Build against Determinate Secure Packages

[edolstra]

Motivation

The top-level flake still builds against upstream Nixpkgs. But packaging/secure-packages/flake.nix overrides that to use DSP.

Context

Summary by CodeRabbit

• Chores

  • Flexible build workflow: configurable flake target and optional artifact upload gating
  • New conditional build job for extra x86_64 verification that reuses the build workflow and skips publishing artifacts
  • Added packaging flake to support the configurable flake target

• Tests

  • Adjusted test helper invocation for broader compatibility across environments

• Documentation

  • Corrected anchors, excluded additional broken fragments, and updated daemon reference links

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds configurable flake and upload_artifacts inputs to the shared build workflow, updates all build/test targets to use the chosen flake, introduces packaging/secure-packages/flake.nix, integrates a new CI merge_group job that disables artifact upload, and includes a small test helper and docs fixes.

Changes

Build Workflow Parameterization

Layer / File(s)	Summary
Secure-packages flake foundation packaging/secure-packages/flake.nix	New flake with inputs from repository root and pinned nixpkgs, outputs passthrough to nix input.
Build workflow inputs and target updates .github/workflows/build.yml	Added flake (default ./packaging/secure-packages) and upload_artifacts (default true) workflow inputs. Updated main build, debug, static build, nix flake check, VM smoke/all derivation selection, flake regression, and manual build steps to use ${{ inputs.flake }}#.... Artifact upload is conditional on inputs.upload_artifacts.
CI integration .github/workflows/ci.yml	Added build_x86_64-linux_no_dsp job for merge_group events using the parameterized build workflow with upload_artifacts: false. Updated fallbackPathsNix build to reference ./packaging/secure-packages#fallbackPathsNix.

Test Harness and Docs

Layer / File(s)	Summary
Script argument ordering tests/functional/json.sh	Reordered script invocation to pass -c with the escaped command before /dev/null for util-linux compatibility.
Manual and release-note anchors doc/manual/package.nix, doc/manual/source/release-notes/rl-2.34.md, src/libstore/include/nix/store/local-store.hh, src/nix/unix/store-roots-daemon.md	Extended Lychee exclude list for print.html fragments and updated use-roots-daemon/state-dir anchors and a systemd socket link to target the local-store/nix3-daemon docs.

Sequence Diagram

sequenceDiagram
  participant GitHubActions as GitHubActions
  participant BuildWF as .github/workflows/build.yml
  participant SecureFlake as packaging/secure-packages/flake.nix
  GitHubActions->>BuildWF: workflow_call(inputs.flake, inputs.upload_artifacts)
  BuildWF->>SecureFlake: nix build / nix flake check using inputs.flake#target
  BuildWF->>GitHubActions: upload artifacts (if inputs.upload_artifacts)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• cole-h

"A rabbit hops through flakes and flows,
I tweak the paths where the CI goes,
Artifacts gated, targets unfurled,
A tiny flake to steady the world,
Hooray for builds that softly glow!" 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change: adding support to build against Determinate Secure Packages via a new flake configuration and CI workflow updates.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch secure-packages

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 Deployed on https://6a1807ef0ca4f71b39e7af6b--determinate-nix.netlify.app

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

99-117: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add build_x86_64-linux_no_dsp to the success job's needs list.

The build_x86_64-linux_no_dsp job is excluded from the success job's needs array, even though it runs on merge_group events and performs comprehensive testing (including VM and regression tests). If this job fails during a merge, the overall success status won't reflect that failure. All other build jobs are included in the needs list—this one should be too.

  success:
    runs-on: ubuntu-latest
    needs:
      - eval
      - build_x86_64-linux
      - build_x86_64-linux_no_dsp
      - build_aarch64-linux
      - build_aarch64-darwin

GitHub Actions handles conditionally-skipped jobs gracefully: when build_x86_64-linux_no_dsp is skipped on non-merge_group events, it won't block the success job.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 99 - 117, Update the "success" job's
needs array to include the missing job name build_x86_64-linux_no_dsp so the job
depends on it like the other build jobs; specifically modify the needs list
inside the success job (the block labeled success and its needs key) to add -
build_x86_64-linux_no_dsp alongside eval, build_x86_64-linux,
build_aarch64-linux, and build_aarch64-darwin so failures in
build_x86_64-linux_no_dsp are considered by the success job.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 99-117: Update the "success" job's needs array to include the
missing job name build_x86_64-linux_no_dsp so the job depends on it like the
other build jobs; specifically modify the needs list inside the success job (the
block labeled success and its needs key) to add - build_x86_64-linux_no_dsp
alongside eval, build_x86_64-linux, build_aarch64-linux, and
build_aarch64-darwin so failures in build_x86_64-linux_no_dsp are considered by
the success job.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc869b6f-8797-42a0-91e3-ae8e1ab00e92

📥 Commits

Reviewing files that changed from the base of the PR and between dcda71e and 69f1872.

