{"id":27958425,"url":"https://github.com/determinatesystems/ci","last_synced_at":"2025-05-07T18:23:46.579Z","repository":{"id":245508217,"uuid":"818392947","full_name":"DeterminateSystems/ci","owner":"DeterminateSystems","description":"Determinate CI is the one-stop shop for effortless Nix CI in GitHub Actions.","archived":false,"fork":false,"pushed_at":"2025-04-27T17:45:19.000Z","size":83,"stargazers_count":10,"open_issues_count":5,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-27T18:34:24.793Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DeterminateSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-21T18:47:11.000Z","updated_at":"2025-04-27T17:45:22.000Z","dependencies_parsed_at":"2024-06-22T13:45:31.556Z","dependency_job_id":"0070fa13-d0de-49a1-a918-7ecbb2d30a78","html_url":"https://github.com/DeterminateSystems/ci","commit_stats":null,"previous_names":["determinatesystems/ci"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fci","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fci/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fci/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DeterminateSystems%2Fci/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/DeterminateSystems","download_url":"https://codeload.github.com/DeterminateSystems/ci/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252932307,"owners_count":21827271,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-07T18:23:45.806Z","updated_at":"2025-05-07T18:23:46.556Z","avatar_url":"https://github.com/DeterminateSystems.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Determinate CI\n\n\u003e [!NOTE]\n\u003e This Action is intended for users of [FlakeHub Cache][cache].\n\u003e [Sign up][signup] for a FlakeHub paid plan to get started.\n\nYour one-stop shop for effortless [Nix] CI in GitHub Actions.\n\n- Automatically builds on all the architectures your flake supports.\n- Caches all of your flake outputs using [FlakeHub Cache][cache].\n- Discovers and builds your entire flake using [flake schemas][flake-schemas].\n- [Publishes your flake][publishing] to [FlakeHub][flakehub] if you [opt in](#publishing-to-flakehub).\n\n\u003e [!WARNING]\n\u003e The Determinate CI workflow is an experiment.\n\u003e It may change significantly without warning.\n\u003e Please feel free to try it out, report bugs, and [let us know how it goes in our Discord][discord]!\n\u003e Stabilization to follow.\n\n## Usage\n\nCreate an Actions workflow in your project at `.github/workflows/ci.yml`, copy in this text...\n\n```yaml\non:\n  pull_request:\n  workflow_dispatch:\n  push:\n    branches:\n      - main\n      - master\n    tags:\n      - 
v?[0-9]+.[0-9]+.[0-9]+*\n\nconcurrency:\n  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}\n  cancel-in-progress: true\n\njobs:\n  DeterminateCI:\n    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main\n    permissions:\n      id-token: write\n      contents: read\n```\n\n...and you're done!\nYou'll see something like this when your workflow has run successfully:\n\n![Screenshot of successful build](https://github.com/DeterminateSystems/ci/assets/76716/c2c6aa07-3fd3-4e66-9440-bef264b472da)\n\n## Configuration options\n\n| Parameter          | Description                                                                                                                                           | Default                                                                                                                                                                   |\n| :----------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| `visibility`       | `public`, `unlisted`, or `private` ([private flakes][private-flakes] are available only on a [FlakeHub paid plan][signup])                            |                                                                                                                                                                           |\n| `default-branch`   | The [default Git branch][default-branch] for the repository                                                                                           | `${{ github.event.repository.default_branch }}`                                                                                                                           |\n| `enable-ssh-agent` | Whether 
