ci: extract build-to-cachix.sh

Needed by the following commits.
Also, don't use the cachix cache as a substituter for local, non-CI
builds. This obviates the need for the 'untrusted' warning in build.sh.
Erik Arvstedt 2020-12-11 13:26:07 +01:00
parent a70c3bf210
commit 466d23deaa
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
2 changed files with 57 additions and 53 deletions

50
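--- a/ci/build-to-cachix.sh
+++ b/ci/build-to-cachix.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Build a single-output derivation and store it in 'cachixCache'.
+# Skip the build if it is already cached.
+# Accepts the same arguments as nix-instantiate.
+set -euo pipefail
+CACHIX_SIGNING_KEY=${CACHIX_SIGNING_KEY:-}
+cachixCache=nix-bitcoin
+trap 'echo Error at line $LINENO' ERR
+atExit() {
+rm -rf $tmpDir
+if [[ -v cachixPid ]]; then kill $cachixPid; fi
+}
+tmpDir=$(mktemp -d -p /tmp)
+trap atExit EXIT
+## Instantiate
+time nix-instantiate "$@" --add-root $tmpDir/drv --indirect > /dev/null
+printf "instantiated "; realpath $tmpDir/drv
+outPath=$(nix-store --query $tmpDir/drv)
+if nix path-info --store https://$cachixCache.cachix.org $outPath &>/dev/null; then
+echo "$outPath has already been built successfully."
+exit 0
+fi
+## Build
+if [[ -v CIRRUS_CI ]]; then
+cachix use $cachixCache
+fi
+if [[ $CACHIX_SIGNING_KEY ]]; then
+# Speed up task by uploading store paths as soon as they are created
+cachix push $cachixCache --watch-store &
+cachixPid=$!
+fi
+nix-build --out-link $tmpDir/result $tmpDir/drv >/dev/null
+if [[ $CACHIX_SIGNING_KEY ]]; then
+cachix push $cachixCache $outPath
+fi
+echo $outPath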
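Review bot: The two `if [[ $CACHIX_SIGNING_KEY ]]` guards lost their rationale in the move: the old build.sh explained that Cirrus does not expose secrets to pull-request builds, so uploading is skipped there, and the new file carries no such comment. I would restore it above the first guard, `# Cirrus doesn't expose secrets to pull-request builds, so skip cache uploading in this case`, because it records that an empty key is an expected state and not a misconfiguration. Separately, `atExit` expands `$tmpDir` and `$cachixPid` unquoted; `rm -rf -- "$tmpDir"` is the safer form for a recursive delete.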


@ -3,44 +3,21 @@
# This script can also be run locally for testing: # This script can also be run locally for testing:
# scenario=default ./build.sh # scenario=default ./build.sh
# #
# WARNING: This script fetches contents from an untrusted $cachixCache to your local nix-store.
#
# When variable CIRRUS_CI is unset, this script leaves no persistent traces on the host system. # When variable CIRRUS_CI is unset, this script leaves no persistent traces on the host system.
set -euo pipefail set -euo pipefail
scenario=${scenario:-} scenario=${scenario:-}
CACHIX_SIGNING_KEY=${CACHIX_SIGNING_KEY:-}
cachixCache=nix-bitcoin
trap 'echo Error at line $LINENO' ERR if [[ -v CIRRUS_CI && $scenario ]]; then
if [[ -v CIRRUS_CI ]]; then
tmpDir=/tmp
if [[ $scenario ]]; then
if [[ ! -e /dev/kvm ]]; then if [[ ! -e /dev/kvm ]]; then
>&2 echo "No KVM available on VM host." >&2 echo "No KVM available on VM host."
exit 1 exit 1
fi fi
# Enable KVM access for nixbld users # Enable KVM access for nixbld users
chmod o+rw /dev/kvm chmod o+rw /dev/kvm
fi
else
atExit() {
rm -rf $tmpDir
if [[ -v cachixPid ]]; then kill $cachixPid; fi
}
tmpDir=$(mktemp -d -p /tmp)
trap atExit EXIT
# Prevent cachix from writing to HOME
export HOME=$tmpDir
fi fi
cachix use $cachixCache
cd "${BASH_SOURCE[0]%/*}"
## Build
echo "$NIX_PATH ($(nix eval --raw nixpkgs.lib.version))" echo "$NIX_PATH ($(nix eval --raw nixpkgs.lib.version))"
if [[ $scenario ]]; then if [[ $scenario ]]; then
@ -49,27 +26,4 @@ else
buildExpr="import ./build.nix" buildExpr="import ./build.nix"
fi fi
time nix-instantiate -E "$buildExpr" --add-root $tmpDir/drv --indirect > /dev/null "${BASH_SOURCE[0]%/*}/build-to-cachix.sh" -E "$buildExpr"
printf "instantiated "; realpath $tmpDir/drv
outPath=$(nix-store --query $tmpDir/drv)
if nix path-info --store https://$cachixCache.cachix.org $outPath &>/dev/null; then
echo "$outPath" has already been built successfully.
exit 0
fi
# Cirrus doesn't expose secrets to pull-request builds,
# so skip cache uploading in this case
if [[ $CACHIX_SIGNING_KEY ]]; then
# Speed up task by uploading store paths as soon as they are created
cachix push $cachixCache --watch-store &
cachixPid=$!
fi
nix-build --out-link $tmpDir/result $tmpDir/drv >/dev/null
if [[ $CACHIX_SIGNING_KEY ]]; then
cachix push $cachixCache $outPath
fi
echo $outPath
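Review bot: The new last line builds the helper's path with `${BASH_SOURCE[0]%/*}`, which leaves the value unchanged when the script is started without a slash in its name (for example `bash build.sh`), so the call becomes `build.sh/build-to-cachix.sh` and fails. `"$(dirname "${BASH_SOURCE[0]}")/build-to-cachix.sh" -E "$buildExpr"` handles both cases. The `cd "${BASH_SOURCE[0]%/*}"` line also appears to be dropped on the new side (it is printed only once in this rendering, so this is inferred), while `buildExpr="import ./build.nix"` stays relative. If so, which expression gets evaluated depends on the caller's working directory, and it is worth anchoring that path to the script's directory as well.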