NilFoundation
diff --git a/‎.github/actions/setup-nix-macos/action.yml‎
Lines changed: 118 additions & 0 deletions b/‎.github/actions/setup-nix-macos/action.yml‎
Lines changed: 118 additions & 0 deletions
diff --git a/‎.github/workflows/build_artifacts.yml‎
Lines changed: 18 additions & 51 deletions b/‎.github/workflows/build_artifacts.yml‎
Lines changed: 18 additions & 51 deletions
diff --git a/‎.github/workflows/cluster_ci.yml‎
Lines changed: 33 additions & 0 deletions b/‎.github/workflows/cluster_ci.yml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎.github/workflows/lint_and_build.yml‎
Lines changed: 64 additions & 0 deletions b/‎.github/workflows/lint_and_build.yml‎
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,118 @@
+name: "Setup Nix (macOS)"
+description: "Install Nix, hook S3 cache; macOS only"
+
+inputs:
+  aws_region:
+    description: "AWS region"
+    required: true
+    default: eu-west-2
+  aws_role_to_assume:
+    description: AWS role to assume
+    required: true
+    default: "arn:aws:iam::070427263827:role/github-actions/gha_nix_cache"
+  s3_location_nix_cache:
+    description: S3 Nix cache location
+    required: true
+    default: "s3://nil-githhub-actions-nix-cache-qrba32i47dik503juihjai4x"
+  nix_cache_key_pub:
+    description: Nix cache public key
+    required: true
+    default: "nil-nix-cache:LX95txIkFncQOsRIXc3KjQkdjikbxDlSFISV/s9+aps="
+  nix_cache_key_pub_ssm_parameter:
+    description: Path to nix_cache_key_pub SSM parameter
+    required: true
+    default: "arn:aws:ssm:eu-west-2:070427263827:parameter/github-action-runners/nil-githhub-actions/runners/config/nix_cache_key_pub"
+  nix_cache_key_sec_ssm_parameter:
+    description: Path to nix_cache_key_sec SSM parameter
+    required: true
+    default: "arn:aws:ssm:eu-west-2:070427263827:parameter/github-action-runners/nil-githhub-actions/runners/config/nix_cache_key_sec"
+  github_access_token:
+    description: Configure nix to pull from github using the given github token.
+
+runs:
+  using: "composite"
+  steps:
+    - name: Try configure AWS credentials via OIDC
+      continue-on-error: true
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.aws_role_to_assume }}
+        aws-region: ${{ inputs.aws_region }}
+        role-duration-seconds: 7200 # 2h
+        retry-max-attempts: 3
+
+    - name: Decide write flag
+      id: calculate_write_flag
+      run: if [[ -n "$AWS_ACCESS_KEY_ID" ]]; then echo "has_write=1" >> "$GITHUB_OUTPUT"; fi
+      shell: bash
+
+    - name: Show AWS identity
+      if: steps.calculate_write_flag.outputs.has_write
+      run: aws sts get-caller-identity
+      shell: bash
+
+    # The source of truth for nix_cache_key_pub is SSM. But we cannot read values from it anonymously.
+    # Since this is a public key, it is acceptable to hardcode it directly in the workflow. Additionally, we can use
+    # OIDC authorized runs to verify that our hardcoded value is not outdated.
+    - name: Compare nix_cache_key_pub input with value saved in SSM
+      if: steps.calculate_write_flag.outputs.has_write
+      run: |
+        param=$(aws ssm get-parameter --name ${{ inputs.nix_cache_key_pub_ssm_parameter }} --with-decryption | jq -r '.Parameter.Value')
+        test "${{ inputs.nix_cache_key_pub }}" == "$param" || { \
+          echo "ERROR: nix_cache_key_pub input value does not match" \
+          "the reference stored in SSM ('$param'). The SSM value should be considered" \
+          "authoritative. Please update the input value in the workflow file.";
+          exit 1; \
+        }
+      shell: bash
+
+    - name: Get nix_cache_key_sec from SSM
+      if: steps.calculate_write_flag.outputs.has_write
+      id: get_nix_cache_key_sec
+      run: |
+        param=$(aws ssm get-parameter --name ${{ inputs.nix_cache_key_sec_ssm_parameter }} --with-decryption | jq -r '.Parameter.Value')
+        echo "$param" | sudo cp /dev/stdin /private/nix-signing-key
+      shell: bash
+
+    - name: Create /etc/nix/upload-to-cache.sh
+      if: steps.calculate_write_flag.outputs.has_write
+      run: |
+        sudo mkdir -p /etc/nix
+        sudo tee /etc/nix/upload-to-cache.sh <<EOL
+        #!/bin/bash
+
+        set -f # disable globbing
+        export IFS=' '
+        echo "Signing and uploading paths" \$OUT_PATHS
+
+        exec /nix/var/nix/profiles/default/bin/nix copy --to '${{ inputs.s3_location_nix_cache }}?region=${{ inputs.aws_region }}&secret-key=/private/nix-signing-key' \$OUT_PATHS
+        EOL
+        sudo chmod a+x /etc/nix/upload-to-cache.sh
+      shell: bash
+
+    - name: Expose AWS credentials to the nix-daemon
+      if: steps.calculate_write_flag.outputs.has_write
+      run: |
+        sudo launchctl setenv AWS_ACCESS_KEY_ID     "$AWS_ACCESS_KEY_ID"
+        sudo launchctl setenv AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
+        sudo launchctl setenv AWS_SESSION_TOKEN     "$AWS_SESSION_TOKEN"
+      shell: bash
+
+    # https://github.com/NixOS/nix/issues/2242#issuecomment-2336841344
