ci: Custom GitHub Runners for Nix Builds (#1745)

* chores(ci): opted-out nix-fast-build

* chores(ci): set up nix-github-actions

* chores(ci): comment out vestigal testinfra-ami-build

* chores(ci): use custom github runners

* chores(ci): use nix-eval-jobs and sets AWS creds to /etc/nix/aws

* feat(ci): do not build if already cached

* chore: improve reproducibility of postgresql builds

Do not create postgresql package that depends on the runtime evaluation context as
that harms reproducibility.

* chore: remove nix-github-actions dependency

* feat(ci): split nix build workflow into separate extensions and checks jobs

Split the monolithic nix-build job into two workflows:
one for building PostgreSQL extensions and another for checks.

Building extensions can be resource-intensive and time-consuming, 
so isolating them allows for better resource allocation and parallelism.

Once they are built, the checks job can run tests and validations
on the already built extensions.

* feat(ci): extract nix build setup into reusable action and split builds by architecture

Extract AWS credential setup and nix build steps into a composite action
to reduce duplication. Split extension builds into separate jobs per
architecture (aarch64-linux, aarch64-darwin, x86_64-linux) and update
matrix generation to group packages by system.

* fix(ci): do not hide cached builds

* Revert "fix(ci): do not hide cached builds"

This reverts commit 9d41b1e.

* chore: Temporarily disable x86_64-linux builds

We don't have a self hosted runner for x86_64-linux at the moment

* fix: sort packages and filter out cached ones

* fix: do not skip checks-matrix if dependencies are skipped

* fix: do not return debug fields in GitHub Actions matrix output

* debugging

* fix(ci): use !cancelled() instead of always() for dependent job conditions

Replace always() with !cancelled() to prevent jobs from running when the workflow
is cancelled. Add explicit success/skip conditions for dependent jobs to ensure
proper workflow execution flow.

* fix(ci): stop chaining aws roles

We couldn't set duration to 18000 seconds when chaining roles.

* ci: run nixos test on aarch64-linux

* fix(ci): disable eval-cache and accept-flake-config

* ci: split checks build jobs by system architecture

Refactor GitHub Actions workflow to run build checks in parallel across different
architectures (aarch64-linux, aarch64-darwin) with separate job matrices.

* fix(ci): use correct architecture name in aarch64-linux builds

* fix(ci): do not try to build already cached checks

* fix(ci): simplify GitHub Actions workflow for Nix builds

Create a single nix-eval job to determine packages to build, removing
redundant extension and check matrices.

* Revert "chores(ci): comment out vestigal testinfra-ami-build"

This reverts commit e2db368.

* feat(ci): eval on blacksmith-32vcpu-ubuntu-2404

* feat: add ephemeral Nix install action for GitHub runners

* refactor(ci): extract nix eval into reusable workflow

* feat: enable x86_64-linux builds in CI

* feat: add PostgreSQL version to GitHub Actions job names

When building a postgres extension, the build matrix may include
multiple time the same extension for different PostgreSQL versions.
This change makes it easier to identify which job corresponds to which PostgreSQL
version in the workflow runs.

* fix: disable treefmt flake check

treefmt is already included in the pre-commit hooks check.

* feat: run actionlint on new GitHub Actions workflows

* chore: improve github matrix script type annotations

* feat: optimize CI runner selection based on package size

Dynamically assign larger runners (32vcpu) for Rust and PostGIS extensions
while using smaller runners (8vcpu) for standard packages.

* chore: fix package meta maintainers format

* chore: create a nix package for generating GitHub Actions matrix

Add pytest tests for the package
Add nix-eval-jobs in path for the package

* fix: configure runner according to the matrix job

The matrix job returns the type of runner, so we can configure the nix
installation step accordingly.

* Update nix-eval-jobs

Our changes were merged upstream, so we can now track the original
repository again.

* refactor(ci): standardize nix installation and disable cache push by default

- Replace DeterminateSystems/nix-installer-action with custom nix-install-ephemeral action across all workflows
- Change default push-to-cache from 'true' to 'false' to prevent unnecessary nix/aws configurations
- Explicitly enable push-to-cache only for nix-build and nix-eval workflows where caching is beneficial

* feat: use big-parallel to identify large packages

* fix(ci): ensure x86_64-linux build is considered in testinfra and test workflows

* fix: nix devShell inclusion condition

* fix(ci): eval should fail if github-matrix run fails

* fix(ci): remove redundant build psql bundle step

* fix: reduce ARM runner size from 8vcpu to 4vcpu for ephemeral builds

We might not need the full 8vcpu for aarch64-linux builds, so this
change reduces the runner size to 4vcpu to wait less for available
blacksmith runners.

