chore: enable CI

.github/workflows/push_build_devShells.yaml

@@ -0,0 +1,134 @@
+---
+name: "push: build and cache devShells"
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  artifacts:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    permissions:
+      id-token: write
+      contents: write
+
+    strategy:
+      matrix:
+        platform:
+          - x86_64
+          - aarch64
+      fail-fast: true
+
+    steps:
+    - name: "Check out repository"
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Configure aws
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
+        aws-region: eu-central-1
+
+    - uses: nixbuild/nix-quick-install-action@v26
+      with:
+        nix_version: 2.16.2
+        nix_conf: |
+          experimental-features = nix-command flakes
+          sandbox = false
+          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
+          trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
+          builders-use-substitutes = true
+
+    - name: "Verify if we need to build"
+      id: verify-build
+      run: |
+        export build_dry_run_output=$(make build-dry-run ARCH=${{ matrix.platform }})
+        export drvPath=$(echo "$build_dry_run_output" | grep -oE '"out":.*"' | awk -F\" '{ print $4 }')
+        nix store verify --store s3://nhost-nix-cache?region=eu-central-1 $drvPath \
+          && export BUILD_NEEDED=no \
+          || export BUILD_NEEDED=yes
+        echo BUILD_NEEDED=$BUILD_NEEDED >> $GITHUB_OUTPUT
+
+    - name: "Setup nix-remote-builder"
+      uses: dbarrosop/[email protected]
+      id: nix-remote-builder
+      with:
+        name: ${{ inputs.NAME }}-${{ inputs.GIT_REF }}
+        ami: ami-0a6fe6f4f55f8421a
+        instance-type: 't4g.xlarge'
+        region: "eu-central-1"
+        availability-zone: "eu-central-1c"
+        ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+      if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
+
+    - name: "Setup nix-remote-builder in nix.conf"
+      run: |
+          echo "builders = ssh://${{ steps.nix-remote-builder.outputs.publicDnsName }} aarch64-linux;" >> ~/.config/nix/nix.conf
+      if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
+
+    - name: Cache nix store
+      uses: actions/cache@v4
+      with:
+        path: |
+          /nix/store/**
+          /nix/var/nix/*/*
+          /nix/var/nix/db/*
+          /nix/var/nix/db/*/**
+          !/nix/var/nix/daemon-socket/socket
+          !/nix/var/nix/userpool/*
+          !/nix/var/nix/gc.lock
+          !/nix/var/nix/db/big-lock
+          !/nix/var/nix/db/reserved
+        key: nix-${{ inputs.NAME }}-build-${{ runner.os }}-${{ matrix.platform }}-${{ hashFiles('nix/**.nix', 'flake.nix', 'flake.lock', '${{ inputs.PROJECT }}/**.nix') }}
+        restore-keys: nix-${{ inputs.NAME }}-build-${{ runner.OS }}-${{ matrix.platform }}-main
+      if: ${{ steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
+
+    - uses: docker/setup-qemu-action@v3
+      if: ${{ ( matrix.platform == 'aarch64' ) }}
+
+    - name: "Wait for remote builder to be ready"
+      run: |
+        set +e
+        max_attempts=6
+        retry_interval=10
+
+        attempt=1
+        while [ "$attempt" -le "$max_attempts" ]; do
+            echo "Checking SSH connection (attempt $attempt)..."
+            nc -zv ${{ steps.nix-remote-builder.outputs.publicDnsName }} 22
+            if [ $? -eq 0 ]; then
+                echo "success"
+                break
+            else
+                echo "SSH connection failed."
+                if [ "$attempt" -lt "$max_attempts" ]; then
+                    echo "Retrying in $retry_interval seconds..."
+                    sleep "$retry_interval"
+                else
+                    echo "Exceeded maximum connection attempts."
+                    exit 1
+                fi
+            fi
+            ((attempt++))
+        done
+      if: ${{ ( matrix.platform == 'aarch64' ) && steps.verify-build.outputs.BUILD_NEEDED == 'yes' }}
+
+    - name: "Build"
+      run: |
+        make build ARCH=${{ matrix.platform }}
+
+    - name: "Cache nix store on s3"
+      run: |
+        echo ${{ secrets.NIX_CACHE_PRIV_KEY }} > cache-priv-key.pem
+        nix store sign --key-file cache-priv-key.pem --all
+        find /nix/store -maxdepth 1 -name "*-*" -type d | xargs -n 1000 nix copy --to s3://nhost-nix-cache\?region=eu-central-1
+      if: always()
+
+    - run: rm cache-priv-key.pem || echo "file not found"
+      if: always()

