feat: optionally use remote builders

.github/actions/setup-nix/action.yml

@@ -10,6 +10,15 @@ inputs:
   extra-nix-config:
     type: string
     default: ""
+  builders:
+    type: string
+    default: ""
+  ssh-key:
+    type: string
+    default: ""
+  ssh-cert:
+    type: string
+    default: ""
 
 runs:
   using: composite
@@ -46,13 +55,30 @@ runs:
           /Users/runner/Library/Developer/CoreSimulator \
           /Users/runner/hostedtoolcache &
 
+    - name: prepare remote builder config
+      if: ${{ inputs.builders != '' && inputs.ssh-key != '' }}
+      env:
+        BUILDERS: ${{ inputs.builders }}
+        SSH_KEY: ${{ inputs.ssh-key }}
+        SSH_CERT: ${{ inputs.ssh-cert }}
+      shell: bash
+      run: |
+        set -euo pipefail
+        sudo mkdir -p /etc/nix/
+        echo -e "$BUILDERS" | sudo tee /etc/nix/machines
+        echo -e "$SSH_KEY" | sudo tee /etc/nix/ssh_id > /dev/null
+        echo -e "$SSH_CERT" | sudo tee /etc/nix/ssh_id-cert.pub > /dev/null
+        sudo chmod 400 /etc/nix/ssh_id{,-cert.pub}
+
     - name: install nix
       uses: cachix/install-nix-action@v31
       with:
         # Putting build-dir in /nix is a workaround for https://github.com/wimpysworld/nothing-but-nix/issues/18
         extra_nix_config: |
           accept-flake-config = true
           build-dir = /nix/build
+          builders = @/etc/nix/machines
+          builders-use-substitutes = true
           sandbox = ${{ inputs.sandbox }}
           system = ${{ inputs.system }}
           ${{ inputs.extra-nix-config }}

.github/workflows/build.yml

@@ -83,6 +83,9 @@ jobs:
             || (matrix.system == 'x86_64-darwin' && inputs.x86_64-darwin == 'yes_sandbox_relaxed'
             || matrix.system == 'aarch64-darwin' && inputs.aarch64-darwin == 'yes_sandbox_relaxed') && 'relaxed'
             || 'true' }}
+          builders: ${{ (vars.USE_BUILDERS == 'yes' || vars.USE_BUILDERS == 'always') && vars.BUILDERS || '' }}
+          ssh-key: ${{ (vars.USE_BUILDERS == 'yes' || vars.USE_BUILDERS == 'always') && secrets.SSH_KEY || '' }}
+          ssh-cert: ${{ (vars.USE_BUILDERS == 'yes' || vars.USE_BUILDERS == 'always') && secrets.SSH_CERT || '' }}
 
       - name: nix build
         run: nix build --keep-going -L ${{ inputs.packages }}

.github/workflows/review.yml

@@ -148,6 +148,9 @@ jobs:
             || (matrix.system == 'x86_64-darwin' && inputs.x86_64-darwin == 'yes_sandbox_relaxed'
             || matrix.system == 'aarch64-darwin' && inputs.aarch64-darwin == 'yes_sandbox_relaxed') && 'relaxed'
             || 'true' }}
+          builders: ${{ (vars.USE_BUILDERS == 'yes' || vars.USE_BUILDERS == 'always') && vars.BUILDERS || '' }}
+          ssh-key: ${{ (vars.USE_BUILDERS == 'yes' || vars.USE_BUILDERS == 'always') && secrets.SSH_KEY || '' }}
+          ssh-cert: ${{ (vars.USE_BUILDERS == 'yes' || vars.USE_BUILDERS == 'always') && secrets.SSH_CERT || '' }}
 
       - name: install packages
         run: |
@@ -157,7 +160,7 @@ jobs:
           elif [[ ${{ inputs.push-to-cache && vars.CACHIX_CACHE != '' }} = true ]]; then
             pkgs+=(cachix)
           fi
-          nix profile add "${pkgs[@]/#/.#}"
+          nix profile add "${pkgs[@]/#/.#}" --builders ''
 
       - name: clone nixpkgs
         uses: actions/checkout@v6
@@ -174,14 +177,15 @@ jobs:
             --no-exit-status \
             --no-headers \
             --print-result \
-            --build-args="-L" \
+            --build-args="-L $JOBS_ARG" \
             --pr-json="$PR_JSON" \
             $EXTRA_ARGS
         working-directory: nixpkgs
         env:
           GITHUB_TOKEN: ${{ github.token }}
           EXTRA_ARGS: ${{ inputs.extra-args }}
           PR_JSON: ${{ needs.prepare.outputs.pr }}
+          JOBS_ARG: ${{ vars.USE_BUILDERS == 'always' && '-j0' || '' }}
 
       - name: push results to cache
         if: ${{ inputs.push-to-cache && ((vars.ATTIC_SERVER != '' && vars.ATTIC_CACHE != '') || vars.CACHIX_CACHE != '') }}

