feat(workflows): add reusable Nix validate/build templates #13
Merged
Relocate the shared Nix CI reusable workflows into dryvist/.github so the org has one normalized, FlakeHub-free Nix CI source. Ported byte-identical from JacobPEvans-personal/.github (git-blob SHA match) so the consumer repoint is a clean uses: owner-swap and the eventual personal-copy removal needs no drift reconciliation. Both use determinate-nix-action (installer only) + actions/cache; neither touches FlakeHub. zizmor policy already permits DeterminateSystems/* ref-pin, so no policy change is needed. Assisted-by: Claude:claude-opus-4-8
This was referenced May 31, 2026
The org references its own reusable workflows via @main (self-reference convention), but the unpinned-uses policy only trusted external vendors, so a dryvist/.github reusable-workflow call failed zizmor with a SHA-pin demand. Add dryvist/* to the trusted-publisher list so consumers can call the new Nix templates as dryvist/.github/...@main. Assisted-by: Claude:claude-opus-4-8
This was referenced May 31, 2026
JacobPEvans-personal added a commit to dryvist/nix-claude-code that referenced this pull request May 31, 2026
dryvist/.github#13 merged: adds the _nix-validate template and the dryvist/* entry to the zizmor unpinned-uses trusted-publisher policy. Bump the pinned input so the local/CI zizmor check (which reads ${inputs.dryvist-github}/zizmor.yml) accepts the dryvist/.github@main reusable-workflow reference in ci.yml. nix flake check passes (EXIT 0). Assisted-by: Claude:claude-opus-4-8
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request May 31, 2026
Add a Continuous integration section to the Nix hub page: CI runs through shared reusable workflows with actions/cache + cache.nixos.org, and does not use FlakeHub. FlakeHub's hosted cache no longer has a useful free tier and a FlakeHub-backed cache action fails CI on api.flakehub.com auth. The free Determinate installer and Determinate Nix module are unaffected. Refs: dryvist/.github#13 Assisted-by: Claude:claude-opus-4-8
JacobPEvans-personal added a commit to dryvist/nix-claude-code that referenced this pull request May 31, 2026
* fix(dev-hygiene): exclude CHANGELOG.md from treefmt

release-please regenerates CHANGELOG.md with `*` bullets each release; prettier (via treefmt) rewrote them to `-` and failed the treefmt and pre-commit flake checks. Exclude CHANGELOG.md from treefmt, mirroring the existing markdownlint-cli2 exclude. Collapse the settings.* assignments into one block to satisfy statix. This failure was masked until now because CI died at the FlakeHub cache step before nix flake check ran.

Assisted-by: Claude:claude-opus-4-8

* fix(ci): drop FlakeHub cache, call shared nix-validate template

The inline ci.yml used DeterminateSystems/magic-nix-cache-action, which now authenticates its cache against api.flakehub.com and fails CI:

FlakeHub: cache initialized failed: Unauthenticated: Cannot find netrc credentials for https://api.flakehub.com/

FlakeHub's hosted cache no longer has a useful free tier. Replace the three inline jobs with a single call to the shared, FlakeHub-free _nix-validate template (actions/cache + Determinate installer). nix flake check covers flake eval + treefmt + pre-commit + lib tests; all_systems:false keeps it to the runner's system, matching prior x86_64-linux-only behavior.

Refs: dryvist/.github#13
Assisted-by: Claude:claude-opus-4-8

* chore(deps): bump dryvist-github for dryvist/* zizmor trust

dryvist/.github#13 merged: adds the _nix-validate template and the dryvist/* entry to the zizmor unpinned-uses trusted-publisher policy. Bump the pinned input so the local/CI zizmor check (which reads ${inputs.dryvist-github}/zizmor.yml) accepts the dryvist/.github@main reusable-workflow reference in ci.yml. nix flake check passes (EXIT 0).

Assisted-by: Claude:claude-opus-4-8

* refactor(flake): inherit dev-hygiene from dryvist/.github flake-module

Stop redefining the org-wide dev-hygiene global settings locally. Delete the inlined flake/dev-hygiene.nix and import inputs.dryvist-github.flakeModules.dev-hygiene instead — the same dryvist/.github source already used for zizmor.yml, now a lean flake (treefmt-nix + git-hooks only, no devenv/crate2nix/devshell). dryvist-github becomes a flake input (nixpkgs follows ours); the standalone treefmt-nix and git-hooks inputs are dropped (now transitive via .github). The CHANGELOG.md treefmt exclude lives in the shared module, not here. Lock temporarily pins the dryvist/.github#15 branch; repointed to main once it merges. nix flake check passes (EXIT 0).

Refs: dryvist/.github#15
Assisted-by: Claude:claude-opus-4-8
JacobPEvans-personal added a commit to dryvist/ai-assistant-instructions that referenced this pull request May 31, 2026
The Nix reusable workflows (_nix-validate.yml, _nix-build.yml) now live in dryvist/.github, not JacobPEvans-personal/.github. Split the canonical-homes table so a future agent does not 'fix' the cross-owner split or move the remaining non-Nix shared .github workflows. Refs: dryvist/.github#13 Assisted-by: Claude:claude-opus-4-8
What

Establish `dryvist/.github` as the org's normalized, FlakeHub-free Nix CI home:

- `.github/workflows/_nix-validate.yml` — Linux `nix flake check` (inputs: `runner_label`, `all_systems`)
- `.github/workflows/_nix-build.yml` — macOS build (input: `build-command`)
- `zizmor.yml` — add `dryvist/*: ref-pin` to the trusted-publisher policy so the org can reference its own reusable workflows via `@main` (per the self-reference convention) without a SHA-pin demand.

The two workflows are byte-identical ports from `JacobPEvans-personal/.github` (git-blob SHA verified). Both use `DeterminateSystems/determinate-nix-action@v3` as a Nix installer only plus `actions/cache` — neither touches FlakeHub.

Why

FlakeHub's hosted cache no longer has a useful free tier. `dryvist/nix-claude-code` is the last Nix repo still using `magic-nix-cache-action` (FlakeHub-backed); its CI fails on `api.flakehub.com` auth. This makes `dryvist/.github` the single normalized Nix CI source so the failure cannot silently recur. The failing repo is repointed at `_nix-validate.yml@main` in dryvist/nix-claude-code#33.

The `zizmor.yml` change is required because `dryvist/.github/...@main` is an org self-reference; the policy previously trusted only external vendors (`actions/*`, `DeterminateSystems/*`, `googleapis/*`), so a self-referencing reusable-workflow call failed `unpinned-uses`. Verified: with `dryvist/*` trusted, `nix flake check` on the consumer passes (zizmor...Passed).

Notes

- `uses:` owner-swap.
- `actionlint` flags SC2086 at `_nix-validate.yml:98` (`$ALL_SYSTEMS_FLAG` unquoted) — intentional in the upstream canonical (the flag is `--all-systems` or empty; quoting passes an empty arg to `nix flake check`). Kept verbatim; this repo runs no shellcheck/actionlint gate.

Refs: dryvist/nix-claude-code#33, dryvist/ai-assistant-instructions#662
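
The SC2086 note above turns on how an empty or non-empty flag variable reaches the command's argument list. As an added example (not code from this PR or from `_nix-validate.yml`), the POSIX shell script below counts the arguments a stand-in command receives for each way of expanding `ALL_SYSTEMS_FLAG`; the `count_args` and `run_*` helpers are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added illustration (not from the PR): argv seen by a command for each way
# of expanding an optional flag variable. ALL_SYSTEMS_FLAG is the variable
# named on the page; every helper name here is hypothetical.

# Stand-in for `nix flake check`: prints the number of arguments it received.
count_args() { printf '%s\n' "$#"; }

# Unquoted expansion: an empty value vanishes from argv, but a value
# containing whitespace is word-split (the behaviour SC2086 warns about).
run_unquoted() {
  ALL_SYSTEMS_FLAG=$1
  # shellcheck disable=SC2086
  count_args flake check $ALL_SYSTEMS_FLAG
}

# Plain quoting: no splitting, but an empty value becomes an empty argument.
run_quoted() {
  ALL_SYSTEMS_FLAG=$1
  count_args flake check "$ALL_SYSTEMS_FLAG"
}

# Conditional expansion: nothing when empty, exactly one argument otherwise.
run_conditional() {
  ALL_SYSTEMS_FLAG=$1
  count_args flake check ${ALL_SYSTEMS_FLAG:+"$ALL_SYSTEMS_FLAG"}
}

# Same result by building the argument list explicitly with `set --`.
run_arglist() {
  ALL_SYSTEMS_FLAG=$1
  set -- flake check
  if [ -n "$ALL_SYSTEMS_FLAG" ]; then set -- "$@" "$ALL_SYSTEMS_FLAG"; fi
  count_args "$@"
}

# Constructed sample values: empty, the flag itself, a value with a space.
for v in "" "--all-systems" "--all-systems extra"; do
  printf '%-22s unquoted=%s quoted=%s conditional=%s arglist=%s\n' "[$v]" \
    "$(run_unquoted "$v")" "$(run_quoted "$v")" \
    "$(run_conditional "$v")" "$(run_arglist "$v")"
done
```

The conditional and argument-list forms match the unquoted form for the two values the note describes (empty and `--all-systems`) and differ only when the value contains whitespace.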