.github/workflows/schedule_update_deps.yaml

@@ -0,0 +1,67 @@
+---
+name: "gen: update depenendencies"
+on:
+  schedule:
+    - cron: '0 2 27 * *'
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Configure aws
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: arn:aws:iam::${{ secrets.AWS_PRODUCTION_CORE_ACCOUNT_ID }}:role/github-actions-nhost-${{ github.event.repository.name }}
+        aws-region: eu-central-1
+
+    - uses: nixbuild/nix-quick-install-action@v26
+      with:
+        nix_version: 2.16.2
+        nix_conf: |
+          experimental-features = nix-command flakes
+          sandbox = false
+          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+          substituters = https://cache.nixos.org/?priority=40 s3://nhost-nix-cache?region=eu-central-1&priority=50
+          trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ${{ secrets.NIX_CACHE_PUB_KEY }}
+
+    - name: Cache nix store
+      uses: actions/cache@v4
+      with:
+        path: /nix
+        key: nix-update-deps-${{ hashFiles('flakes.nix', 'flake.lock') }}
+
+    - name: Update nix flakes
+      run: nix flake update
+
+    - name: Create Pull Request
+      uses: peter-evans/create-pull-request@v5
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        commit-message: Update dependencies
+        committer: GitHub <[email protected]>
+        author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+        signoff: false
+        branch: automated/update-deps
+        delete-branch: true
+        title: '[Scheduled] Update dependencies'
+        body: |
+          Dependencies updated
+
+          Note - If you see this PR and the checks haven't run, close and reopen the PR. See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs
+        labels: |
+          dependencies
+        draft: false
+
+    - run: rm cache-priv-key.pem
+      if: always()

Makefile

@@ -0,0 +1,30 @@
+ifeq ($(shell uname -m),x86_64)
+  ARCH?=x86_64
+else ifeq ($(shell uname -m),arm64)
+  ARCH?=aarch64
+endif
+
+ifeq ($(shell uname -o),Darwin)
+  OS?=darwin
+else
+  OS?=linux
+endif
+
+ifeq ($(CI),true)
+  build-options=--option system $(ARCH)-linux --extra-platforms ${ARCH}-linux
+endif
+
+.PHONY: build
+build:  ## Build application and places the binary under ./result/bin
+	nix build $(build-options) \
+		--print-build-logs \
+		.\#devShells.$(ARCH)-$(OS).default
+
+
+.PHONY: build-dry-run
+build-dry-run:  ## Run nix flake check
+	nix build $(build-options) \
+		--dry-run \
+		--json \
+		--print-build-logs \
+		.\#devShells.$(ARCH)-$(OS).default

flake.nix

@@ -48,7 +48,7 @@
               gqlgenc
               oapi-codegen
               nhost-cli
-              postgresql_146
+              # postgresql_146
               postgresql_146-client
             ];
           };

overlays/nhost-cli.nix

@@ -6,6 +6,14 @@ let
       url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-darwin-arm64.tar.gz";
       sha256 = "0g7zq4qc2jvkj1kd9kd2y1j1hjbpcylg7p8v8v3nhnyvk9li0vgn";
     };
+    x86_64-darwin = rec {
+      url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-darwin-amd64.tar.gz";
+      sha256 = "0kh593iby5sfsdki2g52f3clkcmhaa3jcxiq3b0a47cw89vrnxic";
+    };
+    aarch64-linux = rec {
+      url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-linux-arm64.tar.gz";
+      sha256 = "0nr3wnkl4id4xzzypz9k5l52i221cv91310d2swd4a7ifn39v42q";
+    };
     x86_64-linux = rec {
       url = "https://github.com/nhost/cli/releases/download/${version}/cli-${version}-linux-amd64.tar.gz";
       sha256 = "13fr478klqbdbkdw3dwv1yhpz57zcj7jr2lp39cvac81187lgrz7";

overlays/nhost-cli.sh

@@ -0,0 +1,12 @@
+#1/usr/bin/env bash
+
+set -eou pipefail
+
+
+version="$1"
+echo "version: $version"
+
+nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-darwin-arm64.tar.gz
+nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-darwin-amd64.tar.gz
+nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-linux-arm64.tar.gz
+nix-prefetch-url --type sha256 https://github.com/nhost/cli/releases/download/"$version"/cli-"$version"-linux-amd64.tar.gz