use engage for gitlab CI

from https://gitlab.com/famedly/conduit/-/merge_requests/564

Signed-off-by: strawberry <strawberry@puppygock.gay>

.gitignore

@@ -70,4 +70,7 @@ cached_target
 /.direnv
 
 test-conduit/
-test-conduit.toml
+test-conduit.toml
+
+# Gitlab CI cache
+/.gitlab-ci.d

.gitlab-ci.yml

@@ -1,242 +1,67 @@
 stages:
-  - build
-  - build docker image
-  - test
-  - upload artifacts
+  - ci
+  - artifacts
 
 variables:
-  # Make GitLab CI go fast:
-  GIT_SUBMODULE_STRATEGY: recursive
-  FF_USE_FASTZIP: 1
-  CACHE_COMPRESSION_LEVEL: fastest
+  # Makes some things print in color
+  TERM: ansi
 
-# --------------------------------------------------------------------- #
-#  Create and publish docker image                                      #
-# --------------------------------------------------------------------- #
+before_script:
+  # Enable nix-command and flakes
+  - if command -v nix > /dev/null; then echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi
 
-.docker-shared-settings:
-  stage: "build docker image"
-  needs: []
-  tags: [ "docker" ]
-  variables:
-    # Docker in Docker:
-    DOCKER_BUILDKIT: 1
-  image:
-    name: docker.io/docker
-  services:
-    - name: docker.io/docker:dind
-      alias: docker
+  # Add nix-community binary cache
+  - if command -v nix > /dev/null; then echo "extra-substituters = https://nix-community.cachix.org" >> /etc/nix/nix.conf; fi
+  - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> /etc/nix/nix.conf; fi
+
+  # Install direnv and nix-direnv
+  - if command -v nix > /dev/null; then nix-env -iA nixpkgs.direnv nixpkgs.nix-direnv; fi
+
+  # Allow .envrc
+  - if command -v nix > /dev/null; then direnv allow; fi
+
+  # Set CARGO_HOME to a cacheable path
+  - export CARGO_HOME="$(git rev-parse --show-toplevel)/.gitlab-ci.d/cargo"
+
+ci:
+  stage: ci
+  image: nixos/nix:2.19.2
   script:
-    - apk add openssh-client
-    - eval $(ssh-agent -s)
-    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
-    - printf "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config
-    - sh .gitlab/setup-buildx-remote-builders.sh
-    # Authorize against this project's own image registry:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
-    # Build multiplatform image and push to temporary tag:
-    - >
-      docker buildx build 
-      --platform "linux/arm/v7,linux/arm64,linux/amd64"
-      --pull
-      --tag "$CI_REGISTRY_IMAGE/temporary-ci-images:$CI_JOB_ID"
-      --push
-      --provenance=false
-      --file "Dockerfile" .
-    # Build multiplatform image to deb stage and extract their .deb files:
-    - >
-      docker buildx build 
-      --platform "linux/arm/v7,linux/arm64,linux/amd64"
-      --target "packager-result"
-      --output="type=local,dest=/tmp/build-output"
-      --provenance=false
-      --file "Dockerfile" .
-    # Build multiplatform image to binary stage and extract their binaries:
-    - >
-      docker buildx build 
-      --platform "linux/arm/v7,linux/arm64,linux/amd64"
-      --target "builder-result"
-      --output="type=local,dest=/tmp/build-output"
-      --provenance=false
-      --file "Dockerfile" .
-    # Copy to GitLab container registry:
-    - >
-      docker buildx imagetools create
-      --tag "$CI_REGISTRY_IMAGE/$TAG"
-      --tag "$CI_REGISTRY_IMAGE/$TAG-bullseye"
-      --tag "$CI_REGISTRY_IMAGE/$TAG-commit-$CI_COMMIT_SHORT_SHA"
-      "$CI_REGISTRY_IMAGE/temporary-ci-images:$CI_JOB_ID"
-    # if DockerHub credentials exist, also copy to dockerhub:
-    - if [ -n "${DOCKER_HUB}" ]; then docker login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" "$DOCKER_HUB"; fi
-    - >
-      if [ -n "${DOCKER_HUB}" ]; then 
-      docker buildx imagetools create
-      --tag "$DOCKER_HUB_IMAGE/$TAG"
-      --tag "$DOCKER_HUB_IMAGE/$TAG-bullseye"
-      --tag "$DOCKER_HUB_IMAGE/$TAG-commit-$CI_COMMIT_SHORT_SHA"
-      "$CI_REGISTRY_IMAGE/temporary-ci-images:$CI_JOB_ID"
-      ; fi
-    - mv /tmp/build-output ./
+    - direnv exec . engage
+  cache:
+    key: nix
+    paths:
+      - target
+      - .gitlab-ci.d
+
+docker:
+  stage: artifacts
+  image: nixos/nix:2.19.2
+  script:
+    - nix build .#oci-image
+
+    # Make the output less difficult to find
+    - cp result docker-image.tar.gz
   artifacts:
     paths:
-      - "./build-output/" 
+      - docker-image.tar.gz
 
