nix-installer-action/src/index.ts
2024-05-15 20:45:00 +00:00

1005 lines
32 KiB
TypeScript
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

import * as actionsCore from "@actions/core";
import * as github from "@actions/github";
import * as actionsExec from "@actions/exec";
import { access, writeFile, readFile } from "node:fs/promises";
import { join } from "node:path";
import fs from "node:fs";
import { userInfo } from "node:os";
import stringArgv from "string-argv";
import * as path from "path";
import { IdsToolbox, inputs, platform } from "detsys-ts";
import { randomUUID } from "node:crypto";
// Nix installation events
const EVENT_INSTALL_NIX_FAILURE = "install_nix_failure";
const EVENT_INSTALL_NIX_START = "install_nix_start";
const EVENT_INSTALL_NIX_SUCCESS = "install_nix_start";
const EVENT_SETUP_KVM = "setup_kvm";
const EVENT_UNINSTALL_NIX = "uninstall";
// Docker events
const EVENT_CLEAN_UP_DOCKER_SHIM = "clean_up_docker_shim";
const EVENT_START_DOCKER_SHIM = "start_docker_shim";
// FlakeHub events
const EVENT_LOGIN_TO_FLAKEHUB = "login_to_flakehub";
// Other events
const EVENT_CONCLUDE_WORKFLOW = "conclude_workflow";
// Facts
const FACT_HAS_DOCKER = "has_docker";
const FACT_HAS_SYSTEMD = "has_systemd";
const FACT_IN_GITHUB_ACTIONS = "in_act";
const FACT_IN_NAMESPACE_SO = "in_namespace_so";
const FACT_NIX_INSTALLER_PLANNER = "nix_installer_planner";
class NixInstallerAction {
idslib: IdsToolbox;
platform: string;
nixPackageUrl: string | null;
backtrace: string | null;
extraArgs: string | null;
extraConf: string[] | null;
flakehub: boolean;
kvm: boolean;
githubServerUrl: string | null;
githubToken: string | null;
forceDockerShim: boolean | null;
init: string | null;
localRoot: string | null;
logDirectives: string | null;
logger: string | null;
sslCertFile: string | null;
proxy: string | null;
macCaseSensitive: string | null;
macEncrypt: string | null;
macRootDisk: string | null;
macVolumeLabel: string | null;
modifyProfile: boolean;
nixBuildGroupId: number | null;
nixBuildGroupName: string | null;
nixBuildUserBase: number | null;
nixBuildUserCount: number | null;
nixBuildUserPrefix: string | null;
planner: string | null;
reinstall: boolean;
startDaemon: boolean;
trustRunnerUser: boolean | null;
constructor() {
this.idslib = new IdsToolbox({
name: "nix-installer",
fetchStyle: "nix-style",
legacySourcePrefix: "nix-installer",
requireNix: "ignore",
});
this.platform = platform.getNixPlatform(platform.getArchOs());
this.nixPackageUrl = inputs.getStringOrNull("nix-package-url");
this.backtrace = inputs.getStringOrNull("backtrace");
this.extraArgs = inputs.getStringOrNull("extra-args");
this.extraConf = inputs.getMultilineStringOrNull("extra-conf");
this.flakehub = inputs.getBool("flakehub");
this.kvm = inputs.getBool("kvm");
this.forceDockerShim = inputs.getBool("force-docker-shim");
this.githubToken = inputs.getStringOrNull("github-token");
this.githubServerUrl = inputs.getStringOrNull("github-server-url");
this.init = inputs.getStringOrNull("init");
this.localRoot = inputs.getStringOrNull("local-root");
this.logDirectives = inputs.getStringOrNull("log-directives");
this.logger = inputs.getStringOrNull("logger");
this.sslCertFile = inputs.getStringOrNull("ssl-cert-file");
this.proxy = inputs.getStringOrNull("proxy");
