From 8e950148406a2379d7941f73bd90d6cfddf67e78 Mon Sep 17 00:00:00 2001 From: Conrad Kramer Date: Sun, 7 Jun 2026 10:26:14 -0700 Subject: [PATCH] Fix CI toolchain selection --- ...nfrastructure-and-store-upload-pipeline.md | 10 +++++++++ flake.lock | 16 ++++++++------ flake.nix | 21 ++++++++++++++----- 3 files changed, 36 insertions(+), 11 deletions(-) diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index e34ff27..e3d0744 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -55,6 +55,16 @@ The same change also makes the forge itself the release authority: release tags cache is available. macOS runners should use the local Bazel disk/repository cache path and skip the `nsc` remote-cache auth probe, which is optional and can block without GNU timeout support. +- The Nix CI shell must not pin Apple builds to a Bazel major that disagrees + with `.bazelversion`. Prefer Bazelisk or a Bazel 9 package so the release + lane uses the repository-declared Bazel 9.1.0 toolchain. +- Moving tarball URLs are not acceptable for release-critical Nix inputs. The + forge worker lockfile must resolve nixpkgs through a fixed Git revision so + fresh workers do not fail when a branch tarball no longer matches a stored + NAR hash. +- The CI shell should prefer currently supported Node runtimes when nixpkgs + marks an older major insecure. Release workers must fail on product build + errors, not on avoidable toolchain end-of-life policy checks. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow. diff --git a/flake.lock b/flake.lock index 325f710..e2ce1a1 100644 --- a/flake.lock +++ b/flake.lock @@ -113,14 +113,18 @@ }, "nixpkgs": { "locked": { - "lastModified": 1773389992, - "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", - "type": "tarball", - "url": "https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable" + "lastModified": 1780243769, + "narHash": "sha256-x5UQuRsH3MqI0U9afaXSNqzTPSeZlRLvFAav2Ux1pNw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "331800de5053fcebacf6813adb5db9c9dca22a0c", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable" + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nsc-autoscaler": { diff --git a/flake.nix b/flake.nix index 8727747..54da819 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "Burrow development shell and forge host configuration"; inputs = { - nixpkgs.url = "tarball+https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; flake-utils.url = "tarball+https://codeload.github.com/numtide/flake-utils/tar.gz/main"; agenix = { url = "github:ryantm/agenix"; @@ -39,17 +39,28 @@ }; lib = pkgs.lib; bazelPkg = - if lib.hasAttr "bazel_7" pkgs then - pkgs.bazel_7 + if lib.hasAttr "bazelisk" pkgs then + pkgs.bazelisk + else if lib.hasAttr "bazel_9" pkgs then + pkgs.bazel_9 else if lib.hasAttr "bazel" pkgs then pkgs.bazel else - pkgs.bazelisk; + pkgs.bazel_7; buildifierPkg = if lib.hasAttr "buildifier" pkgs then pkgs.buildifier else pkgs.bazel-buildtools; + nodejsPkg = + if lib.hasAttr "nodejs_22" pkgs then + pkgs.nodejs_22 + else if lib.hasAttr "nodejs_24" pkgs then + pkgs.nodejs_24 + else if lib.hasAttr "nodejs" pkgs then + pkgs.nodejs + else + pkgs.nodejs_20; optionalPackage = name: lib.optional (lib.hasAttr name pkgs) (lib.getAttr name pkgs); googleKmsPkcs11Package = if pkgs.stdenv.hostPlatform.isx86_64 && pkgs.stdenv.isLinux then @@ -125,7 +136,7 @@ EOF opentofu curl jq - nodejs_20 + nodejsPkg python3 openssl rsync