feat(lib): add foldImageLayers helper + formatter; refresh fleet pin
Lift the nix2container reproducible=false layer-chain helper (duplicated verbatim across ii-agent, ii-researcher, temporal-based-ci, mempalace image, ComfyUI) into parity.lib.foldImageLayers so the rationale lives in one place. Add nixfmt-rfc-style formatter and a foldImageLayers contract probe to the smoke check. Bump fleet-pins input to current HEAD.
Generated
+4
-4
@@ -59,11 +59,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1779533061,
|
"lastModified": 1780368078,
|
||||||
"narHash": "sha256-orWNYXtYURhEj3X4+xGMAhaEcKRvwXqTtJ8x2jV/M+Q=",
|
"narHash": "sha256-tLzA5XveUF4PfuKNz3KuhmVhuME3PX5zvtFa17hhQPU=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "b818e345ec4470e4b3e335bd2f864183c512116d",
|
"rev": "1626405d46ff3595b91c9e2d3ed9399f67c18b83",
|
||||||
"revCount": 13,
|
"revCount": 15,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.oleks.space/oleks/fleet-pins"
|
"url": "https://git.oleks.space/oleks/fleet-pins"
|
||||||
},
|
},
|
||||||
|
|||||||
@@ -28,9 +28,13 @@
|
|||||||
wrap =
|
wrap =
|
||||||
name: pkgs: args:
|
name: pkgs: args:
|
||||||
(builders pkgs).${name} args;
|
(builders pkgs).${name} args;
|
||||||
|
imageLayers = import ./lib/image-layers.nix;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
mkParityBuilders = builders;
|
mkParityBuilders = builders;
|
||||||
|
# Pkgs-independent nix2container layer-chain helper (lib/image-layers.nix):
|
||||||
|
# parity.lib.foldImageLayers buildLayer [ { deps = …; } … ]
|
||||||
|
inherit (imageLayers) foldImageLayers;
|
||||||
mkPyPiWheelPublish = wrap "mkPyPiWheelPublish";
|
mkPyPiWheelPublish = wrap "mkPyPiWheelPublish";
|
||||||
mkPyPiWheelPublishMulti = wrap "mkPyPiWheelPublishMulti";
|
mkPyPiWheelPublishMulti = wrap "mkPyPiWheelPublishMulti";
|
||||||
mkS390xNpmPublish = wrap "mkS390xNpmPublish";
|
mkS390xNpmPublish = wrap "mkS390xNpmPublish";
|
||||||
@@ -60,8 +64,15 @@
|
|||||||
text = ''exec bash ${./ci/pipeline-doctor.sh} "$@"'';
|
text = ''exec bash ${./ci/pipeline-doctor.sh} "$@"'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Smoke check: instantiate every builder with stub args so the apps eval.
|
# Smoke check: instantiate a builder with stub args so the apps eval, and
|
||||||
|
# exercise foldImageLayers with a stub buildLayer so its contract (each
|
||||||
|
# layer gets reproducible=false + the prior layers) can't silently break.
|
||||||
builders = import ./lib/builders.nix { inherit pkgs; };
|
builders = import ./lib/builders.nix { inherit pkgs; };
|
||||||
|
imageLayers = import ./lib/image-layers.nix;
|
||||||
|
layerProbe = imageLayers.foldImageLayers (c: c) [
|
||||||
|
{ deps = [ pkgs.hello ]; }
|
||||||
|
{ deps = [ pkgs.coreutils ]; }
|
||||||
|
];
|
||||||
smoke = pkgs.runCommand "parity-lib-smoke" { } ''
|
smoke = pkgs.runCommand "parity-lib-smoke" { } ''
|
||||||
: "${
|
: "${
|
||||||
builtins.toString (
|
builtins.toString (
|
||||||
@@ -74,6 +85,9 @@
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
}"
|
}"
|
||||||
|
${lib.optionalString (
|
||||||
|
builtins.length layerProbe != 2 || (builtins.elemAt layerProbe 1).reproducible
|
||||||
|
) ''echo "foldImageLayers contract broken" >&2; exit 1''}
|
||||||
touch $out
|
touch $out
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
@@ -90,6 +104,8 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
checks.smoke = smoke;
|
checks.smoke = smoke;
|
||||||
|
|
||||||
|
formatter = pkgs.nixfmt-rfc-style;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
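Review bot: The `layerProbe` guard in the smoke derivation checks less than the comment above it promises. It tests only the list length and the `reproducible` flag of the second element, so a regression that drops `layers = priorLayers` or leaves the first layer reproducible would still pass. Because the stub `buildLayer` is the identity function, the rest of the contract can be asserted in the same condition, for example by appending `|| (builtins.elemAt layerProbe 0).reproducible || builtins.length (builtins.elemAt layerProbe 1).layers != 1`. The body of the `toString` expression inside `smoke` lies between two hunks and is not visible here, so I cannot tell how many builders the smoke check still instantiates.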
|
|||||||
@@ -0,0 +1,37 @@
|
|||||||
|
# Pkgs-independent nix2container layer helpers, shared across the parity image
|
||||||
|
# repos (ii-agent, ii-researcher, temporal-based-ci, mempalace image,
|
||||||
|
# ComfyUI, …) so the reproducible=false rationale lives in exactly one place.
|
||||||
|
{
|
||||||
|
# foldImageLayers buildLayer layers
|
||||||
|
#
|
||||||
|
# buildLayer : nix2container's buildLayer function. Pass whichever attr the
|
||||||
|
# consumer's nix2container input exposes —
|
||||||
|
# `n2c.nix2container.buildLayer` or `n2c.buildLayer`.
|
||||||
|
# layers : list of buildLayer component attrsets (deps / copyToRoot /
|
||||||
|
# perms / …) in base→top order.
|
||||||
|
#
|
||||||
|
# Each layer is built referencing all prior layers, with reproducible = false.
|
||||||
|
# That is a DELIBERATE choice: it materialises each layer tar into the store so
|
||||||
|
# the image streams verbatim from any host (remote-builder + binary-cache safe)
|
||||||
|
# and avoids the cross-host "Digest did not match" that non-reproducible layer
|
||||||
|
# deps (fenix rust, libllvm, …) otherwise trigger via nix2container's lazy tar
|
||||||
|
# regeneration. Parity is asserted at the published digest, not byte-identical
|
||||||
|
# tars — mkNix2ContainerPublish enforces that contract downstream.
|
||||||
|
foldImageLayers =
|
||||||
|
buildLayer: layers:
|
||||||
|
let
|
||||||
|
mergeToLayer =
|
||||||
|
priorLayers: component:
|
||||||
|
priorLayers
|
||||||
|
++ [
|
||||||
|
(buildLayer (
|
||||||
|
component
|
||||||
|
// {
|
||||||
|
layers = priorLayers;
|
||||||
|
reproducible = false;
|
||||||
|
}
|
||||||
|
))
|
||||||
|
];
|
||||||
|
in
|
||||||
|
builtins.foldl' mergeToLayer [ ] layers;
|
||||||
|
}
|
||||||
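Review bot: In `mergeToLayer`, the update `component // { layers = priorLayers; reproducible = false; }` silently discards any `layers` or `reproducible` key a caller put on a component. A consumer who sets `reproducible = true` on one layer therefore gets a non-reproducible tar with no evaluation error. The header comment says `reproducible = false` is deliberate but not that it cannot be overridden, so I would add a line such as `# A component's own layers / reproducible keys are ignored; this helper always sets both.` If no existing consumer passes those keys, `assert !(component ? layers || component ? reproducible);` ahead of the `buildLayer` call would turn the silent override into an evaluation failure. With byte-level reproducibility given up here, the digest check the comment attributes to `mkNix2ContainerPublish` is the only remaining integrity contract, and that function is not part of this commit.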