this.macCaseSensitive = inputs.getStringOrNull("mac-case-sensitive");
this.macEncrypt = inputs.getStringOrNull("mac-encrypt");
this.macRootDisk = inputs.getStringOrNull("mac-root-disk");
this.macVolumeLabel = inputs.getStringOrNull("mac-volume-label");
this.modifyProfile = inputs.getBool("modify-profile");
this.nixBuildGroupId = inputs.getNumberOrNull("nix-build-group-id");
this.nixBuildGroupName = inputs.getStringOrNull("nix-build-group-name");
this.nixBuildUserBase = inputs.getNumberOrNull("nix-build-user-base");
this.nixBuildUserCount = inputs.getNumberOrNull("nix-build-user-count");
this.nixBuildUserPrefix = inputs.getStringOrNull("nix-build-user-prefix");
this.planner = inputs.getStringOrNull("planner");
this.reinstall = inputs.getBool("reinstall");
this.startDaemon = inputs.getBool("start-daemon");
this.trustRunnerUser = inputs.getBool("trust-runner-user");
}
async detectAndForceDockerShim(): Promise<void> {
const runnerOs = process.env["RUNNER_OS"];
// Detect if we're in a GHA runner which is Linux, doesn't have Systemd, and does have Docker.
// This is a common case in self-hosted runners, providers like [Namespace](https://namespace.so/),
// and especially GitHub Enterprise Server.
if (runnerOs !== "Linux") {
if (this.forceDockerShim) {
actionsCore.warning(
"Ignoring force-docker-shim which is set to true, as it is only supported on Linux.",
);
this.forceDockerShim = false;
}
return;
}
const systemdCheck = fs.statSync("/run/systemd/system", {
throwIfNoEntry: false,
});
if (systemdCheck?.isDirectory()) {
if (this.forceDockerShim) {
actionsCore.warning(
"Systemd is detected, but ignoring it since force-docker-shim is enabled.",
);
} else {
this.idslib.addFact(FACT_HAS_SYSTEMD, true);
return;
}
}
this.idslib.addFact(FACT_HAS_SYSTEMD, false);
actionsCore.debug(
"Linux detected without systemd, testing for Docker with `docker info` as an alternative daemon supervisor.",
);
this.idslib.addFact(FACT_HAS_DOCKER, false); // Set to false here, and only in the success case do we set it to true
let exitCode;
try {
exitCode = await actionsExec.exec("docker", ["info"], {
silent: true,
listeners: {
stdout: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
stderr: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
},
});
} catch {
actionsCore.debug("Docker not detected, not enabling docker shim.");
return;
}
if (exitCode !== 0) {
if (this.forceDockerShim) {
actionsCore.warning(
"docker info check failed, but trying anyway since force-docker-shim is enabled.",
);
} else {
return;
}
}
this.idslib.addFact(FACT_HAS_DOCKER, true);
if (
!this.forceDockerShim &&
(await this.detectDockerWithMountedDockerSocket())
) {
actionsCore.debug(
"Detected a Docker container with a Docker socket mounted, not enabling docker shim.",
);
return;
}
actionsCore.startGroup(
"Enabling the Docker shim for running Nix on Linux in CI without Systemd.",
);
if (this.init !== "none") {
actionsCore.info(`Changing init from '${this.init}' to 'none'`);
this.init = "none";
}
if (this.planner !== "linux") {
actionsCore.info(`Changing planner from '${this.planner}' to 'linux'`);
this.planner = "linux";
}
this.forceDockerShim = true;
actionsCore.endGroup();
}
// Detect if we are running under `act` or some other system which is not using docker-in-docker,
// and instead using a mounted docker socket.
