From d0662e31851ccb33d38a82938f2042fe013ecc33 Mon Sep 17 00:00:00 2001 From: Skryta Istota <6970043-hidden-being@users.noreply.gitlab.com> Date: Sun, 30 Nov 2025 11:44:23 +0100 Subject: [PATCH 01/11] fix(helpers): use builtin nix store location indicator --- lib/impl/helpers.nix | 2 +- tests/cilib_test.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/impl/helpers.nix b/lib/impl/helpers.nix index 48a79fc..754cead 100644 --- a/lib/impl/helpers.nix +++ b/lib/impl/helpers.nix @@ -50,7 +50,7 @@ in rec { filterJobVariables = shouldContain: job: concatMapAttrs ( name: value: - optionalAttrs ((hasInfix "/nix/store/" value) == shouldContain) { + optionalAttrs ((hasInfix builtins.storeDir value) == shouldContain) { ${name} = value; } ) diff --git a/tests/cilib_test.nix b/tests/cilib_test.nix index 78e99a3..b53308c 100644 --- a/tests/cilib_test.nix +++ b/tests/cilib_test.nix @@ -129,7 +129,7 @@ # sh '' set -euo pipefail - ${ntlib.helpers.path [pkgs.jq pkgs.gnugrep pkgs.coreutils]} + ${ntlib.helpers.path (with pkgs; [jq gnugrep coreutils])} echo "two keys, one json one pretty" jq 'keys | length == 2' "${pipeline}" | grep -q true echo "key[0] is exactly 'gitlab-ci:pipeline:test'" From 96e6fe59bffec37e89ef38d78d50c0a3de43ea44 Mon Sep 17 00:00:00 2001 From: Skryta Istota <6970043-hidden-being@users.noreply.gitlab.com> Date: Sun, 30 Nov 2025 14:14:14 +0100 Subject: [PATCH 02/11] ci: fix oci image used for dog fooding & forks --- .gitlab-ci.yml | 2 ++ nix/repo/ci.nix | 1 + 2 files changed, 3 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bff742c..e8c146c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -55,3 +55,5 @@ stages: - build-images - build - trigger +variables: + NIX_CI_IMAGE: $CI_REGISTRY_IMAGE/nix-ci:$CI_COMMIT_SHORT_SHA diff --git a/nix/repo/ci.nix b/nix/repo/ci.nix index a76c0d8..157ede7 100644 --- a/nix/repo/ci.nix +++ b/nix/repo/ci.nix 
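Review bot: `hasInfix builtins.storeDir value` in `filterJobVariables` matches more than the literal it replaces, because `builtins.storeDir` has no trailing slash (for example `/nix/store`) and the old string was `"/nix/store/"`. A value such as `/nix/store-old/x` is now classified as a store path. Since this predicate decides which job variables are treated as store paths, keeping the path-component boundary is safer: `optionalAttrs ((hasInfix "${builtins.storeDir}/" value) == shouldContain) {`. The `concatMapAttrs` call continues past the end of the hunk.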
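Review bot: `NIX_CI_IMAGE` is selected by `$CI_COMMIT_SHORT_SHA`, an eight-character prefix used as a mutable registry tag, so the image a job runs is not tied to the exact commit that built it. The same value is added in the `nix/repo/ci.nix` hunk of this patch. Using the full SHA, `NIX_CI_IMAGE: $CI_REGISTRY_IMAGE/nix-ci:$CI_COMMIT_SHA`, removes the prefix-collision case, provided the `build:image` job pushes the same tag (its tagging is outside these hunks). A one-line comment that `$CI_REGISTRY_IMAGE` makes forks pull from their own registry would record why the variable is set here.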
@@ -10,6 +10,7 @@ in # the child pipeline can then use the built images to test them extraData = { stages = ["build-images" "build" "trigger"]; + variables.NIX_CI_IMAGE = "$CI_REGISTRY_IMAGE/nix-ci:$CI_COMMIT_SHORT_SHA"; "build:image" = { stage = "build-images"; parallel.matrix = [ From 1c9e7c77c5f17c6f15bc6b0f705b551ac5b70e2b Mon Sep 17 00:00:00 2001 From: technofab Date: Tue, 2 Dec 2025 15:09:27 +0100 Subject: [PATCH 03/11] chore: add test and docs for handling nix store paths in global variables --- docs/index.md | 11 +++++++++++ tests/cilib_test.nix | 22 ++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/docs/index.md b/docs/index.md index 214fbf3..14f7da3 100644 --- a/docs/index.md +++ b/docs/index.md @@ -9,3 +9,14 @@ This project provides a Nix flake module that allows you to generate your `.gitl - **Modularity:** Define and manage your CI configurations in a structured and modular way using Nix modules, making it easier to share and reuse CI logic across multiple projects. This documentation will guide you through setting up and using Nix GitLab CI for your projects. + +## Warnings + +To save you from frantically searching these docs if something doesn't work as expected, here are the most important warnings ;) + +!!! warning + + Do not put Nix store paths into global/pipeline variables. They will simply be passed through, + resulting in bad portability (if two runners have different archs for example, one cannot find the path). + If you need any Nix store path in env variables, always do it on the job level, there + it will automatically be computed at runtime, thus will always work no matter which runner it runs on. diff --git a/tests/cilib_test.nix b/tests/cilib_test.nix index b53308c..2322906 100644 --- a/tests/cilib_test.nix +++ b/tests/cilib_test.nix 
@@ -163,6 +163,28 @@ }; }).finalConfig; } + { + # it doesn't make much sense to have any nix store path in variables, but we ignore it for global variables + name = "ignore store paths in global variables"; + expected = { + variables = { + HELLO = "world"; + CURL = toString pkgs.curl; + }; + }; + actual = + (mkPipeline { + name = "test"; + nixConfig.enable = true; + pipeline = { + variables = { + HELLO = "world"; + CURL = toString pkgs.curl; + }; + jobs = {}; + }; + }).finalConfig; + } ]; }; } From 97fb4fafc3edb77b2bbfcf264be40e5b30b058af Mon Sep 17 00:00:00 2001 From: technofab Date: Tue, 2 Dec 2025 15:10:00 +0100 Subject: [PATCH 04/11] fix(jobPatched): handle non-nix jobs correctly fix mkJobPatched removing `cache` and `variables` from non-nix jobs See !15 for more --- lib/impl/jobPatched.nix | 13 ++++++------- tests/cilib_test.nix | 23 +++++++++++++++++++++-- 2 files changed, 27 insertions(+), 9 deletions(-) diff --git a/lib/impl/jobPatched.nix b/lib/impl/jobPatched.nix index c7134fb..367a374 100644 --- a/lib/impl/jobPatched.nix +++ b/lib/impl/jobPatched.nix @@ -11,13 +11,13 @@ in pipelineName, nixConfig, }: - (builtins.removeAttrs job ["variables" "cache"]) - // (optionalAttrs nixConfig.enable ( - (prependToBeforeScript ["source setup_nix_ci \"gitlab-ci:pipeline:${pipelineName}:job-deps:${key}\""] job) + if ! nixConfig.enable + then job + else + (builtins.removeAttrs job ["variables" "cache"]) + // (prependToBeforeScript ["source setup_nix_ci \"gitlab-ci:pipeline:${pipelineName}:job-deps:${key}\""] job) // (appendToAfterScript ["finalize_nix_ci"] job) - )) - // optionalAttrs nixConfig.enable ( - (let + // (let variables = (filterJobVariables false job) // optionalAttrs nixConfig.enableRunnerCache { @@ -40,4 +40,3 @@ in optionalAttrs (cache != []) { inherit cache; }) - ) diff --git a/tests/cilib_test.nix b/tests/cilib_test.nix index 2322906..3b76fb8 100644 --- a/tests/cilib_test.nix +++ b/tests/cilib_test.nix 
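Review bot: The comment on the new test case says store paths are "ignored" for global variables, which can be read as "dropped", while `expected` shows `CURL` passed through unchanged. Wording such as `# store paths in global variables are passed through verbatim, not resolved at runtime like job-level ones` matches both the assertion and the warning this commit adds to docs/index.md.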
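Review bot: The new `if ! nixConfig.enable then job` branch in lib/impl/jobPatched.nix returns the job verbatim, so a variable holding a store path now reaches the generated pipeline for a job that never gets `setup_nix_ci` prepended, and nothing tells the author. The docs warning added in the previous patch only covers global variables. A comment on the branch such as `# nix disabled: leave the job untouched (variables and cache included); store paths are not resolved` would record the intent. If `lib` is in scope in this file (not visible in the hunk), `lib.warnIf (filterJobVariables true job != {}) "job ${key}: store paths in variables with nix disabled" job` would surface the case at evaluation time. The function's argument list starts above the hunk.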
@@ -64,6 +64,22 @@ nixConfig.enable = false; }; } + { + name = "jobPatched nix disabled with variables and cache"; + expected = { + variables."HELLO" = "world"; + cache = [{key = "example";}]; + }; + actual = mkJobPatched { + key = "test"; + pipelineName = "test"; + job = { + variables."HELLO" = "world"; + cache = [{key = "example";}]; + }; + nixConfig.enable = false; + }; + } { name = "jobPatched without runner cache"; expected = { @@ -145,10 +161,13 @@ ''; } { - name = "handle store paths in variables"; + name = "ignore store paths in variables with nix disabled"; expected = { stages = ["test"]; - test.stage = "test"; + test = { + stage = "test"; + variables."TEST" = "${pkgs.hello}"; + }; }; actual = (mkPipeline { From 59f8bd169ae2733238455899fb3bace9cab99ff7 Mon Sep 17 00:00:00 2001 From: technofab Date: Tue, 2 Dec 2025 15:12:28 +0100 Subject: [PATCH 05/11] chore: bump version --- lib/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/VERSION b/lib/VERSION index cb2b00e..fd2a018 100644 --- a/lib/VERSION +++ b/lib/VERSION @@ -1 +1 @@ -3.0.1 +3.1.0 From 1e9ddff3003c1a1a349bc74b95ad222b288e3f3b Mon Sep 17 00:00:00 2001 From: technofab Date: Wed, 3 Dec 2025 20:47:39 +0100 Subject: [PATCH 06/11] fix(modules/job): fix variables with nix store paths getting dropped --- lib/impl/modules/job.nix | 2 +- tests/modules_test.nix | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/lib/impl/modules/job.nix b/lib/impl/modules/job.nix index 295093d..fd4fc62 100644 --- a/lib/impl/modules/job.nix +++ b/lib/impl/modules/job.nix @@ -646,8 +646,8 @@ in rec { }; depsDrv = cilib.mkJobDeps { key = name; - job = config.finalConfig; nixConfig = config.nix; + inherit job; }; runnerDrv = cilib.mkJobRun { key = name; diff --git a/tests/modules_test.nix b/tests/modules_test.nix index e134293..8ccbd83 100644 --- a/tests/modules_test.nix +++ b/tests/modules_test.nix 
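Review bot: `inherit job;` in the `mkJobDeps` call of lib/impl/modules/job.nix depends on a `job` binding defined outside this hunk, and nothing at the call site says how it differs from `config.finalConfig`. Judging by the commit subject, `finalConfig` presumably no longer carries the store-path variables, so `mkJobDeps` had nothing to export. A comment above the line, for example `# unpatched job: finalConfig no longer carries store-path variables`, would keep someone from switching it back. The enclosing attribute set starts and ends outside the hunk.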
@@ -77,6 +77,27 @@ assert_file_contains ${package} '"EXAMPLE":"/nix/store/.*-hello-.*"' ''; } + { + name = "correctly inject variables containing nix store paths at runtime"; + type = "script"; + script = let + package = + (cilib.mkCI { + pipelines."test".jobs."test" = { + stage = ".pre"; + variables.EXAMPLE = "${pkgs.hello}"; + script = []; + }; + }).packages."gitlab-ci:pipeline:test:job-deps:test"; + in + # sh + '' + ${ntlib.helpers.path [pkgs.gnugrep]} + ${ntlib.helpers.scriptHelpers} + assert_file_contains ${package} 'export PATH=":$PATH";' + assert_file_contains ${package} 'export EXAMPLE="/nix/store/.*-hello-.*"' + ''; + } ]; }; } From 8a77208ebe29fe7b3ba60bec3d48868049f93013 Mon Sep 17 00:00:00 2001 From: technofab Date: Wed, 3 Dec 2025 21:02:46 +0100 Subject: [PATCH 07/11] chore: bump version --- lib/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/VERSION b/lib/VERSION index fd2a018..94ff29c 100644 --- a/lib/VERSION +++ b/lib/VERSION @@ -1 +1 @@ -3.1.0 +3.1.1 From 8eadfb56ba2fc2acd0689adef8f0b214f0a7c82a Mon Sep 17 00:00:00 2001 From: technofab Date: Fri, 5 Dec 2025 20:16:37 +0100 Subject: [PATCH 08/11] fix(modules): fold was deprecated, replace with foldr --- lib/impl/modules/root.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/impl/modules/root.nix b/lib/impl/modules/root.nix index 84fb5ba..bd99050 100644 --- a/lib/impl/modules/root.nix +++ b/lib/impl/modules/root.nix @@ -4,7 +4,7 @@ pipelineSubmodule, ... }: let - inherit (lib) mkOption types; + inherit (lib) mkOption types foldr; in rec { configSubmodule = { options = { @@ -65,7 +65,7 @@ in rec { }; }; config = { - packages = lib.fold (pipeline: acc: acc // pipeline) {} ( + packages = foldr (pipeline: acc: acc // pipeline) {} ( map (pipeline: pipeline.packages) (builtins.attrValues config.pipelines) ); soonix = config.config.soonix.finalConfig; From 555ae3de29c5edfaf2b11e122d0309d1f201fe62 Mon Sep 17 00:00:00 2001 
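Review bot: The new assertion `'export EXAMPLE="/nix/store/.*-hello-.*"'` in tests/modules_test.nix hard-codes the store prefix, while the first patch in this series moved `filterJobVariables` to `builtins.storeDir`. With a non-default store directory the library would behave correctly and this test would fail. `assert_file_contains ${package} 'export EXAMPLE="${builtins.storeDir}/.*-hello-.*"'` keeps the two in step; the existing assertion in the hunk's leading context uses the same literal. The pattern also shows the deps script emitting values inside double quotes. Whether `mkJobDeps` escapes `"`, `$` and backticks in variable values is not visible here and is worth a test case.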
From: technofab Date: Fri, 5 Dec 2025 20:21:26 +0100 Subject: [PATCH 09/11] chore: update flakes --- flake.lock | 12 ++++++------ nix/repo/flake.lock | 30 +++++++++++++++--------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 7c47f5c..60df9c4 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1756542300, - "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", + "lastModified": 1764667669, + "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", + "rev": "418468ac9527e799809c900eda37cbff999199b6", "type": "github" }, "original": { @@ -37,11 +37,11 @@ }, "locked": { "dir": "lib", - "lastModified": 1756370106, - "narHash": "sha256-l84ojcHuQWBwn4BRxQsMMfQpcq/Az/sHh/hSqFgVtyg=", + "lastModified": 1758738378, + "narHash": "sha256-NjzqdvQCDDdObEBH8x/vdhbdhrIB+N9E570uCdksGHY=", "owner": "rensa-nix", "repo": "core", - "rev": "9c1a29fa9ba7cbbb78b9e47eb8afbcd29303a3b4", + "rev": "abe19f9f13aff41de2b63304545c87d193d19ef4", "type": "gitlab" }, "original": { diff --git a/nix/repo/flake.lock b/nix/repo/flake.lock index 0627f8b..e5029e0 100644 --- a/nix/repo/flake.lock +++ b/nix/repo/flake.lock @@ -3,11 +3,11 @@ "devshell-lib": { "locked": { "dir": "lib", - "lastModified": 1755673398, - "narHash": "sha256-51MmR+Eo1+bKDd/Ss77wwTqi4yAR2xgmyCSEbKWSpj0=", + "lastModified": 1758204313, + "narHash": "sha256-ainbY0Oajb1HMdvy+A8QxF/P5qwcbEzJGEY5pzKdDdc=", "owner": "rensa-nix", "repo": "devshell", - "rev": "e76bef387e8a4574f9b6d37b1a424e706491af08", + "rev": "7d0c4bc78d9f017a739b0c7eb2f4e563118353e6", "type": "gitlab" }, "original": { 
@@ -20,11 +20,11 @@ "nixmkdocs-lib": { "locked": { "dir": "lib", - "lastModified": 1757055638, - "narHash": "sha256-KHYSkEreFe4meXzSdEbknC/HwaQSNClQkc8vzHlAsMM=", + "lastModified": 1763481845, + "narHash": "sha256-Bp0+9rDmlPWMcnKqGx+BG4+o5KO8FuDAOvXRnXrm3Fo=", "owner": "TECHNOFAB", "repo": "nixmkdocs", - "rev": "7840a5febdbeaf2da90babf6c94b3d0929d2bf74", + "rev": "73d59093df94a894d25bc4bf71880b6f00faa62f", "type": "gitlab" }, "original": { @@ -37,11 +37,11 @@ "nixtest-lib": { "locked": { "dir": "lib", - "lastModified": 1756812148, - "narHash": "sha256-0g8KNk4zoLApA51PBHOWqPLRYpprjrQuSzNCjfBQgu8=", + "lastModified": 1759340550, + "narHash": "sha256-EH9heYb/nHHzCpUGQGqVQnuyVGQ7D6MVMgJmzNvvmJ8=", "owner": "TECHNOFAB", "repo": "nixtest", - "rev": "5741109cc9ec2b6d41b56abd3f5bc51ed7a9a228", + "rev": "5a7053afcbb211b9cf8fe87f7892bb9f6b76b678", "type": "gitlab" }, "original": { @@ -63,11 +63,11 @@ "soonix-lib": { "locked": { "dir": "lib", - "lastModified": 1756797658, - "narHash": "sha256-4rkyP4oaoqG/FFVL7W8U+8hGer4tOBPff/2SeN5tJYQ=", + "lastModified": 1763323017, + "narHash": "sha256-MJyg37d+VMfRoFiVUj16FW+zkEwQXbgK9LoFF/SHoxA=", "owner": "TECHNOFAB", "repo": "soonix", - "rev": "3baef660cf8b87391d475a0455dd66fae0e60008", + "rev": "078034b01e4eaf1f9436d46721f7cbe0d96eb8b4", "type": "gitlab" }, "original": { @@ -80,11 +80,11 @@ "treefmt-nix": { "flake": false, "locked": { - "lastModified": 1756662192, - "narHash": "sha256-F1oFfV51AE259I85av+MAia221XwMHCOtZCMcZLK2Jk=", + "lastModified": 1762938485, + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "1aabc6c05ccbcbf4a635fb7a90400e44282f61c4", + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", "type": "github" }, "original": { From 8f88a53b5479773cd626420362631bc1da99e677 Mon Sep 17 00:00:00 2001 
From: technofab Date: Thu, 11 Dec 2025 10:17:52 +0100 Subject: [PATCH 10/11] chore: bump version --- lib/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/VERSION b/lib/VERSION index 94ff29c..ef538c2 100644 --- a/lib/VERSION +++ b/lib/VERSION @@ -1 +1 @@ -3.1.1 +3.1.2 From 139912d9c6147f6309c253126c44e8a5fb02292f Mon Sep 17 00:00:00 2001 From: asimon Date: Tue, 16 Dec 2025 19:12:06 +0100 Subject: [PATCH 11/11] docs: fix Soonix URL in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1570632..c5e6b92 100644 --- a/README.md +++ b/README.md @@ -108,4 +108,4 @@ There is also `.#gitlab-ci:pipeline::job-deps:` which gener Some parts of this implementation are adapted/inspired from https://gitlab.com/Cynerd/gitlab-ci-nix -[docs-soonix]: https://nix-gitlab-ci.projects,tf/soonix "Soonix Integration" +[docs-soonix]: https://nix-gitlab-ci.projects.tf/soonix "Soonix Integration"