diff --git a/.circleci/config.yml b/.circleci/config.yml
index 15ef1fb3f083a535fe6cba7db6cca03db0c5989d..4cb017e96e66ed558b786ab5375e725c3bbe3f4e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -137,9 +137,12 @@ jobs:
   linux-tests: &LINUX_TESTS
     docker:
       # Run in a highly Nix-capable environment.
-      - image: "nixorg/nix:circleci"
+      - image: "nixos/nix:latest"
 
     environment:
+      # CACHIX_AUTH_TOKEN is manually set in the CircleCI web UI and allows us to push to CACHIX_NAME.
+      CACHIX_NAME: "privatestorage-opensource"
+
       # Specify a revision of PrivateStorageio/nixpkgs to run against.  This
       # essentially pins the majority of the software involved in the build.
       # This revision is selected arbitrarily (it's just new enough to define
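Review bot: The new `image: "nixos/nix:latest"` line uses a mutable tag, so the container this job runs in can change between builds without any commit to this file. That works against the goal stated a few lines further down, that the platform "won't shift around beneath us unexpectedly". Pinning to a release tag or, better, a digest keeps the build environment reviewable, e.g. `- image: "nixos/nix@sha256:<digest-of-the-reviewed-image>"` (placeholder, not a real digest). This matters more now that, per the added comment, the job holds a token that can push to the shared Cachix cache. The linux-tests job continues past this hunk.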
@@ -147,75 +150,18 @@ jobs:
       # somewhat current as of the time of this comment.  We can bump it to a
       # newer version when that makes sense.  Meanwhile, the platform won't
       # shift around beneath us unexpectedly.
-      NIXPKGS_REV: "730129887a84a8f84f3b78ffac7add72aeb551b6"
+      NIX_PATH: "nixpkgs=https://github.com/PrivateStorageio/nixpkgs/archive/730129887a84a8f84f3b78ffac7add72aeb551b6.tar.gz"
 
     steps:
       - run:
-          # Get NIX_PATH set for the rest of the job so that the revision of
-          # nixpkgs we selected will be used everywhere Nix pulls in software.
-          # There is no way to set an environment variable containing the
-          # value of another environment variable on CircleCI except to use
-          # the `BASE_ENV` feature as we do here.
-          name: "Setup NIX_PATH Environment Variable"
+          name: "Set up Cachix"
           command: |
-            echo "export NIX_PATH=nixpkgs=https://github.com/PrivateStorageio/nixpkgs/archive/$NIXPKGS_REV.tar.gz" >> $BASH_ENV
+            nix-env -iA nixpkgs.cachix nixpkgs.bash
+            cachix use "${CACHIX_NAME}"
+            nix path-info --all > /tmp/store-path-pre-build
 
       - "checkout"
 
-      - "run":
-          # CircleCI won't let us interpolate NIXPKGS_REV into a cache key.
-          # Only CircleCI's own environment variables or variables set via the
-          # web interface in a "context" can be interpolated into cache keys.
-          # However, we can interpolate the checksum of a file...  Since we
-          # don't care about the exact revision, we just care that a new
-          # revision gives us a new string, we can write the revision to a
-          # file and then put the checksum of that file into the cache key.
-          # This way, we don't have to maintain the nixpkgs revision in two
-          # places and risk having them desynchronize.
-          name: "Prepare For Cache Key"
-          command: |
-            echo "${NIXPKGS_REV}" > nixpkgs.rev
-
-      - restore_cache:
-          # Get all of Nix's state relating to the particular revision of
-          # nixpkgs we're using.  It will always be the same.  CircleCI
-          # artifacts and nixpkgs store objects are probably mostly hosted in
-          # the same place (S3) so there's not a lot of difference for
-          # anything that's pre-built.  For anything we end up building
-          # ourselves, though, this saves us all of the build time (less the
-          # download time).
-          #
-          # Read about caching dependencies: https://circleci.com/docs/2.0/caching/
-          name: "Restore Nix Store Paths"
-          keys:
-            # Construct cache keys that allow sharing as long as nixpkgs
-            # revision is unchanged.
-            #
-            # If nixpkgs changes then potentially a lot of cached packages for
-            # the base system will be invalidated so we may as well drop them
-            # and make a new cache with the new packages.
-            - zkapauthorizer-nix-store-v4-{{ checksum "nixpkgs.rev" }}-ourdeps
-            - zkapauthorizer-nix-store-v4-{{ checksum "nixpkgs.rev" }}-
-            - zkapauthorizer-nix-store-v4-
-
-      - run:
-          name: "Build challenge-bypass-ristretto"
-          command: |
-            # Pre-build this because doing so is somewhat memory intensive and
-            # we want to turn off concurrency for this part.  We want to be
-            # able to leave concurrency on for the rest of the build, though,
-            # where it doesn't cause problems and speeds things up.
-            nix-build --cores 1 --max-jobs 1 \
-              --arg callPackage '(import <nixpkgs> { }).callPackage' \
-              ./python-challenge-bypass-ristretto.nix
-
-      - save_cache:
-          name: "Cache Nix Store Paths"
-          when: "always"
-          key: zkapauthorizer-nix-store-v4-{{ checksum "nixpkgs.rev" }}
-          paths:
-            - "/nix"
-
       - run:
           name: "Run Test Suite"
           command: |
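Review bot: In the "Set up Cachix" step, `nix-env -iA nixpkgs.cachix nixpkgs.bash` most likely resolves `nixpkgs` through the channel shipped in the Docker image rather than through the pinned `NIX_PATH`, because `nix-env -iA` reads `~/.nix-defexpr` unless `-f` is given. The cachix binary, which later handles CACHIX_AUTH_TOKEN, would then float with whatever `nixos/nix:latest` provides. If the pinned revision carries a usable cachix, `nix-env -f '<nixpkgs>' -iA cachix bash` would tie both tools to the reviewed nixpkgs commit. Otherwise a comment saying the step intentionally uses the image's channel would help. The "Run Test Suite" step that closes this hunk continues outside it.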
@@ -234,28 +180,30 @@ jobs:
               --arg collectCoverage true \
               --attr doc
 
-      - save_cache:
-          name: "Cache Nix Store Paths"
+      - run:
+          name: "Push to Cachix"
           when: "always"
-          key: zkapauthorizer-nix-store-v4-{{ checksum "nixpkgs.rev" }}-ourdeps
-          paths:
-            - "/nix"
+          command: |
+            # Cribbed from
+            # https://circleci.com/blog/managing-secrets-when-you-have-pull-requests-from-outside-contributors/
+            if [ -n "$CIRCLE_PR_NUMBER" ]; then
+              # I'm sure you're thinking "CIRCLE_PR_NUMBER must just be the
+              # number of the PR being built".  Sorry, dear reader, you have
+              # guessed poorly.  It is also conditionally set based on whether
+              # this is a PR from a fork or not.
+              #
+              # https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables
+              echo "Skipping Cachix push for forked PR."
+            else
+              # https://docs.cachix.org/continuous-integration-setup/circleci.html
+              bash -c "comm -13 <(sort /tmp/store-path-pre-build | grep -v '\.drv$') <(nix path-info --all | grep -v '\.drv$' | sort) | cachix push $CACHIX_NAME"
+            fi
 
       - run:
           name: "Report Coverage"
           command: |
             ./.circleci/report-coverage.sh
 
-  # A variation of linux-tests that is only run once a week and is given
-  # enough resources that it can build not only ZKAPAuthorizer but all its
-  # dependencies within the limited time period imposed by CircleCI.
-  linux-tests-big:
-    # Everything is the same as the linux-tests job ...
-    <<: *LINUX_TESTS
-    # ... except more resources from the platform.
-    resource_class: "xlarge"
-
-
 workflows:
   version: 2
   everything:
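Review bot: The `CIRCLE_PR_NUMBER` guard in the "Push to Cachix" step only skips the push; it does not decide whether a forked build can see CACHIX_AUTH_TOKEN. That depends on the project setting "Pass secrets to builds from forked pull requests" staying off, and on same-repository branches the token is in the environment of every step, including the test suite. I would record that in the step, e.g. `# NOTE: this guard only avoids a failing push; the token is kept away from fork builds by the project setting, not by this check.` Because `when: "always"` also pushes paths from failed builds on any branch, consider limiting the push to the main branch with an extra arm such as `elif [ "$CIRCLE_BRANCH" != "master" ]; then echo "Skipping Cachix push off master."`. Then only reviewed code populates a cache that other builds substitute from.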
@@ -272,19 +220,3 @@ workflows:
             # https://circleci.com/docs/2.0/testing-ios/#supported-xcode-versions
             - "12.3.0"
             - "11.7.0"
-
-  refresh-cache:
-    jobs:
-      - "linux-tests-big"
-    triggers:
-      - schedule:
-          # Run the job once a week.  CircleCI caches expired after 15 days so
-          # this should always keep the latest version of our cache fresh and
-          # prevent us from actually having to rebuild it very often.
-          #
-          # https://circleci.com/docs/2.0/workflows/#specifying-a-valid-schedule
-          cron: "40 6 * * 4"
-          filters:
-            branches:
-              only:
-                - "master"