Hotfix/cachix pin checks (#951)

F-WRunTime · web-flow · commit e23e477a3b53 · 2026-02-28T03:21:14.000Z
## Cachix Test Pin Workflow Updates - Addressing an issue when parsing the json blob incorrectly. Store paths returned by this call returns ALL associated pins to the kmir project and the associated architectures on that query. We look for 'latest' and compare is our desired artifact there, yes? done, else wait 5 seconds and try again. - The Cachix Test WF also now properly checks out the correct branch being modified and tested. Problem: Before it was checking out the target 'Git ref', if you're trying to fix / test changes to the script or the test WF it would pull the wrong code to run. This combo of script and WF allows now for developers to test / get a better view of what is on cachix, compare expectations to reality. - Release workflow should now also find the expected revision it just prodcued on cachix. ## NOTE - What remains in question. Is 120 seconds enough or do we need to allow more time for cachix to update and notify the pin was made. It is slow, how slow? Maybe longer than 2 minutes. Increase this wait time to 5 minutes if it fails again. For the most recent release I tested manually with the test workflow here: https://github.com/runtimeverification/mir-semantics/actions/runs/22501138031
diff --git a/.github/scripts/check-cachix-pin.sh b/.github/scripts/check-cachix-pin.sh
@@ -1,49 +1,86 @@
 #!/usr/bin/env bash
-set -xeuo pipefail
+set -euo pipefail
 
 # Kup relies on cachix registry k-framework-binary.
 CACHE="k-framework-binary"
-OWNER_REPO="$(git remote get-url origin | sed -E 's#(git@github.com:|https://github.com/)##; s#\.git$##')"
-REV="$(git rev-parse HEAD)"
-# Get the output of the nix build for kmir.
-OUT="$(nix build --no-link --json ".#kmir" | jq -r '.[0].outputs.out')"
-KEY="github:${OWNER_REPO}/${REV}#kmir"
+OWNER_REPO="${OWNER_REPO:-$(git remote get-url origin | sed -E 's#(git@github.com:|https://github.com/)##; s#\.git$##')}"
+REV="${REV:-${GITHUB_SHA:-$(git rev-parse HEAD)}}"
+UNAME_S="$(uname -s)"
+UNAME_M="$(uname -m)"
+case "${UNAME_S}-${UNAME_M}" in
+  Linux-x86_64) SYSTEM="x86_64-linux" ;;
+  Linux-aarch64 | Linux-arm64) SYSTEM="aarch64-linux" ;;
+  Darwin-x86_64) SYSTEM="x86_64-darwin" ;;
+  Darwin-arm64) SYSTEM="aarch64-darwin" ;;
+  *)
+    echo "Unsupported platform: ${UNAME_S}-${UNAME_M}" >&2
+    exit 1
+    ;;
+esac
+PIN_API_URL="https://app.cachix.org/api/v1/cache/${CACHE}/pin"
+CHECK_PACKAGES=(kmir kmir.rust)
 
 SUMMARY="${GITHUB_STEP_SUMMARY:-/dev/stdout}"
 
 {
   echo "## Cachix Publish Summary"
   echo "CACHE: $CACHE"
-  echo "OUT: $OUT"
-  echo "KEY: $KEY"
+  echo "OWNER_REPO: $OWNER_REPO"
+  echo "REV: $REV"
+  echo "SYSTEM: $SYSTEM"
+  echo "PACKAGES: ${CHECK_PACKAGES[*]}"
 } >> "$SUMMARY"
 
