Use nixbuild.net as a remote nix builder on CI (#81)

GitHub Actions Runners only have 7GB of memory which is proving to be too small to built ic-hs. So instead of building nix derivations on a runner locally we configure the runner to build derivations remotely on nixbuild.net.

The above requires access to a private SSH key, which is used to authenticate with nixbuild.net. This key is not accessible on PRs originating from forks because that would allow leaking the key. For those PRs we don't configure nixbuild.net as a remote builder and build locally instead.

Author: basvandijk

.github/workflows/release.yml

@@ -11,16 +11,40 @@ jobs:
       matrix:
         os:
         - ubuntu-latest
-        - macos-latest
-        # TODO: - windows-latest
+
+        # TODO: nixbuild.net currently does not have x86_64-darwin nor aarch64-darwin support but they're working on it:
+        #
+        # | I do have another question: do you support x86_64-darwin builds and
+        # | ideally aarch64-darwin as well (I just got a new M1 MacBook)?
+        #
+        # Our long-term goal is to support x86_64-darwin and aarch64-darwin, but
+        # we don't do it today. The reason is that we really like all builds to
+        # run inside our virtualized sandbox (with our own virtual file system),
+        # since it gives us full control and also lots of insights about the
+        # builds. We have not yet ported this sandbox to MacOS, but it is
+        # definitely something we want to do.
+        #
+        # We actually _have_ aarch64-darwin machines in our build cluster,
+        # running build sandboxes for aarch64-linux. We use a mix of Hetzner
+        # instances (https://www.hetzner.com/dedicated-rootserver/mac-mini-m1)
+        # and self-hosted M1 machines for this. The aarch64-linux support is EA
+        # in nixbuild.net, so we are still experimenting a bit.
+        #
+        # - macos-latest
       fail-fast: false
     runs-on: ${{ matrix.os }}
+    env:
+      SSH_KEY_FOR_NIXBUILD: secrets.SSH_KEY_FOR_NIXBUILD
     steps:
     - uses: actions/checkout@v2
-    - uses: cachix/install-nix-action@v16
+    - uses: nixbuild/nix-quick-install-action@v13
+      with:
+        nix_conf: experimental-features = nix-command
+    - name: Configure Nix to use nixbuild.net as a remote builder
+      if: env.SSH_KEY_FOR_NIXBUILD != ''
+      uses: nixbuild/nixbuild-action@v10
       with:
-        extra_nix_config: |
-          experimental-features = nix-command
+        nixbuild_ssh_key: ${{ secrets.SSH_KEY_FOR_NIXBUILD }}
     - run: nix-env -iA nix-build-uncached -f nix/
     - uses: cachix/cachix-action@v10
       with:
@@ -55,7 +79,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - uses: actions/checkout@v2
-    - uses: cachix/install-nix-action@v16
+    - uses: nixbuild/nix-quick-install-action@v13
+    - uses: nixbuild/nixbuild-action@v10
+      with:
+        nixbuild_ssh_key: ${{ secrets.SSH_KEY_FOR_NIXBUILD }}
     - uses: cachix/cachix-action@v10
       with:
         name: ic-hs-test

README.md

@@ -190,6 +190,14 @@ It’s necessary to wrap all lines with the `r $ …` for now; this sets the
 endpoint parameter.
 
 
+Continuous Integration
+----------------------
+
+We use GitHub Actions to trigger builds of the jobs defined in `./default.nix`. However the builds themselves are run on the [nixbuild.net](https://nixbuild.net/) service since it provides more capacity and is more efficient than GitHub runners.
+
+Please use the artifacts produced by GitHub Actions and nixbuild.net at your own risk or consider building independently from source.
+
+
 Running
 -------