Impure tests

You can have NixCI automatically run impure tests that use secrets and the internet.

Step 1: Configuration

To activate the impure testing mechanism, add a test section to your NixCI configuration.

For example, this configuration declares a test named example that runs the packages.x86_64-linux.impure-test package:

{
  test = {
    example = {
      branches = "default";
      package = "packages.x86_64-linux.impure-test";
    };
  };
}

In particular, NixCI will run nix run packages.x86_64-linux.impure-test, which executes the package's meta.mainProgram.

Step 2: Secrets

NixCI can provide secrets necessary for your test.

Secrets are declared in the nix-ci.test.<name>.secrets list.

Once a secret is declared, it is required for that test.

You can set a secret's value in the Secrets overview of your repository.

For example, this test is declared to require that the FORGE_ACCESS_TOKEN secret be set:

{
  test = {
    example = {
      branches = "default";
      package = "packages.x86_64-linux.impure-test";
      secrets = ["FORGE_ACCESS_TOKEN"];
    };
  };
}

During the test, the FORGE_ACCESS_TOKEN environment variable will be set to the secret.

SSH Keys

NixCI has special support for SSH keys.

You could provide SSH keys as secrets, as described above, but it can be difficult to get libcrypto to load an SSH key. NixCI can take care of this for you.

In this example, the CI_SSH_KEY secret is declared to contain an SSH key with the given public key.

{
  test = {
    example = {
      branches = "default";
      package = "packages.x86_64-linux.impure-test";
      ssh-keys = [{
        public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJSjGhDsCpOGTldxNvLP3NCM1eLMNxjHKKg4y2my1PS";
        secret = "CI_SSH_KEY";
      }];
    };
  };
}

During the test, the CI_SSH_KEY environment variable will be set to the path of a file containing the given SSH key.

You can then pass it to ssh with the -i option:

ssh -i "$CI_SSH_KEY"
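
A preflight that the test's main program could run before it touches the network, covering both the secrets and the ssh-keys declarations above. This is an added example, not NixCI's own code; the function names and the host argument are hypothetical, and printenv is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not NixCI's own code: preflight for an impure test program.
# FORGE_ACCESS_TOKEN and CI_SSH_KEY are the secret names from the page's
# examples; the function names and the host argument are hypothetical.

# Succeed only if every named environment variable is set and non-empty.
# Reports names on stderr, never values, so no secret reaches the CI log.
require_secrets() {
  missing=0
  for name in "$@"; do
    if [ -z "$(printenv "$name")" ]; then
      echo "missing secret: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# An ssh-keys entry puts a file path in the variable, a secrets entry puts the
# value itself. Reject key material so a key declared under secrets is caught.
check_ssh_key_path() {
  path=$1
  case $path in
    "") echo "SSH key variable is empty" >&2; return 1 ;;
    *"-----BEGIN"*) echo "variable holds key material, not a path" >&2; return 1 ;;
  esac
  if [ ! -f "$path" ] || [ ! -r "$path" ] || [ ! -s "$path" ]; then
    echo "SSH key file is missing, unreadable or empty" >&2
    return 1
  fi
}

# Run both checks, then connect to host $1 with only the CI-provided key.
run_impure_test() {
  require_secrets FORGE_ACCESS_TOKEN CI_SSH_KEY || return 1
  check_ssh_key_path "$CI_SSH_KEY" || return 1
  # IdentitiesOnly: offer no other key; BatchMode: fail instead of prompting.
  ssh -i "$CI_SSH_KEY" -o IdentitiesOnly=yes -o BatchMode=yes "$1" true
}
```

Keeping `set -x` off in the test program matters here, since shell tracing would write the expanded secret values to the CI log.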

Reference schema

test: # optional
  # default: {}
  # Test Configurations
  <key>: 
    # TestConfiguration
    enable: # optional
      # default: true
      # enable this test
      <boolean>
    package: # required
      # package of which the main program will be run
      <string>
    system: # optional
      # system on which the test will be run
      <string>
    branches: # optional
      # default: any
      # branches from which tests may be run
      # any of
      [ # Deploy from any branch
        any
      , # The same as "any"
        all
      , # Only deploy from the default branch
        default
      , # Deploy from any of this list of branches
        - <string>
      ]
    secrets: # optional
      # default: []
      # secrets provided to the test
      - <string>
    ssh-keys: # optional
      # default: []
      # ssh keys provided to the test
      - # SshKeyConfiguration
        secret: # required
          # name of the secret on NixCI to use as the private key
          <string>
        public-key: # required
          # public key of the ssh key
          <string>