{"id":25772836,"url":"https://github.com/risicle/nix-build-task","last_synced_at":"2025-06-25T07:33:59.227Z","repository":{"id":38023335,"uuid":"336407948","full_name":"risicle/nix-build-task","owner":"risicle","description":"A reusable Concourse task for building Nix derivations","archived":false,"fork":false,"pushed_at":"2025-06-08T22:05:44.000Z","size":168,"stargazers_count":10,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-06-08T22:28:06.028Z","etag":null,"topics":["cachix","concourse","container-image","nix"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/risicle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-02-05T22:53:24.000Z","updated_at":"2025-06-08T22:05:38.000Z","dependencies_parsed_at":"2024-01-20T00:24:06.276Z","dependency_job_id":"2a17e119-3ac7-4354-9572-6680d5363fee","html_url":"https://github.com/risicle/nix-build-task","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/risicle/nix-build-task","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/risicle%2Fnix-build-task","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/risicle%2Fnix-build-task/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/risicle%2Fnix-build-task/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/risicle%2Fnix-build-task/manifest
s","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/risicle","download_url":"https://codeload.github.com/risicle/nix-build-task/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/risicle%2Fnix-build-task/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261827351,"owners_count":23215736,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cachix","concourse","container-image","nix"],"created_at":"2025-02-27T04:20:18.933Z","updated_at":"2025-06-25T07:33:59.176Z","avatar_url":"https://github.com/risicle.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nix-build-task\n\nThis is a reusable task (in the vein of\n[oci-build-task](https://github.com/vito/oci-build-task)) for building\n[Nix](https://nixos.org/) derivations in [Concourse](https://concourse-ci.org/)\npipelines.\n\n## Features\n\n- Image-handling support. Container images produced by the derivations (through\n  `dockerTools` or other means) can be used interchangeably with those produced by\n  `oci-build-task`. This includes being `put` to the `registry-image` resource or\n  used immediately as a subsequent task image.\n- [Cachix](https://cachix.org/) support. Push and pull, allowing unnecessary rebuilds\n  to be avoided.\n- Outpath evaluation mode, making it possible to detect when changes will actually\n  result in a different build output without performing the build.\n- **No** `privileged` requirement. 
You _could_ run it with `privileged: true` if\n  you wanted extra guarantees that the results didn't have any undeclared dependencies\n  (see https://github.com/NixOS/docker#limitations for more information on this),\n  but this is a fairly niche requirement, needed for building badly behaved software.\n\n## Operation\n\nThe idea of `nix-build-task` is to aid in producing reproducible builds of your\nprojects, and in that spirit `nix-build-task` tries to be as \"hands-off\" as possible\nwith the nix expression it is building. The expectation is that expressions are\nself-contained and strictly bring-your-own-nixpkgs. This way the same build result can\nbe reliably achieved just as easily with or without `nix-build-task`, on a remote server\nor on a local development machine. See the guide on\n[pinning nixpkgs](https://nixos.org/guides/towards-reproducibility-pinning-nixpkgs.html)\nfor more detail on how to achieve this.\n\nA basic example task:\n\n```yaml\n  - task: build-my-project\n    image: nix-build-task-dockerhub\n    config:\n      platform: linux\n      image_resource:\n        type: registry-image\n        source:\n          repository: risicle/nix-build-task\n      inputs:\n        - name: my-project-git\n      outputs:\n        - name: built-project\n          path: output\n      params:\n        NIXFILE: my-project-git/project.nix\n        ATTR: foo\n      run:\n        path: /bin/build\n```\n\n`nix-build-task` will call `nix-build` on the file pointed to in the `NIXFILE` parameter,\noptionally targeting a specific attribute of that expression indicated by the `ATTR`\nparameter, and attempt to copy the `result`s to an output at the path `output`. The\noriginal nix output path of the derivation is written to `output/result.outpath`.\nMultiple attributes can be specified as `ATTR0` ... `ATTR\u003cn\u003e` and their results will be\ncopied to the respective output paths `output0` ... `output\u003cn\u003e`. 
