Bump patchset: v51 -> v52

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/build_nix.yaml

@@ -0,0 +1,38 @@
+name: Cloud Hypervisor Build (Nix)
+on: [push, pull_request, merge_group]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: cachix/install-nix-action@v31
+      # We restore Nix evaluation and Nix tarball cache, speeding up the CI.
+      # This does not cover any Nix artifacts from the Nix store.
+      - name: Restore Nix cache
+        uses: actions/cache@v5
+        with:
+          path: ~/.cache/nix
+          key: nix-cache-${{ github.job }}
+      # Nix binary cache
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      # Dedicated step to separate all the
+      # "copying path '/nix/store/...' from 'https://cache.nixos.org'."
+      # messages from the actual build output.
+      - name: Prepare Nix Store
+        run: nix develop --command bash -c "nix --version"
+      - name: Check Nix format
+        run: nix fmt -- --ci
+      - name: Check Nix Flake
+        run: nix flake check -L
+      - name: Build Cloud Hypervisor
+        run: |
+          nix build -L .#default
+          nix build -L .#cloud-hypervisor

.github/workflows/ci.yaml

@@ -106,44 +106,6 @@ jobs:
       - name: Lint git commit messages
         run: |
           gitlint --commits "origin/$GITHUB_BASE_REF.."
-  lychee:
-    name: lychee
-    needs: [preflight]
-    if: needs.preflight.outputs.docs == 'true' || needs.preflight.outputs.full == 'true'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Get changed files in PR
-        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
-        with:
-          base_sha: ${{ github.event.pull_request.base.sha }}
-      - name: Verify Changed Files
-        run: |
-          set -eufo pipefail
-          echo "--- tj-actions/changed-files Outputs ---"
-          echo "any_changed: ${{ steps.changed-files.outputs.any_changed }}"
-          echo "all_changed_files: ${{ steps.changed-files.outputs.all_changed_files }}"
-          echo "added_files: ${{ steps.changed-files.outputs.added_files }}"
-          echo "modified_files: ${{ steps.changed-files.outputs.modified_files }}"
-          echo "deleted_files: ${{ steps.changed-files.outputs.deleted_files }}"
-          echo "renamed_files: ${{ steps.changed-files.outputs.renamed_files }}"
-          echo "----------------------------------------"
-          if [ -n "${{ steps.changed-files.outputs.all_changed_files }}" ]; then
-            echo "Detected changes: all_changed_files output is NOT empty."
-          else
-            echo "No changes detected: all_changed_files output IS empty."
-          fi
-      - name: Link Availability Check (Diff Only)
-        if: ${{ steps.changed-files.outputs.all_changed_files != '' }}
-        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0
-        with:
-          args: --verbose --config .lychee.toml ${{ steps.changed-files.outputs.all_changed_files }}
-          failIfEmpty: false
-          fail: true
   taplo:
     name: taplo
     needs: [preflight]
@@ -314,16 +276,10 @@ jobs:
       fail-fast: false
       matrix:
         rust:
-          - beta
           - stable
         target:
-          - aarch64-unknown-linux-gnu
-          - aarch64-unknown-linux-musl
           - x86_64-unknown-linux-gnu
-          - x86_64-unknown-linux-musl
         include:
-          - rust: beta
-            experimental: true
           - rust: stable
             experimental: false
     steps:
@@ -462,12 +418,8 @@ jobs:
       matrix:
         rust:
           - stable
-          - beta
-          - nightly
-          - "1.89.0" # MSRV — keep quoted.
         target:
           - x86_64-unknown-linux-gnu
-          - x86_64-unknown-linux-musl
     steps:
       - name: Code checkout
         uses: actions/checkout@v6
@@ -510,223 +462,6 @@ jobs:
         run: cargo build --locked --all --release --target=${{ matrix.target }}
       - name: Check build did not modify any files
         run: test -z "$(git status --porcelain)"
-  # garm-jammy + gnu: runs on PR and MQ. Other 3 matrix entries are in
-  # integration-x86-64-mq (sibling, MQ-only, runs in parallel).
-  integration-x86-64-pr:
-    name: integration-x86-64-pr
-    needs: [preflight, dco, quality, build]
-    if: >-
-      needs.preflight.outputs.full == 'true' && needs.dco.result == 'success' && needs.quality.result == 'success' && needs.build.result == 'success'
-    timeout-minutes: 80
-    env:
-      # Our runner has 16 cores (nproc).
-      # We limit parallelism only to avoid exhausting disk space and memory
-      # resources, not to save CPU resources.
