runtimeverification · automergerpr-permission-manager · Feb 28, 2026 · Feb 27, 2026 · Feb 27, 2026 · Feb 27, 2026
diff --git a/.github/scripts/check-cachix-pin.sh b/.github/scripts/check-cachix-pin.sh
@@ -1,49 +1,86 @@
 #!/usr/bin/env bash
-set -xeuo pipefail
+set -euo pipefail
 
 # Kup relies on cachix registry k-framework-binary.
 CACHE="k-framework-binary"
-OWNER_REPO="$(git remote get-url origin | sed -E 's#(git@github.com:|https://github.com/)##; s#\.git$##')"
-REV="$(git rev-parse HEAD)"
-# Get the output of the nix build for kmir.
-OUT="$(nix build --no-link --json ".#kmir" | jq -r '.[0].outputs.out')"
-KEY="github:${OWNER_REPO}/${REV}#kmir"
+OWNER_REPO="${OWNER_REPO:-$(git remote get-url origin | sed -E 's#(git@github.com:|https://github.com/)##; s#\.git$##')}"
+REV="${REV:-${GITHUB_SHA:-$(git rev-parse HEAD)}}"
+UNAME_S="$(uname -s)"
+UNAME_M="$(uname -m)"
+case "${UNAME_S}-${UNAME_M}" in
+  Linux-x86_64) SYSTEM="x86_64-linux" ;;
+  Linux-aarch64 | Linux-arm64) SYSTEM="aarch64-linux" ;;
+  Darwin-x86_64) SYSTEM="x86_64-darwin" ;;
+  Darwin-arm64) SYSTEM="aarch64-darwin" ;;
+  *)
+    echo "Unsupported platform: ${UNAME_S}-${UNAME_M}" >&2
+    exit 1
+    ;;
+esac
+PIN_API_URL="https://app.cachix.org/api/v1/cache/${CACHE}/pin"
+CHECK_PACKAGES=(kmir kmir.rust)
 
 SUMMARY="${GITHUB_STEP_SUMMARY:-/dev/stdout}"
 
 {
   echo "## Cachix Publish Summary"
   echo "CACHE: $CACHE"
-  echo "OUT: $OUT"
-  echo "KEY: $KEY"
+  echo "OWNER_REPO: $OWNER_REPO"
+  echo "REV: $REV"
+  echo "SYSTEM: $SYSTEM"
+  echo "PACKAGES: ${CHECK_PACKAGES[*]}"
 } >> "$SUMMARY"
 
-# Verify push + pin together. Both can become visible with some delay.
-HASH="$(basename "$OUT" | cut -d- -f1)"
-PUSH_NARINFO_URL="https://${CACHE}.cachix.org/${HASH}.narinfo"
-PIN_API_URL="https://app.cachix.org/api/v1/cache/${CACHE}/pin"
+# Verify push + pin together for each package. Both can become visible with delay.
 PIN_VISIBILITY_TIMEOUT_SECONDS=120 # 2 minutes
 PIN_VISIBILITY_INTERVAL_SECONDS=5 # 5 seconds
 PIN_VISIBILITY_ATTEMPTS=$((PIN_VISIBILITY_TIMEOUT_SECONDS / PIN_VISIBILITY_INTERVAL_SECONDS))
 for i in $(seq 1 "$PIN_VISIBILITY_ATTEMPTS"); do
-  PUSH_STATUS="$(curl -sS -o /dev/null -w '%{http_code}' "$PUSH_NARINFO_URL")" || PUSH_STATUS="000"
-  if curl -fsSL "$PIN_API_URL" | jq -e --arg k "$KEY" 'any(.[]; .name == $k)' > /dev/null; then
+  PIN_JSON="$(curl -fsSL "${PIN_API_URL}?q=${REV}")"
+  ALL_OK=1
+
+  for PKG in "${CHECK_PACKAGES[@]}"; do
+    KEY="github:${OWNER_REPO}/${REV}#packages.${SYSTEM}.${PKG}"
+    STORE_PATH="$(
+      echo "$PIN_JSON" \
+        | jq -r --arg k "$KEY" 'map(select(.name == $k)) | first | (.lastRevision.storePath // .storePath // .store_path // .path // "")'
+    )"
+    if [ -z "$STORE_PATH" ]; then
+      PIN_STATUS="pin-missing"
+      PUSH_STATUS="000"
+      ALL_OK=0
+      {
+        echo "key-${PKG}: ${KEY}"
+        echo "pin-status-${PKG}: ${PIN_STATUS}"
+        echo "push-http-${PKG}: ${PUSH_STATUS}"
+      }
+      continue
+    fi
+
     PIN_STATUS="pin-ok"
-  else
-    PIN_STATUS="pin-missing"
-  fi
+    HASH="$(basename "$STORE_PATH" | cut -d- -f1)"
+    PUSH_NARINFO_URL="https://${CACHE}.cachix.org/${HASH}.narinfo"
+    PUSH_STATUS="$(curl -sS -o /dev/null -w '%{http_code}' "$PUSH_NARINFO_URL")" || PUSH_STATUS="000"
+    if [ "$PUSH_STATUS" != "200" ]; then
+      ALL_OK=0
+    fi
 
