feat: enable sccache for Darwin with sandbox write check

Configure sccache on aarch64-darwin self-hosted runners with persistent cache disk mounting and Nix sandbox access via extra-sandbox-paths. Add actual write test in buildPgrxExtension to verify sandbox access before enabling sccache. Use jfroche/nix-eval-jobs fork with its own nixpkgs to avoid lowdown compatibility issues.

Requires deploying sccache configuration to runners via self-hosted-nix-builders repo.

Author: yvan-sraka

.github/workflows/nix-build.yml

@@ -126,9 +126,26 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Configure sccache for Nix builds
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        run: |
+          # Ensure sccache directory exists
+          mkdir -p /nix/var/cache/sccache          
+          # Update Nix configuration to allow access to sccache directory in sandbox
+          if [ -w /etc/nix/nix.conf ]; then
+            tee -a /etc/nix/nix.conf > /dev/null <<EOF
+          extra-sandbox-paths = /nix/var/cache/sccache
+          EOF
+          fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash
@@ -149,9 +166,26 @@ jobs:
       - name: Checkout Repo
         if: ${{ matrix.attr != '' }}
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Mount sccache disk
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        uses: useblacksmith/stickydisk@v1
+        with:
+          key: ${{ github.repository }}-sccache-${{ runner.os }}-${{ runner.arch }}-${{ matrix.cache_key }}
+          path: /nix/var/cache/sccache
       - name: Install nix
         if: ${{ matrix.attr != '' }}
         uses: ./.github/actions/nix-install-self-hosted
+      - name: Configure sccache for Nix builds
+        if: ${{ matrix.attr != '' && matrix.postgresql_version }}
+        run: |
+          # Ensure sccache directory exists
+          mkdir -p /nix/var/cache/sccache          
+          # Update Nix configuration to allow access to sccache directory in sandbox
+          if [ -w /etc/nix/nix.conf ]; then
+            tee -a /etc/nix/nix.conf > /dev/null <<EOF
+          extra-sandbox-paths = /nix/var/cache/sccache
+          EOF
+          fi
       - name: nix build
         if: ${{ matrix.attr != '' }}
         shell: bash

flake.lock

@@ -165,12 +165,16 @@ let
     buildPhase = ''
       runHook preBuild
 
-
       if [[ -d "/nix/var/cache/sccache" && -w "/nix/var/cache/sccache" ]]; then
-        echo "sccache: cache directory available, enabling"
-        export RUSTC_WRAPPER="${sccache}/bin/sccache"
-        export SCCACHE_DIR="/nix/var/cache/sccache"
-        export SCCACHE_CACHE_SIZE="50G"
+        # Test if sccache can actually write to the directory (sandbox check)
+        if touch "/nix/var/cache/sccache/.test" 2>/dev/null && rm -f "/nix/var/cache/sccache/.test" 2>/dev/null; then
+          echo "sccache: cache directory available and writable in sandbox, enabling"
+          export RUSTC_WRAPPER="${sccache}/bin/sccache"
+          export SCCACHE_DIR="/nix/var/cache/sccache"
+          export SCCACHE_CACHE_SIZE="50G"
+        else
+          echo "sccache: cache directory not accessible in sandbox (needs extra-sandbox-paths configuration), skipping"
+        fi
       else
         echo "sccache: cache directory not available, skipping"
       fi