feat(flake.nix): switch dogfood dev image to buildNixShellImage from dockerTools

ThomasK33 · ThomasK33 · commit 32d343758b11 · 2025-01-22T11:57:20.000+01:00
Change-Id: I4e011fe3a19d9a1375fbfd5223c910e59d66a5d9
Signed-off-by: Thomas Kosiewski &lt;tk@coder.com&gt;
diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml
@@ -24,7 +24,7 @@ permissions:
 jobs:
   build_image:
     if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
@@ -34,6 +34,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
+      - name: Setup Nix
+        uses: DeterminateSystems/nix-installer-action@e50d5f73bfe71c2dd0aa4218de8f4afa59f8f81d # v16
+      - name: Setup GHA Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@6221693898146dc97e38ad0e013488a16477a4c4 # v9
+
       - name: Get branch name
         id: branch-name
         uses: tj-actions/branch-names@6871f53176ad61624f978536bbf089c574dc19a2 # v8.0.1
@@ -72,17 +77,23 @@ jobs:
           tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
 
       - name: Build and push Nix image
-        uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0
-        with:
-          project: b4q6ltmpzh
-          token: ${{ secrets.DEPOT_TOKEN }}
-          buildx-fallback: true
-          context: "."
-          file: "dogfood/contents/Dockerfile.nix"
-          pull: true
-          save: true
-          push: ${{ github.ref == 'refs/heads/main' }}
-          tags: "codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood-nix:latest"
+        run: |
+          nix build .#dev_image
+
+          # If github.ref is not refs/head/main then exit here early
+           if [ "${{ github.ref }}" != "refs/heads/main" ]; then
+             exit 0
+           fi
+
+          docker load -i result
+
+          CURRENT_SYSTEM=$(nix eval --impure --raw --expr 'builtins.currentSystem')
+
+          docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }}
+          docker image push codercom/oss-dogfood-nix:${{ steps.docker-tag-name.outputs.tag }}
+
+          docker image tag codercom/oss-dogfood-nix:latest-$CURRENT_SYSTEM codercom/oss-dogfood-nix:latest
+          docker image push codercom/oss-dogfood-nix:latest
 
   deploy_template:
     needs: build_image
diff --git a/Makefile b/Makefile
@@ -952,3 +952,6 @@ else
 	pnpm playwright:test
 endif
 .PHONY: test-e2e
+
+dogfood/contents/nix.hash: flake.nix flake.lock
+	sha256sum flake.nix flake.lock >./dogfood/contents/nix.hash
diff --git a/dogfood/contents/Dockerfile.nix b/dogfood/contents/Dockerfile.nix
diff --git a/dogfood/contents/main.tf b/dogfood/contents/main.tf
@@ -344,7 +344,7 @@ resource "docker_image" "dogfood" {
     data.docker_registry_image.dogfood.sha256_digest,
     sha1(join("", [for f in fileset(path.module, "files/*") : filesha1(f)])),
     filesha1("Dockerfile"),
-    filesha1("Dockerfile.nix"),
+    filesha1("nix.hash"),
   ]
   keep_locally = true
 }
diff --git a/dogfood/contents/nix.hash b/dogfood/contents/nix.hash
@@ -0,0 +1,2 @@
+7f76642cfe331925935c526e068788c30213e36df85b20214d517d1a2fdf3954  flake.nix
+2358e758b2369c744a3f38d5b6cd3a71e79fcb99bdbb3bdeb8d3a520cf46f19f  flake.lock
diff --git a/flake.nix b/flake.nix
@@ -17,8 +17,17 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixpkgs-pinned, flake-utils, drpc, pnpm2nix }:
-    flake-utils.lib.eachDefaultSystem (system:
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixpkgs-pinned,
+      flake-utils,
+      drpc,
+      pnpm2nix,
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
       let
         pkgs = import nixpkgs {
           inherit system;
@@ -32,17 +41,21 @@
           inherit system;
         };
 
+        formatter = pkgs.nixfmt-rfc-style;
+
         nodejs = pkgs.nodejs_20;
         pnpm = pkgs.pnpm_9.override {
-          inherit nodejs;  # Ensure it points to the above nodejs version
+          inherit nodejs; # Ensure it points to the above nodejs version
         };
 
         # Check in https://search.nixos.org/packages to find new packages.
         # Use `nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update`
         # to update the lock file if packages are out-of-date.
 
         # From https://nixos.wiki/wiki/Google_Cloud_SDK
-        gdk = pkgs.google-cloud-sdk.withExtraComponents ([ pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin ]);
+        gdk = pkgs.google-cloud-sdk.withExtraComponents [
+          pkgs.google-cloud-sdk.components.gke-gcloud-auth-plugin
+        ];
 
         proto_gen_go_1_30 = pkgs.buildGoModule rec {
           name = "protoc-gen-go";
@@ -63,14 +76,16 @@
         # The minimal set of packages to build Coder.
         devShellPackages = with pkgs; [
           # google-chrome is not available on aarch64 linux
-          (lib.optionalDrvAttr ( !stdenv.isLinux || !stdenv.isAarch64 ) google-chrome)
+          (lib.optionalDrvAttr (!stdenv.isLinux || !stdenv.isAarch64) google-chrome)
           # strace is not available on OSX
-          (lib.optionalDrvAttr ( !pkgs.stdenv.isDarwin ) strace)
+          (lib.optionalDrvAttr (!pkgs.stdenv.isDarwin) strace)
           bat
           cairo
           curl
           delve
+          dive
           drpc.defaultPackage.${system}
+          formatter
           fzf
           gcc
           gdk
@@ -129,13 +144,22 @@
 