// In the case of the socket mount solution, the shim will cause issues since the given mount paths will
// equate to mount paths on the host, not mount paths to the docker container in question.
async detectDockerWithMountedDockerSocket(): Promise<boolean> {
let cgroupsBuffer;
try {
// If we are inside a docker container, the last line of `/proc/self/cgroup` should be
// 0::/docker/$SOME_ID
//
// If we are not, the line will likely be `0::/`
cgroupsBuffer = await readFile("/proc/self/cgroup", {
encoding: "utf-8",
});
} catch (e) {
actionsCore.debug(
`Did not detect \`/proc/self/cgroup\` existence, bailing on docker container ID detection:\n${e}`,
);
return false;
}
const cgroups = cgroupsBuffer.trim().split("\n");
const lastCgroup = cgroups[cgroups.length - 1];
const lastCgroupParts = lastCgroup.split(":");
const lastCgroupPath = lastCgroupParts[lastCgroupParts.length - 1];
if (!lastCgroupPath.includes("/docker/")) {
actionsCore.debug(
"Did not detect a container ID, bailing on docker.sock detection",
);
return false;
}
// We are in a docker container, now to determine if this container is visible from
// the `docker` command, and if so, if there is a `docker.socket` mounted.
const lastCgroupPathParts = lastCgroupPath.split("/");
const containerId = lastCgroupPathParts[lastCgroupPathParts.length - 1];
// If we cannot `docker inspect` this discovered container ID, we'll fall through to the `catch` below.
let stdoutBuffer = "";
let stderrBuffer = "";
let exitCode;
try {
exitCode = await actionsExec.exec("docker", ["inspect", containerId], {
silent: true,
listeners: {
stdout: (data: Buffer) => {
stdoutBuffer += data.toString("utf-8");
},
stderr: (data: Buffer) => {
stderrBuffer += data.toString("utf-8");
},
},
});
} catch (e) {
actionsCore.debug(
`Could not execute \`docker inspect ${containerId}\`, bailing on docker container inspection:\n${e}`,
);
return false;
}
if (exitCode !== 0) {
actionsCore.debug(
`Unable to inspect detected docker container with id \`${containerId}\`, bailing on container inspection (exit ${exitCode}):\n${stderrBuffer}`,
);
return false;
}
const output = JSON.parse(stdoutBuffer);
// `docker inspect $ID` prints an array containing objects.
// In our use case, we should only see 1 item in the array.
if (output.length !== 1) {
actionsCore.debug(
`Got \`docker inspect ${containerId}\` output which was not one item (was ${output.length}), bailing on docker.sock detection.`,
);
return false;
}
const item = output[0];
// On this array item we want the `Mounts` field, which is an array
// containing `{ Type, Source, Destination, Mode}`.
// We are looking for a `Destination` ending with `docker.sock`.
const mounts = item["Mounts"];
if (typeof mounts !== "object") {
actionsCore.debug(
`Got non-object in \`Mounts\` field of \`docker inspect ${containerId}\` output, bailing on docker.sock detection.`,
);
return false;
}
let foundDockerSockMount = false;
for (const mount of mounts) {
const destination = mount["Destination"];
if (typeof destination === "string") {
if (destination.endsWith("docker.sock")) {
foundDockerSockMount = true;
break;
}
}
}
return foundDockerSockMount;
}
private async executionEnvironment(): Promise<ExecuteEnvironment> {
const executionEnv: ExecuteEnvironment = {};
