Migrate build system from Earthly to Nix

[negz]

Description of your changes

Matches crossplane/crossplane#6999 for crossplane-runtime.

Earthly's maintainers announced last year that they would no longer actively develop it. This PR replaces Earthly with a Nix flake.

./nix.sh run .#test         # Run unit tests
./nix.sh run .#lint         # Run linters
./nix.sh run .#generate     # Run code generation
./nix.sh run .#tidy         # Run go mod tidy
./nix.sh flake check        # Run all checks hermetically, like CI

The Renovate config is split into modular files so main uses Nix while release branches continue using Earthly. Code generation moves from apis/apis.go to a dedicated generate.go at the repo root, with buf config files also at root.

I have:

• Read and followed Crossplane's contribution process.
• Run ./nix.sh flake check to ensure this PR is ready for review.
• Added or updated unit tests.
• Linked a PR or a docs tracking issue to document this change.
• Added backport release-x.y labels to auto-backport this PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

Transitions CI from Earthly to Nix/Cachix, adds a containerized Nix wrapper, introduces a flake.nix Nix Flakes configuration, and modernizes Go code using Go 1.22+ stdlib utilities while adding some deprecation comments and minor test/lint adjustments.

Changes

Cohort / File(s)	Summary
Nix Infrastructure flake.nix, nix.sh	Add Nix Flakes configuration (multi-system checks, apps, devShells) and a Docker-backed nix.sh wrapper to run Nix without local installation.
CI/CD Workflow & Scripts .github/workflows/ci.yml, .github/renovate-entrypoint.sh, .github/workflows/renovate.yml, .github/workflows/renovate.yml	Replace Earthly steps with Nix/Cachix workflow; add Nix install/config and Cachix caching; update renovate env/allowed commands; renovate-entrypoint.sh now uses bash strict mode and installs Nix/Earthly conditionally.
Repo Filters & PR Template .coderabbit.yaml, .github/PULL_REQUEST_TEMPLATE.md	Change path filter inclusion from **/Earthfile to **/flake.nix and remove .tmp-earthly-out exclusion; update pre-review command from earthly +reviewable to ./nix.sh flake check.
Build & Codegen Config buf.gen.yaml, apis/apis.go, generate.go	Remove go-grpc plugin from buf config; strip tooling/comments from apis.go; add generate.go with //go:generate directives and build-tag guarded codegen notes.
Linter config .golangci.yml	Disable wsl_v5, add goconst to exclusions, add staticcheck SA1019 exclusion for resource.Legacy.+.
Go Modernizations pkg/event/event.go, pkg/meta/meta.go, pkg/resource/predicates.go, pkg/parser/parser.go, pkg/logging/klog.go, pkg/reconciler/managed/changelogger_test.go, pkg/reference/*, pkg/resource/*	Use Go 1.22+ utilities: maps.Copy, slices.Contains, strings.SplitSeq, change variadic type to ...any, replace reflect.TypeOf usage, and refactor small loops/iterations.
Deprecation & Docs pkg/reconciler/managed/reconciler_deprecated.go, pkg/resource/interfaces.go, pkg/reconciler/managed/policies.go, pkg/reference/namespaced_reference.go, test files	Add deprecation comment blocks above public declarations, remove/adjust package-level comments and some nolint directives.
Miscellaneous small changes pkg/resource/unstructured/generate.go, pkg/resource/resource_test.go, pkg/reconciler/managed/reconciler_legacy_test.go, pkg/event/event_test.go	Remove legacy +build tag, minor test formatting adjustments, and minor comment removals.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant Dev as Developer
participant GH as GitHub Actions
participant CI as CI Job (nix)
participant Nix as Nix (nix.sh / flakes)
participant Cachix as Cachix
participant Art as Artifact Store / CodeQL / Trivy

Dev->>GH: push PR
GH->>CI: trigger workflow
CI->>Nix: Install Nix & configure (via setup steps)
CI->>Nix: Run `./nix.sh` / nix build checks (flake.nix)
Nix->>Cachix: fetch/store cached derivations
Nix->>CI: produce build outputs (generate, lint, test, coverage)
CI->>Art: run CodeQL/Trivy analyze and upload results

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Would you like me to focus the review on Nix/CI changes, Go stdlib modernizations, or lint/config updates first?