-      PARALLEL_INTEGRATION_TESTS_NUM: 12
-    runs-on: garm-jammy-16
-    steps:
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Install Docker
-        run: |
-          set -eufo pipefail
-          sudo apt-get update
-          sudo apt-get -y install ca-certificates curl gnupg
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
-          sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-          sudo apt-get update
-          sudo apt install -y docker-ce docker-ce-cli
-      - name: Prepare for VDPA
-        run: scripts/prepare_vdpa.sh
-      - name: Run unit tests
-        run: scripts/dev_cli.sh tests --unit --libc gnu
-      - name: Load openvswitch module
-        run: sudo modprobe openvswitch
-      - name: Run integration tests
-        timeout-minutes: 60
-        run: scripts/dev_cli.sh tests --integration --libc gnu
-  # MQ-only: the 3 matrix entries that integration-x86-64-pr does not cover.
-  integration-x86-64-mq:
-    name: integration-x86-64-mq
-    needs: [preflight, dco, quality, build]
-    if: >-
-      github.event_name == 'merge_group' && needs.preflight.outputs.full == 'true' && needs.dco.result == 'success' && needs.quality.result == 'success' && needs.build.result == 'success'
-    timeout-minutes: 80
-    env:
-      # Our runner has 16 cores (nproc).
-      # We limit parallelism only to avoid exhausting disk space and memory
-      # resources, not to save CPU resources.
-      PARALLEL_INTEGRATION_TESTS_NUM: 12
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - {runner: garm-jammy, libc: musl}
-          - {runner: garm-jammy-amd, libc: gnu}
-          - {runner: garm-jammy-amd, libc: musl}
-    # format() because `${{ matrix.runner }}-16` is not valid in runs-on.
-    runs-on: ${{ format('{0}-16', matrix.runner) }}
-    steps:
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Install Docker
-        run: |
-          set -eufo pipefail
-          sudo apt-get update
-          sudo apt-get -y install ca-certificates curl gnupg
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
-          sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-          sudo apt-get update
-          sudo apt install -y docker-ce docker-ce-cli
-      - name: Prepare for VDPA
-        run: scripts/prepare_vdpa.sh
-      - name: Run unit tests
-        run: scripts/dev_cli.sh tests --unit --libc ${{ matrix.libc }}
-      - name: Load openvswitch module
-        run: sudo modprobe openvswitch
-      - name: Run integration tests
-        timeout-minutes: 60
-        run: scripts/dev_cli.sh tests --integration --libc ${{ matrix.libc }}
-  integration-arm64:
-    name: integration-arm64
-    needs: [preflight, dco, quality, build]
-    if: >-
-      github.event_name == 'merge_group' && needs.preflight.outputs.full == 'true' && needs.dco.result == 'success' && needs.quality.result == 'success' && needs.build.result == 'success'
-    timeout-minutes: 120
-    env:
-      # Our runner has 80 cores (nproc).
-      # We limit parallelism only to avoid exhausting disk space and memory
-      # resources, not to save CPU resources.
-      PARALLEL_INTEGRATION_TESTS_NUM: 25
-    runs-on: bookworm-arm64
-    steps:
-      # arm64 runner user is "runner" (vfio's is "github-runner").
-      - name: Fix workspace permissions
-        run: sudo chown -R runner:runner ${GITHUB_WORKSPACE}
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Run unit tests (musl)
-        run: scripts/dev_cli.sh tests --unit --libc musl
-      - name: Load openvswitch module
-        run: sudo modprobe openvswitch
-      - name: Run integration tests (musl)
-        timeout-minutes: 60
-        run: scripts/dev_cli.sh tests --integration --libc musl
-      - name: Install Azure CLI
-        run: |
-          set -eufo pipefail
-          sudo apt install -y ca-certificates curl apt-transport-https lsb-release gnupg
-          curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
-          echo "deb [arch=arm64] https://packages.microsoft.com/repos/azure-cli/ bookworm main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
-          sudo apt update
-          sudo apt install -y azure-cli
-      - name: Download Windows image
-        shell: bash
-        run: |
-          set -eufo pipefail
-          IMG_BASENAME=windows-11-iot-enterprise-aarch64.raw
-          IMG_PATH=$HOME/workloads/$IMG_BASENAME
-          IMG_GZ_PATH=$HOME/workloads/$IMG_BASENAME.gz
-          IMG_GZ_BLOB_NAME=windows-11-iot-enterprise-aarch64-9-min.raw.gz
-          cp "scripts/$IMG_BASENAME.sha1" "$HOME/workloads/"
-          pushd "$HOME/workloads"
-          if sha1sum "$IMG_BASENAME.sha1" --check; then
-              exit
-          fi
-          popd
-          mkdir -p "$HOME/workloads"
-          az storage blob download --container-name private-images --file "$IMG_GZ_PATH" --name "$IMG_GZ_BLOB_NAME" --connection-string "${{ secrets.CH_PRIVATE_IMAGES }}"
-          gzip -d "$IMG_GZ_PATH"
-      - name: Run Windows guest integration tests
-        timeout-minutes: 30
-        run: scripts/dev_cli.sh tests --integration-windows --libc musl
-  integration-vfio:
-    name: integration-vfio
-    needs: [preflight, dco, quality, build]
-    if: >-
-      github.event_name == 'merge_group' && needs.preflight.outputs.full == 'true' && needs.dco.result == 'success' && needs.quality.result == 'success' && needs.build.result == 'success'
-    runs-on: vfio-nvidia
-    env:
-      AUTH_DOWNLOAD_TOKEN: ${{ secrets.AUTH_DOWNLOAD_TOKEN }}
-    steps:
-      # vfio-nvidia runner user is "github-runner" (not "runner" like arm64).