⛔ Files ignored due to path filters (1)

• packaging/secure-packages/flake.lock is excluded by !**/*.lock

📒 Files selected for processing (4)

• .github/workflows/build.yml
• .github/workflows/ci.yml
• packaging/secure-packages/flake.nix
• tests/functional/json.sh

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/build.yml (1)

135-140: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enumerate test derivations from the selected flake, not implicit ..

nix flake show --json (Line 135) currently inspects the checkout root flake, while Line 140 builds from ${{ inputs.flake }}. If those differ, the key set can drift and cause incorrect/missing builds.

Proposed fix

-              $(nix flake show --json \
+              $(nix flake show --json "${{ inputs.flake }}" \

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 135 - 140, The pipeline that
enumerates test derivations calls `nix flake show --json` without an explicit
flake, which inspects the checkout root instead of the selected flake; change
the command to target the provided flake by invoking `nix flake show --json "${{
inputs.flake }}"` (preserve the existing jq pipeline that selects
`.hydraJobs.tests` and the string prefix `"${{ inputs.flake
}}`#hydraJobs.tests`."`) so the key set is derived from the same flake that is
later built.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Line 67: Replace the incorrect repository-root flake target in the Nix build
step: in the run command that builds "packages.${{ inputs.system }}.default
.#packages.${{ inputs.system }}.binaryTarball --no-link -L", change the second
target from ".#packages.${{ inputs.system }}.binaryTarball" to "${{ inputs.flake
}}`#packages`.${{ inputs.system }}.binaryTarball" so both targets consistently
reference the selected input flake.
- Around line 4-7: The workflow treats inputs.flake as an unvalidated free-form
string and mixes root `.` and `${{ inputs.flake }}` in nix commands; fix by (1)
constraining/sanitizing and always quoting `${{ inputs.flake }}` before use
(e.g., validate it matches an allowlist or a safe regex such as starting with
./, github:, or a known flake URI) and fail early if validation fails, (2)
replace any occurrences of the root `.` mixed with a flake expression so all
`nix build`/`nix flake` invocations consistently use the `${{ inputs.flake }}`
interpolation (fix the mixed `${{ inputs.flake }}#...default` vs
`.#...binaryTarball` usage), and (3) ensure `nix flake show` in the vm_tests_all
flow is invoked with `${{ inputs.flake }}` so enumeration matches the subsequent
build targets; update the run steps that call `nix build`/`nix flake`/`nix flake
show` to use the quoted, validated `${{ inputs.flake }}` variable.

---

Outside diff comments:
In @.github/workflows/build.yml:
- Around line 135-140: The pipeline that enumerates test derivations calls `nix
flake show --json` without an explicit flake, which inspects the checkout root
instead of the selected flake; change the command to target the provided flake
by invoking `nix flake show --json "${{ inputs.flake }}"` (preserve the existing
jq pipeline that selects `.hydraJobs.tests` and the string prefix `"${{
inputs.flake }}`#hydraJobs.tests`."`) so the key set is derived from the same
flake that is later built.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3c25661f-10c9-4d3b-a291-2ec3127416fb

📥 Commits

Reviewing files that changed from the base of the PR and between f6ca308 and e54a1ac.

⛔ Files ignored due to path filters (1)

• packaging/secure-packages/flake.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

• .github/workflows/build.yml
• .github/workflows/ci.yml
• doc/manual/package.nix
• doc/manual/source/release-notes/rl-2.34.md
• packaging/secure-packages/flake.nix
• src/libstore/include/nix/store/local-store.hh
• src/nix/unix/store-roots-daemon.md
• tests/functional/json.sh

✅ Files skipped from review due to trivial changes (3)

• doc/manual/source/release-notes/rl-2.34.md
• src/nix/unix/store-roots-daemon.md
• packaging/secure-packages/flake.nix

🚧 Files skipped from review as they are similar to previous changes (3)

• src/libstore/include/nix/store/local-store.hh
• .github/workflows/ci.yml
• doc/manual/package.nix