const runnerOs = process.env["RUNNER_OS"];
executionEnv.NIX_INSTALLER_NO_CONFIRM = "true";
executionEnv.NIX_INSTALLER_DIAGNOSTIC_ATTRIBUTION = JSON.stringify(
this.idslib.getCorrelationHashes(),
);
if (this.backtrace !== null) {
executionEnv.RUST_BACKTRACE = this.backtrace;
}
if (this.modifyProfile !== null) {
if (this.modifyProfile) {
executionEnv.NIX_INSTALLER_MODIFY_PROFILE = "true";
} else {
executionEnv.NIX_INSTALLER_MODIFY_PROFILE = "false";
}
}
if (this.nixBuildGroupId !== null) {
executionEnv.NIX_INSTALLER_NIX_BUILD_GROUP_ID = `${this.nixBuildGroupId}`;
}
if (this.nixBuildGroupName !== null) {
executionEnv.NIX_INSTALLER_NIX_BUILD_GROUP_NAME = this.nixBuildGroupName;
}
if (this.nixBuildUserPrefix !== null) {
executionEnv.NIX_INSTALLER_NIX_BUILD_USER_PREFIX =
this.nixBuildUserPrefix;
}
if (this.nixBuildUserCount !== null) {
executionEnv.NIX_INSTALLER_NIX_BUILD_USER_COUNT = `${this.nixBuildUserCount}`;
}
if (this.nixBuildUserBase !== null) {
executionEnv.NIX_INSTALLER_NIX_BUILD_USER_ID_BASE = `${this.nixBuildUserCount}`;
}
if (this.nixPackageUrl !== null) {
executionEnv.NIX_INSTALLER_NIX_PACKAGE_URL = `${this.nixPackageUrl}`;
}
if (this.proxy !== null) {
executionEnv.NIX_INSTALLER_PROXY = this.proxy;
}
if (this.sslCertFile !== null) {
executionEnv.NIX_INSTALLER_SSL_CERT_FILE = this.sslCertFile;
}
executionEnv.NIX_INSTALLER_DIAGNOSTIC_ENDPOINT =
this.idslib.getDiagnosticsUrl()?.toString() ?? "";
// TODO: Error if the user uses these on not-MacOS
if (this.macEncrypt !== null) {
if (runnerOs !== "macOS") {
throw new Error("`mac-encrypt` while `$RUNNER_OS` was not `macOS`");
}
executionEnv.NIX_INSTALLER_ENCRYPT = this.macEncrypt;
}
if (this.macCaseSensitive !== null) {
if (runnerOs !== "macOS") {
throw new Error(
"`mac-case-sensitive` while `$RUNNER_OS` was not `macOS`",
);
}
executionEnv.NIX_INSTALLER_CASE_SENSITIVE = this.macCaseSensitive;
}
if (this.macVolumeLabel !== null) {
if (runnerOs !== "macOS") {
throw new Error(
"`mac-volume-label` while `$RUNNER_OS` was not `macOS`",
);
}
executionEnv.NIX_INSTALLER_VOLUME_LABEL = this.macVolumeLabel;
}
if (this.macRootDisk !== null) {
if (runnerOs !== "macOS") {
throw new Error("`mac-root-disk` while `$RUNNER_OS` was not `macOS`");
}
executionEnv.NIX_INSTALLER_ROOT_DISK = this.macRootDisk;
}
if (this.logger !== null) {
executionEnv.NIX_INSTALLER_LOGGER = this.logger;
}
if (this.logDirectives !== null) {
executionEnv.NIX_INSTALLER_LOG_DIRECTIVES = this.logDirectives;
}
// TODO: Error if the user uses these on MacOS
if (this.init !== null) {
if (runnerOs === "macOS") {
throw new Error(
"`init` is not a valid option when `$RUNNER_OS` is `macOS`",
);
}
executionEnv.NIX_INSTALLER_INIT = this.init;
}
if (this.startDaemon !== null) {
if (this.startDaemon) {
executionEnv.NIX_INSTALLER_START_DAEMON = "true";
} else {
executionEnv.NIX_INSTALLER_START_DAEMON = "false";
}
}
let extraConf = "";
if (this.githubServerUrl !== null && this.githubToken !== null) {
const serverUrl = this.githubServerUrl.replace("https://", "");
extraConf += `access-tokens = ${serverUrl}=${this.githubToken}`;
extraConf += "\n";
}
if (this.trustRunnerUser !== null) {
const user = userInfo().username;
if (user) {
extraConf += `trusted-users = root ${user}`;