* feat: do not return empty matrices if no package has to be built

* feat: fail pipeline if nix evaluation fails

* Update nix/ext/pgvector.nix

Co-authored-by: samrose <samuel@supabase.io>

* fix: add skip job only for systems that don't have any job

* fix(github-matrix): handle evaluation errors without deadlock

Fix github-matrix that would hang when nix-eval-jobs encountered errors due to subprocess pipe deadlock - stderr buffer would fill while reading stdout.

This change ensure that evaluation errors are visible and the workflow fails properly while still showing which packages succeeded.

* feat(github-matrix): integrate github-action-utils for better error visibility

Integrates github-action-utils library to improve error and warning
visibility in GitHub Actions UI through workflow command annotations.

* feat(github-matrix): group evaluation errors by message

Refactor error handling to collect and group evaluation errors similar to warnings. Errors with the same message are now displayed together with a list of affected attributes.

* fix(github-matrix): improve multiline error display in GitHub Actions

Extract core error messages and format them better for GitHub Actions
annotations.

* fix(ci): skip run-testinfra and run-tests when nix-eval fails

Add nix-eval to needs dependencies and check its result in conditional expressions to prevent downstream test jobs from running when evaluation fails.

* chore(github-matrix): update message when there are no build for a system

* fix(github-matrix): backward compatibility for Result access

We are running an older version of the 'result' library that uses
'_value' instead of 'ok_value' to access the successful result of a
computation.

* refactor: migrate from packages to legacyPackages for PostgreSQL extensions

To be able to build extensions versions packages separately in CI, we
need to expose them in a nested structure. It is currently not possible
to do so with the flattened packages structure, as the individual
extension packages are not directly accessible.

In this change, we replace the flattened package structure with nested
legacyPackages to improve discoverability of individual extension
packages.

* refactor(nix): remove "-all" suffix from extension package names

Simplify extension package naming by removing the redundant "-all" suffix that was appended to pname attributes.

* refactor(ci): split nix build jobs into separate packages and checks workflows

To make sure we only build what is necessary, we start building packages first, 
then run checks once all packages are built successfully.

* feat: use 8 vCPU runner for aarch64 builds

Use the same 8 vCPU runner for aarch64 builds as used for x86_64 builds to improve build performance.

* feat(ci): test blacksmith stickydisk for eval

---------

Co-authored-by: Jean-François Roche <jfroche@pyxel.be>
Co-authored-by: samrose <samuel@supabase.io>

Author: 3 people

.github/actionlint.yaml

@@ -0,0 +1,5 @@
+self-hosted-runner:
+  labels:
+    - aarch64-darwin
+    - aarch64-linux
+    - blacksmith-32vcpu-ubuntu-2404

.github/actions/nix-install-self-hosted/action.yml

@@ -0,0 +1,30 @@
+name: 'Configure Nix on self hosted runners'
+description: 'Sets up AWS credentials to push to the Nix binary cache'
+inputs:
+  aws-role-duration:
+    description: 'AWS role session duration in seconds'
+    required: false
+    default: '18000'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: aws-creds
+      uses: aws-actions/configure-aws-credentials@v4.3.1
+      with:
+        disable-retry: true
+        aws-region: us-east-2
+        role-to-assume: arn:aws:iam::436098097459:role/nix-artifacts-deploy-role # supabase-dev
+        role-session-name: gha-oidc-${{ github.run_id }}
+        role-duration-seconds: ${{ inputs.aws-role-duration }}
+
+    - name: Write creds files
+      shell: bash
+      run: |
+        umask 006
+        cat > /etc/nix/aws/nix-aws-credentials <<EOF
+        [ci-uploader]
+        aws_access_key_id = ${AWS_ACCESS_KEY_ID}
+        aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}
+        aws_session_token = ${AWS_SESSION_TOKEN}
+        EOF