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: migrating the build system from Earthly to Nix, which aligns directly with the changeset.
Description check	✅ Passed	The description is directly related to the changeset, providing context about why the migration is needed, what commands are available, and how the Renovate config is structured.
Breaking Changes	✅ Passed	No breaking changes to public/exported APIs detected. All modifications are internal refactoring and non-exported type updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Important

Action Needed: IP Allowlist Update

If your organization protects your Git platform with IP whitelisting, please add the new CodeRabbit IP address to your allowlist:

• ✨ 136.113.208.247/32 (new)
• 34.170.211.100/32
• 35.222.179.152/32

Reviews will stop working after February 8, 2026 if the new IP is not added to your allowlist.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/reconciler/managed/reconciler_modern_test.go (2)

1873-1886: ⚠️ Potential issue | 🟡 Minor

Align management policy values with the test-case names

In the ManagementPolicyCreateCreateSuccessful and ManagementPolicyUpdateUpdateSuccessful cases (Line 1873-1885 and Line 2017-2026), the managed object is set to ManagementActionAll. If the intent is to exercise Create-only / Update-only behavior, should these use ManagementActionCreate and ManagementActionUpdate respectively? That would make the scenarios match the why in their names. Thanks!

Proposed adjustment

-							mg.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionAll})
+							mg.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionCreate})
-							want.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionAll})
+							want.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionCreate})

-							mg.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionAll})
+							mg.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionUpdate})
-							want.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionAll})
+							want.SetManagementPolicies(xpv1.ManagementPolicies{xpv1.ManagementActionUpdate})

Also applies to: 2017-2027

---

2174-2176: ⚠️ Potential issue | 🟡 Minor

Consider the purpose of test.EquateErrors() before switching to cmpopts.EquateErrors()

At lines 2175 and 2287, the test uses test.EquateErrors(). While the coding guidelines specify cmpopts.EquateErrors(), we should clarify whether switching is appropriate here: test.EquateErrors() is a deliberate custom helper in this codebase that compares both error type and error string, whereas cmpopts.EquateErrors() only checks errors.Is() semantics without comparing messages. If testing the exact error string is important (as the custom helper suggests), the current approach is intentional. Could you confirm whether the error message comparison is needed in this test, or if cmpopts.EquateErrors() would suffice?

🤖 Fix all issues with AI agents

In `@AGENTS.md`:
- Around line 71-75: The guidance line in AGENTS.md currently says "Use goCamel
case for JSON struct tags" which is a typo; update that line to read "Use
camelCase (lowerCamelCase) for JSON struct tags" so the recommendation is clear
and consistent; locate the Kubernetes Conventions section and replace the phrase
"goCamel case" with "camelCase (lowerCamelCase)".

In `@nix.sh`:
- Around line 28-55: Create a cleanup function (e.g., cleanup) that contains the
rsync/symlink-to-directory logic, the find ... -exec chown ... cleanup, and
removal of the marker; set a trap 'cleanup' EXIT immediately after creating
marker so cleanup always runs on success or failure of the subsequent nix "${@}"
call; ensure the trap does not swallow the original nix exit code (capture and
re-exit with it if you check/propagate exit status) and reference the existing
symbols: marker, the nix "${@}" invocation, the rsync block, and the find ...
-newer ... -exec chown ... sequence when moving logic into cleanup and
registering trap EXIT.

🧹 Nitpick comments (6)

.golangci.yml (1)

223-228: Consider scoping the SA1019 suppression by path to pkg/reconciler/ to limit its effect.
Thanks for documenting the legacy compatibility rationale. The current regex 'SA1019: resource\.Legacy.+ is deprecated:' is appropriately specific. Since resource.LegacyManaged and resource.LegacyProviderConfigUsage are only used in the pkg/reconciler/ subdirectory, adding path: pkg/reconciler/ to the exclusion rule would further isolate this suppression and reduce the risk of accidentally hiding unrelated deprecation warnings elsewhere. This is a minor improvement for future maintainability.

pkg/reference/namespaced_reference.go (1)

287-296: Nice use of generics for the sorting helper!

This is a clean, reusable implementation. I noticed that reference.go has a similar but non-generic sortMapByKeys function (specific to xpv1.Reference). Would it make sense to consolidate these into a single generic helper, or was the type-specific version in reference.go intentional for some reason?

