> [!NOTE]
> This Action is intended for users of FlakeHub Cache. Sign up for a FlakeHub paid plan to get started.
Your one-stop shop for effortless Nix CI in GitHub Actions.
- Automatically builds on all the architectures your flake supports.
- Caches all of your flake outputs using FlakeHub Cache.
- Discovers and builds your entire flake using flake schemas.
- Publishes your flake to FlakeHub if you opt in.
> [!WARNING]
> The Determinate CI workflow is an experiment. It may change significantly without warning. Please feel free to try it out, report bugs, and let us know how it goes in our Discord! Stabilization to follow.
Create an Actions workflow in your project at `.github/workflows/ci.yml`, copy in this text...

```yaml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
    tags:
      - v?[0-9]+.[0-9]+.[0-9]+*

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: write
      contents: read
```
...and you're done! You'll see something like this when your workflow has run successfully:
Publish to FlakeHub on every push to the default branch and on every tag. Specify the flake's visibility:

```yaml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
    tags:
      - v?[0-9]+.[0-9]+.[0-9]+*

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: write
      contents: read
    with:
      visibility: public
```

For private flakes, set `visibility` to `private`.
This workflow uses FlakeHub Cache as a binary cache.
> [!NOTE]
> FlakeHub Cache only works if you're on a paid plan.

If you're not signed up for FlakeHub, the workflow will still pass but won't cache your flake outputs. In this case, your logs will include a warning like this:

```
ERROR magic_nix_cache: FlakeHub cache initialization failed: FlakeHub cache error: HTTP 401 Unauthorized: "User is not authorized for this resource."
```
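Because the workflow still passes when the cache is not initialized, the only signal that builds are running uncached is that log line. The following is an added example, not part of this repository, that scans job log lines for the error shown above and reports the HTTP status so the condition can be surfaced rather than silently ignored. The sample log lines are constructed for the example; only the `ERROR magic_nix_cache` line is taken from this README, and the "likely cause" text for a 401 restates the README's explanation.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the magic-nix-cache initialization failure quoted in the README.
# Anything before "ERROR" (timestamps, Actions step prefixes) is allowed to vary.
CACHE_INIT_FAILURE = re.compile(
    r"ERROR magic_nix_cache: FlakeHub cache initialization failed: "
    r"FlakeHub cache error: HTTP (?P<status>\d{3}) (?P<reason>[^:]+): "
    r'"(?P<message>[^"]*)"'
)


@dataclass
class CacheFinding:
    line_no: int
    status: int
    reason: str
    message: str

    def likely_cause(self) -> str:
        # 401 is the case the README documents: the repository is not covered
        # by a paid FlakeHub plan, so outputs are built but never cached.
        if self.status == 401:
            return "not authorized for FlakeHub Cache (no paid plan); outputs are not cached"
        return f"FlakeHub cache initialization failed with HTTP {self.status}"


def scan_log(lines: List[str]) -> List[CacheFinding]:
    """Return one finding per cache-initialization failure line in the log."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = CACHE_INIT_FAILURE.search(line)
        if match:
            findings.append(
                CacheFinding(
                    line_no=line_no,
                    status=int(match["status"]),
                    reason=match["reason"].strip(),
                    message=match["message"],
                )
            )
    return findings


def cache_initialized_ok(lines: List[str]) -> bool:
    """True when no cache-initialization failure appears in the log."""
    return not scan_log(lines)


# Constructed sample log for the example; the timestamps and the first and
# last lines are made up, the ERROR line is the one quoted in the README.
SAMPLE_LOG = [
    "2024-01-01T00:00:00.000Z  INFO starting build of x86_64-linux outputs",
    '2024-01-01T00:00:01.000Z ERROR magic_nix_cache: FlakeHub cache initialization failed: '
    'FlakeHub cache error: HTTP 401 Unauthorized: "User is not authorized for this resource."',
    "2024-01-01T00:05:00.000Z  INFO build finished",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: HTTP {finding.status} {finding.reason}: {finding.likely_cause()}")
```

Run over a downloaded job log, a non-empty result from `scan_log` is a reliable indicator that the run completed without FlakeHub Cache, which is worth failing or annotating in CI rather than discovering later from slow builds.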
The default runner map uses `ubuntu-latest` for x86 Linux and `macos-latest` for macOS.

Take advantage of larger GitHub runners by providing a custom runner map:

```yaml
jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: write
      contents: read
    with:
      runner-map: |
        {
          "aarch64-darwin": "macos-latest-xlarge",
          "aarch64-linux": "UbuntuLatest32Cores128GArm",
          "i686-linux": "UbuntuLatest32Cores128G",
          "x86_64-darwin": "macos-latest-xlarge",
          "x86_64-linux": "UbuntuLatest32Cores128G"
        }
```
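The runner map is a JSON object embedded in a YAML block scalar, so a typo (a malformed system name, an empty runner label, a repeated key that `json.loads` would silently overwrite) is only discovered when a job is scheduled onto the wrong runner or not at all. The following is an added example, not part of this repository, of a small pre-commit check for that input. It assumes the map is the `runner-map` string exactly as written above; the system-name pattern is an assumption about the shape of Nix system doubles, not something the README states, and the check accepts any system of that shape rather than only the five listed.

```python
import json
import re
from typing import Dict, List, Tuple

# Assumed shape of a Nix system double, e.g. "x86_64-linux" or "aarch64-darwin".
SYSTEM_RE = re.compile(r"^[a-z0-9_]+-[a-z0-9]+$")

# Runner map copied from the README's custom-runner example.
README_RUNNER_MAP = """
{
  "aarch64-darwin": "macos-latest-xlarge",
  "aarch64-linux": "UbuntuLatest32Cores128GArm",
  "i686-linux": "UbuntuLatest32Cores128G",
  "x86_64-darwin": "macos-latest-xlarge",
  "x86_64-linux": "UbuntuLatest32Cores128G"
}
"""


def _reject_duplicates(pairs: List[Tuple[str, object]]) -> Dict[str, object]:
    # json.loads keeps the last value for a repeated key; a repeated system in a
    # runner map is almost certainly a mistake, so fail instead of picking one.
    result: Dict[str, object] = {}
    for key, value in pairs:
        if key in result:
            raise ValueError(f"duplicate system {key!r}")
        result[key] = value
    return result


def validate_runner_map(text: str) -> List[str]:
    """Return a list of problems with a runner-map string; empty means acceptable."""
    try:
        data = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [f"not a valid JSON object: {exc}"]
    if not isinstance(data, dict):
        return ["runner-map must be a JSON object mapping system to runner label"]
    problems: List[str] = []
    for system, runner in data.items():
        if not SYSTEM_RE.match(system):
            problems.append(f"{system!r} is not a Nix system double like 'x86_64-linux'")
        if not isinstance(runner, str) or not runner.strip():
            problems.append(f"runner label for {system!r} must be a non-empty string")
    return problems


if __name__ == "__main__":
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else README_RUNNER_MAP
    problems = validate_runner_map(text)
    for problem in problems:
        print(f"runner-map: {problem}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Pipe the block scalar's contents into the script (or call `validate_runner_map` from a test) before committing a new map; an empty problem list means every key looks like a system double and every value is a usable runner label.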
Configure an SSH agent with a secret private key for private repository support:

```yaml
jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: write
      contents: read
    with:
      enable-ssh-agent: true
    secrets:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
```
This workflow uses a collection of GitHub Actions by Determinate Systems, all of which are covered by the Determinate Systems privacy policy and terms of service.