# CI toolchain image for rdbms-playground. # # Purpose: a SMALL job-container image that # (a) satisfies the Gitea act_runner job-container contract — /bin/sleep (the # keep-alive entrypoint), bash (run: steps), node (JS actions such as # actions/checkout); a bare nixos/nix image has none of these and won't # even start (verified by the ci-probe run: "/bin/sleep: no such file"); and # (b) carries the project's pinned nix toolchain with the flake's devShell # pre-warmed, so CI runs `nix develop -c cargo ...` against a warm store. # # Base: node:22-bookworm-slim. Debian slim already provides bash + coreutils # (sleep); the node tag adds the actions runtime. Far smaller than the # catthehacker runner images (which bundle a whole GitHub-runner emulation we # don't need). FROM node:22-bookworm-slim # nix install + flake eval needs these. git because flakes prefer a VCS context # and tools shell out to it. Drop apt lists to keep the layer small. RUN apt-get update \ && apt-get install -y --no-install-recommends \ curl xz-utils ca-certificates git \ && rm -rf /var/lib/apt/lists/* # Single-user nix (--no-daemon): store at /nix owned by root, no daemon/systemd # needed — the correct mode for a container. The official installer refuses root # and shells out to `sudo` purely to create /nix; pre-creating it ourselves (we # ARE root) sidesteps both. Enable flakes globally so every nix invocation (and # the runner's steps) get nix-command + flakes without flags. # nix.conf is written FIRST so the installer's own `nix-env` profile step reads # it: `build-users-group =` (empty) makes single-user nix build as the calling # user (root) instead of demanding the nixbld group/users a daemon install would # create; flakes are enabled globally in the same file. RUN mkdir -m 0755 /nix && chown root:root /nix \ && mkdir -p /etc/nix \ && printf 'build-users-group =\nexperimental-features = nix-command flakes\n' > /etc/nix/nix.conf \ && curl --proto '=https' --tlsv1.2 -sSf -L https://nixos.org/nix/install -o /tmp/nix-install.sh \ && sh /tmp/nix-install.sh --no-daemon \ && rm /tmp/nix-install.sh ENV PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH # We set PATH directly instead of sourcing the profile, so also point nix at the # Debian CA bundle (already installed) for substituter HTTPS — otherwise the # profile-provided NIX_SSL_CERT_FILE is missing and store downloads fail. ENV NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt # Warm the flake's devShell into the store: realizes nixpkgs + the pinned Rust # toolchain (rustc/cargo/clippy/rustfmt) + cargo-sweep. Only the inputs that # determine the shell are copied, so this expensive layer is cached and only # re-runs when the flake or the toolchain pin changes — not on every source edit. # (devShell eval is lazy: packages.default — and thus Cargo.toml/Cargo.lock — is # never forced here, so it needn't be present.) WORKDIR /warm COPY flake.nix flake.lock rust-toolchain.toml ./ RUN nix develop -c rustc --version \ && nix develop -c cargo --version \ && nix develop -c cargo clippy --version \ && nix develop -c cargo fmt --version \ && nix develop -c cargo sweep --version WORKDIR / RUN rm -rf /warm # FOLLOW-UP optimisation (intentionally NOT done here, see CI notes): cargo # dependency + target caching. Each CI run still compiles the ~296-crate graph # from scratch and pulls crate sources from crates.io. A later pass can bake # `cargo fetch` (offline crate sources) and/or a warmed target dir, or wire # sccache, to cut run time. Correctness/first-green first; speed next.