No action required if this is deliberate—just curious about the reasoning! 🙂

pkg/reference/reference.go (1)

414-428: Consistent implementation with the namespaced variant—nice!

The valueMap approach here mirrors the pattern in namespaced_reference.go, which is great for consistency. The same question about key collisions applies here: if two resources yield the same extracted value, only one reference will be retained in the map.

If this is intentional (perhaps extracted values are expected to be unique), a brief comment noting this assumption would help future readers understand the design decision.

.github/renovate-entrypoint.sh (1)

1-12: Consider adding a clarifying comment to explain why both tools are installed.

The renovate configuration is elegantly split—renovate-nix.json5 runs Nix post-upgrade tasks only on main (via matchBaseBranches), while renovate-earthly.json5 runs Earthly tasks only on release branches. Both toolchains are correctly installed unconditionally in this container since it may handle any branch during a single run.

A brief comment in the script explaining this design would help future maintainers understand why both installations are needed, since the current comments hint at branch-specific usage. Something like: "Both Nix and Earthly are installed since renovate config is branch-aware and determines which post-upgrade commands execute via matchBaseBranches filters."

.github/workflows/renovate.yml (1)

45-45: Consider narrowing the Renovate nix command allowlist.
Thanks for the update. Is there a reason to allow any nix command at this step (Line 45), or could we scope the regex to just the subcommands used in renovate-entrypoint.sh to reduce the command surface?

nix.sh (1)

92-105: Consider pinning the nixos/nix image for reproducibility.

Right now the Docker run uses the floating nixos/nix tag. If you’re not intentionally tracking latest, a pinned tag or digest will prevent surprise changes across dev machines. Is there a version you want to lock to?

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/ci.yml (1)

150-155: ⚠️ Potential issue | 🔴 Critical

Bug: Shell variable syntax won't expand in YAML context.

The ${GITHUB_REPOSITORY} uses shell variable interpolation syntax, but this isn't inside a run: block — it's a YAML with: parameter. GitHub Actions won't expand this, so the literal string ${GITHUB_REPOSITORY} will be passed to the action, likely causing the breaking change detection to fail.

Should this use GitHub's expression syntax instead?

Proposed fix

       - name: Detect Breaking Changes in Protocol Buffers
         uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
         # We want to run this for the main branch, and PRs against main.
         if: ${{ github.ref == 'refs/heads/main' || github.base_ref == 'main' }}
         with:
-          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main"
+          against: "https://github.com/${{ github.repository }}.git#branch=main"

🧹 Nitpick comments (1)

.github/workflows/ci.yml (1)

140-146: Consider SHA-pinning buf actions for consistency.

I noticed buf-setup-action and buf-lint-action use @v1 tags while other actions in this workflow (checkout, codeql, trivy) are pinned to specific commit SHAs. For supply-chain security consistency, would it make sense to pin these as well?

Not blocking, but it would align with the security posture demonstrated elsewhere in this file.

Example with SHA pinning

       - name: Setup Buf
-        uses: bufbuild/buf-setup-action@v1
+        uses: bufbuild/buf-setup-action@<SHA> # v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

       - name: Lint Protocol Buffers
-        uses: bufbuild/buf-lint-action@v1
+        uses: bufbuild/buf-lint-action@<SHA> # v1

You can find the current SHA for v1 tags via gh api repos/bufbuild/buf-setup-action/git/ref/tags/v1 --jq .object.sha.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/reconciler/managed/reconciler_deprecated.go (1)

63-66: ⚠️ Potential issue | 🟡 Minor

Small copy-paste duplicate in TODO comments

Thanks for consolidating these deprecated APIs! I noticed there's a duplicate line here:

// type TypedNopDisconnecter[managed resource.Managed] = TypedNopDisconnector[managed]
// type TypedNopDisconnecter[managed resource.Managed] = TypedNopDisconnector[managed]

Was this intentional, or did one of these lines slip in by accident? Just want to make sure the TODO comment reflects the intended list of future generic aliases.