+    - name: macOS 15 eDSRecordAlreadyExists workaround
+      run: echo "NIX_FIRST_BUILD_UID=30001" >> "$GITHUB_ENV"
+      shell: bash
+
+    - name: Install Nix
+      uses: cachix/install-nix-action@v27
+      with:
+        github_access_token: ${{ inputs.github_access_token }}
+        extra_nix_config: |
+          max-jobs = 1
+          extra-substituters = ${{ inputs.s3_location_nix_cache }}?region=${{ inputs.aws_region }}
+          extra-trusted-public-keys = ${{ inputs.nix_cache_key_pub }}
+          ${{ steps.calculate_write_flag.outputs.has_write && 'post-build-hook = /etc/nix/upload-to-cache.sh' }}
+
+    - name: Show /etc/nix/nix.conf
+      run: cat /etc/nix/nix.conf
+      shell: bash
@@ -1,64 +1,31 @@
 name: Build artifacts
 
 on:
-  pull_request:
   workflow_dispatch:
-  merge_group:
   push:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  build_artifacts:
-    name: Build artifacts
-    runs-on: ["self-hosted", "aws_autoscaling"]
-    environment: prod
-    steps:
-      - name: checkout local actions
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Run formatters
-        run: |
-          ./scripts/sh_format_all.sh -n -c
-          ./scripts/nix_format_all.sh -n -c
-
-      - name: Generate required go files
-        run: nix develop -c make generated
-
-      - name: golangci-lint
-        run: nix develop -c make golangci-lint
-
-      - name: Run checklocks
-        run: nix develop -c make checklocks
-
-      - name: build
-        run: nix build -L
-
-      - name: Upload nil binary as artifact
-        if: github.event_name == 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: nil-linux-x64
-          path: |
-            result/bin/nil
-
-      - name: upload packages to s3
-        if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'workflow_dispatch'
-        env:
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
-        run: |
-          export PATH=/home/ec2-user/.local/bin:${PATH}
-          nix bundle --bundler . .#nil -L
-          sudo yum update -y
-          sudo yum install -y awscli python3-pip
-          pip3 install -U mkrepo
-          aws s3 cp "deb-package-nil/`ls deb-package-nil`" s3://nil-deb-repo/ubuntu/pool/main/d/nil/
-          mkrepo s3://nil-deb-repo/ubuntu
+  nix_check_macos:
+    name: macOS
+    uses: ./.github/workflows/nix_check_macos.yml
+    if: github.event_name == 'workflow_dispatch'
+    with:
+      upload_artifacts: true
+
+  lint_and_build:
+    name: Linux
+    uses: ./.github/workflows/lint_and_build.yml
+    secrets: inherit
+    with:
+      upload_artifacts: ${{ github.event_name == 'workflow_dispatch' }}
+      upload_packages_to_s3: true
@@ -0,0 +1,33 @@
+name: Cluster CI
+
+on:
+  pull_request:
+  workflow_dispatch:
+  merge_group:
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  nix_check_linux:
+    name: Linux
+    uses: ./.github/workflows/nix_check_linux.yml
+
+  nix_check_macos:
+    name: macOS
+    uses: ./.github/workflows/nix_check_macos.yml
+    with:
+      upload_artifacts: ${{ github.event_name == 'workflow_dispatch' }}
+
+  lint_and_build:
+    name: Lint and build
+    uses: ./.github/workflows/lint_and_build.yml
+    secrets: inherit
+    with:
+      upload_artifacts: ${{ github.event_name == 'workflow_dispatch' }}
+      upload_packages_to_s3: false
@@ -0,0 +1,64 @@
+on:
+  workflow_call:
+    inputs:
+      upload_artifacts:
+        description: "Upload binaries as artifacts"
+        required: false
+        default: false
+        type: boolean
+      upload_packages_to_s3:
+        description: "Upload packages to s3"
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  lint_and_build:
+    name: Lint and build
+    runs-on: ["self-hosted", "aws_autoscaling"]
+    environment: prod
+    steps:
+      - name: checkout local actions
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run formatters
+        run: |
+          ./scripts/sh_format_all.sh -n -c
+          ./scripts/nix_format_all.sh -n -c
+
+      - name: Generate required go files
+        run: nix develop -c make generated
+
+      - name: golangci-lint
+        run: nix develop -c make golangci-lint
+
+      - name: Run checklocks
+        run: nix develop -c make checklocks
+
+      - name: build
+        run: nix build -L
+
+      - name: Upload nil binary as artifact
+        if: inputs.upload_artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: nil-linux-x64
+          path: |
+            result/bin/nil
+
+      - name: upload packages to s3
+        if: inputs.upload_packages_to_s3
+        env:
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+        run: |
+          export PATH=/home/ec2-user/.local/bin:${PATH}
+          nix bundle --bundler . .#nil -L
+          sudo yum update -y
+          sudo yum install -y awscli python3-pip
+          pip3 install -U mkrepo
+          aws s3 cp "deb-package-nil/`ls deb-package-nil`" s3://nil-deb-repo/ubuntu/pool/main/d/nil/
+          mkrepo s3://nil-deb-repo/ubuntu