Add Nix flake for devenv.sh / NixOS integration

[Copilot]

Users on Nix-based workflows (NixOS, devenv.sh) have no first-class way to install sql-tap. This adds a flake.nix for source builds and wires up the goreleaser Nix publisher for release artifacts.

Changes

• flake.nix — builds both sql-tap and sql-tapd via buildGoModule across all default systems. Uses pkgs.lib.fakeHash as the vendorHash placeholder; maintainer must replace it with the real hash after the first nix build attempt:

  nix build 2>&1 | grep "got:" | awk '{print $2}'
  

  Also run nix flake update to generate flake.lock.

• .goreleaser.yaml — adds nix: publisher targeting mickamy/nur-packages. Gracefully skips if nix-hash is absent in CI. Two prerequisites before it goes live:

  1. Create the mickamy/nur-packages repo (NUR-compatible layout)
  2. Add a Nix install step to the release workflow

• README.md — documents Nix installation under a new ### Nix section:

  # Direct install
  nix profile install github:mickamy/sql-tap

  # devenv.yaml
  inputs:
    sql-tap:
      url: github:mickamy/sql-tap

  # devenv.nix
  { inputs, pkgs, ... }: {
    packages = [ inputs.sql-tap.packages.${pkgs.system}.default ];
  }

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• goreleaser.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Nix package release</issue_title>
<issue_description>Hi!

Thanks for this great application! It's tremendous help when debugging applications which use query builders instead of ORMs!
However, would you consider releasing at as nix package as well?
Our workflow relies on https://devenv.sh and such, adding tools via nix packages is the best option.

Here's the documentation for releasing as a nix package if you're interested: https://wiki.nixos.org/wiki/Nixpkgs/Create_and_debug_packages</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Nix package release #22

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

This PR adds first-class Nix/NixOS support for sql-tap by introducing a flake.nix for source builds, adding a goreleaser Nix publisher targeting mickamy/nur-packages, and documenting Nix installation in the README.

Changes:

• flake.nix — new Nix flake using buildGoModule to build sql-tap and sql-tapd across all default systems
• .goreleaser.yaml — adds a nix: publisher block for releasing pre-built derivations to mickamy/nur-packages
• README.md — documents Nix installation for both direct flake use and devenv.sh integration

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File	Description
flake.nix	New Nix flake definition for building both binaries from source
.goreleaser.yaml	Adds goreleaser Nix publisher targeting mickamy/nur-packages
README.md	Documents Nix installation via flake and devenv.sh

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The release workflow (.github/workflows/release.yml) does not include a "install nix" step, but the .goreleaser.yaml nix: publisher section's inline comment says "Add 'install nix' step to the release workflow so nix-hash is available" as a prerequisite. Without Nix installed in the release runner, the goreleaser Nix publisher will fail on release. The PR description also calls this out but it was not implemented. This will cause releases to fail once this is merged unless the workflow is updated before a release is triggered.

[Copilot]

The README's Nix installation instruction uses nix profile install github:mickamy/sql-tap, but this command will only install the sql-tap TUI client. The sql-tapd proxy daemon is equally required to use the tool (as shown throughout the README's Quick Start section). Users will likely be confused when they install via Nix and find sql-tapd is missing. Consider documenting how to also get sql-tapd when installing via the flake, or making mainProgram in the flake encompass both binaries.

Suggested change

	nix profile install github:mickamy/sql-tap
	# Install both the TUI client (sql-tap) and the proxy daemon (sql-tapd)
	nix profile install github:mickamy/sql-tap#sql-tap github:mickamy/sql-tap#sql-tapd

[Copilot]

The vendorHash is set to pkgs.lib.fakeHash which will cause every nix build invocation to fail with an intentional hash mismatch error. This is a placeholder value that must be replaced with the actual vendor hash before the flake can be used by anyone. As-is, running nix profile install github:mickamy/sql-tap (as documented in the README) will always fail for end users.

The hash must be computed once (e.g., by temporarily setting vendorHash = null; or running nix build and reading the "got:" line), and then the real SRI hash must be committed in place of pkgs.lib.fakeHash. Publishing a flake with a fake hash as the committed value makes the flake non-functional for all users until this is fixed.

Suggested change

	# and replacing pkgs.lib.fakeHash below with the output.
	vendorHash = pkgs.lib.fakeHash;
	# and replacing this null value below with the output.
	vendorHash = null;

[Copilot]

The subPackages = [ "." "cmd/sql-tapd" ] builds both the sql-tap (TUI client) and sql-tapd (proxy daemon) binaries in a single derivation. However, the ldflags only inject the version into main.version for one package at a time — the -X main.version=… flag only applies to the main package being built. Since there are two separate main packages (one at the root and one at cmd/sql-tapd), only one of them will receive the correct version injection. The sql-tapd binary at cmd/sql-tapd/main.go also declares var version = "dev" and this ldflag will only update one of the two main packages. You should split these into two separate buildGoModule derivations with their own ldflags, or verify that buildGoModule correctly propagates -X main.version to all subPackages.

[Copilot]

The nix: publisher section in .goreleaser.yaml is missing the install stanza. Looking at the brews: block above (lines 43-45), the Homebrew tap explicitly installs both sql-tap and sql-tapd binaries. Without an install field, the goreleaser Nix publisher will default to only installing the binary that matches the package name (sql-tap), meaning the sql-tapd daemon binary will not be installed via the NUR package. Consider adding an explicit install field to ensure sql-tapd is also installed alongside sql-tap.

[Copilot]

The flake-utils input is referenced as github:numtide/flake-utils without any commit pinning, and there is currently no flake.lock in the repository. This means every Nix evaluation or build will fetch and execute a moving target from a third-party repository, giving it the ability to influence or replace the built sql-tap binaries. To mitigate this supply‑chain risk, generate and commit a flake.lock (e.g., via nix flake update) so that flake-utils (and nixpkgs) are locked to immutable revisions, and keep that lock file updated via regular, explicit dependency bumps.