} else {
extraConf += `trusted-users = root`;
}
extraConf += "\n";
}
if (this.flakehub) {
try {
const flakeHubNetrcFile = await this.flakehubLogin();
extraConf += `netrc-file = ${flakeHubNetrcFile}`;
extraConf += "\n";
} catch (e) {
actionsCore.warning(`Failed to set up FlakeHub: ${e}`);
}
}
if (this.extraConf !== null && this.extraConf.length !== 0) {
extraConf += this.extraConf.join("\n");
extraConf += "\n";
}
executionEnv.NIX_INSTALLER_EXTRA_CONF = extraConf;
if (process.env["ACT"] && !process.env["NOT_ACT"]) {
this.idslib.addFact(FACT_IN_GITHUB_ACTIONS, true);
actionsCore.info(
"Detected `$ACT` environment, assuming this is a https://github.com/nektos/act created container, set `NOT_ACT=true` to override this. This will change the setting of the `init` to be compatible with `act`",
);
executionEnv.NIX_INSTALLER_INIT = "none";
}
if (process.env["NSC_VM_ID"] && !process.env["NOT_NAMESPACE"]) {
this.idslib.addFact(FACT_IN_NAMESPACE_SO, true);
actionsCore.info(
"Detected Namespace runner, assuming this is a https://namespace.so created container, set `NOT_NAMESPACE=true` to override this. This will change the setting of the `init` to be compatible with Namespace",
);
executionEnv.NIX_INSTALLER_INIT = "none";
}
return executionEnv;
}
private async executeInstall(binaryPath: string): Promise<number> {
const executionEnv = await this.executionEnvironment();
actionsCore.debug(
`Execution environment: ${JSON.stringify(executionEnv, null, 4)}`,
);
const args = ["install"];
if (this.planner) {
this.idslib.addFact(FACT_NIX_INSTALLER_PLANNER, this.planner);
args.push(this.planner);
} else {
this.idslib.addFact(FACT_NIX_INSTALLER_PLANNER, getDefaultPlanner());
args.push(getDefaultPlanner());
}
if (this.extraArgs) {
const extraArgs = stringArgv(this.extraArgs);
args.concat(extraArgs);
}
this.idslib.recordEvent(EVENT_INSTALL_NIX_START);
const exitCode = await actionsExec.exec(binaryPath, args, {
env: {
...executionEnv,
...process.env, // To get $PATH, etc
},
});
if (exitCode !== 0) {
this.idslib.recordEvent(EVENT_INSTALL_NIX_FAILURE, {
exitCode,
});
throw new Error(`Non-zero exit code of \`${exitCode}\` detected`);
}
this.idslib.recordEvent(EVENT_INSTALL_NIX_SUCCESS);
return exitCode;
}
async install(): Promise<void> {
const existingInstall = await this.detectExisting();
if (existingInstall) {
if (this.reinstall) {
// We need to uninstall, then reinstall
actionsCore.info(
"Nix was already installed, `reinstall` is set, uninstalling for a reinstall",
);
await this.executeUninstall();
} else {
// We're already installed, and not reinstalling, just set GITHUB_PATH and finish early
await this.setGithubPath();
actionsCore.info("Nix was already installed, using existing install");
return;
}
}
if (this.kvm) {
actionsCore.startGroup("Configuring KVM");
if (await this.setupKvm()) {
actionsCore.endGroup();
actionsCore.info("\u001b[32m Accelerated KVM is enabled \u001b[33m⚡");
actionsCore.exportVariable("DETERMINATE_NIX_KVM", "1");
} else {
actionsCore.endGroup();
actionsCore.info("KVM is not available.");
actionsCore.exportVariable("DETERMINATE_NIX_KVM", "0");
}
}
// Normal just doing of the install
actionsCore.startGroup("Installing Nix");
const binaryPath = await this.fetchBinary();
