parallelize CI

.github/workflows/test.yml

@@ -23,21 +23,10 @@ jobs:
       with:
         name: mic92
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-    - name: Show nixpkgs version
-      run: nix-instantiate --eval -E '(import <nixpkgs> {}).lib.version'
-    - name: Run golangci-lint
-      run: nix-shell --pure --run "golangci-lint run"
-      if: matrix.nixPath == 'nixpkgs=channel:nixpkgs-unstable'
-    - name: Build nix packages
-      run: nix-build release.nix
-    - name: Run sops-pgp-hook tests
-      run: nix-shell --pure --run "NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs) go test ./pkgs/sops-pgp-hook"
     - name: Add keys group (needed for go tests)
       run: sudo groupadd keys
       if: matrix.os == 'ubuntu-latest'
-    - name: Run sops-install-secrets tests
-      run: nix-shell --pure --run "$(command -v sudo) unshare --mount --fork go test ./pkgs/sops-install-secrets"
-      if: matrix.os == 'ubuntu-latest'
-    - name: Run NixOS test
-      run: nix-build -A sops-install-secrets.tests
-      if: matrix.os == 'ubuntu-latest'
+    - name: Build nix packages
+      run: nix-build --no-out-link release.nix
+    - name: Run unit tests
+      run: nix-shell --no-out-link ./unit-tests.nix --argstr sudo "$(command -v sudo)" --pure --run 'true'

default.nix

@@ -1,13 +1,44 @@
 { pkgs ? import <nixpkgs> {} }: let
   vendorSha256 = "sha256-O0z+oEffOOZa/bn2gV9onLVbPBHsNDH2yq1CZPi8w58=";
-in rec {
-  sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {};
+
   sops-install-secrets = pkgs.callPackage ./pkgs/sops-install-secrets {
     inherit vendorSha256;
   };
-  sops-pgp-hook = pkgs.callPackage ./pkgs/sops-pgp-hook {};
+in rec {
+  sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {};
+  sops-pgp-hook = pkgs.callPackage ./pkgs/sops-pgp-hook { };
+  inherit sops-install-secrets;
 
   ssh-to-pgp = pkgs.callPackage ./pkgs/ssh-to-pgp {
     inherit vendorSha256;
   };
-}
+
+  inherit (sops-install-secrets);
+
+  # used in the CI only
+  sops-pgp-hook-test = pkgs.buildGoModule {
+    name = "sops-pgp-hook-test";
+    src = ./.;
+    inherit vendorSha256;
+    buildPhase = ''
+      go test -c ./pkgs/sops-pgp-hook
+      install -D sops-pgp-hook.test $out/bin/sops-pgp-hook.test
+    '';
+  };
+
+  unit-tests = pkgs.callPackage ./unit-tests.nix {};
+
+  lint = ssh-to-pgp.overrideAttrs (old: {
+    name = "golangci-lint";
+    nativeBuildInputs = old.nativeBuildInputs ++ [ pkgs.golangci-lint ];
+    buildPhase = ''
+      HOME=$TMPDIR golangci-lint run
+    '';
+    installPhase = ''
+      touch $out
+    '';
+    fixupPhase = ":";
+  });
+
+# integration tests
+} // pkgs.lib.optionalAttrs (pkgs.stdenv.isLinux) sops-install-secrets.tests

pkgs/sops-install-secrets/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, buildGoModule, path, pkgs, vendorSha256 }:
+{ stdenv, buildGoModule, path, pkgs, vendorSha256, go }:
 buildGoModule {
   pname = "sops-install-secrets";
   version = "0.0.1";
@@ -15,6 +15,14 @@ buildGoModule {
     inherit pkgs;
   };
 
+  outputs = [ "out" "unittest" ];
+
+  postBuild = ''
+    go test -c ./pkgs/sops-install-secrets
+    install -D ./sops-install-secrets.test $unittest/bin/sops-install-secrets.test
+    remove-references-to -t ${go} $unittest/bin/sops-install-secrets.test
+  '';
+
   inherit vendorSha256;
 
   meta = with stdenv.lib; {

pkgs/sops-install-secrets/main_test.go

@@ -46,6 +46,10 @@ func writeManifest(t *testing.T, dir string, m *manifest) string {
 }
 
 func testAssetPath() string {
+	assets := os.Getenv("TEST_ASSETS")
+	if assets != "" {
+		return assets
+	}
 	_, filename, _, _ := runtime.Caller(0)
 	return path.Join(path.Dir(filename), "test-assets")
 }

pkgs/sops-pgp-hook/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, makeSetupHook, gnupg, sops, go, nix }:
+{ stdenv, makeSetupHook, gnupg, sops, nix }:
 
 (makeSetupHook {
   substitutions = {

pkgs/sops-pgp-hook/hook_test.go

@@ -23,8 +23,11 @@ func ok(tb testing.TB, err error) {
 }
 
 func TestShellHook(t *testing.T) {
-	_, filename, _, _ := runtime.Caller(0)
-	assets := path.Join(path.Dir(filename), "test-assets")
+	assets := os.Getenv("TEST_ASSETS")
+	if assets == "" {
+		_, filename, _, _ := runtime.Caller(0)
+		assets = path.Join(path.Dir(filename), "test-assets")
+	}
 	tempdir, err := ioutil.TempDir("", "testdir")
 	ok(t, err)
 	defer os.RemoveAll(tempdir)

unit-tests.nix

@@ -0,0 +1,29 @@
+{ pkgs ? import <nixpkgs> {}
+, sudo ? "sudo"
+}:
+let
+  sopsPkgs = import ./. { inherit pkgs; };
+in pkgs.stdenv.mkDerivation {
+  name = "env";
+  nativeBuildInputs = with pkgs; [
+    bashInteractive
+    gnupg
+    utillinux
+    nix
+    sopsPkgs.sops-pgp-hook-test
+  ] ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
+  # allow to prefetch shell dependencies in build phase
+  dontUnpack = true;
+  installPhase = ''
+    echo $nativeBuildInputs > $out
+  '';
+  shellHook = ''
+    set -x
+    NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
+      sops-pgp-hook.test
+    ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
+      ${sudo} TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
+        unshare --mount --fork sops-install-secrets.test
+    ''}
+  '';
+}