Merge pull request #158 from tinyland-inc/feat/custom-nix-runner-image

feat(runners): custom Nix runner image with xz-utils baked in

Author: Jesssullivan

.github/actions/nix-job/action.yml

@@ -18,14 +18,6 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install Nix prerequisites
-      if: runner.environment != 'github-hosted'
-      shell: bash
-      run: |
-        if ! command -v xz &>/dev/null; then
-          sudo apt-get update -qq && sudo apt-get install -y -qq xz-utils
-        fi
-
     - uses: cachix/install-nix-action@v30
       with:
         nix_path: nixpkgs=channel:nixos-24.11

.github/workflows/build-image.yml

@@ -12,6 +12,7 @@ on:
       - ".npmrc"
       - "app/Dockerfile"
       - "app/caddy/Dockerfile"
+      - "runners/Dockerfile.nix"
   workflow_dispatch:
 
 permissions:
@@ -114,3 +115,50 @@ jobs:
 
       - name: Sign image with cosign (keyless)
         run: cosign sign --yes ghcr.io/tinyland-inc/caddy-tailscale@${{ steps.build-caddy.outputs.digest }}
+
+  nix-runner:
+    name: Build Nix Runner
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        id: build-nix-runner
+        uses: docker/build-push-action@v6
+        with:
+          context: runners
+          file: runners/Dockerfile.nix
+          push: true
+          tags: |
+            ghcr.io/tinyland-inc/actions-runner-nix:latest
+            ghcr.io/tinyland-inc/actions-runner-nix:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          labels: |
+            org.opencontainers.image.source=https://github.com/tinyland-inc/GloriousFlywheel
+            org.opencontainers.image.description=GitHub Actions runner with Nix prerequisites (xz, curl, git, jq)
+
+      - name: Scan image for vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/tinyland-inc/actions-runner-nix:${{ github.sha }}
+          format: table
+          exit-code: "1"
+          severity: CRITICAL
+          ignore-unfixed: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Sign image with cosign (keyless)
+        run: cosign sign --yes ghcr.io/tinyland-inc/actions-runner-nix@${{ steps.build-nix-runner.outputs.digest }}

runners/Dockerfile.nix

@@ -0,0 +1,25 @@
+# Custom ARC runner image for Nix workloads
+#
+# Extends the official GitHub Actions runner with tools needed for
+# Nix builds on our self-hosted Civo runner pool. No runtime apt-get
+# calls to external repos — everything baked in.
+#
+# Tools added:
+#   - xz-utils (NAR compression, required by nix-installer-action)
+#   - curl, git, jq (common CI utilities)
+#   - ca-certificates (TLS for Attic cache)
+
+FROM ghcr.io/actions/actions-runner:latest
+
+USER root
+
+RUN apt-get update -qq \
+    && apt-get install -y -qq --no-install-recommends \
+        xz-utils \
+        curl \
+        git \
+        jq \
+        ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+USER runner

tofu/modules/arc-runner/locals.tf

@@ -9,12 +9,12 @@ locals {
 
   # Default images per runner type
   # The runner image must include the GH Actions runner agent (/home/runner/run.sh).
-  # For nix runners, we use a custom image with Nix + xz pre-installed so that
-  # cachix/install-nix-action and nix-installer-action both work without extra deps.
+  # Nix runners use our custom image with xz-utils, curl, git, jq baked in so that
+  # cachix/install-nix-action works without runtime apt-get calls to external repos.
   runner_type_images = {
     docker = "ghcr.io/actions/actions-runner:latest"
     dind   = "ghcr.io/actions/actions-runner:latest"
-    nix    = "ghcr.io/actions/actions-runner:latest"
+    nix    = "ghcr.io/tinyland-inc/actions-runner-nix:latest"
   }
 
   # Tool images used as init containers to provide tooling (Nix store, etc.)