CI Jobs
This reference documents the CI jobs defined in .github/workflows/ci.yaml and how to run equivalent checks locally.
Overview
Section titled “Overview”The CI pipeline runs on push to main, pull requests, and manual dispatch.
Jobs are organized in a dependency graph to optimize execution time and catch failures early.
secrets-scan └── set-variables ├── preview-release-version (PR only) ├── preview-docs-deploy (PR only) ├── bootstrap-verification ├── secrets-workflow ├── flake-validation ├── cache-overlay-packages │ └── nix (matrix) └── typescript (matrix) └── production-release-packages (main only) └── production-docs-deploy (main only)Job reference
Section titled “Job reference”secrets-scan
Section titled “secrets-scan”Scans repository for hardcoded secrets using gitleaks.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest |
| Triggers | All (always runs first) |
| Local equivalent | nix run nixpkgs#gitleaks -- detect --verbose --redact |
Note: CI uses nix run nixpkgs#gitleaks directly rather than the justfile recipe.
set-variables
Section titled “set-variables”Determines deployment settings and discovers packages for matrix jobs.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest |
| Triggers | After secrets-scan |
| Local equivalent | just list-packages-json |
Outputs:
debug- Whether debug mode is enableddeploy_enabled- Whether docs deployment is enableddeploy_environment- Target environment (preview/production)packages- JSON array of packages for matrix jobsforce-ci- Whether to force execution
preview-release-version
Section titled “preview-release-version”Previews semantic-release version for each package (PR only).
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest |
| Triggers | Pull requests only |
| Matrix | Per package |
| Local equivalent | just preview-version main packages/<name> |
preview-docs-deploy
Section titled “preview-docs-deploy”Deploys documentation to preview environment.
| Attribute | Value |
|---|---|
| Runner | Via deploy-docs.yaml |
| Triggers | Pull requests only |
| Environment | preview |
| Local equivalent | just docs-deploy-preview |
Preview URL: https://b-<branch>-infra-docs.sciexp.workers.dev
bootstrap-verification
Section titled “bootstrap-verification”Validates Makefile bootstrap workflow on clean Ubuntu system.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest |
| Triggers | All |
| Local equivalent | make bootstrap && make verify && make setup-user |
Verifies:
- Nix installation via DeterminateSystems installer
- direnv configuration
- Age key generation for sops
secrets-workflow
Section titled “secrets-workflow”Tests sops-nix mechanics with ephemeral test keys.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest |
| Triggers | All |
| Local equivalent | Manual sops encrypt/decrypt test |
Creates ephemeral age keys, encrypts test secrets, and verifies decryption works correctly.
flake-validation
Section titled “flake-validation”Validates flake structure, justfile recipes, and runs nix flake check.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest |
| Triggers | All |
| Local equivalent | just check |
Verifies:
- Core justfile recipes exist (
activate,verify,check,lint) nix flake checkpasses (includes VM tests on Linux)
For faster local iteration: just check-fast excludes VM tests (~1-2 min vs ~7 min).
cache-overlay-packages
Section titled “cache-overlay-packages”Pre-caches resource-intensive overlay packages before main build.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest (x86_64), ubuntu-24.04-arm (aarch64) |
| Triggers | All |
| Matrix | x86_64-linux, aarch64-linux |
| Local equivalent | just cache-overlay-packages <system> |
Prevents disk space exhaustion during CI builds, especially for Rust packages.
Builds flake outputs via category-based matrix for disk space optimization.
| Attribute | Value |
|---|---|
| Runner | ubuntu-latest (x86_64), ubuntu-24.04-arm (aarch64) |
| Triggers | All |
| Depends on | cache-overlay-packages |
| Local equivalent | just ci-build-category <system> <category> [config] |
Matrix configurations:
| System | Category | Config | Description |
|---|---|---|---|
| x86_64-linux | packages | - | Overlay packages |
| x86_64-linux | checks-devshells | - | Checks and dev shells |
| x86_64-linux | home | - | Home-manager configs |
| x86_64-linux | nixos | cinnabar | NixOS server |
| x86_64-linux | nixos | electrum | NixOS server |
| aarch64-linux | packages | - | Overlay packages |
| aarch64-linux | checks-devshells | - | Checks and dev shells |
| aarch64-linux | home | - | Home-manager configs |
typescript
Section titled “typescript”Tests TypeScript packages (docs site).
| Attribute | Value |
|---|---|
| Runner | Via package-test.yaml |
| Triggers | All |
| Matrix | Per package |
| Local equivalent | just test-package <package> |
Runs:
bun installbun run test:unitbun run test:coveragebun run buildbun run test:e2e
production-release-packages
Section titled “production-release-packages”Releases packages via semantic-release on main branch.
| Attribute | Value |
|---|---|
| Runner | Via package-release.yaml |
| Triggers | Push to main/beta only |
| Matrix | Per package |
| Local equivalent | just release-package <package> (dry run) |
production-docs-deploy
Section titled “production-docs-deploy”Deploys documentation to production.
| Attribute | Value |
|---|---|
| Runner | Via deploy-docs.yaml |
| Triggers | Push to main only |
| Environment | production |
| Local equivalent | just docs-deploy-production |
Production URL: https://infra.cameronraysmith.net
Running CI locally
Section titled “Running CI locally”Full validation
Section titled “Full validation”# Run all checks (equivalent to flake-validation job)just check
# Fast checks only (skip VM tests)just check-fastPackage testing
Section titled “Package testing”# Test specific packagejust test-package docs
# Preview release versionjust preview-version main packages/docsBuild verification
Section titled “Build verification”# Build specific categoryjust ci-build-category x86_64-linux packagesjust ci-build-category x86_64-linux nixos cinnabar
# Build all outputs for current systemjust ci-build-localDocumentation
Section titled “Documentation”# Full docs test suitejust docs-test
# Preview deploymentjust docs-deploy-preview
# Link validationjust docs-linkcheckCaching
Section titled “Caching”CI uses per-job content-addressed caching to skip unchanged jobs. The caching is based on:
- Content hash of relevant source files
- GitHub Actions cache API
To force re-execution:
- Add the
force-cilabel to a PR - Use
force_run: truein workflow dispatch
See ADR-0016 for details.
Troubleshooting
Section titled “Troubleshooting”Common failures
Section titled “Common failures”flake-validation fails:
# Check locallyjust check
# For faster iterationjust check-fast x86_64-linuxnix build fails:
# Build specific category locallyjust ci-build-category <system> <category>
# Check disk spacedf -htypescript tests fail:
# Run tests locallyjust test-package docs
# Check coveragejust docs-test-coverageViewing logs
Section titled “Viewing logs”# View latest run logsjust ci-logs
# View only failed logsjust ci-logs-failed
# Debug specific jobjust ci-debug-job ci.yaml "nix (x86_64-linux, packages)"See also
Section titled “See also”- Testing Guide - How to run tests and testing philosophy
- Test Harness Reference - CI-local parity matrix
- Justfile Recipes - Local recipe reference
- CI Philosophy - Design principles
- Troubleshooting CI Cache - Cache issues