background grid image
Image for post semaphore-ci
Jun 19, 2025 by Luc Perkins

FlakeHub now supports Semaphore CI

announcement
cacheenterpriseflakehubnixprivate-flakessemaphore

3 min read

Providing synchronized development environments across continuous integration/delivery (CI/CD) platforms and developer workstations has always been one of Nix’s most compelling use cases. And so we’re excited to announce that FlakeHub now supports Semaphore CI as our third major CI platform after GitHub Actions and GitLab CI.

Semaphore is a powerful open source CI/CD platform that you can run on your own infrastructure or in the cloud. It features a lovely UI for visualizing workflows, a built-in observability suite, and much more. We encourage you to check it out.

With this new support, you can now publish flakes, including private flakes, to FlakeHub and push store paths to FlakeHub Cache inside your Semaphore CI runs. Here is an Semaphore workflow configuration that does both:

.semaphore/semaphore.yml
version: v1.0
name: Push store paths to FlakeHub Cache and publish flake release on FlakeHub
agent:
  machine:
    type: f1-standard-4
    os_image: ubuntu2404
blocks:
73 collapsed lines
  - name:
    dependencies: []
    task:
      prologue:
        commands:
          # Get the latest version of the repository's source code from GitHub
          - checkout


      jobs:
        - name: Publish flake and cache package
          commands:
          # The flake's repository
          - export FLAKEHUB_PUSH_REPOSITORY="$(echo "${SEMAPHORE_ORGANIZATION_URL}" | cut -d "." -f1 | cut -d '/' -f3)/${SEMAPHORE_PROJECT_NAME}"


          # Environment variables for Magic Nix Cache, which automatically pushes Nix artifacts to FlakeHub Cache
          - export MAGIC_NIX_CACHE_CLOSURE_URL="https://install.determinate.systems/magic-nix-cache-closure/branch/main/X64-Linux?ci=semaphore"
          - export MNC_LISTEN="127.0.0.1:37515"


          # Install Determinate Nix and start the Nix daemon
          - curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --no-confirm --init systemd
          - . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh


          # Log in using the `determinate-nixd login` command (used by magic-nix-cache, substitutions)
          - echo "${SEMAPHORE_OIDC_TOKEN}" | determinate-nixd login token --token-file /dev/stdin


          # Acquire the `flakehub-push` executable
          - curl -L "${FLAKEHUB_PUSH_BINARY_URL}" | sudo tee /usr/bin/flakehub-push &>/dev/null
          - sudo chmod +x /usr/bin/flakehub-push


          # Acquire the `magic-nix-cache` executable
          - export MNC_CLSR="$(curl -L "${MAGIC_NIX_CACHE_CLOSURE_URL}" | xz -d | sudo "$(which nix-store)" --import | tail -n1 | head -n1)"
          - sudo ln -sf "${MNC_CLSR}/bin/magic-nix-cache" /usr/bin/magic-nix-cache
          - magic-nix-cache --help


          # Stage login credentials for `flakehub-push`
          - export FLAKEHUB_PUSH_OIDC_TOKEN="${SEMAPHORE_OIDC_TOKEN}"


          # Start Magic Nix Cache
          - export MNC_STARTUP_FILE="/tmp/mnc-startup"
          - nohup magic-nix-cache --listen "${MNC_LISTEN}" --startup-notification-file "${MNC_STARTUP_FILE}" &>/tmp/mnc.log &
          - |
              (
              STARTED=0
              for n in {1..6}; do
                if [ -e "${MNC_STARTUP_FILE}" ]; then
                  echo "magic-nix-cache daemon has successfully started up after ${n} attempt(s)"
                  STARTED=1
                  break
                else
                  echo "waiting on magic-nix-cache daemon; on attempt ${n}"
                  sleep 2
                fi
              done
              if [[ "${STARTED}" != "1" ]]; then
                echo "The daemon did not start up within 60 seconds; exiting"
                exit 1
              fi
              ) || true


          # Build a package output by the repository's Nix flake
          - nix build ".#packages.x86_64-linux.default"


          # Publish a flake release to FlakeHub if and only if it's a tag reference
          - |
            if [[ "${SEMAPHORE_GIT_REF_TYPE}" == "tag" ]]; then
              flakehub-push \
                --tag "$(cat "${SEMAPHORE_GIT_REF}" | cut -d '/' -f2)" \
                --visibility private \
                --include-output-paths
            fi


          # Stop Magic Nix Cache
          - curl -XPOST "http://${MNC_LISTEN}/api/workflow-finish"

For more detailed information, check out the Semaphore CI guide in the Determinate documentation. If you run into any trouble, get in touch with us on Discord or drop us an email at support@determinate.systems. Enjoy!

Share
Avatar for Luc Perkins
Written by Luc Perkins

Luc is a technical writer, software engineer, and Nix advocate who's always on the lookout for qualitatively better ways of building software. He originally hails from the Pacific Northwest but has recently taken to living abroad.

Would you like access to private flakes and FlakeHub Cache?

Sign up for FlakeHub