From 7a6723f2f29c939f3e1d806bb935e69142cd83c0 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Sun, 14 Jun 2026 20:56:14 -0400
Subject: [PATCH 1/2] Update CI: modernise validate workflow and add flake.lock auto-updater validate.yml switches from cachix/install-nix-action to the DeterminateSystems nix-installer-action and adds magic-nix-cache-action for build caching, consistent with cup-collector, ytdlfin, and weasley-wizarding-clock-card. Action versions bumped to checkout@v6. update-flake-lock.yml is a new weekly workflow (Thursdays 06:00 UTC) that opens an automated PR to bump flake.lock, keeping all inputs fresh without manual intervention.
Co-Authored-By: Claude Sonnet 4.6
---
.github/workflows/update-flake-lock.yml | 26 +++++++++++++++++++++++++
.github/workflows/validate.yml | 13 +++++--------
2 files changed, 31 insertions(+), 8 deletions(-)
create mode 100644 .github/workflows/update-flake-lock.yml
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
new file mode 100644
index 00000000..daef842d
--- /dev/null
+++ b/.github/workflows/update-flake-lock.yml
@@ -0,0 +1,26 @@
+name: Update flake.lock
+
+on:
+ schedule:
+ # Weekly on Thursday at 06:00 UTC — keeps inputs fresh without noise
+ - cron: "0 6 * * 4"
+ workflow_dispatch:
+
+jobs:
+ update:
+ name: bump flake.lock
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v6
+ - uses: DeterminateSystems/nix-installer-action@v22
+ - uses: DeterminateSystems/magic-nix-cache-action@v14
+ - uses: DeterminateSystems/update-flake-lock@v28
+ with:
+ pr-title: "chore: update flake.lock"
+ pr-labels: "dependencies,nix"
+ commit-msg: "chore: update flake.lock"
+ # Sign commits so they pass any branch-protection signature requirements
+ sign-commits: true
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index aca0e80d..2da1a10e 100644
--- a/.github/workflows/validate.yml
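Review bot: The four `uses:` lines in the `update` job reference mutable tags (`@v6`, `@v22`, `@v14`, `@v28`) while the job holds `contents: write` and `pull-requests: write`, so anyone able to move one of those tags gets code running with a write-scoped token in this repository. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: DeterminateSystems/update-flake-lock@<full-commit-sha>  # v28`; the validate.yml hunk of this patch has the same tag-pinned lines. `sign-commits: true` is set with no key input in the `with:` block, so confirm how this action version signs, otherwise the comment above it promises something the job may not deliver. PATCH 2/2 says CI has no credentials for the private flake input; a lock update resolves every input by default, so this job will probably need that credential too, which raises the value of the pinning.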
+++ b/.github/workflows/validate.yml @@ -7,12 +7,9 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - - uses: cachix/install-nix-action@v26 - with: - extra_nix_config: | - trusted-users = root @runner + - uses: actions/checkout@v6 + - uses: DeterminateSystems/nix-installer-action@v22 + - uses: DeterminateSystems/magic-nix-cache-action@v14 - name: Validate flake run: nix flake show @@ -21,7 +18,7 @@ jobs: run: nix fmt -- --ci . - name: Run deadnix - run: nix run nixpkgs#deadnix ./modules ./lib + run: nix run nixpkgs#deadnix -- ./modules ./lib - name: Run statix - run: nix run nixpkgs#statix check -- . + run: nix run nixpkgs#statix -- check . From f946e8d5f5762e653ca8e8b3f4a1cfcd6032c289 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sun, 14 Jun 2026 21:01:11 -0400 Subject: [PATCH 2/2] Remove nix flake show from CI The step fetches all flake inputs including the private-flake, which CI has no credentials to access. The linting steps (fmt, deadnix, statix) cover what CI can realistically validate; flake evaluation is covered locally via nixdiff before pushing. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/validate.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 2da1a10e..bb9e16d8 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -11,9 +11,6 @@ jobs: - uses: DeterminateSystems/nix-installer-action@v22 - uses: DeterminateSystems/magic-nix-cache-action@v14 - - name: Validate flake - run: nix flake show - - name: Check formatting run: nix fmt -- --ci .
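Review bot: No `permissions:` key sits between `runs-on:` and `steps:` in the `validate` job, so unless the workflow sets one above line 7 (outside this hunk) the three actions and the `nix run` steps receive the repository's default `GITHUB_TOKEN` scope. The job only reads and lints the tree, so a job-level `permissions:` holding `contents: read` would be enough. The step list continues past the end of the hunk.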
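Review bot: `nix run nixpkgs#deadnix` and `nix run nixpkgs#statix` look up `nixpkgs` in the flake registry rather than in this repository's flake.lock, so the linters that gate CI are whatever revision the registry resolves to at run time. If the flake has an input named `nixpkgs` (not visible here), `nix run --inputs-from . nixpkgs#deadnix -- ./modules ./lib` and the matching statix line would tie both tools to the locked, reviewed revision. These steps belong to a list that starts before this hunk.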