Build MacOS lre-rs image

.github/workflows/image.yaml

@@ -23,13 +23,17 @@ jobs:
       fail-fast: false
       matrix:
         image: [image, nativelink-worker-init, nativelink-worker-lre-cc, nativelink-worker-lre-rs]
-    name: Publish ${{ matrix.image }}
-    runs-on: ubuntu-24.04
+        os: [ubuntu-24.04]
+        include:
+          - os: macos-26
+            image: nativelink-worker-lre-rs
+    name: Publish ${{ matrix.image }} / ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
     permissions:
       packages: write
       id-token: write
       security-events: write
-    timeout-minutes: 30
+    timeout-minutes: 90
     steps:
       - name: Checkout
         uses: >- # v6.0.2
@@ -40,9 +44,34 @@ jobs:
         with:
           nativelink_attic_token: ${{ secrets.NATIVELINK_ATTIC_TOKEN }}
 
+      - name: Set up Docker
+        id: docker
+        uses: >- # v5.2.0
+          docker/setup-docker-action@0234bb73ccb40f0c430b795634f9247e2b5c2d23
+        if: runner.os == 'macOS' # already setup for Linux
+        env:
+          # m1 chips, as seen in the GitHub CI, don't support nested hardware virtualization.
+          #
+          # We need `-machine virt` to stop Lima from providing `accel=hvf`due to this
+          # [QEMU issue](https://gitlab.com/qemu-project/qemu/-/issues/2981).
+          #
+          # We also need `-cpu *` to stop Lima from providing `-cpu host` as:
+          # 1) `-cpu host` requires `kvm` or `hvf` (which we don't have)
+          # 2) `-cpu host` implies `host-phys-bits=on` which is borked in this environment
+          # From which CPU to actually emulate, we choose what will be the most performant.
+          #
+          # We accomplish both of these goals with the methodology from
+          # [this comment](https://github.com/lima-vm/lima/pull/3173#issuecomment-2623130310).
+          QEMU_SYSTEM_AARCH64: "qemu-system-aarch64 -machine virt -cpu max,pmu=off,sve=on,sve128=on,sme=off,pauth=off"
+
+      - name: Set docker host
+        if: runner.os == 'macOS' # already setup for Linux
+        run: |
+          echo "DOCKER_HOST=${{steps.docker.outputs.sock}}" >> "$GITHUB_ENV"
+
       - name: Test image
         run: |
-          nix run --fallback .#local-image-test ${{ matrix.image }}
+          nix run --fallback --impure .#local-image-test ${{ matrix.image }}
 
       - name: Upload image
         run: |

tools/public/default.nix

@@ -3,7 +3,9 @@
 
   # Note: Only put tools here that should be usable from external flakes.
   nativelink-tools = {
-    local-image-test = final.callPackage ./local-image-test.nix {};
+    local-image-test = final.callPackage ./local-image-test.nix {
+      skopeo = nix2container.packages.${final.stdenv.hostPlatform.system}.skopeo-nix2container;
+    };
     publish-ghcr = final.callPackage ./publish-ghcr.nix {};
     create-local-image = final.callPackage ./create-local-image.nix {};
 

tools/public/local-image-test.nix

@@ -2,11 +2,13 @@
   dive,
   trivy,
   writeShellScriptBin,
+  skopeo,
 }:
 writeShellScriptBin "local-image-test" ''
-  set -xeuo pipefail
+  set -euo pipefail
 
   echo "Testing image: $1"
+  set -x
 
   # Commit hashes would not be a good choice here as they are not
   # fully dependent on the inputs to the image. For instance, amending
@@ -15,9 +17,16 @@ writeShellScriptBin "local-image-test" ''
   # didn't change.
   IMAGE_TAG=$(nix eval .#$1.imageTag --raw)
   IMAGE_NAME=$(nix eval .#$1.imageName --raw)
+  IMAGE=$(nix eval .#$1 --raw)
 
-  nix run .#$1.copyTo \
-    docker-daemon:''${IMAGE_NAME}:''${IMAGE_TAG}
+  # Inlining from https://github.com/nlewo/nix2container/blob/76be9608a7f4d6c985d28b0e7be903ae2547df3e/default.nix#L88
+  # so we can add parameters to skopeo
+  # nix run .#$1.copyTo \
+  #   docker-daemon:''${IMAGE_NAME}:''${IMAGE_TAG}
+  nix build .#$1
+  # Double-check available disk before we run skopeo
+  df -h
+  ${skopeo}/bin/skopeo --insecure-policy copy --dest-daemon-host=''${DOCKER_HOST:-unix:///var/run/docker.sock} nix:''${IMAGE} docker-daemon:''${IMAGE_NAME}:''${IMAGE_TAG}
 
   # Ensure that the image has minimal closure size.
   # TODO(palfrey): The default allows 10% inefficiency. Since we control all

typos.toml

@@ -3,10 +3,12 @@
 conly = "conly"
 
 [default]
-# Old wrong spelling support
 extend-ignore-re = [
+  # Old wrong spelling support
   "alias = \"Cachable\"",
   "old_unique_qualifier_cachable_works",
+  # Argument in .github/workflows/image.yaml
+  "sme=off",
 ]
 
 [files]