Re-implement Nix CI workflow on GitHub instead of CircleCI

.circleci/config.yml

@@ -92,16 +92,6 @@ workflows:
       - "oraclelinux-8":
           {}
 
-      - "nixos":
-          name: "<<matrix.pythonVersion>>"
-          nixpkgs: "nixpkgs-unstable"
-          matrix:
-            parameters:
-              pythonVersion:
-                - "python39"
-                - "python310"
-                - "python311"
-
       # Eventually, test against PyPy 3.8
       #- "pypy27-buster":
       #    {}
@@ -574,40 +564,6 @@ jobs:
         image: "tahoelafsci/fedora:35-py3"
         user: "nobody"
 
-  nixos:
-    parameters:
-      nixpkgs:
-        description: >-
-          Reference the name of a flake-managed nixpkgs input (see `nix flake
-          metadata` and flake.nix)
-        type: "string"
-      pythonVersion:
-        description: >-
-          Reference the name of a Python package in nixpkgs to use.
-        type: "string"
-
-    executor: "nix"
-
-    steps:
-      - "nix-build":
-          nixpkgs: "<<parameters.nixpkgs>>"
-          pythonVersion: "<<parameters.pythonVersion>>"
-          buildSteps:
-            - "run":
-                name: "Unit Test"
-                command: |
-                  source .circleci/lib.sh
-
-                  # Translate the nixpkgs selection into a flake reference we
-                  # can use to override the default nixpkgs input.
-                  NIXPKGS=$(nixpkgs_flake_reference <<parameters.nixpkgs>>)
-
-                  cache_if_able nix run \
-                    --override-input nixpkgs "$NIXPKGS" \
-                    .#<<parameters.pythonVersion>>-unittest -- \
-                    --jobs $UNITTEST_CORES \
-                    allmydata
-
   typechecks:
     docker:
       - <<: *DOCKERHUB_AUTH
@@ -737,74 +693,3 @@ executors:
       shell: "powershell.exe -ExecutionPolicy Bypass"
     resource_class: "windows.large"
 
-  nix:
-    docker:
-      # Run in a highly Nix-capable environment.
-      - <<: *DOCKERHUB_AUTH
-        image: "nixos/nix:2.16.1"
-    environment:
-      # CACHIX_AUTH_TOKEN is manually set in the CircleCI web UI and allows us
-      # to push to CACHIX_NAME.  CACHIX_NAME tells cachix which cache to push
-      # to.
-      CACHIX_NAME: "tahoe-lafs-opensource"
-      # Let us use features marked "experimental".  For example, most/all of
-      # the `nix <subcommand>` forms.
-      NIX_CONFIG: "experimental-features = nix-command flakes"
-
-commands:
-  nix-build:
-    parameters:
-      nixpkgs:
-        description: >-
-          Reference the name of a flake-managed nixpkgs input (see `nix flake
-          metadata` and flake.nix)
-        type: "string"
-      pythonVersion:
-        description: >-
-          Reference the name of a Python package in nixpkgs to use.
-        type: "string"
-      buildSteps:
-        description: >-
-          The build steps to execute after setting up the build environment.
-        type: "steps"
-
-    steps:
-      - "run":
-          # Get cachix for Nix-friendly caching.
-          name: "Install Basic Dependencies"
-          command: |
-            # Get some build environment dependencies and let them float on a
-            # certain release branch.  These aren't involved in the actual
-            # package build (only in CI environment setup) so the fact that
-            # they float shouldn't hurt reproducibility.
-            NIXPKGS="nixpkgs/nixos-23.05"
-            nix profile install $NIXPKGS#cachix $NIXPKGS#bash $NIXPKGS#jp
-
-            # Activate our cachix cache for "binary substitution".  This sets
-            # up configuration tht lets Nix download something from the cache
-            # instead of building it locally, if possible.
-            cachix use "${CACHIX_NAME}"
-
-      - "checkout"
-
-      - "run":
-          # The Nix package doesn't know how to do this part, unfortunately.
-          name: "Generate version"
-          command: |
-            nix-shell \
-              -p 'python3.withPackages (ps: [ ps.setuptools ])' \
-              --run 'python setup.py update_version'
-
-      - "run":
-          name: "Build Package"
-          command: |
-            source .circleci/lib.sh
-            NIXPKGS=$(nixpkgs_flake_reference <<parameters.nixpkgs>>)
-            cache_if_able nix build \
-              --verbose \
-              --print-build-logs \
-              --cores "$DEPENDENCY_CORES" \
-              --override-input nixpkgs "$NIXPKGS" \
-              .#<<parameters.pythonVersion>>-tahoe-lafs
-
-      - steps: "<<parameters.buildSteps>>"