-  echo "push-http: ${PUSH_STATUS}" >> "$SUMMARY"
-  echo "pin-status: ${PIN_STATUS}" >> "$SUMMARY"
+    {
+      echo "key-${PKG}: ${KEY}"
+      echo "store-path-${PKG}: ${STORE_PATH}"
+      echo "pin-status-${PKG}: ${PIN_STATUS}"
+      echo "push-http-${PKG}: ${PUSH_STATUS}"
+    }
+  done
 
-  if [ "$PUSH_STATUS" = "200" ] && [ "$PIN_STATUS" = "pin-ok" ]; then
-    echo "cachix-status: push-and-pin-ok" >> "$SUMMARY"
+  if [ "$ALL_OK" = "1" ]; then
+    echo "cachix-status: push-and-pin-ok-for-all-packages" >> "$SUMMARY"
     exit 0
   fi
 
-  echo "cachix-check-attempt-${i}: not-ready, retrying in ${PIN_VISIBILITY_INTERVAL_SECONDS}s" >> "$SUMMARY"
+  echo "cachix-check-attempt-${i}: not-ready, retrying in ${PIN_VISIBILITY_INTERVAL_SECONDS}s"
   sleep "$PIN_VISIBILITY_INTERVAL_SECONDS"
 done
 
-echo "cachix-status: push-or-pin-missing-after-${PIN_VISIBILITY_TIMEOUT_SECONDS}s" >> "$SUMMARY"
+echo "cachix-status: push-or-pin-missing-after-${PIN_VISIBILITY_TIMEOUT_SECONDS}s-for-at-least-one-package" >> "$SUMMARY"
 exit 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -167,6 +167,8 @@ jobs:
         env:
           CACHIX_AUTH_TOKEN: '${{ secrets.CACHIX_PRIVATE_KFB_TOKEN }}'
           GC_DONT_GC: '1'
+          OWNER_REPO: '${{ github.repository }}'
+          REV: '${{ github.sha }}'
         with:
           packages: jq
           script: |

diff --git a/.github/workflows/test-cachix-pin.yml b/.github/workflows/test-cachix-pin.yml
@@ -15,14 +15,14 @@ jobs:
     steps:
       - name: 'Check out code'
         uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.ref }}
 
       - name: 'Verify cachix publish and pin'
         uses: workflow/nix-shell-action@v3
         env:
           CACHIX_AUTH_TOKEN: '${{ secrets.CACHIX_PRIVATE_KFB_TOKEN }}'
           GC_DONT_GC: '1'
+          OWNER_REPO: '${{ github.repository }}'
+          REV: '${{ inputs.ref }}'
         with:
           packages: jq
           script: bash .github/scripts/check-cachix-pin.sh