garnix-io / issues Goto Github PK

Currently during signup users get directed to github to install the app, and redirected back after the installation, which is when garnix gets their username and token, and finishes signup. This flow isn't ideal because some users might not want to install the app anywhere new - they might e.g. be collaborators on a project where garnix is already installed. (At the moment, they just get kind of confusingly stuck during signup)

Any attributes that are not built because they do not match the includes/excludes should be mentioned, with a link to documentation about how to change that. By default, certain packages (e.g. aarch64-darwin and aarch64-linux) are not built, and this can be confusing/surprising.

Additionally, there should be a mention of what attributes are considered at all.

Would it be feasible to add an experimental-features configuration field, which is passed to Nix? For example, my repo uses content-addressed derivations, so builds currently fail with

error: experimental Nix feature 'ca-derivations' is disabled; use '--extra-experimental-features ca-derivations' to override

Hey team. I've been using garnix on my fork of the notmuch mail indexer: github:league/notmuch and the most recent commits don't show the yellow dot, and don't appear in my dashboard on garnix.io. The repo is still enabled in garnix app, as far as I can tell.

However, there is something possibly suspicious further down that commit log. A commit from 14 October appears to have its build still in-progress (yellow dot). I don't know why it didn't time out, nor whether it would delay recognition of subsequent pushes. The page for that build just says "Waiting for logs."

Thanks so much, garnix is great.

Is there/ will there be a way to disable sandbox on certain flake outputs?

For eg., --option sandbox false would allow srid/haskell-flake#21 to pass in CI.

So far I've been excluding it in garnix.yaml:

builds:
  exclude:
    # https://github.com/srid/haskell-flake/issues/21
    - "checks.*.default-hls"

In some projects one might be not allowed a flake in the toplevel directory (i.e. political/policy reasons).
In our particular project we don't want to use the flake in the toplevel directory since we use unpinned nixpkgs.
Therefore it would be cool if we could specify in garnix.toml an alternative directory.

So that building can take advantage of public binary caches.

The vast majority of my user space software gets installed into shared homeConfigurations.* targets in my flake.nix file. Even more so than my system configuration, the homeConfigurations bit gets shared between all my systems. I have gui and non-gui targets and that's about it.

I've tried adding two of the homeConfigurations targets to my garnix.yaml file to enable building them, but they aren't built. The app doesn't give any output about not finding particular targets, as best I can tell, so I don't know why it's not building them. I also haven't seen any information about building home manager configurations in the garnix docs.

Repo it happens: https://github.com/srid/emanote-template

CI log: https://github.com/srid/emanote-template/runs/8058506408

package default [x86_64-linux] fails, but I can build it successfully on my local machine:

❯ nix build .#packages.x86_64-linux.default --json
warning: Using saved setting for 'extra-substituters = https://cache.garnix.io' from ~/.local/share/nix/trusted-settings.json.
warning: Using saved setting for 'extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=' from ~/.local/share/nix/trusted-settings.json.
[{"drvPath":"/nix/store/qz9w433nmbir1wvx9f983lc72nkgx7mx-emanote-static-website.drv","outputs":{"out":"/nix/store/mn8bn1bs1c1pmm79rmyvgkkrnwifc12q-emanote-static-website"}}]

❯ nix --option sandbox true build .#packages.x86_64-linux.default --json
warning: Using saved setting for 'extra-substituters = https://cache.garnix.io' from ~/.local/share/nix/trusted-settings.json.
warning: Using saved setting for 'extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=' from ~/.local/share/nix/trusted-settings.json.
[{"drvPath":"/nix/store/qz9w433nmbir1wvx9f983lc72nkgx7mx-emanote-static-website.drv","outputs":{"out":"/nix/store/mn8bn1bs1c1pmm79rmyvgkkrnwifc12q-emanote-static-website"}}]

