Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: add test-demo workflow #719

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

ci: add test-demo workflow #719

wants to merge 1 commit into from
+101 −0

Conversation

imincik
Copy link
Contributor

@imincik imincik commented Apr 7, 2025

No description provided.

@imincik imincik moved this to In progress in Nix@NGI Apr 7, 2025
@imincik imincik linked an issue Apr 7, 2025 that may be closed by this pull request
Implement a CI test for the service demo workflow #698
Open
@imincik imincik force-pushed the ci-test-demo branch 3 times, most recently from a904153 to 2ff99a5 Compare April 7, 2025 07:32
@imincik
Copy link
Contributor Author

imincik commented Apr 7, 2025

Unrelated error messages

 fatal: cannot change to '/home/runner/.cache/nix/gitv3/0glrjg6yk3b68jqm6lz05qsv63iapg08p0aa3qx725qw1ygh94va': No such file or directory
warning: could not update cached head 'refs/heads/canon' for 'https://code.tvl.fyi/depot.git:/nix/yants.git'

eljamm
eljamm reviewed Apr 7, 2025
View reviewed changes
Copy link
Contributor

@eljamm eljamm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Static analysis for the workflow using zizmor:

$ zizmor .github/workflows/test-demo.yaml
6 findings (4 suppressed): 0 unknown, 0 informational, 0 low, 2 medium, 0 high

.github/workflows/test-demo.yaml
test:
runs-on: ubuntu-latest
steps:
- uses: 'actions/checkout@v4'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See zizmor - artipacked audit rule

Suggested change
- uses: 'actions/checkout@v4'
- uses: 'actions/checkout@v4'
with: { persist-credentials: false }

.github/workflows/test-demo.yaml
pull_request:
branches: [ main ]
workflow_dispatch:

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See zizmor - excessive permissions audit rule

Suggested change
permissions: {}

@imincik imincik force-pushed the ci-test-demo branch 4 times, most recently from 78af612 to b0042a2 Compare April 7, 2025 07:43
@imincik imincik closed this Apr 7, 2025
@github-project-automation github-project-automation bot moved this from In progress to Done in Nix@NGI Apr 7, 2025
@imincik imincik reopened this Apr 7, 2025
@github-project-automation github-project-automation bot moved this from Done to Blocked in Nix@NGI Apr 7, 2025
@imincik
Copy link
Contributor Author

imincik commented Apr 7, 2025

Just found

root@debian-sid:~# cat /etc/nix/nix.conf
# see https://nixos.org/manual/nix/stable/command-ref/conf-file

sandbox = true

@imincik imincik force-pushed the ci-test-demo branch 12 times, most recently from 5ba8f17 to 31d4a0f Compare April 7, 2025 12:38
@imincik imincik force-pushed the ci-test-demo branch 2 times, most recently from 635d2ae to b8a16b3 Compare April 8, 2025 06:45
@imincik imincik moved this from Blocked to In progress in Nix@NGI Apr 8, 2025
@imincik
Copy link
Contributor Author

imincik commented Apr 8, 2025
edited
Loading

Debian 12 (latest stable), Ubuntu 24.04 (latest LTS) and Ubuntu 24.10 (latest release) is failing on

error: path '/nix/store/m0qqag8jp56zydqjzh5vva1p2azh1g5x-linux-6.12.21-modules-shrunk/lib' is not in the Nix store

which is discussed here and here and might be caused by NixOS/nixpkgs#372931 .

@imincik imincik force-pushed the ci-test-demo branch 3 times, most recently from 787da80 to e09852b Compare April 8, 2025 08:01
@imincik
Copy link
Contributor Author

imincik commented Apr 8, 2025
edited
Loading

Debian 12 (latest stable), Ubuntu 24.04 (latest LTS) and Ubuntu 24.10 (latest release) is failing on

error: path '/nix/store/m0qqag8jp56zydqjzh5vva1p2azh1g5x-linux-6.12.21-modules-shrunk/lib' is not in the Nix store

which is discussed here and here and might be caused by NixOS/nixpkgs#372931 .

