
ci: build and test with pixi instead of CVMFS #26

Merged

olantwin merged 1 commit into main from ci/use-pixi on Jun 5, 2026

Conversation

@olantwin
Contributor

@olantwin olantwin commented Jun 4, 2026

Summary

  • All dependencies needed by this repo (geomodel 6.27.0 and its transitive closure: sqlite, xerces-c, nlohmann_json, eigen, geant4) are now published to the https://prefix.dev/ship channel via ship-conda-recipes, so CI no longer needs CVMFS access.
  • New pixi.toml + committed pixi.lock define the build environment (cxx-compiler, cmake, ninja, make, git, sqlite, geomodel) and three tasks: configure, build, test (the latter two depend on the former).
  • The workflow is rewritten to run on GitHub-hosted ubuntu-latest with prefix-dev/setup-pixi@v0.9.6 and a single pixi run test step — dropping the self-hosted runner, the registry.cern.ch/ship/gha-runner container, the three CVMFS volume mounts, and the LCG_109 / GeoModel 6.24.0-local2 source lines.

Test plan

  • Local: pixi install && pixi run test on a plain shell (no LCG/distrobox) — 160/160 build targets, 25/25 ctests pass in ~13 s.
  • CI: confirm the new Build and Test job runs on ubuntu-latest, installs the pixi env from the lock file, builds, and exits 0.

Summary by CodeRabbit

  • Chores
    • Updated build and test infrastructure to use Pixi for centralized dependency and task management
    • Simplified CI/CD pipeline configuration for improved maintainability and consistency
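An added illustration of the layout the description above sketches. This is not the pixi.toml from the PR: the platform list, the exact cmake and ctest invocations and the geomodel bound are assumptions here (the PR's own file used `geomodel = ">=6.22"`). The upper bound on geomodel is the tightened form a reviewer would ask for, given that only 6.27.0 was validated.

```toml
[workspace]
name = "shipgeometry"
# The ship channel carries geomodel and its transitive closure; conda-forge
# supplies the toolchain. Channel order is the resolver's priority order.
channels = ["https://prefix.dev/ship", "conda-forge"]
platforms = ["linux-64"]          # assumption: only the CI platform is listed

[dependencies]
cxx-compiler = "*"
cmake = "*"
ninja = "*"
make = "*"
git = "*"
sqlite = "*"
# Upper bound keeps a future `pixi lock` refresh on the validated 6.27.x ABI line.
geomodel = ">=6.27,<6.28"

[tasks]
# Commands are assumptions; the PR does not show them.
configure = "cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release"
build = { cmd = "cmake --build build", depends-on = ["configure"] }
test = { cmd = "ctest --test-dir build --output-on-failure", depends-on = ["build"] }
```

`pixi run test` walks the `depends-on` chain, so the single CI step configures, builds and runs ctest. In CI prefer `pixi install --locked` (or the equivalent setup-pixi setting) over a plain `pixi install`: with `--locked`, a pixi.lock that no longer matches pixi.toml is an error instead of a silent re-solve, which keeps every dependency change a reviewed commit to the lock file.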

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Walkthrough

This PR migrates the project's GitHub Actions CI pipeline from a self-hosted CERN-based container setup to a modern Pixi-managed workflow on ubuntu-latest. A new pixi.toml configuration file declares workspace metadata, build dependencies, and three tasks (configure, build, test), while the workflow is refactored to use the prefix-dev/setup-pixi action to install dependencies and invoke pixi run test in place of previous manual CMake and CTest execution.

Changes

Pixi-Based CI Workflow

Layer: Pixi workspace configuration and workflow migration
File(s): pixi.toml, .github/workflows/build-test.yml
Summary: A new pixi.toml declares the shipgeometry workspace with conda/pixi channels, build dependencies (compilers, sqlite, geomodel), and CMake/Ninja/CTest tasks. The GitHub Actions workflow is updated to use the ubuntu-latest runner, install dependencies via prefix-dev/setup-pixi@v0.9.6 with caching, and run tests using pixi run test, replacing the self-hosted CERN container and manual command execution.


🚥 Pre-merge checks: 5 passed

  • Title check: Passed. The title clearly and concisely summarizes the primary change: replacing CVMFS-based CI with pixi-based environment management.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; the check was skipped.
  • Linked Issues check: Passed. Skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Skipped because CodeRabbit's high-level summary is enabled.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pixi.toml (1)

17-17: ⚡ Quick win

Tighten geomodel constraint to match the validated ABI line.

Line 17 currently allows any newer geomodel; that can break future lock refreshes against your known-good 6.27.x compatibility window.

Proposed change
-geomodel = ">=6.22"
+geomodel = ">=6.27,<6.28"
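Review bot: the lower bound in this proposed change (`>=6.27`) is the right one to keep if the constraint is adopted; it matches the geomodel 6.27.0 build the PR description says was validated, whereas retaining the original `>=6.22` with only an upper bound added (`>=6.22,<6.28`) would still admit the 6.24 line the old CVMFS setup sourced, which is not what was tested.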


📥 Commits

Reviewing files that changed from the base of the PR and between 342dee7 and f9c8f56.

⛔ Files ignored due to path filters (1)
  • pixi.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • .github/workflows/build-test.yml
  • pixi.toml

Comment on lines +17 to +21
- uses: actions/checkout@v6

- name: Build
run: |
source /cvmfs/sft.cern.ch/lcg/views/LCG_109/x86_64-el9-gcc15-opt/setup.sh
source /cvmfs/ship-nightlies.cern.ch/GeoModel/sw/slc9_x86-64/GeoModel/6.24.0-local2/etc/profile.d/init.sh
cmake --build build -j$(nproc)
- uses: prefix-dev/setup-pixi@v0.9.6
with:
cache: true
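Review bot: both `uses:` lines in this hunk, `actions/checkout@v6` and `prefix-dev/setup-pixi@v0.9.6`, reference mutable tags, and the checkout step has no `with:` block, so `persist-credentials` stays at its default and the job token remains usable by every later step even though the remaining steps only build and test. Pin both actions to a full commit SHA (keep the tag in a trailing comment for readability) and add `with: persist-credentials: false` to the checkout step. Replacing the two `source /cvmfs/...` lines and the hand-written `cmake --build build -j$(nproc)` with the setup-pixi step is otherwise the right shape, since the environment now comes from the committed lock file rather than from a mounted filesystem.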

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/build-test.yml"
echo "=== File: $FILE ==="
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE" >&2
  exit 1
fi

nl -ba "$FILE" | sed -n '1,120p'
echo "=== Search for checkout options ==="
rg -n "actions/checkout@|persist-credentials|token|GITHUB_TOKEN" .github/workflows/build-test.yml || true
echo "=== Search for other checkout usages in workflows ==="
rg -n "uses:\s*actions/checkout@|persist-credentials" .github/workflows || true

Repository: ShipSoft/Geometry

Length of output: 170


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/build-test.yml"
echo "=== File: $FILE ==="
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE" >&2
  exit 1
fi

echo "=== Showing first 140 lines (for context) ==="
awk 'NR>=1 && NR<=140 {printf "%5d: %s\n", NR, $0}' "$FILE"

echo "=== Search within $FILE for checkout/setup-pixi usage and credential settings ==="
rg -n "uses:\s*actions/checkout@|uses:\s*prefix-dev/setup-pixi@|persist-credentials|GITHUB_TOKEN|token:" "$FILE" || true

echo "=== Search across workflows for checkout with persist-credentials ==="
rg -n "uses:\s*actions/checkout@|persist-credentials" .github/workflows || true

Repository: ShipSoft/Geometry

Length of output: 1110


🌐 Web query:

actions/checkout persist-credentials default value token in git config

💡 Result:

The default value for the persist-credentials input in actions/checkout is true [1][2]. When enabled (default), the action configures the GitHub Actions authentication token (or SSH key) to allow subsequent git commands in your workflow to run authenticated [1][3]. Recent versions of actions/checkout have improved security by storing these credentials in a separate file under $RUNNER_TEMP and using git includeIf directives, rather than writing the credentials directly into the local.git/config file as was done in earlier implementations [1][4]. This token or credential configuration is automatically cleaned up by the action during the post-job step [1][3]. If you wish to prevent this behavior, you can explicitly set persist-credentials: false in your workflow step [1][2].


Pin action references to full SHAs and disable checkout credential persistence.

In .github/workflows/build-test.yml (Lines 17-21), actions/checkout@v6 (Line 17) and prefix-dev/setup-pixi@v0.9.6 (Line 19) are using mutable tags. actions/checkout defaults persist-credentials to true, so the GitHub token/credentials are configured for subsequent git commands; for repo-controlled build/test steps, set persist-credentials: false and pin both actions to full commit SHAs.

Proposed hardening
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@<FULL_LENGTH_COMMIT_SHA>
+        with:
+          persist-credentials: false

-      - uses: prefix-dev/setup-pixi@v0.9.6
+      - uses: prefix-dev/setup-pixi@<FULL_LENGTH_COMMIT_SHA>
         with:
           cache: true
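Review bot: when `<FULL_LENGTH_COMMIT_SHA>` is filled in, keep the tag it was resolved from as a trailing comment on the same line (for example `# v6` and `# v0.9.6`); a bare 40-hex reference no longer says which release it corresponds to, and routine bumps become guesswork. The `with: cache: true` lines of the setup-pixi step are unchanged context here, so only the two `uses:` references and the new checkout `with:` block need editing.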
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

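The two weaknesses flagged above (unpinned action references and a checkout step that keeps credentials) can be checked mechanically. The following is an added example, not code from the repository, CodeRabbit or zizmor: it embeds a constructed workflow fragment in the shape of the hunk under review next to a hardened form, and scans both with a line-oriented linter. The 40-hex digests in the hardened form are placeholders, not the real commits of those actions.

```python
"""Lint GitHub Actions workflow steps for two supply-chain weaknesses that
zizmor reports as unpinned-uses and artipacked: an action referenced by a
mutable tag instead of a 40-hex commit SHA, and an actions/checkout step that
leaves persist-credentials at its default of true."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the PR's hunk: two tag-pinned actions and
# a checkout step without a `with:` block. Not the repository's actual file.
WEAK_WORKFLOW = """\
jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: prefix-dev/setup-pixi@v0.9.6
        with:
          cache: true
      - run: pixi run test
"""

# Hardened form. The digests are placeholders, not the real commits of those
# actions; resolve each tag in the action's repository before using this.
HARDENED_WORKFLOW = """\
jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v6
        with:
          persist-credentials: false
      - uses: prefix-dev/setup-pixi@1111111111111111111111111111111111111111  # v0.9.6
        with:
          cache: true
      - run: pixi run test
"""

STEP_START_RE = re.compile(r"^\s*-\s")                      # a list item under steps:
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@([^\s#]+)")  # owner/repo@ref (comment ignored)
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _close_checkout(step: Optional[dict], findings: List[Finding]) -> None:
    """Emit artipacked when a checkout step ended without persist-credentials: false."""
    if step is not None and step["persist"] is not False:
        findings.append(Finding(step["line"], "artipacked",
            "actions/checkout leaves the job token available to later steps; "
            "add `with: persist-credentials: false`"))


def lint_workflow(text: str) -> List[Finding]:
    """Line-oriented scan (no YAML parser needed for this shape); returns
    findings ordered by line number."""
    findings: List[Finding] = []
    checkout: Optional[dict] = None   # the actions/checkout step currently open
    for no, line in enumerate(text.splitlines(), start=1):
        if STEP_START_RE.match(line):          # a new step closes the previous one
            _close_checkout(checkout, findings)
            checkout = None
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not FULL_SHA_RE.match(ref):
                findings.append(Finding(no, "unpinned-uses",
                    f"{action}@{ref} is a mutable tag; pin to a full commit SHA"))
            if action.startswith("actions/checkout"):
                checkout = {"line": no, "persist": None}
            continue
        p = PERSIST_RE.match(line)
        if p and checkout is not None:
            checkout["persist"] = p.group(1).lower() == "true"
    _close_checkout(checkout, findings)
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        for f in lint_workflow(text):
            print(f"{label}: line {f.line} [{f.rule}] {f.message}")
```

The weak fragment yields three findings (two unpinned references and the checkout credential persistence), the hardened one none. Scanning lines rather than parsing YAML is deliberate: the two properties of interest live on a `uses:` line and on the `with:` block directly under it, which is exactly the shape the review's own `rg` queries relied on.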

olantwin added a commit to ShipSoft/ship-conda-recipes that referenced this pull request Jun 5, 2026
…ABI clash

The previous build_number bump (#15) rebuilt geomodel under the current
conda-forge cxx-compiler but kept four weak std::__format::_Sink_iter<char>
template instantiations exported from libGeoModelXml/Write/Read/DBManager:

    W __write_padded                W __write_escaped
    W __write_padded_as_spec        W __write_escaped_unicode

libstdc++.so.6 (libstdcxx 15.2.0) does not export matching strong symbols,
so the dynamic linker uses the weak duplicates from geomodel for both
libGeoModelXml's own internal calls and downstream consumers. Subtle
libstdcxx-devel header drift between when geomodel was built and when
consumers compile makes the class layout of std::__format::_Sink<char>
diverge, crashing build_geometry inside Gmx2Geo on GitHub Actions
(ShipSoft/Geometry#26) while passing on developer machines.

Building geomodel with -fvisibility-inlines-hidden keeps these inline
template instantiations local to each .so, so each consumer uses its
own translation-unit-local copy compiled against its own contemporaneous
libstdc++ headers — no cross-library ABI dependency on geomodel-shipped
format internals.

Build number bumped to 2 so rattler-build emits a fresh artifact.
All dependencies are now available from the prefix.dev/ship channel
(via ship-conda-recipes), so CI no longer needs CVMFS mounts, the
CERN container, or a self-hosted runner. The new workflow runs on
ubuntu-latest with prefix-dev/setup-pixi and a single `pixi run test`
step that configures, builds, and runs ctest.
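A way to verify the symbol-visibility fix described in the commit message above, added here as an example and not part of either repository: it parses output in the shape of `nm -DC --defined-only <lib>.so` and lists weak definitions from `std::__format::` that the library exports. The sample dump is constructed (addresses and template arguments are illustrative), and the expected effect of rebuilding with `-fvisibility-inlines-hidden` is that no such entries remain in the dynamic symbol table.

```python
"""List weak (W/V) std::__format instantiations exported by a shared library,
as `nm -DC --defined-only <lib>.so` would show them. After a rebuild with
-fvisibility-inlines-hidden these inline instantiations are no longer in the
dynamic symbol table, so this list should come back empty."""
import re
from typing import Iterator, List, Tuple

# Constructed sample in the shape of `nm -DC --defined-only libGeoModelXml.so`
# output. Addresses, namespaces and template arguments are illustrative.
SAMPLE_NM_OUTPUT = """\
0000000000041c30 T Gmx2Geo::Gmx2Geo(std::string const&)
0000000000052a10 W std::__format::__write_padded<...>(...)
0000000000052b80 W std::__format::__write_padded_as_spec<...>(...)
0000000000052cf0 W std::__format::__write_escaped<...>(...)
0000000000052e40 W std::__format::__write_escaped_unicode<...>(...)
0000000000060120 W std::vector<int, std::allocator<int> >::push_back(int const&)
0000000000000000 A GLIBCXX_3.4.32
"""

# optional address, one-letter symbol type, demangled name (may contain spaces)
NM_LINE_RE = re.compile(r"^\s*(?:[0-9a-f]{8,16}\s+)?([A-Za-z?])\s+(.+)$")

# Namespaces whose inline template instantiations must stay private to each
# .so; std::__format is the one named in the commit message.
INTERNAL_PREFIXES: Tuple[str, ...] = ("std::__format::",)


def parse_nm(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (symbol_type, symbol_name) for each parsable nm line."""
    for line in text.splitlines():
        m = NM_LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def weak_internal_exports(text: str,
                          prefixes: Tuple[str, ...] = INTERNAL_PREFIXES) -> List[str]:
    """Names of weak symbols (nm types W and V) under the given internal
    namespaces; these are the definitions the dynamic linker may pick over
    a consumer's own copy."""
    return [name for typ, name in parse_nm(text)
            if typ in ("W", "V") and name.startswith(prefixes)]


if __name__ == "__main__":
    # Real use: feed subprocess.check_output(["nm", "-DC", "--defined-only",
    # "libGeoModelXml.so"], text=True) instead of the constructed sample.
    for name in weak_internal_exports(SAMPLE_NM_OUTPUT):
        print("exported weak internal:", name)
```

The `std::vector::push_back` line is also weak but is not reported: it is part of the public libstdc++ ABI, not a `__format` internal, so it is not the kind of cross-library layout dependency the commit describes.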
@olantwin olantwin merged commit 1d79150 into main Jun 5, 2026
3 checks passed
@olantwin olantwin deleted the ci/use-pixi branch June 5, 2026 14:47