Nix info,

❯ nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.53, NixOS, 22.11 (Raccoon), 22.11.20220721.a65b5b3`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.10.3`
 - channels(root): `"nixos-22.11pre392433.8f485713f5e"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
 - ```

https://github.com/EmaApps/ema-template/actions/runs/3733203286/jobs/6333727221

I tried restarting the build, but the error occurs on a different derivation.

error: hash mismatch importing path '/nix/store/x3xa7h9wg6phf5a83is1vp4a663c61sq-auto-update-0.1.6';
         specified: sha256:0ylfgvbw5v9v0z5mzfa139zc96qkncp2lc4ri65pbk74zla09xyb
         got:       sha256:1rsprx5vgsidjil565s12nz0ah89vv0126gsd0652pac9pi6fvpd
error: some substitutes for the outputs of derivation '/nix/store/k4a2l67vwlkgvwagzmbflbbiykgrb9bd-auto-update-0.1.6.drv' failed (usually happens due to networking issues); try '--fallback' to build derivation from source

I wish the garnix.io page would give me a bit of an overview, rather than just listing all the most recent builds.

Basically, just a list of the latest overall results (perhaps colorized) for the default branch on each repo I have enabled garnix for. And sorted by name, to make it easy to compare.

So that, I see something like

con-kitty/categorifier[088b8d61]         Failure
con-kitty/concat[68a24f40]               Failure
sellout/bash-strict-mode[b35a8027]       Success
sellout/emacs-extended-faces[fd111870]   Failure

and then I can click through each to see the detailed results.

The list of github "checks" that garnix will set on a commit is variable. It depends on the shape of the flake output.

Problem statement

In the github branch protection setting, I can tell github to only merge a PR if certain checks are passing. And I can add the checks that Garnix set during the last run in there.

The only issue is that the list of Garnix checks evolves over time. As I add more packages, I will get more checks. And there is no way to tell GitHub to ask for "all the checks". So I have to go back in there and update the list as it changes.

Proposed solution

Have Garnix also publish a "all the garnix checks passed" check. Then I only have to add that one to the GitHub branch protection setting.

Basically the title. I initially thought it is because of some configuration change I made recently. But it turns out the same is true for old commits which worked previously.

The Haskell flake template https://github.com/NixOS/templates/blob/master/haskell-hello/flake.nix suggests using

checks = self.packages;

to run tests, but this doesn't work on Garnix, due to nix show not working. It fails with

error: expected a derivation

As the title says.

Being reliant on a single point of failure, is fine for a beta, but I hope the service can be more, competitor, and self-hosting friendly in the future.

Sadly I don't have screenshots, but I can share my story:

I installed the github app, configured https://github.com/kamadorueda/alejandra to be built by garnix, then nothing happened, I did not see builds or results on my garnix mainpage

I wondered, hmm, why? so I followed the steps displayed in the garnix help, but they were related to the demo repository, which I was not using and therefore I felt a little bit lost

Then I merged a PR in https://github.com/kamadorueda/alejandra, which pushed a commit to the main branch, and then garnix showed the builds: success!

This issue is just to say: it works, but maybe I was too dumb, or maybe the getting started steps can be made more intuitive

Could the YAML file be used to configure this?

For example, to disable Garnix building gh-pages branch: https://github.com/srid/NixHaskellIndex/tree/gh-pages

I got this error all of sudden on Emanote:

https://github.com/EmaApps/emanote/runs/9443800979

The change itself was a trivial one: srid/emanote@ea28b6b

Currently, a flake with an input from a private github repo, as in

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
    puzzledb.url = "git+ssh://[email protected]:/robx/puzzledb-mirror.git?ref=nix";
...

fails to build on garnix with

Command 'nix eval .#nixosConfigurations --apply builtins.attrNames --json' failed with exit code 1. Stderr:
error: 'git+ssh://[email protected]:/robx/puzzledb-mirror.git?ref=nix' is not a valid URL

It's unclear to me whether that could/should be made to work as is; some documented way to allow building flakes that depend on private flakes via garnix would be nice though.

Suggestion from the discord thread is to change the flake to reference the private input with a https:// URL using a personal access token.

Specifically, this PR: Gabriella439/grace#45

I double-checked that I enabled Garnix for that repository in my GitHub application settings.

I also checked the logs on garnix.io and didn't see any logs related to that repository

Does your blog have a feed?
My feedreader can't find it.