await this.executeInstall(binaryPath);
actionsCore.endGroup();
if (this.forceDockerShim) {
await this.spawnDockerShim();
}
await this.setGithubPath();
}
async spawnDockerShim(): Promise<void> {
actionsCore.startGroup(
"Configuring the Docker shim as the Nix Daemon's process supervisor",
);
const images: { [key: string]: string } = {
X64: path.join(__dirname, "/../docker-shim/amd64.tar.gz"),
ARM64: path.join(__dirname, "/../docker-shim/arm64.tar.gz"),
};
const runnerArch = process.env["RUNNER_ARCH"];
let arch;
if (runnerArch === "X64") {
arch = "X64";
} else if (runnerArch === "ARM64") {
arch = "ARM64";
} else {
throw Error("Architecture not supported in Docker shim mode.");
}
actionsCore.debug("Loading image: determinate-nix-shim:latest...");
{
const exitCode = await actionsExec.exec(
"docker",
["image", "load", "--input", images[arch]],
{
silent: true,
listeners: {
stdout: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
stderr: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
},
},
);
if (exitCode !== 0) {
throw new Error(
`Failed to build the shim image, exit code: \`${exitCode}\``,
);
}
}
{
actionsCore.debug("Starting the Nix daemon through Docker...");
this.idslib.recordEvent(EVENT_START_DOCKER_SHIM);
const exitCode = await actionsExec.exec(
"docker",
[
"--log-level=debug",
"run",
"--detach",
"--privileged",
"--network=host",
"--userns=host",
"--pid=host",
"--mount",
"type=bind,src=/bin,dst=/bin,readonly",
"--mount",
"type=bind,src=/lib,dst=/lib,readonly",
"--mount",
"type=bind,src=/home,dst=/home,readonly",
"--mount",
"type=bind,src=/tmp,dst=/tmp",
"--mount",
"type=bind,src=/nix,dst=/nix",
"--mount",
"type=bind,src=/etc,dst=/etc,readonly",
"--restart",
"always",
"--init",
"--name",
`determinate-nix-shim-${this.idslib.getUniqueId()}-${randomUUID()}`,
"determinate-nix-shim:latest",
],
{
silent: true,
listeners: {
stdline: (data: string) => {
actionsCore.saveState("docker_shim_container_id", data.trimEnd());
},
stdout: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
stderr: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
},
},
);
if (exitCode !== 0) {
throw new Error(
`Failed to start the Nix daemon through Docker, exit code: \`${exitCode}\``,
);
}
}
actionsCore.endGroup();
return;
}
async cleanupDockerShim(): Promise<void> {
const containerId = actionsCore.getState("docker_shim_container_id");
if (containerId !== "") {
actionsCore.startGroup("Cleaning up the Nix daemon's Docker shim");
let cleaned = false;
try {
await actionsExec.exec("docker", ["rm", "--force", containerId]);
cleaned = true;
} catch {
actionsCore.warning("failed to cleanup nix daemon container");
}
if (!cleaned) {
actionsCore.info("trying to pkill the container's shim process");
try {
await actionsExec.exec("pkill", [containerId]);
cleaned = true;
} catch {
actionsCore.warning(
"failed to forcibly kill the container's shim process",
);
}
}
if (cleaned) {
this.idslib.recordEvent(EVENT_CLEAN_UP_DOCKER_SHIM);
} else {
actionsCore.warning(
"Giving up on cleaning up the nix daemon container",
);
}
actionsCore.endGroup();
}
}
async setGithubPath(): Promise<void> {
// Interim versions of the `nix-installer` crate may have already manipulated `$GITHUB_PATH`, as root even! Accessing that will be an error.