The issue narrowed down to

nix-build /nix/store/gzzg57bkfsqvb69spv9j4qmgwmkkbcpj-closure-info.drv
this derivation will be built:
  /nix/store/gzzg57bkfsqvb69spv9j4qmgwmkkbcpj-closure-info.drv
error: path '/nix/store/m0qqag8jp56zydqjzh5vva1p2azh1g5x-linux-6.12.21-modules-shrunk/lib' is not in the Nix store

@imincik
Copy link
Contributor Author

imincik commented Apr 8, 2025 

cat /nix/store/gzzg57bkfsqvb69spv9j4qmgwmkkbcpj-closure-info.drv
Derive([("out","/nix/store/3d4iddj5qmyck5gx58vqckli4yjjcg03-closure-info","","")],[("/nix/store/5h55gpcb1nljrqg6hzrp7bblgjk47h1s-coreutils-9.6.drv",["out"]),("/nix/store/94kf0r3wdw62kv8ygd3wf825jpyhnnc0-kmod-debian-aliases.conf-30+20230601-2.drv",["out"]),("/nix/store/a8g13ahvrlswraapvs08155jcbz80lv5-kmod-blacklist-31+20240202-2ubuntu8.drv",["out"]),("/nix/store/bhpkj057a27dxlq3ybdb5gg19l1zgwah-linux-6.12.21-modules-shrunk.drv",["out"]),("/nix/store/cfp8jh04f3jfdcjskw2p64ri3w6njndm-bash-5.2p37.drv",["out"]),("/nix/store/kkw5pkfm08wlv1558pgbca73rlgc78kx-jq-1.7.1.drv",["dev"]),("/nix/store/m0xmpjrzm5f44y1pncswxb2lfh5f5z0k-etc-modprobe.d-nixos.conf.drv",["out"]),("/nix/store/nh9lrra397qw7kld9q22sxs16pim2br6-stage-1-init.sh.drv",["out"]),("/nix/store/qajidah6nnj7y6gy8k47bi5201pqqkxi-stdenv-linux.drv",["out"])],["/nix/store/shkw4qm9qcw5sc5n1k5jznc83ny02r39-default-builder.sh","/nix/store/vj1c3wf9c11a0qs6p3ymfvrnsdgsdcbq-source-stdenv.sh"],"x86_64-linux","/nix/store/58br4vk3q5akf4g8lx0pqzfhn47k3j8d-bash-5.2p37/bin/bash",["-e","/nix/store/vj1c3wf9c11a0qs6p3ymfvrnsdgsdcbq-source-stdenv.sh","/nix/store/shkw4qm9qcw5sc5n1k5jznc83ny02r39-default-builder.sh"],[("__json","{\"buildCommand\":\"out=${outputs[out]}\\n\\nmkdir $out\\n\\nif [[ -n \\\"$empty\\\" ]]; then\\n  echo 0 > $out/total-nar-size\\n  touch $out/registration $out/store-paths\\nelse\\n  jq -r \\\".closure | map(.narSize) | add\\\" < \\\"$NIX_ATTRS_JSON_FILE\\\" > $out/total-nar-size\\n  jq -r '.closure | map([.path, .narHash, .narSize, \\\"\\\", (.references | length)] + .references) | add | map(\\\"\\\\(.)\\\\n\\\") | add' < \\\"$NIX_ATTRS_JSON_FILE\\\" | head -n -1 > $out/registration\\n  jq -r '.closure[].path' < \\\"$NIX_ATTRS_JSON_FILE\\\" > $out/store-paths\\nfi\\n\\n\",\"buildInputs\":[],\"builder\":\"/nix/store/58br4vk3q5akf4g8lx0pqzfhn47k3j8d-bash-5.2p37/bin/bash\",\"cmakeFlags\":[],\"configureFlags\":[],\"depsBuildBuild\":[],\"depsBuildBuildPropagated\":[],\"depsBuildTarget\":[],\"depsBuildTargetPropagated\":[],\"depsHostHost\":[],\"depsHostHostPropagated\":[],\"depsTargetTarget\":[],\"depsTargetTargetPropagated\":[],\"doCheck\":false,\"doInstallCheck\":false,\"empty\":false,\"env\":{},\"exportReferencesGraph\":{\"closure\":[\"/nix/store/lwppsfyv2zhhl1jf5k84spqbjfph7sp9-stage-1-init.sh\",\"/nix/store/m0qqag8jp56zydqjzh5vva1p2azh1g5x-linux-6.12.21-modules-shrunk/lib\",\"/nix/store/pfsx0ck1r306zhww6kalw527mf2c6d9v-kmod-blacklist-31+20240202-2ubuntu8/modprobe.conf\",\"/nix/store/pg53dimlhgpjhz8zwvvd8pw0sakck2kl-etc-modprobe.d-nixos.conf\",\"/nix/store/p4qnadn8aqc38wwfrsr3i68cdz357xlk-kmod-debian-aliases.conf-30+20230601-2\"]},\"mesonFlags\":[],\"name\":\"closure-info\",\"nativeBuildInputs\":[\"/nix/store/yh6qg1nsi5h2xblcr67030pz58fsaxx3-coreutils-9.6\",\"/nix/store/ld8ys81ch5fj94j0jrwbkgwwjxmbwdxh-jq-1.7.1-dev\"],\"outputChecks\":{\"out\":{}},\"outputs\":[\"out\"],\"patches\":[],\"preferLocalBuild\":true,\"propagatedBuildInputs\":[],\"propagatedNativeBuildInputs\":[],\"stdenv\":\"/nix/store/76dr5bsqnfxzfljs3q9nwhw5ri52z7gx-stdenv-linux\",\"strictDeps\":false,\"system\":\"x86_64-linux\"}"),("out","/nix/store/3d4iddj5qmyck5gx58vqckli4yjjcg03-closure-info")])

