Merge #225: Improve and document act support

ryanofsky · ryanofsky · commit c1838be565db · 2025-11-06T08:36:20.000-05:00
4e3f8fa doc: add instructions for using act (Sjors Provoost) 81712ff ci: disable KVM and sandbox inside act containers (Sjors Provoost) Pull request description: Facilitate using [act](https://github.com/nektos/act) with Docker / Podman as an alternative for using nix directly. I found this very useful for testing the sanitizer job against individual commits in #222. That is, once I finally got it to work... This disables `sandbox` and `filter-syscalls` (but not in the CI environment), which seems fine given that anyone building this code on their own machine has to trust it anyway. ACKs for top commit: ryanofsky: Code review ACK 4e3f8fa. Nice changes, and sorry for not reviewing this earlier. This seems like a useful feature and I plan to use it myself to test githuba ctions changes. Setting up the `/nix` subvolume in the instructions is also really nice since it should enable builds to run really quickly. Tree-SHA512: 0f18f1ce5662003c042099d2804af8c3b1867940c5db96fad63bad79c42d0c47503dd6c7a1e9b30092051e6fdd574b9e650f0ee0161dcca076b4819540876975
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -76,6 +76,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    env:
+      NIX_EXTRA_CONFIG_ACT: |
+        sandbox = false
+        filter-syscalls = false
+
     strategy:
       fail-fast: false
       matrix:
@@ -90,6 +95,10 @@ jobs:
         uses: cachix/install-nix-action@v31       # 2025-05-27, from https://github.com/cachix/install-nix-action/tags
         with:
           nix_path: nixpkgs=channel:nixos-25.05   # latest release
+          # Act executes inside an unprivileged container (Docker or Podman),
+          # so KVM support isn't available.
+          enable_kvm: "${{ github.actor != 'nektos/act' }}"
+          extra_nix_config: ${{ github.actor == 'nektos/act' && env.NIX_EXTRA_CONFIG_ACT || '' }}
 
       - name: Run CI script
         env:
diff --git a/ci/README.md b/ci/README.md
@@ -24,3 +24,29 @@ CI_CONFIG=ci/configs/olddeps.bash  ci/scripts/run.sh
 ```
 
 By default CI jobs will reuse their build directories. `CI_CLEAN=1` can be specified to delete them before running instead.
+
+### Running workflows with `act`
+
+You can run either the entire workflow or a single matrix entry locally. On
+macOS or Linux:
+
+1. Install [`act`](https://github.com/nektos/act) and either Docker or
+  Podman.
+2. Inside the Podman VM, create a named volume for the Nix store (ext4,
+  case-sensitive) so builds persist across runs. Recreate it any time you want
+  a clean cache:
+  ```bash
+  podman volume create libmultiprocess-nix
+  ```
+3. From the repo root, launch the workflow. The example below targets the
+  sanitize matrix entry; drop the `--matrix` flag to run every configuration.
+  ```bash
+  act \
+    --reuse \
+    -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:act-24.04 \
+    --container-options "-v libmultiprocess-nix:/nix" \
+    -j build \
+    --matrix config:sanitize
+  ```
+
+