-docker:next:
-  extends: .docker-shared-settings
-  rules:
-    - if: '$BUILD_SERVER_SSH_PRIVATE_KEY && $CI_COMMIT_BRANCH == "next"'
-  variables:
-    TAG: "matrix-conduit:next"
-
-docker:master:
-  extends: .docker-shared-settings
-  rules:
-    - if: '$BUILD_SERVER_SSH_PRIVATE_KEY && $CI_COMMIT_BRANCH == "master"'
-  variables:
-    TAG: "matrix-conduit:latest"
-
-docker:tags:
-  extends: .docker-shared-settings
-  rules:
-    - if: "$BUILD_SERVER_SSH_PRIVATE_KEY && $CI_COMMIT_TAG"
-  variables:
-    TAG: "matrix-conduit:$CI_COMMIT_TAG"
-
-
-docker build debugging:
-  extends: .docker-shared-settings
-  rules:
-    - if: "$CI_MERGE_REQUEST_TITLE =~ /.*[Dd]ocker.*/"
-  variables:
-    TAG: "matrix-conduit-docker-tests:latest"
-
-# --------------------------------------------------------------------- #
-#  Run tests                                                            #
-# --------------------------------------------------------------------- #
-
-cargo check:
-  stage: test
-  image: docker.io/rust:1.75.0-bullseye
-  needs: []
-  interruptible: true
-  before_script:
-    - "rustup show && rustc --version && cargo --version" # Print version info for debugging
-    - apt-get update && apt-get -y --no-install-recommends install libclang-dev # dependency for rocksdb
+debian:
+  stage: artifacts
+  image: rust:1.75.0
   script:
-    - cargo check
+    - apt-get update && apt-get install -y --no-install-recommends libclang-dev
+    - cargo install cargo-deb
+    - cargo deb
 
-
-.test-shared-settings:
-  stage: "test"
-  needs: []
-  image: "registry.gitlab.com/jfowl/conduit-containers/rust-with-tools:latest"
-  tags: ["docker"]
-  variables:
-    CARGO_INCREMENTAL: "false" # https://matklad.github.io/2021/09/04/fast-rust-builds.html#ci-workflow
-  interruptible: true
-
-test:cargo:
-  extends: .test-shared-settings
-  before_script:
-    - apt-get update && apt-get -y --no-install-recommends install libclang-dev # dependency for rocksdb
-  script:
-    - rustc --version && cargo --version # Print version info for debugging
-    - "cargo test --color always --workspace --verbose --locked --no-fail-fast"
-
-test:clippy:
-  extends: .test-shared-settings
-  before_script:
-    - rustup component add clippy
-    - apt-get update && apt-get -y --no-install-recommends install libclang-dev # dependency for rocksdb
-  script:
-    - rustc --version && cargo --version # Print version info for debugging
-    - "cargo clippy --color always --verbose --message-format=json | gitlab-report -p clippy > $CI_PROJECT_DIR/gl-code-quality-report.json"
+    # Make the output less difficult to find
+    - mv target/debian/*.deb .
   artifacts:
-    when: always
-    reports:
-      codequality: gl-code-quality-report.json
-
-test:format:
-  extends: .test-shared-settings
-  before_script:
-    - rustup component add rustfmt
-  script:
-    - cargo fmt --all -- --check
-
-test:audit:
-  extends: .test-shared-settings
-  script:
-    - cargo audit --color always || true
-    - cargo audit --stale --json | gitlab-report -p audit > gl-sast-report.json
-  artifacts:
-    when: always
-    reports:
-      sast: gl-sast-report.json
-
-test:dockerlint:
-  stage: "test"
-  needs: []
-  image: "ghcr.io/hadolint/hadolint@sha256:6c4b7c23f96339489dd35f21a711996d7ce63047467a9a562287748a03ad5242" # 2.8.0-alpine
-  interruptible: true
-  script:
-    - hadolint --version
-    # First pass: Print for CI log:
-    - >
-      hadolint
-      --no-fail --verbose
-      ./Dockerfile
-    # Then output the results into a json for GitLab to pretty-print this in the MR:
-    - >
-      hadolint
-      --format gitlab_codeclimate
-      --failure-threshold error
-      ./Dockerfile > dockerlint.json
-  artifacts:
-    when: always
-    reports:
-      codequality: dockerlint.json
     paths:
-      - dockerlint.json
-  rules:
-    - if: '$CI_COMMIT_REF_NAME != "master"'
-      changes:
-        - docker/*Dockerfile
-        - Dockerfile
-        - .gitlab-ci.yml
-    - if: '$CI_COMMIT_REF_NAME == "master"'
-    - if: '$CI_COMMIT_REF_NAME == "next"'
+      - "*.deb"
+  cache:
+    key: debian
+    paths:
+      - target
+      - .gitlab-ci.d
 
