"
50+
51+
# this is the symlink to the native output artifact, built by the
52+
# `default` derivation when the host system is linux or macos. because
53+
# this job runs on 64-bit linux, we manually rename it so that the
54+
# artifact uploaded to the GitHub Release is appropriately named for
55+
# end users
56+
mv ./result/bin/git-bug ./result/bin/git-bug-linux-amd64
57+
echo '- version built: `${VERSION}`' >> "$GITHUB_STEP_SUMMARY"
58+
59+
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
5060
with:
51-
repo_token: "${{ secrets.GITHUB_TOKEN }}"
52-
draft: true
53-
prerelease: false
54-
files: dist/*
61+
files: result/*
62+

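Review bot: two shell problems in the `Build release binaries` step. First, `./result` is a symlink into the nix store, whose paths are made read-only once built, so `mv ./result/bin/git-bug ./result/bin/git-bug-linux-amd64` will fail with a permission error; copy the outputs into a writable staging directory (for example `cp -rL result/bin dist`), rename there, and point `files:` at that directory. Second, `echo '- version built: `${VERSION}`'` is single-quoted, so the literal text `${VERSION}` lands in the step summary instead of the version string; use double quotes with the backticks escaped, or `printf`. Separately, the commit message says the new derivation is `release-binaries`, but the step builds `-A release`; one of the two should change. Dropping `draft: true` means `softprops/action-gh-release` now publishes immediately on tag push rather than leaving a draft for review, which deserves a sentence in the commit message if intended, and since `files: result/*` expands to the `bin` directory rather than to the binaries inside it, verify the action uploads the individual files you expect.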
.github/workflows/scan.yml

Lines changed: 1 addition & 0 deletions
@@ -22,6 +22,7 @@ jobs:
2222
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2323
with:
2424
fetch-depth: 2
25+
persist-credentials: false
2526

2627
- name: Initialize CodeQL
2728
uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
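Review bot: `persist-credentials: false` is safe here; the CodeQL init/analyze steps receive their token through the action's own input rather than through a credential left in `.git/config`, and `fetch-depth: 2` is unaffected.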

.github/workflows/trunk.yml

Lines changed: 8 additions & 1 deletion
@@ -21,7 +21,12 @@ permissions:
2121
jobs:
2222
build-and-test:
2323
uses: ./.github/workflows/build-and-test.yml
24-
secrets: inherit
24+
secrets:
25+
github-test-token: ${{ secrets.TEST_TOKEN_GITHUB }}
26+
github-token-private: ${{ secrets._GITHUB_TOKEN_PRIVATE }}
27+
github-token-public: ${{ secrets._GITHUB_TOKEN_PUBLIC }}
28+
gitlab-api-token: ${{ secrets.GITLAB_API_TOKEN }}
29+
gitlab-project-id: ${{ secrets.GITLAB_PROJECT_ID }}
2530

2631
benchmark:
2732
runs-on: ubuntu-latest
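Review bot: this explicit secret mapping is identical to the one added in presubmit.yml and correctly stops the reusable workflow from inheriting every repository secret; both callers must now be kept in step with the `required: true` inputs in build-and-test.yml, so document the inputs there rather than in each caller.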
@@ -30,6 +35,8 @@ jobs:
3035
deployments: write
3136
steps:
3237
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
38+
with:
39+
persist-credentials: false
3340

3441
- uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
3542
with:
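Review bot: the `benchmark` job holds `deployments: write` (context line 30/35), so with `persist-credentials: false` confirm the step that publishes benchmark results (not shown in this hunk) receives its token through an explicit input; it can no longer fall back on the credential checkout used to persist.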

.gitignore

Lines changed: 16 additions & 10 deletions
@@ -1,19 +1,25 @@
1-
git-bug
2-
!/misc/completion/bash/git-bug
3-
!/misc/completion/fish/git-bug
4-
!/misc/completion/powershell/git-bug
5-
!/misc/completion/zsh/git-bug
6-
.gitkeep
7-
dist
8-
coverage.txt
1+
# go compiler output file
2+
/git-bug
3+
4+
# test binaries built with go test -c
5+
*.test
6+
7+
# code coverage and test artifacts
8+
*.out
9+
coverage.*
10+
*.coverprofile
11+
profile.cov
12+
13+
# editor configuration
914
.idea/
10-
.git_bak*
15+
.vscode/
1116

1217
# nix and direnv related tooling
1318
.envrc
1419
.envrc.local
1520
/.direnv/
1621
!/.envrc
1722

18-
# nix output directory from `nix build` commands
23+
# symlinks to nix-store output dirs, created by `nix-build`
1924
/result
25+
/result-*
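Review bot: `*.out` is broad enough to hide any non-coverage `.out` file a contributor adds, and `coverage.*` already covers the `coverage.out` case; consider narrowing or dropping it. Anchoring `/git-bug` to the repository root is cleaner than the old unanchored `git-bug` plus four `!/misc/completion/...` negations, and removing `dist` is consistent with release.yml no longer writing to it. Adding `/result-*` beside `/result` correctly covers the extra symlinks `nix-build` creates when several attributes or outputs are built.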