-# Verify push + pin together. Both can become visible with some delay.
-HASH="$(basename "$OUT" | cut -d- -f1)"
-PUSH_NARINFO_URL="https://${CACHE}.cachix.org/${HASH}.narinfo"
-PIN_API_URL="https://app.cachix.org/api/v1/cache/${CACHE}/pin"
+# Verify push + pin together for each package. Both can become visible with delay.
 PIN_VISIBILITY_TIMEOUT_SECONDS=120 # 2 minutes
 PIN_VISIBILITY_INTERVAL_SECONDS=5 # 5 seconds
 PIN_VISIBILITY_ATTEMPTS=$((PIN_VISIBILITY_TIMEOUT_SECONDS / PIN_VISIBILITY_INTERVAL_SECONDS))
 for i in $(seq 1 "$PIN_VISIBILITY_ATTEMPTS"); do
-  PUSH_STATUS="$(curl -sS -o /dev/null -w '%{http_code}' "$PUSH_NARINFO_URL")" || PUSH_STATUS="000"
-  if curl -fsSL "$PIN_API_URL" | jq -e --arg k "$KEY" 'any(.[]; .name == $k)' > /dev/null; then
+  PIN_JSON="$(curl -fsSL "${PIN_API_URL}?q=${REV}")"
+  ALL_OK=1
+
+  for PKG in "${CHECK_PACKAGES[@]}"; do
+    KEY="github:${OWNER_REPO}/${REV}#packages.${SYSTEM}.${PKG}"
+    STORE_PATH="$(
+      echo "$PIN_JSON" \
+        | jq -r --arg k "$KEY" 'map(select(.name == $k)) | first | (.lastRevision.storePath // .storePath // .store_path // .path // "")'
+    )"
+    if [ -z "$STORE_PATH" ]; then
+      PIN_STATUS="pin-missing"
+      PUSH_STATUS="000"
+      ALL_OK=0
+      {
+        echo "key-${PKG}: ${KEY}"
+        echo "pin-status-${PKG}: ${PIN_STATUS}"
+        echo "push-http-${PKG}: ${PUSH_STATUS}"
+      }
+      continue
+    fi
+
     PIN_STATUS="pin-ok"
-  else
-    PIN_STATUS="pin-missing"
-  fi
+    HASH="$(basename "$STORE_PATH" | cut -d- -f1)"
+    PUSH_NARINFO_URL="https://${CACHE}.cachix.org/${HASH}.narinfo"
+    PUSH_STATUS="$(curl -sS -o /dev/null -w '%{http_code}' "$PUSH_NARINFO_URL")" || PUSH_STATUS="000"
+    if [ "$PUSH_STATUS" != "200" ]; then
+      ALL_OK=0
+    fi
 
-  echo "push-http: ${PUSH_STATUS}" >> "$SUMMARY"
-  echo "pin-status: ${PIN_STATUS}" >> "$SUMMARY"
+    {
+      echo "key-${PKG}: ${KEY}"
+      echo "store-path-${PKG}: ${STORE_PATH}"
+      echo "pin-status-${PKG}: ${PIN_STATUS}"
+      echo "push-http-${PKG}: ${PUSH_STATUS}"
+    }
+  done
 
-  if [ "$PUSH_STATUS" = "200" ] && [ "$PIN_STATUS" = "pin-ok" ]; then
-    echo "cachix-status: push-and-pin-ok" >> "$SUMMARY"
+  if [ "$ALL_OK" = "1" ]; then
+    echo "cachix-status: push-and-pin-ok-for-all-packages" >> "$SUMMARY"
     exit 0
   fi
 
-  echo "cachix-check-attempt-${i}: not-ready, retrying in ${PIN_VISIBILITY_INTERVAL_SECONDS}s" >> "$SUMMARY"
+  echo "cachix-check-attempt-${i}: not-ready, retrying in ${PIN_VISIBILITY_INTERVAL_SECONDS}s"
   sleep "$PIN_VISIBILITY_INTERVAL_SECONDS"
 done
 
-echo "cachix-status: push-or-pin-missing-after-${PIN_VISIBILITY_TIMEOUT_SECONDS}s" >> "$SUMMARY"
+echo "cachix-status: push-or-pin-missing-after-${PIN_VISIBILITY_TIMEOUT_SECONDS}s-for-at-least-one-package" >> "$SUMMARY"
 exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -167,6 +167,8 @@ jobs:
         env:
           CACHIX_AUTH_TOKEN: '${{ secrets.CACHIX_PRIVATE_KFB_TOKEN }}'
           GC_DONT_GC: '1'
+          OWNER_REPO: '${{ github.repository }}'
+          REV: '${{ github.sha }}'
         with:
           packages: jq
           script: |
diff --git a/.github/workflows/test-cachix-pin.yml b/.github/workflows/test-cachix-pin.yml
@@ -15,14 +15,14 @@ jobs:
     steps:
       - name: 'Check out code'
         uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.ref }}
 
       - name: 'Verify cachix publish and pin'
         uses: workflow/nix-shell-action@v3
         env:
           CACHIX_AUTH_TOKEN: '${{ secrets.CACHIX_PRIVATE_KFB_TOKEN }}'
           GC_DONT_GC: '1'
+          OWNER_REPO: '${{ github.repository }}'
+          REV: '${{ inputs.ref }}'
         with:
           packages: jq
           script: bash .github/scripts/check-cachix-pin.sh
