Build against Determinate Secure Packages #288

Open

edolstra wants to merge 4 commits into main from secure-packages

Conversation

@edolstra edolstra (Collaborator) commented Dec 8, 2025

Motivation

The top-level flake still builds against upstream Nixpkgs. But packaging/secure-packages/flake.nix overrides that to use DSP.

Context

Summary by CodeRabbit

  • Chores

    • Flexible build workflow: configurable flake target input and optional artifact upload
    • New conditional build job for extra x86_64 verification that skips publishing artifacts
    • Added packaging flake to support the configurable flake target
  • Tests

    • Adjusted test helper invocation for broader compatibility across environments
  • Documentation

    • Corrected anchors, excluded broken fragments, and updated daemon reference links


coderabbitai Bot commented Dec 8, 2025

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6c624604-8f9c-4f88-96b2-233c228d041a

📥 Commits

Reviewing files that changed from the base of the PR and between f67520f and f6ca308.

📒 Files selected for processing (1)
  • .github/workflows/build.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/build.yml

📝 Walkthrough

This PR adds configurable flake and upload_artifacts inputs to the shared build workflow, updates all build/test targets to use the chosen flake, introduces packaging/secure-packages/flake.nix, integrates a new CI merge_group job that disables artifact upload, and includes a small test helper and docs fixes.

Changes

Build Workflow Parameterization

| Layer | File(s) | Summary |
|---|---|---|
| Secure-packages flake foundation | packaging/secure-packages/flake.nix | New flake with inputs from repository root and pinned nixpkgs, outputs passthrough to nix input. |
| Build workflow inputs and target updates | .github/workflows/build.yml | Added flake (default ./packaging/secure-packages) and upload_artifacts (default true) workflow inputs. Updated main build, static build, flake check, VM smoke/all, regression test, and manual build steps to use ${{ inputs.flake }}#... targets. Artifact upload step is conditional on inputs.upload_artifacts. |
| CI integration | .github/workflows/ci.yml | Added build_x86_64-linux_no_dsp job for merge_group events using the parameterized build workflow with upload_artifacts: false. Updated fallbackPathsNix build to reference ./packaging/secure-packages#fallbackPathsNix. |

Test Harness and Docs

| Layer | File(s) | Summary |
|---|---|---|
| Script argument ordering | tests/functional/json.sh | Reordered script invocation to pass -c with the escaped command before /dev/null for util-linux compatibility. |
| Manual and release-note anchors | doc/manual/package.nix, doc/manual/source/release-notes/rl-2.34.md, src/libstore/include/nix/store/local-store.hh, src/nix/unix/store-roots-daemon.md | Extend Lychee exclude list for print.html fragments and update use-roots-daemon/state-dir anchors and a systemd socket link to point to the correct local-store/nix3-daemon docs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • cole-h

"A rabbit hops through flakes and flows,
I tweak the paths where the CI goes,
Artifacts gated, targets unfurled,
A tiny flake to steady the world,
Hooray for builds that softly glow!" 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: the pull request adds support for building against Determinate Secure Packages through a new flake configuration and parametrized workflow inputs. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@edolstra edolstra force-pushed the secure-packages branch 3 times, most recently from 565ec3c to d26924f on December 8, 2025 at 16:32
github-actions Bot commented Dec 8, 2025

@github-actions github-actions Bot temporarily deployed to pull request December 8, 2025 16:36 Inactive
@github-actions github-actions Bot temporarily deployed to pull request December 8, 2025 16:57 Inactive
@github-actions github-actions Bot temporarily deployed to pull request December 8, 2025 18:05 Inactive
@edolstra edolstra force-pushed the secure-packages branch 2 times, most recently from a7a1451 to 9477ee6 on May 18, 2026 at 17:26
@edolstra edolstra changed the title from "Test building against secure packages" to "Build against Determinate Secure Packages" on May 18, 2026
@edolstra edolstra force-pushed the secure-packages branch 2 times, most recently from 5fd0ff0 to 86c7d62 on May 18, 2026 at 17:45
edolstra and others added 2 commits May 18, 2026 19:56
util-linux 2.42 (commit 7268e79b) added "+" to the getopt string of
script(1), so option parsing stops at the first non-option argument.
The previous `script -e -q /dev/null -c CMD` ordering therefore treats
`-c CMD` as extra positional arguments and fails with
"unexpected number of arguments".

Place all options before the <file> argument, which works on both old
and new util-linux.

(cherry picked from commit 8b974a3)
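To make the point of that commit message concrete, here is an added example (not code from the Nix repository or from util-linux) that emulates the two parsing behaviours in POSIX sh: count_positional_strict uses getopts, which stops at the first non-option argument exactly as a "+"-prefixed getopt string does, and count_positional_permute emulates the older GNU permutation that collected options from anywhere on the command line. The option set -e, -q and -c ARG mirrors the json.sh invocation; the function names and the 'echo hi' command are this example's own.

```shell
#!/bin/sh
# Added example: emulate script(1) argument parsing before and after util-linux
# 2.42 prepended "+" to its getopt string. Not the real script(1); it only
# recognises -e, -q and -c ARG, the flags used by tests/functional/json.sh.

# Positional arguments left over when options may appear anywhere
# (GNU permutation, util-linux < 2.42).
count_positional_permute() {
    n=0
    while [ $# -gt 0 ]; do
        case $1 in
            --) shift; n=$((n + $#)); break ;;
            -c) shift 2 ;;            # -c takes the command as its argument
            -*) shift ;;
            *)  n=$((n + 1)); shift ;;
        esac
    done
    echo "$n"
}

# Positional arguments left over when parsing stops at the first non-option
# ("+" getopt string, util-linux >= 2.42). POSIX getopts behaves this way.
count_positional_strict() {
    OPTIND=1
    while getopts "eqc:" opt; do
        :   # options are accepted; only the leftover argument count matters
    done
    shift $((OPTIND - 1))
    echo "$#"
}

# script(1) expects exactly one positional argument, the typescript file.
# Succeeds when the invocation would be accepted under strict parsing.
script_invocation_ok() {
    [ "$(count_positional_strict "$@")" -eq 1 ]
}

# Portable invocation: every option first, the file last. Prints one argv
# element per line so callers can see the exact ordering.
portable_script_args() {
    cmd=$1; file=${2:-/dev/null}
    printf '%s\n' script -e -q -c "$cmd" "$file"
}

# Demonstration with the two orderings from the commit message.
old_order_permute=$(count_positional_permute -e -q /dev/null -c 'echo hi')  # 1
old_order_strict=$(count_positional_strict -e -q /dev/null -c 'echo hi')    # 3
new_order_strict=$(count_positional_strict -e -q -c 'echo hi' /dev/null)    # 1
echo "old order: permute=$old_order_permute strict=$old_order_strict"
echo "new order: strict=$new_order_strict"
```

Under the old ordering the strict parser sees three positionals (/dev/null, -c and the command), which is the "unexpected number of arguments" failure; with options first both parsers agree on one positional, so the reordered invocation is safe on either util-linux generation.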
@github-actions github-actions Bot temporarily deployed to pull request May 18, 2026 17:56 Inactive
@edolstra edolstra marked this pull request as ready for review May 18, 2026 17:56
@github-actions github-actions Bot temporarily deployed to pull request May 18, 2026 17:59 Inactive

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

99-117: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add build_x86_64-linux_no_dsp to the success job's needs list.

The build_x86_64-linux_no_dsp job is excluded from the success job's needs array, even though it runs on merge_group events and performs comprehensive testing (including VM and regression tests). If this job fails during a merge, the overall success status won't reflect that failure. All other build jobs are included in the needs list—this one should be too.

  success:
    runs-on: ubuntu-latest
    needs:
      - eval
      - build_x86_64-linux
      - build_x86_64-linux_no_dsp
      - build_aarch64-linux
      - build_aarch64-darwin

GitHub Actions handles conditionally-skipped jobs gracefully: when build_x86_64-linux_no_dsp is skipped on non-merge_group events, it won't block the success job.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 99 - 117, Update the "success" job's
needs array to include the missing job name build_x86_64-linux_no_dsp so the job
depends on it like the other build jobs; specifically modify the needs list
inside the success job (the block labeled success and its needs key) to add -
build_x86_64-linux_no_dsp alongside eval, build_x86_64-linux,
build_aarch64-linux, and build_aarch64-darwin so failures in
build_x86_64-linux_no_dsp are considered by the success job.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc869b6f-8797-42a0-91e3-ae8e1ab00e92

📥 Commits

Reviewing files that changed from the base of the PR and between dcda71e and 69f1872.

⛔ Files ignored due to path filters (1)
  • packaging/secure-packages/flake.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .github/workflows/ci.yml
  • packaging/secure-packages/flake.nix
  • tests/functional/json.sh
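The parameterized build workflow from the walkthrough (flake and upload_artifacts inputs) and the merge_group job discussed in the review comment above, reconstructed as one added example. This is not the repository's actual workflow files: step names, the runner label, the installer action, the #default attribute and the eval/aarch64 jobs being omitted are all assumptions. One caveat worth checking before adopting the suggested needs list: with a job's default condition (success()), a job that needs a skipped job is itself skipped, so on pull_request runs where build_x86_64-linux_no_dsp does not run, the success job would be skipped rather than pass. Gating success with !cancelled() and checking needs.*.result explicitly keeps it green when a dependency is skipped and red when one fails.

```yaml
# .github/workflows/build.yml  (assumed shape of the reusable workflow)
name: Build
on:
  workflow_call:
    inputs:
      flake:
        description: Flake to build; the default wraps the tree to use DSP
        type: string
        default: ./packaging/secure-packages
      upload_artifacts:
        type: boolean
        default: true

jobs:
  build:
    runs-on: ubuntu-latest                 # assumed runner label
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - name: Build
        run: nix build "${{ inputs.flake }}#default" --print-build-logs   # "#default" is assumed
      - name: Flake check
        run: nix flake check "${{ inputs.flake }}"
      - name: Upload artifacts
        if: ${{ inputs.upload_artifacts }}  # skipped for the verification-only job
        uses: actions/upload-artifact@v4
        with:
          name: result
          path: result

---
# .github/workflows/ci.yml  (assumed shape of the caller)
name: CI
on:
  pull_request:
  merge_group:

jobs:
  build_x86_64-linux:
    uses: ./.github/workflows/build.yml
    # flake defaults to ./packaging/secure-packages, so this build uses DSP

  build_x86_64-linux_no_dsp:
    if: github.event_name == 'merge_group'
    uses: ./.github/workflows/build.yml
    with:
      flake: .                       # top-level flake: upstream Nixpkgs
      upload_artifacts: false

  success:
    runs-on: ubuntu-latest
    if: ${{ !cancelled() }}          # run even when a dependency was skipped
    needs:
      - build_x86_64-linux
      - build_x86_64-linux_no_dsp
    steps:
      - name: Fail on any failed or cancelled dependency
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        run: exit 1
```

The success job's explicit result check is what makes a failing build_x86_64-linux_no_dsp run block a merge_group merge, while a skipped run on an ordinary pull request still lets success pass.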

@github-actions github-actions Bot temporarily deployed to pull request May 18, 2026 21:14 Inactive
Claude made this. I don't know what's going on with print.html and I
don't care.
@github-actions github-actions Bot temporarily deployed to pull request May 18, 2026 21:22 Inactive
@github-actions github-actions Bot temporarily deployed to pull request May 18, 2026 22:02 Inactive
Labels: None yet
Projects: None yet

2 participants