-# --------------------------------------------------------------------- #
-#  Store binaries as package so they have download urls                 #
-# --------------------------------------------------------------------- #
-
-# DISABLED FOR NOW, NEEDS TO BE FIXED AT A LATER TIME:
-
-#publish:package:
-#  stage: "upload artifacts"
-#  needs:
-#    - "docker:tags"
-#  rules:
-#    - if: "$CI_COMMIT_TAG"
-#  image: curlimages/curl:latest
-#  tags: ["docker"]
-#  variables:
-#    GIT_STRATEGY: "none" # Don't need a clean copy of the code, we just operate on artifacts
-#  script:
-#    - 'BASE_URL="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/conduit-${CI_COMMIT_REF_SLUG}/build-${CI_PIPELINE_ID}"'
-#    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file build-output/linux_amd64/conduit "${BASE_URL}/conduit-x86_64-unknown-linux-gnu"'
-#    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file build-output/linux_arm_v7/conduit "${BASE_URL}/conduit-armv7-unknown-linux-gnu"'
-#    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file build-output/linux_arm64/conduit "${BASE_URL}/conduit-aarch64-unknown-linux-gnu"'
-#    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file build-output/linux_amd64/conduit.deb "${BASE_URL}/conduit-x86_64-unknown-linux-gnu.deb"'
-#    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file build-output/linux_arm_v7/conduit.deb "${BASE_URL}/conduit-armv7-unknown-linux-gnu.deb"'
-#    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file build-output/linux_arm64/conduit.deb "${BASE_URL}/conduit-aarch64-unknown-linux-gnu.deb"'
-
-# Avoid duplicate pipelines
-# See: https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines
-workflow:
-  rules:
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
-      when: never
-    - if: "$CI_COMMIT_BRANCH"
-    - if: "$CI_COMMIT_TAG"

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704819371,
-        "narHash": "sha256-oFUfPWrWGQTZaCM3byxwYwrMLwshDxVGOrMH5cVP/X8=",
+        "lastModified": 1705625727,
+        "narHash": "sha256-naMq6+TNLpEiBBjc0XaCbMLYJxJXWTZz4JGSpYGgIOM=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "5c234301a1277e4cc759c23a2a7a00a06ddd7111",
+        "rev": "8f515142e805dc377cf8edb0ff75d14a11307f89",
         "type": "github"
       },
       "original": {
@@ -28,11 +28,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1705126891,
-        "narHash": "sha256-RnCWzRghSpyxKs3kXgYPkZv6TvzV3Pmve1je6RQHe1o=",
+        "lastModified": 1705731714,
+        "narHash": "sha256-aMeN/ASG4n7RIIPLiy+txoMdDTvIcaRDX6acbeeRtEU=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "89a02ff13d98d54f0b3b41f9b8326eb26d7cdc2e",
+        "rev": "712f25ec7e1f5839d486b246a5afa5e31f5df6ff",
         "type": "github"
       },
       "original": {
@@ -46,11 +46,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1701680307,
-        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "lastModified": 1705309234,
+        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
         "type": "github"
       },
       "original": {
@@ -59,13 +59,28 @@
         "type": "github"
       }
     },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1705332318,
+        "narHash": "sha256-kcw1yFeJe9N4PjQji9ZeX47jg0p9A0DuU4djKvg1a7I=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "3449dc925982ad46246cfc36469baf66e1b64f17",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1704722960,
-        "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
+        "lastModified": 1705677747,
+        "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
+        "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261",
         "type": "github"
       },
       "original": {
@@ -80,17 +95,18 @@
         "crane": "crane",
         "fenix": "fenix",
         "flake-utils": "flake-utils",
+        "nix-filter": "nix-filter",
         "nixpkgs": "nixpkgs"
       }
     },
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1704974004,
-        "narHash": "sha256-H3RdtMxH8moTInVmracgtF8bgFpaEE3zYoSkuv7PBs0=",
+        "lastModified": 1705697225,
+        "narHash": "sha256-eLMwix3LPsgqnbdLMWivBCSBrWnaAA50JtMNnInTopg=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "9d8889cdfcc3aa0302353fc988ed21ff9bc9925c",
+        "rev": "67cfbf231c1e2ba3129529de950d1c4ca7921404",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,6 +2,7 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
+    nix-filter.url = "github:numtide/nix-filter";
 
     fenix = {
       url = "github:nix-community/fenix";
@@ -18,6 +19,7 @@
     { self
     , nixpkgs
     , flake-utils
+    , nix-filter
 
     , fenix
     , crane