DETERMINATE_NIX_KVM fixup, support Magic Nix Cache + FlakeHub Cache on Namespace runners (#72)

* Share /bin with nix for post-build-hooks

* test the magic nix cache

* wtf

* permissions

* Share /home and the network namespace too

* test the devshell

* Don't force-set kvm to 0 ... d'oh!

* dev shell support for aarch64-linux

* ?

* More testing /  debug

* Make it run anyway

* Bind /lib too so /bin/sh works ... sigh

* Disable gha-cache for tesing

* Kill the magic nix cache before reinstalling

* Don't set the extra environment variables extraniously

* Enable gha cache again

Author: grahamc

.github/workflows/ci.yml

@@ -16,15 +16,18 @@ jobs:
       - run: npm run all
       - run: git status --porcelain=v1
       - run: test $(git status --porcelain=v1 2>/dev/null | wc -l) -eq 0
-  run-x86_64-linux:
-    name: Run x86_64 Linux
+  run-test-suite:
+    name: Run test suite
     strategy:
       matrix:
         runner:
-            - ubuntu-latest
-            - nscloud-ubuntu-22.04-amd64-4x16
-            - namespace-profile-default-arm64
+          - ubuntu-latest
+          - nscloud-ubuntu-22.04-amd64-4x16
+          - namespace-profile-default-arm64
     runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v3
       - name: Install Nix
@@ -33,8 +36,15 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+      - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: echo $PATH
         run: echo $PATH
+
+      - name: Render the devshell
+        if: success() || failure()
+        run: |
+          nix develop --command date
+
       - name: Test `nix` with `$GITHUB_PATH`
         if: success() || failure()
         run: |
@@ -43,6 +53,7 @@ jobs:
           hello
           nix store gc
           nix run nixpkgs#hello
+
       - name: Test bash
         run: nix-instantiate -E 'builtins.currentTime' --eval
         if: success() || failure()
@@ -91,6 +102,9 @@ jobs:
   run-x86_64-darwin:
     name: Run x86_64 Darwin
     runs-on: macos-12
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v3
       - name: Install Nix
@@ -99,6 +113,7 @@ jobs:
           logger: pretty
           log-directives: nix_installer=trace
           backtrace: full
+      - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: echo $PATH
         run: echo $PATH
       - name: Test `nix` with `$GITHUB_PATH`
@@ -135,6 +150,10 @@ jobs:
           hello
           nix store gc
           nix run nixpkgs#hello
+      - name: Terminate the magic nix cache pre-reinstall
+        if: success() || failure()
+        run: |
+          pkill magic-nix-cache
       - name: Reinstall Nix
         uses: ./
         with:

dist/index.js

@@ -9,7 +9,7 @@
 
   outputs = { self, flake-schemas, nixpkgs }:
     let
-      supportedSystems = [ "x86_64-linux" "aarch64-darwin" ];
+      supportedSystems = [ "x86_64-linux" "aarch64-darwin" "aarch64-linux" "x86_64-darwin" ];
       forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
         pkgs = import nixpkgs { inherit system; };
       });

dist/index.js.map

@@ -513,8 +513,6 @@ class NixInstallerAction {
         actions_core.info("KVM is not available.");
         actions_core.exportVariable("DETERMINATE_NIX_KVM", "0");
       }
-
-      actions_core.exportVariable("DETERMINATE_NIX_KVM", "0");
     }
 
     // Normal just doing of the install
@@ -587,9 +585,16 @@ class NixInstallerAction {
           "run",
           "--detach",
           "--privileged",
+          "--network=host",
           "--userns=host",
           "--pid=host",
           "--mount",
+          "type=bind,src=/bin,dst=/bin,readonly",
+          "--mount",
+          "type=bind,src=/lib,dst=/lib,readonly",
+          "--mount",
+          "type=bind,src=/home,dst=/home,readonly",
+          "--mount",
           "type=bind,src=/tmp,dst=/tmp",
           "--mount",
           "type=bind,src=/nix,dst=/nix",