try {
const nixVarNixProfilePath = "/nix/var/nix/profiles/default/bin";
const homeNixProfilePath = `${process.env["HOME"]}/.nix-profile/bin`;
actionsCore.addPath(nixVarNixProfilePath);
actionsCore.addPath(homeNixProfilePath);
actionsCore.info(
`Added \`${nixVarNixProfilePath}\` and \`${homeNixProfilePath}\` to \`$GITHUB_PATH\``,
);
} catch {
actionsCore.info(
"Skipping setting $GITHUB_PATH in action, the `nix-installer` crate seems to have done this already. From `nix-installer` version 0.11.0 and up, this step is done in the action. Prior to 0.11.0, this was only done in the `nix-installer` binary.",
);
}
}
async flakehubLogin(): Promise<string> {
this.idslib.recordEvent(EVENT_LOGIN_TO_FLAKEHUB);
const netrcPath = `${process.env["RUNNER_TEMP"]}/determinate-nix-installer-netrc`;
const jwt = await actionsCore.getIDToken("api.flakehub.com");
await writeFile(
netrcPath,
[
`machine api.flakehub.com login flakehub password ${jwt}`,
`machine flakehub.com login flakehub password ${jwt}`,
].join("\n"),
);
actionsCore.info("Logging in to FlakeHub.");
// the join followed by a match on ^... looks silly, but extra_config
// could contain multi-line values
if (this.extraConf?.join("\n").match(/^netrc-file/m)) {
actionsCore.warning(
"Logging in to FlakeHub conflicts with the Nix option `netrc-file`.",
);
}
return netrcPath;
}
async executeUninstall(): Promise<number> {
this.idslib.recordEvent(EVENT_UNINSTALL_NIX);
const exitCode = await actionsExec.exec(
`/nix/nix-installer`,
["uninstall"],
{
env: {
NIX_INSTALLER_NO_CONFIRM: "true",
...process.env, // To get $PATH, etc
},
},
);
if (exitCode !== 0) {
throw new Error(`Non-zero exit code of \`${exitCode}\` detected`);
}
return exitCode;
}
async detectExisting(): Promise<boolean> {
const receiptPath = "/nix/receipt.json";
try {
await access(receiptPath);
// There is a /nix/receipt.json
return true;
} catch {
// No /nix/receipt.json
return false;
}
}
private async setupKvm(): Promise<boolean> {
this.idslib.recordEvent(EVENT_SETUP_KVM);
const currentUser = userInfo();
const isRoot = currentUser.uid === 0;
const maybeSudo = isRoot ? "" : "sudo";
const kvmRules = "/etc/udev/rules.d/99-determinate-nix-installer-kvm.rules";
try {
const writeFileExitCode = await actionsExec.exec(
"sh",
[
"-c",
`echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | ${maybeSudo} tee ${kvmRules} > /dev/null`,
],
{
silent: true,
listeners: {
stdout: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
stderr: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
},
},
);
if (writeFileExitCode !== 0) {
throw new Error(
`Non-zero exit code of \`${writeFileExitCode}\` detected while writing '${kvmRules}'`,
);
}
const debugRootRunThrow = async (
action: string,
command: string,
args: string[],
): Promise<void> => {
if (!isRoot) {
args = [command, ...args];
command = "sudo";
}
const reloadExitCode = await actionsExec.exec(command, args, {
silent: true,
listeners: {
stdout: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
stderr: (data: Buffer) => {
const trimmed = data.toString("utf-8").trimEnd();
if (trimmed.length >= 0) {
actionsCore.debug(trimmed);
}
},
},
});
if (reloadExitCode !== 0) {
throw new Error(
`Non-zero exit code of \`${reloadExitCode}\` detected while ${action}.`,
);
}
};
await debugRootRunThrow("reloading udev rules", "udevadm", [
"control",
"--reload-rules",
]);
await debugRootRunThrow("triggering udev against kvm", "udevadm", [