           src = ./site/.;
           # Required for the `canvas` package!
-          extraBuildInputs = with pkgs; [
-            cairo
-            pango
-            pixman
-            libpng libjpeg giflib librsvg
-            python312Packages.setuptools
-          ] ++ ( lib.optionals stdenv.targetPlatform.isDarwin [ darwin.apple_sdk.frameworks.Foundation xcbuild ] );
+          extraBuildInputs =
+            with pkgs;
+            [
+              cairo
+              pango
+              pixman
+              libpng
+              libjpeg
+              giflib
+              librsvg
+              python312Packages.setuptools
+            ]
+            ++ (lib.optionals stdenv.targetPlatform.isDarwin [
+              darwin.apple_sdk.frameworks.Foundation
+              xcbuild
+            ]);
           installInPlace = true;
           distDir = "out";
         };
@@ -144,15 +168,20 @@
 
         # To make faster subsequent builds, you could extract the `.zst`
         # slim bundle into it's own derivation.
-        buildFat = osArch:
+        buildFat =
+          osArch:
           pkgs.buildGo122Module {
             name = "coder-${osArch}";
             # Updated with ./scripts/update-flake.sh`.
             # This should be updated whenever go.mod changes!
-            vendorHash = "sha256-DNQ3UPQoiiWEatMPj6B7QGGy9qOSvOmjADsrr+drCBY=";
+            vendorHash = "sha256-31GuIzqa3kuVIKQ7Fy6Xm/lHLlBRv7VOKpWSQoelnos=";
             proxyVendor = true;
             src = ./.;
-            nativeBuildInputs = with pkgs; [ getopt openssl zstd ];
+            nativeBuildInputs = with pkgs; [
+              getopt
+              openssl
+              zstd
+            ];
             preBuild = ''
               # Replaces /usr/bin/env with an absolute path to the interpreter.
               patchShebangs ./scripts
@@ -177,7 +206,9 @@
             '';
           };
       in
-      {
+      rec {
+        inherit formatter;
+
         devShells = {
           default = pkgs.mkShell {
             buildInputs = devShellPackages;
@@ -186,26 +217,36 @@
               export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
             '';
 
-            LOCALE_ARCHIVE = with pkgs; lib.optionalDrvAttr stdenv.isLinux "${glibcLocales}/lib/locale/locale-archive";
+            LOCALE_ARCHIVE =
+              with pkgs;
+              lib.optionalDrvAttr stdenv.isLinux "${glibcLocales}/lib/locale/locale-archive";
           };
         };
 
-        packages = {
-          proto_gen_go = proto_gen_go_1_30;
-          all = pkgs.buildEnv {
-            name = "all-packages";
-            paths = devShellPackages;
-          };
-          site = buildSite;
-
-          # Copying `OS_ARCHES` from the Makefile.
-          linux_amd64 = buildFat "linux_amd64";
-          linux_arm64 = buildFat "linux_arm64";
-          darwin_amd64 = buildFat "darwin_amd64";
-          darwin_arm64 = buildFat "darwin_arm64";
-          windows_amd64 = buildFat "windows_amd64.exe";
-          windows_arm64 = buildFat "windows_arm64.exe";
-        };
+        packages =
+          {
+            default = packages.${system};
+
+            site = buildSite;
+
+            # Copying `OS_ARCHES` from the Makefile.
+            x86_64-linux = buildFat "linux_amd64";
+            aarch64-linux = buildFat "linux_arm64";
+            x86_64-darwin = buildFat "darwin_amd64";
+            aarch64-darwin = buildFat "darwin_arm64";
+            x86_64-windows = buildFat "windows_amd64.exe";
+            aarch64-windows = buildFat "windows_arm64.exe";
+          }
+          // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
+            dev_image = pkgs.dockerTools.buildNixShellImage {
+              name = "codercom/oss-dogfood-nix";
+              tag = "latest-${system}";
+
+              drv = devShells.default.overrideAttrs (oldAttrs: {
+                buildInputs = oldAttrs.buildInputs ++ [ pkgs.nix ];
+              });
+            };
+          });
       }
     );
 }
diff --git a/scripts/update-flake.sh b/scripts/update-flake.sh
@@ -37,4 +37,6 @@ echo "protoc-gen-go version: $PROTOC_GEN_GO_REV"
 PROTOC_GEN_GO_SHA256=$(nix-prefetch-git https://github.com/protocolbuffers/protobuf-go --rev "$PROTOC_GEN_GO_REV" | jq -r .hash)
 sed -i "s#\(sha256 = \"\)[^\"]*#\1${PROTOC_GEN_GO_SHA256}#" ./flake.nix
 
+make dogfood/contents/nix.hash
+
 echo "Flake updated successfully!"

Original file line number	Diff line number	Diff line change
`@@ -344,7 +344,7 @@ resource "docker_image" "dogfood" {`
`344`	`344`	`data.docker_registry_image.dogfood.sha256_digest,`
`345`	`345`	`sha1(join("", [for f in fileset(path.module, "files/*") : filesha1(f)])),`
`346`	`346`	`filesha1("Dockerfile"),`
`347`		`- filesha1("Dockerfile.nix"),`
	`347`	`+ filesha1("nix.hash"),`
`348`	`348`	`]`
`349`	`349`	`keep_locally = true`
`350`	`350`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+7f76642cfe331925935c526e068788c30213e36df85b20214d517d1a2fdf3954 flake.nix`
	`2`	`+2358e758b2369c744a3f38d5b6cd3a71e79fcb99bdbb3bdeb8d3a520cf46f19f flake.lock`