feat: enable sccache for cargo-pgrx builds in GitHub Actions

.github/actions/nix-install-ephemeral/action.yml

@@ -5,6 +5,14 @@ inputs:
     description: 'Whether to push build outputs to the Nix binary cache'
     required: false
     default: 'false'
+  enable-sccache-sandbox-path:
+    description: 'Whether to expose /nix/var/cache/sccache in the Nix sandbox'
+    required: false
+    default: 'false'
+  max-jobs:
+    description: 'Maximum number of parallel Nix builds'
+    required: false
+    default: ''
   aws-region:
     description: 'AWS region for the Nix binary cache S3 bucket'
     required: false
@@ -48,4 +56,8 @@ runs:
           substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
           trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
           ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}
-          max-jobs = 4
+          ${{ inputs.enable-sccache-sandbox-path == 'true' && 'extra-sandbox-paths = /nix/var/cache/sccache?' || '' }}
+          ${{ inputs.max-jobs != '' && format('max-jobs = {0}', inputs.max-jobs) || '' }}
+          ${{ inputs.enable-sccache-sandbox-path == 'true' && 'auto-allocate-uids = true' || '' }}
+          ${{ inputs.enable-sccache-sandbox-path == 'true' && 'use-cgroups = true' || '' }}
+          experimental-features = nix-command flakes ${{ inputs.enable-sccache-sandbox-path == 'true' && 'cgroups auto-allocate-uids' || '' }}

.github/workflows/nix-build.yml

@@ -14,10 +14,6 @@ permissions:
   contents: write
   packages: write
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 jobs:
   nix-eval:
     uses: ./.github/workflows/nix-eval.yml
@@ -40,17 +36,31 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix (ephemeral)
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
           push-to-cache: 'true'
+          enable-sccache-sandbox-path: ${{ matrix.postgresql_version && 'true' || 'false' }}
+          max-jobs: ${{ matrix.postgresql_version && '1' || '' }}
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Install nix (self-hosted)
         if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          if [ -d /nix/var/cache/sccache ]; then sudo chown -R 872415232 /nix/var/cache/sccache; fi
+          if [ -d /nix/var/cache/sccache ]; then sudo chmod -R 2777 /nix/var/cache/sccache; fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -71,17 +81,31 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix (ephemeral)
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
           push-to-cache: 'true'
+          enable-sccache-sandbox-path: ${{ matrix.postgresql_version && 'true' || 'false' }}
+          max-jobs: ${{ matrix.postgresql_version && '1' || '' }}
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Install nix (self-hosted)
         if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          if [ -d /nix/var/cache/sccache ]; then sudo chown -R 872415232 /nix/var/cache/sccache; fi
+          if [ -d /nix/var/cache/sccache ]; then sudo chmod -R 2777 /nix/var/cache/sccache; fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -102,9 +126,26 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Configure sccache for Nix builds
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        run: |
+          # Ensure sccache directory exists
+          mkdir -p /nix/var/cache/sccache          
+          # Update Nix configuration to allow access to sccache directory in sandbox
+          if [ -w /etc/nix/nix.conf ]; then
+            tee -a /etc/nix/nix.conf > /dev/null <<EOF
+          extra-sandbox-paths = /nix/var/cache/sccache
+          EOF
+          fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -125,9 +166,26 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Configure sccache for Nix builds
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        run: |
+          # Ensure sccache directory exists
+          mkdir -p /nix/var/cache/sccache          
+          # Update Nix configuration to allow access to sccache directory in sandbox
+          if [ -w /etc/nix/nix.conf ]; then
+            tee -a /etc/nix/nix.conf > /dev/null <<EOF
+          extra-sandbox-paths = /nix/var/cache/sccache
+          EOF
+          fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -148,14 +206,28 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
+          enable-sccache-sandbox-path: ${{ matrix.postgresql_version && 'true' || 'false' }}
+          max-jobs: ${{ matrix.postgresql_version && '1' || '' }}
           push-to-cache: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          if [ -d /nix/var/cache/sccache ]; then sudo chown -R 872415232 /nix/var/cache/sccache; fi
+          if [ -d /nix/var/cache/sccache ]; then sudo chmod -R 2777 /nix/var/cache/sccache; fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -176,14 +248,28 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
+          enable-sccache-sandbox-path: ${{ matrix.postgresql_version && 'true' || 'false' }}
+          max-jobs: ${{ matrix.postgresql_version && '1' || '' }}
           push-to-cache: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.postgresql_version && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          # With auto-allocate-uids, UID 872415232 (0x34000000) maps to nixbld inside sandbox
+          if [ -d /nix/var/cache/sccache ]; then sudo chown -R 872415232 /nix/var/cache/sccache; fi
+          if [ -d /nix/var/cache/sccache ]; then sudo chmod -R 2777 /nix/var/cache/sccache; fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -217,15 +303,3 @@ jobs:
       (needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
       (needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
     uses: ./.github/workflows/test.yml
-
-  docker-image-test:
-    needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux]
-    if: |
-      !cancelled() &&
-      needs.nix-eval.result == 'success' &&
-      (needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
-      (needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success')
-    uses: ./.github/workflows/docker-image-test.yml
-    secrets:
-      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
-      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}

flake.nix

@@ -20,7 +20,7 @@
     nix-editor.url = "github:snowfallorg/nix-editor";
     nix-eval-jobs.inputs.flake-parts.follows = "flake-parts";
     nix-eval-jobs.inputs.treefmt-nix.follows = "treefmt-nix";
-    nix-eval-jobs.url = "github:nix-community/nix-eval-jobs";
+    nix-eval-jobs.url = "github:jfroche/nix-eval-jobs/643e2ee809cf9131a1bea239e250a719f8723010";
     nix2container.inputs.nixpkgs.follows = "nixpkgs";
     nix2container.url = "github:nlewo/nix2container";
     # Pin to a specific nixpkgs version that has compatible v8 and curl versions