@imincik
Copy link
Contributor Author

imincik commented Apr 8, 2025

/nix/store/gzzg57bkfsqvb69spv9j4qmgwmkkbcpj-closure-info.drv is triggered by
/nix/store/7slj9692g2lpxg493a2nm91qr18kwy59-initrd-linux-6.12.21.drv .

@imincik
Copy link
Contributor Author

imincik commented Apr 8, 2025
edited
Loading

Found the issue. Older Nix versions are containing this regression.

Confirmed on Debian 12:

# test.nix

let
  pkgs = import (builtins.fetchTarball "https://github.com/nixos/nixpkgs/archive/nixos-unstable.tar.gz") {};
  foo = pkgs.runCommand "foo" {} ''
    mkdir -p $out/hi
  '';
  bar = pkgs.closureInfo {
    rootPaths = [ "${foo}/hi" ];
  };
in bar
nix-build test.nix

these 2 derivations will be built:
  /nix/store/6j38j4jw7hc85ivfm8lqzd68rs648lks-foo.drv
  /nix/store/7pvpmra0wr45gfwk4nlm9l1zs964rp9n-closure-info.drv
building '/nix/store/6j38j4jw7hc85ivfm8lqzd68rs648lks-foo.drv'...
error: path '/nix/store/0sqhavfz16amb1bl97gpgc9ivddcafv6-foo/hi' is not in the Nix store

@imincik imincik force-pushed the ci-test-demo branch 2 times, most recently from 89852f3 to 332735e Compare April 8, 2025 13:43
@fricklerhandwerk
Copy link
Contributor

fricklerhandwerk commented Apr 8, 2025
edited
Loading

Can we get a newer Nix package on Debian? Or simply skip Debian for now and leave a TODO to pick up once their next stable release is out?

@imincik imincik force-pushed the ci-test-demo branch 2 times, most recently from 3adbf08 to ba80a2c Compare April 9, 2025 07:19
@imincik
Copy link
Contributor Author

imincik commented Apr 9, 2025

Can we get a newer Nix package on Debian? Or simply skip Debian for now and leave a TODO to pick up once their next stable release is out?

The issue is that it fails on Ubuntu LTS and on latest Ubuntu (non LTS) as well.

@eljamm
Copy link
Contributor

eljamm commented Apr 9, 2025

This might be a bit too much, but can't we run a more recent Nix version using the Nix installed on those distros?

@imincik
Copy link
Contributor Author

imincik commented Apr 9, 2025

This might be a bit too much, but can't we run a more recent Nix version using the Nix installed on those distros?

Not sure if I understand. What exactly do you mean ?

@eljamm
Copy link
Contributor

eljamm commented Apr 9, 2025

The issue is with old Nix versions, right? What if we use those to install/use a more recent Nix, say nixVersions.latest. That should be possible, right?

@imincik imincik force-pushed the ci-test-demo branch 5 times, most recently from da244bc to f60cad8 Compare April 9, 2025 09:23
@imincik imincik force-pushed the ci-test-demo branch 2 times, most recently from 1f091e3 to 5a1d640 Compare April 9, 2025 10:24
@imincik
Copy link
Contributor Author

imincik commented Apr 9, 2025

Looks like the regression patch was backported to multiple Nix versions .

@imincik
Copy link
Contributor Author

imincik commented Apr 9, 2025

The issue is with old Nix versions, right? What if we use those to install/use a more recent Nix, say nixVersions.latest. That should be possible, right?

No, you can't change Nix version installed by Debian/Ubuntu that way.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eljamm eljamm eljamm left review comments

At least 0 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
Nix@NGI
Status: In progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement a CI test for the service demo workflow
3 participants
@imincik @fricklerhandwerk @eljamm