Support provenance #175

Merged: cole-h merged 4 commits into main from provenance on Feb 17, 2026

Conversation

@cole-h (Member) commented Feb 10, 2026

Depends on DeterminateSystems/attic#10

Summary by CodeRabbit

  • New Features

    • Added provenance metadata tracking for cached artifacts.
  • Chores

    • Updated CI runners to newer/alternative runner profiles.
    • Removed macOS x86_64 from build and release workflows.
    • Improved cross-compilation and static linking support for ARM64 targets.
    • Reworked packaging and development shells to per-system configurations and simplified build orchestration.

@coderabbitai bot commented Feb 10, 2026

📝 Walkthrough

Adds Rust linker flags for static linking, removes x86_64 macOS CI runners and related artifact steps, refactors flake.nix to per-system static packages and cross-target env wiring, and extends NarInfo to include serialized provenance.

Changes

Cohort / File(s): Summary

  • Rust build configuration (.cargo/config.toml): Adds global and target-specific rustflags to use LLD (-Clink-arg=-fuse-ld=lld) and -Crelocation-model=static; the aarch64 target also links -lgcc.
  • CI/CD workflow updates (.github/workflows/build.yaml, .github/workflows/check-and-test.yaml, .github/workflows/release-branches.yml, .github/workflows/release-prs.yml, .github/workflows/release-tags.yml): Removes the x86_64 macOS runner and all download/copy steps for the X64 macOS cache artifact; replaces/updates runner profiles for the Linux/ARM macOS entries with new runner profiles.
  • Nix build system (flake.nix): Substantial refactor: switches inputs.nix.url to DeterminateSystems nix-src; moves to an explicit per-system outputs structure; introduces pkgs.pkgsStatic usage, per-system rustTargetSpec/env vars, static buildInputs, craneLib-based package construction; reworks veryLongChain via an inline createChain; and redefines devShells to use per-system static pkgs and env wiring.
  • Cache provenance tracking (magic-nix-cache/src/gha.rs): NarInfo now includes provenance: Option<String>, initialized by serializing path_info.provenance to JSON when present.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I hop with flags and LLD in tow,
CI trims a runner’s show,
Flakes rearranged, crates set to roam,
Provenance tucked safe in the cache’s home,
A tiny rabbit nods — build on, we go!

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check (❓ Inconclusive): The title 'Support provenance' is vague and generic, lacking specificity about what is being implemented or changed. While provenance support is mentioned in the code changes (NarInfo struct addition), the title does not convey the scope of the broader infrastructure changes (Nix flake updates, GitHub Actions workflow changes, Rust build flags) that comprise most of the changeset. Resolution: consider a more descriptive title such as 'Add provenance field to NarInfo and update build infrastructure' to better represent the primary changes and their scope.

✅ Passed checks (2 passed)

  • Description Check (✅ Passed): Check skipped; CodeRabbit's high-level summary is enabled.
  • Merge Conflict Detection (✅ Passed): No merge conflicts detected when merging into main.


@cole-h force-pushed the provenance branch 7 times, most recently from 6307624 to 7c49df1, on February 11, 2026 19:48
@cole-h changed the title from "wip: support provenance" to "Support provenance" on Feb 12, 2026
@cole-h marked this pull request as ready for review on February 12, 2026 15:21
@coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.cargo/config.toml:
- Around line 1-12: The global [build] rustflags are too broad and currently
apply to non-musl targets; remove the rustflags from [build] and instead add
those flags ("-Clink-arg=-fuse-ld=lld" and "-Crelocation-model=static", plus
"-Clink-arg=-lgcc" where needed) under per-target sections
[target.x86_64-unknown-linux-musl] and [target.aarch64-unknown-linux-musl]; also
correct the mistaken target name (replace any reference to
aarch64-unknown-linux-musl vs aarch64-unknown-linux-gnu consistently — ensure
you use aarch64-unknown-linux-gnu where that is the actual supported target and
only place the musl flags under the musl target stanzas).

In `@flake.nix`:
- Around line 9-10: The flake references
inputs.nix.packages.${system}.nix-*-static (nix-util-static, nix-store-static,
nix-main-static, nix-expr-static) unconditionally which breaks for
aarch64-darwin; update flake.nix to either remove aarch64-darwin from
supportedSystems or conditionally select those static packages only when the
target system supports them (e.g., when system startsWith "x86_64-linux" or
"aarch64-linux" / using a helper like hasNixSrcFor = builtins.elem system
availableSystems) so that the lookups of
inputs.nix.packages.${system}.nix-util-static, nix-store-static,
nix-main-static, and nix-expr-static are avoided on macOS.

In `@magic-nix-cache/src/gha.rs`:
- Around line 251-254: The provenance field is silently dropping serialization
errors due to using serde_json::to_string(v).ok(); change the closure used for
path_info.provenance to call serde_json::to_string(v) and, on Err(e), emit a
tracing::error! (or warn!) with the error and identifying context (e.g., the
path_info or other id) and return None, otherwise return Some(serialized).
Update the provenance assignment in the struct construction where
path_info.provenance is mapped so it logs failures instead of discarding them
silently and add any needed tracing import.
🧹 Nitpick comments (1)
.github/workflows/build.yaml (1)

25-27: Document the removal of Intel Mac (x86_64-darwin) build support.

The CI matrix now builds only for ARM64 macOS (aarch64-darwin), with Intel Mac support removed entirely. While this appears intentional, the README doesn't reflect this platform limitation. Consider updating README.md to clarify that macOS support is for Apple Silicon only, or document this breaking change in release notes so users know to build from source or use Rosetta 2 for Intel Macs.

.cargo/config.toml, comment on lines +1 to +12
[build]
rustflags = [
"-Clink-arg=-fuse-ld=lld",
"-Crelocation-model=static",
]

[target.aarch64-unknown-linux-musl]
rustflags = [
"-Clink-arg=-fuse-ld=lld",
"-Crelocation-model=static",
"-Clink-arg=-lgcc",
]

⚠️ Potential issue | 🟠 Major

Scope and clarify static build rustflags to their target(s).

The global [build] rustflags apply to all targets (aarch64-darwin, x86_64-linux, aarch64-linux), while the flags are intended only for static/musl builds. Additionally, the [target.aarch64-unknown-linux-musl] section references a target not in the project's supported systems; the actual target is aarch64-unknown-linux-gnu.

Move the -fuse-ld=lld and -Crelocation-model=static flags to [target.x86_64-unknown-linux-musl] and [target.aarch64-unknown-linux-musl] instead of the global [build] section to clarify intent and avoid issues if targets expand in the future.

🔧 Suggested scoping
-[build]
-rustflags = [
-  "-Clink-arg=-fuse-ld=lld",
-  "-Crelocation-model=static",
-]
-
+[target.x86_64-unknown-linux-musl]
+rustflags = [
+  "-Clink-arg=-fuse-ld=lld",
+  "-Crelocation-model=static",
+]
+
 [target.aarch64-unknown-linux-musl]
 rustflags = [
   "-Clink-arg=-fuse-ld=lld",
   "-Crelocation-model=static",
   "-Clink-arg=-lgcc",
 ]
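Review bot: the suggested hunk keeps the [target.aarch64-unknown-linux-musl] stanza that the paragraph above says is not one of the project's supported targets (it names aarch64-unknown-linux-gnu instead), so the suggestion contradicts its own finding; settle which triple the flake actually builds for (the walkthrough says pkgs.pkgsStatic, which points at the musl triples) before moving the flags. Two further points: dropping the [build] section removes lld from every non-musl build, aarch64-darwin included, which should be a deliberate choice, and -Crelocation-model=static disables position-independent code, so the resulting executables are non-PIE and forgo ASLR; that trade-off deserves a comment next to the flag wherever it ends up.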

flake.nix Outdated
Comment on lines +9 to +10
nix.url = "github:DeterminateSystems/nix-src";
# nix.url = "https://flakehub.com/f/NixOS/nix/=2.27.*";

⚠️ Potential issue | 🟠 Major

Guard nix-*-static usage for non-Linux systems.

With aarch64-darwin in supportedSystems, the unconditional inputs.nix.packages.${system}.nix-*-static references on lines 65–68 will fail during flake evaluation. macOS does not support fully static linking, so nix-src does not provide nix-util-static, nix-store-static, nix-main-static, or nix-expr-static for aarch64-darwin.

Either remove aarch64-darwin from supportedSystems, or guard the static packages conditionally:

Example: Filter supported systems by nix-src availability
-      supportedSystems = [
-        "aarch64-linux"
-        "x86_64-linux"
-        "aarch64-darwin"
-      ];
+      supportedSystems = builtins.filter
+        (s:
+          builtins.hasAttr s inputs.nix.packages
+          && builtins.hasAttr "nix-util-static" inputs.nix.packages.${s})
+        [
+          "aarch64-linux"
+          "x86_64-linux"
+          "aarch64-darwin"
+        ];
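Review bot: the filter only probes nix-util-static, but the finding above says the flake also reads nix-store-static, nix-main-static and nix-expr-static, so a nix-src revision that ships only some of them would still fail evaluation with a missing attribute; check all four attributes, or one you know implies the rest. Filtering supportedSystems also removes aarch64-darwin from every output (packages and devShells), which is a bigger change than guarding the static buildInputs; if a non-static Darwin package is still wanted, a conditional around the static inputs keeps it.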

magic-nix-cache/src/gha.rs, comment on lines +251 to +254
provenance: path_info
.provenance
.as_ref()
.and_then(|v| serde_json::to_string(v).ok()),

⚠️ Potential issue | 🟡 Minor

Don't silently drop provenance on serialization failure.

serde_json::to_string(v).ok() discards errors, so provenance can disappear without visibility. Since tracing is already in use throughout the codebase, log failures when serialization fails:

🔧 Suggested fix
-        provenance: path_info
-            .provenance
-            .as_ref()
-            .and_then(|v| serde_json::to_string(v).ok()),
+        provenance: path_info.provenance.as_ref().and_then(|v| {
+            match serde_json::to_string(v) {
+                Ok(s) => Some(s),
+                Err(err) => {
+                    tracing::warn!("failed to serialize provenance: {err}");
+                    None
+                }
+            }
+        }),
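Review bot: the tracing::warn! in the suggested closure carries only the error, not which store path's provenance failed to serialize, so the warning is hard to act on in CI logs; include an identifying field from path_info, such as the store path, in the event. Consider also whether falling back to None is the right outcome at all: the cache entry is then published as if it never had provenance, which is exactly the silent loss the comment sets out to surface, so returning an error from the enclosing function may be preferable.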

Flake lock file updates:

• Updated input 'nix':
    'github:DeterminateSystems/nix-src/5217e30' (2026-02-10)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.16.0/019c589d-45e9-7337-9ff0-a8d78fecf63f/source.tar.gz' (2026-02-13)
@cole-h cole-h enabled auto-merge February 17, 2026 01:01
@coderabbitai bot left a comment

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@flake.nix`:
- Around line 15-19: The flake unconditionally references
inputs.nix.packages.${system}.nix-*-static while also including "aarch64-darwin"
in supportedSystems, which can cause missing-attribute failures on Darwin;
update the flake to either remove "aarch64-darwin" from supportedSystems or
guard the static inputs by checking for their presence before using them (e.g.,
only add inputs.nix.packages.${system}.nix-util-static, .nix-store-static,
.nix-main-static, .nix-expr-static when those attrs exist for the given system),
making changes around the supportedSystems array and any places that construct
inputs using inputs.nix.packages.${system}.nix-*-static so the Darwin case is
skipped or protected.

flake.nix
nix.url = "github:DeterminateSystems/nix-src";
# nix.url = "https://flakehub.com/f/NixOS/nix/=2.27.*";
nix.url = "https://flakehub.com/f/DeterminateSystems/nix-src/=3.16.*";
Member commented:

I think we probably want /3.16, since 3.17 is acceptable, but we need at least 3.16.

Member commented:

I'll merge as-is, but I'm pretty sure we don't want the =. DM'd :)

@cole-h cole-h merged commit 356fa10 into main Feb 17, 2026
10 checks passed
@cole-h cole-h deleted the provenance branch February 17, 2026 01:29