[testing] Replace script-based tool installation with nix #3691
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maru-ava
added
testing
maru-ava
force-pushed
the
nix
branch
7 times, most recently
from
b22db15 to
827d7ea
Compare
StephenButtolph
approved these changes
Feb 3, 2025
Previously, binary tools like promtail and prometheus (enabling log and metrics collection) and kube and kind (enabling local kube clusters) were installed using bash scripts. A script-based approach, while simple, requires tedious and error-prone copying and committing to other repos (e.g. subnet-evm and hypersdk) that need the same functionality. Possible to rewrite the scripts to golang which allows usage via `go run` or `go install`. Simple enough if the versions never change, but still requires retrieving binaries, verifying their hashes for security, and potentially dealing with tar archives. Still more complicated if it becomes necessary to ensure the desired version is the one in the path. Switching to [nix](https://nixos.org/), on the other hand, is an established way of solving the problem that doesn't involve maintaining code. Installing nix is a one-time operation not too different from homebrew, except that the result has more guarantees of reproducibility across linux and macos.
yacovm
reviewed
Feb 17, 2025
| @@ -51,6 +51,11 @@ jobs: | |||
| steps: | |||
| - uses: actions/checkout@v4 | |||
| - uses: ./.github/actions/setup-go-for-project | |||
| - uses: cachix/install-nix-action@v30 | |||
| with: | |||
There was a problem hiding this comment.
why is this github token is needed while it was not needed in the previous version of this file?
There was a problem hiding this comment.
The previous version of this file was not installing tools with nix. Provision of a github token is common in github actions where things will be downloaded, and avoids the possibility of being rate-limited that is common to anonymous usage of a given installation action.
There was a problem hiding this comment.
I guess this is what I should have led with: https://github.com/cachix/install-nix-action?tab=readme-ov-file#inputs-specify-using-with
tl;dr specifying a github token allows the cachix action to download from github without fear of being rate-limited.
yacovm
approved these changes
Feb 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why this should be merged
Previously, binary tools like promtail and prometheus (enabling log and metrics collection) and kube and kind (enabling local kube clusters) were installed using bash scripts. A script-based approach, while simple, requires tedious and error-prone copying and committing to other repos (e.g. subnet-evm and hypersdk) that needed the same functionality.
Possible to rewrite the scripts to golang which allows usage via
go runorgo install. Simple enough if the versions never change, but still requires retrieving binaries, verifying their hashes for security, potentially dealing with tar archives. Still more complication if it becomes necessary to ensure the desired version is the one in the path.Switching to nix, on the other hand, is an established way of solving the problem that doesn't involve maintaining code. Installing nix is a one-time operation not too different from homebrew, except that the result has more guarantees of reproducibility across linux and macos.
How this works
How this was tested
CI, manually for direnv usage
Need to be documented in RELEASES.md?
N/A