feat(sccache): enable sccache for pgrx builds with per-PG-version cache keys

jfroche · yvan-sraka · commit 0024ea837eff · 2026-02-23T20:16:28.000+01:00
- Add sccache to buildPgrxExtension.nix nativeBuildInputs
- Enable sccache conditionally when /nix/var/cache/sccache is available
- Configure Nix with auto-allocate-uids and max-jobs=1 for consistent UID mapping
- Add cache_key field to github-matrix output for stickydisk grouping
- Fix postgresql_version extraction for packages with extra path levels
- Use per-postgres-version cache keys to reduce stickydisk conflicts
- Chown cache to UID 872415232 (auto-allocate-uids base) before builds
diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml
@@ -53,4 +53,7 @@ runs:
           trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
           ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}
           ${{ inputs.enable-sccache-sandbox-path == 'true' && 'extra-sandbox-paths = /nix/var/cache/sccache?' || '' }}
-          max-jobs = 4
+          max-jobs = 1
+          auto-allocate-uids = true
+          use-cgroups = true
+          experimental-features = nix-command flakes cgroups auto-allocate-uids
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -40,7 +40,7 @@ jobs:
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: useblacksmith/stickydisk@v1
         with:
-          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
           path: /nix/var/cache/sccache
       - name: Install nix (ephemeral)
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
@@ -57,10 +57,9 @@ jobs:
       - name: Allow sccache cache write access
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         run: |
-          sudo chgrp nixbld /nix/var/cache/sccache
-          sudo chmod 777 /nix/var/cache/sccache
-          sudo chmod g+s /nix/var/cache/sccache
-          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          sudo chown -R 872415232 /nix/var/cache/sccache
+          sudo chmod -R 2777 /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -85,7 +84,7 @@ jobs:
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: useblacksmith/stickydisk@v1
         with:
-          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
           path: /nix/var/cache/sccache
       - name: Install nix (ephemeral)
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
@@ -102,10 +101,9 @@ jobs:
       - name: Allow sccache cache write access
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         run: |
-          sudo chgrp nixbld /nix/var/cache/sccache
-          sudo chmod 777 /nix/var/cache/sccache
-          sudo chmod g+s /nix/var/cache/sccache
-          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          sudo chown -R 872415232 /nix/var/cache/sccache
+          sudo chmod -R 2777 /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -176,7 +174,7 @@ jobs:
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: useblacksmith/stickydisk@v1
         with:
-          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
           path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
@@ -190,10 +188,9 @@ jobs:
       - name: Allow sccache cache write access
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         run: |
-          sudo chgrp nixbld /nix/var/cache/sccache
-          sudo chmod 777 /nix/var/cache/sccache
-          sudo chmod g+s /nix/var/cache/sccache
-          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          sudo chown -R 872415232 /nix/var/cache/sccache
+          sudo chmod -R 2777 /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -218,7 +215,7 @@ jobs:
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: useblacksmith/stickydisk@v1
         with:
-          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
           path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
@@ -232,10 +229,9 @@ jobs:
       - name: Allow sccache cache write access
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         run: |
-          sudo chgrp nixbld /nix/var/cache/sccache
-          sudo chmod 777 /nix/var/cache/sccache
-          sudo chmod g+s /nix/var/cache/sccache
-          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          sudo chown -R 872415232 /nix/var/cache/sccache
+          sudo chmod -R 2777 /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
diff --git a/nix/cargo-pgrx/buildPgrxExtension.nix b/nix/cargo-pgrx/buildPgrxExtension.nix
@@ -169,7 +169,7 @@ let
         echo "sccache: cache directory available, enabling"
         export RUSTC_WRAPPER="${sccache}/bin/sccache"
         export SCCACHE_DIR="/nix/var/cache/sccache"
-        export SCCACHE_CACHE_SIZE="500G"
+        export SCCACHE_CACHE_SIZE="50G"
       else
         echo "sccache: cache directory not available, skipping"
       fi
diff --git a/nix/packages/github-matrix/github_matrix.py b/nix/packages/github-matrix/github_matrix.py
@@ -58,6 +58,7 @@ class GitHubActionPackage(TypedDict):
     system: System
     runs_on: RunsOnConfig
     postgresql_version: NotRequired[str]
+    cache_key: NotRequired[str]
 
 
 class NixEvalError(TypedDict):
@@ -213,8 +214,7 @@ def run_nix_eval_jobs(
 
 def is_extension_pkg(pkg: NixEvalJobsOutput) -> bool:
     """Check if the package is a postgresql extension package."""
-    attrs = pkg["attr"].split(".")
-    return attrs[-2] == "exts"
+    return ".exts." in pkg["attr"]
 
 
 # thank you buildbot-nix https://github.com/nix-community/buildbot-nix/blob/985d069a2a45cf4a571a4346107671adc2bd2a16/buildbot_nix/buildbot_nix/build_trigger.py#L297
@@ -251,6 +251,31 @@ def is_kvm_pkg(pkg: NixEvalJobsOutput) -> bool:
     return "kvm" in pkg.get("requiredSystemFeatures", [])
 