to enable [`webfactory/ssh-agent`][ssh-agent] in the workflow. If you set this to `true` you need to supply a secret named `ssh-private-key`. | `false`                                                                                                                                                                   |\n| `directory`        | The root directory of your flake.                                                                                                                     | `.`                                                                                                                                                                       |\n| `fail-fast`        | Whether to cancel all in-progress jobs if any matrix job fails                                                                                        | `true`                                                                                                                                                                    |\n| `runner-map`       | A custom mapping of [Nix system types][nix-system] to desired Actions runners                                                                         | `{ \"aarch64-darwin\": \"macos-latest\", \"x86_64-darwin\": \"macos-latest\", \"x86_64-linux\": \"ubuntu-latest\", \"i686-linux\": \"ubuntu-latest\", \"aarch64-linux\": \"ubuntu-latest\" }` |\n\n## Example configurations\n\nThe sections below show configurations for some common use cases.\n\n### Publishing to FlakeHub\n\nPublish to FlakeHub on every push to the default branch and on every tag.\nSpecify the flake's [visibility]:\n\n```yaml\non:\n  pull_request:\n  workflow_dispatch:\n  push:\n    branches:\n      - main\n      - master\n    tags:\n      - v?[0-9]+.[0-9]+.[0-9]+*\n\nconcurrency:\n  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}\n  cancel-in-progress: true\n\njobs:\n  DeterminateCI:\n    uses: 
DeterminateSystems/ci/.github/workflows/workflow.yml@main\n    permissions:\n      id-token: write\n      contents: read\n    with:\n      visibility: public\n```\n\nFor [private flakes][private-flakes], set `visibility` to `private`.\n\n### Caching\n\nThis workflow uses [FlakeHub Cache][cache] as a [binary cache][binary-cache].\n\n\u003e [!NOTE]\n\u003e FlakeHub Cache only works if you're on a paid plan.\n\nIf you're not signed up for FlakeHub, the workflow will still pass but won't cache your flake outputs.\nIn this case, your logs will include a warning like this:\n\n```\nERROR magic_nix_cache: FlakeHub cache initialization failed: FlakeHub cache error: HTTP 401 Unauthorized: \"User is not authorized for this resource.\"\n```\n\n### Advanced usage\n\n#### GitHub Actions Runners\n\n##### Standard and larger runners\n\nBy default, the CI maps the Nix systems to their equivalent GitHub-hosted runners:\n\n|                                                   | macOS (Apple Silicon)                | ARM Linux                   | macOS (Intel)                        | x86 Linux                   |\n| ------------------------------------------------- | ------------------------------------ | --------------------------- | ------------------------------------ | --------------------------- |\n| Flake `system` (Nix build platform)               | `aarch64-darwin`                     | `aarch64-linux`             | `x86_64-darwin`                      | `x86_64-linux`              |\n| [GitHub Actions Runner][runners] (workflow label) | `macos-latest` (using Apple Silicon) | `ubuntu-latest` (using x86) | `macos-latest` (using Apple Silicon) | `ubuntu-latest` (using x86) |\n\n\u003e [!NOTE]\n\u003e There is also a [standard ARM Linux runner][runners-linux-arm] `ubuntu-24.04-arm`, currently in public preview and only supported on public repositories.\n\u003e To use it, supply your own runner map as shown below.\n\u003e To use ARM Linux runners on private repositories, you need 
non-standard runners, as shown below.\n\n##### Non-standard runners\n\nYou can also use several types of non-standard runners by providing a custom runner map.\nFor example, this runner map enables the [larger GitHub runners for macOS][runners-large-macos]:\n\n```yaml\njobs:\n  DeterminateCI:\n    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main\n    permissions:\n      id-token: write\n      contents: read\n    with:\n      runner-map: |\n        {\n          \"aarch64-darwin\": \"macos-latest-xlarge\",\n          \"x86_64-darwin\": \"macos-latest-large\"\n        }\n```\n\n\u003e [!TIP]\n\u003e Using `macos-latest-large` is currently the only way to run _current_ macOS on Intel architecture.\n\nThe other two types of runners are those provisioned on your own infrastructure, and [larger Ubuntu (not macOS) runners][runners-large] with bespoke specs (for example, 64 CPUs, 128GB RAM) hosted by GitHub.\nConfusingly, GitHub sometimes refers to both of these as \"self-hosted\" runners.\n\n\u003e [!IMPORTANT]\n\u003e Shared workflows such as the one used in this repo [can only access][workflow-access] non-standard runners if the workflow repo (this one) is owned by the same organisation (`DeterminateSystems`) or user.\n\u003e To use this repo with non-standard runners if you are not `DeterminateSystems`, fork the repository and replace the upstream workflow with your fork.\n\u003e\n\u003e ```diff\n\u003e jobs:\n\u003e   DeterminateCI:\n\u003e -    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main\n\u003e +    uses: $YOURORG/ci/.github/workflows/workflow.yml@main\n\u003e ```\n\u003e\n\u003e Replace `$YOURORG` with your own organisation or user.\n\u003e\n\u003e This limitation does not apply to larger macOS runners hosted by GitHub.\n\n#### Private SSH keys\n\nConfigure an SSH agent with a secret private key for private repository support.\n\n```yaml\njobs:\n  DeterminateCI:\n    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main\n 