.github/workflows/nix-build.yml

@@ -14,77 +14,201 @@ permissions:
   contents: write
   packages: write
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 jobs:
-  build-run-image:
+  nix-eval:
+    uses: ./.github/workflows/nix-eval.yml
+    secrets:
+      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+  nix-build-packages-aarch64-linux:
+    name: >-
+      ${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
+      (aarch64-linux)
+    needs: nix-eval
+    runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_linux != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 5
+      matrix: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_linux }}
+    steps:
+      - name: Checkout Repo
+        if: ${{ matrix.attr != '' }}
+        uses: actions/checkout@v4
+      - name: Install nix (ephemeral)
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'true'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Install nix (self-hosted)
+        if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
+        uses: ./.github/actions/nix-install-self-hosted
+      - name: nix build
+        if: ${{ matrix.attr != '' }}
+        shell: bash
+        run: nix build --accept-flake-config -L .#${{ matrix.attr }}
+
+  nix-build-checks-aarch64-linux:
+    name: >-
+      ${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
+      (aarch64-linux)
+    needs: [nix-eval, nix-build-packages-aarch64-linux]
+    runs-on: ${{ matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_linux != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 5
+      matrix: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_linux }}
+    steps:
+      - name: Checkout Repo
+        if: ${{ matrix.attr != '' }}
+        uses: actions/checkout@v4
+      - name: Install nix (ephemeral)
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'true'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Install nix (self-hosted)
+        if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
+        uses: ./.github/actions/nix-install-self-hosted
+      - name: nix build
+        if: ${{ matrix.attr != '' }}
+        shell: bash
+        run: nix build --accept-flake-config -L .#${{ matrix.attr }}
+
+  nix-build-packages-aarch64-darwin:
+    name: >-
+      ${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
+      (aarch64-darwin)
+    needs: nix-eval
+    runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_darwin != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 5
+      matrix: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).aarch64_darwin }}
+    steps:
+      - name: Checkout Repo
+        if: ${{ matrix.attr != '' }}
+        uses: actions/checkout@v4
+      - name: Install nix
+        if: ${{ matrix.attr != '' }}
+        uses: ./.github/actions/nix-install-self-hosted
+      - name: nix build
+        if: ${{ matrix.attr != '' }}
+        shell: bash
+        run: nix build --accept-flake-config -L .#${{ matrix.attr }}
+
+  nix-build-checks-aarch64-darwin:
+    name: >-
+      ${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
+      (aarch64-darwin)
+    needs: [nix-eval, nix-build-packages-aarch64-darwin]
+    runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_darwin != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 5
+      matrix: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).aarch64_darwin }}
+    steps:
+      - name: Checkout Repo
+        if: ${{ matrix.attr != '' }}
+        uses: actions/checkout@v4
+      - name: Install nix
+        if: ${{ matrix.attr != '' }}
+        uses: ./.github/actions/nix-install-self-hosted
+      - name: nix build
+        if: ${{ matrix.attr != '' }}
+        shell: bash
+        run: nix build --accept-flake-config -L .#${{ matrix.attr }}
+
+  nix-build-packages-x86_64-linux:
+    name: >-
+      ${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
+      (x86_64-linux)
+    needs: nix-eval
+    runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).x86_64_linux != null }}
     strategy:
       fail-fast: false
-      matrix:
-        include:
-          - runner: blacksmith-32vcpu-ubuntu-2404
-            arch: amd64
-          - runner: blacksmith-32vcpu-ubuntu-2404-arm
-            arch: arm64
-          - runner: macos-latest-xlarge
-            arch: arm64
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 180
+      max-parallel: 5
+      matrix: ${{ fromJSON(needs.nix-eval.outputs.packages_matrix).x86_64_linux }}
     steps:
       - name: Checkout Repo
-        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: ./.github/actions/nix-install-ephemeral
+        if: ${{ matrix.attr != '' }}
+        uses: actions/checkout@v4
+      - name: Install nix
+        if: ${{ matrix.attr != '' }}
+        uses: ./.github/actions/nix-install-ephemeral
         with:
-          push-to-cache: ${{ github.secret_source == 'Actions' && 'true' || 'false' }}
+          push-to-cache: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
-      - name: Aggressive disk cleanup for DuckDB build
-        if: matrix.runner == 'macos-latest-xlarge'
-        run: |
-          nix --version
-          echo "=== BEFORE CLEANUP ==="
-          df -h
-          # Remove major space consumers
-          sudo rm -rf /usr/share/dotnet || true
-          sudo rm -rf /usr/local/lib/android || true
-          sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform || true
-          sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/watchOS.platform || true
-          sudo rm -rf /Applications/Xcode.app/Contents/Developer/Platforms/tvOS.platform || true
-          # Clean everything possible
-          sudo rm -rf /opt/ghc || true
-          sudo rm -rf /usr/local/share/boost || true
-          sudo rm -rf /opt/homebrew || true
-          sudo xcrun simctl delete all 2>/dev/null || true
-          # Aggressive cache cleanup
-          sudo rm -rf /System/Library/Caches/* 2>/dev/null || true
-          sudo rm -rf /Library/Caches/* 2>/dev/null || true
-          sudo rm -rf ~/Library/Caches/* 2>/dev/null || true
-          sudo rm -rf /private/var/log/* 2>/dev/null || true
-          sudo rm -rf /tmp/* 2>/dev/null || true
-          echo "=== AFTER CLEANUP ==="
-          df -h
-      -
-        name: Build psql bundle
-        run: >
-          nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48"
-          -- --skip-cached --no-nom ${{ matrix.runner == 'macos-latest-xlarge' && '--max-jobs 1' || '' }} --copy-to "s3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key"
-          --flake ".#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem')"
+      - name: nix build
+        if: ${{ matrix.attr != '' }}
+        shell: bash
+        run: nix build --accept-flake-config -L .#${{ matrix.attr }}
+
+  nix-build-checks-x86_64-linux:
+    name: >-
+      ${{ matrix.name }}${{ matrix.postgresql_version && format(' - Postgres {0}', matrix.postgresql_version) || '' }}
+      (x86_64-linux)
+    needs: [nix-eval, nix-build-packages-x86_64-linux]
+    runs-on: ${{ matrix.attr != '' && matrix.runs_on.group && matrix.runs_on || matrix.runs_on.labels }}
+    if: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).x86_64_linux != null }}
+    strategy:
+      fail-fast: false
+      max-parallel: 5
+      matrix: ${{ fromJSON(needs.nix-eval.outputs.checks_matrix).x86_64_linux }}
+    steps:
+      - name: Checkout Repo
+        if: ${{ matrix.attr != '' }}
+        uses: actions/checkout@v4
+      - name: Install nix
+        if: ${{ matrix.attr != '' }}
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'true'
         env:
-          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
-          AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: nix build
+        if: ${{ matrix.attr != '' }}
+        shell: bash
+        run: nix build --accept-flake-config -L .#${{ matrix.attr }}
 
