nodejs · aduh95 · Jun 22, 2026
diff --git a/.github/actions/build-shared/action.yml b/.github/actions/build-shared/action.yml
diff --git a/.github/workflows/build-shared.yml b/.github/workflows/build-shared.yml
@@ -0,0 +1,89 @@
+name: Build Node.js (shared libraries)
+
+on:
+  workflow_call:
+    inputs:
+      runner:
+        description: The runner to use for the job.
+        required: true
+        type: string
+      extra-nix-flags:
+        description: Additional CLI arguments appended to the nix-shell invocation.
+        required: false
+        type: string
+        default: ''
+      with-sccache:
+        description: Whether to enable sccache
+        required: false
+        type: boolean
+        default: false
+      v8-nar:
+        description: An optional name for the NAR archive for V8 that needs to be downloaded
+        required: false
+        type: string
+        default: ''
+    secrets:
+      CACHIX_AUTH_TOKEN:
+        description: Cachix auth token for nodejs.cachix.org.
+        required: false
+
+permissions: {}
+
+env:
+  FLAKY_TESTS: keep_retrying
+
+jobs:
+  build:
+    runs-on: ${{ inputs.runner }}
+    steps:
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: tarballs
+          path: tarballs
+
+      - name: Extract tarball
+        shell: bash
+        run: |
+          tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
+          echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
+
+      - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3  # v31.10.6
+        with:
+          extra_nix_config: sandbox = true
+
+      - uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71  # v17
+        with:
+          name: nodejs
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        if: inputs.v8-nar
+        with:
+          name: ${{ inputs.v8-nar }}
+
+      - name: Configure sccache
+        if: inputs.with-sccache
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3  # v9.0.0
+        with:
+          script: |
+            core.exportVariable('SCCACHE_GHA_ENABLED', 'on');
+            core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on');
+            core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
+            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
+            core.exportVariable('NIX_SCCACHE', '(import <nixpkgs> {}).sccache');
+
+      - name: Build Node.js and run tests
+        shell: bash
+        run: |
+          nix-shell \
+            -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
+            --pure --keep TAR_DIR --keep FLAKY_TESTS \
+            --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
+            --arg loadJSBuiltinsDynamically false \
+            --arg ccache "${NIX_SCCACHE:-null}" \
+            --arg devTools '[]' \
+            --arg benchmarkTools '[]' \
+            ${{ inputs.extra-nix-flags }} \
+            --run '
+                make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS"
+            ' "$TAR_DIR/shell.nix"
diff --git a/.github/workflows/test-shared.yml b/.github/workflows/test-shared.yml
@@ -47,7 +47,7 @@ on:
       - vcbuild.bat
       - .**
       - '!.github/workflows/test-shared.yml'
-      - '!.github/actions/build-shared/**'
+      - '!.github/workflows/build-shared.yml'
     types: [opened, synchronize, reopened, ready_for_review]
   push:
     branches:
@@ -98,15 +98,12 @@ on:
       - vcbuild.bat
       - .**
       - '!.github/workflows/test-shared.yml'
-      - '!.github/actions/build-shared/**'
+      - '!.github/workflows/build-shared.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-env:
-  FLAKY_TESTS: keep_retrying
-
 permissions:
   contents: read
 
@@ -151,20 +148,15 @@ jobs:
           - runner: macos-latest
             system: aarch64-darwin
     name: '${{ matrix.system }}: with shared libraries'
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
-        with:
-          persist-credentials: false
-          sparse-checkout: .github/actions
-          sparse-checkout-cone-mode: false
-      - uses: ./.github/actions/build-shared
-        name: Build and test Node.js
-        with:
-          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          extra-nix-flags: |
-            --arg useSeparateDerivationForV8 true \
-            ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
+    uses: ./.github/workflows/build-shared.yml
+    with:
+      runner: ${{ matrix.runner }}
+      with-sccache: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
+      extra-nix-flags: |
+        --arg useSeparateDerivationForV8 true \
+        ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg withFFI false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
   build-aarch64-linux-v8:
     needs: build-tarball
@@ -247,34 +239,23 @@ jobs:
       matrix:
         openssl: ${{ fromJSON(needs.build-aarch64-linux-v8.outputs.matrix) }}
     name: 'aarch64-linux: with shared ${{ matrix.openssl.name }}'
-    runs-on: ubuntu-24.04-arm
-    continue-on-error: false
-    env:
-      OPENSSL_ATTR: ${{ matrix.openssl.attr }}
-    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
-        with:
-          persist-credentials: false
-          sparse-checkout: .github/actions
-          sparse-checkout-cone-mode: false
-
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
-        if: ${{ needs.build-aarch64-linux-v8.outputs.local-cache }}
-        with:
-          name: libv8-aarch64-linux.nar
-
-      - uses: ./.github/actions/build-shared
-        name: Build and test Node.js
-        with:
-          cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          # Override just the `openssl` attr of the default shared-lib set with
-          # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All
-          # other shared libs (brotli, cares, libuv, …) keep their defaults.
-          # `permittedInsecurePackages` whitelists just the matrix-selected
-          # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support
-          # cycles evaluate without relaxing nixpkgs' meta check globally.
-          extra-nix-flags: |
-            --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \
-            --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
-                openssl = (import $TAR_DIR/tools/nix/openssl-matrix.nix {}).$OPENSSL_ATTR;
-              }" \
+    uses: ./.github/workflows/build-shared.yml
+    with:
+      runner: ubuntu-24.04-arm
+      download-nar: ${{ needs.build-aarch64-linux-v8.outputs.local-cache && 'libv8-aarch64-linux.nar' }}
+      openssl-attr: ${{ matrix.openssl.attr }}
+      # Override just the `openssl` attr of the default shared-lib set with
+      # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All
+      # other shared libs (brotli, cares, libuv, …) keep their defaults.
+      # `permittedInsecurePackages` whitelists just the matrix-selected
+      # release (e.g. `openssl-1.1.1w`) so EOL-with-extended-support
+      # cycles evaluate without relaxing nixpkgs' meta check globally.
+      extra-nix-flags: |
+        --arg useSeparateDerivationForV8 ${{ needs.build-aarch64-linux-v8.outputs.local-cache && '"$(nix-store --import < libv8-aarch64-linux.nar)"' || 'true' }} \
+        --arg sharedLibDeps "(import $TAR_DIR/tools/nix/sharedLibDeps.nix {}) // {
+            openssl = builtins.getAttr \"${{
+              !contains(matrix.openssl.attr, '$') && !contains(matrix.openssl.attr, '\"') && !contains(matrix.openssl.attr, '\') && !contains(matrix.openssl.attr, '`') && matrix.openssl.attr
+            }}\" (import $TAR_DIR/tools/nix/openssl-matrix.nix {});
+          }" \
+    secrets:
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}