   permissions:\n      id-token: write\n      contents: read\n    with:\n      enable-ssh-agent: true\n    secrets:\n      ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}\n```\n\n#### Continue on failure\n\nBy default, if any build in the matrix fails, the workflow will cancel all remaining in-progress jobs.\nYou can change this behavior by setting `fail-fast` to `false`:\n\n```yaml\njobs:\n  DeterminateCI:\n    uses: DeterminateSystems/ci/.github/workflows/workflow.yml@main\n    permissions:\n      id-token: write\n      contents: read\n    with:\n      fail-fast: false\n```\n\n## Workflow outputs\n\nThe `DeterminateSystems/ci` workflow provides a number of outputs that you can use in dependent workflows.\n\n| Output              | Description                                                                                                                                                                                                                  | Example                                                                                 |\n| :------------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |\n| `flake_name`        | The name of the flake                                                                                                                                                                                                        | `DeterminateSystems/flakehub-push`                                                      |\n| `flake_version`     | The version of the published flake                                                                                                                                                                                           | 
`0.1.99+rev-2075013a3f3544d45a96f4b35df4ed03cd53779c`                                   |\n| `flakeref_exact`    | A precise flake reference that always resolves to this exact release.                                                                                                                                                        | `DeterminateSystems/flakehub-push/=0.1.99+rev-2075013a3f3544d45a96f4b35df4ed03cd53779c` |\n| `flakeref_at_least` | A loose reference to this release. Depending on this reference will require at least this version, and will also resolve to newer releases. This output is not sufficient for deployment pipelines; use `flakeref_exact` instead. | `DeterminateSystems/flakehub-push/0.1.99+rev-2075013a3f3544d45a96f4b35df4ed03cd53779c`  |\n\n## Notes\n\nThis workflow uses a collection of GitHub Actions by Determinate Systems, all of which are covered by the Determinate Systems [privacy policy][privacy] and [terms of service][tos].\n\n[binary-cache]: https://zero-to-nix.com/concepts/caching\n[cache]: https://flakehub.com/cache\n[default-branch]: https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch\n[flake-schemas]: https://github.com/DeterminateSystems/flake-schemas\n[flakehub]: https://flakehub.com/\n[discord]: https://determinate.systems/discord\n[nix]: https://zero-to-nix.com\n[nix-system]: https://zero-to-nix.com/concepts/system-specificity\n[privacy]: https://determinate.systems/policies/privacy\n[private-flakes]: https://docs.determinate.systems/flakehub/private-flakes\n[publishing]: https://docs.determinate.systems/flakehub/publishing\n[runners]: https://docs.github.com/en/actions/using-github-hosted-runners\n[runners-large]: https://docs.github.com/en/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners\n[runners-large-macos]: 
https://docs.github.com/en/actions/using-github-hosted-runners/using-larger-runners/about-larger-runners#about-macos-larger-runners\n[runners-linux-arm]: https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/\n[signup]: https://flakehub.com/signup\n[ssh-agent]: https://github.com/webfactory/ssh-agent\n[tos]: https://determinate.systems/policies/terms-of-service\n[visibility]: https://docs.determinate.systems/flakehub/concepts/visibility\n[workflow-access]: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#using-self-hosted-runners\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeterminatesystems%2Fci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeterminatesystems%2Fci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeterminatesystems%2Fci/lists"}