Replace the bespoke ci/publish.py attic-push logic with parity-lib's
mkAtticClosurePublish builder (attic-closure archetype, cluster#104,
emmett#44). Adds the parity input (locked at d265a79) and wires the
per-arch package closures through builders.mkAtticClosurePublish, with
the endpoint (nix-cache-upload.oleks.space) and passEntry
(infra/attic/ci_token) overridden so the attic push is byte-for-byte the
pre-parity behaviour.
.woodpecker/{amd64,arm64}.yaml thinned to PUBLISH=1 nix run .#publish /
.#publish-aarch64-linux so CI and a local run share one audited impl.
Dead ci/publish.py + ci/build.py removed.
pipeline-doctor: 9 passed / 0 failed / 0 warned.
attic-closure archetype: no parity-lib builder exists for attic pushes, so
wrap the existing per-arch package build in ci/publish.py (woodpecker-peek
pattern) and expose `nix run .#{stage,publish}-amd64` + `.#publish`.
Two-halves rule: STAGE nix-builds every package in the arch list into the
local store (emmett-buildable); PUBLISH additionally attic-pushes each
closure. Local runs DRY-RUN unless --push/PUBLISH=1; CI sets PUBLISH=1.
The .woodpecker/{amd64,arm64}.yaml now call the same ci/publish.py so CI
and local runs can't drift. arm64 stays node-bound (no emmett cross path),
so it has no local-parity app. ci/build.py becomes a forwarding shim.
Adds mcp-chrome as a flake input (mirroring the woodpecker-peek pattern)
and re-exposes two packages: mcp-chrome-wasm-simd (proven green, ~22 s)
and mcp-chrome-extension (KNOWN-BROKEN under nix-daemon; exposed for
local builds but kept out of the CI matrix to avoid red pipelines).
CI warms attic with mcp-chrome-wasm-simd on x86_64-linux and aarch64-linux
only; s390x cross and Darwin are out of scope.
Closes oleks/mcp-chrome#5.
Re-exposes oleks/woodpecker-peek as packages.<sys>.woodpecker-peek for
x86_64-linux and aarch64-linux, and adds it to ci/build.py so the
amd64/arm64 workflows push the closure to attic-infra-cache-k3s-1.
Consumers (emmett) then set services.woodpecker-peek.package = pkgs.woodpecker-peek
and pull the cached binary instead of rebuilding.
Add the renamed gitea-local-fork derivation to the Woodpecker
build matrix on x86_64 and aarch64 (the only platforms the
derivation supports — see flake.nix). Resulting closure is
pushed to attic-infra-cache-k3s-1 so subsequent
`just gitea-run` invocations resolve from cache rather than
recompile Go 1.26.3 locally.
Pipeline #41 died with exit 127 on `free -h` — procps isn't in the
nix-ci image. New info() helper runs the command and ignores the exit
code, so missing tools no longer abort the build. Also switched to
/proc/meminfo since it's always available on Linux.
google-antigravity pulls in google-chrome, which transitively builds
liberation-fonts; fontforge segfaults while generating the .ttf files
(pipeline #40). Package definitions stay in the flake for local
builds — re-enable in CI once upstream fontforge is fixed.
setup.sh now traces each command (set -ex) so /etc/hosts, nix.conf,
and netrc setup are visible in pipeline logs.
build.py replaces capture() with a streaming build() helper for
nix builds: stderr is inherited (live --print-build-logs output)
while stdout is captured for the out path. Also dumps nix version,
uname, disk, and memory at the start so failures have context.
- packages/xontribs.nix: xontrib-prompt-starship, -broot, -term-integrations
wheels for use with `programs.xonsh.extraPackages` (or xonsh.override)
- packages/hyprspace.nix + hyprspace flake input (flake=false): rebuild
plugin against the consumer's hyprland; exposed via overlays.hyprspace
- overlays/gcc15-fixes.nix: hotdoc/kitty/libsecret/xdg-desktop-portal/afdko
workarounds so fleet nodes on the same pin can opt in with one line
- flake.nix: lift overlays out of eachSystem to the root (overlays.default
was previously nested per-system, which doesn't match flake schema)
Move attic-client s390x cross-compilation from building/s390x/attic-client-s390x
and geesefs from building/s390x/geesefs-s390x into flake-hub. Replace ci/build.sh
with ci/build.xsh. All packages now built and pushed to attic via the existing
Woodpecker pipeline on push to main.