== Transfer the sources you need by USB-drive

If you want to build everything from source on the CI/CD server, you must transfer:

 * Updated package definitions (e.g., new Guix commit / channel state)
 * All required source code (not binaries)

=== Step 1: On a networked (twin) machine

 * Check for new versions

{{{#!sh
guix refresh PACKAGE-NAME
}}}

This will update the local package definition in your channel checkout (if you're maintaining your own channels or overlay packages).

 * Build the package to pull source code into the store

{{{#!sh
guix build --source PACKAGE-NAME
}}}

This ensures that all source tarballs and patches are downloaded and cached.

 * Export source code and channel state

Export the source derivation (not the binaries!):

{{{#!sh
guix archive --export -r $(guix build --source PACKAGE-NAME) > sources.nar
}}}

Also export the updated Guix channels or commit used:

{{{#!sh
guix describe --format=channels > channels.scm
}}}

=== Step 2: Transfer to the air-gapped CI/CD server

Copy the following files via USB or other air-gap-compliant method:

 * sources.nar (the archive of source derivations)
 * channels.scm (to sync channel state)
 * Optionally: your custom channel checkout (if using overlays)

=== Step 3: On the CI/CD server

 * Sync channel state

{{{#!sh
guix time-machine -C channels.scm -- build PACKAGE-NAME
}}}

Or, if you want to pull into your main Guix:

{{{#!sh
guix pull --channels=channels.scm
}}}

 * Import the sources

{{{#!sh
guix archive --import < sources.nar
}}}

Now the CI/CD server has all it needs to build the package from source without network access.

=== Optional: Preload additional sources or dependencies

To avoid surprises, you may want to pre-fetch all sources recursively:

{{{#!sh
guix build --sources=transitive PACKAGE-NAME
guix archive --export -r $(guix build --sources=transitive PACKAGE-NAME) > all-sources.nar
}}}

This ensures no source fetch attempts will occur during CI builds.
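
An added example (not from the original page): one way to check the Step 2 bundle for corruption or tampering before Step 3 uses it, with a SHA-256 manifest written on the networked machine. The function names, the SHA256SUMS file name and the /mnt/usb mount point are assumptions; `sha256sum` is the GNU coreutils tool.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# sources.nar and channels.scm are the files named in Step 2.
REQUIRED="sources.nar channels.scm"
MANIFEST="SHA256SUMS"

# True if file name $1 has an entry in the manifest (names start at column 67).
listed() { cut -c67- "$MANIFEST" | grep -qxF -- "$1"; }

# Networked machine: hash every regular, non-hidden file in bundle directory $1.
make_manifest() (
    cd "$1" || exit 1
    for f in $REQUIRED; do
        [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done
    for f in *; do
        if [ -f "$f" ] && [ "$f" != "$MANIFEST" ]; then sha256sum -- "$f"; fi
    done > "$MANIFEST"
)

# Digest of the manifest itself, to be compared across the air gap by a
# channel other than the USB drive (read aloud, printed, written down).
manifest_id() { sha256sum < "$1/$MANIFEST" | cut -c1-64; }

# Air-gapped server: refuse the bundle unless every non-hidden entry on the
# drive is listed and matches. Directories are never listed, so a channel
# checkout has to travel as one archive file to be accepted.
verify_bundle() (
    cd "$1" || exit 1
    [ -f "$MANIFEST" ] || { echo "no $MANIFEST on drive" >&2; exit 1; }
    for f in $REQUIRED; do
        listed "$f" || { echo "not in manifest: $f" >&2; exit 1; }
    done
    for f in *; do
        [ "$f" = "$MANIFEST" ] && continue
        listed "$f" || { echo "unlisted on drive: $f" >&2; exit 1; }
    done
    sha256sum -c "$MANIFEST" >/dev/null 2>&1
)

# Typical use on the server (the mount point /mnt/usb is an assumption):
#   [ "$(manifest_id /mnt/usb)" = "$EXPECTED_ID" ] && verify_bundle /mnt/usb \
#       && guix archive --import < /mnt/usb/sources.nar
```

A manifest stored on the same drive only shows that the files match the manifest, so compare the `manifest_id` value over a separate channel. `guix archive --import` additionally rejects archives not signed by a key the server has authorized, which covers sources.nar but not channels.scm.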