The one-stop shop for effortless Nix CI in GitHub Actions.
- Automatically builds on all the architectures your flake supports.
- Built-in, free caching using Magic Nix Cache and optionally FlakeHub Cache.
- Discovers and builds your entire flake using Flake Schemas.
- Easily opt in to publishing to FlakeHub.
Status: The Determinate CI workflow is an experiment. It may change significantly without warning. Please feel free to try it out, report bugs, and let us know how it goes in our Discord! Stabilization to follow.
Create a workflow in your project at `.github/workflows/ci.yml`, and copy in this text:
```yaml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
    tags:
      - "v?[0-9]+.[0-9]+.[0-9]+*"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: "write"
      contents: "read"
```
And you're done.
Publish to FlakeHub on every push to the default branch, and every tag. Specify the flake's visibility:
```yaml
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main
      - master
    tags:
      - "v?[0-9]+.[0-9]+.[0-9]+*"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: "write"
      contents: "read"
    with:
      visibility: public
```
To speed up builds, the workflow uses FlakeHub Cache as a cache.
Note: FlakeHub Cache only works if you're on a paid plan.
If you're not signed up for FlakeHub, the workflow will still pass, but may be slower. In this case, your logs will include a warning like this:
```text
ERROR magic_nix_cache: FlakeHub cache initialization failed: FlakeHub cache error: HTTP 401 Unauthorized: "User is not authorized for this resource."
```
The default runner map uses `ubuntu-latest` for x86 Linux, and `macos-latest` for macOS.
Take advantage of larger GitHub runners by providing a custom runner map:
```yaml
jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: "write"
      contents: "read"
    with:
      runner-map: |
        {
          "aarch64-darwin": "macos-latest-xlarge",
          "aarch64-linux": "UbuntuLatest32Cores128GArm",
          "i686-linux": "UbuntuLatest32Cores128G",
          "x86_64-darwin": "macos-latest-xlarge",
          "x86_64-linux": "UbuntuLatest32Cores128G"
        }
```
Configure an SSH agent with a secret private key for private repository support.
```yaml
jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: "write"
      contents: "read"
    with:
      enable-ssh-agent: true
    secrets:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
```
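Every snippet in this README calls the reusable workflow at the branch ref `@main`, grants it `id-token: write` and `contents: read`, and in the SSH case hands it a private key. The following check is an added example, not code from the Determinate Systems project: for each reusable-workflow call in a workflow file it reports whether the ref is a full commit SHA, which job-level permissions differ from the pair shown here, and which secrets are passed. The names `audit_workflow` and `README_PERMISSIONS` and the sample input are assumptions of the example, and a top-level `permissions:` block is not read.

```python
import re

# Permissions the README's snippets grant to the calling job.
README_PERMISSIONS = {"id-token": "write", "contents": "read"}
USES_RE = re.compile(r"^(\s*)uses:\s*([\w.-]+/[\w.-]+/\.github/workflows/[^@\s]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed input: the README's SSH snippet with `contents` widened to "write".
SAMPLE = """\
jobs:
  DeterminateCI:
    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main
    permissions:
      id-token: "write"
      contents: "write"
    secrets:
      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
"""

def _depth(line):
    return len(line) - len(line.lstrip())

def audit_workflow(text):
    """Per reusable-workflow call: ref pinning, permissions beyond the README's, secrets passed."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, section, perms, secrets = len(m.group(1)), None, {}, []
        # The job body starts after the nearest shallower line above `uses:` (the job name).
        start = max((j for j in range(i) if lines[j].strip() and _depth(lines[j]) < indent), default=-1)
        for row in lines[start + 1:]:
            key, _, value = row.strip().partition(":")
            if not key or key.startswith("#"):
                continue
            if _depth(row) < indent:
                break  # next job or top-level key
            if _depth(row) == indent:
                section = key  # job-level key: uses, permissions, with, secrets
            elif section == "permissions":
                perms[key] = value.strip().strip("\"'")
            elif section == "secrets":
                secrets.append(key)
        findings.append({"workflow": m.group(2), "ref": m.group(3),
                         "pinned_to_sha": bool(FULL_SHA_RE.match(m.group(3))),
                         "extra_permissions": {k: v for k, v in perms.items() if README_PERMISSIONS.get(k) != v},
                         "secrets_passed": secrets})
    return findings
```

Calling `audit_workflow(SAMPLE)` returns one finding with `pinned_to_sha` false, `extra_permissions` of `{"contents": "write"}` and `secrets_passed` of `["ssh-private-key"]`.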
This workflow uses a collection of GitHub Actions by Determinate Systems, which are covered by the Determinate Systems privacy policy and terms of service.