Revert "Switch to secure packages"

[RossComputerGuy]

Reverts #37 because non-customers cannot access it.

Summary by CodeRabbit

• Chores

  • Updated CI/CD workflow configurations
  • Updated build system configuration references
  • Standardized workflow formatting

• Documentation

  • Updated README configuration example

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The PR updates GitHub Actions workflows with formatting consistency and permission adjustments, reorganizes documentation references, and refactors the flake.nix outputs function signature from destructuring pattern { self, ... }@inputs: to direct inputs: binding with corresponding reference updates.

Changes

Cohort / File(s)	Change Summary
GitHub Actions Workflow Permissions .github/workflows/nix.yml, .github/workflows/rust.yml	Removed permissions blocks (id-token: write, contents: read) from flake-check and rust-fmt-and-clippy jobs respectively.
GitHub Actions Workflow Formatting .github/workflows/determinate-ci.yml	Added explicit quotes around scalar values (tag patterns, permission values, flake references) for YAML consistency.
Documentation README.md	Reordered JSON runner mapping for Systems feature; moved x86_64-linux entry before aarch64-darwin and added formatting whitespace.
Flake Configuration flake.nix	Refactored outputs function signature from { self, ... }@inputs: to inputs:; updated internal references from self.* to inputs.self.*; changed nixpkgs URL from DeterminateSystems/secure to NixOS/nixpkgs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• flake.nix requires careful verification of the outputs function refactoring and all self-reference updates to ensure correct Nix semantics with the new input binding pattern
• Cross-reference the nixpkgs URL change to confirm it aligns with intended dependency sources

Possibly related PRs

• Switch to secure packages #37: Makes inverse edits to flake.nix—both PRs modify the outputs signature and switch between self and inputs.self reference patterns, suggesting related refactoring efforts.

Poem

🐰 Permissions trimmed and quotes aligned,
Inputs rebound with self refined,
From secure to nixpkgs we find our way,
Flake harmony blooms today! 🌿

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Revert "Switch to secure packages"' accurately describes the main change: reverting a previous commit that switched to secure packages, as confirmed by the PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch revert-37-secure-packages

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/determinate-ci.yml (1)

9-9: Quoted tag pattern and explicit permissions look good; confirm OIDC need

Quoting the tag pattern and setting flake-iter-flakeref: ".#" are both appropriate and keep the workflow unambiguous. The permissions block (id-token: "write", contents: "read") matches typical requirements for OIDC-based reusable workflows like DeterminateSystems/ci; just confirm that this job still relies on those tokens post‑revert and trim the block if they’re no longer needed.

Also applies to: 18-20, 23-29

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f7247bc and 565b40f.

⛔ Files ignored due to path filters (1)

• flake.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/determinate-ci.yml (2 hunks)
• .github/workflows/nix.yml (0 hunks)
• .github/workflows/rust.yml (0 hunks)
• README.md (1 hunks)
• flake.nix (4 hunks)

💤 Files with no reviewable changes (2)

• .github/workflows/rust.yml
• .github/workflows/nix.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: DeterminateCI / build (aarch64-darwin, macos-latest)
• GitHub Check: DeterminateCI / build (aarch64-linux, ubuntu-24.04-arm)
• GitHub Check: DeterminateCI / build (x86_64-linux, ubuntu-latest)
• GitHub Check: rust-fmt-and-clippy

🔇 Additional comments (2)

README.md (1)

55-60: README runner mapping reorder is fine

The added blank line and reordered JSON keys are purely cosmetic; the documented default mapping remains accurate and unambiguous.

flake.nix (1)

6-7: Revert to public nixpkgs and inputs: binding looks correct

Pointing nixpkgs at https://flakehub.com/f/NixOS/nixpkgs/0 aligns with the “revert secure packages” goal, and switching to outputs = inputs: with inputs.self / inputs.nixpkgs cleanly preserves the prior overlay wiring and crane src behavior. Please run nix flake check across your supported systems to confirm everything still evaluates against the new nixpkgs source.

Also applies to: 17-18, 27-33, 91-98