Suggested fix

 // TODO: these types of aliases are only allowed in Go 1.23 and above.
 // type TypedNopDisconnecter[managed resource.Managed] = TypedNopDisconnector[managed]
-// type TypedNopDisconnecter[managed resource.Managed] = TypedNopDisconnector[managed]
 // type TypedExternalConnectDisconnecterFns[managed resource.Managed] =  TypedExternalConnectDisconnectorFns[managed]

pkg/reference/reference.go (1)

414-427: ⚠️ Potential issue | 🟠 Major

Potential duplicate-value loss & nondeterministic pick when using a map.

Thanks for the deterministic ordering work here. One concern: keying by req.Extract(to) will collapse duplicates. If two resources share the same extracted value (e.g., external names), the later entry wins and which one wins depends on List order (not guaranteed), so results can be nondeterministic and valid duplicates are dropped. Is the extracted value guaranteed unique in this resolver? If not, consider sorting a slice of pairs instead of a map (and optionally tie‑break by name/namespace) to preserve duplicates deterministically.

💡 Possible fix that preserves duplicates and determinism

-	valueMap := make(map[string]xpv1.Reference)
-
-	for _, to := range req.To.List.GetItems() {
-		if ControllersMustMatch(req.Selector) && !meta.HaveSameController(r.from, to) {
-			continue
-		}
-
-		valueMap[req.Extract(to)] = xpv1.Reference{Name: to.GetName()}
-	}
-
-	sortedKeys, sortedRefs := sortMapByKeys(valueMap)
-
-	rsp := MultiResolutionResponse{ResolvedValues: sortedKeys, ResolvedReferences: sortedRefs}
+	type pair struct {
+		value string
+		ref   xpv1.Reference
+	}
+	pairs := make([]pair, 0, len(req.To.List.GetItems()))
+
+	for _, to := range req.To.List.GetItems() {
+		if ControllersMustMatch(req.Selector) && !meta.HaveSameController(r.from, to) {
+			continue
+		}
+		pairs = append(pairs, pair{
+			value: req.Extract(to),
+			ref:   xpv1.Reference{Name: to.GetName()},
+		})
+	}
+
+	sort.Slice(pairs, func(i, j int) bool {
+		if pairs[i].value == pairs[j].value {
+			return pairs[i].ref.Name < pairs[j].ref.Name
+		}
+		return pairs[i].value < pairs[j].value
+	})
+
+	resolvedValues := make([]string, len(pairs))
+	resolvedRefs := make([]xpv1.Reference, len(pairs))
+	for i, p := range pairs {
+		resolvedValues[i] = p.value
+		resolvedRefs[i] = p.ref
+	}
+
+	rsp := MultiResolutionResponse{ResolvedValues: resolvedValues, ResolvedReferences: resolvedRefs}

🤖 Fix all issues with AI agents

In `@pkg/reconciler/managed/reconciler_modern_test.go`:
- Around line 1787-1788: The test contains a duplicated chained call to
WithObservedGeneration on the ReconcileSuccess condition; update the assertion
so it only calls WithObservedGeneration(42) once (i.e., change
want.SetConditions(xpv1.ReconcileSuccess().WithObservedGeneration(42).WithObservedGeneration(42))
to use a single WithObservedGeneration(42)), keeping the SetConditions and
xpv1.ReconcileSuccess() calls unchanged.
- Around line 1975-1976: The test sets conditions using
want.SetConditions(xpv1.ReconcileSuccess().WithObservedGeneration(42).WithObservedGeneration(42))
but calls WithObservedGeneration twice; remove the duplicate call so the
condition chain only includes a single WithObservedGeneration(42) (keep
want.SetConditions, xpv1.ReconcileSuccess and WithObservedGeneration as the
referenced symbols).

🧹 Nitpick comments (2)

.coderabbit.yaml (1)

52-61: Consider including other Nix files in review scope.
Thanks for adding flake.nix to the filters. With the Nix migration, do you also want nix/*.nix (e.g., nix/apps.nix, nix/checks.nix) reviewed? If so, a broader include would avoid missing those changes.

Suggested tweak

     - "**/Dockerfile*"
     - "**/flake.nix"
+    - "nix/**/*.nix"

.github/workflows/ci.yml (1)

74-84: Consider adding an explicit CodeQL autobuild step for clarity.