 
+def clean_package_for_output(pkg: NixEvalJobsOutput) -> GitHubActionPackage:
+    """Convert nix-eval-jobs output to GitHub Actions matrix package"""
+    runner = get_runner_for_package(pkg)
+    if runner is None:
+        raise ValueError(f"No runner configuration for system: {pkg['system']}")
+    returned_pkg: GitHubActionPackage = {
+        "attr": pkg["attr"],
+        "name": pkg["name"],
+        "system": pkg["system"],
+        "runs_on": runner,
+    }
+    if is_extension_pkg(pkg):
+        # Extract PostgreSQL version from attribute path
+        # e.g., legacyPackages.aarch64-linux.psql_17.exts.wrappers-pkgs.0_5_6
+        #   or  legacyPackages.aarch64-linux.psql_17.exts.pg_graphql
+        attrs = pkg["attr"].split(".")
+        exts_idx = attrs.index("exts")
+        pg_version = attrs[exts_idx - 1].split("_")[-1]
+        returned_pkg["postgresql_version"] = pg_version
+        returned_pkg["cache_key"] = f"pg{pg_version}"
+    else:
+        returned_pkg["cache_key"] = "shared"
+    return returned_pkg
+
+
 def get_runner_for_package(pkg: NixEvalJobsOutput) -> RunsOnConfig | None:
     """Determine the appropriate GitHub Actions runner for a package.
 
@@ -304,23 +329,6 @@ def main() -> None:
     packages, warnings_list, errors_list = run_nix_eval_jobs(cmd)
     gh_action_packages = sort_pkgs_by_closures(packages)
 
-    def clean_package_for_output(pkg: NixEvalJobsOutput) -> GitHubActionPackage:
-        """Convert nix-eval-jobs output to GitHub Actions matrix package"""
-        runner = get_runner_for_package(pkg)
-        if runner is None:
-            raise ValueError(f"No runner configuration for system: {pkg['system']}")
-        returned_pkg: GitHubActionPackage = {
-            "attr": pkg["attr"],
-            "name": pkg["name"],
-            "system": pkg["system"],
-            "runs_on": runner,
-        }
-        if is_extension_pkg(pkg):
-            # Extract PostgreSQL version from attribute path
-            attrs = pkg["attr"].split(".")
-            returned_pkg["postgresql_version"] = attrs[-3].split("_")[-1]
-        return returned_pkg
-
     # Group packages by system and type (checks vs packages)
     packages_by_system: Dict[System, List[GitHubActionPackage]] = defaultdict(list)
     checks_by_system: Dict[System, List[GitHubActionPackage]] = defaultdict(list)
diff --git a/nix/packages/github-matrix/tests/test_github_matrix.py b/nix/packages/github-matrix/tests/test_github_matrix.py
@@ -4,6 +4,7 @@
 
 from github_matrix import (
     NixEvalJobsOutput,
+    clean_package_for_output,
     get_runner_for_package,
     is_extension_pkg,
     is_kvm_pkg,
@@ -260,3 +261,80 @@ def test_dependency_order(self):
 
         result = sort_pkgs_by_closures([pkg1, pkg2])
         assert result == [pkg1, pkg2]
+
+
+class TestCleanPackageForOutput:
+    def test_extension_package_simple_path(self):
+        """Test extension package like pg_graphql with simple attr path"""
+        pkg: NixEvalJobsOutput = {
+            "attr": "legacyPackages.aarch64-linux.psql_17.exts.pg_graphql",
+            "attrPath": [
+                "legacyPackages",
+                "aarch64-linux",
+                "psql_17",
+                "exts",
+                "pg_graphql",
+            ],
+            "cacheStatus": "notBuilt",
+            "drvPath": "/nix/store/test.drv",
+            "name": "pg_graphql",
+            "system": "aarch64-linux",
+        }
+        result = clean_package_for_output(pkg)
+        assert result["postgresql_version"] == "17"
+        assert result["cache_key"] == "pg17"
+
+    def test_extension_package_versioned_path(self):
+        """Test extension package like wrappers with version suffix in attr path"""
+        pkg: NixEvalJobsOutput = {
+            "attr": "legacyPackages.aarch64-linux.psql_17.exts.wrappers-pkgs.0_5_6",
+            "attrPath": [
+                "legacyPackages",
+                "aarch64-linux",
+                "psql_17",
+                "exts",
+                "wrappers-pkgs",
+                "0_5_6",
+            ],
+            "cacheStatus": "notBuilt",
+            "drvPath": "/nix/store/test.drv",
+            "name": "wrappers-0.5.6",
+            "system": "aarch64-linux",
+        }
+        result = clean_package_for_output(pkg)
+        assert result["postgresql_version"] == "17"
+        assert result["cache_key"] == "pg17"
+
+    def test_extension_package_pg15(self):
+        """Test extension package with PostgreSQL 15"""
+        pkg: NixEvalJobsOutput = {
+            "attr": "legacyPackages.x86_64-linux.psql_15.exts.pg_cron",
+            "attrPath": [
+                "legacyPackages",
+                "x86_64-linux",
+                "psql_15",
+                "exts",
+                "pg_cron",
+            ],
+            "cacheStatus": "notBuilt",
+            "drvPath": "/nix/store/test.drv",
+            "name": "pg_cron",
+            "system": "x86_64-linux",
+        }
+        result = clean_package_for_output(pkg)
+        assert result["postgresql_version"] == "15"
+        assert result["cache_key"] == "pg15"
+
+    def test_non_extension_package(self):
+        """Test non-extension package gets shared cache key"""
+        pkg: NixEvalJobsOutput = {
+            "attr": "legacyPackages.x86_64-linux.psql_15",
+            "attrPath": ["legacyPackages", "x86_64-linux", "psql_15"],
+            "cacheStatus": "notBuilt",
+            "drvPath": "/nix/store/test.drv",
+            "name": "postgresql-15.0",
+            "system": "x86_64-linux",
+        }
+        result = clean_package_for_output(pkg)
+        assert "postgresql_version" not in result
+        assert result["cache_key"] == "shared"
