ci: add throwaway runner-probe workflow
Diagnostic to determine how the ci-public runner executes jobs and where the nix toolchain is reachable (host vs default container vs a custom container:), so the real gate is built on facts. Delete once the gate lands.
@@ -0,0 +1,73 @@
# THROWAWAY DIAGNOSTIC — delete once the real gate is wired.
#
# This answers the questions that decide the CI architecture, on facts rather
# than guesses:
# * How does this runner execute a plain job — directly on the host, or inside
# a default container? (-> is "the ci server has nix" reachable from steps?)
# * Is `nix` on PATH where steps run, and does a /nix store persist?
# * Is a docker client/daemon reachable from a plain job (no DinD service)?
# * Does a custom job `container:` work on this rootless runner, and can it pull
# an image (nixos/nix) — i.e. is the "reusable nix image" model viable?
#
# Trigger: push to this branch, or run manually from the Actions UI.
name: ci-probe
on: [push, workflow_dispatch]
jobs:
# --- Job 1: DEFAULT execution -------------------------------------------
# No `container:` override — this is whatever environment the runner gives a
# plain job. Tells us where steps actually run and what's already there.
host:
runs-on: ci-public
steps:
- name: identity & environment
run: |
echo "=== uname ==="; uname -a
echo "=== os-release ==="; head -3 /etc/os-release 2>/dev/null || echo "(none)"
echo "=== whoami / id ==="; whoami; id
echo "=== containerized? ==="
if [ -f /.dockerenv ]; then
echo "/.dockerenv PRESENT -> steps run INSIDE a container"
else
echo "/.dockerenv absent"
fi
echo "--- /proc/1/cgroup (first lines) ---"; head -5 /proc/1/cgroup 2>/dev/null || echo "(none)"
- name: nix availability (the decisive check)
run: |
echo "=== which nix ==="; command -v nix || echo "nix NOT on PATH"
echo "=== nix --version ==="; nix --version 2>/dev/null || echo "(no nix here)"
echo "=== /nix store ==="; ls -ld /nix /nix/store 2>/dev/null || echo "(no /nix)"
echo "=== store path count (persistence hint; high => warm/shared) ==="
ls /nix/store 2>/dev/null | wc -l
- name: docker availability (without a DinD service)
run: |
echo "=== which docker ==="; command -v docker || echo "docker NOT on PATH"
docker version 2>/dev/null || echo "(no docker client/daemon reachable from a plain job)"
- name: checkout — does the flake land here?
uses: actions/checkout@v4
- name: flake present in this checkout?
run: ls -la flake.nix flake.lock rust-toolchain.toml 2>/dev/null || echo "(flake not on this branch's checkout)"
# --- Job 2: CUSTOM CONTAINER --------------------------------------------
# Tests the "reusable nix image" model: run steps inside a pinned nix image.
# Deliberately minimal — no checkout (the checkout action needs node, which a
# bare nixos/nix image lacks; that's a separate concern). If this job's steps
# run at all, custom job containers are viable on this runner.
nix-container:
runs-on: ci-public
container:
image: nixos/nix:latest
steps:
- name: nix inside a pinned container
run: |
echo "=== inside nixos/nix container ==="
nix --version
echo "--- identity ---"; whoami; id; uname -a
echo "--- flakes enabled? ---"
nix --extra-experimental-features 'nix-command flakes' flake --help >/dev/null 2>&1 \
&& echo "flakes usable (with --extra-experimental-features)" \
|| echo "flake subcommand not usable as invoked"
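Review bot: `image: nixos/nix:latest` in the `nix-container` job is a floating tag, yet the job comment ("run steps inside a pinned nix image") and the step name ("nix inside a pinned container") both describe it as pinned. Pin the image to a specific version tag or an `@sha256:` digest so the probe exercises the same image the real gate would reuse, and so an upstream retag cannot change the result between runs. Two smaller points. `on: [push, workflow_dispatch]` has no `branches:` filter, so it fires on a push to any branch that carries this file, not only "this branch" as the header comment says; if the workflow outlives the probe it keeps printing runner details (`uname -a`, `id`, `/proc/1/cgroup`) into job logs, so add a branch filter or drop `push` and rely on `workflow_dispatch`. In the `host` job, `[ -f /.dockerenv ]` detects Docker only; the header calls this a rootless runner, so also test `/run/.containerenv` (the marker Podman creates), otherwise "/.dockerenv absent" can be misread as "steps run on the host".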