From a400ea42575470b1f95d0199a3cc87f788577dcb Mon Sep 17 00:00:00 2001
From: Bernardo Meurer Costa <beme@anthropic.com>
Date: Wed, 8 Oct 2025 00:04:37 +0000
Subject: [PATCH] ci: integrate vm_tests into main tests job

This consolidates the separate vm_tests job into the main tests job,
simplifying the CI workflow. VM tests now run as part of the regular
test matrix.
---
 .github/workflows/ci.yml    | 47 ++++++++-----------------------------
 ci/gha/tests/default.nix    | 28 ++++++++++++++++++++++
 ci/gha/vm-tests/wrapper.nix | 45 -----------------------------------
 3 files changed, 38 insertions(+), 82 deletions(-)
 delete mode 100644 ci/gha/vm-tests/wrapper.nix

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 00a808951..e82e59309 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -126,6 +126,14 @@ jobs:
           --argstr stdenv "${{ matrix.stdenv }}" \
           ${{ format('--arg withAWS {0}', matrix.withAWS) }} \
           ${{ format('--arg withCurlS3 {0}', matrix.withCurlS3) }}
+    - name: Run VM tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix vmTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}" \
+          ${{ format('--arg withAWS {0}', matrix.withAWS) }} \
+          ${{ format('--arg withCurlS3 {0}', matrix.withCurlS3) }}
+      if: ${{ matrix.os == 'linux' }}
     - name: Run flake checks and prepare the installer tarball
       run: |
         ci/gha/tests/build-checks
@@ -213,7 +221,7 @@ jobs:
           echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
 
   docker_push_image:
-    needs: [tests, vm_tests, check_secrets]
+    needs: [tests, check_secrets]
     permissions:
       contents: read
       packages: write
@@ -266,43 +274,8 @@ jobs:
         docker tag nix:$NIX_VERSION $IMAGE_ID:master
         docker push $IMAGE_ID:master
 
-  vm_tests:
-    needs: basic-checks
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          # TODO: remove once curl-based-s3 fully lands
-          - scenario: legacy s3
-            withAWS: true
-            withCurlS3: false
-          - scenario: curl s3
-            withAWS: false
-            withCurlS3: true
-    name: vm_tests (${{ matrix.scenario }})
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v5
-      - uses: ./.github/actions/install-nix-action
-        with:
-          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-          extra_nix_config:
-            experimental-features = nix-command flakes
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - name: Build VM tests
-        run: |
-          nix build -L \
-            --file ci/gha/vm-tests/wrapper.nix \
-            ${{ format('--arg withAWS {0}', matrix.withAWS) }} \
-            ${{ format('--arg withCurlS3 {0}', matrix.withCurlS3) }} \
-            functional_user \
-            githubFlakes \
-            nix-docker \
-            tarballFlakes
-
   flake_regressions:
-    needs: vm_tests
+    needs: tests
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout nix
diff --git a/ci/gha/tests/default.nix b/ci/gha/tests/default.nix
index bbcd7e6b7..d9115f92c 100644
--- a/ci/gha/tests/default.nix
+++ b/ci/gha/tests/default.nix
@@ -79,6 +79,14 @@ rec {
     }
   );
 
+  # Import NixOS tests using the instrumented components
+  nixosTests = import ../../../tests/nixos {
+    inherit lib pkgs;
+    nixComponents = nixComponentsInstrumented;
+    nixpkgs = nixFlake.inputs.nixpkgs;
+    inherit (nixFlake.inputs) nixpkgs-23-11;
+  };
+
   /**
     Top-level tests for the flake outputs, as they would be built by hydra.
     These tests generally can't be overridden to run with sanitizers.
@@ -229,4 +237,24 @@ rec {
     {
       inherit coverageProfileDrvs mergedProfdata coverageReports;
     };
+
+  vmTests = {
+  }
+  # FIXME: when the curlS3 implementation is complete, it should also enable these tests.
+  // lib.optionalAttrs (withAWS == true) {
+    # S3 binary cache store test only runs when S3 support is enabled
+    inherit (nixosTests) s3-binary-cache-store;
+  }
+  // lib.optionalAttrs (!withSanitizers && !withCoverage) {
+    # evalNixpkgs uses non-instrumented components from hydraJobs, so only run it
+    # when not testing with sanitizers to avoid rebuilding nix
+    inherit (hydraJobs.tests) evalNixpkgs;
+    # FIXME: CI times out when building vm tests instrumented
+    inherit (nixosTests)
+      functional_user
+      githubFlakes
+      nix-docker
+      tarballFlakes
+      ;
+  };
 }
diff --git a/ci/gha/vm-tests/wrapper.nix b/ci/gha/vm-tests/wrapper.nix
deleted file mode 100644
index 2ca80974c..000000000
--- a/ci/gha/vm-tests/wrapper.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? "x86_64-linux",
-  withAWS ? null,
-  withCurlS3 ? null,
-}:
-
-let
-  pkgs = nixFlake.inputs.nixpkgs.legacyPackages.${system};
-  lib = pkgs.lib;
-
-  # Create base nixComponents using the flake's makeComponents
-  baseNixComponents = nixFlake.lib.makeComponents {
-    inherit pkgs;
-  };
-
-  # Override nixComponents if AWS parameters are specified
-  nixComponents =
-    if (withAWS == null && withCurlS3 == null) then
-      baseNixComponents
-    else
-      baseNixComponents.overrideScope (
-        final: prev: {
-          nix-store = prev.nix-store.override (
-            lib.optionalAttrs (withAWS != null) { inherit withAWS; }
-            // lib.optionalAttrs (withCurlS3 != null) { inherit withCurlS3; }
-          );
-        }
-      );
-
-  # Import NixOS tests with the overridden nixComponents
-  tests = import ../../../tests/nixos {
-    inherit lib pkgs nixComponents;
-    nixpkgs = nixFlake.inputs.nixpkgs;
-    inherit (nixFlake.inputs) nixpkgs-23-11;
-  };
-in
-{
-  inherit (tests)
-    functional_user
-    githubFlakes
-    nix-docker
-    tarballFlakes
-    ;
-}