Motivation
A qualified safety-critical toolchain requires reproducible builds — the same inputs must produce the same outputs on any machine, at any time. ISO 26262 requires traceability from requirements to the deployed artifact. DO-178C requires configuration management that can reproduce any released build.
Ferrocene — the qualified Rust compiler — built custom build orchestration for exactly this reason. For the PulseEngine pipeline, we use Bazel for hermetic builds and Nix for hermetic toolchain provisioning.
Currently, only rules_rocq_rust uses Nix (flake.nix) for toolchain management. Extending this across the pipeline ensures that every developer, CI runner, and qualification environment uses identical toolchain versions.
Scope
- Add
flake.nix providing a development shell with all required toolchain dependencies
- Pin toolchain versions (Rust, Bazel, any tool-specific dependencies)
- Integrate with the existing Bazel build so that
nix develop provides everything needed for bazel build //...
- Add
flake.lock to version control
Context
This is part of a broader effort to make the entire PulseEngine pipeline — meld, loom, synth, kiln, sigil — reproducible end-to-end. See the blog series on hermetic builds (upcoming) for the full picture.
Related: rules_rocq_rust already has a working flake.nix that can serve as a reference implementation.
Motivation
A qualified safety-critical toolchain requires reproducible builds — the same inputs must produce the same outputs on any machine, at any time. ISO 26262 requires traceability from requirements to the deployed artifact. DO-178C requires configuration management that can reproduce any released build.
Ferrocene — the qualified Rust compiler — built custom build orchestration for exactly this reason. For the PulseEngine pipeline, we use Bazel for hermetic builds and Nix for hermetic toolchain provisioning.
Currently, only rules_rocq_rust uses Nix (
flake.nix) for toolchain management. Extending this across the pipeline ensures that every developer, CI runner, and qualification environment uses identical toolchain versions.Scope
flake.nixproviding a development shell with all required toolchain dependenciesnix developprovides everything needed forbazel build //...flake.lockto version controlContext
This is part of a broader effort to make the entire PulseEngine pipeline — meld, loom, synth, kiln, sigil — reproducible end-to-end. See the blog series on hermetic builds (upcoming) for the full picture.
Related: rules_rocq_rust already has a working
flake.nixthat can serve as a reference implementation.