If you don't have one, please consider adding one.

This is likely a somewhat recent regression, but if the flake.nix can't be evaluated for any reason, the logs are not being displayed. That's pretty bad!

Would the divnix/std deliberate, but useful output schema be in scope for garnix?

In turn I could implement std support.

https://github.com/divnix/std

Better docs being worked on.

For now, just hit the repl in the root and see how it works.

A metadata contract can be exposed on outputs.__std, if necessary.

IFD is currently not allowed. We could allow it, though probably with a less clean perspective on what will be built.

If for some reason a derivation is taking very long to build, it may be better to just cancel it, but currently there's no way to do that manually.

builds:
  include:
    - 'legacyPackages.x86_64-linux.*'
    - 'devShell.x86_64-linux'

It looks like it's expecting the exclude to be present:

DecodeConfigError {message = "Aeson exception:\nError in $: \n Previous branch failure: Error in $.builds: key "exclude" not found\nexpected Null, but encountered Object"}

Presumably there'd be something like a directory option in garnix.yaml.

Currently, unless the repo is public, only the people who triggered the build themselves can see it.

Provide badges for CI status.

Ideally, provide an endpoint that is compatible with shields.io. Allow filtering (e.g. garnix.io/repo/<repo>?format=shields.io&system=x86_64-linux&type=package for all x86_64-linux packages in the latest commit of master/main).

Useful query params to have:

• Commit
• Branch
• System
• Type

Garnix CI doesn't seem to detect nixosConfigurations that contain a ..

output of: nix flake show:

git+file:///home/victor/src/infrastructure?ref=refs%2fheads%2fmain&rev=e614e9ed3b0fb51616b7ce247e8765cfda4af9be
├───colmena: unknown
├───devShells
│   └───x86_64-linux
│       └───default: development environment 'nix-shell'
├───nixosConfigurations
│   ├───"bastion.hades": NixOS configuration
│   ├───"bastion.olympus": NixOS configuration
│   ├───"database.hades": NixOS configuration
│   ├───"database.olympus": NixOS configuration
│   ├───"dhcp.olympus": NixOS configuration
│   ├───"dns-1.olympus": NixOS configuration
│   ├───"dns-2.olympus": NixOS configuration
│   ├───"docker-registry-proxy.hades": NixOS configuration
│   ├───"docker-registry.hades": NixOS configuration
│   ├───"gitea.olympus": NixOS configuration
│   ├───"hedgedoc.olympus": NixOS configuration
│   ├───"jackett2.hades": NixOS configuration
│   ├───"keycloak.olympus": NixOS configuration
│   ├───"mailserver.olympus": NixOS configuration
│   ├───"mastodon.hades": NixOS configuration
│   ├───"minio.hades": NixOS configuration
│   ├───"minio.olympus": NixOS configuration
│   ├───"mosquitto.olympus": NixOS configuration
│   ├───"nginx.olympus": NixOS configuration
│   ├───null: NixOS configuration
│   ├───"outline.olympus": NixOS configuration
│   ├───"prowlarr.hades": NixOS configuration
│   ├───"radarr2.hades": NixOS configuration
│   ├───"rtorrent.hades": NixOS configuration
│   ├───"sonarr2.hades": NixOS configuration
│   ├───"synapse.olympus": NixOS configuration
│   ├───"unifi.hades": NixOS configuration
│   ├───"unifi.olympus": NixOS configuration
│   ├───"vault-0.hades": NixOS configuration
│   ├───"vault-1.olympus": NixOS configuration
│   ├───"vault.olympus": NixOS configuration
│   ├───"victoriametrics.olympus": NixOS configuration
│   └───"wireguard.olympus": NixOS configuration
└───packages
    └───x86_64-linux
        ├───apply-local: package 'apply-local'
        ├───default: package 'colmena-0.4.0-pre'
        └───iso: package 'nixos-22.11.20221009.e3c61a2-x86_64-linux.iso'

But garnix only seems to detect one of them:

Here is a link to an example pipeline: https://github.com/NULLx76/infrastructure/runs/8788941654

Garnix should force only a certain number of derivations being built at once per user. When the limit is reached, those derivations should be queued. Hercules CI has this feature and it would be a good idea to implement this.

I also accidentally caused Garnix to crash today.

The current setup is somewhat annoying since:

1. Enabling builds in a repo is not entirely obvious - you have to dig a bit to find the app, and then to enable it.
2. You can't have branches that don't build.

Instead, we can require that the app be enabled, and a garnix.yaml file be present. That way you can enable the app on all repos when configuring.

The builds are public via github already anyhow.

The M1 build fails as follows,

error: builder for '/nix/store/yv6qfknvp1x0baxcq525h47c3vfbgp3f-emanote-0.6.5.4.drv' failed with exit code 1;
       last 1 log lines:
       > sandbox-exec: pattern serialization length 77788 exceeds maximum (65535)
       For full logs, run 'nix log /nix/store/yv6qfknvp1x0baxcq525h47c3vfbgp3f-emanote-0.6.5.4.drv'.

https://garnix.io/build/r9qw3k0e

