Package moq-gst for release via Nix-built tarballs #1453
Adds a tagged GitHub release pipeline for the moq-gst GStreamer plugin (Linux + macOS), and converts the libmoq pipeline's Linux/macOS jobs to build inside Nix as well so artifacts are reproducible against flake.lock instead of GitHub runner image drift. New derivations in nix/overlay.nix lay out libmoq's static archive plus header, pkg-config, and CMake config files in the layout downstream consumers already expect, and produce moq-gst's cdylib with nix-store paths stripped (patchelf on Linux, install_name_tool rewrites on macOS plus rpaths for the three common GStreamer install locations) so the plugin loads against the user's system GStreamer at runtime. Windows libmoq stays on cargo since Nix isn't practical on the Windows runner; the universal-apple-darwin matrix entry is removed now that native per-arch macOS runners exist. https://claude.ai/code/session_01658i2aBWSxEZvVggb1aLkU
Walkthrough: This pull request establishes Nix-based reproducible builds for the
Pre-merge checks: 5 passed.
Actionable comments posted: 1
🧹 Nitpick comments (4)
.github/workflows/moq-gst.yml (3)
64-66: ⚡ Quick win: Prevent credential persistence in artifacts.
The checkout step does not set persist-credentials: false, which means GitHub credentials could persist and potentially leak via artifacts.
🔒 Proposed security improvement
- uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/moq-gst.yml around lines 64 - 66, The checkout action is missing persist-credentials: false which can allow GitHub credentials to be retained and leaked; update the actions/checkout@v6 step to include the input persist-credentials: false (alongside the existing fetch-depth: 0) so credentials are not persisted to the workspace or artifacts.
30-30: ⚖️ Poor tradeoff: Consider pinning GitHub Actions to commit hashes.
The workflow uses mutable version tags (@v6, @main, @v7) instead of immutable commit hashes, which could lead to unexpected behavior if action maintainers update the tags. While this is a common practice for maintainability, pinning to specific commit SHAs provides stronger supply-chain security guarantees.
Also applies to: 34-35, 51-51
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/moq-gst.yml at line 30, The workflow currently references mutable action tags (e.g., actions/checkout@v6, actions/setup-node@v*, actions/upload-artifact@v7 and any occurrences of `@main`) — replace those with the corresponding immutable commit SHAs for each action to pin them; locate uses of actions/checkout, actions/setup-node, actions/upload-artifact (and any other `@main/`@v* usages) in the workflow and update the ref to the specific full commit SHA from the action's repo release you intend to use, then run the workflow to verify behavior remains unchanged.
30-32: ⚡ Quick win: Prevent credential persistence in artifacts.
The checkout step does not set persist-credentials: false, which means GitHub credentials could persist and potentially leak via build artifacts.
🔒 Proposed security improvement
- uses: actions/checkout@v6 with: fetch-depth: 0 + persist-credentials: false
🤖 Prompt for AI Agents
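Review bot: this is the same finding as the 64-66 one above, reported once per `actions/checkout@v6` step, so `persist-credentials: false` belongs on both checkout steps in moq-gst.yml, not just one; the flag stops actions/checkout from writing the job token into the checkout's `.git/config`, which is the persistence the finding refers to.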
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/moq-gst.yml around lines 30 - 32, The checkout step using actions/checkout@v6 currently lacks persist-credentials configuration which can leave GitHub credentials in the workspace; update the checkout invocation (the actions/checkout@v6 step) to include persist-credentials: false under its with: block so credentials are not persisted to the workspace or artifacts, e.g. add the line persist-credentials: false alongside fetch-depth.
rs/moq-gst/build.sh (1)
48-50: ⚡ Quick win: Consider cleaning up the temporary directory.
The temporary directory created by mktemp -d is not cleaned up before the script exits. While the OS will eventually remove it, explicitly cleaning up improves resource management.
♻️ Proposed cleanup
Add a trap to clean up on exit:
+TEMP_DIR="$(mktemp -d)" +trap 'rm -rf "$TEMP_DIR"' EXIT +RESULT_LINK="$TEMP_DIR/result" -RESULT_LINK="$(mktemp -d)/result" nix build "$WORKSPACE_DIR#moq-gst" --out-link "$RESULT_LINK"
🤖 Prompt for AI Agents
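Review bot: the ordering is right (the trap is registered before `nix build`, so the directory is removed after a failed build too), with one consequence worth a comment in build.sh: the `--out-link` symlink is what keeps the built store path registered as a Nix garbage-collector root, so once the trap deletes it the output becomes eligible for `nix-collect-garbage`, and anything that reads the result (the tarball assembly) has to finish before the script exits, as it does here.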
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@rs/moq-gst/build.sh` around lines 48 - 50, The script creates a temporary directory via RESULT_LINK="$(mktemp -d)/result" but never removes it; update build.sh to register a trap that removes the temporary directory on EXIT (and on error signals) so RESULT_LINK (or its parent tmp dir created by mktemp -d) is deleted when the script finishes; ensure the trap references the same RESULT_LINK variable (and checks it exists) and is set before running nix build so cleanup runs even on failure.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/libmoq.yml:
- Around line 41-46: The workflow currently references DeterminateSystems
actions using the unstable refs "DeterminateSystems/nix-installer-action@main"
and "DeterminateSystems/magic-nix-cache-action@main"; change these to the stable
released tags by updating the action refs to
"DeterminateSystems/nix-installer-action@v22" and
"DeterminateSystems/magic-nix-cache-action@v13" respectively (update the two
occurrences where the actions are used in the Install Nix and Configure Nix
cache steps).
---
Nitpick comments:
In @.github/workflows/moq-gst.yml:
- Around line 64-66: The checkout action is missing persist-credentials: false
which can allow GitHub credentials to be retained and leaked; update the
actions/checkout@v6 step to include the input persist-credentials: false
(alongside the existing fetch-depth: 0) so credentials are not persisted to the
workspace or artifacts.
- Line 30: The workflow currently references mutable action tags (e.g.,
actions/checkout@v6, actions/setup-node@v*, actions/upload-artifact@v7 and any
occurrences of `@main`) — replace those with the corresponding immutable commit
SHAs for each action to pin them; locate uses of actions/checkout,
actions/setup-node, actions/upload-artifact (and any other `@main/`@v* usages) in
the workflow and update the ref to the specific full commit SHA from the
action's repo release you intend to use, then run the workflow to verify
behavior remains unchanged.
- Around line 30-32: The checkout step using actions/checkout@v6 currently lacks
persist-credentials configuration which can leave GitHub credentials in the
workspace; update the checkout invocation (the actions/checkout@v6 step) to
include persist-credentials: false under its with: block so credentials are not
persisted to the workspace or artifacts, e.g. add the line persist-credentials:
false alongside fetch-depth.
In `@rs/moq-gst/build.sh`:
- Around line 48-50: The script creates a temporary directory via
RESULT_LINK="$(mktemp -d)/result" but never removes it; update build.sh to
register a trap that removes the temporary directory on EXIT (and on error
signals) so RESULT_LINK (or its parent tmp dir created by mktemp -d) is deleted
when the script finishes; ensure the trap references the same RESULT_LINK
variable (and checks it exists) and is set before running nix build so cleanup
runs even on failure.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e9528f3e-959d-4016-a8d7-1cd7ccac53c9
📒 Files selected for processing (9)
- .github/workflows/cachix.yml
- .github/workflows/libmoq.yml
- .github/workflows/moq-gst.yml
- CLAUDE.md
- flake.nix
- nix/overlay.nix
- rs/libmoq/build.sh
- rs/moq-gst/README.md
- rs/moq-gst/build.sh
- name: Install Nix
  if: matrix.use_nix
  uses: DeterminateSystems/nix-installer-action@main
- name: Configure Nix cache
  if: matrix.use_nix
  uses: DeterminateSystems/magic-nix-cache-action@main
🧩 Analysis chain
🌐 Web query:
DeterminateSystems nix-installer-action latest version
💡 Result:
As of May 23, 2026, the latest version of the DeterminateSystems/nix-installer-action is v22, which was released on March 29, 2026 [1][2]. It is important to distinguish between the different GitHub Actions provided by Determinate Systems: 1. nix-installer-action: This action is used to install the Nix package manager [1]. Its latest version is v22 [1][2]. 2. determinate-nix-action: This is a separate action specifically designed to synchronize with Determinate Nix releases [1][3]. It uses semantic versioning corresponding to Determinate Nix releases (e.g., v3.x.y) [1][4]. For users who wish to pin their CI workflows to a specific version, the repository recommends using the determinate-nix-action, which is updated and tagged for every Determinate Nix release [1][4]. The nix-installer-action itself is primarily used for installing upstream Nix [4].
Citations:
- 1: https://github.com/DeterminateSystems/nix-installer-action
- 2: https://github.com/DeterminateSystems/nix-installer-action/releases/tag/v22
- 3: https://github.com/determinatesystems/determinate-nix-action
- 4: https://github.com/determinateSystems/nix-installer?tab=readme-ov-file
🌐 Web query:
DeterminateSystems magic-nix-cache-action latest version
💡 Result:
The latest released version of DeterminateSystems/magic-nix-cache-action is v13 (released 2025-07-15T02:38:56Z) [1]. In GitHub Actions you can typically either:
- pin to the latest release tag: DeterminateSystems/magic-nix-cache-action@v13 [1]
- or track the moving default branch: DeterminateSystems/magic-nix-cache-action@main (example usage shown in the project README) [2].
Citations:
- 1: https://github.com/DeterminateSystems/magic-nix-cache-action
- 2: https://github.com/DeterminateSystems/magic-nix-cache/blob/main/README.md
Pin DeterminateSystems GitHub Actions to release tags instead of @main.
Tracking @main can pull breaking upstream changes or introduce supply-chain risk. Pin to the latest released tags: nix-installer-action@v22 and magic-nix-cache-action@v13.
Suggested change
- name: Install Nix
if: matrix.use_nix
- uses: DeterminateSystems/nix-installer-action@main
+ uses: DeterminateSystems/nix-installer-action@v22
- name: Configure Nix cache
if: matrix.use_nix
- uses: DeterminateSystems/magic-nix-cache-action@main
+ uses: DeterminateSystems/magic-nix-cache-action@v13
📝 Committable suggestion
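Review bot: `@v22` and `@v13` are still mutable tags, so this change does not clear the zizmor unpinned-uses errors reported below, which require a hash pin; to satisfy them, pin each action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<full-commit-sha>  # v22`. The separate cache-poisoning finding on the magic-nix-cache step is unaffected by either ref change.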
Original:
- name: Install Nix
  if: matrix.use_nix
  uses: DeterminateSystems/nix-installer-action@main
- name: Configure Nix cache
  if: matrix.use_nix
  uses: DeterminateSystems/magic-nix-cache-action@main
Suggested:
- name: Install Nix
  if: matrix.use_nix
  uses: DeterminateSystems/nix-installer-action@v22
- name: Configure Nix cache
  if: matrix.use_nix
  uses: DeterminateSystems/magic-nix-cache-action@v13
🧰 Tools
🪛 zizmor (1.25.2)
[error] 43-43: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 46-46: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 46-46: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): enables caching by default
(cache-poisoning)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/libmoq.yml around lines 41 - 46, The workflow currently
references DeterminateSystems actions using the unstable refs
"DeterminateSystems/nix-installer-action@main" and
"DeterminateSystems/magic-nix-cache-action@main"; change these to the stable
released tags by updating the action refs to
"DeterminateSystems/nix-installer-action@v22" and
"DeterminateSystems/magic-nix-cache-action@v13" respectively (update the two
occurrences where the actions are used in the Install Nix and Configure Nix
cache steps).
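The pinning point raised in this comment, as an added example that is not part of the PR or of CodeRabbit's output: a POSIX-sh check that lists every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA, the condition zizmor's unpinned-uses rule reports above. The sample workflow and the SHA inside it are constructed for the demonstration.

```shell
# Added example (not from the PR or CodeRabbit): list `uses:` references in a
# GitHub Actions workflow that are not pinned to a full commit SHA. Tags (@v22)
# and branches (@main) can be moved by an action's maintainers; a 40-hex SHA cannot.

# list_unpinned FILE: print one line per unpinned `uses:` reference.
list_unpinned() {
    # 1) take the value of every `uses:` key, with or without a leading "- "
    # 2) drop trailing comments and surrounding quotes
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" |
    sed 's/[[:space:]]*#.*$//; s/^["'\'']//; s/["'\'']$//' |
    while IFS= read -r ref; do
        case "$ref" in
            "" | ./* | docker://*) continue ;;  # local actions and images: out of scope
        esac
        target="${ref%%@*}"
        pin="${ref#*@}"
        if [ "$pin" = "$ref" ]; then
            printf '%s (no @ref)\n' "$target"
        elif [ "${#pin}" -ne 40 ]; then
            printf '%s@%s (tag, branch or short hash)\n' "$target" "$pin"
        else
            case "$pin" in
                *[!0-9a-f]*) printf '%s@%s (not hexadecimal)\n' "$target" "$pin" ;;
            esac
        fi
    done
}

# count_unpinned FILE: number of unpinned references; 0 means fully pinned.
count_unpinned() {
    list_unpinned "$1" | wc -l | tr -d ' '
}

# Constructed sample workflow: the two DeterminateSystems steps from the PR,
# one checkout pinned to a made-up SHA, and a local composite action.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # made-up SHA
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@main
      - name: Configure Nix cache
        uses: "DeterminateSystems/magic-nix-cache-action@v13"
      - uses: ./.github/actions/local-action
EOF
list_unpinned "$SAMPLE"
```

Running it against the sample reports the two DeterminateSystems steps and nothing else.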
The mktemp -d directory holding the nix --out-link result was never removed. CI runners are ephemeral so this never mattered there, but local invocations leave one stale dir in /tmp per build. https://claude.ai/code/session_01658i2aBWSxEZvVggb1aLkU
Summary
- .github/workflows/moq-gst.yml: builds the GStreamer plugin on every moq-gst-v* tag for x86_64/aarch64 Linux + macOS via nix build .#moq-gst, then assembles tarballs and attaches them to a GitHub release.
- nix/overlay.nix gains libmoq and moq-gst derivations and they're re-exported from flake.nix. The libmoq derivation lays out the staticlib plus header, pkg-config, and CMake config files in the same on-disk shape the existing release tarballs already publish (so downstream find_package(moq) consumers don't notice). The moq-gst derivation strips nix-store paths from the produced cdylib so it loads against the user's system GStreamer:
  - patchelf --remove-rpath (DT_NEEDED stays as the stable SONAME libgstreamer-1.0.so.0, which any distro with GStreamer 1.24+ resolves).
  - install_name_tool -change /nix/store/... @rpath/... for each gstreamer dylib reference, plus three pre-baked rpaths covering brew on Apple Silicon, brew on Intel, and the official .pkg framework install. Users who put GStreamer somewhere else can set DYLD_FALLBACK_LIBRARY_PATH.
- rs/libmoq/build.sh rewritten to a thin nix build wrapper on Linux/macOS; Windows keeps the existing direct cargo path because Nix on the Windows runner isn't practical. The universal-apple-darwin matrix entry is dropped now that we have native per-arch macOS runners.
- rs/moq-gst/build.sh (new) is the equivalent thin wrapper for the plugin: nix build + tarball assembly with README + LICENSE files.
- .github/workflows/libmoq.yml switches Linux/macOS jobs to the Nix path (DeterminateSystems/nix-installer-action + magic-nix-cache-action) and points aarch64-unknown-linux-gnu at the native ubuntu-24.04-arm runner.
- cachix.yml adds libmoq-v* and moq-gst-v* triggers and builds both packages, so Cachix users (cachix use kixelated) get pre-built artifacts.
- rs/moq-gst/README.md gets an Install section walking through download + install location per platform.
- CLAUDE.md adds a CI tooling note steering future release pipelines toward nix build .#pkg for reproducibility instead of relying on apt/brew packages on the runner.
Test plan
Before merging, verify the new workflow end-to-end without committing to a real tag:
- workflow_dispatch: to .github/workflows/moq-gst.yml on this branch and trigger it; confirm all four matrix jobs go green and that artifacts upload.
- moq-gst-v0.0.0-test) and confirm the release job creates a draft release with four .tar.gz files. Delete the test tag/release after.
- libmoq.yml to make sure the nix-converted Linux/macOS jobs still produce tarballs equivalent to the previous cargo-built ones (diff layout against an existing libmoq release).
Local sanity (needs Nix + GStreamer):
- nix build .#libmoq, then verify result/lib/libmoq.a, result/include/moq.h, result/lib/pkgconfig/moq.pc, result/lib/cmake/moq/moq-config.cmake all exist.
- nix build .#moq-gst, then patchelf --print-rpath result/lib/libgstmoq.so is empty on Linux, and ldd result/lib/libgstmoq.so resolves libgstreamer-1.0.so.0 against /usr/lib/... rather than nix store. On macOS, otool -L shows @rpath/... and otool -l | grep -A2 LC_RPATH lists the three pre-baked locations.
- ./rs/moq-gst/build.sh --output /tmp/dist → extract the tarball, export GST_PLUGIN_PATH=$(pwd)/.../lib, gst-inspect-1.0 moq lists moqsink and moqsrc.
First real release:
- git tag moq-gst-v0.2.3 && git push origin moq-gst-v0.2.3. Confirm all four artifacts attach. Download one on a clean machine with a stock GStreamer install and run gst-inspect-1.0 moq.
https://claude.ai/code/session_01658i2aBWSxEZvVggb1aLkU
Generated by Claude Code