Skip to content
mvm

CI/CD ephemeral builder

CI should prefer disposable runtime guests and explicit build artifacts.

Basic CI shape

Section titled “Basic CI shape”
Terminal window
export MVM_DATA_DIR="$PWD/.mvm-ci"


mvmctl doctor --json
mvmctl build ./ci-worker --json
mvmctl run --timeout 600 --receipt /tmp/mvm-run-receipt.json -- ./scripts/test.sh

Keep generated receipts as build artifacts when they are useful for audit or debugging. Do not persist the full runtime state unless the job explicitly needs a cache.

Cache policy

Section titled “Cache policy”

It is reasonable to cache:

  • Nix store/substituter state in the builder environment;
  • downloaded release artifacts after verification;
  • manifest build slots for trusted branches.

Avoid caching:

  • guest runtime directories from untrusted jobs;
  • snapshots that may contain secrets or source code;
  • broad host directories mounted read-write into the guest.

Cleanup

Section titled “Cleanup”
Terminal window
mvmctl down
mvmctl manifest prune --orphans --dry-run
mvmctl cache prune --orphan-builds

Use dry-run first on shared runners.