`/bin/build` is the\nentry point to call in the `run.path`.\n\n## Params\n\n- `NIXFILE` (required): path to file containing nix expression.\n- `ATTR0` ... `ATTR\u003cn\u003e`: attributes to build. `result`s will be copied to `output0` ...\n  `output\u003cn\u003e`. `ATTR` is an alias of `ATTR0` and `output` is used for results if\n  `output0` is not found.\n- `OUTPUT0_PREPARE_IMAGE` ... `OUTPUT\u003cn\u003e_PREPARE_IMAGE`: set to a non-empty, non-falsey\n  value, will cause the result from the respective output to be prepared as a container\n  image to be used by e.g. concourse's `registry-image` resource. Set to the value\n  `unpack`, will go a step further and prepare the image for immediate use as a concourse\n  task image, equivalent to `oci-build-task`'s `UNPACK_ROOTFS` option.\n  `OUTPUT_PREPARE_IMAGE` is an alias of `OUTPUT0_PREPARE_IMAGE`.\n- `OUTPUT0_EXPORT_NAR` ... `OUTPUT\u003cn\u003e_EXPORT_NAR`: set to a non-empty, non-falsey value,\n  will cause the results from the respective output to be exported from the nix store\n  as a single `result.nar` file. Set to the value `runtime-closure`, will include the\n  full runtime closure of the results. `OUTPUT_EXPORT_NAR` is an alias of\n  `OUTPUT0_EXPORT_NAR`.\n- `BUILD_ARG_\u003cargname\u003e`: passed to `nix-build`'s `--arg` option, specifying an argument\n  to be passed to the nix expression in `NIXFILE`. Value interpreted as a nix expression.\n- `BUILD_ARGSTR_\u003cargname\u003e`: passed to `nix-build`'s `--argstr` option, specifying an\n  argument to be passed to the nix expression in `NIXFILE`. 
Value interpreted as a string.\n- `NIX_OPTION_\u003coptname\u003e`: passed to `nix-build`'s `--option` argument, allows overriding\n  a Nix configuration option.\n- `CACHIX_CACHE`: name of the [Cachix](https://cachix.org/) cache to attempt to pull\n  prebuilt binaries from and, if `CACHIX_CONF`, `CACHIX_SIGNING_KEY` or\n  `CACHIX_AUTH_TOKEN` are set, attempt to push built binaries to.\n- `CACHIX_CONF`: path to a `cachix.dhall` file with credentials for cachix cache.\n- `CACHIX_PUSH`: explicitly control whether to push build results to `CACHIX_CACHE`.\n  - Truthy values will enable pushing all built packages to cachix. This is the implied\n    default when any of the `CACHIX_CONF`, `CACHIX_SIGNING_KEY` or `CACHIX_AUTH_TOKEN`\n    params are set.\n  - Falsey values will disable pushing to cachix.\n  - The special value `outputs` will cause only the actual output packages and their\n    *runtime* dependencies to be pushed to cachix. This may be useful either to conserve\n    cache space or for people paranoid about pushing secrets that may be contained in\n    intermediate build products.\n- `CACHIX_PUSH_EXTRA_ARGS`: extra arguments to supply to cachix push commands.\n- `NIX_LOG_DIR`: if this is set to a relative path, `nix-build-task` will simply\n  interpret it as relative to the build directory and make it absolute, passing it\n  through to `nix-build`. This allows build logs to be sent to an output directory.\n\nNot explicitly handled by `nix-build-task`, but just happen to work by virtue of being\npassed as environment variables:\n\n- `CACHIX_SIGNING_KEY`: key for signing packages being pushed to `CACHIX_CACHE`.\n- `CACHIX_AUTH_TOKEN`: auth token for `CACHIX_CACHE`.\n- `NIX_CONF_DIR`: can be used to point at your own supplied `nix.conf` for overriding\n  many nix options at once. 
If you're going to do this, note that the `CACHIX_CACHE`\n  parameter will put its settings in `/etc/nix/nix.conf` and if you want this to still\n  have an effect you will want to use an `include` line to refer to it or manually\n  include your own equivalent settings.\n- `NIXPKGS_CONFIG`: can be used to point at your own supplied `config.nix`, where\n  nixpkgs-specific settings such as `allowUnfree`, `packageOverrides` and\n  `permittedInsecurePackages` can be configured. See\n  [the nixpkgs manual](https://nixos.org/manual/nixpkgs/stable/#chap-packageconfig)\n  for more information on these.\n\n## Examples\n\nMany examples of its use are contained in the testing jobs of the\n[build pipeline](./ci/build.yml). The same pipeline also shows how `nix-build-task` is\nused to build _itself_.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frisicle%2Fnix-build-task","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frisicle%2Fnix-build-task","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frisicle%2Fnix-build-task/lists"}