"trigger",
"--name-match=kvm",
]);
return true;
} catch {
if (isRoot) {
await actionsExec.exec("rm", ["-f", kvmRules]);
} else {
await actionsExec.exec("sudo", ["rm", "-f", kvmRules]);
}
return false;
}
}
private async fetchBinary(): Promise<string> {
if (!this.localRoot) {
return await this.idslib.fetchExecutable();
} else {
const localPath = join(this.localRoot, `nix-installer-${this.platform}`);
actionsCore.info(`Using binary ${localPath}`);
return localPath;
}
}
async reportOverall(): Promise<void> {
try {
this.idslib.recordEvent(EVENT_CONCLUDE_WORKFLOW, {
conclusion: await this.getWorkflowConclusion(),
});
} catch (e) {
actionsCore.debug(`Error submitting post-run diagnostics report: ${e}`);
}
}
private async getWorkflowConclusion(): Promise<
undefined | "success" | "failure" | "cancelled" | "unavailable" | "no-jobs"
> {
if (this.githubToken == null) {
return undefined;
}
try {
const octokit = github.getOctokit(this.githubToken);
const jobs = await octokit.paginate(
octokit.rest.actions.listJobsForWorkflowRun,
{
owner: github.context.repo.owner,
repo: github.context.repo.repo,
/* eslint-disable camelcase */
run_id: github.context.runId,
},
);
actionsCore.debug(`awaited jobs: ${jobs}`);
const job = jobs
.filter((candidate) => candidate.name === github.context.job)
.at(0);
if (job === undefined) {
return "no-jobs";
}
const outcomes = (job.steps ?? []).map((j) => j.conclusion ?? "unknown");
// Possible values: success, failure, cancelled, or skipped
// from: https://docs.github.com/en/actions/learn-github-actions/contexts
if (outcomes.includes("failure")) {
// Any failures fails the job
return "failure";
}
if (outcomes.includes("cancelled")) {
// Any cancellations cancels the job
return "cancelled";
}
// Assume success if no jobs failed or were canceled
return "success";
} catch (e) {
actionsCore.debug(`Error determining final disposition: ${e}`);
return "unavailable";
}
}
}
type ExecuteEnvironment = {
// All env vars are strings, no fanciness here.
RUST_BACKTRACE?: string;
NIX_INSTALLER_MODIFY_PROFILE?: string;
NIX_INSTALLER_NIX_BUILD_GROUP_NAME?: string;
NIX_INSTALLER_NIX_BUILD_GROUP_ID?: string;
NIX_INSTALLER_NIX_BUILD_USER_PREFIX?: string;
NIX_INSTALLER_NIX_BUILD_USER_COUNT?: string;
NIX_INSTALLER_NIX_BUILD_USER_ID_BASE?: string;
NIX_INSTALLER_NIX_PACKAGE_URL?: string;
NIX_INSTALLER_PROXY?: string;
NIX_INSTALLER_SSL_CERT_FILE?: string;
NIX_INSTALLER_DIAGNOSTIC_ENDPOINT?: string;
NIX_INSTALLER_DIAGNOSTIC_ATTRIBUTION?: string;
NIX_INSTALLER_ENCRYPT?: string;
NIX_INSTALLER_CASE_SENSITIVE?: string;
NIX_INSTALLER_VOLUME_LABEL?: string;
NIX_INSTALLER_ROOT_DISK?: string;
NIX_INSTALLER_INIT?: string;
NIX_INSTALLER_START_DAEMON?: string;
NIX_INSTALLER_NO_CONFIRM?: string;
NIX_INSTALLER_EXTRA_CONF?: string;
NIX_INSTALLER_LOG_DIRECTIVES?: string;
NIX_INSTALLER_LOGGER?: string;
};
function getDefaultPlanner(): string {
const envOs = process.env["RUNNER_OS"];
if (envOs === "macOS") {
return "macos";
} else if (envOs === "Linux") {
return "linux";
} else {
throw new Error(`Unsupported \`RUNNER_OS\` (currently \`${envOs}\`)`);
}
}
function main(): void {
const installer = new NixInstallerAction();
installer.idslib.onMain(async () => {
await installer.detectAndForceDockerShim();
await installer.install();
});
installer.idslib.onPost(async () => {
await installer.cleanupDockerShim();
await installer.reportOverall();
});
installer.idslib.execute();
}
main();