From 1891fa1a56f929e26c4352726ddc4999bf89aab6 Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Mon, 11 May 2026 17:18:00 -0400
Subject: [PATCH 1/2] fix(ci): replace --no-build with disk cleanup for nix-validate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #298 added `--no-build` to keep the linux runner from exhausting disk on darwin source substitution. That worked for nix-home (whose module-eval was made lazy in a follow-up PR), but broke nix-darwin and nix-ai checks that reference derivation outputs across platforms — `--no-build` disables the substitution context realisation those checks rely on, producing: error: path '-inputs' is not valid error: path '-wrap-claude-command-...drv' is not valid Switch strategy: keep `--all-systems` (so darwin-only broken packages are still caught at evaluation) but drop `--no-build` and free ~30GB on the runner via jlumbroso/free-disk-space (Android SDK, .NET, Haskell, Docker images). Tool-cache (Node/Python/Go) and large-packages stay intact for other workflow steps. Universally compatible with existing consumer checks. No per-repo changes needed.
Assisted-by: Claude
---
 .github/workflows/_nix-validate.yml | 31 +++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/_nix-validate.yml b/.github/workflows/_nix-validate.yml
index 08eac92..577a008 100644
--- a/.github/workflows/_nix-validate.yml
+++ b/.github/workflows/_nix-validate.yml
@@ -34,6 +34,24 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v6

+ # Free ~30GB on the ubuntu-latest runner so `nix flake check --all-systems`
+ # has space to substitute darwin source paths (rustc-src, cctools,
+ # apple-sdk, etc.) without hitting "No space left on device". The default
+ # runner image has ~14GB free; nix-darwin / nix-ai darwin closures need
+ # noticeably more than that. Keeps tool-cache (Node/Python/Go) intact for
+ # downstream steps. Replaces an earlier --no-build attempt that broke
+ # consumer checks referencing derivation outputs across platforms.
+ - name: Free disk space
+ uses: jlumbroso/free-disk-space@main
+ with:
+ tool-cache: false
+ android: true
+ dotnet: true
+ haskell: true
+ large-packages: false
+ swap-storage: false
+ docker-images: true
+
 # determinate-nix-action@v3 is ONLY a Nix installer (replaced nix-installer-action@v21).
 # It does NOT include flake checking — that was a separate action (flake-checker-action).
 # Flake evaluation is handled by `nix flake check` below, not by the installer.
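Review bot: The new `Free disk space` step runs a third-party action after `Checkout`, and the checkout step shown has no `with:` block, so it keeps its default of persisting the job token for later steps in the job. Whatever code that action resolves to can therefore read the credential, on top of whatever the job's `permissions:` grant (declared outside this hunk). Disk cleanup does not appear to need the working tree, so the step could sit above `Checkout`, or checkout could set `persist-credentials: false` if no later step needs to push. The mutable `@main` ref and the missing runner gate on this step are changed by patch 2/2 of this series.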
@@ -62,12 +80,13 @@ jobs:
 nix-linux-${{ runner.os }}-

 - name: Check flake
- # --no-build: evaluate all systems' outputs without downloading/building
- # derivations. Catches broken-package and evaluation errors cross-platform
- # without exhausting disk on the linux runner (darwin packages like
- # rustc-src, cctools, apple-sdk would otherwise be downloaded) or hitting
- # "platform mismatch" build failures on aarch64-darwin-only derivations.
- run: nix flake check --all-systems --no-build --print-build-logs --show-trace --keep-going
+ # --all-systems evaluates outputs for every declared system to catch
+ # darwin-only broken packages from the linux runner. Disk cleanup above
+ # ensures source-path substitution for darwin closures fits. --no-build
+ # is intentionally NOT used here: it disables substitution context for
+ # input flakes which breaks consumer checks that reference derivation
+ # outputs across platforms (e.g. nix-darwin/nix-ai module-eval).
+ run: nix flake check --all-systems --print-build-logs --show-trace --keep-going

 - name: Save Nix Store Cache
 if: github.event_name == 'push' && steps.nix-cache.outputs.cache-hit != 'true'
From 93dfb86d1141fcca3f7f34d62ec303208bbbd7ec Mon Sep 17 00:00:00 2001
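Review bot: The replacement comment on `Check flake` explains why `--no-build` is gone but drops the removed comment's second reason, the "platform mismatch" build failures on aarch64-darwin-only derivations. With the flag removed, a reader cannot tell whether those failures are expected to return on the linux runner or whether `--keep-going` would hide them. The step also now realises derivations from the checked-out flake rather than only evaluating it, which matters if this reusable workflow is called for untrusted pull requests (the triggers are outside this hunk). A line such as `# Non-linux outputs are evaluated only; nothing darwin-specific is built here (confirm)` would record the intended behaviour once verified.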
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Mon, 11 May 2026 17:22:54 -0400
Subject: [PATCH 2/2] fix(ci): pin free-disk-space SHA and gate to ubuntu runners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Address Copilot review feedback on #299: - Pin jlumbroso/free-disk-space to v1.3.1 (SHA 54081f138730…) instead of @main. The action is outside renovate-presets.json trusted orgs, so SHA pinning is required. - Gate the step with `if: startsWith(inputs.runner_label, 'ubuntu-')` so self-hosted runners (RunsOn, etc.) are never touched. Removing preinstalled components on a long-lived self-hosted runner would damage shared state.
Assisted-by: Claude
---
 .github/workflows/_nix-validate.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/_nix-validate.yml b/.github/workflows/_nix-validate.yml
index 577a008..64d1007 100644
--- a/.github/workflows/_nix-validate.yml
+++ b/.github/workflows/_nix-validate.yml
@@ -41,8 +41,13 @@ jobs:
 # noticeably more than that. Keeps tool-cache (Node/Python/Go) intact for
 # downstream steps. Replaces an earlier --no-build attempt that broke
 # consumer checks referencing derivation outputs across platforms.
+ #
+ # Gated to ubuntu-* runners only — never run on a self-hosted runner
+ # (RunsOn etc.), where removing preinstalled components would damage
+ # long-lived state.
 - name: Free disk space
- uses: jlumbroso/free-disk-space@main
+ if: startsWith(inputs.runner_label, 'ubuntu-')
+ uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
 with:
 tool-cache: false
 android: true
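Review bot: The gate `if: startsWith(inputs.runner_label, 'ubuntu-')` tests a caller-supplied label string rather than where the job actually runs, so a self-hosted runner registered under a label beginning with `ubuntu-` would still have its preinstalled components removed. The runner context reports this directly, and `if: runner.environment == 'github-hosted' && runner.os == 'Linux'` would express the intent stated in the comment without depending on label naming. `inputs.runner_label` is declared outside this hunk, so its permitted values cannot be checked from here. It is also worth confirming that the pinned SHA is the commit the `v1.3.1` tag points to, since the trailing `# v1.3.1` comment is not verified by anything at run time.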