README.md

@@ -9,6 +9,7 @@ Run [nixpkgs-review](https://github.com/Mic92/nixpkgs-review) in GitHub Actions
 - Optionally start an [Upterm](https://upterm.dev/) session after nixpkgs-review has finished to allow interactive testing/debugging via SSH
 - Push new packages to an [Attic](https://github.com/zhaofengli/attic) or [Cachix](https://www.cachix.org/) cache
 - After a successful review, automatically mark the PR as ready for review, approve it, or merge it (directly or via the [nixpkgs-merge-bot](https://github.com/NixOS/nixpkgs-merge-bot))
+- Optionally use [Nix remote builders](https://nix.dev/manual/nix/latest/advanced-topics/distributed-builds) (either in addition to or instead of the local GitHub Actions runner).
 - Add a "Run nixpkgs-review" shortcut to pull request pages in nixpkgs
 
 ## Setup
@@ -52,6 +53,42 @@ extra-substituters = https://nix-community.cachix.org
 extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
 ```
 
+### Remote Builders (optional)
+It is possible to configure nixpkgs-review-gha to use [remote builders](https://nix.dev/manual/nix/latest/advanced-topics/distributed-builds) either instead of or in addition to the local GitHub Actions runner.
+For this to work, the GitHub Actions runner needs to be able to connect to your remote builders via SSH, and you need to configure an SSH keypair for authentication.
+
+Set the following [secrets](../../settings/secrets/actions):
+
+- `SSH_KEY`: A private ssh key which is authorized to access your remote builders. You can generate one using `ssh-keygen -t ed25519 -f ssh_key -N '' -C ''`.
+- `SSH_CERT`: If you have configured an [SSH certificate authority](https://manpages.debian.org/unstable/openssh-client/ssh-keygen.1.en.html#CERTIFICATES), the certificate which authorizes your `SSH_KEY` to access the remote builders. You don't need to set this variable if you have authorized your `SSH_KEY` directly (i.e. added your public key to `authorized_keys` on the remote builder).
+  <details>
+  <summary>Example command to generate a shortlived certificate:</summary>
+
+  ```shell
+  ssh-keygen -Us $CA_PUBKEY_PATH \
+    -I nixpkgs-review-gha \
+    -n $REMOTE_USERNAME \
+    -O clear \
+    -O force-command="nix-daemon --stdio" \
+    -V +1h \
+    $PUBKEY_PATH
+  ```
+
+  </details>
+
+Set the following [variables](../../settings/variables/actions):
+
+- `BUILDERS`: A newline separated list of build machines in the same format as the [`builders` option in `nix.conf`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-builders). You will need to set the value of the third field (ssh identity) to `/etc/nix/ssh_id` which is where your `SSH_KEY` is placed. Your `SSH_CERT` should be picked up automatically, if you have configured one.
+- `USE_BUILDERS`: Either `no`, `yes`, or `always`. If set to `yes`, remote builders are used *in addition to* the GitHub Actions runner. If set to `always`, *only* remote builders are used and no builds happen on the runner. If set to `no`, remote builders are not used at all.
+
+For example, you can set `BUILDERS` to the following if you want to build on the [nix-community builders](https://nix-community.org/community-builders/). Keep in mind that these builders should generally [not be trusted](https://nix-community.org/community-builders/#notes-on-security-and-safety), so be careful with what you might push into the [binary caches](#push-to-attic-cache-optional) you configured above.
+
+```
+ssh-ng://[email protected] x86_64-linux /etc/nix/ssh_id 6 - benchmark,big-parallel,kvm,nixos-test,uid-range - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVsSVE1NHFBeTdEaDYzckJ1ZFlLZGJ6SkhycmJyck1YTFlsN1BrbWs4OEg=
+ssh-ng://[email protected] aarch64-linux /etc/nix/ssh_id 20 - benchmark,big-parallel,gccarch-armv7-a,gccarch-armv8-a,kvm,nixos-test,uid-range - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUc5dXlmaHlsaStCUnRrNjR5K25pcXRiK3NLcXVSR0daODdmNFlSYzhFRTE=
+ssh-ng://[email protected] x86_64-darwin,aarch64-darwin /etc/nix/ssh_id 2 - big-parallel - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUtNSGhsY243ZlVwVXVpT0ZlSWhEcUJ6Qk5Gc2JOcXErTnB6dUdYM2U2enY=
+```
+
 ### Shortcuts on nixpkgs PR pages (optional)
 Add [`shortcut.user.js`](shortcut.user.js) as a userscript in your browser for `https://github.com/` for example using the [User JavaScript and CSS chrome extension](https://chromewebstore.google.com/detail/user-javascript-and-css/nbhcbdghjpllgmfilhnhkllmkecfmpld) or [Violentmonkey](https://violentmonkey.github.io/).