ci: build inside a nix develop shell with just #19
Pin the toolchain (node, typescript, tfx-cli, azure-cli, jq, pinact) in a flake devShell so CI and local builds share one reproducible environment instead of installing tools ad-hoc. tfx-cli is not in nixpkgs, so build it from upstream Microsoft/tfs-cli in nix/tfx-cli.nix. Workflows now install Nix and use `nix develop --command bash` as the default shell, dropping the manual node setup and `npm install -g` steps. Actions are pinned to commit SHAs via `make pin-actions` (pinact).
Use just as the command runner; add it to the devShell (replacing gnumake) and update workflows to call just build / just publish-release.
Add curl/sd to the devShell and expose packages.tfx-cli. `just update` runs flake update, bumps tfx-cli to the latest upstream commit with recomputed hashes (update-tfx/rehash-tfx), and re-pins actions, each step wrapped in `nix develop --command` so it runs from a bare shell.
airadier left a comment:
Nice, well-scoped infra migration (Makefile → justfile, tools pinned in a Nix devShell, workflows running under nix develop). I verified flake.nix is well-formed — the // { overlay merge is present, so no syntax issue there.
One blocking item and a few non-blocking recommendations, left as inline comments.
🔴 Blocking — please change:
1. `.envrc` instructs developers to put env vars and `act` secrets (Azure tokens) in `.env`/`.secrets`, but neither file is in `.gitignore`. Since the workflows themselves `git add .`, this is a real path to committing live credentials. One-line fix.
🟡 Non-blocking, but recommended:
2. azure/login authenticates the runner's az, while the token step now runs under nix develop with the nixpkgs az — a version skew that could break token retrieval / release.
3. rehash-tfx can silently leave an empty hash on failure.
4. magic-nix-cache-action is deprecated/sunset by Determinate Systems — worth confirming it still caches.
Everything else (nixpkgs-unstable + just update reproducibility, the unused token output in the PR check) is fine / pre-existing.
- gitignore .env/.secrets so the .envrc-suggested secret files can't be committed by the workflows' `git add .`
- pin the token-retrieval steps to the runner's az (`shell: bash`) so the binary that reads ~/.azure matches the one azure/login wrote it with
- fail loudly in rehash-tfx instead of leaving an empty hash on parse error
Pin the CI toolchain in a flake devShell so CI and local builds share one reproducible environment instead of installing tools ad-hoc. Workflows now install Nix and use `nix develop --command bash` as the default shell.
Migrate Makefile -> justfile (just replaces gnumake in the shell).
`just update` bumps the flake inputs, tfx-cli, and re-pins actions; actions are pinned to SHAs via pinact (`just pin-actions`). node_20 is EOL in nixpkgs -> devShell uses node_22; azure/login bumped to v3.
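The "fail loudly in rehash-tfx" point from the review, as an added shell example that is not the PR's own justfile recipe: it assumes (hypothetically) that the rehash step builds nix/tfx-cli.nix with a placeholder hash, reads the `got: sha256-...` line Nix prints on a fixed-output hash mismatch, and writes it back with sed; the sample Nix output and file contents are constructed.

```shell
# Added example, not the PR's recipe: a rehash step that refuses to write an
# empty or malformed hash. Function names and the sample output are constructed.
set -eu

# Constructed sample of Nix's hash-mismatch error; the 44-char base64 bodies are synthetic.
fake_old=$(printf 'A%.0s' $(seq 1 43))=
fake_new=$(printf 'B%.0s' $(seq 1 43))=
NIX_MISMATCH_SAMPLE=$(printf '%s\n' \
  "error: hash mismatch in fixed-output derivation '/nix/store/placeholder-tfx-cli-deps.drv':" \
  "         specified: sha256-${fake_old}" \
  "            got:    sha256-${fake_new}")

# Print the SRI hash from the "got:" line; return 1 and print nothing if it is
# absent, so a `set -e` caller aborts instead of substituting an empty string.
extract_sri_hash() {
  local hash
  hash=$(printf '%s\n' "$1" |
    sed -n 's|^[[:space:]]*got:[[:space:]]*\(sha256-[A-Za-z0-9+/=]\{44\}\)[[:space:]]*$|\1|p' |
    head -n 1)
  [ -n "$hash" ] || return 1
  printf '%s\n' "$hash"
}

# Refuse anything that is not a full SRI sha256 (7-char prefix + 44 base64 chars).
require_sri_hash() {
  case "${1-}" in
    sha256-*) [ "${#1}" -eq 51 ] && return 0 ;;
  esac
  echo "rehash-tfx: refusing to write invalid hash '${1-}'" >&2
  return 1
}

# Replace `hash = "...";` in a nix file with the parsed hash. On any parse
# failure the file is left untouched and the function returns non-zero.
rehash_file() {
  local file="$1" build_output="$2" new
  new=$(extract_sri_hash "$build_output") || {
    echo "rehash-tfx: no 'got: sha256-...' line in build output" >&2
    return 1
  }
  require_sri_hash "$new" || return 1
  sed -i.bak "s|hash = \"[^\"]*\";|hash = \"${new}\";|" "$file" && rm -f "$file.bak"
}

# Demo on a constructed file; a real recipe would feed `nix build` output in.
demo_file=$(mktemp)
printf '  hash = "sha256-PLACEHOLDER";\n' > "$demo_file"
rehash_file "$demo_file" "$NIX_MISMATCH_SAMPLE" && cat "$demo_file"; rm -f "$demo_file"
```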