Go's CodeQL support includes built-in autobuild detection, so your workflow won't fail without an explicit step. However, for greater control and clarity, adding an autobuild step between init and analyze follows best practices and makes the build process explicit. Your current setup with Nix should work, but would this explicit step align with how your project's Go compilation typically happens?

Suggested improvement

      - name: Initialize CodeQL
        uses: github/codeql-action/init@439137e1b50c27ba9e2f9befc93e43091b449c34 # v3
        with:
          languages: go

+      - name: Autobuild
+        uses: github/codeql-action/autobuild@439137e1b50c27ba9e2f9befc93e43091b449c34 # v3
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@439137e1b50c27ba9e2f9befc93e43091b449c34 # v3

Alternatively, you can use build-mode: autobuild in the init step if you prefer a single configuration point.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/renovate-entrypoint.sh:
- Around line 5-14: The script unconditionally downloads Earthly from "latest"
without checksum and always installs both Earthly and Nix despite comments
implying branch-specific behavior; update the Earthly section to pin a specific
release (replace "latest" with a concrete version string used in the repo) and
verify its SHA256 checksum before making it executable, and either add
branch-aware conditional logic (check an environment variable like GITHUB_REF or
a passed-in BRANCH value) so Earthly is only installed for release branches and
Nix only for main, or change the comments to state both are intentionally
installed; references: the Earthly download path (/usr/local/bin/earthly) and
the apt-get install -y nix-bin call.

In @.github/workflows/ci.yml:
- Around line 57-84: The workflow is missing a CodeQL build step so Go
extraction will be empty; insert a step using github/codeql-action/autobuild
between the existing "Initialize CodeQL" (uses: github/codeql-action/init) and
"Perform CodeQL Analysis" (uses: github/codeql-action/analyze) steps so CodeQL
performs a Go autobuild (detects go.mod and extracts the DB) before analysis;
ensure the new step runs after init and before analyze and does not conflict
with Nix by relying on the autobuild action.

🧹 Nitpick comments (3)

pkg/meta/meta.go (1)

180-189: Optional: Consider using slices.DeleteFunc for consistency?

Just a thought for a potential follow-up — RemoveFinalizer could also benefit from the standard library treatment using slices.DeleteFunc. This would make the file consistent and also correctly handle the (admittedly unlikely) edge case of duplicate finalizers:

o.SetFinalizers(slices.DeleteFunc(f, func(e string) bool {
    return e == finalizer
}))

Totally fine to defer this if you'd prefer to keep the PR focused. What do you think?

.coderabbit.yaml (1)

52-61: Consider including all Nix files in the review scope.

Right now only flake.nix is included, so nix/*.nix won’t be reviewed. Was the narrow scope intentional? If not, broadening the pattern keeps the Nix tooling visible. Thanks!

♻️ Suggested tweak

-    - "**/flake.nix"
+    - "**/*.nix"

.golangci.yml (1)

224-229: Would scoping the legacy deprecation suppression be feasible?

If the deprecations are limited to specific packages, scoping by path: could avoid masking unrelated warnings. Is that something you’d want here? Thanks!

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/ci.yml:
- Line 155: The `with:` value for the buf-breaking-action currently uses
shell-style `${GITHUB_REPOSITORY}` which won't be expanded by Actions; change
the string passed to the action's `against:` input to use GitHub Actions
expressions (e.g. replace the literal `${GITHUB_REPOSITORY}` in the `against:
"https://github.com/${GITHUB_REPOSITORY}.git#branch=main"` setting with the
Actions expression for the repository, such as `${{ github.repository }}`, so
the buf-breaking-action receives the actual repo URL and branch).

🧹 Nitpick comments (1)

.github/workflows/renovate.yml (1)

45-45: Could we narrow the allowed nix commands?

Thanks for enabling Nix for Renovate. To keep the allowlist tight, would you be open to restricting the regex to only the subcommands Renovate actually runs (for example, nix run .#... and nix flake check)? That helps reduce the command surface area if configs drift.

🔒 Example of a narrower allowlist

-          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix .+", "^earthly .+"]'
+          RENOVATE_ALLOWED_POST_UPGRADE_COMMANDS: '["^nix (run \\.#(test|lint|generate|tidy)|flake check)$", "^earthly .+"]'

[adamwg]

One note on the generate check; otherwise, this lgtm (and I think I'm starting to understand the nix language).

[adamwg]

lgtm