-      - name: Fix workspace permissions
-        run: sudo chown -R github-runner:github-runner "${GITHUB_WORKSPACE}"
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Run VFIO integration tests
-        timeout-minutes: 25
-        run: scripts/dev_cli.sh tests --integration-vfio
-    # Most tests are failing with musl, see #6790
-    # - name: Run VFIO integration tests for musl
-    #   timeout-minutes: 25
-    #   run: scripts/dev_cli.sh tests --integration-vfio --libc musl
-  integration-windows:
-    name: integration-windows
-    needs: [preflight, dco, quality, build]
-    if: >-
-      github.event_name == 'merge_group' && needs.preflight.outputs.full == 'true' && needs.dco.result == 'success' && needs.quality.result == 'success' && needs.build.result == 'success'
-    runs-on: garm-jammy-16
-    steps:
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Install Docker
-        run: |
-          set -eufo pipefail
-          sudo apt-get update
-          sudo apt-get -y install ca-certificates curl gnupg
-          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
-          sudo chmod a+r /usr/share/keyrings/docker-archive-keyring.gpg
-          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-          sudo apt-get update
-          sudo apt install -y docker-ce docker-ce-cli
-      - name: Install Azure CLI
-        run: |
-          set -eufo pipefail
-          sudo apt install -y ca-certificates curl apt-transport-https lsb-release gnupg
-          curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
-          echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ jammy main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
-          sudo apt update
-          sudo apt install -y azure-cli
-      - name: Download Windows image
-        run: |
-          set -eufo pipefail
-          mkdir $HOME/workloads
-          az storage blob download --container-name private-images --file "$HOME/workloads/windows-server-2025-amd64-1.raw" --name windows-server-2025-amd64-1.raw --connection-string "${{ secrets.CH_PRIVATE_IMAGES }}"
-      - name: Run Windows guest integration tests
-        timeout-minutes: 15
-        run: scripts/dev_cli.sh tests --integration-windows
-      - name: Run Windows guest integration tests for musl
-        timeout-minutes: 15
-        run: scripts/dev_cli.sh tests --integration-windows --libc musl
-  integration-rate-limiter:
-    name: integration-rate-limiter
-    needs: [preflight, dco, quality, build]
-    if: >-
-      github.event_name == 'merge_group' && needs.preflight.outputs.full == 'true' && needs.dco.result == 'success' && needs.quality.result == 'success' && needs.build.result == 'success'
-    runs-on: bare-metal-9950x
-    env:
-      AUTH_DOWNLOAD_TOKEN: ${{ secrets.AUTH_DOWNLOAD_TOKEN }}
-    steps:
-      - name: Code checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Run rate-limiter integration tests
-        timeout-minutes: 20
-        run: scripts/dev_cli.sh tests --integration-rate-limiter
   # The single required-status check. Branch protection requires this one job.
   all-green:
     name: all-green
@@ -738,13 +473,6 @@ jobs:
       - fuzz-build
       - gitlint
       - hadolint
-      - integration-arm64
-      # VFIO worker is failing #8160
-      # - integration-vfio
-      # See: #8211
-      # - integration-windows
-      - integration-x86-64-mq
-      - integration-x86-64-pr
       - openapi
       - package-consistency
       - preflight