Fix CI toolchain selection
Some checks failed
Build Site / Next.js Build (push) Waiting to run
Lint Governance / BEP Metadata (push) Waiting to run
Cache: Publish Nix / Publish Nix Cache (push) Failing after 20s
Build Rust / Cargo Test (push) Has been cancelled

This commit is contained in:
Conrad Kramer 2026-06-07 10:26:14 -07:00
parent 06375ba328
commit 8e95014840
3 changed files with 36 additions and 11 deletions

View file

@ -55,6 +55,16 @@ The same change also makes the forge itself the release authority: release tags
cache is available. macOS runners should use the local Bazel disk/repository cache is available. macOS runners should use the local Bazel disk/repository
cache path and skip the `nsc` remote-cache auth probe, which is optional and cache path and skip the `nsc` remote-cache auth probe, which is optional and
can block without GNU timeout support. can block without GNU timeout support.
- The Nix CI shell must not pin Apple builds to a Bazel major that disagrees
with `.bazelversion`. Prefer Bazelisk or a Bazel 9 package so the release
lane uses the repository-declared Bazel 9.1.0 toolchain.
- Moving tarball URLs are not acceptable for release-critical Nix inputs. The
forge worker lockfile must resolve nixpkgs through a fixed Git revision so
fresh workers do not fail when a branch tarball no longer matches a stored
NAR hash.
- The CI shell should prefer currently supported Node runtimes when nixpkgs
marks an older major insecure. Release workers must fail on product build
errors, not on avoidable toolchain end-of-life policy checks.
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.

16
flake.lock generated
View file

@ -113,14 +113,18 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1773389992, "lastModified": 1780243769,
"narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", "narHash": "sha256-x5UQuRsH3MqI0U9afaXSNqzTPSeZlRLvFAav2Ux1pNw=",
"type": "tarball", "owner": "NixOS",
"url": "https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable" "repo": "nixpkgs",
"rev": "331800de5053fcebacf6813adb5db9c9dca22a0c",
"type": "github"
}, },
"original": { "original": {
"type": "tarball", "owner": "NixOS",
"url": "https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable" "ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nsc-autoscaler": { "nsc-autoscaler": {

View file

@ -2,7 +2,7 @@
description = "Burrow development shell and forge host configuration"; description = "Burrow development shell and forge host configuration";
inputs = { inputs = {
nixpkgs.url = "tarball+https://codeload.github.com/NixOS/nixpkgs/tar.gz/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "tarball+https://codeload.github.com/numtide/flake-utils/tar.gz/main"; flake-utils.url = "tarball+https://codeload.github.com/numtide/flake-utils/tar.gz/main";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
@ -39,17 +39,28 @@
}; };
lib = pkgs.lib; lib = pkgs.lib;
bazelPkg = bazelPkg =
if lib.hasAttr "bazel_7" pkgs then if lib.hasAttr "bazelisk" pkgs then
pkgs.bazel_7 pkgs.bazelisk
else if lib.hasAttr "bazel_9" pkgs then
pkgs.bazel_9
else if lib.hasAttr "bazel" pkgs then else if lib.hasAttr "bazel" pkgs then
pkgs.bazel pkgs.bazel
else else
pkgs.bazelisk; pkgs.bazel_7;
buildifierPkg = buildifierPkg =
if lib.hasAttr "buildifier" pkgs then if lib.hasAttr "buildifier" pkgs then
pkgs.buildifier pkgs.buildifier
else else
pkgs.bazel-buildtools; pkgs.bazel-buildtools;
nodejsPkg =
if lib.hasAttr "nodejs_22" pkgs then
pkgs.nodejs_22
else if lib.hasAttr "nodejs_24" pkgs then
pkgs.nodejs_24
else if lib.hasAttr "nodejs" pkgs then
pkgs.nodejs
else
pkgs.nodejs_20;
optionalPackage = name: lib.optional (lib.hasAttr name pkgs) (lib.getAttr name pkgs); optionalPackage = name: lib.optional (lib.hasAttr name pkgs) (lib.getAttr name pkgs);
googleKmsPkcs11Package = googleKmsPkcs11Package =
if pkgs.stdenv.hostPlatform.isx86_64 && pkgs.stdenv.isLinux then if pkgs.stdenv.hostPlatform.isx86_64 && pkgs.stdenv.isLinux then
@ -125,7 +136,7 @@ EOF
opentofu opentofu
curl curl
jq jq
nodejs_20 nodejsPkg
python3 python3
openssl openssl
rsync rsync