build(nix): add per-crate crane workspace builds #1652
2adab70 to 3db6ac8
/ok-to-test deea799
/ok-to-test ab56476
/ok-to-test 1036e11
/ok-to-test 37097f1
37097f1 to 58bafc4
/ok-to-test 58bafc4
58bafc4 to 1912489
/ok-to-test 1912489
/ok-to-test 8ac1241
/ok-to-test 886053a
Does this mean that we've removed the e2e tests?
| openshell-vfio-test | ||
| cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }} | ||
|
|
||
| lint: |
Does this mean that the lint step is run after the test step?
| fi | ||
| exit 0 | ||
|
|
||
| python: |
Should we still run a python linter?
| - name: Test | ||
| run: mise run test:python | ||
|
|
||
| markdown: |
I didn't see a markdown linter in the nix targets.
| exit 1 | ||
| fi | ||
|
|
||
| license-headers: |
Is this the same as the spdx-headers nix check?
| description = "OpenShell development environment"; | ||
|
|
||
| nixConfig = { | ||
| extra-substituters = [ "https://openshell.cachix.org" ]; |
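Review bot: on the `extra-substituters` line in `nixConfig`, only the cache URL is visible here, and a substituter is only as trustworthy as the signing key its store paths are verified against. Confirm that a matching `extra-trusted-public-keys` entry sits next to it, and add a comment above the block saying what the cache is for and who is allowed to push to it, so a reader of `flake.nix` does not have to ask.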
Can you expand on what this does?
This is responsible for the caching. This is a temporary hosted cache for you to try out the caching feature. Only CI can push to it but everyone can pull.
| crates = { | ||
| openshell = workspaceCrates.openshell-cli.package; | ||
| openshell-gateway = workspaceCrates.openshell-server.package; | ||
| openshell-sandbox = workspaceCrates.openshell-sandbox.package; | ||
| openshell-driver-vm = workspaceCrates.openshell-driver-vm.package; | ||
| openshell-driver-kubernetes = workspaceCrates.openshell-driver-kubernetes.package; | ||
| openshell-driver-podman = workspaceCrates.openshell-driver-podman.package; | ||
| }; |
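Review bot: in the `crates` attrset, two output names differ from the workspace crate they are built from (`openshell` from `openshell-cli`, `openshell-gateway` from `openshell-server`) while the other four match. A short comment stating the rule for which crates belong in this set, and why those two are renamed, would save the next reader from checking each manifest.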
This looks like a subset of our crates. What's special about these?
These are the only crates that produce binaries afaik.
| openshell-bootstrap-test | ||
| openshell-cli-test | ||
| openshell-core-test | ||
| openshell-driver-docker-test | ||
| openshell-driver-kubernetes-test | ||
| openshell-driver-podman-test | ||
| openshell-driver-vm-test | ||
| openshell-ocsf-test | ||
| openshell-policy-test | ||
| openshell-prover-test | ||
| openshell-providers-test | ||
| openshell-router-test | ||
| openshell-sandbox-test | ||
| openshell-server-macros-test | ||
| openshell-server-test | ||
| openshell-tui-test | ||
| openshell-vfio-test |
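Review bot: this hand-written list of `*-test` names has to be kept in step with the workspace manually, so a crate added later without a matching entry would be left out of the checks with no error. Consider generating the names from the workspace crate set (for example by mapping over its attribute names and appending `-test`) so the list cannot drift.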
This is somewhat of an arbitrary location to start the 🧵, but one that jumped out as I'm reviewing is how often we need to repeat crate names. Is that assessment right? Is this something we can improve on?
It depends, we can definitely store this in a variable. I just wanted to be as explicit as possible but we can definitely make it shorter.
886053a to 2fbf7e3
Add crane-based package outputs for the main OpenShell crates and a default symlinkJoin package. The new workspace helper derives each crate's transitive workspace dependency closure, builds from minimal source trees, and declares the assets each crate needs at compile time.
Build each crate in three layers:
1. crates.io dependencies with crane buildDepsOnly
2. first-party workspace dependency libraries
3. the final real crate
The workspace-libs layer builds the selected package with the same `-p <crate>` selection as final so Cargo feature unification matches, but overlays a crane-generated dummy source for the leaf crate. After that layer builds, remove the dummy leaf artifacts with `cargo clean --release -p <crate>` so the final layer cannot reuse or package stub outputs. This lets leaf edits reuse cached first-party libs while still compiling and linking the real leaf crate.
Add explicit `[lib]` target names and `path = "src/lib.rs"` entries to workspace crates. The Nix source minimizer keeps every member Cargo.toml but omits source trees outside the selected crate closure; explicit target paths let Cargo resolve those member manifests without relying on auto-discovery of files that are intentionally absent. They also give crane's dummy source generation a stable target shape.
Guard the openshell-core build script's `.git` rerun paths so Cargo does not mark core dirty in Nix source trees where `.git` is absent. Without this, core recompiled in the final layer and cascaded into its dependents.
Known limitation: the VM driver package is wired into the flake, but the Nix build does not yet provide the compressed VM runtime artifacts that openshell-driver-vm embeds. For now that crate builds via its stub-resource fallback rather than producing a fully usable VM driver package.
Ignore Nix `result*` symlinks created by local builds.
Signed-off-by: Simon Scatton <sscatton@nvidia.com>
Signed-off-by: Evan Lezar <elezar@nvidia.com>
adf92e7 to eab1d5e
Add crane-based package outputs for the main OpenShell crates and a default symlinkJoin package. The new workspace helper derives each crate's transitive workspace dependency closure, builds from minimal source trees, and declares the assets each crate needs at compile time.
Build each crate in three layers:
1. crates.io dependencies with crane buildDepsOnly
2. first-party workspace dependency libraries
3. the final real crate
The workspace-libs layer builds the selected package with the same `-p <crate>` selection as final so Cargo feature unification matches, but overlays a crane-generated dummy source for the leaf crate. After that layer builds, remove the dummy leaf artifacts with `cargo clean --release -p <crate>` so the final layer cannot reuse or package stub outputs. This lets leaf edits reuse cached first-party libs while still compiling and linking the real leaf crate.
Add explicit `[lib]` target names and `path = "src/lib.rs"` entries to workspace crates. The Nix source minimizer keeps every member Cargo.toml but omits source trees outside the selected crate closure; explicit target paths let Cargo resolve those member manifests without relying on auto-discovery of files that are intentionally absent. They also give crane's dummy source generation a stable target shape.
Guard the openshell-core build script's `.git` rerun paths so Cargo does not mark core dirty in Nix source trees where `.git` is absent. Without this, core recompiled in the final layer and cascaded into its dependents.
Known limitation: the VM driver package is wired into the flake, but the Nix build does not yet provide the compressed VM runtime artifacts that openshell-driver-vm embeds. For now that crate builds via its stub-resource fallback rather than producing a fully usable VM driver package.
Ignore Nix `result*` symlinks created by local builds.
Summary
Related Issue
Changes
Testing
`mise run pre-commit` passes
Checklist
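The `.git` rerun-path guard described in the commit message, sketched as an added example; it is not the openshell-core build script. `GIT_PATHS`, the function names and the assumption that the crate directory is the repository root are all hypothetical.

```rust
use std::path::Path;

// Assumed set of git metadata paths; the project's real list is not shown on the page.
const GIT_PATHS: &[&str] = &[".git/HEAD", ".git/index"];

fn directive(p: &Path) -> String {
    format!("cargo:rerun-if-changed={}", p.display())
}

/// Unguarded form: emits every directive, even when `.git` is absent.
pub fn unguarded_directives(root: &Path) -> Vec<String> {
    GIT_PATHS.iter().map(|rel| directive(&root.join(rel))).collect()
}

/// Guarded form: emits a directive only for paths that exist in this source tree.
pub fn guarded_directives(root: &Path) -> Vec<String> {
    GIT_PATHS
        .iter()
        .map(|rel| root.join(rel))
        .filter(|p| p.exists())
        .map(|p| directive(&p))
        .collect()
}

/// Paths named by the directives that are missing on disk. Cargo treats a
/// missing rerun-if-changed path as changed, so any entry returned here
/// makes the crate (and everything depending on it) rebuild every time.
pub fn always_stale(directives: &[String]) -> Vec<String> {
    directives
        .iter()
        .filter_map(|d| d.strip_prefix("cargo:rerun-if-changed="))
        .filter(|p| !Path::new(p).exists())
        .map(str::to_string)
        .collect()
}

fn main() {
    // Assumption: the crate directory is the repository root.
    let root = std::env::var("CARGO_MANIFEST_DIR").unwrap_or_else(|_| ".".to_string());
    // Always emit at least one directive; with none, Cargo falls back to
    // watching every file in the package.
    println!("cargo:rerun-if-changed=build.rs");
    for line in guarded_directives(Path::new(&root)) {
        println!("{line}");
    }
}
```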