Same with devShell build: https://garnix.io/build/Q9PwG2Bb

Public view: https://github.com/srid/emanote/runs/6459904976

I discovered the docs by typing https://garnix.io/docs in the browser, but it's not linked to from the main page, and therefore not easily discoverable

Upon installing garnix, my home tab shows builds started a few months ago in a repo that I don't own (whose owner presumably has enabled garnix for all repos), and with which my only interaction is that I once pushed a commit to a PR branch in that repo (https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork).

This should not count as a sign that I am interested in seeing the builds from that repo.

I'm actually not sure if that's what is happening here, but I noticed that Garnix wasn't building this PR:

Gabriella439/nix-diff#64

… and I'm guessing that the reason why is because the PR's branch from another repository

Log: https://garnix.io/build/kamadorueda/alejandra/511c3f6a88b6964e1496fb6f441f4ae5e58bd3ea/alejandra-x86_64-apple-darwin

repo: kamadorueda/alejandra
commit: 511c3f6a88b6964e1496fb6f441f4ae5e58bd3ea
package: alejandra-x86_64-apple-darwin
status: Failure
started at: 2022-03-04T02:29:36.266444Z
finished at: 2022-03-04T02:29:36.8271Z
Logs
No logs available

Of course I suspect it is because darwin is an unsupported system

This issue is about that I don't see information in the website indicating why, there are no logs, just an anonymous 'failure'

I'm not sure if the problem is related to Darwin, but I had a PR build where evaluation succeeded but nothing was built, even though I was expecting something to build based on the configuration.

Note that I'm using a non-default configuration that explicitly opts into Darwin build products. See here for the PR:

https://github.com/Gabriella439/macos-builder/pull/2/files

… and here for the matching Garnix run:

https://github.com/Gabriella439/macos-builder/pull/2/checks?check_run_id=8786448740

Example job still in process for ~24h:

• https://github.com/EmaApps/emanote/runs/9180488778
• https://garnix.io/build/V9M2Vxkg

See the CI status in https://github.com/EmaApps/emanote/commits/master

I cannot click on alejandra-i686's success, but I can click on the running below and success above

I suppose the dots are overlapping with the button:

Log: https://garnix.io/build/kamadorueda/alejandra/511c3f6a88b6964e1496fb6f441f4ae5e58bd3ea/alejandra-x86_64-apple-darwin

repo: kamadorueda/alejandra
commit: 511c3f6a88b6964e1496fb6f441f4ae5e58bd3ea
package: alejandra-x86_64-apple-darwin
status: Failure
started at: 2022-03-04T02:29:36.266444Z
finished at: 2022-03-04T02:29:36.8271Z

Logs
No logs available

Garnix is creating builds on GitHub for unsupported systems:

As a user I would expect to either:

• Have all my packages built, at least for the systems supported by hydra.nixos.org:

  nix-repl> lib.systems.supported.hydra
  [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "armv6l-linux" "armv7l-linux" "i686-linux" "mipsel-linux" "aarch64-darwin" ]
  

  or at least tier1 and tier2:

  nix-repl> lib.systems.supported.tier1
  [ "x86_64-linux" ]
  
  nix-repl> lib.systems.supported.tier2
  [ "aarch64-linux" "x86_64-darwin" ]
  

• Hide the builds for unsupported systems

• Show the builds as another status than failed, maybe skipped?

When garnix is enabled for a repo, it’d be great to get an initial build without having to push further changes to the repo to trigger it.

Log: https://garnix.io/build/kamadorueda/alejandra/511c3f6a88b6964e1496fb6f441f4ae5e58bd3ea/alejandra-x86_64-unknown-linux-gnu

Escape sequences are not interpreted (this show should a green color)
and are not stripped (causing some gibberish in the log)

Ideally it should do interpreting or stripping, being stripping the simplest to implement, and interpreting the more delightful to the eye

�[0m�[0m�[1m�[32m   Compiling�[0m autocfg v1.1.0
�[0m�[0m�[1m�[32m   Compiling�[0m libc v0.2.119
�[0m�[0m�[1m�[32m   Compiling�[0m crossbeam-utils v0.8.7
�[0m�[0m�[1m�[32m   Compiling�[0m lazy_static v1.4.0
�[0m�[0m�[1m�[32m   Compiling�[0m cfg-if v1.0.0
�[0m�[0m�[1m�[32m   Compiling�[0m crossbeam-epoch v0.9.7
�[0m�[0m�[1m�[32m   Compiling�[0m serde v1.0.136
�[0m�[0m�[1m�[32m   Compiling�[0m cc v1.0.73
�[0m�[0m�[1m�[32m   Compiling�[0m memchr v2.4.1

I think I've just come across a strange bug with the macOS builder.

The command nix build .#devShells.aarch64-darwin.default --json when run in the garnix macOS machine fails: https://github.com/EmaApps/ema-template/runs/7378656982

But the same command ran locally (on my M1 Air) succeeds:

❯ nix build .#devShells.aarch64-darwin.default --json
[{"drvPath":"/nix/store/31znmqzpx6c62lgqnfqyg0ayj3d5blcw-ghc-shell-for-ema-template-0.1.0.0.drv","outputs":{"out":"/nix/store/k63x7xl65iz3xn3501j73rdaqn9wmq4m-ghc-shell-for-ema-template-0.1.0.0"}}]

Both the CI job and my local command were run from commit tree c14b7dd of srid/ema-template#25