feat: enable sccache for cargo-pgrx builds in GitHub Actions

jfroche · yvan-sraka · commit 1cc79e115e7f · 2026-02-18T10:08:35.000+01:00
Speed up rust builds by enabling sccache caching for cargo-pgrx builds in
GitHub Actions. We mount a persistent disk at /var/cache/sccache and
configure sccache to use it.
diff --git a/.github/actions/nix-install-ephemeral/action.yml b/.github/actions/nix-install-ephemeral/action.yml
@@ -5,6 +5,10 @@ inputs:
     description: 'Whether to push build outputs to the Nix binary cache'
     required: false
     default: 'false'
+  enable-sccache-sandbox-path:
+    description: 'Whether to expose /nix/var/cache/sccache in the Nix sandbox'
+    required: false
+    default: 'false'
   aws-region:
     description: 'AWS region for the Nix binary cache S3 bucket'
     required: false
@@ -48,4 +52,5 @@ runs:
           substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
           trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
           ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}
+          ${{ inputs.enable-sccache-sandbox-path == 'true' && 'extra-sandbox-paths = /nix/var/cache/sccache?' || '' }}
           max-jobs = 4
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -14,10 +14,6 @@ permissions:
   contents: write
   packages: write
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
 jobs:
   nix-eval:
     uses: ./.github/workflows/nix-eval.yml
@@ -40,17 +36,31 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          path: /nix/var/cache/sccache
       - name: Install nix (ephemeral)
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
           push-to-cache: 'true'
+          enable-sccache-sandbox-path: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Install nix (self-hosted)
         if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          sudo chgrp nixbld /nix/var/cache/sccache
+          sudo chmod 777 /nix/var/cache/sccache
+          sudo chmod g+s /nix/var/cache/sccache
+          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -71,17 +81,31 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          path: /nix/var/cache/sccache
       - name: Install nix (ephemeral)
         if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
           push-to-cache: 'true'
+          enable-sccache-sandbox-path: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Install nix (self-hosted)
         if: ${{ matrix.attr != '' && matrix.runs_on.group == 'self-hosted-runners-nix' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          sudo chgrp nixbld /nix/var/cache/sccache
+          sudo chmod 777 /nix/var/cache/sccache
+          sudo chmod g+s /nix/var/cache/sccache
+          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -148,14 +172,28 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
+          enable-sccache-sandbox-path: 'true'
           push-to-cache: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          sudo chgrp nixbld /nix/var/cache/sccache
+          sudo chmod 777 /nix/var/cache/sccache
+          sudo chmod g+s /nix/var/cache/sccache
+          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -176,14 +214,28 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-ephemeral
         with:
+          enable-sccache-sandbox-path: 'true'
           push-to-cache: 'true'
         env:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+      - name: Allow sccache cache write access
+        if: ${{ matrix.attr != '' && matrix.runs_on.group != 'self-hosted-runners-nix' }}
+        run: |
+          sudo chgrp nixbld /nix/var/cache/sccache
+          sudo chmod 777 /nix/var/cache/sccache
+          sudo chmod g+s /nix/var/cache/sccache
+          sudo setfacl -d -m u::rwX,g::rwX,o::rwX /nix/var/cache/sccache
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -217,15 +269,3 @@ jobs:
       (needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
       (needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
     uses: ./.github/workflows/test.yml
-
-  docker-image-test:
-    needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux]
-    if: |
-      !cancelled() &&
-      needs.nix-eval.result == 'success' &&
-      (needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
-      (needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success')
-    uses: ./.github/workflows/docker-image-test.yml
-    secrets:
-      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
-      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
diff --git a/nix/cargo-pgrx/buildPgrxExtension.nix b/nix/cargo-pgrx/buildPgrxExtension.nix
@@ -34,6 +34,7 @@
   stdenv,
   writeShellScriptBin,
   defaultBindgenHook,
+  sccache,
 }:
 
 # The idea behind: Use it mostly like rustPlatform.buildRustPackage and so
@@ -55,7 +56,7 @@
   postgresql,
   # enable override to generate bindings using bindgenHook.
   # Some older versions of cargo-pgrx use a bindgenHook that is not compatible with the
-  # current clang version present in stdenv
+  # current clang version present in stdenv
   bindgenHook ? defaultBindgenHook,
   # cargo-pgrx calls rustfmt on generated bindings, this is not strictly necessary, so we avoid the
   # dependency here. Set to false and provide rustfmt in nativeBuildInputs, if you need it, e.g.
@@ -157,12 +158,22 @@ let
         postgresql
         pkg-config
         bindgenHook
+        sccache
       ]
       ++ lib.optionals useFakeRustfmt [ fakeRustfmt ];
 
     buildPhase = ''
       runHook preBuild
 
+      if [[ -d "/nix/var/cache/sccache" && -w "/nix/var/cache/sccache" ]]; then
+        echo "sccache: cache directory available, enabling"
+        export RUSTC_WRAPPER="${sccache}/bin/sccache"
+        export SCCACHE_DIR="/nix/var/cache/sccache"
+        export SCCACHE_CACHE_SIZE="500G"
+      else
+        echo "sccache: cache directory not available, skipping"
+      fi
+
       echo "Executing cargo-pgrx buildPhase"
       ${preBuildAndTest}
       ${maybeEnterBuildAndTestSubdir}
@@ -183,6 +194,11 @@ let
         --features "${builtins.concatStringsSep " " buildFeatures}" \
         --out-dir "$out"
 
+      if [[ -n "''${RUSTC_WRAPPER:-}" ]]; then
+        echo "sccache stats:"
+        ${sccache}/bin/sccache --show-stats
+      fi
+
       ${maybeLeaveBuildAndTestSubdir}
 
       runHook postBuild
