commit ed64fca8cc2f1b2bd3e7415525ec8be4d597d139
parent a79b7705bd00980476ff56c3ba423363974ae1da
Author: triesap <tyson@radroots.org>
Date: Thu, 12 Mar 2026 20:41:28 +0000
ci: run workflows through flake apps
- install nix in github actions and route contract, coverage, release, and publish lanes through flake apps
- export sdk sync artifacts from the pinned nix environment and add a shared guards app for preflight checks
- replace ad hoc rust toolchain setup with flake-managed commands in oss workflows
- add scheduled flake.lock maintenance with an automated update pull request
Diffstat:
7 files changed, 94 insertions(+), 174 deletions(-)
diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml
@@ -30,16 +30,17 @@ jobs:
- name: checkout
uses: actions/checkout@v4
- - name: setup rust
- uses: dtolnay/rust-toolchain@stable
+ - name: install nix
+ uses: cachix/install-nix-action@v31
with:
- toolchain: 1.92.0
+ extra_nix_config: |
+ experimental-features = nix-command flakes
- - name: cache cargo
- uses: Swatinem/rust-cache@v2
+ - name: prime nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
- name: verify workspace
- run: cargo check --workspace
+ run: nix run .#check
- name: publish crates
env:
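Review bot: `uses: DeterminateSystems/magic-nix-cache-action@main` pins a third-party action to a mutable branch in the lane that goes on to publish crates, so whatever is pushed to that branch runs here against the fresh checkout and ahead of the step that carries the publish credentials (the `env:` block is cut off by the hunk, so which secrets it holds is not visible here). A compromised or merely broken `main` could alter the checked-out tree or the local Nix store before `nix run .#publish-crates` executes. Pin every action to a full commit SHA with the version in a trailing comment, e.g. `uses: DeterminateSystems/magic-nix-cache-action@<commit-sha> # vN`, and consider the same for `cachix/install-nix-action@v31` and `actions/checkout@v4`, since tags are movable too.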
@@ -64,7 +65,7 @@ jobs:
fi
if [ -n "${crates_input}" ]; then
- ./publish-crates.sh "${mode}" "${crates_input}"
+ nix run .#publish-crates -- "${mode}" "${crates_input}"
else
- ./publish-crates.sh "${mode}"
+ nix run .#publish-crates -- "${mode}"
fi
diff --git a/.github/workflows/release-preflight.yml b/.github/workflows/release-preflight.yml
@@ -10,22 +10,20 @@ jobs:
- name: checkout
uses: actions/checkout@v4
- - name: guard committed ts artifacts
- run: ./scripts/ci/guard_committed_ts_artifacts.sh
-
- - name: install rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ - name: install nix
+ uses: cachix/install-nix-action@v31
with:
- toolchain: 1.92.0
+ extra_nix_config: |
+ experimental-features = nix-command flakes
- - name: install nightly rust toolchain
- run: rustup toolchain install nightly --profile minimal
+ - name: prime nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
- - name: install cargo llvm-cov
- uses: taiki-e/install-action@cargo-llvm-cov
+ - name: run repo guards
+ run: nix run .#guards
- name: run release preflight
- run: ./scripts/ci/release_preflight.sh
+ run: nix run .#release-preflight
- name: upload release preflight artifacts
uses: actions/upload-artifact@v4
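Review bot: `nix run .#guards` now also runs guard_no_legacy_identifiers.sh in the release preflight lane, because the `guards` app in nix/apps.nix chains both scripts, whereas the removed step only ran guard_committed_ts_artifacts.sh; if widening the gate is intended the commit message should say so, otherwise keep a single-guard app for this lane. The guards also moved from first step to after the Nix install and cache priming, so a guard failure now costs a toolchain download before it fails. The same `magic-nix-cache-action@main` floating ref appears here and should be pinned to a commit SHA. The upload step that follows starts outside the hunk.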
diff --git a/.github/workflows/sdk-contract-ci.yml b/.github/workflows/sdk-contract-ci.yml
@@ -13,48 +13,17 @@ jobs:
- name: checkout
uses: actions/checkout@v4
- - name: guard committed ts artifacts
- run: ./scripts/ci/guard_committed_ts_artifacts.sh
-
- - name: guard legacy identifiers
- run: ./scripts/ci/guard_no_legacy_identifiers.sh
-
- - name: install rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ - name: install nix
+ uses: cachix/install-nix-action@v31
with:
- toolchain: 1.92.0
-
- - name: cargo check
- run: |
- cargo check -q \
- -p xtask \
- -p radroots-core \
- -p radroots-types \
- -p radroots-events \
- -p radroots-trade \
- -p radroots-identity \
- -p radroots-replica-db-schema \
- -p radroots-events-codec \
- -p radroots-events-codec-wasm
-
- - name: cargo test
- run: |
- cargo test -q \
- -p xtask \
- -p radroots-core \
- -p radroots-types \
- -p radroots-events \
- -p radroots-trade \
- -p radroots-identity \
- -p radroots-replica-db-schema \
- -p radroots-events-codec \
- -p radroots-events-codec-wasm
+ extra_nix_config: |
+ experimental-features = nix-command flakes
- - name: validate sdk contract
- run: cargo run -q -p xtask -- sdk validate
+ - name: prime nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
- - name: export ts sdk artifacts
- run: cargo run -q -p xtask -- sdk export-ts --out target/sdk-export-ci
+ - name: run contract lane
+ run: nix run .#contract
- name: upload export manifest
uses: actions/upload-artifact@v4
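Review bot: the single `nix run .#contract` step replaces a check and a test over an explicit crate list, `sdk validate`, and `sdk export-ts --out target/sdk-export-ci`, but the `contract` app is not part of this diff, so nothing here shows it still writes to `target/sdk-export-ci`, which the `upload export manifest` step beginning at the hunk's edge presumably reads. If the app accepts an output path, pass it explicitly, `run: nix run .#contract -- --out target/sdk-export-ci`, so the coupling between this step and the upload step stays visible in the workflow. `magic-nix-cache-action@main` should be pinned to a commit SHA as elsewhere.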
diff --git a/.github/workflows/sdk-core-sync-pr.yml b/.github/workflows/sdk-core-sync-pr.yml
@@ -23,8 +23,17 @@ jobs:
- name: checkout
uses: actions/checkout@v4
- - name: guard committed ts artifacts
- run: ./scripts/ci/guard_committed_ts_artifacts.sh
+ - name: install nix
+ uses: cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+
+ - name: prime nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
+
+ - name: run repo guards
+ run: nix run .#guards
- name: detect sync token
id: sync_token
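Review bot: the unpinned `DeterminateSystems/magic-nix-cache-action@main` step runs in the same job that later handles `radroots_sdk_sync_token` (the configured-check is on the following lines), so a mutated `main` could stage changes in the workspace that the token-bearing steps then push; pin it to a full commit SHA. Also note that this lane now runs guard_no_legacy_identifiers.sh in addition to the artifact guard it previously ran, per the `guards` app in nix/apps.nix, which is a scope change the commit message does not mention.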
@@ -39,25 +48,11 @@ jobs:
if: steps.sync_token.outputs.configured != 'true'
run: echo "radroots_sdk_sync_token is not configured; skipping sdk sync workflow"
- - name: install rust toolchain
- if: steps.sync_token.outputs.configured == 'true'
- uses: dtolnay/rust-toolchain@stable
- with:
- toolchain: 1.92.0
-
- name: export ts sdk artifacts
if: steps.sync_token.outputs.configured == 'true'
run: |
export_dir="${{ runner.temp }}/sdk-export"
- for crate_name in \
- radroots-core \
- radroots-types \
- radroots-events \
- radroots-trade \
- radroots-identity \
- radroots-events-codec-wasm; do
- cargo run -q -p xtask -- sdk export-ts-crate --crate "${crate_name}" --out "${export_dir}"
- done
+ nix run .#export-ts -- --out "${export_dir}"
test -f "${export_dir}/ts/export-manifest.json"
- name: check required export artifacts
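Review bot: `nix run .#export-ts -- --out "${export_dir}"` replaces an explicit loop over six named crates (radroots-core through radroots-events-codec-wasm), and the app's crate list is not in this diff, so whether the same set is exported cannot be confirmed from here; the `test -f` on the manifest only proves the app ran. The `check required export artifacts` step that follows starts outside the hunk and is where per-crate assertions presumably live; if it still enumerates those six crates, that list and the app's list should be derived from one source so they cannot drift silently.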
diff --git a/.github/workflows/sdk-coverage-ci.yml b/.github/workflows/sdk-coverage-ci.yml
@@ -17,109 +17,17 @@ jobs:
- name: checkout
uses: actions/checkout@v4
- - name: install rust toolchain
- uses: dtolnay/rust-toolchain@stable
+ - name: install nix
+ uses: cachix/install-nix-action@v31
with:
- toolchain: 1.92.0
+ extra_nix_config: |
+ experimental-features = nix-command flakes
- - name: install nightly rust toolchain
- run: rustup toolchain install nightly --profile minimal
-
- - name: install cargo llvm-cov
- uses: taiki-e/install-action@cargo-llvm-cov
+ - name: prime nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
- name: run sdk coverage report set
- run: |
- set -euo pipefail
- mkdir -p target/sdk-coverage
- : > target/sdk-coverage/coverage-report-status.txt
- cargo run -q -p xtask -- sdk coverage workspace-crates > /tmp/radroots_workspace_coverage_crates.txt
- while IFS= read -r crate; do
- [ -n "${crate}" ] || continue
- safe_crate="${crate//-/_}"
- run_dir="target/sdk-coverage/${safe_crate}"
- mkdir -p "${run_dir}"
- status="ok"
-
- if ! cargo run -q -p xtask -- sdk coverage run-crate --crate "${crate}" --out "${run_dir}" --test-threads 1; then
- status="run-failed"
- fi
-
- if [ "${status}" = "ok" ] && ! cargo run -q -p xtask -- sdk coverage report \
- --scope "${crate}" \
- --summary "${run_dir}/coverage-summary.json" \
- --lcov "${run_dir}/coverage-lcov.info" \
- --out "${run_dir}/coverage-gate-summary.json" \
- --fail-under-exec-lines 0 \
- --fail-under-functions 0 \
- --fail-under-regions 0 \
- --fail-under-branches 0; then
- status="report-failed"
- fi
-
- if [ "${status}" != "ok" ]; then
- cat > "${run_dir}/coverage-gate-summary.json" <<JSON
- {
- "scope": "${crate}",
- "thresholds": {
- "executable_lines": 0,
- "functions": 0,
- "regions": 0,
- "branches": 0,
- "branches_required": false
- },
- "measured": {
- "executable_lines_percent": 0,
- "executable_lines_source": "da",
- "functions_percent": 0,
- "branches_percent": null,
- "branches_available": false,
- "summary_lines_percent": 0,
- "summary_regions_percent": 0
- },
- "counts": {
- "executable_lines": {
- "covered": 0,
- "total": 0
- },
- "branches": {
- "covered": 0,
- "total": 0
- }
- },
- "result": {
- "pass": false,
- "fail_reasons": [
- "${status}"
- ]
- }
- }
-JSON
- fi
-
- echo "${crate}:${status}" >> target/sdk-coverage/coverage-report-status.txt
- done < /tmp/radroots_workspace_coverage_crates.txt
-
- - name: enforce blocking required coverage gates
- run: |
- set -euo pipefail
- cargo run -q -p xtask -- sdk coverage required-crates > /tmp/radroots_required_coverage_crates.txt
-
- while IFS= read -r crate; do
- [ -n "${crate}" ] || continue
- safe_crate="${crate//-/_}"
- crate_dir="target/sdk-coverage/${safe_crate}"
- cargo run -q -p xtask -- sdk coverage report \
- --scope "${crate}-blocking" \
- --summary "${crate_dir}/coverage-summary.json" \
- --lcov "${crate_dir}/coverage-lcov.info" \
- --out "${crate_dir}/coverage-gate-blocking.json" \
- --fail-under-exec-lines 100 \
- --fail-under-functions 100 \
- --fail-under-regions 100 \
- --fail-under-branches 100 \
- --require-branches
- done < /tmp/radroots_required_coverage_crates.txt
+ run: nix run .#coverage-report
- name: upload sdk coverage reports
uses: actions/upload-artifact@v4
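Review bot: the removed inline script had two distinct stages, a tolerant report set that wrote a synthetic failing `coverage-gate-summary.json` on error and a separate blocking step that failed the job when any crate from `sdk coverage required-crates` fell under 100% with `--require-branches`, and the single `nix run .#coverage-report` step gives no visible guarantee that the blocking exit status survives, since the app is not in this diff. If the app wraps both stages, make sure the second stage's non-zero exit propagates (the old script relied on `set -euo pipefail`), or keep two steps, `run: nix run .#coverage-report` followed by a separate `run: nix run .#coverage-gate`, so the upload step below (whose `if:` condition is outside the hunk) keeps the same failure semantics. The `@main` pin on magic-nix-cache-action should be a commit SHA.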
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
@@ -0,0 +1,40 @@
+name: update-flake-lock
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "0 9 * * 1"
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+
+ - name: install nix
+ uses: cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+
+ - name: prime nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
+
+ - name: update flake lock
+ run: nix flake update
+
+ - name: create pull request
+ uses: peter-evans/create-pull-request@v7
+ with:
+ branch: ci/update-flake-lock
+ commit-message: "ci: update flake lock"
+ title: "ci: update flake lock"
+ body: |
+ - refresh pinned flake inputs
+ - update flake.lock with the latest upstream revisions
+ - generated by the scheduled lock maintenance workflow
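Review bot: `DeterminateSystems/magic-nix-cache-action@main` runs here with a `GITHUB_TOKEN` granted `contents: write` and `pull-requests: write`, so a change to that branch could push to this repository; pin it to a full commit SHA or drop the step entirely, since `nix flake update` only refreshes input metadata and builds nothing worth caching. Separately, a pull request opened with the default `GITHUB_TOKEN` does not trigger other workflows, so the contract, coverage and preflight lanes will not run on the lock bump unless `peter-evans/create-pull-request` is given a `token:` from a GitHub App or a narrowly scoped PAT; without that, merging pulls untested upstream revisions into every lane. A `concurrency:` group would also stop a manual dispatch from racing the scheduled run on the same `ci/update-flake-lock` branch.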
diff --git a/nix/apps.nix b/nix/apps.nix
@@ -61,6 +61,15 @@ in
'';
};
+ guards = mkRepoApp {
+ name = "guards";
+ runtimeInputs = common.runtimeInputs.stable;
+ command = ''
+ ./scripts/ci/guard_committed_ts_artifacts.sh
+ ./scripts/ci/guard_no_legacy_identifiers.sh
+ '';
+ };
+
fmt = mkRepoApp {
name = "fmt";
runtimeInputs = common.runtimeInputs.stable ++ [
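Review bot: the `guards` app runs the two scripts as consecutive lines, so unless `mkRepoApp` (defined outside this hunk) enables errexit, a failing guard_committed_ts_artifacts.sh is masked by a passing second script and the app exits 0. Either chain them, `./scripts/ci/guard_committed_ts_artifacts.sh && ./scripts/ci/guard_no_legacy_identifiers.sh`, or begin the command with `set -euo pipefail`, and add a comment above the attribute such as `# Single preflight gate shared by the release, contract and sdk-sync workflows; every guard must fail the app.` The `fmt` definition below continues past the hunk.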