   run-testinfra:
-    needs: build-run-image
-    if: ${{ success() }}
+    needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux, nix-build-packages-aarch64-darwin, nix-build-checks-aarch64-darwin, nix-build-packages-x86_64-linux, nix-build-checks-x86_64-linux]
+    if: |
+      !cancelled() &&
+      needs.nix-eval.result == 'success' &&
+      (needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
+      (needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success') &&
+      (needs.nix-build-packages-aarch64-darwin.result == 'skipped' || needs.nix-build-packages-aarch64-darwin.result == 'success') &&
+      (needs.nix-build-checks-aarch64-darwin.result == 'skipped' || needs.nix-build-checks-aarch64-darwin.result == 'success') &&
+      (needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
+      (needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
     uses: ./.github/workflows/testinfra-ami-build.yml
     secrets:
       DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
 
   run-tests:
-    needs: build-run-image
-    if: ${{ success() }}
+    needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux, nix-build-packages-aarch64-darwin, nix-build-checks-aarch64-darwin, nix-build-packages-x86_64-linux, nix-build-checks-x86_64-linux]
+    if: |
+      !cancelled() &&
+      needs.nix-eval.result == 'success' &&
+      (needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
+      (needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success') &&
+      (needs.nix-build-packages-aarch64-darwin.result == 'skipped' || needs.nix-build-packages-aarch64-darwin.result == 'success') &&
+      (needs.nix-build-checks-aarch64-darwin.result == 'skipped' || needs.nix-build-checks-aarch64-darwin.result == 'success') &&
+      (needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
+      (needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
     uses: ./.github/workflows/test.yml

.github/workflows/nix-eval.yml

@@ -0,0 +1,54 @@
+name: Nix Eval
+
+on:
+  workflow_call:
+    outputs:
+      packages_matrix:
+        description: 'Generated build matrix for packages'
+        value: ${{ jobs.eval.outputs.packages_matrix }}
+      checks_matrix:
+        description: 'Generated build matrix for checks'
+        value: ${{ jobs.eval.outputs.checks_matrix }}
+    secrets:
+      DEV_AWS_ROLE:
+        required: false
+      NIX_SIGN_SECRET_KEY:
+        required: false
+
+jobs:
+  eval:
+    runs-on: blacksmith-32vcpu-ubuntu-2404
+    outputs:
+      packages_matrix: ${{ steps.set-matrix.outputs.packages_matrix }}
+      checks_matrix: ${{ steps.set-matrix.outputs.checks_matrix }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'true'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Restart Nix Daemon
+        run: |
+          sudo mv /nix/var/nix/daemon-socket/socket /tmp
+      - name: Mount Nix cache disk
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-nix-cache-eval-${{ runner.os }}
+          path: /nix
+      - name: Restart Nix Daemon
+        run: |
+          sudo systemctl restart nix-daemon.service nix-daemon.socket
+      - id: set-matrix
+        name: Generate Nix Matrix
+        run: |
+          set -Eeu -o pipefail
+          nix run --accept-flake-config .\#github-matrix -- checks legacyPackages
+
+          sudo systemctl stop nix-daemon.socket || true
+          sudo systemctl stop nix-daemon.service || true
+          sudo pkill -9 nix-daemon || true
+          sleep 2