.github/workflows/nix.yml

@@ -0,0 +1,87 @@
+name: Nix
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/nix.yml'
+      - 'flake.*'
+      - 'setup.cfg'
+      - '*.nix'
+      - '*.py'
+      - '*.ini'
+  pull_request:
+    paths:
+      - '.github/workflows/nix.yml'
+      - 'flake.*'
+      - 'setup.cfg'
+      - '*.nix'
+      - '*.py'
+      - '*.ini'
+
+jobs:
+  packaging:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - 312
+        nixpkgs:
+          - nixos-24_11
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Install nix
+        id: install_nix
+        uses: nixbuild/nix-quick-install-action@v28
+
+      - name: Restore and cache Nix store for nixpkgs-${{ matrix.nixpkgs }}
+        uses: nix-community/cache-nix-action@v5
+        with:
+          # restore and save a cache using this key
+          primary-key: python${{ matrix.python-version }}-nixpkgs-${{ matrix.nixpkgs }}-${{ hashFiles('flake.*', '*.nix') }}
+          # if there's no cache hit, restore a cache by this prefix
+          restore-prefixes-first-match: nixpkgs-${{ matrix.nixpkgs }}-
+          # collect garbage until Nix store size (in bytes) is at most this number
+          # before trying to save a new cache
+          gc-max-store-size-linux: 1073741824
+          # do purge caches
+          purge: true
+          # purge all versions of the cache
+          purge-prefixes: python${{ matrix.python-version }}-nixpkgs-${{ matrix.nixpkgs }}-
+          # created more than 0 seconds ago relative to the start of the `Post Restore` phase
+          purge-created: 0
+          # except the version with the `primary-key`, if it exists
+          purge-primary-key: never
+
+      - name: Build package
+        env:
+          # CircleCI build environment looks like it has a zillion and a half cores.
+          # Don't let Nix autodetect this high core count because it blows up memory
+          # usage and fails the test run.  Pick a number of cores that suits the build
+          # environment we're paying for (the free one!).
+          DEPENDENCY_CORES: 3
+        run: |
+          nix build \
+            --verbose \
+            --print-build-logs \
+            --cores "$DEPENDENCY_CORES" \
+            .#python${{ matrix.python-version }}-tahoe-lafs
+
+      - name: Unit test
+        env:
+          # Once dependencies are built, we can allow some more concurrency for our own
+          # test suite.
+          UNITTEST_CORES: 8
+        run: |
+          nix run \
+            .#python${{ matrix.python-version }}-unittest -- \
+            --jobs $UNITTEST_CORES \
+            allmydata

flake.nix

@@ -1,14 +1,6 @@
 {
   description = "Tahoe-LAFS, free and open decentralized data store";
 
-  nixConfig = {
-    # Supply configuration for the build cache updated by our CI system.  This
-    # should allow most users to avoid having to build a large number of
-    # packages (otherwise necessary due to our Python package overrides).
-    substituters = ["https://tahoe-lafs-opensource.cachix.org"];
-    trusted-public-keys = ["tahoe-lafs-opensource.cachix.org-1:eIKCHOPJYceJ2gb74l6e0mayuSdXqiavxYeAio0LFGo="];
-  };
-
   inputs = {
     # A couple possible nixpkgs pins.  Ideally these could be selected easily
     # from the command line but there seems to be no syntax/support for that.
@@ -20,25 +12,12 @@
     # requirements.  We could decide in the future that supporting multiple
     # releases of NixOS at a time is worthwhile and then pins like these will
     # help us test each of those releases.
-    "nixpkgs-22_11" = {
-      url = github:NixOS/nixpkgs?ref=nixos-22.11;
-    };
-    "nixpkgs-23_05" = {
-      url = github:NixOS/nixpkgs?ref=nixos-23.05;
-    };
-
-    # We depend on a very new python-cryptography which is not yet available
-    # from any release branch of nixpkgs.  However, it is contained in a PR
-    # currently up for review.  Point our nixpkgs at that for now.
-    "nixpkgs-unstable" = {
-      url = github:NixOS/nixpkgs?ref=pull/244135/head;
+    "nixpkgs-24_11" = {
+      url = github:NixOS/nixpkgs?ref=nixos-24.11;
     };
 
-    # Point the default nixpkgs at one of those.  This avoids having getting a
-    # _third_ package set involved and gives a way to provide what should be a
-    # working experience by default (that is, if nixpkgs doesn't get
-    # overridden).
-    nixpkgs.follows = "nixpkgs-unstable";
+    # Point the default nixpkgs at one of those.
+    nixpkgs.follows = "nixpkgs-24_11";
 
     # Also get flake-utils for simplified multi-system definitions.
     flake-utils = {